WordPress Security Settings

This document provides instructions for hardening a WordPress installation through .htaccess and wp-config.php modifications. It includes adding security headers, blocking SQL injection and XSS attacks, denying access to sensitive files, disabling directory browsing, blocking bad bots, removing server information, and disabling WordPress updates and comments.

Wordpress Security Settings

This document provides instructions for securing WordPress security settings through .htaccess and wp-config file modifications. It includes adding security headers, blocking SQL injection and XSS attacks, denying access to sensitive files, disabling directory browsing, blocking bad bots, removing server information, and disabling WordPress updates and comments.


WordPress Security Settings

===================================================================================
====
#Add code in .htaccess File

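#Security Headers
# "always" places each header in the table that is sent on every response
# (redirects and error pages included). Plain "Header set" only covers 2xx
# responses, which left HSTS and the framing/sniffing headers off the 3xx/4xx
# responses where they are needed just as much.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Legacy header: current browsers ignore it; kept only for older clients.
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=self"
# Add SameSite only to cookies that do not already carry it. The original
# unconditional "$1; SameSite=Lax" appended a second SameSite attribute to
# cookies that were already set with one. Cookies still lack "Secure" here;
# add it once the site is HTTPS-only (the HSTS header above assumes it is).
Header always edit Set-Cookie "(?i)^((?:(?!;\s?SameSite).)+)$" "$1; SameSite=Lax"
</IfModule>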

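#X-Frame-Options
# Intentionally empty: X-Frame-Options is already set once in the security
# headers block above. The "Header always append X-Frame-Options SAMEORIGIN"
# that used to live here produced a multi-valued header
# ("SAMEORIGIN, SAMEORIGIN"), which browsers do not treat as SAMEORIGIN -- they
# either ignore the header or fall back to DENY -- so the duplicate weakened
# the protection rather than reinforcing it.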

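#Protect Against SQL Injection
# NOTE(review): this is a keyword blocklist on the raw query string, not SQL
# injection protection -- the application's parameterised queries are what
# prevent injection. Several patterns below match ordinary WordPress traffic
# (see the per-line notes); review them against real request logs before
# relying on this block.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# HEAD was removed from the original (HEAD|TRACE|DELETE|TRACK) list: it is a
# standard method used by uptime monitors, CDNs and link checkers, and
# rejecting it breaks them without any security benefit.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
# "tag=" is a normal WordPress taxonomy query (?tag=foo); expect false positives.
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
# Rejects any URL-valued parameter, e.g. redirect_to= on the login form.
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# NOTE(review): the "ê" alternative looks like a mis-encoded character from
# the upstream list; confirm the intended character before relying on it.
# "=$" also rejects any query string ending in "=", i.e. any empty parameter
# such as "?s=".
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
# %A..%F match the first hex digit of every percent-encoded byte >= 0xA0, so
# this rejects all UTF-8-encoded non-ASCII input (accented search terms etc.).
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
# Plain substrings: "select", "request" and "union" occur in ordinary search
# terms and slugs.
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# Exempt logged-in users. The original condition had no [NC]; WordPress'
# cookie is lower-case "wordpress_logged_in_<hash>", so the case-sensitive
# match never succeeded and the exemption was dead code. The exemption only
# tests for the cookie's presence, which is client-supplied, so it is a
# usability measure and not an authentication check.
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$ [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>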

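# Blocks some XSS attacks
# The first condition had been truncated to "(\|%3E)", which matches only the
# literal text "|%3E" and so never fired. It is restored to the form already
# used in the rewrite block above: a "<script" ... ">" pair, raw or
# percent-encoded. Relies on "RewriteEngine On" from that earlier block.
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# No [NC] on the next two: they match the upper-case spelling of PHP's
# superglobal names only.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403; the index.php target is not used once [F] is set and is
# conventionally written as "-".
RewriteRule .* index.php [F,L]
</IfModule>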

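#BEGIN Block bad hackers
# "^libwww-perl*" is a regex, and the trailing "*" quantifies only the final
# "l" (so it also matched "libwww-per"). The intent is a prefix match, which
# "^libwww-perl" expresses without the stray quantifier.
SetEnvIfNoCase User-Agent "^libwww-perl" block_bad_bots
# Apache 2.2 access-control syntax; on 2.4 this needs mod_access_compat, or
# the equivalent "Require not env block_bad_bots" inside <RequireAll>.
Deny from env=block_bad_bots
#END Block bad hackers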

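# Disable directory browsing
# "Options All -Indexes" first enables every option except MultiViews
# (ExecCGI, Includes, FollowSymLinks, ...) and then removes only Indexes,
# which is more permissive than most server defaults. "-Indexes" alone turns
# listings off without granting anything else. mod_rewrite in .htaccess needs
# FollowSymLinks or SymLinksIfOwnerMatch; if the server default does not
# provide one, add it explicitly rather than going back to "All".
Options -Indexes
# Deny access to all .hta* files (.htaccess, .htpasswd, ...); the character
# classes make the match case-insensitive.
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>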

# Deny access to readme.html
# The file WordPress ships at the site root; it discloses the installed
# version, so direct requests are refused with 403.
<Files readme.html>
Order allow,deny
Deny from all
</Files>

# Deny access to license.txt
# Another stock WordPress file that fingerprints the install; refused with 403.
<Files license.txt>
Order allow,deny
Deny from all
</Files>

# Deny access to wp-config.php file
# Defence in depth: PHP normally executes this file, but if the handler is
# ever misconfigured the raw source (database credentials, salts) would be
# served. Refuse direct requests regardless.
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

# Deny access to error_log
# PHP error logs written into the web root can contain paths, queries and
# stack traces; refuse direct requests.
<Files error_log>
Order allow,deny
Deny from all
</Files>

#Possible Username & Password Disclosure.
# "^\." refuses every dotfile (.git, .env, .user.ini, .ht*); the second
# alternative covers wp-config.php and wp-config-sample.php. "(-sample)*"
# is written with "*" where "?" was presumably meant; the effect is the same
# for real file names.
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
# Redundant with the dotfile rule above and the .hta* rule earlier in the
# file, but harmless.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

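#OLD#
#Deny Access To Sensitive Files in WordPress.
# Duplicate of the directory-browsing rule earlier in the file. As in that
# rule, "All -Indexes" silently enabled ExecCGI/Includes/FollowSymLinks;
# "-Indexes" alone disables listings without granting anything else.

Options -Indexes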

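# Protect some other files
# The pattern had been wrapped across two lines, which is a syntax error in
# .htaccess (unterminated quoted argument); it must stay on one line.
# "(.*)\.ttf" was removed: it denied every TrueType font, which breaks theme
# web fonts, and fonts are not sensitive files.
<FilesMatch "(liesmich.html|faq.html|readme.html|license.txt|faq.txt|credits.html|(.*)\.bak)">
Order Deny,Allow
Deny from all
</FilesMatch>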

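# Deny config, log and credential files.
# The original wrapped the pattern across two lines (invalid in .htaccess)
# and used an unescaped "." before [hH][tT][aApP], which matched any file
# name containing "hta" or "htp" in any case -- e.g. rightarrow.png -- and
# returned 403 for it. The dot is escaped so only .hta*/.htp* names match.
# NOTE(review): robots.txt is in the deny list; a 403 there stops crawlers
# reading it. Confirm that is intended.
<FilesMatch "^.*(error_log|wp-config.php|robots.txt|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>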
# Redundant with the .hta* rules above, but harmless.
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

# The WordPress installer (wp-admin/install.php); nothing should reach it
# once the site is set up.
<Files install.php>
Order allow,deny
Deny from all
</Files>

# Presumably left behind by the Fantastico auto-installer; both disclose what
# was installed and at which version.
<Files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</Files>

<Files fantversion.php>
Order allow,deny
Deny from all
</Files>

#WordPress XML-RPC Authentication Bruteforce.
# xmlrpc.php is a frequent target for credential brute-forcing, so the
# endpoint is refused outright. Caveat: the Jetpack plugin and the WordPress
# mobile apps depend on XML-RPC; if either is in use, allow-list their source
# addresses instead of denying everything.
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

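#Directory Listing Enabled.
# NOTE(review): this section appears machine-generated (WriteCheckString
# marker) and its nesting is odd: header directives sit inside a mod_rewrite
# <IfModule> and a <FilesMatch ""> whose empty pattern matches every file.
# Kept as-is apart from the fixes noted below; confirm the intended FilesMatch
# scope against the tool that produced it.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
#WriteCheckString:1562058044_52870
RewriteRule .* - [E=HTTP_MOD_REWRITE:On]
<FilesMatch "">

<IfModule mod_headers.c>
# NOTE(review): "Header set" replaces whatever Cache-Control the application
# emitted, so WordPress' own no-cache headers on logged-in and admin pages
# are overwritten with a publicly cacheable 5-minute TTL -- with the empty
# FilesMatch scope that applies to every response. Scope this to static
# assets or drop "public".
Header set Cache-Control "max-age=300, public"
# Strict-Transport-Security is already set once at the top of this file; the
# second "Header add" that was here produced a duplicate header and is gone.
Header set X-XSS-Protection "1; mode=block"
# The original appended "X-Frame-Options DENY" here on top of the SAMEORIGIN
# set earlier in the file. Two differing values make the header invalid and
# browsers handle that inconsistently (ignore it, or fall back to DENY), so
# the conflicting append is removed and SAMEORIGIN stands.
Header set X-Content-Type-Options nosniff
</IfModule>
<IfModule mod_headers.c>
# NOTE(review): "Header unset Server" is generally ineffective; the Server
# header is added by the core after mod_headers runs. Use ServerTokens Prod in
# the main server configuration instead.
Header unset Server
# Connection is a hop-by-hop header managed by the server; setting it here
# has no security effect.
Header set Connection keep-alive
Header always unset X-Powered-By
Header unset X-Powered-By
Header unset X-CF-Powered-By
Header unset X-Mod-Pagespeed
Header unset X-Pingback
</IfModule>
</FilesMatch>
</IfModule>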

--------------------------------------------------------------
2) wp-config.php
Add the following code to wp-config.php
// Emits a cookie literally named "hidden" with value "value" and the HttpOnly
// flag. NOTE(review): this looks like a placeholder -- it does not add
// HttpOnly to the cookies WordPress itself issues (core sets those flags when
// it calls setcookie; confirm against wp_set_auth_cookie), and the cookie
// written here carries no Secure or SameSite attribute.
header("Set-Cookie: hidden=value; httpOnly");
// Disables the background updater entirely: core (including minor/security
// releases), plugins, themes and translations. Only acceptable when another
// process applies security patches promptly.
define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Strips PHP's version banner from responses; expose_php=Off in php.ini does
// the same server-wide.
header_remove("X-Powered-By");
// Duplicates the X-Frame-Options set in .htaccess, which overrides it anyway;
// one location is enough.
header('X-Frame-Options: SAMEORIGIN');
===================================================================================
==
