Hardening WordPress Like a Boss

August 18, 2018 | Views: 7178


There is a need to start protecting WordPress platforms better. With the huge number of IoCs from attacked WordPress platforms that I have seen up close, I created this guide for free use. If you want to collaborate with me on any endeavor, you can contact me at sebastian.vargas@protonmail.com.

If you do not believe me about the number of vulnerable websites, you can research it for educational purposes with the following Google dork:

Rule #1: Do not buy websites from anyone. If you have a low budget, use WordPress.com and cut the risks.

Hardening WordPress Method

The proposed structure consists of the following main points; each should be deployed correctly to guarantee lower exposure to technological risks.

  • Access Control: Risk of data loss through accounts with weak configuration.
  • Directories: Risk of cybercrime through the insertion of web shells and command-and-control centers for malware distribution, with banking-phishing consequences.
  • Components: Risk to service availability through DDoS attacks or the exploitation of vulnerable components.
  • Searches (search-engine indexing): Reputation risk through misconfiguration, with the consequence of data leakage and exposure of private folders and administration routes.
  • Backup: Risk of data loss.
  • Absence of Security: The sum of all the risks above.
  • Main Safety Recommendations:
    • Keep WordPress updated, always on the latest stable version.
    • Keep the plugins updated.
    • Do not use the default admin account.
    • Have only one user with administrator privileges.
    • Do not use weak passwords.
    • Apply least privilege to users.
    • Do not use pirated themes.
    • Do not install unnecessary plugins.
Change Database Prefix

Do not use wp_. Set $table_prefix in wp-config.php to something random, such as vs31uaq3_. On an already installed site the existing tables must be renamed to the new prefix as well, otherwise WordPress will not find them.

Recommended Permissions

Desirable: 400
uploads folder
Desirable: 755
.htaccess files
Desirable: 400

Recommended Security Plugins

Cache Plugins


Disable the Built-in Theme and Plugin File Editor

Add to wp-config.php; a compromised administrator account can then no longer write PHP through the dashboard:

define('DISALLOW_FILE_EDIT', true);
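The following script is an added example, not part of the original post: it audits a WordPress tree against the prefix, DISALLOW_FILE_EDIT and permission recommendations above. It assumes the post's unnamed "Desirable: 400" entry refers to wp-config.php, and builds a constructed sample site so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against the
# prefix, DISALLOW_FILE_EDIT and permission recommendations above.
# Assumption: the post's unnamed "Desirable: 400" entry refers to wp-config.php.

# Octal mode of a path: GNU stat first, BSD/macOS stat as a fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
not() { ! "$@"; }

# check NAME CMD...: print OK/FAIL for one check and count failures in FAILS.
check() {
    name=$1; shift
    if "$@" >/dev/null 2>&1; then echo "OK   $name"; else echo "FAIL $name"; FAILS=$((FAILS + 1)); fi
}

# Audit the site rooted at $1; the return value is the number of failed checks.
wp_audit() {
    root=$1; cfg=$root/wp-config.php; FAILS=0
    check "wp-config.php present"      [ -f "$cfg" ]
    check "table prefix is not wp_"    not grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_' "$cfg"
    check "DISALLOW_FILE_EDIT is true" grep -Eq 'DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true' "$cfg"
    check "wp-config.php mode 400"     [ "$(mode_of "$cfg")" = 400 ]
    check "uploads folder mode 755"    [ "$(mode_of "$root/wp-content/uploads")" = 755 ]
    check ".htaccess mode 400"         [ "$(mode_of "$root/.htaccess")" = 400 ]
    check "directory listing disabled" grep -q 'Options -Indexes' "$root/.htaccess"
    return "$FAILS"
}

# Constructed sample site (not a real install): default prefix, no DISALLOW_FILE_EDIT,
# world-readable .htaccess, but correct wp-config.php and uploads permissions.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf "<?php\n\$table_prefix = 'wp_';\n" > "$d/wp-config.php"
    printf 'Options -Indexes\n' > "$d/.htaccess"
    chmod 400 "$d/wp-config.php"; chmod 755 "$d/wp-content/uploads"; chmod 644 "$d/.htaccess"
    echo "$d"
}

site=$(make_sample_site)
if wp_audit "$site"; then echo "all checks passed"; else echo "failed checks: $?"; fi
```

Run it against a real site root instead of the constructed one with `wp_audit /var/www/html`; the exit status is the number of failed checks, so it drops into a cron job or CI step directly.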

Prevent Directory Listing

In .htaccess, so that a folder without an index file does not expose its contents:

Options -Indexes

Prevent Direct Calls to .php Files

Put this in the .htaccess of a directory that must never execute PHP, such as wp-content/uploads; applied at the site root it would block WordPress itself (Apache 2.2 access syntax):

<Files "*.php">
Deny from all
</Files>

Protect File Uploads

In wp-content/uploads/.htaccess: everything is denied except files whose only extension is an image type, so a double-extension name such as file.php.jpg stays blocked:

Order Allow,Deny
Deny from all
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>

Remove the WordPress Version From the Header

In the theme's functions.php:

remove_action('wp_head', 'wp_generator');

robots.txt Rules

robots.txt only asks well-behaved crawlers not to index these paths; it is not an access control, and every listed path is visible to anyone who reads the file, so pair it with the .htaccess rules below.

User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /search/*/feed
Disallow: /search/*/*
Disallow: /readme.html
Disallow: /license.txt
Disallow: /*?*
Disallow: /*?
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.wmv$
Disallow: /*.cgi$
Disallow: /*.xhtml$
Allow: /wp-content/uploads/
Allow: /*?page=*
User-agent: Mediapartners-Google
Allow: /
User-agent: Adsbot-Google
Allow: /
User-agent: Googlebot-Image
Allow: /
User-agent: Googlebot-Mobile
Allow: /
User-agent: ia_archiver*
Disallow: /
User-agent: duggmirror
Disallow: /
Sitemap: http://domain.com/sitemap.xml

BadBot Protection

Both blocks use Apache 2.2-style access syntax (mod_access_compat on 2.4). A user-agent string is chosen by the client, so these rules cut down automated noise rather than stop anyone who sends a browser-like agent, and broad words such as scan, java, curl and python will also reject legitimate tools that use their default agent.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00)
RewriteRule .* - [F,L]

# Same idea with SetEnvIf. SetEnvIf takes no [NC,OR] flags; the variable must be
# named bad_bot here, otherwise "Deny from env=bad_bot" never matches anything.
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "^Yandex" bad_bot
SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
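The script below is an added example, not part of the original post: it replays the three user-agent patterns above over constructed access-log lines (RFC 5737 documentation addresses) to show what the rules reject and, just as importantly, what they let through.

```shell
#!/bin/sh
# Added example, not from the original post: replay the user-agent rules above over
# constructed access-log lines to see what they would reject and what they let through.

# Return 0 if user-agent $1 matches one of the three RewriteCond patterns above
# (the first two are [NC], i.e. case-insensitive; the third is case-sensitive).
ua_blocked() {
    printf '%s' "$1" | grep -Eiq '(Baiduspider|HTTrack|Yandex)' && return 0
    printf '%s' "$1" | grep -Eiq '(libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader)' && return 0
    printf '%s' "$1" | grep -Eq "(<|>|'|%0A|%0D|%27|%3C|%3E|%00)" && return 0
    return 1
}

# Read combined-format log lines on stdin, report each verdict on stderr and
# print the number of blocked requests on stdout.
count_blocked() {
    n=0
    while IFS= read -r line; do
        ua=$(printf '%s\n' "$line" | sed 's/.*"\([^"]*\)"[[:space:]]*$/\1/')
        if ua_blocked "$ua"; then n=$((n + 1)); echo "BLOCK $ua" >&2; else echo "PASS  $ua" >&2; fi
    done
    echo "$n"
}

# Constructed sample log (not real traffic): two tool default agents, one agent
# carrying a '<', one ordinary browser agent and Googlebot.
SAMPLE_LOG='203.0.113.5 - - [18/Aug/2018:10:00:01 +0000] "GET /readme.html HTTP/1.1" 200 512 "-" "python-requests/2.19.1"
198.51.100.7 - - [18/Aug/2018:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/68.0 Safari/537.36"
203.0.113.9 - - [18/Aug/2018:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/7.61.0"
192.0.2.4 - - [18/Aug/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [18/Aug/2018:10:00:05 +0000] "GET /?s=%27 HTTP/1.1" 200 500 "-" "Mozilla/5.0 <script>"'

blocked=$(printf '%s\n' "$SAMPLE_LOG" | count_blocked)
echo "blocked $blocked of 5 requests"
```

The ordinary browser agent hitting wp-login.php passes untouched, which is why these rules belong in the noise-reduction category and not in the access-control one.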

Block TimThumb

Return 403 for requests to the legacy TimThumb scripts if no theme or plugin needs them (the original [S=1] flag only skips the next rule and does not block anything):

RewriteEngine On
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [F,L]

Block readme.html

readme.html reveals the installed version; deleting it after every update works as well.

<Files readme.html>
Order Allow,Deny
Deny from all
</Files>

Block xml-rpc

Blocking xmlrpc.php also disables anything that talks to the site over XML-RPC (Jetpack, the mobile apps, remote publishing), so confirm nothing on the site needs it first.

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Audit WordPress Security

  1. https://securityheaders.com/
  2. https://www.wpdoctor.es
  3. https://wpscans.com/



A+ on securityheaders.io

Add to the theme's functions.php (or a small mu-plugin). The send_headers hook runs before any output, so the header() calls succeed. Adjust the CSP source lists to the domains your site actually loads scripts and frames from, or the browser will block those resources.

add_action('send_headers', function () {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');
    // Only meaningful when the site is served over HTTPS
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // Standard header name (the X-Content-Security-Policy prefix is obsolete);
    // supported by FF 23+, Chrome 25+, Safari 7+, Opera 19+
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src https://apis.google.com https://platform.twitter.com; "
        . "child-src https://plusone.google.com https://facebook.com https://platform.twitter.com");
    header('Referrer-Policy: no-referrer-when-downgrade');
    header("Feature-Policy: vibrate 'self'");
});


Keeping WordPress safe is not that complex; do it today and avoid becoming a malware command-and-control center.