# Install certbot from the certbot PPA, then request a certificate for the site
# using the manual DNS challenge.
# NOTE(review): a PPA is a third-party package source trusted with root-level
# installs; confirm it is still the install route certbot recommends for this release.
sudo apt update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
# python-certbot-apache is installed, but the certonly --manual run below does
# not use it; the SSL directives have to be added to the Apache config by hand.
sudo apt-get install certbot python-certbot-apache
# certonly only obtains the certificate. --manual with the dns challenge asks for
# a TXT record to be created by hand, so `certbot renew` cannot repeat it
# unattended unless an auth hook (--manual-auth-hook) or a DNS plugin is set up.
# Plan the renewal before the certificate expires.
sudo certbot certonly --manual --preferred-challenges dns -d wordpress.depicus.com
# Certificate chain and private key that certbot stores for this host name.
# NOTE(review): these presumably belong inside the HTTPS VirtualHost for the site; confirm.
SSLCertificateFile /etc/letsencrypt/live/wordpress.depicus.com/fullchain.pem
# Keep the private key readable by root only and never copy it into the web root.
SSLCertificateKeyFile /etc/letsencrypt/live/wordpress.depicus.com/privkey.pem
# TLS protocol and cipher settings maintained by certbot's Apache plugin.
# NOTE(review): after `certonly --manual` the plugin may never have created this
# file; Apache refuses to start on a missing Include, so check that it exists first.
Include /etc/letsencrypt/options-ssl-apache.conf
# Set permissions: files 640 (owner rw, group r), directories 750, nothing for others.
find /var/www/wordpress/ -type f -exec chmod 640 {} \;
find /var/www/wordpress/ -type d -exec chmod 750 {} \;
# Make the web server account owner and group of the whole tree.
# NOTE(review): if PHP runs as www-data (the usual mod_php setup), it can then
# rewrite every file here, including WordPress core and wp-config.php. That keeps
# dashboard updates working, but a compromised plugin can modify code as well.
# A tighter layout lets a separate account own the tree, gives www-data group
# read, and allows writes only where uploads are stored.
chown -R www-data:www-data /var/www/wordpress
# Access rules for the WordPress document root.
<Directory /var/www/wordpress>
# -Indexes: no auto-generated directory listings. -MultiViews: no content
# negotiation. +FollowSymLinks: symlinks are followed (mod_rewrite in .htaccess
# needs this or SymLinksIfOwnerMatch).
Options -Indexes +FollowSymLinks -MultiViews
# .htaccess files under this tree may override every directive class.
# NOTE(review): anything able to write a .htaccess file here can therefore change
# server behaviour for that directory; keep write access to the tree narrow.
AllowOverride All
# No address or authentication restriction at this level.
Require all granted
</Directory>
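# Send requests for paths that commonly show up in automated scans to an
# external site. Intended for the site root.
#
# How these rules behave:
#  - The substitution is an absolute URL, so mod_rewrite answers with an external
#    redirect (302 unless an R= code is given) and the request's query string is
#    passed along to the target. [NC] makes the match case-insensitive.
#  - Patterns without ^ or $ are substring matches: `manager`, `components`,
#    `administrator`, `pma` or `cgi-bin` also hit legitimate URLs that merely
#    contain those letters (a post slug, an upload name). An unescaped `.`
#    matches any character.
#  - `wp-admin` and `wp-login.php` are in the list, so on a WordPress site these
#    rules make the dashboard and login (and wp-admin/admin-ajax.php) unreachable
#    for everyone, whatever an allow-list in wp-admin/.htaccess says. Drop those
#    two rules if this is the WordPress host.
#  - `^my_blogs&action=add`: RewriteRule sees only the URL path, never the query
#    string, so this matches only a literal `&` inside the path. Matching a query
#    string takes a RewriteCond on %{QUERY_STRING}.
#  - `^w00tw00t$` matches that exact path only, not longer paths that start with it.
# NOTE(review): answering with `- [F]` (403) instead of a redirect would keep this
# traffic, and its query strings, from being forwarded to a third-party site.
RewriteEngine on
RewriteRule phpmyadmin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule phptest http://www.fbi.gov/ [L,NC,QSA]
RewriteRule pma http://www.fbi.gov/ [L,NC,QSA]
RewriteRule myadmin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule wp-admin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule HNAP1 http://www.fbi.gov/ [L,NC,QSA]
RewriteRule administrator http://www.fbi.gov/ [L,NC,QSA]
RewriteRule vtigercrm http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^w00tw00t$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule manager http://www.fbi.gov/ [L,NC,QSA]
RewriteRule cgi-bin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule wp-login.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule components http://www.fbi.gov/ [L,NC,QSA]
RewriteRule admin.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule blog_edit.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule blogs.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule profile_blog_new.php$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^member/manage_blog.php$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^blogs/my_page/add/$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^account/submit/add-blog/$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^my_blogs&action=add http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^user/soapCaller.bs http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^phph/php/ph.php http://www.fbi.gov/ [L,NC,QSA]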
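# Block direct download of database dumps and backup copies.
# Uses the Apache 2.4 `Require` syntax, matching the `Require all granted` used
# for the document root, instead of mixing in the 2.2 Order/Deny directives.
<FilesMatch "\.(sql|bak)$">
Require all denied
</FilesMatch>
# Block files whose name starts with a dot (.htaccess, .htpasswd, .env, ...).
# The test is on the file name only, so it does not cover normally named files
# that sit inside a dot-directory such as .git/.
<FilesMatch "^\.">
Require all denied
</FilesMatch>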
# Block the include-only files.
# These PHP files are loaded by WordPress itself and are not meant to be
# requested over HTTP.
# NOTE(review): the patterns have no leading slash and RewriteBase is /, which
# suggests the root .htaccess; presumably this has to sit above WordPress's own
# rewrite block to take effect. Confirm.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# [F] answers 403 Forbidden; [L] stops rule processing for this pass.
RewriteRule ^wp-admin/includes/ - [F,L]
# Path is not under wp-includes/: skip the next three rules ([S=3]). The count is
# positional, so adding or removing a rule below means updating it.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
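# Only allow GET, PUT, POST and HEAD request methods; anything else gets 403.
# The pattern is anchored at both ends so only these exact method names pass
# (an unanchored pattern would also let through any method that merely starts
# with one of them).
# Needs `RewriteEngine On` in the same context and should sit above any rule
# ending in [L], because a matched [L] rule ends the pass before this check runs.
# NOTE(review): OPTIONS is rejected too, so CORS preflight requests will fail;
# confirm that PUT is really needed on this site.
RewriteCond %{REQUEST_METHOD} !^(GET|PUT|POST|HEAD)$
RewriteRule .* - [F]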
#
# Response headers; applied only when mod_headers is loaded.
# NOTE(review): plain `Header set` is not applied to every error response;
# `Header always set` covers those too. No Strict-Transport-Security header is
# set here even though the site is served over TLS.
<IfModule mod_headers.c>
# Stop sending ETag validators.
Header unset ETag
# Left disabled: nothing in this block stops the site from being framed by
# another origin (clickjacking) unless the header is set elsewhere.
# Header set X-Frame-Options: deny
# Legacy switch for the browser XSS filter. Current browsers have dropped that
# filter, so this adds little; a Content-Security-Policy is the lasting control.
Header set X-XSS-Protection: "1; mode=block"
# Tells browsers not to guess a content type other than the declared one.
Header set X-Content-Type-Options: nosniff
# X-WebKit-CSP is an obsolete prefixed name; the standard header is
# Content-Security-Policy.
# Header set X-WebKit-CSP: "default-src 'self'"
# Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
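# Goes in wp-admin/.htaccess: only the listed addresses may reach the dashboard.
# Uses the Apache 2.4 `Require` syntax, matching the `Require all granted` used
# for the document root. Several Require lines outside a container are OR-ed, so
# a match on either one is enough; every other client gets 403.
# NOTE(review): wp-login.php lives in the site root, so this file does not
# restrict the login form itself. Plugins that call wp-admin/admin-ajax.php from
# the public pages will be blocked for outside visitors.
Require ip 192.168.43.0/24
# Placeholder: replace x.xx.x.x with the real external address before use;
# Apache rejects the placeholder as written.
Require ip x.xx.x.x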