
wpcheck / HOWTO

How can you protect your WordPress installation? Here are some best practices to protect it against attackers. It's not rocket science.

1. Prevent file access


Filter name: sensitive-files

1.1 Hide WordPress, system & sensitive files

Insert the following code in your .htaccess file:

<FilesMatch "(^\.|wp-config(-sample)*\.php)">
    order deny,allow
    deny from all
</FilesMatch>

This denies access to the WordPress configuration file (and its sample copy) and to dotfiles such as .htaccess, .htpasswd and .ssh. Two caveats: the Order/Deny directives are Apache 2.2 syntax, which Apache 2.4 only understands with mod_access_compat loaded; on 2.4 use Require all denied inside the same FilesMatch block instead. And FilesMatch tests the file name only, so a file inside a dot-directory (for example .git/config) is not covered by the ^\. pattern; block such directories by path with a RedirectMatch or RewriteRule.

If you don't use the database repair script (wp-admin/maint/repair.php) and the Post-by-Email feature (wp-mail.php), deny access to them too:

<FilesMatch "(repair|wp-mail)\.php">
    order deny,allow
    deny from all
</FilesMatch>

Putting it all together:

<FilesMatch "(^\.|(repair|wp-mail|wp-config(-sample)*)\.php)">
    order deny,allow
    deny from all
</FilesMatch>

1.2 Hide LOG and TXT files

Prevent browsers and search engines from requesting .log files (e.g. the WP_DEBUG log, wp-content/debug.log) and .txt files (e.g. plugin readme.txt files). This block must be placed in /wp-content/.htaccess, not in the root .htaccess, where it would also block robots.txt:

<FilesMatch "\.(log|txt)$">
    order allow,deny
    deny from all
</FilesMatch>
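To see exactly which requests the FilesMatch rules above catch, here is an added example (not part of the wpcheck project or this HOWTO) that replays the two patterns in Python over a constructed list of paths. Apache evaluates FilesMatch against the file's basename, which the function mirrors; the sample paths are assumptions made for the demonstration.

```python
import re

# The FilesMatch patterns from sections 1.1 and 1.2 as Python regexes (PCRE
# and Python agree on this syntax). Apache applies <FilesMatch> to the file's
# basename only, which is_denied() mirrors.
ROOT_RULE = re.compile(r"(^\.|(repair|wp-mail|wp-config(-sample)*)\.php)")
WP_CONTENT_RULE = re.compile(r"\.(log|txt)$")


def is_denied(path):
    """True if the HOWTO's rules answer 403 for this document-root-relative path.

    The root .htaccess is inherited by every subdirectory; the log/txt rule
    lives in wp-content/.htaccess and therefore only applies below wp-content/."""
    name = path.rsplit("/", 1)[-1]
    if ROOT_RULE.search(name):
        return True
    return path.startswith("wp-content/") and bool(WP_CONTENT_RULE.search(name))


def coverage(paths):
    """Split paths into the ones the rules deny and the ones Apache still serves."""
    denied = [p for p in paths if is_denied(p)]
    served = [p for p in paths if not is_denied(p)]
    return denied, served


# Constructed sample of requests a scanner would try (an assumption for this example).
SAMPLE_PATHS = [
    "wp-config.php",
    "wp-config-sample.php",
    "wp-config.php.bak",      # editor/backup copies: caught, the pattern is unanchored
    "wp-config.php~",
    ".htaccess",
    ".htpasswd",
    "wp-admin/maint/repair.php",
    "wp-mail.php",
    "wp-content/debug.log",
    "wp-content/plugins/akismet/readme.txt",
    "readme.html",            # root: version disclosure, no rule covers it
    "license.txt",            # root: outside wp-content/.htaccess
    "wp-config.bak",          # no .php suffix, served as plain text
    ".git/config",            # basename is 'config': the ^\. test never sees the dot
]

if __name__ == "__main__":
    denied, served = coverage(SAMPLE_PATHS)
    print("denied:", *denied, sep="\n  ")
    print("still served:", *served, sep="\n  ")
```

The second list is the interesting one: wp-config.bak, license.txt and readme.html in the root are still served, and so is .git/config, because the basename test never sees the directory part. Those need explicit root-level rules for the specific names, or a RedirectMatch/RewriteRule on the path for dot-directories.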

2. Protect wp-admin


Filter name: wp-login

2.1 Basic access authentication

If possible, put a second layer of authentication in front of the WordPress login page. Create a .htpasswd file (the htpasswd command-line tool or an online htpasswd generator will help you), store it outside the document root, and paste this snippet into your .htaccess file. It covers wp-login.php only; WordPress also accepts credentials over xmlrpc.php, so deny or protect that file as well if you don't need XML-RPC:

<Files wp-login.php>
    AuthName "Welcome to admin area"
    AuthType Basic
    AuthUserFile /path/to/.htpasswd
    require valid-user
</Files>

2.2 Administration over HTTPS

Secure your admin area or, better, the complete WordPress site. Thanks to Let's Encrypt, HTTPS is now easy to get; ask your hosting provider. In addition, set the FORCE_SSL_ADMIN constant to true in wp-config.php so that WordPress itself sends logins and the admin area over HTTPS.

3. Don't show PHP errors


Filter name: fpd-vulnerability

The Full Path Disclosure (FPD) vulnerability lets an attacker learn the absolute filesystem path of the installation from a PHP error message (Warning: ... in /var/www/html/... on line N), which is a prerequisite for some further attacks that need to reference files by path. To turn off the display of errors, add the following snippet to the .htaccess file:

<IfModule mod_php5.c>
    php_flag display_errors off
</IfModule>

Change mod_php5.c to mod_php7.c if PHP 7 is installed on your server, or to mod_php.c for PHP 8. Note that php_flag only works when PHP runs as an Apache module: with PHP-FPM or CGI the IfModule block is silently skipped, and display_errors = Off has to go into php.ini or a .user.ini file instead. In wp-config.php, keep WP_DEBUG_DISPLAY at false as well.

4. Prevent directory listing


Filter name: directory-listing

Depending on the Apache configuration, visitors can get a listing of all files in a folder that has no index file (wp-content/uploads/ is the usual example). To prevent this, add the following line to your .htaccess file. It requires AllowOverride to permit Options for that directory; otherwise Apache answers every request with a 500 error until the line is removed:

Options -Indexes
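The four filters named in this HOWTO (sensitive-files, wp-login, fpd-vulnerability, directory-listing) can be verified from the outside. The following Python script is an added example written for this page; it is not wpcheck's own code, and the probe paths, the HTTP status expectations and the constructed SAMPLE_SITE responses are assumptions. It runs offline against the sample site by default and against a live site when given a base URL.

```python
import re
import sys
import urllib.error
import urllib.request

# Paths the HOWTO's rules should deny, plus two directories that commonly
# have no index file. Chosen for this example; wpcheck's own list may differ.
SENSITIVE_FILES = [
    "wp-config.php", "wp-config-sample.php", ".htaccess", ".htpasswd",
    "wp-admin/maint/repair.php", "wp-mail.php", "wp-content/debug.log",
]
LISTABLE_DIRS = ["wp-includes/", "wp-content/uploads/"]

# PHP's display_errors output, plain text or HTML-wrapped:
#   Warning: msg in /srv/x.php on line 3
#   <b>Warning</b>:  msg in <b>/srv/x.php</b> on line <b>3</b>
PHP_ERROR = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s.*?\bin\s+(?:<b>)?"
    r"(/[^\s<]+\.php)(?:</b>)?\s+on line\s+(?:<b>)?(\d+)",
    re.S,
)
AUTOINDEX = re.compile(r"<title>\s*Index of /", re.I)  # mod_autoindex page title


def http_fetch(base_url, timeout=10):
    """Build fetch(path) -> (status, body) for a live site; 4xx/5xx are returned, not raised."""
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + "/" + path,
                                     headers={"User-Agent": "wp-hardening-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read(65536).decode("utf-8", "replace")
    return fetch


def run_checks(fetch):
    """Apply the four filters through fetch(path) -> (status, body).

    Returns a sorted list of (filter, path, message); an empty list means all
    checks passed. A sensitive file is fine only when Apache answers 403 or
    404: a 200 or 500 means the file was served or executed, i.e. no deny rule."""
    findings = []
    bodies = {}
    for path in SENSITIVE_FILES:
        status, bodies[path] = fetch(path)
        if status not in (403, 404):
            findings.append(("sensitive-files", path,
                             "not denied (HTTP %d), expected 403 or 404" % status))
    status, bodies["wp-login.php"] = fetch("wp-login.php")
    if status != 401:
        findings.append(("wp-login", "wp-login.php",
                         "no HTTP basic auth (HTTP %d, expected 401)" % status))
    for path in LISTABLE_DIRS:
        status, bodies[path] = fetch(path)
        if status == 200 and AUTOINDEX.search(bodies[path]):
            findings.append(("directory-listing", path, "Apache autoindex page returned"))
    # Full path disclosure: any probe whose body carries a PHP error with an absolute path.
    for path, body in bodies.items():
        m = PHP_ERROR.search(body)
        if m:
            findings.append(("fpd-vulnerability", path,
                             "PHP error reveals %s (line %s)" % (m.group(1), m.group(2))))
    return sorted(findings)


# Constructed responses for an offline run: root rules in place except for
# wp-mail.php, no basic auth on the login, uploads/ listable, and the login
# page leaking its path through a PHP warning.
SAMPLE_SITE = {
    "wp-config.php": (403, "Forbidden"),
    "wp-config-sample.php": (403, "Forbidden"),
    ".htaccess": (403, "Forbidden"),
    ".htpasswd": (403, "Forbidden"),
    "wp-admin/maint/repair.php": (403, "Forbidden"),
    "wp-mail.php": (200, "<p>Mail server not configured.</p>"),
    "wp-content/debug.log": (403, "Forbidden"),
    "wp-login.php": (200, "<b>Warning</b>:  session_start(): headers already sent in "
                          "<b>/var/www/html/wp-login.php</b> on line <b>12</b><form>"),
    "wp-includes/": (403, "Forbidden"),
    "wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
}


def sample_fetch(path):
    return SAMPLE_SITE.get(path, (404, "Not Found"))


if __name__ == "__main__":
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else sample_fetch
    for flt, path, msg in run_checks(fetch):
        print("%-18s %-28s %s" % (flt, path, msg))
```

Run it with a base URL (python3 check.py https://example.org/) to probe a site you are allowed to test; without an argument it reports the four findings built into the sample. The sensitive-file check deliberately treats anything other than 403/404 as a failure, because an unprotected wp-config.php is executed by PHP and comes back as an empty 200 rather than as readable source, which still proves the deny rule is missing.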

Nice to have

Move WordPress default folders