
wpcheck / HOWTO

How can you protect your WordPress installation? Here are some best practices to protect it against attackers. It's not rocket science.

1. Prevent file access

Filter name: sensitive-files

1.1 Hide WordPress, system & sensitive files

Insert the following code in your .htaccess file:

# Deny access to dot-files (.htaccess, .htpasswd, ...) and to wp-config.php / wp-config-sample.php
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
    order deny,allow
    deny from all
</FilesMatch>

This code prohibits access to the WordPress configuration files and to sensitive system files such as .htaccess, .htpasswd, .ssh and others.

If you don't use the Database Optimizing and Post-by-Email features, block access to their scripts too:

# Deny access to wp-admin/maint/repair.php and wp-mail.php
<FilesMatch "(repair|wp-mail)\.php">
    order deny,allow
    deny from all
</FilesMatch>

Putting it all together:

# Combined rule: dot-files, repair.php, wp-mail.php, wp-config.php, wp-config-sample.php
<FilesMatch "(^\.|(repair|wp-mail|wp-config(-sample)*)\.php)">
    order deny,allow
    deny from all
</FilesMatch>

1.2 Hide LOG and TXT files

Prevent browsers and search engines from requesting .log files (e.g. the WP_DEBUG log) and .txt files (e.g. plugin readmes). This rule must be placed in /wp-content/.htaccess:

# Deny access to any file whose name ends in .log or .txt
<FilesMatch "\.(log|txt)$">
    order allow,deny
    deny from all
</FilesMatch>
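To see what the rules above actually cover, here is an added Python example (not part of wpcheck or this HOWTO) that emulates Apache's `<FilesMatch>` semantics, an unanchored, case-sensitive regex search against the file name only, and runs the two patterns from this section over constructed file names. It shows, for instance, that the unanchored rule also covers a backup copy such as wp-config.php.bak, while the `$`-anchored .log/.txt rule does not cover a rotated log such as debug.log.1.

```python
import re

# Patterns copied verbatim from the .htaccess snippets in section 1.
SENSITIVE_FILES = re.compile(r"(^\.|(repair|wp-mail|wp-config(-sample)*)\.php)")
LOG_AND_TXT = re.compile(r"\.(log|txt)$")  # intended for wp-content/.htaccess


def is_blocked(filename: str, rule: re.Pattern) -> bool:
    """Emulate <FilesMatch>: Apache applies the regex to the file name (not the
    full path) with search semantics, i.e. unanchored unless ^ or $ is used,
    and case-sensitive unless the pattern says otherwise."""
    return rule.search(filename) is not None


def review(filenames, rule):
    """Map each file name to whether the rule denies it, so coverage gaps are easy to spot."""
    return {name: is_blocked(name, rule) for name in filenames}


# Constructed sample file names, not taken from a real installation.
WEBROOT_SAMPLES = [
    ".htaccess", ".htpasswd", ".git",
    "wp-config.php", "wp-config-sample.php",
    "wp-config.php.bak",   # still denied: the pattern is unanchored
    "repair.php", "wp-mail.php",
    "index.php", "wp-login.php", "readme.html",   # must stay reachable / are not covered
]
WPCONTENT_SAMPLES = [
    "debug.log", "readme.txt",
    "debug.log.1",         # rotated log: NOT denied, the rule is anchored with $
    "style.css", "logo.png",
]

if __name__ == "__main__":
    print("root .htaccess rule:")
    for name, blocked in review(WEBROOT_SAMPLES, SENSITIVE_FILES).items():
        print(f"  {'DENY ' if blocked else 'allow'}  {name}")
    print("wp-content/.htaccess rule:")
    for name, blocked in review(WPCONTENT_SAMPLES, LOG_AND_TXT).items():
        print(f"  {'DENY ' if blocked else 'allow'}  {name}")
```

If you keep rotated or renamed logs inside wp-content, extend the second pattern accordingly, and keep in mind that both rules only apply where Apache reads .htaccess files (AllowOverride) and where the mod_access_compat `order`/`deny` directives are available.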

2. Protect wp-admin

Filter name: wp-login

2.1 Basic access authentication

If possible, set up access protection for the WordPress login page. Create a .htpasswd file (an htpasswd generator will help you) and paste this snippet into your .htaccess file:

# Require HTTP basic authentication before wp-login.php is served
<Files wp-login.php>
    AuthName "Welcome to admin area"
    AuthType Basic
    AuthUserFile /path/to/.htpasswd
    require valid-user
</Files>

2.2 Administration over HTTPS

Secure your admin area or, better, the complete WordPress site. Thanks to Let's Encrypt, HTTPS is now really easy. Ask your hoster.

3. Don't show PHP errors

Filter name: fpd-vulnerability

The Full Path Disclosure (FPD) vulnerability lets an attacker learn the absolute file system path of your installation from PHP error messages. To turn the display of errors off, add the following snippet to the .htaccess file:

# Only applies when PHP runs as an Apache module (mod_php)
<IfModule mod_php5.c>
    php_flag display_errors off
</IfModule>

Change mod_php5.c to mod_php7.c if PHP 7 is installed on your server.

4. Prevent directory listing

Filter name: directory-listing

Depending on the Apache configuration, your visitors can get a directory listing of all files in a folder. To prevent this, add the following line to your .htaccess file:

Options -Indexes
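Once the snippets from sections 1 to 4 are in place, it pays to verify them from the outside. The following added Python example (not from wpcheck or this HOWTO) evaluates captured HTTP responses against the four filters named above: sensitive-files, wp-login, fpd-vulnerability and directory-listing. The responses are constructed inline so the script runs offline; in a real check they would come from requests to your own site, and the plugin path and PHP warning text are invented samples.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (a real run would fill it from urllib or requests)."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# Paths that the section-1 rules must deny. The plugin path is a constructed example.
SHOULD_BE_DENIED = [
    "/.htaccess", "/wp-config.php", "/wp-config-sample.php",
    "/wp-admin/maint/repair.php", "/wp-mail.php",
    "/wp-content/debug.log", "/wp-content/plugins/example-plugin/readme.txt",
]
# Apache's default auto-index page title.
DIRECTORY_LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
# PHP's default error format: "Warning: ... in /abs/path/file.php on line N".
FPD_RE = re.compile(r"\b(?:Fatal error|Warning|Notice|Deprecated):.*? in (/\S+\.php) on line \d+")


def audit(responses):
    """Evaluate responses (path -> Response) and return a list of
    'filter-name: detail' findings; an empty list means all checks passed."""
    findings = []

    # sensitive-files: 403 is the expected answer; 404 means the file is absent, also fine.
    for path in SHOULD_BE_DENIED:
        resp = responses.get(path)
        if resp is not None and resp.status not in (403, 404):
            findings.append(f"sensitive-files: {path} answered {resp.status}")

    # wp-login: basic access authentication answers 401 with a WWW-Authenticate header.
    login = responses.get("/wp-login.php")
    if login is not None:
        header_names = {name.lower() for name in login.headers}  # header names are case-insensitive
        if not (login.status == 401 and "www-authenticate" in header_names):
            findings.append("wp-login: login page reachable without basic access authentication")

    for path, resp in responses.items():
        # directory-listing: a 200 on a folder URL whose body is Apache's index page.
        if path.endswith("/") and resp.status == 200 and DIRECTORY_LISTING_RE.search(resp.body):
            findings.append(f"directory-listing: {path} lists its contents")
        # fpd-vulnerability: any response that echoes a PHP error with an absolute path.
        match = FPD_RE.search(resp.body)
        if match:
            findings.append(f"fpd-vulnerability: {path} discloses {match.group(1)}")
    return findings


# Constructed sample captures for a hardened and an unhardened site.
HARDENED_SITE = {
    "/.htaccess": Response(403),
    "/wp-config.php": Response(403),
    "/wp-content/debug.log": Response(403),
    "/wp-login.php": Response(401, headers={"WWW-Authenticate": 'Basic realm="Welcome to admin area"'}),
    "/wp-content/uploads/": Response(403),
}
UNHARDENED_SITE = {
    "/wp-config.php": Response(200, "<?php define('DB_NAME', 'example_db');"),
    "/wp-content/debug.log": Response(200, "[01-Jan-2020 00:00:00 UTC] PHP Notice: Undefined index"),
    "/wp-login.php": Response(200, '<form name="loginform">'),
    "/wp-content/uploads/": Response(200, "<html><head><title>Index of /wp-content/uploads</title>"),
    "/": Response(200, "Warning: include(): Failed opening 'x' in "
                       "/var/www/html/wp-content/themes/example/functions.php on line 12"),
}

if __name__ == "__main__":
    for label, site in (("hardened", HARDENED_SITE), ("unhardened", UNHARDENED_SITE)):
        print(f"{label}: {audit(site) or ['no findings']}")
```

A missing probe is skipped rather than reported, so the audit only speaks about paths you actually requested; the FPD pattern is deliberately run over every captured body, because an error message can surface on any page, not just the one you were testing.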

Nice to have

Move WordPress default folders