Securing Wordpress
##Change Database Prefix | |
Do not use the default wp_ prefix | |
Use a site-specific prefix instead, e.g. testsite_ | |
##Permissions | |
wp-config.php -> 400 | |
uploads folder -> 755 | |
htaccess files -> 400 | |
##Security Plugins | |
iThemes Security | |
Cerber Security & Antispam | |
BulletProof Security | |
All In One WP Security & Firewall | |
Sucuri Security - Auditing, Malware Scanner and Security Hardening | |
All In One WP Security & Firewall | |
##Cache Plugins | |
W3 Total Cache | |
Wp SuperCache | |
##Disable Page Code Editing | |
// wp-config.php constant: removes the in-dashboard theme/plugin file editor, so a
// compromised admin account cannot turn editor access into arbitrary PHP on disk.
define('DISALLOW_FILE_EDIT', true);
##Prevent Browsing of Open Directories | |
# .htaccess: switch off mod_autoindex listings so a directory without an index
# file does not reveal its contents. Only honoured where AllowOverride permits
# the Options directive — confirm in the vhost config.
Options -Indexes
##Prevent Direct Calls to .php Files | |
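# Deny direct requests for any PHP file in this directory. The original had
# stray spaces ("<Files * .php>", "</ Files>") that Apache rejects.
# NOTE(review): at the document root this also matches index.php and
# wp-login.php and takes WordPress offline — place it in a directory that must
# never execute PHP (e.g. wp-content/uploads) or narrow it with <FilesMatch>.
# Apache 2.2 access syntax; 2.4 without mod_access_compat needs "Require all denied".
<Files *.php>
deny from all
</Files>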
##Protect File Uploads | |
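# Uploads-directory .htaccess: deny everything, then re-allow only files whose
# name is one basename plus one image extension. "[^.]+" rejects any extra dot,
# so double extensions such as file.php.jpg stay blocked. The original was
# garbled by a text transform (spaces inside the regex and in "Allow, Deny",
# which Order takes as a single argument) and lacked the closing </FilesMatch>.
# Extend the extension list to what the site legitimately uploads (pdf, webp,
# ...), otherwise those files become unreachable.
# Apache 2.2 access syntax; 2.4 without mod_access_compat uses Require.
Order Allow,Deny
Deny from all
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>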
##Remove the WordPress Version From the Header | |
// Theme functions.php or a plugin: unhook the generator <meta> tag WordPress
// prints in <head>. NOTE(review): the version is still visible elsewhere
// (readme.html, the ?ver= query on enqueued assets, the feed generator tag);
// treat this as cosmetic rather than as hiding the version.
remove_action ('wp_head', 'wp_generator');
##Robots.txt | |
# robots.txt is advisory and world-readable: it steers well-behaved crawlers and
# restricts nothing. Listing /wp-admin/ here only documents the path; actual
# access control is the server-side rules further down this file.
User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /search/*/feed
Disallow: /search/*/*
Disallow: /readme.html
Disallow: /license.txt
# "*" and "$" wildcards are a Google/Bing extension, not part of the original
# robots spec — other crawlers may read these lines literally.
Disallow: /*?*
Disallow: /*?
Disallow: /*.php$
# NOTE(review): blocking *.js and *.css stops Googlebot from rendering pages,
# which Google's guidelines advise against — confirm this is intended.
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.wmv$
Disallow: /*.cgi$
Disallow: /*.xhtml$
# These narrower Allow rules override the broader Disallow above for crawlers
# that apply longest-match (RFC 9309); first-match crawlers may ignore them.
Allow: /wp-content/uploads/
Allow: /*?page=*
User-agent: Mediapartners-Google
Allow: /
User-agent: Adsbot-Google
Allow: /
User-agent: Googlebot-Image
Allow: /
User-agent: Googlebot-Mobile
Allow: /
# A trailing "*" in a User-agent token is not standard; most crawlers match the
# product name as a substring anyway.
User-agent: ia_archiver*
Disallow: /
User-agent: duggmirror
Disallow: /
# "domain.com" is a placeholder — replace with the real host (https once the
# site is HTTPS-only).
Sitemap: http://domain.com/sitemap.xml
##Bot Protection | |
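# Bot protection: two equivalent mechanisms, either one suffices. User-Agent is
# chosen by the client, so this only deters crawlers that identify themselves
# honestly — a nuisance filter, not an access control.
RewriteEngine On
# Leading "^.*" and trailing ".*$" were redundant around an unanchored match.
RewriteCond %{HTTP_USER_AGENT} (Baiduspider|HTTrack|Yandex) [NC]
RewriteRule .* - [F,L]
# SetEnvIf syntax is "attribute regex env-var" and takes no RewriteCond flags:
# the original lines ended in "[NC,OR]" instead of a variable name, so bad_bot
# was never set and "Deny from env=bad_bot" never matched. SetEnvIfNoCase is
# already case-insensitive, hence the plain patterns.
SetEnvIfNoCase User-Agent ^Baiduspider bad_bot
SetEnvIfNoCase User-Agent ^Yandex bad_bot
SetEnvIfNoCase User-Agent ^WebBandit bad_bot
SetEnvIfNoCase User-Agent ^HTTrack bad_bot
# Apache 2.2 access syntax; on 2.4 without mod_access_compat use
# <RequireAll> Require all granted / Require not env bad_bot </RequireAll>.
Order Allow,Deny
Allow from all
Deny from env=bad_bot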
##Bad Requests | |
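# Reject request methods WordPress does not need. The original condition lacked
# the "!" and so forbade every HEAD/GET/POST/OPTIONS request — the whole site.
# NOTE(review): REST API clients may send PUT/DELETE directly — confirm before
# deploying.
RewriteCond %{REQUEST_METHOD} !^(HEAD|GET|POST|OPTIONS)$ [NC]
RewriteRule ^(.*)$ - [F,L]
# User-Agent based rejection. RewriteCond lines bind to the next RewriteRule;
# the original two conditions had no rule of their own and silently attached to
# the timthumb rule below, breaking both. The list also matches curl, wget,
# python and java, which refuses legitimate tooling (uptime checks, scripted
# backups) — trim it to what the site really wants to block. Spoofable, so a
# nuisance filter only.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00)
RewriteRule .* - [F,L]
##Block Timthumb WordPress
# Forbid requests for the thumbnail scripts by name. The original ended in
# [S=1] (skip the next rule) with no rule following it, so it did nothing;
# the dots are now escaped so "." does not match any character.
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [F,L]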
#Block readme.html
# readme.html ships with WordPress and names the installed version; denying it
# removes one easy fingerprint. Directive names are case-insensitive, so the
# lower-case spelling works. Apache 2.2 syntax — 2.4 without mod_access_compat
# needs "Require all denied".
<files readme.html>
order allow,deny
deny from all
</files>
#Block xml-rpc
# xmlrpc.php is the legacy remote-publishing endpoint and a common target for
# credential guessing and pingback abuse; denying it closes that surface.
# NOTE(review): anything that relies on XML-RPC (Jetpack, the mobile apps,
# some backup tools) stops working — confirm nothing on the site depends on it.
# Apache 2.2 syntax — 2.4 without mod_access_compat needs "Require all denied".
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
##Audit Wordpress Security | |
https://securityheaders.com/ | |
https://www.wpdoctor.es | |
https://wpscans.com/ | |
##Headers | |
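// Security response headers emitted from PHP (e.g. a must-use plugin hooked to
// "send_headers"). header() must run before any output is sent.
header('X-Frame-Options: SAMEORIGIN');
header( 'X-Content-Type-Options: nosniff' );
// NOTE(review): the XSS auditor this header controls has been removed from
// current browsers and OWASP now recommends "0" or omitting it; kept as the
// author wrote it for legacy browsers, but do not rely on it.
header( 'X-XSS-Protection: 1;mode=block' );
// HSTS is ignored unless received over HTTPS and then pins the host and all
// subdomains to HTTPS for a year — make sure every subdomain serves HTTPS first.
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
// Two fixes on the CSP header:
//  - the unprefixed Content-Security-Policy name is the one browsers honour
//    (FF 23+, Chrome 25+, Safari 7+, Opera 19+); the X- prefixed form predates
//    the standard and is ignored by modern browsers;
//  - the original literal spanned three lines, and header() refuses values
//    containing newlines, so the header was never sent at all.
// script-src does not inherit default-src, so 'self' is added — without it the
// site's own scripts under wp-includes/js would be blocked. WordPress and many
// plugins also emit inline scripts; roll this out as
// Content-Security-Policy-Report-Only first and review the reports.
header("Content-Security-Policy: default-src 'self'; "
    . "script-src 'self' https://apis.google.com https://platform.twitter.com; "
    . "child-src https://plusone.google.com https://facebook.com https://platform.twitter.com");
// NOTE(review): no-referrer-when-downgrade is the older browser default;
// strict-origin-when-cross-origin leaks less and is the current default.
header("Referrer-Policy: no-referrer-when-downgrade");
// NOTE(review): Feature-Policy has been superseded by Permissions-Policy, and
// "vibrate" is not a defined feature there — consider dropping this header.
header("Feature-Policy: vibrate 'self'");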