10 Effective Ways to Secure Your WordPress Site


There are many useful security plugins for WordPress, but today we are going to look at 10 effective ways to secure your WordPress site by hand. Most of them are .htaccess snippets that tighten what the web server is willing to serve, and the last one is a wp-config.php setting.

What is the .htaccess file?

.htaccess is a per-directory configuration file for web servers running Apache. When Apache serves a request from a directory that contains a .htaccess file, and the server's AllowOverride setting permits it, the directives in that file are applied to that directory and everything below it. This lets you switch Apache features on or off (directory listings, access control, URL rewriting) without editing the main server configuration. Two practical notes before you start: the access-control syntax used below (order, allow, deny) is the Apache 2.2 form, which Apache 2.4 still accepts when mod_access_compat is loaded, the native 2.4 equivalent of "deny from all" being "Require all denied"; and a syntax error in .htaccess takes the whole site down with a 500 error, so keep a backup of the file and reload a page after every change.

1. Disable Directory Browsing

There is no reason to enable directory browsing. It lets an attacker list the contents of any folder that has no index file, such as /wp-content/uploads/ or a plugin directory, and pick out backups, outdated plugins or other files worth attacking. Use -Indexes on its own: the form "Options All -Indexes" that some guides recommend also switches on every other option (Includes, ExecCGI and so on), which is more than the default and more than you want.


 # Disable directory browsing (do not use "Options All -Indexes", which enables everything else)
 Options -Indexes

2. Disable PHP Execution in the Uploads Folder

One of the most important steps is to prevent a backdoor from running out of the wp-content/uploads directory. Uploads is the one folder the web server must be able to write to, so it is the usual place an attacker drops a PHP shell after exploiting an upload flaw in a plugin or theme.

Create a .htaccess file in /wp-content/uploads/ and paste the code below. It tells Apache to refuse any request for a PHP file in that folder, so an uploaded script can still be stored there but never executed through the web. Match every extension your PHP handler is mapped to (commonly .php, .phtml, .php5 and .phar), not just .php.


 # Disable PHP execution: deny requests for .php, .phtml, .php3/.php5/.php7, .phar
 <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
 order allow,deny
 deny from all
 </FilesMatch>
 

3. Protecting .htaccess File Itself

The .htaccess file itself should never be readable over the web, since it reveals your rewrite rules and any access-control setup (and a .htpasswd file next to it holds password hashes). Apache's default configuration already denies requests for files whose names begin with .ht, but shared hosts sometimes loosen this, so add the following to your .htaccess file to enforce it:


 # Deny web access to .htaccess, .htpasswd and any other .ht* file
 <FilesMatch "^\.ht">
 order allow,deny
 deny from all
 satisfy all
 </FilesMatch>
 

4. Protect WordPress Configuration wp-config.php File

Probably the most important file in your WordPress root directory is wp-config.php. It contains your database name, user name and password, the authentication keys and salts, and how to connect to the database.

Apache normally runs the file through PHP rather than sending its source, but a broken or missing PHP handler (during a hosting migration, for instance) can cause it to be served as plain text. Deny direct requests to it with this block:


 # Protect wp config
 <Files wp-config.php>
 order allow,deny
 deny from all
 </Files>
 

5. Block cross-site scripting (XSS)

Cross-site scripting (XSS) is a vulnerability that lets an attacker inject JavaScript into a page so that other users' browsers execute it in the context of your site.

The snippet below rejects requests whose query string contains a script tag, or tries to set the PHP GLOBALS or _REQUEST variables. Treat it as a speed bump rather than a fix: it looks only at the raw query string, so differently encoded payloads, payloads that do not use a script tag, and anything sent in a POST body, header or cookie pass straight through. Real XSS protection comes from plugins and themes escaping their output.


 # Blocks common XSS attacks (query string only; see the caveat above)
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
 RewriteRule .* - [F,L]
 </IfModule>
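To see exactly where that filter stops helping, the following added example (not code from the original post) reproduces the three RewriteCond patterns as Python regular expressions and runs constructed query strings through them. mod_rewrite tests %{QUERY_STRING} as the raw, still percent-encoded text, which is what these regexes see too, so the same inputs pass or fail in both; the s= parameter is WordPress's search parameter, and the sample strings are constructed for this example.

```python
"""
Why the query-string filter above is only a speed bump.

Added example, not from the original post: the three RewriteCond patterns
are reproduced as Python regexes and run over constructed query strings.
mod_rewrite tests %{QUERY_STRING} as the raw, still percent-encoded text,
exactly as these regexes do, so the same inputs pass or fail in both.
"""
import re

# The patterns from the .htaccess snippet. Only the first carries [NC]
# (case-insensitive); the GLOBALS/_REQUEST conditions are case-sensitive.
XSS_CONDITIONS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]


def htaccess_blocks(raw_query_string: str) -> bool:
    """True if the snippet would answer 403 for this raw query string."""
    return any(p.search(raw_query_string) for p in XSS_CONDITIONS)


# Constructed samples: raw query string -> whether the rule blocks it.
SAMPLES = {
    "s=<script>alert(1)</script>": True,                # literal tags
    "s=%3Cscript%3Ealert(1)%3C/script%3E": True,        # encoded brackets
    "s=%3Cscr%69pt%3Ealert(1)%3C/scr%69pt%3E": False,   # 'i' sent as %69: no literal "script"
    "s=<img src=x onerror=alert(1)>": False,            # XSS without a script tag
    "s=<svg/onload=alert(1)>": False,
    "x=GLOBALS[foo]": True,
    "x=globals[foo]": False,                            # case-sensitive condition
}


def evaluate(samples=SAMPLES):
    """Map each sample to (blocked_by_rule, rule_behaved_as_expected)."""
    return {qs: (htaccess_blocks(qs), htaccess_blocks(qs) == expected)
            for qs, expected in samples.items()}


def unblocked(samples=SAMPLES):
    """The samples the rule lets through to WordPress, in input order."""
    return [qs for qs in samples if not htaccess_blocks(qs)]


if __name__ == "__main__":
    for qs, (blocked, _) in evaluate().items():
        print(f"{'BLOCKED' if blocked else 'passes '}  {qs}")
```

The percent-encoded "i" is enough to slip a script tag past the first condition because the browser decodes %69 but mod_rewrite never does; an img or svg event handler needs no script tag at all. That is why this rule buys a little noise reduction, not protection.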

6. Disable Access to XML-RPC File

Each WordPress install comes with a file called xmlrpc.php. It allows third-party apps (the WordPress mobile apps, Jetpack, desktop blogging clients) to connect to your site. It is also a favourite of attackers: its system.multicall method lets a single HTTP request try hundreds of username and password pairs, and its pingback.ping method can be abused to make your server send requests to other hosts. If nothing you use depends on XML-RPC, block it outright:


 # Block WordPress XML-RPC requests (breaks Jetpack, the mobile apps and pingbacks)
 <Files xmlrpc.php>
 order allow,deny
 deny from all
 </Files>

7. Restrict Access to WP Includes

The /wp-includes/ folder contains the WordPress core library files. They are only ever loaded by other PHP code, so there is no good reason for a browser to request any of them directly. The block below (from the WordPress hardening guide) returns 403 for such requests; the [S=3] rule skips the three rules that follow whenever the request is not for wp-includes, so normal page loads pay nothing for it. One caveat: on a Multisite install the rule for wp-includes/*.php stops ms-files.php from serving uploaded images, so drop that line there or skip the block.


 # Block Access to Includes Folder 
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

8. Restrict Direct Access To Plugin and Theme PHP files

Plugin and theme PHP files are meant to be loaded by WordPress, not requested on their own. Requested directly they often print PHP errors (and with them server paths) or, in poorly written code, run without WordPress's authentication. The block below answers such requests with a 404. Some plugins legitimately need a file to be reachable (AJAX endpoints, cron hooks, asset handlers), so replace the placeholder paths in the RewriteCond lines with those files or directories and add more RewriteCond lines as needed; remember that each RewriteCond applies only to the RewriteRule that immediately follows it.


 # Restricts access to PHP files from plugin and theme directories
 RewriteEngine On
 # Plugin files that must stay reachable: replace the placeholders, one RewriteCond per exception
 RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
 RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
 RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
 # Theme files that must stay reachable: same idea
 RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
 RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
 RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

9. Blocking Author Scans in WordPress

A common preparation for brute-force attacks is user enumeration: requesting /?author=1, /?author=2 and so on. WordPress redirects each of these to /author/username/, handing over valid login names one at a time; with a user name in hand the attacker only has to guess the password.

Block such scans with the snippet below. The wp-admin exclusion keeps the dashboard's own author filter (edit.php?author=N) working. Note that user names can also be enumerated through the REST API (/wp-json/wp/v2/users) and through the author permalinks themselves, so this closes one door, not all of them.


 # Block Author Scans (?author=N), except inside wp-admin where the same parameter is a post filter
 RewriteEngine On
 RewriteBase /
 RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
 RewriteCond %{QUERY_STRING} (author=\d+) [NC]
 RewriteRule .* - [F]
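Once all of the rules above are in place, the quickest way to confirm they are actually live is to request each protected URL and compare the status code with what the rule should return: 403 for "deny from all" and RewriteRule [F], 404 for RewriteRule [R=404]. The script below is an added example, not part of the original post; it probes a site with urllib and prints one line per check. The base URL, the script name, the non-existent shell.php under uploads and the akismet and twentytwentyfour paths are assumptions; substitute a plugin and theme you actually have installed.

```python
"""
Post-deployment check for the .htaccess rules on this page.

Added example, not part of the original post. Each probe pairs a path
with the HTTP status codes the corresponding rule should produce:
403 for "deny from all" and RewriteRule [F], 404 for RewriteRule
[R=404]. Run it as:  python3 check_htaccess.py https://example.com
(the script name, base URL, the non-existent shell.php and the
akismet/twentytwentyfour paths are assumptions for this example).
"""
import sys
import urllib.error
import urllib.request

PROBES = [
    # (request path, acceptable status codes, rule under test)
    ("/wp-content/uploads/", {403}, "1: directory listing disabled"),
    ("/wp-content/uploads/shell.php", {403},
     "2: PHP in uploads (file need not exist; access control runs before the file lookup)"),
    ("/.htaccess", {403}, "3: .htaccess not readable"),
    ("/wp-config.php", {403}, "4: wp-config.php not readable"),
    ("/?s=%3Cscript%3Ealert(1)%3C/script%3E", {403}, "5: script tag in query string"),
    ("/xmlrpc.php", {403}, "6: XML-RPC blocked"),
    ("/wp-includes/version.php", {403}, "7: wp-includes PHP blocked"),
    ("/wp-content/plugins/akismet/akismet.php", {404}, "8: plugin PHP (assumed plugin)"),
    ("/wp-content/themes/twentytwentyfour/functions.php", {404}, "8: theme PHP (assumed theme)"),
    ("/?author=1", {403}, "9: author scan blocked"),
    ("/", {200, 301, 302}, "site still serves its front page"),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so we see the status the rule produced."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET url once and return its HTTP status code (redirects not followed)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/4xx/5xx all arrive here


def run_probes(base_url: str, fetch=http_status, probes=PROBES):
    """Return [(path, status, passed, label)] for every probe.

    `fetch` is injectable so the logic can be exercised without a server.
    """
    base = base_url.rstrip("/")
    results = []
    for path, expected, label in probes:
        status = fetch(base + path)
        results.append((path, status, status in expected, label))
    return results


def all_passed(results) -> bool:
    """True only if every probe got one of its acceptable status codes."""
    return all(passed for _, _, passed, _ in results)


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    for path, status, passed, label in run_probes(site):
        print(f"{'ok  ' if passed else 'FAIL'} {status} {path}  ({label})")
```

Redirects are deliberately not followed: a 301 from the front page is fine, but a 301 from /?author=1 means the author-scan rule is missing and WordPress is redirecting to the author archive. A 200 on any of the 403/404 probes means the corresponding rule is not being applied, most often because AllowOverride is too restrictive on that host.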

10. Disable Your Plugin and Theme Modifications

WordPress ships with a built-in code editor (Appearance > Theme File Editor and Plugins > Plugin File Editor) that lets any administrator write arbitrary PHP to the server, and an attacker who steals or guesses an admin account gets the same power. Disable the editor by adding the line below to wp-config.php. If you deploy updates yourself, DISALLOW_FILE_MODS goes one step further and also blocks plugin and theme installation and updates from the dashboard.

define( 'DISALLOW_FILE_EDIT', true );

Conclusion

The .htaccess and wp-config.php changes above are only one part of securing a WordPress site, but with these steps your site is a little more secure than it was before.




