WordPress Hardening

Hardening WordPress

Securing WordPress using a combination of configuration changes and plugins. The .htaccess snippets below assume Apache with mod_rewrite loaded and AllowOverride enabled for the site; they use the Apache 2.2 access syntax (Order allow,deny / Deny from all), which Apache 2.4 still accepts through mod_access_compat. On a 2.4-only host replace those two lines with Require all denied.

.htaccess and wp-config.php tasks

1. Add unique keys and salts to wp-config.php. Replace the eight "put your unique phrase here" placeholders (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the matching *_SALT values) with values from https://api.wordpress.org/secret-key/1.1/salt/ . Changing them invalidates every existing login cookie, which is also a cheap way to force all sessions out after an incident.

2. Deny web access to .htaccess and wp-config.php

<Files> takes one filename pattern, not a list, so the two-name form does not reliably protect wp-config.php; use <FilesMatch> with a regex instead. Always close the container: an unclosed <Files> or <FilesMatch> block makes Apache reject the whole .htaccess and answer every request with a 500. (Stock Apache configs already deny .ht* files; the rule here is really for wp-config.php.)

<FilesMatch "^(\.htaccess|wp-config\.php)$">
  Order allow,deny
  Deny from all
</FilesMatch>

3. Move wp-config.php out of the document root. WordPress already looks one directory above the document root when wp-config.php is absent from it (as long as that parent directory is not itself a WordPress install), so in most setups no extra code is needed. If the file has to live somewhere else, keep a stub wp-config.php in the document root that pulls in the real one:

<?php
define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . '../path/to/wp-config.php');

The moved file keeps its own require_once of wp-settings.php and must sit outside anything the web server can serve; the point of the move is lost if the real file is still reachable by URL.

4. Disable the theme and plugin editor in the dashboard. Add the following to wp-config.php; with it set, a compromised admin account can no longer drop PHP through Appearance > Editor:

define('DISALLOW_FILE_EDIT', true);

DISALLOW_FILE_MODS goes further and also blocks plugin/theme installation and updates from the dashboard; use it only where deployments are handled outside WordPress.

5. Block direct requests to PHP files under wp-includes/ (and wp-admin/includes/). These files are only ever included by other PHP, never requested by a browser, so direct hits are probes. This goes in the root .htaccess, above the # BEGIN WordPress block. On multisite, wp-includes/ms-files.php must stay reachable, so add an exception for it before the deny rules.

# Block direct requests to PHP files in wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

6. Prevent username enumeration via ?author=N

A request like /?author=1 redirects to /author/<username>/, which leaks login names one ID at a time. Send those requests to the home page, but only on the front end, so the author filter inside wp-admin (edit.php?author=N) keeps working. The pattern must be author=\d; without the backslash it only matches a literal "d".

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

This closes only the query-string route: the REST API (/wp-json/wp/v2/users) and the author archive URLs still reveal usernames and need separate handling.

7. Block obvious script-injection probes in the query string

This is a signature filter, not protection against XSS or code injection: anything URL-encoded differently, or carried in the path, body or headers, passes straight through, so treat it as log-noise reduction and keep output escaping in the code. The GLOBALS and _REQUEST patterns target old register_globals-style attacks. The [ inside the alternation must be escaped or the regex fails to compile, and the substitution is irrelevant under [F], so use "-". If the host does not allow Options in .htaccess, drop the Options line (mod_rewrite only needs FollowSymLinks or SymLinksIfOwnerMatch to be on already).

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]

8. Prevent PHP execution in the uploads directory. This .htaccess file goes in wp-content/uploads/ (AllowOverride must cover that path; on nginx use a location block for the same effect). The pattern has no trailing $ so that double extensions such as shell.php.jpg are caught on hosts that still map PHP with AddHandler.

# Kill PHP execution
<FilesMatch "\.(php|phtml|phar|php[0-9])">
  Order allow,deny
  Deny from all
</FilesMatch>

9. Disable xmlrpc.php unless the mobile app, Jetpack, or another XML-RPC client is in use. It is a standing brute-force target (system.multicall lets one request try hundreds of passwords) and its pingback method is abused for reflected attacks on other sites.

<Files xmlrpc.php>
  Order allow,deny
  Deny from all
</Files>

10. Limit wp-login.php and /wp-admin/ to specific IP addresses

Replace the two addresses below with your own. admin-ajax.php is left reachable because front-end plugins and themes call it for anonymous visitors. If the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, not the visitor's; configure mod_remoteip first or this rule either locks everyone out or nobody.

<IfModule mod_rewrite.c>
	RewriteEngine on
	RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
	RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
	RewriteCond %{REQUEST_URI} /wp-admin/
	RewriteCond %{REMOTE_ADDR} !^63\.224\.182\.124$
	RewriteCond %{REMOTE_ADDR} !^96\.81\.205\.229$
	RewriteRule ^ - [F,L]
</IfModule>
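The steps above are easy to half-apply (placeholder salts left in place, a container tag never closed, no .htaccess in uploads at all), so here is a small offline audit that checks wp-config.php, the root .htaccess and wp-content/uploads/.htaccess against them. This is an added example, not code from the original gist; the sample configs at the bottom are constructed, and the script's file names and finding strings are its own. It also counts <Files>/<FilesMatch>/<IfModule> open and close tags, because an unclosed container turns the whole site into a 500, and it can emit a fresh set of salts for step 1 using the secrets module instead of the wordpress.org service.

```python
"""Offline audit of the wp-config.php and .htaccess steps above (added example,
not part of the original gist; sample inputs are constructed). Container tags are
counted because an unclosed <Files>/<FilesMatch>/<IfModule> makes Apache reject
the whole .htaccess and answer every request with HTTP 500."""
import re
import secrets
import string
import sys
from pathlib import Path

PLACEHOLDER = "put your unique phrase here"   # default in wp-config-sample.php
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

def generate_salt_defines(length=64):
    """Step 1: eight define() lines with random salts (alphabet has no quotes/backslashes)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?~"
    return "".join("define('%s', '%s');\n" % (key, "".join(secrets.choice(alphabet)
                   for _ in range(length))) for key in SALT_KEYS)

def audit_wp_config(text):
    """Steps 1 and 4: salts present and not the placeholder, file editor disabled."""
    findings = []
    for key in SALT_KEYS:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"](.*?)['\"]\s*\)" % key, text)
        if not m:
            findings.append("%s: not defined" % key)
        elif m.group(1) == PLACEHOLDER or len(m.group(1)) < 32:
            findings.append("%s: placeholder or short value" % key)
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        findings.append("DISALLOW_FILE_EDIT: not set to true")
    return findings

def audit_root_htaccess(text):
    """Steps 2, 6 and 9, plus the open/close count for container tags."""
    findings = []
    if not re.search(r"<(Files|FilesMatch)[^>]*wp-config", text, re.I):
        findings.append("wp-config.php: no <Files>/<FilesMatch> deny block")
    if not re.search(r"<(Files|FilesMatch)[^>]*xmlrpc", text, re.I):
        findings.append("xmlrpc.php: not blocked")
    if not re.search(r"QUERY_STRING\}\s+\S*author=\\d", text):
        findings.append("author=N enumeration: no RewriteCond")
    for tag in ("Files", "FilesMatch", "IfModule"):
        opened = len(re.findall(r"<%s\b" % tag, text, re.I))   # \b keeps <Files from matching <FilesMatch
        closed = len(re.findall(r"</%s>" % tag, text, re.I))
        if opened != closed:
            findings.append("<%s>: %d opened, %d closed (Apache returns 500)" % (tag, opened, closed))
    return findings

def audit_uploads_htaccess(text):
    """Step 8: PHP must not execute from wp-content/uploads/ (None = file missing)."""
    if text is None:
        return ["wp-content/uploads/.htaccess: missing, uploaded .php files would execute"]
    if not re.search(r"<(Files|FilesMatch)[^>]*php", text, re.I):
        return ["wp-content/uploads/.htaccess: does not deny .php files"]
    return []

def audit_site(wp_config, root_htaccess, uploads_htaccess=None):
    return {"wp-config.php": audit_wp_config(wp_config),
            ".htaccess": audit_root_htaccess(root_htaccess),
            "wp-content/uploads/.htaccess": audit_uploads_htaccess(uploads_htaccess)}

def audit_install(root):
    """Run audit_site against a real WordPress document root."""
    def read(rel):
        p = Path(root, rel)
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else None
    return audit_site(read("wp-config.php") or "", read(".htaccess") or "",
                      read("wp-content/uploads/.htaccess"))

# Constructed samples: stock placeholder salts vs. a hardened set, a complete
# root .htaccess, and the gist's unclosed <files xmlrpc.php> block.
WEAK_WP_CONFIG = "<?php\n" + "".join("define('%s', '%s');\n" % (k, PLACEHOLDER) for k in SALT_KEYS)
HARDENED_WP_CONFIG = "<?php\n" + generate_salt_defines() + "define('DISALLOW_FILE_EDIT', true);\n"
HARDENED_HTACCESS = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
</IfModule>
<FilesMatch "^(\.htaccess|wp-config\.php)$">
  Order allow,deny
  Deny from all
</FilesMatch>
<Files xmlrpc.php>
  Order allow,deny
  Deny from all
</Files>
"""
BROKEN_HTACCESS = "<files xmlrpc.php>\norder allow,deny\ndeny from all\n"
UPLOADS_HTACCESS = '<FilesMatch "\\.(php|phtml|phar|php[0-9])">\n  Deny from all\n</FilesMatch>\n'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    print(audit_install(root) if root else audit_site(WEAK_WP_CONFIG, BROKEN_HTACCESS, None))
```

Run it with no arguments to see the findings for the constructed weak samples, or pass a document root (for example python wp_audit.py /var/www/html, file name assumed) to audit a real install. The checks are deliberately textual: they confirm the directives are present and well-formed, not that Apache honours them, so pair this with a curl against wp-config.php, xmlrpc.php and an uploaded test .php file once the rules are deployed.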

Plugins and Other

1. Install Saltech Functionality Plugin to limit login attempts.

2. If you need functionality not already provided above, such as blocking known attackers, install Wordfence and keep it updated; a firewall plugin only helps while its signatures are current.
