Last active
October 28, 2015 15:22
WordPress security snippets for better protection. Add to .htaccess (and wp-config.php) as needed.
# General security hardening measures
# X-XSS-Protection
# https://kb.sucuri.net/warnings/hardening/headers-x-xss-protection
# Legacy header: current browsers ignore it (Chrome removed its XSS auditor),
# so this only affects old clients. Content-Security-Policy is the current mechanism.
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
# X-Frame-Options
# https://kb.sucuri.net/warnings/hardening/headers-x-frame-clickjacking
# Use "set", not "append": if another layer (WordPress itself, a plugin, a proxy)
# already sends the header, "append" yields "SAMEORIGIN, SAMEORIGIN", which is not
# a valid single token and browsers do not reliably honour it.
<IfModule mod_headers.c>
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
# X-Content-Type-Options: nosniff
# https://kb.sucuri.net/warnings/hardening/headers-x-content-type
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
# WordPress recommends the following
# http://codex.wordpress.org/Hardening_WordPress
# Block the include-only files.
# Single-site only: on Multisite the wp-includes/[^/]+\.php rule also blocks
# wp-includes/ms-files.php, which must stay reachable.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Put this at the very END of your main .htaccess file.
# "Require all denied" is the Apache 2.4 form; "Order/Deny" is the 2.2 form.
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
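The headers section above is only useful if the values actually reach the browser in a form it honours. The following audit is an added example (not part of the gist) that parses a raw HTTP response head and checks the three headers the gist sets; the two sample responses are constructed here, one showing the comma-joined value that `Header append` produces when X-Frame-Options is already set upstream, and one from the corrected `Header set` config.

```python
"""Audit the hardening headers the .htaccess above is meant to produce."""

VALID_XFO = {"DENY", "SAMEORIGIN"}

# Constructed sample responses (not real captures). RAW_APPEND models a server
# where another layer already set X-Frame-Options and the gist's original
# "Header always append" line then added a second SAMEORIGIN; it also lacks
# nosniff. RAW_FIXED models the corrected configuration.
RAW_APPEND = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)
RAW_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse a raw HTTP/1.x response head into {lowercase name: [values]}.

    Repeated header lines are kept as separate list entries so the audit can
    tell "sent twice" apart from "sent once with a comma-joined value".
    """
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers):
    """Return {header: (ok, detail)} for the headers the gist configures."""
    findings = {}

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings["x-frame-options"] = (False, "missing")
    elif len(xfo) > 1 or xfo[0].upper() not in VALID_XFO:
        # Either two header lines, or one line carrying "SAMEORIGIN, SAMEORIGIN":
        # not a single DENY/SAMEORIGIN token, so browsers may ignore it.
        findings["x-frame-options"] = (False, "not a single DENY/SAMEORIGIN token: %r" % (xfo,))
    else:
        findings["x-frame-options"] = (True, xfo[0].upper())

    xcto = headers.get("x-content-type-options", [])
    if any(v.lower() == "nosniff" for v in xcto):
        findings["x-content-type-options"] = (True, "nosniff")
    else:
        findings["x-content-type-options"] = (False, "missing or not 'nosniff'")

    # Legacy header: reported for completeness, never treated as a failure,
    # because current browsers ignore it either way.
    xxp = headers.get("x-xss-protection", [])
    findings["x-xss-protection"] = (True, xxp[0] if xxp else "absent (legacy header)")
    return findings


if __name__ == "__main__":
    for label, raw in (("append config", RAW_APPEND), ("set config", RAW_FIXED)):
        print(label)
        for name, (ok, detail) in audit(parse_headers(raw)).items():
            print("  %-24s %s  %s" % (name, "OK " if ok else "BAD", detail))
```

To run this against a live site, feed it the output of `curl -si https://example.org/` (everything up to the blank line); checking the front page alone is not enough, since wp-admin and wp-login.php go through the same .htaccess but may be served by a different layer behind a proxy.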
<?php
// Put this somewhere within wp-config.php, above the
// "That's all, stop editing!" line.
// Disable the built-in theme and plugin file editor.
// Increases security (a compromised admin account can no longer write PHP
// through the dashboard) and protects from clients that like to fiddle :D
define('DISALLOW_FILE_EDIT', true);
1. DO NOT use 'admin/administrator/website-name/company-name' as your WordPress username
2. DO generate a secure password
3. DO create your own themes so you can ensure they are clean
4. DO check plugin reviews and check they are actively maintained
5. DO keep regular backups
6. DO NOT push `wp-config.php` to a public Git repository
7. DO use a custom database prefix instead of the default `wp_`
8. DO use a custom directory structure
9.
# Create a .htaccess file within your uploads directory so nothing uploaded there runs as code.
# Deny any file whose extension chain contains a PHP extension. The (?i) matters:
# mod_mime matches extensions case-insensitively, so "shell.PHP" would otherwise run.
# The trailing (\.|$) catches double extensions such as "shell.php.jpg", which
# AddHandler-based PHP setups execute because every extension is considered.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
</FilesMatch>
# Don't allow any of the listed scripts to be executed within this directory:
# map them to the CGI handler, then disable CGI execution, so Apache answers 403.
# Typically you would never need to execute any code within your uploads directory.
# If you find this breaks something it could be a badly built plugin using this data store for its code (which is bad!)
# Both directives need AllowOverride Options and FileInfo to be permitted for this directory.
Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
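The pattern in the uploads `.htaccess` is the part that usually goes wrong, because `FilesMatch` runs an unanchored, case-sensitive regex against the file name. The following is an added example (not from the gist) that emulates that matching in Python and compares the gist's original pattern, `\.(php|php\.)$`, with the hardened one used above against a constructed list of the names a webshell uploader tries; both patterns are assumptions to be replaced with whatever your own config carries.

```python
"""Check which upload filenames an Apache FilesMatch pattern actually denies."""
import re

# Gist's original pattern and the hardened replacement (assumed; copy your own in).
ORIGINAL_PATTERN = r"\.(php|php\.)$"
HARDENED_PATTERN = r"(?i)\.(php[0-9]?|phtml|phar)(\.|$)"

# Constructed filenames, not real uploads: variants an attacker tries against
# wp-content/uploads, plus two legitimate files that must stay allowed.
CANDIDATES = [
    "image.jpg",
    "notes.txt",
    "shell.php",
    "shell.PHP",        # mod_mime compares extensions case-insensitively
    "shell.php.jpg",    # runs under AddHandler-based PHP setups (all extensions count)
    "shell.phtml",      # alternate PHP extension enabled on many hosts
    "shell.php5",
    "shell.phar",
]


def is_denied(pattern, filename):
    """FilesMatch searches the regex in the basename; it is not a full match."""
    return re.search(pattern, filename) is not None


def compare(filenames, original=ORIGINAL_PATTERN, hardened=HARDENED_PATTERN):
    """Return {filename: (denied_by_original, denied_by_hardened)}."""
    return {f: (is_denied(original, f), is_denied(hardened, f)) for f in filenames}


def gained(filenames, original=ORIGINAL_PATTERN, hardened=HARDENED_PATTERN):
    """Names the hardened pattern denies that the original let through."""
    return [f for f, (old, new) in compare(filenames, original, hardened).items()
            if new and not old]


def still_allowed(filenames, pattern=HARDENED_PATTERN):
    """Names the pattern leaves untouched; these must all be harmless."""
    return [f for f in filenames if not is_denied(pattern, f)]


if __name__ == "__main__":
    print("%-16s %-9s %s" % ("file", "original", "hardened"))
    for name, (old, new) in compare(CANDIDATES).items():
        print("%-16s %-9s %s" % (name, "deny" if old else "ALLOW", "deny" if new else "ALLOW"))
    print("newly denied:", gained(CANDIDATES))
    print("still served:", still_allowed(CANDIDATES))
```

This only models the `FilesMatch` block. The handler trick below it, and `php_flag engine off` where PHP runs as mod_php, are independent layers; where PHP runs through php-fpm via a `SetHandler` in the server config, an `.htaccess` `AddHandler` may not take precedence, so the real check is to upload a harmless `<?php echo 1;` file through the media library and confirm the request returns 403 rather than `1`.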