
Hardening WordPress Like a Boss


By: Sebastián Vargas

August 18, 2018

There is a need to begin to better protect WordPress platforms. Having seen closely the huge number of indicators of compromise (IOCs) from attacks on WordPress platforms, I created this guide for free use. If you want to collaborate with me in any endeavor, you can contact me at sebastian.vargas@protonmail.com.

If you do not believe me about the number of vulnerable websites, you can research for educational purposes with the following Google dork:

Rule #1: Do not buy websites from anyone. If you have a low budget, then use WordPress.com and cut the risks.

Hardening WordPress Method: The proposed structure consists of the following main points, which should be emphasized in their correct deployment, to guarantee a lower exposure to technological risks.
  • Access Control: Risk of data loss through access to weakly configured accounts.
  • Directories: Risk of cybercrime through the insertion of webshells and control centers for the distribution of malware, with banking phishing as a consequence.
  • Components: Risk to service availability through DDoS attacks or exploit use.
  • Searches: Reputation risk through bad configuration, with data leakage, access to private folders and exposure of administration routes as consequences.
  • Backup: Risk of data loss.
  • Absence of Security: The sum of all the mentioned risks.

Main Safety Recommendations:
  • Keep the WordPress version updated, always with the latest stable version.
  • Keep the plugins updated.
  • Do not use the admin account.
  • Have only one user with administrator privileges.
  • Do not use weak passwords.
  • Use the minimum privilege with users.
  • Do not use pirated templates.
  • Do not use unnecessary plugins.
Change Database Prefix
Do not use wp_. Replace it with something random, for example vs31uaq3_.

Recommended Permissions
wp-config.php: desirable 400
uploads folder: desirable 755
.htaccess files: desirable 400

Recommended Security Plugins

Cache Plugins
 
Disable Page Code Editing
define('DISALLOW_FILE_EDIT', true);

Protects Browsing of Open Directories
Options -Indexes

Protects Direct Call of .php Files
# Place this .htaccess in a directory that must never serve PHP (for example wp-content/uploads)
<Files *.php>
deny from all
</Files>

Protect File Upload
# Deny everything in the uploads folder except image files
Order Allow,Deny
Deny from all
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>

Remove the WordPress Version From the Header
remove_action('wp_head', 'wp_generator');

Robots.txt rules
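An added audit script (not part of the original guide) that checks the permission, table-prefix, DISALLOW_FILE_EDIT and Options -Indexes settings given above against a WordPress root. It builds a constructed sample install in a temporary directory so it runs offline; the file layout it creates and the exact mode values it expects are assumptions taken from the guide.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Desirable modes from the guide: owner-only read for wp-config.php and .htaccess, 755 for uploads.
EXPECTED_MODES = {"wp-config.php": 0o400, ".htaccess": 0o400, "wp-content/uploads": 0o755}


def audit(root):
    """Return a list of findings for the WordPress install rooted at `root`."""
    root = Path(root)
    findings = []
    for rel, want in EXPECTED_MODES.items():
        path = root / rel
        if not path.exists():
            findings.append(f"{rel}: missing")
            continue
        have = stat.S_IMODE(path.stat().st_mode)
        if have != want:
            findings.append(f"{rel}: mode {have:o}, expected {want:o}")
    cfg = (root / "wp-config.php").read_text() if (root / "wp-config.php").is_file() else ""
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg):
        findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", cfg)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("wp-config.php: table prefix is the default wp_")
    hta = (root / ".htaccess").read_text() if (root / ".htaccess").is_file() else ""
    if not re.search(r"^\s*Options\s+.*-Indexes", hta, re.M):
        findings.append(".htaccess: directory listing not disabled (Options -Indexes)")
    return findings


def build_sample_install(root, hardened):
    # Constructed sample layout (not a real site), in a hardened or a default state.
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    cfg = "<?php\n$table_prefix = '%s';\n" % ("vs31uaq3_" if hardened else "wp_")
    if hardened:
        cfg += "define('DISALLOW_FILE_EDIT', true);\n"
    (root / "wp-config.php").write_text(cfg)
    (root / ".htaccess").write_text("Options -Indexes\n" if hardened else "# default\n")
    sloppy = {"wp-config.php": 0o644, ".htaccess": 0o644, "wp-content/uploads": 0o777}
    for rel, mode in (EXPECTED_MODES if hardened else sloppy).items():
        os.chmod(root / rel, mode)


def demo(hardened):
    # Build a sample install in a temp dir, audit it and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, hardened)
        return audit(tmp)
```

Run `audit("/path/to/wordpress")` against a real install to get the same list of deviations for that site.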
User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /search/*/feed
Disallow: /search/*/*
Disallow: /readme.html
Disallow: /license.txt
Disallow: /*?*
Disallow: /*?
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.wmv$
Disallow: /*.cgi$
Disallow: /*.xhtml$
Allow: /wp-content/uploads/
Allow: /*?page=*

User-agent: Mediapartners-Google
Allow: /

User-agent: Adsbot-Google
Allow: /

User-agent: Googlebot-Image
Allow: /

User-agent: Googlebot-Mobile
Allow: /

User-agent: ia_archiver*
Disallow: /

User-agent: duggmirror
Disallow: /

Sitemap: http://domain.com/sitemap.xml
BadBot Protection
RewriteEngine On
# Refuse requests from the listed crawlers outright
RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]
RewriteRule .* - [F,L]
# Mark the same agents with the bad_bot environment variable so the Deny below applies to them
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "^Yandex" bad_bot
SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Bad Request
# Reject any HTTP method other than the ones a browser needs
RewriteCond %{REQUEST_METHOD} !^(HEAD|GET|POST|OPTIONS)$ [NC]
RewriteRule ^(.*)$ - [F,L]
# Reject scanner and library user agents, and user agents carrying injection characters
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00)
RewriteRule ^(.*)$ - [F,L]
Block Timthumb in WordPress
# Forbid requests for the thumbnail scripts that were widely abused
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [F,L]
Block readme.html
<Files readme.html>
order allow,deny
deny from all
</Files>
Block xml-rpc
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Audit WordPress Security
  1. https://securityheaders.com/
  2. https://www.wpdoctor.es
  3. https://wpscans.com/
Add CDN
https://www.cloudflare.com
A+ in securityheaders.io
<?php
// Send the hardening headers on every response (for example from the theme's functions.php)
add_action('send_headers', function () {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // Standard header name; X-Content-Security-Policy was the obsolete pre-standard form
    header("Content-Security-Policy: default-src 'self'; script-src https://apis.google.com https://platform.twitter.com; child-src https://plusone.google.com https://facebook.com https://platform.twitter.com"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+
    header('Referrer-Policy: no-referrer-when-downgrade');
    header("Feature-Policy: vibrate 'self'");
});
 
Keeping WordPress secure is not so complex; do it today and avoid becoming a malware control center.