//How to improve basic security of a WordPress site

How to improve basic security of a WordPress site

This page lists some modifications that can be made to make a standard WordPress installation more secure. The techniques covered are:

Protect wp-admin directory

The wp-admin/ directory can be protected from unauthorised access using apache web server. The specific directory can be protected using .htaccess which will only allow authorised users to access and login to the admin section of the wordpress site.

Stop scripts execution in wp-includes

It is possible to stop certain scripts being executed which are contained in the wp-includes directory. This is done by adding code to the main .htaccess at the root directory of the website.

Site wide restrictions

Code can be added to the .htaccess file located in the root of the site inorder to further restrict access to certain files contained in any part of the site. The regular expression used for this is "^.*\.([Hh][Tt][Aa])".

Protect wp-config file

Protect the main config file of the wordpress installation by disallowing access. This can be done by explcitiy denying accesss to the config by by added the below code to the .htaccess in the root of the site.



order allow,deny
deny from all

Protect wp-content folder

It is possible to protect certain files from being accessable from the wp-content folder. The can be done by placing a .htaccess in the wp-content folder. The regular expression used might vary depending on the wordpress configuration that is being run. For example, the a basic entry in the .htaccess file might be as follows:


Order deny,allow
Deny from all

Allow from all

The above code is not compatible with a wordpress installation that is based on bootstrap. The following changes have to be made in order to restrict access to the wp-content folder, while still allowing the bootstrap elements to work correctly.



Site wide directory restriction

It is a good idea to restrict access to certain directories that should never be accessed by used under normal circumstances. This can be achieved using the code added to .htaccess file:



RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Disable directory browsing

A standard Apache installation will allow access to directory listings, which contains details of files and scripts in the directory (even if they are not directly accessible). To restrict the access of directories on your site use the code below added to the root .htaccess file.


# disable directory browsing
Options All -Indexes