WordPress Hardening

Hardening WordPress

Securing WordPress using a combination of configuration changes and plugins.

.htaccess and wp-config.php tasks

1. Add the authentication unique keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT constants) to wp-config.php; fresh random values can be generated at https://api.wordpress.org/secret-key/1.1/salt/

2. Block web access to .htaccess and wp-config.php

# <Files> takes a single file name, so two files need <FilesMatch> with a regex.
<FilesMatch "^(\.htaccess|wp-config\.php)$">
order allow,deny
deny from all
# Apache 2.4 without mod_access_compat: replace the two lines above with "Require all denied"
</FilesMatch>

3. Move wp-config.php outside the web root and leave a stub wp-config.php in its place that includes it (WordPress itself only looks one directory above the install for wp-config.php; the stub is needed for any other location)

<?php
// Stub wp-config.php kept in the WordPress root; the real configuration lives elsewhere.
define('ABSPATH', dirname(__FILE__) . '/');
// Replace '../path/to/wp-config.php' with the real location, relative to ABSPATH.
require_once(ABSPATH . '../path/to/wp-config.php');

4. Disable the theme and plugin file editors in the dashboard. Add the following to wp-config.php

define('DISALLOW_FILE_EDIT', true);

5. Disable direct access to PHP files under wp-includes/

# Block wp-includes folder and files (single-site installs; on Multisite this
# also blocks ms-files.php, so do not use it there)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

6. Prevent username enumeration via ?author=N requests (WordPress redirects them to the author's archive, which reveals the login name)

# Requires "RewriteEngine On" earlier in the file. The backslash in \d matters:
# "author=d" would only match the literal letter d, never "author=1".
# The wp-admin exclusion keeps the dashboard's own author filter (edit.php?author=N) working.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

7. Block common script-tag and superglobal-override patterns in the query string

# The "[" and "%" must be escaped, otherwise "[" opens a character class and the pattern is malformed.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
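The rewrite conditions in steps 6 and 7 are regexes applied to the raw, still percent-encoded query string, and the only way to know what they really catch is to run them against sample input before deploying. The script below is an added example, not part of the gist: it re-expresses the four patterns as Python regexes (Apache uses PCRE, which agrees with Python's re module for these patterns), runs them over constructed query strings, and shows two things the text alone does not: the unescaped `author=d` pattern never matches a real `?author=1`, and step 7's `<.*script.*>` also fires on harmless words such as "description".

```python
import re

# The four query-string patterns from steps 6 and 7 as Python regexes.
AUTHOR_ENUM = re.compile(r"author=\d")           # step 6, as intended
AUTHOR_ENUM_UNESCAPED = re.compile(r"author=d")  # step 6 with the backslash lost
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)  # [NC]
GLOBALS_OVERRIDE = re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")
REQUEST_OVERRIDE = re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")

# Constructed sample query strings (not from the gist), in the raw form Apache
# exposes as %{QUERY_STRING}; that is why the rules list both "<" and "%3C".
SAMPLES = [
    "author=1",
    "author=d",
    "s=hello+world",
    "p=%3Cscript%3Ealert(1)%3C/script%3E",
    "q=%3Cdescription%3E",          # legitimate, but contains "<...script...>"
    "GLOBALS[x]=1",
    "x=1&_REQUEST%5Bkey%5D=1",
]


def classify(query_string: str) -> str:
    """Action the two rule groups take on a raw query string:
    'redirect' (step 6 sends ?author=N to the front page), 'forbid'
    (step 7 answers 403) or 'pass'. Step 6 is checked first, mirroring
    an .htaccess in which it appears before step 7; both carry [L]."""
    if AUTHOR_ENUM.search(query_string):
        return "redirect"
    if (SCRIPT_TAG.search(query_string)
            or GLOBALS_OVERRIDE.search(query_string)
            or REQUEST_OVERRIDE.search(query_string)):
        return "forbid"
    return "pass"


def unescaped_pattern_misses() -> list:
    """Samples the intended pattern redirects but the unescaped one lets through."""
    return [q for q in SAMPLES
            if AUTHOR_ENUM.search(q) and not AUTHOR_ENUM_UNESCAPED.search(q)]


def report() -> dict:
    """Classification of every sample, keyed by query string."""
    return {q: classify(q) for q in SAMPLES}


if __name__ == "__main__":
    for q, action in report().items():
        print(f"{action:8s} ?{q}")
    print("missed by 'author=d':", unescaped_pattern_misses())
```

Run it as-is, then extend SAMPLES with query strings your own site legitimately uses (search terms, tag and filter parameters) before enabling step 7: the `%3Cdescription%3E` sample is classified `forbid`, so any public form that lets a visitor submit angle brackets around such words will start returning 403s. These patterns are a coarse filter on one encoding layer only; they do not replace input validation in the application.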

8. Prevent PHP execution in the uploads directory. This .htaccess file goes in wp-content/uploads/.

# Kill PHP Execution (applies by file name, so it also covers files that do not exist yet)
<Files *.php>
deny from all
# Apache 2.4 without mod_access_compat: use "Require all denied" instead
</Files>

9. Disable xmlrpc.php if the site is not managed through the WordPress mobile app or another XML-RPC client (Jetpack and remote-publishing tools also depend on it)

<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

10. Limit access to wp-login.php and /wp-admin/ to specific IP addresses (the two addresses below are the gist author's; replace them with your own)

<IfModule mod_rewrite.c>
	RewriteEngine on
	RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
	RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(\/)$ [OR]
	RewriteCond %{REQUEST_URI} ^(.*)?wp-admin/$
	RewriteCond %{REMOTE_ADDR} !^63\.224\.182\.124$
	RewriteCond %{REMOTE_ADDR} !^96\.81\.205\.229$
	RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
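Once the .htaccess rules from steps 2 through 10 are in place, the sensible next step is to confirm from the outside that each one actually answers the way it should. The checker below is an added example, not part of the gist or of WordPress: it requests the paths the rules above are meant to cover and compares the HTTP status with what the rule should produce (403 for the blocked files, 301 for the ?author=N redirect). The uploads file name is a placeholder that does not need to exist, because `<Files *.php>` denies by name; the User-Agent string is an assumed value; and the wp-login.php and wp-admin/ probes only expect 403 when the script runs from an address that is not on the step 10 allow-list.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Probes derived from the .htaccess steps above: (relative path, acceptable statuses).
PROBES = [
    ("wp-config.php", {403}),                             # step 2
    (".htaccess", {403}),                                 # step 2
    ("wp-includes/version.php", {403}),                   # step 5
    ("wp-content/uploads/placeholder-check.php", {403}),  # step 8 (file need not exist)
    ("xmlrpc.php", {403}),                                # step 9
    ("wp-login.php", {403}),                              # step 10, from a non-allow-listed address
    ("wp-admin/", {403}),                                 # step 10
    ("?author=1", {301}),                                 # step 6
]

# Assumed value; any string that identifies the scan in the access log will do.
USER_AGENT = "wp-hardening-check"


class KeepRedirects(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses, so the step 6 redirect is observed as 301."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(base_url: str, path: str) -> int:
    """HTTP status for one probe; urllib raises HTTPError for 3xx/4xx, which is the value we want."""
    opener = urllib.request.build_opener(KeepRedirects)
    url = urljoin(base_url.rstrip("/") + "/", path)
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def summarize(observed: dict) -> dict:
    """Map each probe path to True when its observed status is acceptable.
    A probe missing from `observed` counts as a failure."""
    return {path: observed.get(path) in ok for path, ok in PROBES}


def run(base_url: str) -> bool:
    """Probe every path, print one line per check and return True only if all pass."""
    observed = {path: fetch_status(base_url, path) for path, _ in PROBES}
    verdicts = summarize(observed)
    for path, ok in verdicts.items():
        print(f"{'OK  ' if ok else 'FAIL'} {path} -> HTTP {observed[path]}")
    return all(verdicts.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_hardening.py https://your-site.example/")
    sys.exit(0 if run(sys.argv[1]) else 1)
```

The exit code makes the script usable as a post-deploy check in a pipeline: a 200 on xmlrpc.php or wp-config.php after a host migration or an .htaccess overwrite by a plugin shows up immediately instead of going unnoticed. Run it against your own sites only, from a network address that is not on the step 10 allow-list, otherwise the two login probes legitimately report 200.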

Plugins and Other

1. Install the Saltech Functionality Plugin to limit login attempts.

2. If you need functionality not already provided above, such as blocking known attackers, install Wordfence.
