Further Security for WordPress Sites

WordPress Security

WordPress sites are the most exploited on the internet, because WordPress itself is the most used CMS for building sites. Just as the WordPress community has many members, there are also many hackers who aim to exploit your website and abuse it for their own purposes, such as using your account’s resources for crypto mining or sending spam.

You can implement several good practices with any WordPress site that you build. These include .htaccess file rules and some plugins that help mitigate some of the most common attacks.

Further WordPress Security

We can start with custom .htaccess file rules. These deny outside visitors access to some of your website’s contents. We recommend using the following:

– The .htaccess file in your document root should include:

#############################
# BEGIN Local Folder Security
#############################
# Disable Directory Browsing
Options -Indexes

# Deny wp-config.php
# (order/deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it)
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

# Disable Access to wp-includes
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
#############################
# END Local Folder Security
#############################

Those rules ensure that visitors do not have access to some of your core files.

– For the .htaccess file in the directory /wp-content/uploads, we recommend denying access to PHP files. Hackers usually do not use the .php extension when attempting to exploit your site this way; however, it is a good idea to deny access to .php files which might have been uploaded through a plugin or in some other way.

#############################
# BEGIN Uploads Deny PHP
#############################
<Files ~ "\.ph(?:p[345]?|t|tml)$">
    deny from all
</Files>
#############################
# END Uploads Deny PHP
#############################
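
To see which requests the two rule sets above actually refuse, the following added example (not part of the original article) replays their patterns in Python, including the `[S=3]` skip, over constructed sample paths. The function names are hypothetical, and the model covers only the `<Files>` and `RewriteRule` lines shown above.

```python
import re

# Rules transcribed from the root .htaccess above: (pattern, negated, flag).
# In .htaccess context mod_rewrite matches the path relative to the directory,
# without a leading slash.
ROOT_RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, "S=3"),  # "!" pattern: skip next 3 rules
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]
# Pattern from the uploads .htaccess; <Files ~ "..."> tests the file name.
UPLOADS_PATTERN = re.compile(r"\.ph(?:p[345]?|t|tml)$")


def root_blocks(path):
    """True if the root .htaccess rules answer `path` with 403 Forbidden."""
    if path.rsplit("/", 1)[-1] == "wp-config.php":  # <Files wp-config.php>
        return True
    skip = 0
    for pattern, negated, flag in ROOT_RULES:
        if skip:  # rule jumped over by an earlier [S=n]
            skip -= 1
            continue
        if bool(re.search(pattern, path)) == negated:
            continue  # rule did not match
        if flag == "F":
            return True
        skip = int(flag.split("=")[1])
    return False


def uploads_blocks(filename):
    """True if the uploads .htaccess denies a file with this name."""
    return bool(UPLOADS_PATTERN.search(filename))


if __name__ == "__main__":
    # Constructed sample paths, relative to the document root.
    for p in ["wp-config.php", "wp-includes/version.php", "wp-login.php",
              "wp-includes/theme-compat/header.php", "wp-includes/js/jquery/jquery.js"]:
        print(f"{'403' if root_blocks(p) else 'pass':4} {p}")
    # Constructed file names inside wp-content/uploads.
    for f in ["photo.jpg", "upload.php", "page.phtml", "photo.php.jpg", "tool.php7"]:
        print(f"{'403' if uploads_blocks(f) else 'pass':4} {f}")
```

File names outside the uploads pattern pass through, so compare the pattern with the extensions your server actually hands to the PHP handler and extend it if they differ.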

WordPress Security Plugins

We also recommend using the following plugin types:

  • One to hide your WordPress login
  • A captcha for each form that you have on your website
  • Dedicated Security plugins with small memory usage