Securing WordPress involves many many techniques, tricks. I don’t want to go too far on this topic, here let me share with you some useful code snippets that you can throw into .htaccess file without thinking. These code snippets will greatly enhance the security level of your WordPress blog/website, keeping 90% hackers outside of your site!
This tutorial applies to Apache, Lightspeed servers only.
Before we start , make sure you have this tiny, yet powerful file name .htaccess on your site root folder.
Note: if your WordPress installation is not on site root folder, don’t take .htaccess file with WordPress, this file must be kept on website root folder, it could, theoretically, be reached with this url : http://www.domain.com/.htaccess (due to security reasons, it could be reached using this way, but it’s there, right under the root folder ! )
Let begin. Open the file with Text Editor, like Notepad++. DO NOT use Windows Notepad, it’s stupid, will cause many problems. Insert the following snippets into .htaccess file.
1. Disable directory browsing
# Disable directory browsing Options All -Indexes
2. Hide Server Signature
#Hide Server Signature ServerSignature Off
3. (Advanced, Optional) Restrict wp-login.php access by IP addresses
#Restrict wp-login.php access <Files wp-login.php> Order Deny,Allow Deny from All #IP Whitelist, one per line allow from IP1 allow from IP2 allow from IP3 </Files>
Note: IP could be full or partial, you can restrict access by a fix IP address like 220.127.116.11 , only the very computer with this IP could login your site now, yeah, you might have notices, it’s Google public DNS address.
If you want computers within that area to have access to your login file, use 8.8.8. or even 8.8. Thus, a lot more people within the IP range could reach wp-login.php file, this is useful when you want all your company staff to have access to your wp-login.php file. As we know, a company usually has lots of computers within same IP range.
4. (Advanced) Forbid Access to important files
Try going to http://www.yourdomain.com/readme.html you will see your WordPress installation version, lol,hackers will know that, and find security holes of that version. So you need to delete it manually, each time you upgrade WordPress ,that file will reappear, stupid to do it manually.
Don’t bother yourself doing repetitive work, use the following code snippet, it will block access to readme.html file, and many more similar important files, like: error_log, change log, license, htaccess file.
#Forbid Access to the following files <FilesMatch "(error_log|[rR]eadme|[cC]hangelog|[lL]icense|config|\.[hH][tT][aApP].*)"> Order allow,deny Deny from all Satisfy All </FilesMatch>
—– This is why the following url returns 403:
Above are necessary techniques you need to know, without causing chaos.
If you want more exciting, yet potentially risky techiniques, go to http://perishablepress.com/5g-blacklist-2013/ Use at your own risk :)