@roryashfordbentley
Last active October 28, 2015 15:22
WordPress security snippets for better protection. Add the .htaccess parts to your main .htaccess as needed; the wp-config.php line and the uploads-directory rules go in their own files, as each section notes.
# General Security Hardening measures
# XSS-Protection
# https://kb.sucuri.net/warnings/hardening/headers-x-xss-protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
# X-Frame-Options (clickjacking protection)
# https://kb.sucuri.net/warnings/hardening/headers-x-frame-clickjacking
# Use "set", not "append": appending yields "SAMEORIGIN, SAMEORIGIN" when an
# upstream config already sends the header, and that is not a valid directive.
<IfModule mod_headers.c>
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
# X-Content-Type-Options: nosniff
# https://kb.sucuri.net/warnings/hardening/headers-x-content-type
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
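To confirm that the three headers above actually reach the browser, here is an added shell check that is not part of the gist. It parses a raw response-header block, in practice the output of `curl -sI https://example.com/` (example.com is a placeholder host), and reports each header that is missing or carries an unexpected value. The two SAMPLE_* blocks are constructed test data; the second one contains the doubled value that `Header append` produces when another config already sends X-Frame-Options, which the check correctly rejects.

```shell
#!/bin/sh
# Added example (not part of the gist): check that the hardening headers from
# the .htaccess block above actually reach the client. In practice capture
# the header block with:  curl -sI https://example.com/   (placeholder host)
# and pass it to check_headers. The SAMPLE_* blocks below are constructed.

# expect_header <header-block> <header-name> <ERE the whole value must match>
# Prints a diagnostic and returns 1 when the header is absent or its value
# does not match; prints nothing and returns 0 otherwise.
expect_header() {
    # Drop CRs, pick the header line (names are case-insensitive), keep the value.
    value=$(printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$value" ]; then
        printf 'MISSING %s\n' "$2"
        return 1
    fi
    if printf '%s\n' "$value" | grep -Eqx "$3"; then
        return 0
    fi
    printf 'UNEXPECTED %s: %s\n' "$2" "$value"
    return 1
}

# check_headers <header-block>
# Runs all three checks and returns 0 only if every header passes.
check_headers() {
    rc=0
    expect_header "$1" 'X-Frame-Options'        '(SAMEORIGIN|DENY)' || rc=1
    expect_header "$1" 'X-Content-Type-Options' 'nosniff'           || rc=1
    expect_header "$1" 'X-XSS-Protection'       '1; *mode=block'    || rc=1
    return $rc
}

# Constructed sample: what a correctly hardened response looks like.
SAMPLE_GOOD='HTTP/1.1 200 OK
Date: Wed, 28 Oct 2015 15:22:00 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

# Constructed sample: two headers missing, and the doubled value that
# "Header append" yields when another config already sends X-Frame-Options.
SAMPLE_BAD='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

echo "== hardened sample"
check_headers "$SAMPLE_GOOD" && echo "all three headers present and correct"
echo "== broken sample"
check_headers "$SAMPLE_BAD" || echo "(broken sample failed as expected)"
```

Run it after every .htaccess change; a non-zero exit from check_headers means the Apache config is not doing what the snippet intends, typically because mod_headers is not loaded (the IfModule wrapper then silently drops the directives).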
# WordPress recommends the following
# http://codex.wordpress.org/Hardening_WordPress
# Block the include-only files: a browser never needs to request them directly,
# so direct requests are answered with 403 (F).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules (S=3)
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Note: on a Multisite install the ^wp-includes/[^/]+\.php$ rule also blocks
# wp-includes/ms-files.php, which serves uploaded media; omit that rule there.
# Put this at the very END of your main .htaccess file
# (Apache 2.4 syntax first, 2.2 syntax as fallback):
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
<?php
// Put this in wp-config.php, above the line
//   require_once(ABSPATH . 'wp-settings.php');
// so the constant is defined before WordPress loads.
// Disables the theme/plugin file editor in wp-admin.
// Increases security and protects from clients that like to fiddle :D
define('DISALLOW_FILE_EDIT', true);
1. DO NOT use 'admin/administrator/website-name/company-name' as your WordPress username
2. DO generate a secure password
3. DO create your own themes so you can ensure they are clean
4. DO check plugin reviews and check that they are actively maintained
5. DO keep regular backups
6. DO NOT push `wp-config.php` to a public Git repository
7. DO use a custom database table prefix instead of the default `wp_`
8. DO use a custom directory structure
9.
# Create a .htaccess file within your uploads directory to prevent the execution
# of any file whose name carries a PHP extension, including double extensions
# such as shell.php.jpg (the pattern "\.(php|php\.)$" only caught names ending
# in .php or .php.). The (?i) prefix makes the match case-insensitive.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
Order Allow,Deny
Deny from all
</FilesMatch>
# Don't allow any of the listed scripts to be executed within this directory:
# mapping them to the CGI handler while ExecCGI is off makes Apache refuse them.
# Typically you would never need to execute any code within your uploads directory.
# If you find this breaks something it could be a badly built plugin using this
# data-store for its code (which is bad!)
# Requires AllowOverride Options and FileInfo (or All) for the directory;
# otherwise Apache answers 500 for everything under it.
Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
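The uploads .htaccess above only takes effect if Apache honours it, and it does nothing about files that are already sitting in the directory. The following shell audit is an added example, not part of the gist: it lists every file under an uploads tree whose basename carries one of the extensions the snippet targets (the page's list plus the usual PHP variants phtml, phar and php[0-9], which are assumptions), and verifies that the directory's .htaccess carries both the FilesMatch deny rule and the ExecCGI switch. The sample tree built by make_sample_tree is constructed for offline use; the real path /var/www/html/wp-content/uploads is an assumption.

```shell
#!/bin/sh
# Added example (not part of the gist): audit a wp-content/uploads tree for
# files that the uploads .htaccess above is meant to neutralise, and verify
# that the .htaccess itself is in place. Nothing is deleted; it only reports,
# so it can run from cron or a deploy hook. The tree built by make_sample_tree
# is constructed for offline use; the real path (assumption) would be
#   /var/www/html/wp-content/uploads

# Extensions from the snippet above, plus the usual PHP variants (assumption).
# The pattern matches the extension anywhere after a dot in the basename, so
# double extensions such as shell.php.jpg are flagged, while directories
# named something.php are not.
SCRIPT_EXT_RE='/[^/]*\.(php[0-9]?|phtml|phar|pl|py|jsp|asp|htm|shtml|sh|cgi)(\.[^/]*)?$'

# find_script_files <dir>
# Prints, sorted, every regular file under <dir> whose basename matches SCRIPT_EXT_RE.
find_script_files() {
    find "$1" -type f | grep -Ei "$SCRIPT_EXT_RE" | sort
}

# check_uploads_htaccess <dir>
# Returns 0 when <dir>/.htaccess carries both protections from the snippet:
# a FilesMatch deny rule and ExecCGI switched off. Otherwise prints why.
check_uploads_htaccess() {
    f="$1/.htaccess"
    [ -f "$f" ] || { printf 'no .htaccess in %s\n' "$1"; return 1; }
    grep -qi '<FilesMatch' "$f" \
        || { echo 'no FilesMatch block'; return 1; }
    grep -Eqi '^[[:space:]]*(Deny from all|Require all denied)' "$f" \
        || { echo 'no deny rule'; return 1; }
    grep -Eqi '^[[:space:]]*Options[[:space:]].*-ExecCGI' "$f" \
        || { echo 'ExecCGI not disabled'; return 1; }
    return 0
}

# make_sample_tree <dir>
# Constructed uploads tree mixing benign media with names that should never
# appear in an uploads directory; used for the demo and the checks.
make_sample_tree() {
    mkdir -p "$1/2015/10" "$1/cache.php.d"
    : > "$1/2015/10/holiday.jpg"
    : > "$1/2015/10/brochure.pdf"
    : > "$1/2015/10/shell.php"        # plain PHP file
    : > "$1/2015/10/avatar.php.jpg"   # double extension
    : > "$1/2015/10/Backdoor.PHTML"   # PHP variant, mixed case
    : > "$1/cache.php.d/notes.txt"    # only the directory name looks suspicious
    printf '%s\n' '<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">' \
        'Order Allow,Deny' 'Deny from all' '</FilesMatch>' \
        'Options -ExecCGI' > "$1/.htaccess"
}

# Demo on the constructed tree; point find_script_files and
# check_uploads_htaccess at the real uploads directory to audit a live site.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "== files the uploads .htaccess must neutralise:"
find_script_files "$demo_dir"
echo "== .htaccess check:"
check_uploads_htaccess "$demo_dir" && echo 'uploads .htaccess looks right'
rm -rf "$demo_dir"
```

Any hit from find_script_files on a live site deserves a look at the plugin that wrote it, as the comment in the snippet says; the .htaccess check catches the common failure where a plugin or a deploy step overwrites the uploads .htaccess with its own.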