NB: Do not copy-paste into an existing WordPress installation without reviewing and editing accordingly!
This is a living document, currently in more of a draft state. Untested snippets are marked as such.
Note: always place .htaccess rules outside the # BEGIN WordPress / # END WordPress block (WordPress rewrites that block whenever permalinks are saved). All .htaccess snippets below assume Apache with AllowOverride enabled for the site; nginx ignores .htaccess entirely. Snippets written in Apache 2.2 syntax (Order / Allow / Deny / Satisfy) need mod_access_compat on Apache 2.4; the 2.4 equivalent is Require all denied / Require all granted.
1a. chmod folders 755; files 644
# run from the WordPress root
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
1b. chmod the active theme's functions.php to 600. Caveat: 600 only hides the file from other local users. The file owner must be the PHP user or the theme stops loading, and code already running as that PHP user (e.g. a compromised plugin) can still read and write it, so this does not by itself prevent code injection; pair it with 10 (DISALLOW_FILE_EDIT).
1c. Move wp-config.php outside public_html (a.k.a. one level higher).
This works for WP out of the box: wp-load.php falls back to the parent directory of the install when wp-config.php is not in the root, provided that parent directory does not contain a wp-settings.php of its own (i.e. is not itself a WordPress install).
2. redirect all traffic to https
https://serverguy.com/servers/redirect-http-to-https/
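Added example for item 2 (written for this page, not taken from the linked article): a root .htaccess fragment that sends every plain-HTTP request to the HTTPS equivalent of the same host and path, then sets a short HSTS header once the site is on HTTPS. It assumes mod_rewrite and mod_headers are loaded and that TLS terminates on this Apache instance.

```apache
# Added example: force HTTPS for the whole site.
# Place above the "# BEGIN WordPress" marker (see the note at the top).
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only act on requests that did not arrive over TLS
    RewriteCond %{HTTPS} off
    # 301 so browsers and crawlers remember the move; keep host and path.
    # NE = do not re-escape an already encoded request URI.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
</IfModule>

# Once everything is served over HTTPS, tell browsers to stay on it.
# Start with a short max-age while testing and raise it when nothing breaks.
# env=HTTPS: only send the header on TLS responses, never on the redirect.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=300" env=HTTPS
</IfModule>
```

Caveat: behind a CDN or reverse proxy that terminates TLS, %{HTTPS} is "off" on every request and this rule loops. In that setup test the proxy's forwarded-protocol header instead (for example RewriteCond %{HTTP:X-Forwarded-Proto} !https), and only trust that header when the proxy is the sole way to reach the server.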
3. Deny all access for wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
(Apache 2.4 without mod_access_compat: replace the two Order/Deny lines with Require all denied.)
4. move wp-config.php to a folder outside the document root (same measure as 1c)
5. rename wp-config.php to something else / hide in plain sight. WordPress only looks for wp-config.php in the install root or its parent, so a stub wp-config.php that includes the renamed file must remain; that stub still needs the protection from 3.
6. give wp-content its own domain (WP_CONTENT_URL / WP_CONTENT_DIR in wp-config.php). This obscures the default paths scanners probe for; it is not an access control on its own.
7. basicAuth to /wp-admin/
htaccess (in /wp-admin/.htaccess):
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /home/<user>/<website>/wp-admin/.htpasswd
Require valid-user
htpasswd:
http://www.htaccesstools.com/htpasswd-generator/
Prefer the htpasswd utility shipped with Apache over an online generator so the password never leaves your machine, and store the .htpasswd file outside the web root rather than inside wp-admin as in the path above.
7a. exempt wp-admin/admin-ajax.php from the basicAuth in 7
Front-end plugins call admin-ajax.php for logged-out visitors, so it must stay reachable without the password; the snippet allows it, it does not block it.
htaccess:
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
(Apache 2.4 without mod_access_compat: Satisfy is gone; use Require all granted inside the <Files> block, which overrides the directory's Require valid-user for that one file.)
8a. htaccess: block direct requests to the include-only files in /wp-includes/ (these scripts are loaded by WordPress itself and are never legitimately requested by a browser)
# Block the include-only files.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # requests outside wp-includes/ skip the next three rules
    RewriteRule !^wp-includes/ - [S=3]
    # REMOVE NEXT LINE ON MULTISITE (it would block ms-files.php)
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
8b. disable directory listings
htaccess:
Options -Indexes
9. kill PHP execution in /wp-content/uploads/
place the following .htaccess in /wp-content/uploads/
# Kill PHP Execution
# matches .php, .php3 to .php8, .pht, .phtml and .phar (the original pattern
# stopped at .php5 and missed .php7/.php8 handlers some hosts register)
<FilesMatch "\.ph(?:p[3-8]?|t|tml|ar)$">
    Order allow,deny
    Deny from all
</FilesMatch>
(Apache 2.4 without mod_access_compat: Require all denied. This only stops Apache from serving the file; a script included from elsewhere by already-running PHP is not covered.)
10. disable dashboard file editing in wp-config.php
## Disable the theme/plugin file editor in the dashboard
define('DISALLOW_FILE_EDIT', true);
11. hide the login URL (wp-login.php / wp-admin)
Write your own logic or use WPS Hide Login. This is obscurity, not access control: it stops scanners that guess the default URL and nothing else.
12. limit-login-attempts
Still needed even with 11: hiding the login page only moves the form. Credentials are also accepted by xmlrpc.php and by the REST API, so rate-limit authentication attempts (and disable xmlrpc.php if nothing uses it) regardless of where the login page lives.
12a. Disable hotlinking of images with forbidden or custom image option
/!\ not tested
RewriteEngine on
# allow requests with no Referer (direct loads, strict referrer policies)
RewriteCond %{HTTP_REFERER} !^$
# allow your own site; wpbeginner.com comes from the source tutorial, replace it with your domain
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?wpbeginner\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
# everything else gets 403 (the original had a typographic dash here instead of "-", which breaks the rule)
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
13. Disable public access to /wp-content/debug.log
htaccess:
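Added example for item 13 (written for this page; the original left the snippet blank): a root .htaccess block that denies web access to wp-content/debug.log, written so it works on both Apache 2.2 (mod_access_compat) and 2.4 (mod_authz_core). It assumes WP_DEBUG_LOG is at its default location inside wp-content.

```apache
# Added example: keep WP_DEBUG_LOG output off the web.
# Place above the "# BEGIN WordPress" marker. <Files> matches the file name in
# any directory, so this also covers a debug.log that ends up elsewhere.
<Files "debug.log">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

Better still, avoid the problem: since WordPress 5.1 WP_DEBUG_LOG accepts a file path, so pointing it at a file outside the document root means there is nothing to protect. Either way, turn WP_DEBUG off in production; the log contains file paths and, depending on the plugin, query or request data.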
Other Settings
// Disable all automatic updates (core included)
define( 'AUTOMATIC_UPDATER_DISABLED', true );
* Completely disables the background updater: core, plugins, themes and translations. Security releases then depend on someone updating by hand.
Src: https://make.wordpress.org/core/2013/10/25/the-definitive-guide-to-disabling-auto-updates-in-wordpress-3-7/
Disable Automatic Updates Except For Core
// Disable plugin and theme update and installation from the dashboard
define( 'DISALLOW_FILE_MODS', true );
// Limit auto-updates to core minor (security/maintenance) releases
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
Caveat: these two do not combine as the heading suggests. DISALLOW_FILE_MODS also switches off the background updater entirely, so with it defined WP_AUTO_UPDATE_CORE has no effect and core security releases stop arriving. To keep core minor updates while blocking plugin/theme auto-updates, drop DISALLOW_FILE_MODS and use the auto_update_plugin / auto_update_theme filters described in the linked guide.