Hardening WordPress Like a Boss

By: Sebastián Vargas

August 18, 2018

There is a need to begin protecting WordPress platforms better. Given the huge number of IOCs from attacked WordPress platforms, which I have seen up close, I created this guide for free use. If you want to collaborate with me in any endeavor, you can contact me at . If you do not believe me about the number of vulnerable websites, you can research it for educational purposes with the following Google dork:

Rule #1: Do not buy websites from anyone. If you have a low budget, then use and cut the risks.

Hardening WordPress Method

The proposed structure consists of the following main points, each of which must be deployed correctly to guarantee lower exposure to technological risks.
  • Access Control: risk of data loss through accounts with weak configuration.
  • Directories: risk of cybercrime through the insertion of web shells and control centers for distributing malware, with banking phishing as a consequence.
  • Components: risk to service availability through DDoS attacks or exploit use.
  • Searches: reputational risk through misconfiguration, with data leakage, access to private folders and exposure of administration routes as consequences.
  • Backup: risk of data loss.
  • Absence of Security: the sum of all the risks mentioned.
  • Main Safety Recommendations:
    • Keep the WordPress version updated, always on the latest stable release.
    • Keep the plugins updated.
    • Do not use the admin account.
    • Have only one user with administrator privileges.
    • Do not use weak passwords.
    • Give users the minimum privileges they need.
    • Do not use pirated templates.
    • Do not use unnecessary plugins.
Change Database Prefix

Do not use wp_. Replace it with something random, for example vs31uaq3_.

Recommended Permissions

wp-config.php: desirable 400
uploads folder: desirable 755
.htaccess files: desirable 400

Recommended Security Plugins

Cache Plugins
Disable Page Code Editing

In wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Prevent Browsing of Open Directories

Options -Indexes

Prevent Direct Calls to .php Files

This belongs in the .htaccess of the uploads folder; applied at the site root it would also block WordPress's own index.php.

<Files *.php>
deny from all
</Files>

Protect File Uploads

Order Allow,Deny
Deny from all
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>

Remove the WordPress Version From the Header

In the theme's functions.php (or a small plugin):

remove_action('wp_head', 'wp_generator');

Robots.txt rules
User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /search/*/feed
Disallow: /search/*/*
Disallow: /readme.html
Disallow: /license.txt
Disallow: /*?*
Disallow: /*?
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.wmv$
Disallow: /*.cgi$
Disallow: /*.xhtml$
Allow: /wp-content/uploads/
Allow: /*?page=*

User-agent: Mediapartners-Google
Allow: /

User-agent: Adsbot-Google
Allow: /

User-agent: Googlebot-Image
Allow: /

User-agent: Googlebot-Mobile
Allow: /

User-agent: ia_archiver*
Disallow: /

User-agent: duggmirror
Disallow: /

Sitemap:
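As an added example that is not part of the original post, the following POSIX shell script audits a WordPress tree against the recommendations above: the 400/755/400 modes, DISALLOW_FILE_EDIT in wp-config.php, a table prefix other than wp_, and Options -Indexes in .htaccess. It assumes Linux with GNU coreutils (stat -c); the function names and messages are this example's own.

```shell
#!/bin/sh
# Added audit script, not from the original post. Assumes GNU coreutils
# (stat -c) on Linux; function names and messages are this example's own.

# mode_is PATH OCTAL -> true if PATH exists and has exactly that mode
mode_is() {
    [ -e "$1" ] && [ "$(stat -c '%a' "$1")" = "$2" ]
}

# wp_audit WPROOT -> prints one line per check, returns the failure count
wp_audit() {
    root=$1; fails=0
    cfg="$root/wp-config.php"; ht="$root/.htaccess"; up="$root/wp-content/uploads"

    mode_is "$cfg" 400 && echo "OK   wp-config.php is 400" \
        || { echo "FAIL wp-config.php should be 400"; fails=$((fails + 1)); }
    mode_is "$ht" 400 && echo "OK   .htaccess is 400" \
        || { echo "FAIL .htaccess should be 400"; fails=$((fails + 1)); }
    mode_is "$up" 755 && echo "OK   uploads folder is 755" \
        || { echo "FAIL uploads folder should be 755"; fails=$((fails + 1)); }

    # define('DISALLOW_FILE_EDIT', true); removes the in-browser code editor
    grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg" 2>/dev/null \
        && echo "OK   DISALLOW_FILE_EDIT is true" \
        || { echo "FAIL DISALLOW_FILE_EDIT is not set to true"; fails=$((fails + 1)); }

    # the guide recommends a random table prefix instead of the default wp_
    if grep -Eq "^[\$]table_prefix *= *['\"]wp_['\"]" "$cfg" 2>/dev/null; then
        echo "FAIL table prefix is the default wp_"; fails=$((fails + 1))
    else
        echo "OK   table prefix is not wp_"
    fi

    # Options -Indexes stops directory listings of wp-content and friends
    grep -qi '^Options *-Indexes' "$ht" 2>/dev/null \
        && echo "OK   directory listing disabled" \
        || { echo "FAIL Options -Indexes missing from .htaccess"; fails=$((fails + 1)); }

    return "$fails"
}

# usage: sh wp_audit.sh /var/www/html   (exit status = number of failed checks)
if [ "$#" -gt 0 ]; then wp_audit "$1"; fi
```

Run it as the web server's user or root so that a 400 wp-config.php is still readable by the checks.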
BadBot Protection
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]
RewriteRule .* - [F,L]

# SetEnvIfNoCase takes the variable to set (bad_bot) as its third argument
# and accepts no [NC,OR] flags; without the variable name, "Deny from env=bad_bot" never fires
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "^Yandex" bad_bot
SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
# Apache 2.2 access syntax; Apache 2.4 without mod_access_compat uses
# "Require all granted" plus "Require not env bad_bot" inside <RequireAll>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
# Forbid requests whose User-Agent names a scanner or downloader, or carries tag or
# control characters. The RewriteCond lines must precede the RewriteRule they guard:
# method matches AND (scanner UA OR suspicious characters) -> 403.
# Note that this also blocks legitimate curl/wget/python/Java clients (monitoring,
# cron jobs) and is trivially bypassed by changing the User-Agent string.
RewriteCond %{REQUEST_METHOD} (HEAD|GET|POST|OPTIONS) [NC]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
RewriteRule ^(.*)$ - [F,L]
Block TimThumb in WordPress

# [F,L] answers 403; on its own the [S=1] flag only skips the following rule and blocks nothing
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [F,L]
Block readme.html
<Files readme.html>
order allow,deny
deny from all
</Files>
Block xml-rpc
# Also disables clients that rely on XML-RPC (Jetpack, pingbacks, the mobile apps' legacy API)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Audit WordPress Security
 A+ in
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
// The standard header name is Content-Security-Policy (FF 23+, Chrome 25+, Safari 7+, Opera 19+);
// the X- prefixed form is obsolete and ignored by current browsers. An empty directive such as
// "script-src;" is equivalent to 'none', so list the script and frame sources the site needs.
header("Content-Security-Policy: default-src 'self'; script-src; child-src");
header("Referrer-Policy: no-referrer-when-downgrade");
header("Feature-Policy: vibrate 'self'");
Keeping WordPress safe is not so complex; do it today and avoid becoming a malware control center.