Hardening WordPress Security

WordPress itself already provides some security guidance for its users on how to tighten the security of a WordPress installation. This is the quick version of it, check it out:

Put this .htaccess at the WordPress root:


# Block WordPress wp-config.php requests
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wp498/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wp498/index.php [L]
</IfModule>

# END WordPress

# Block the include-only files.
# [F,L] returns 403 Forbidden; [S=3] skips the next three rules when the
# request is not under wp-includes/, so only that directory is affected by them.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Put this .htaccess at /wp-content/uploads:


# Kill PHP Execution
# Refuse to serve any file with a PHP-like extension (.php, .php3/4/5, .pht, .phtml)
# from the uploads directory, so an uploaded script is never executed.
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>

Edit wp-config.php at the root and add the code below:


## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Edit functions.php in the active theme's folder and add the code below:


/* Remove Unnecessary Code From Your WordPress Blog Header */
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'wp_shortlink_wp_head');
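Once the four steps above are in place, it is worth verifying that they actually took effect rather than trusting the files were saved correctly. The script below is an added example (not part of the original post or of WordPress itself): it probes the paths the two .htaccess files should refuse to serve, checks the home page for the head markup the remove_action() calls strip out, and inspects a local copy of wp-config.php for the DISALLOW_FILE_EDIT define. It assumes the site is served at the base URL given on the command line and that the WordPress root is that URL; the uploads probe filename is hypothetical, since the check only needs the server to refuse any .php path under uploads.

```python
"""Audit the WordPress hardening steps from the post.

Added example, not code from the original post. Assumes an Apache-served
WordPress site reachable at BASE_URL with the .htaccess rules in place.
"""
import re
import sys
import urllib.error
import urllib.request

# Paths the root and uploads .htaccess rules should answer with 403.
# "uploads-probe.php" is a hypothetical filename; it need not exist, because
# the <Files> deny in uploads applies to the requested name regardless.
BLOCKED_PATHS = [
    "/wp-config.php",
    "/xmlrpc.php",
    "/wp-admin/includes/class-wp-filesystem-base.php",
    "/wp-includes/version.php",
    "/wp-includes/theme-compat/comments.php",
    "/wp-content/uploads/uploads-probe.php",
]

# Head markup that each remove_action() in functions.php should eliminate.
HEAD_MARKERS = {
    "rsd_link": re.compile(r"""rel=["']EditURI["']""", re.I),
    "wlwmanifest_link": re.compile(r"""rel=["']wlwmanifest["']""", re.I),
    "wp_generator": re.compile(r"""<meta name=["']generator["'] content=["']WordPress""", re.I),
    "wp_shortlink_wp_head": re.compile(r"""rel=["']shortlink["']""", re.I),
}

DISALLOW_RE = re.compile(r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""")


def http_fetch(base_url):
    """Return a fetch(path) -> (status, body) callable backed by urllib."""
    def fetch(path):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"User-Agent": "wp-hardening-audit"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # 403/404 arrive as exceptions; the status code is what we want.
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def audit_remote(fetch):
    """Return {check_name: passed} for every remotely observable step.

    `fetch` is injectable so the logic can be exercised against canned
    responses; pass http_fetch(base_url) for a live site.
    """
    results = {}
    for path in BLOCKED_PATHS:
        status, _ = fetch(path)
        # Only 403 proves the deny rule fired; a 404 is inconclusive (the
        # file may simply be absent) and a 200 means the rule is missing.
        results["blocked " + path] = status == 403
    _, home = fetch("/")
    for action, pattern in HEAD_MARKERS.items():
        results["removed " + action] = pattern.search(home) is None
    return results


def file_edit_disabled(wp_config_text):
    """True if wp-config.php has an active define('DISALLOW_FILE_EDIT', true)."""
    for line in wp_config_text.splitlines():
        stripped = line.strip()
        # A commented-out define does not disable the editor, so skip it.
        if stripped.startswith(("#", "//")):
            continue
        if DISALLOW_RE.search(stripped):
            return True
    return False


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for name, ok in audit_remote(http_fetch(base)).items():
        print(("PASS " if ok else "FAIL ") + name)
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print(("PASS " if file_edit_disabled(fh.read()) else "FAIL ")
                  + "DISALLOW_FILE_EDIT in " + sys.argv[2])
```

Run it as `python audit.py https://example.test /path/to/wp-config.php`. Treating only a 403 as a pass is deliberate: a 404 on wp-config.php or xmlrpc.php could come from a front-end proxy or a missing file rather than from the deny rule, so it does not confirm the .htaccess is being honoured.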
