Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save nucleare/5b0be2b67b647ba87d2aa210d67c5dbe to your computer and use it in GitHub Desktop.
Save nucleare/5b0be2b67b647ba87d2aa210d67c5dbe to your computer and use it in GitHub Desktop.
Some common rules to harden WordPress running on Apache webserver

How to harden WordPress install

Note: paths below assume subdirectory install in wordpress subdirectory and WordPress multi-environment configuration.

Prevent full path disclosure

See: Why are there path disclosures when directly loading certain files?

Add the following to .user.ini (or similar):

# Turn off display of errors to prevent full path disclosures in WordPress
# https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
display_errors = Off

Block access to configuration files

Add the following to wordpress/.htaccess:

# Block access to wp-config.php
<Files "wp-config.php">
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Deny from all
	</IfModule>
</Files>

Add the following to wordpress/wp-config/.htaccess:

# Block access to all files in this directory
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Deny from all
</IfModule>

Limit access to login page (if applicable)

Add the following to wordpress/.htaccess:

# Restrict access to login form only to certain IPs
<Files "wp-login.php">
	<IfModule mod_authz_core.c>
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Require ip 1.2.3.4 5.6.7
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order deny,allow
		Deny from all
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Allow from 1.2.3.4 5.6.7
	</IfModule>
</Files>

Limit access to debug log

Add the following to wordpress/wp-content/.htaccess:

# Restrict access to debug.log only to certain IPs
<Files "debug.log">
	<IfModule mod_authz_core.c>
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Require ip 1.2.3.4 5.6.7
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order deny,allow
		Deny from all
		# Only allow 1.2.3.4 address and 5.6.7 subnet
		Allow from 1.2.3.4 5.6.7
	</IfModule>
</Files>

Disable execution of PHP files from within uploads folder

Add the following to wordpress/wp-content/uploads/.htaccess:

# Block access to .php, .php3, .php4, .php5 and .phtml files
<FilesMatch "\.(?:[Pp][Hh][Pp][345]?|[Pp][Hh][Tt][Mm][Ll])$">
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Deny from all
	</IfModule>
</FilesMatch>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment