@gitnepal
Created August 20, 2018 12:22
# Securing WordPress
## Change Database Prefix
Do not use the default `wp_` table prefix; replace it with a custom one such as `testsite_`.
## Permissions
- `wp-config.php` -> 400
- `uploads` folder -> 755
- `.htaccess` files -> 400

A mode of 400 assumes PHP runs as the file's owner; where the web server runs as a different user, the file has to stay group- or world-readable (440/444) or WordPress cannot load its configuration at all.
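The following script is an added example, not code from the gist: it audits a WordPress document root against the three modes listed above and can apply them. `make_demo_tree()` builds a constructed throw-away tree under a temporary directory so the script can be run without touching a real site; point `audit()` and `harden()` at a real document root once the output looks right.

```python
"""Audit and apply the file modes from the permissions checklist above.

Added example, not code from the gist. Reports every path whose mode differs from
the checklist (wp-config.php 400, uploads folder 755, every .htaccess 400) and can
apply those modes. make_demo_tree() creates a constructed tree in a temp directory.
"""
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Relative path -> expected mode, taken from the checklist above.
EXPECTED_MODES = {"wp-config.php": 0o400, "wp-content/uploads": 0o755}
HTACCESS_MODE = 0o400

Finding = Tuple[str, int, int]  # (relative path, actual mode, expected mode)


def mode_of(path: Path) -> int:
    """Permission bits only (no file-type bits), e.g. 0o644."""
    return stat.S_IMODE(path.stat().st_mode)


def audit(root: Path) -> List[Finding]:
    """Return one finding per path that deviates from the checklist; empty means compliant."""
    findings: List[Finding] = []
    for rel, want in EXPECTED_MODES.items():
        p = root / rel
        if p.exists() and mode_of(p) != want:
            findings.append((rel, mode_of(p), want))
    # Every .htaccess anywhere under the root (the uploads folder usually carries one too).
    for p in sorted(root.rglob(".htaccess")):
        if p.is_file() and mode_of(p) != HTACCESS_MODE:
            findings.append((p.relative_to(root).as_posix(), mode_of(p), HTACCESS_MODE))
    return findings


def harden(root: Path) -> int:
    """Apply the checklist modes to every deviating path; returns the number changed."""
    changed = 0
    for rel, _actual, want in audit(root):
        (root / rel).chmod(want)
        changed += 1
    return changed


def make_demo_tree() -> Path:
    """Constructed WordPress-like tree with the loose modes a careless install might leave."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-demo-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    for rel in ("wp-config.php", ".htaccess", "wp-content/uploads/.htaccess"):
        f = root / rel
        f.write_text("# constructed placeholder\n")
        f.chmod(0o644)
    uploads.chmod(0o777)  # world-writable uploads folder
    return root


def format_findings(findings: List[Finding]) -> List[str]:
    return [f"{rel}: {actual:o} (expected {want:o})" for rel, actual, want in findings]


if __name__ == "__main__":
    demo_root = make_demo_tree()
    print("before:", format_findings(audit(demo_root)) or "clean")
    print("changed:", harden(demo_root))
    print("after:", format_findings(audit(demo_root)) or "clean")
```

Run it once without `harden()` against a real root first: the audit is read-only, and the findings list tells you exactly which paths would change.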
## Security Plugins
- iThemes Security
- Cerber Security & Antispam
- BulletProof Security
- All In One WP Security & Firewall
- Sucuri Security - Auditing, Malware Scanner and Security Hardening

## Cache Plugins
- W3 Total Cache
- WP Super Cache
## Disable the Dashboard File Editor
Add to `wp-config.php` so themes and plugins cannot be edited from the admin area:
```php
define('DISALLOW_FILE_EDIT', true);
```
## Prevent Directory Listing
In `.htaccess`:
```apache
Options -Indexes
```
##Protects Direct Call of .php Files
<Files * .php>
deny from all
</ Files>
## Protect the Uploads Folder
Deny everything in the folder except image files (`.htaccess` in wp-content/uploads):
```apache
Order Allow,Deny
Deny from all
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>
```
## Remove the WordPress Version From the Header
```php
remove_action('wp_head', 'wp_generator');
```
## Robots.txt
robots.txt is advisory: well-behaved crawlers honour it, but it is not an access control, and it publicly lists the paths you would rather not have indexed.
```text
User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /search/*/feed
Disallow: /search/*/*
Disallow: /readme.html
Disallow: /license.txt
Disallow: /*?*
Disallow: /*?
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.wmv$
Disallow: /*.cgi$
Disallow: /*.xhtml$
Allow: /wp-content/uploads/
Allow: /*?page=*
User-agent: Mediapartners-Google
Allow: /
User-agent: Adsbot-Google
Allow: /
User-agent: Googlebot-Image
Allow: /
User-agent: Googlebot-Mobile
Allow: /
User-agent: ia_archiver*
Disallow: /
User-agent: duggmirror
Disallow: /
Sitemap: http://domain.com/sitemap.xml
```
## Bot Protection
Two equivalent ways to refuse requests by User-Agent in `.htaccess`; use one or the other. Any client can change its User-Agent string, so this cuts noise rather than enforcing access control.
```apache
# Variant 1: mod_rewrite
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]
RewriteRule .* - [F,L]

# Variant 2: mod_setenvif plus access control. SetEnvIfNoCase is already case-insensitive
# and takes the variable to set as its third argument; it has no [NC,OR] flags.
SetEnvIfNoCase User-Agent ^Baiduspider bad_bot
SetEnvIfNoCase User-Agent ^Yandex bad_bot
SetEnvIfNoCase User-Agent ^[Ww]eb[Bb]andit bad_bot
SetEnvIfNoCase User-Agent ^HTTrack bad_bot
# Order/Allow/Deny is Apache 2.2 syntax; on 2.4 it needs mod_access_compat.
Order Allow,Deny
Allow from all
Deny from env=bad_bot
```
## Bad Requests
Reject anything that is not HEAD/GET/POST/OPTIONS, the listed scanner User-Agents, and User-Agents carrying quotes, angle brackets or encoded control characters. The conditions must come before the single RewriteRule and be chained with [OR]; as a plain match on GET/POST the first condition would block the whole site. Note that substrings such as `java`, `python`, `scan` and `loader` also match legitimate monitoring clients.
```apache
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(HEAD|GET|POST|OPTIONS)$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
RewriteRule ^(.*)$ - [F,L]
```
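Before enabling the User-Agent and method rules from the Bot Protection and Bad Requests sections, it is worth replaying them over an existing access log to see what they would have blocked and which legitimate clients they would have caught. The script below is an added example, not code from the gist: it re-implements the RewriteCond patterns above in Python and runs them over combined-format log lines. The sample lines and addresses (RFC 5737 documentation ranges) are constructed, not real traffic.

```python
"""Dry-run of the .htaccess User-Agent and method rules above against access-log lines.

Added example, not code from the gist. Re-implements the RewriteCond patterns from the
Bot Protection and Bad Requests sections so they can be replayed over an access log
before going live. SAMPLE_LOG is constructed, not real traffic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Patterns taken from the .htaccess rules above. RewriteCond matches are unanchored substring
# searches, so a legitimate "Java/1.8" or "python-requests" monitoring client matches as well.
BAD_BOT_RE = re.compile(r"Baiduspider|HTTrack|Yandex|WebBandit", re.IGNORECASE)
SCANNER_RE = re.compile(
    r"libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp"
    r"|clshttp|netsparker|wappalyzer|loader",
    re.IGNORECASE,
)
CONTROL_RE = re.compile(r"<|>|'|%0A|%0D|%27|%3C|%3E|%00", re.IGNORECASE)
ALLOWED_METHODS = {"HEAD", "GET", "POST", "OPTIONS"}

# Apache "combined" log format: host ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$'
)


@dataclass
class Verdict:
    host: str
    method: str
    path: str
    user_agent: str
    reason: str  # name of the rule that fires, '' when the request would pass

    @property
    def blocked(self) -> bool:
        return bool(self.reason)


def evaluate(method: str, user_agent: str) -> str:
    """Return the first rule that would answer 403 for this request, or '' if it passes."""
    if method.upper() not in ALLOWED_METHODS:
        return "method"
    if BAD_BOT_RE.search(user_agent):
        return "bad_bot"
    if SCANNER_RE.search(user_agent):
        return "scanner_ua"
    if CONTROL_RE.search(user_agent):
        return "control_chars"
    return ""


def dry_run(lines: Iterable[str]) -> List[Verdict]:
    """Replay combined-format log lines through evaluate(); lines in another format are skipped."""
    verdicts: List[Verdict] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            host, method, path, ua = m.groups()
            verdicts.append(Verdict(host, method, path, ua, evaluate(method, ua)))
    return verdicts


def summary(verdicts: List[Verdict]) -> Dict[str, int]:
    """Count verdicts per rule; 'passed' counts requests no rule would touch."""
    return dict(Counter(v.reason or "passed" for v in verdicts))


# Constructed sample log: one browser, one crawler, one scanner, one odd method,
# two monitoring clients that the substring rules catch as false positives, one probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2018:12:22:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/61.0"',
    '203.0.113.9 - - [20/Aug/2018:12:22:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '198.51.100.7 - - [20/Aug/2018:12:22:03 +0000] "GET /readme.html HTTP/1.1" 200 7120 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '198.51.100.8 - - [20/Aug/2018:12:22:04 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.61.0"',
    '192.0.2.10 - - [20/Aug/2018:12:22:05 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Java/1.8.0_181)"',
    '192.0.2.11 - - [20/Aug/2018:12:22:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.19.1"',
    '192.0.2.12 - - [20/Aug/2018:12:22:07 +0000] "GET /?s=test HTTP/1.1" 200 1 "-" "Mozilla/5.0 <probe>"',
]

if __name__ == "__main__":
    results = dry_run(SAMPLE_LOG)
    for v in results:
        status = "403" if v.blocked else "200"
        print(f"{status} {v.reason or '-':<13} {v.host:<13} {v.method} {v.path}  {v.user_agent}")
    print(summary(results))
```

Feed it a real log with `dry_run(open("access.log"))` and look at the `scanner_ua` bucket in particular: in the constructed sample, three of the seven lines land there, and two of those are uptime-style clients rather than scanners.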
## Block Timthumb Requests
Refuse requests for the thumbnail scripts by name (drop this if a theme in use legitimately serves images through one of them):
```apache
RewriteCond %{REQUEST_URI} (timthumb|phpthumb|thumbs?)\.php [NC]
RewriteRule . - [F,L]
```
## Block readme.html
```apache
<Files readme.html>
Order Allow,Deny
Deny from all
</Files>
```
## Block xml-rpc
Blocking `xmlrpc.php` also disables everything that relies on the XML-RPC API, such as Jetpack and the WordPress mobile apps.
```apache
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
```
## Audit WordPress Security
- https://securityheaders.com/
- https://www.wpdoctor.es
- https://wpscans.com/
## Headers
```php
<?php
// Hook the headers into WordPress so they go out with every response (functions.php or a
// small plugin). One header per header() call: PHP refuses a value containing a newline.
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-XSS-Protection: 1; mode=block' );
    header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    // Content-Security-Policy is the standard name (FF 23+, Chrome 25+, Safari 7+, Opera 19+);
    // X-Content-Security-Policy was Firefox's pre-standard name and is ignored by current browsers.
    header( "Content-Security-Policy: default-src 'self'; "
        . 'script-src https://apis.google.com https://platform.twitter.com; '
        . 'child-src https://plusone.google.com https://facebook.com https://platform.twitter.com' );
    header( 'Referrer-Policy: no-referrer-when-downgrade' );
    header( "Feature-Policy: vibrate 'self'" );
} );
```
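A header list is only useful if the server actually sends it under a name browsers honour. The script below is an added example, not code from the gist: it audits a dict of response headers (here a constructed dict holding exactly the values the gist's `header()` calls emit) for missing entries, pre-standard names such as `X-Content-Security-Policy` and `Feature-Policy` (superseded by `Content-Security-Policy` and `Permissions-Policy`), the deprecated `X-XSS-Protection`, and an HSTS max-age below the one-year value used above. `hardened_headers()` produces the corrected set, translating the `Feature-Policy` value into `Permissions-Policy` syntax on the way.

```python
"""Audit HTTP response headers against the header checklist above.

Added example, not code from the gist. GIST_RESPONSE_HEADERS is a constructed dict
holding the values the gist's header() calls emit; real input would come from a
captured response.
"""
from typing import Dict, List

GIST_RESPONSE_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1;mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Security-Policy": "default-src 'self'; script-src https://apis.google.com "
    "https://platform.twitter.com; child-src https://plusone.google.com https://facebook.com "
    "https://platform.twitter.com",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Feature-Policy": "vibrate 'self'",
}

# Pre-standard header name -> the standard name current browsers honour.
LEGACY_NAMES = {
    "x-content-security-policy": "Content-Security-Policy",
    "x-webkit-csp": "Content-Security-Policy",
    "feature-policy": "Permissions-Policy",
}
# Deprecated: Chromium removed its XSS auditor and Firefox never implemented one.
OBSOLETE = {"x-xss-protection"}
REQUIRED = ["Content-Security-Policy", "Strict-Transport-Security",
            "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"]
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the gist uses


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return readable findings; an empty list means the checklist is satisfied."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for legacy, standard in LEGACY_NAMES.items():
        if legacy in lower and standard.lower() not in lower:
            findings.append(f"{legacy} is a pre-standard name; send {standard} instead")
    for name in REQUIRED:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    for name in sorted(OBSOLETE):
        if name in lower:
            findings.append(f"{name} is deprecated and can be dropped")
    hsts = lower.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age is below {MIN_HSTS_MAX_AGE}")
    return findings


def feature_to_permissions_policy(value: str) -> str:
    """Translate Feature-Policy syntax ("vibrate 'self'") to Permissions-Policy ("vibrate=(self)")."""
    out = []
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        feature, allow = parts[0], [t.strip("'") for t in parts[1:]]
        if allow == ["*"]:
            out.append(f"{feature}=*")
            continue
        tokens = [] if "none" in allow else [t if t == "self" else f'"{t}"' for t in allow]
        out.append(f"{feature}=({' '.join(tokens)})")
    return ", ".join(out)


def hardened_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy with legacy names moved to their standard form and deprecated headers removed."""
    fixed: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key in OBSOLETE:
            continue
        if key == "feature-policy":
            fixed["Permissions-Policy"] = feature_to_permissions_policy(value)
        else:
            fixed[LEGACY_NAMES.get(key, name)] = value
    return fixed


if __name__ == "__main__":
    for finding in audit_headers(GIST_RESPONSE_HEADERS):
        print("-", finding)
    print("after fixing:", audit_headers(hardened_headers(GIST_RESPONSE_HEADERS)) or "clean")
```

Run against the gist's own header set, the audit reports four findings (the two pre-standard names, the missing standard `Content-Security-Policy`, and the deprecated `X-XSS-Protection`); the hardened copy passes clean.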