This page lists some modifications that can be made to make a standard WordPress installation more secure. The techniques covered are:
- Protect wp-admin directory
- Stop scripts execution in wp-includes
- Site wide restrictions
- Protect wp-config file
- Protect wp-content folder
- Site wide directory restriction
- Disable directory browsing
The wp-admin/ directory can be protected from unauthorised access using the Apache web server. A .htaccess file placed in that directory restricts it so that only authorised users can access and log in to the admin section of the WordPress site.
It is possible to stop certain scripts contained in the wp-includes directory from being executed. This is done by adding code to the main .htaccess file in the root directory of the website.
Code can be added to the .htaccess file located in the root of the site in order to further restrict access to certain files contained in any part of the site. The regular expression used for this is
Protect the main config file of the WordPress installation by disallowing access to it. This can be done by explicitly denying access to wp-config.php by adding the code below to the .htaccess file in the root of the site.

    # The <Files> wrapper limits the denial to wp-config.php; without it the
    # two directives would block the whole site
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
It is possible to protect certain files in the wp-content folder from being accessible. This can be done by placing a .htaccess file in the wp-content folder. The regular expression used might vary depending on the WordPress configuration that is being run. For example, a basic entry in the .htaccess file might be as follows:

    Order deny,allow
    Deny from all
    # Allow only the static asset types matched by the pattern below. The
    # pattern shown is an assumed typical one; adjust it to the file types
    # your site actually serves from wp-content
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>
The above code is not compatible with a WordPress installation that is based on Bootstrap. The following changes have to be made in order to restrict access to the wp-content folder while still allowing the Bootstrap elements to work correctly.
It is a good idea to restrict access to certain directories that should never be accessed by users under normal circumstances. This can be achieved using the code added to

    RewriteEngine On
    RewriteBase /
    # Refuse direct requests to wp-admin/includes/
    RewriteRule ^wp-admin/includes/ - [F,L]
    # For any request outside wp-includes/, skip the next three rules
    RewriteRule !^wp-includes/ - [S=3]
    # Refuse direct requests to PHP files at the top level of wp-includes/
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
A standard Apache installation will allow access to directory listings, which contain details of files and scripts in the directory (even if they are not directly accessible). To restrict access to directory listings on your site, use the code below added to the root

    # disable directory browsing
    Options All -Indexes
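As an added check, not from the original page, the script below confirms that rules like the ones above actually take effect once deployed: it requests one path that each rule should refuse and reports whether the server answers 401/403 (blocked), 404 (missing) or anything else (exposed). The paths and the base URL are assumptions; point it at your own site.

```python
"""Constructed verification script (not part of the original page)."""
import sys
import urllib.error
import urllib.request

# One request per hardening rule on the page; each path should be refused.
# The paths are constructed examples of what each rule is meant to cover.
CHECKS = [
    ("wp-admin/", "Protect wp-admin directory"),
    ("wp-config.php", "Protect wp-config file"),
    ("wp-includes/version.php", "Stop scripts execution in wp-includes"),
    ("wp-admin/includes/file.php", "Site wide directory restriction"),
    ("wp-content/uploads/", "Disable directory browsing"),
]


def http_status(url, timeout=10):
    """GET url and return the status code (an HTTPError still carries one)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(status):
    """401 (auth required) or 403 (forbidden) means the rule took effect."""
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "missing"   # nothing there to protect, or the path differs
    return "exposed"       # 200 etc.: the resource is still reachable


def audit(base_url, fetch=http_status):
    """Return {path: (rule, verdict)}; fetch is injectable for offline tests."""
    base = base_url.rstrip("/")
    return {path: (rule, verdict(fetch(f"{base}/{path}"))) for path, rule in CHECKS}


def exposed_paths(results):
    """Paths whose rule did not take effect, sorted for stable reporting."""
    return sorted(path for path, (_, v) in results.items() if v == "exposed")


if __name__ == "__main__":
    outcome = audit(sys.argv[1])   # e.g. https://example.test (your own site)
    for path, (rule, v) in outcome.items():
        print(f"{v:8} {path:30} {rule}")
    sys.exit(1 if exposed_paths(outcome) else 0)
```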