@tlongren
Last active March 8, 2024 09:27
WordPress Hardening

Hardening WordPress

Securing WordPress using a combination of configuration changes and plugins. The .htaccess snippets below assume Apache with mod_rewrite enabled, AllowOverride permitting .htaccess in the site directory, and WordPress installed at the document root (hence RewriteBase /). Put them outside the # BEGIN WordPress / # END WordPress block, because WordPress rewrites that block whenever permalinks change.

.htaccess and wp-config.php tasks

1. Add unique authentication keys and salts to wp-config.php. Replace the eight 'put your unique phrase here' defines (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching *_SALT values) with values from https://api.wordpress.org/secret-key/1.1/salt/. These keys are the secret behind the cookie and nonce signatures, so leaving the sample placeholder means using a publicly known secret. Changing them later invalidates every logged-in session, which is also a quick way to force a re-login after an incident.

2. Deny web access to .htaccess and wp-config.php. Note that <Files> takes a single name: a second name on the same directive is not matched (depending on the Apache version it is ignored or rejected as a configuration error), so use <FilesMatch> with an alternation instead.

# Apache 2.4 syntax; on 2.2 use "Order allow,deny" + "Deny from all" instead of Require
<FilesMatch "^(\.htaccess|wp-config\.php)$">
Require all denied
</FilesMatch>

3. Move wp-config.php outside the document root. WordPress already looks one directory above the install for wp-config.php, so if that parent directory is outside the web root nothing else is needed. For any other location, keep a stub wp-config.php in the site root that pins ABSPATH and includes the real file:

<?php
// Stub wp-config.php left in the WordPress root. ABSPATH must be defined here,
// before the real file is included: the real wp-config.php only defines it when
// it is still undefined, and wp-settings.php is loaded relative to it.
define('ABSPATH', dirname(__FILE__) . '/');
// Path to the real config, which must live outside the document root (adjust to your layout).
require_once ABSPATH . '../path/to/wp-config.php';

4. Disable the theme and plugin file editor in the dashboard, which turns any compromised administrator account into arbitrary PHP execution. Add the following to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

If plugins and themes are deployed from version control rather than from wp-admin, the related DISALLOW_FILE_MODS constant also blocks installs and updates from the dashboard.
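A quick way to verify steps 1 and 4 is to audit the file rather than eyeball it. The script below is an added example, not code from the gist or from WordPress: it parses the define() calls in a wp-config.php, flags salts that are missing, still the sample placeholder, short or reused, and checks that DISALLOW_FILE_EDIT is true. It can also generate a fresh set of salts offline for hosts that cannot reach api.wordpress.org. MIN_SALT_LEN, SALT_CHARS and the embedded SAMPLE_CONFIG are this example's own constructs (the API returns 64-character values; the character set simply excludes quotes and backslashes so values can sit inside single-quoted PHP strings). If you use the stub from step 3, point the script at the real file.

```python
"""Static audit of a wp-config.php for the salt and file-editor hardening steps.

Added example, not part of the original gist or of WordPress.
"""
import re
import secrets
import sys

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_SALT_LEN = 32                             # assumption: shorter values are flagged
# Assumption: letters, digits and punctuation, with no quotes or backslashes, so a
# generated value can be pasted into define('NAME', '...') unchanged.
SALT_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_ []{}<>~+=,.;:/?|"
)

# Matches define('NAME', 'string') and define('NAME', true|false). Salt values never
# contain quotes or backslashes, so a run of non-quote characters covers the string case.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*(?:['"]([^'"]*)['"]|((?i:true|false)))\s*\)"""
)

# Constructed sample: the state of a freshly copied wp-config-sample.php.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def parse_defines(source: str) -> dict:
    """Return {CONSTANT: value} for every define() call in the PHP source."""
    found = {}
    for name, string_val, bool_val in DEFINE_RE.findall(source):
        # findall leaves the unmatched alternative as ""; an empty bool group means a string value
        found[name] = string_val if bool_val == "" else bool_val.lower() == "true"
    return found


def audit(source: str) -> list:
    """Return a list of findings; an empty list means the file passes these checks."""
    defines = parse_defines(source)
    findings = []
    seen = {}  # value -> first key that used it, to catch copy-pasted salts
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif not isinstance(value, str) or value.strip() == PLACEHOLDER:
            findings.append(f"{key} still holds the sample placeholder")
        elif len(value) < MIN_SALT_LEN:
            findings.append(f"{key} is only {len(value)} characters long")
        elif value in seen:
            findings.append(f"{key} reuses the value of {seen[value]}")
        else:
            seen[value] = key
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard file editor is enabled")
    return findings


def generate_salts(length: int = 64) -> str:
    """Return eight define() lines with fresh random values from the OS CSPRNG."""
    lines = []
    for key in SALT_KEYS:
        value = "".join(secrets.choice(SALT_CHARS) for _ in range(length))
        lines.append(f"define('{key}', '{value}');")
    return "\n".join(lines)


if __name__ == "__main__":
    if sys.argv[1:] == ["--generate"]:
        print(generate_salts())
        sys.exit(0)
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_CONFIG  # no path given: audit the constructed sample
    problems = audit(source)
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it as python wpconfig_audit.py /path/to/wp-config.php (exit code 1 on any finding, so it can sit in a deploy check), or with --generate to print eight define() lines to paste in. The reuse check matters because copying one generated value into all eight slots is a common shortcut that collapses the separate cookie and nonce schemes onto one secret.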

5. Block direct requests to PHP files under wp-includes/ and wp-admin/includes/. Those files are meant to be included by WordPress, never requested on their own, and several historical vulnerabilities were only reachable that way. Place this above the # BEGIN WordPress block. On multisite, drop the ^wp-includes/[^/]+\.php$ line, because ms-files.php in that directory serves uploaded media.

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Not a wp-includes request: skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

6. Prevent username enumeration via /?author=N, which WordPress otherwise redirects to /author/<login>/ and so reveals the login name. The condition must use \d, not a literal d (the original pattern never matched a digit), and the trailing ? on the substitution drops the query string from the redirect:

RewriteCond %{QUERY_STRING} (^|&)author=\d+
RewriteRule ^ /? [L,R=301]

This covers only the author query. The REST API (/wp-json/wp/v2/users) also lists users who have published posts unless it is restricted, and the default login error messages still distinguish valid from invalid usernames.

7. Reject query strings carrying obvious script tags or PHP superglobal probes. This is a coarse signature filter: it is blind to POST bodies and trivially bypassed with different encodings, so treat it as noise reduction, not as an XSS defence. The [ in the original GLOBALS and _REQUEST patterns must be escaped, otherwise it opens a character class and the alternation matches the empty string, which blocks any query mentioning GLOBALS at all. Options +FollowSymLinks requires AllowOverride Options (or FileInfo with SymLinksIfOwnerMatch), or Apache answers 500.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^ - [F,L]

8. Prevent PHP execution under wp-content/uploads/, the directory most likely to receive attacker-controlled files. This .htaccess goes in wp-content/uploads/ (it only takes effect if AllowOverride applies there; otherwise put the same section in a <Directory> block in httpd.conf). A plain <Files *.php> misses alternate PHP extensions, upper-case names on case-sensitive filesystems, and double extensions such as shell.php.jpg, which AddHandler-based setups still execute because mod_mime looks at every extension.

# Kill PHP execution under uploads
# Apache 2.4 syntax; on 2.2 use "Order allow,deny" + "Deny from all" instead of Require
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])(\.|$)">
Require all denied
</FilesMatch>

9. Disable xmlrpc.php unless something needs it (the WordPress mobile app, Jetpack and pingbacks use it). It is a favourite brute-force target because system.multicall lets a single request try many passwords, sidestepping per-request login limits.

# Apache 2.4 syntax; on 2.2 use "Order allow,deny" + "Deny from all" instead of Require
<Files xmlrpc.php>
Require all denied
</Files>

10. Restrict wp-login.php and /wp-admin/ to specific source IPs. The two addresses below are the gist author's; replace them with your own. As originally written the wp-admin condition only matched the bare wp-admin/ URL, so /wp-admin/edit.php and every other admin script stayed reachable; the version below covers the whole directory but exempts admin-ajax.php, which front-end plugins call on behalf of anonymous visitors. Behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, so configure mod_remoteip (trusting only the proxy) before relying on this, or the allow list will never match.

<IfModule mod_rewrite.c>
RewriteEngine On
# admin-ajax.php serves front-end features for unauthenticated visitors
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
# Allow-listed source addresses (replace with your own)
RewriteCond %{REMOTE_ADDR} !^63\.224\.182\.124$
RewriteCond %{REMOTE_ADDR} !^96\.81\.205\.229$
RewriteRule ^ - [F,L]
</IfModule>
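Once the rules are in place, confirm they are actually live rather than silently ignored by AllowOverride or overwritten by a permalink save. The script below is an added example, not part of the gist: it sends one request per rule in steps 2 and 5 to 10 and compares the status code with what the rule should produce. Probe paths such as wp-content/uploads/probe.php need not exist, since Apache answers 403 from the <Files>/<FilesMatch> section before it looks for the file. For the author probe a 301 alone is not evidence, because stock WordPress also answers /?author=1 with a 301 (to /author/<login>/), so the script checks that the redirect lands on /. The fetch callable is injectable so the probe table can be exercised offline; the default uses urllib and deliberately does not follow redirects. The wp-login.php probe only passes when run from an address that is not on the step 10 allow list. The probe list, the User-Agent string and example.test are this example's own choices.

```python
"""Black-box verification of the .htaccess rules above.

Added example, not part of the original gist.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# (path, expected status, expected redirect path or None, rule it verifies)
PROBES = [
    ("/wp-config.php", 403, None, "2: wp-config.php not served"),
    ("/.htaccess", 403, None, "2: .htaccess not served"),
    ("/wp-includes/version.php", 403, None, "5: PHP under wp-includes blocked"),
    ("/wp-admin/includes/file.php", 403, None, "5: wp-admin/includes blocked"),
    ("/?author=1", 301, "/", "6: author query redirected to /, not to /author/<login>/"),
    ("/?s=%3Cscript%3Ealert(1)%3C/script%3E", 403, None, "7: script tag in query rejected"),
    ("/?GLOBALS[x]=1", 403, None, "7: superglobal probe rejected"),
    ("/wp-content/uploads/probe.php", 403, None, "8: PHP under uploads not executed"),
    ("/xmlrpc.php", 403, None, "9: xmlrpc.php blocked"),
    ("/wp-login.php", 403, None, "10: login page restricted by source IP"),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as results instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 10.0) -> tuple:
    """GET url; return (status, Location header or None). 3xx/4xx/5xx are results, not errors."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check/1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def run_probes(base_url: str, fetch=http_status) -> list:
    """Run every probe; return [(path, expected, observed, passed), ...] in PROBES order."""
    base = base_url.rstrip("/")
    results = []
    for path, want_status, want_location, _label in PROBES:
        status, location = fetch(base + path)
        ok = status == want_status
        if ok and want_location is not None:
            # Compare only the path: mod_rewrite emits an absolute URL, and the stock
            # WordPress canonical redirect to /author/<login>/ must not count as a pass.
            ok = location is not None and \
                urlsplit(location).path.rstrip("/") == want_location.rstrip("/")
        results.append((path, want_status, status, ok))
    return results


def all_passed(results: list) -> bool:
    """True only if every probe produced the status (and redirect target) its rule should."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_htaccess.py https://example.com")
    outcome = run_probes(sys.argv[1])
    for (path, want, got, ok), (_, _, _, label) in zip(outcome, PROBES):
        print(f"{'PASS' if ok else 'FAIL'} got {got} want {want}  {path}  [{label}]")
    sys.exit(0 if all_passed(outcome) else 1)
```

Run it from a host that is not on the step 10 allow list, e.g. python check_htaccess.py https://example.com, and rerun it after every permalink change or Apache upgrade; a 200 on wp-config.php or xmlrpc.php means the .htaccess is not being honoured at all.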

Plugins and Other

1. Install Saltech Functionality Plugin to limit login attempts.

2. If you need functionality not already provided above, like blocking known attackers, install Wordfence.
