WordPress

Hardening WordPress: Security Tweaks & Code Snippets

Looking for quick and easy ways to improve your website security by hardening WordPress? Here are some WordPress security code snippets to better secure your website. We’ve previously shared other useful WordPress code snippets, SEO code snippets, and general website security code snippets so take a look at those posts for more quick tricks and tips. Here is a collection of our most used WordPress security code snippets. Most of these go in .htaccess files and work great on our Apache hosting servers.

 

1. Block PHP code execution in wp-includes, wp-content & uploads directories

Here’s an important trick for hardening WordPress straight from our general website security code snippets. This will prevent malicious PHP scripts from running in directories that shouldn’t have PHP scripts in them. Do make sure to carefully check your website functionality after implementing this as it can break theme or plugin functionality that relies on PHP files in these directories. If you need to whitelist specific files, we suggest using the Sucuri WordPress security plugin. To implement this code snippet just create a .htaccess file in each directory you want to protect and add the code below:

<FilesMatch "\.(?i:php)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>  

 

2. Change your WP Database Prefix

WordPress uses the wp_ prefix on all its MySQL tables by default, sometimes you might want to change this to your own custom prefix. A lot of WordPress security guides recommend changing the prefix to something non-standard but it is arguable that this helps much. Since if an attacker already has database access then you clearly have bigger problems, and they can simply read the prefix from your tables. Even so, it can’t hurt to change your database prefix which will foil basic attacks. Here’s how you do it in 3 steps:

Step 1: Change the prefix set in wp-config.php
Step 2: Change the prefix of the actual tables using phpMyAdmin or similar
Step 3: Run the SQL  query below to update fields in wp_options and wp_usermeta tables

UPDATE `newprefix_options` SET `option_name`=REPLACE(`option_name`,'wp_','newprefix_') WHERE `option_name` LIKE '%wp_%';
UPDATE `newprefix_usermeta` SET `meta_key`=REPLACE(`meta_key`,'wp_','newprefix_') WHERE `meta_key` LIKE '%wp_%';

 

3. Block xmlrpc.php access

A couple of years ago attacks on xmlrpc.php were common. Not many websites actually use the XMLRPC functionality so one simple way of avoiding these attacks was to simply delete the xmlrpc.php file. However the file was restored every time you updated WordPress, so this wasn’t a very good solution. A better way is to block or limit access to xmlrpc.php via .htaccess. Note that Jetpack is one popular plugin that requires XMLRPC to work, but most websites won’t need it at all and can safely block it.

Add this code to your .htaccess file, you can set the IP addresses to allow access from if necessary (your own IP and your server IP):

<Files xmlrpc.php>
<IfModule !mod_authz_core.c>
order deny,allow
deny from all
allow from <IP ADDRESS>
</IfModule>
<IfModule mod_authz_core.c>
Require ip <IP ADDRESS> <IP ADDRESS>
</IfModule>
</Files>

Or alternatively, a simpler way is just to deny from all:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

 

4. Limit access to wp-login.php and /wp-admin/ by IP address

For the ultimate WordPress security, you can restrict access to wp-login.php and /wp-admin/ area to only your static IP address. Though of course this will only work if you are the only user that logs into the website, and you do need a static IP address in order to do this. Simply add this code to your .htaccess file to limit access to wp-login.php:

<Files wp-login.php>
Order deny,allow
Deny from all
Allow from <YOUR IP ADDRESS>
</Files>

To limit access to the whole /wp-admin/ directory, create a .htaccess file at /wp-admin/.htaccess and add this code:

Order Deny,Allow
Deny from all
Allow from <YOUR IP ADDRESS>

 

5. Limit access to wp-login.php and /wp-admin/ by referrer

Many websites have multiple users and can’t limit access by IP address, but you can check that the referrer is a link on your website and not an external script. Many attacks send requests directly to your wp-login.php file, this snippet will block those attacks while letting your genuine website users log in normally. This is suitable for membership sites and should work fine with WooCommerce. Make sure to change http/https and yourdomain.com to your own website URL:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?yourdomain\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

 

6. Force SSL in the WP Admin area

If you aren’t using https for your full website we’d highly recommend using it for your admin area to protect yourself against password snooping attacks. Since all our hosting accounts come with automatic free SSL certificates all you need to do is add the following line to your wp-config.php:

define('Force_SSL_Admin', true);

 

7. Lock down your wp-config.php file

Your wp-config.php file is possibly the most important file in your whole WordPress installation since it includes your database login credentials and other information that a hacker would love to see. You can protect your wp-config.php file by adding the following code to your .htaccess file:

<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

 

8. Block username / user id phishing

Many WordPress websites already disable author archives completely or change the author URL slugs to something other than the username. This helps with security because then potential attackers cannot see what your authors use as their login username. But if you haven’t secured your author archives then a malicious attacker can use a specific URL query string to find out your user’s usernames:

https://www.yourdomain.com/?author=1

By default this URL will redirect to your author archive at https://www.yourdomain.com/author/your-username/ for your user id 1 – which is often your admin user. Unless the author slug has been changed (which is highly recommended), this gives the attacker the username of the user. Let’s block this by adding the following code to your .htaccess so that anyone using the ?author=1 string to scan your site will be harmlessly redirected to the homepage:

<IfModule mod_rewrite.c>
 RewriteCond %{QUERY_STRING} ^author=([0-9]*)
 RewriteRule .* https://www.yourdomain.com/? [L,R=302]
</IfModule>

 

9. Change author slug: user nickname instead of username

As mentioned in the previous tip, you can change your author archive slugs so that potentially malicious people can’t see what your author usernames are. Add the following code to your theme functions.php and rebuild your permalinks. Make sure your users have a nickname set and then your author archives will use that instead of their username:

add_action( 'user_profile_update_errors', 'set_user_nicename_to_nickname', 10, 3 );
function set_user_nicename_to_nickname( &$errors, $update, &$user ) {
 if ( ! empty( $user->nickname ) ) {
  $user->user_nicename = sanitize_title( $user->nickname, $user->display_name );
 }
}

 

10. Disable the theme and plugin file editor

The WordPress admin area has a easy way to edit your theme and plugin files just by going to Editor under the Appearance/Plugins menu items. This also makes it very easy for a malicious attacker to edit your theme files if they gain access to your WordPress website. Don’t make it easy for them and disable the file editing by adding the following line to wp-config.php. You will still be able to edit your theme and plugin files via FTP:

define('DISALLOW_FILE_EDIT', true);

 

Looking for more tips on hardening WordPress and other website security tweaks? Check out our developer resource code.hostasean.com for more code snippets and also our own WordPress plugins. Let us know in the comments if you are having any problems or have any more tips.

Mr WordPress

We use WordPress every day, and so do many of our customers. We post tips, tricks and WordPress guides on the HostAsean blog to help you put together your own powerful WordPress based website. Subscribe for the latest updates or check back regularly.

Share
Published by
Mr WordPress

Recent Posts

HTTP vs HTTPS: Risks of not using an SSL certificate on your website

HTTP vs HTTPS and SSL certificates can be a confusing topic. You probably know that…

5 years ago

Free Upgrades to Existing Web Hosting Packages

We have some news for you, we've not just upgraded one of our most popular…

5 years ago

Don’t reinvent the wheel. Why use WordPress instead of coding your own CMS

You shouldn't need much convincing, WordPress is a great tool for a lot of website…

5 years ago

No need to buy SSL certificates – they’re free!

You need an SSL certificate on your website, that’s not up for discussion. But we…

5 years ago

Save the environment – keep your website lightweight and energy efficient

Save the environment one line of code at a time. Improving your website performance benefits…

5 years ago

Troubleshooting common email issues

It’s inevitable, something’s gone wrong – usually just when you need to send that important…

5 years ago