Hardening WordPress Like a Boss
Ready to Start Your Career?

Hardening WordPress Like a Boss

Sebastián Vargass profile image
By: Sebastián Vargas
August 18, 2018
There is a need to begin to better protect WordPress platforms. With the huge amount of IOC, where the WordPress platforms are attacked, which I have seen closely, I created this guide for free use. If you want to collaborate with me in any endeavor, you can contact me at sebastian.vargas@protonmail.com.If you do not believe me about the amount of vulnerable websites, you can research for educational purposes with the following Google dork:Rule# 1: Do not buy websites from anyone. If you have a low budget, then use WordPress.com and cut the risks. Hardening WordPress Method: The proposed structure consists of the following main points, which should be emphasized in their correct deployment, to guarantee a lower exposure to technological risks.
  • Access Control: There may be risks of data loss due to access of accounts with weak configuration.
  • Directories: Risk of cybercrime through the insertion of webshell and control centers for the distribution of malware with phishing banking consequences.
  • Components: Risk of service availability through DDOS attacks or exploit use.
  • Searches: Reputation risk through bad configuration, with the consequence of data filtration, access to private folders, and administration routes.
  • Backup: Risk of data loss
  • Absence of Security: The sum of all the mentioned risks.
  • Main Safety Recommendations:
    • Keep the WordPress version updated, always with the latest stable version.
    • Keep the plugins updated.
    • Do not use the admin account.
    • Have only one user with administrator privileges.
    • Do not use weak keys.
    • Use the minimum privilege with users.
    • Do not use pirate templates.
    • Do not use unnecessary plugins.
Change Database PrefixDo not use wp_Replace with something random. vs31uaq3_Recommended Permitswp-config.phpDesirable: 400uploads folderDesirable: 755htaccess filesDesirable: 400Recommended Security PluginsCache Plugins
Disable Page Code Editingdefine('DISALLOW_FILE_EDIT', true);Protects Browsing of Open DirectoriesOptions -IndexesProtects Direct Call of .php Files<Files * .php>deny from all</ Files>Protect File UploadOrder Allow, DenyDeny from all<FilesMatch "^ [^.] + . (? I: jpe? G | png | gif) $">Allow from allRemove the WordPress Version From the Headerremove_action ('wp_head', 'wp_generator');Robots.txt rules
User-agent: *Allow: /Disallow: /wp-admin/Disallow: /wp-includes/Disallow: /wp-content/Disallow: /search/*/feedDisallow: /search/*/*Disallow: /readme.htmlDisallow: /license.txtDisallow: /*?*Disallow: /*?Disallow: /*.php$Disallow: /*.js$Disallow: /*.inc$Disallow: /*.css$Disallow: /*.gz$Disallow: /*.wmv$Disallow: /*.cgi$Disallow: /*.xhtml$Allow: /wp-content/uploads/Allow: /*?page=*User-agent: Mediapartners-GoogleAllow: /User-agent: Adsbot-GoogleAllow: /User-agent: Googlebot-ImageAllow: /User-agent: Googlebot-MobileAllow: /User-agent: ia_archiver*Disallow: /User-agent: duggmirrorDisallow: /Sitemap: http://domain.com/sitemap.xml
BadBot Protection
RewriteEngine OnRewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]RewriteRule .* - [F,L]SetEnvIfNoCase user-Agent ^Baiduspider [NC,OR]SetEnvIfNoCase user-Agent ^Yandex [NC,OR]SetEnvIfNoCase user-Agent ^[Ww]eb[Bb]andit [NC,OR]SetEnvIfNoCase user-Agent ^HTTrack [NC]Order Allow,DenyAllow from allDeny from env=bad_bot
RewriteCond %{REQUEST_METHOD} (HEAD|GET|POST|OPTIONS) [NC]RewriteRule ^(.*)$ - [F,L]RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00)
Block Timthumb Wordpress
RewriteCond %{REQUEST_URI} (timthumb.php|phpthumb.php|thumb.php|thumbs.php) [NC]RewriteRule . - [S=1]
Block readme.html
<files readme.html>order allow,denydeny from all</files>
Block xml-rpc
<Files xmlrpc.php>order deny,allowdeny from all</Files>
Audit Wordpress Security
  1. https://securityheaders.com/
  2. https://www.wpdoctor.es
  3. https://wpscans.com/
 A+ in securityheaders.io
header('X-Frame-Options: SAMEORIGIN');header( 'X-Content-Type-Options: nosniff' );header( 'X-XSS-Protection: 1;mode=block' );header("Strict-Transport-Security: max-age=31536000; includeSubDomains");header("X-Content-Security-Policy: default-src 'self';script-src https://apis.google.com https://platform.twitter.com; child-src https://plusone.google.com https://facebook.com https://platform.twitter.com"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+header("Referrer-Policy: no-referrer-when-downgrade");header("Feature-Policy: vibrate 'self'");
Leaving wordpress safe is not so complex; do it today and avoid becoming a malware control center.
Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry