How to Harden WordPress for Better Security

Publish date: 2020-10-02

Hi, here are a few tips to harden your WordPress installation:

1. Disallow file editing and explicitly set the site URL in wp-config.php (some malware replaces the site URL stored in the wp_options table):

```php
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
define( 'FORCE_SSL_ADMIN', true );
```
2. Replace the default .htaccess with the following:

```apache
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
```
3. In the wp-content folder, create a new .htaccess file and insert the following to limit the file extensions that are served (the dot is escaped so that only a real extension matches):

```apache
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js|woff|woff2|ttf|pdf)$">
Allow from all
</Files>
```
4. Simply install this plugin: http://sysadmin.lol/wp-harden.php

5. If you require expert help, feel free to email me.
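As an added offline check for steps 1 and 3 (example code written for this post, not the plugin linked above and not WordPress's own tooling): the script parses a wp-config.php for the four defines from step 1 and reports which are missing or weak, then models how Apache's `<Files ~ "regex">` allow-list from step 3 decides a request under wp-content. The wp-config fragment and the request paths are constructed inputs. `ALLOW_AS_POSTED` uses the pattern with an unescaped dot (`.(xml|...)$`) and `ALLOW_ESCAPED` the escaped one (`\.(xml|...)$`), to show why the dot should be escaped.

```python
import re
from pathlib import PurePosixPath

# --- Step 1: the four wp-config.php defines ---------------------------------

# Matches define( 'NAME', value ); regardless of quote style or spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)

def parse_defines(wp_config_text):
    """Return {NAME: raw value} for every define() in a wp-config.php."""
    return {m.group("name"): m.group("value").strip()
            for m in DEFINE_RE.finditer(wp_config_text)}

def audit_wp_config(wp_config_text):
    """Report which of the post's hardening defines are missing or weak."""
    defines = parse_defines(wp_config_text)
    findings = []
    for flag in ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"):
        value = defines.get(flag)
        if value is None:
            findings.append(f"{flag} is not defined")
        elif value.lower() != "true":
            findings.append(f"{flag} is {value}, expected true")
    for const in ("WP_HOME", "WP_SITEURL"):
        value = defines.get(const)
        if value is None:
            # Without the define, WordPress reads the URL from wp_options,
            # the very row the post says malware rewrites.
            findings.append(f"{const} is not pinned in wp-config.php")
        elif not value.strip("'\"").startswith("https://"):
            findings.append(f"{const} is {value}, expected an https:// URL")
    return findings

# --- Step 3: the wp-content allow-list --------------------------------------

# Apache evaluates <Files ~ "regex"> as an unanchored, case-sensitive search
# against the file's basename. ALLOW_AS_POSTED keeps an unescaped dot;
# ALLOW_ESCAPED is the corrected pattern.
EXTENSIONS = "xml|css|jpe?g|png|gif|js|woff|woff2|ttf|pdf"
ALLOW_AS_POSTED = re.compile(r".(" + EXTENSIONS + r")$")
ALLOW_ESCAPED = re.compile(r"\.(" + EXTENSIONS + r")$")

def wp_content_decision(request_path, pattern=ALLOW_ESCAPED):
    """'allow' if the wp-content rules would serve this path, else 'deny'."""
    basename = PurePosixPath(request_path).name
    return "allow" if pattern.search(basename) else "deny"

# Constructed inputs (not from the page) used by run_checks().
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', false );
define( 'WP_HOME', 'http://example.com' );
define( 'FORCE_SSL_ADMIN', true );
"""

SAMPLE_REQUESTS = [
    "wp-content/themes/demo/style.css",
    "wp-content/uploads/2020/10/photo.jpeg",
    "wp-content/plugins/demo/direct.php",
    "wp-content/uploads/2020/10/image.jpg.php",
    "wp-content/uploads/backup.sql",
]

def run_checks():
    """Run both audits on the constructed inputs and return the results."""
    config_findings = audit_wp_config(SAMPLE_WP_CONFIG)
    decisions = {p: wp_content_decision(p) for p in SAMPLE_REQUESTS}
    return config_findings, decisions

if __name__ == "__main__":
    findings, decisions = run_checks()
    for finding in findings:
        print("wp-config:", finding)
    for path, verdict in decisions.items():
        print(f"{verdict:5s} {path}")
```

Two things the model makes visible: with the unescaped dot a basename such as `notajs` is served, because `.` matches any character before `js`; and the pattern is case-sensitive, so an upload named `PHOTO.JPG` is denied unless the regex is made case-insensitive (for example `<FilesMatch "(?i)\.(...)$">`). The `Order`/`Deny`/`Allow` directives are Apache 2.2 syntax and on Apache 2.4 need mod_access_compat; the 2.4-native equivalent is `Require all denied` with `Require all granted` inside the `<Files>` block. Blocking every `.php` under wp-content also breaks any plugin that serves PHP directly from that directory, so test the site after applying the rule.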

To be Continued…