@mukeshwani
Created July 13, 2020 00:27
Code snippets to secure your WordPress website.
*Add snippets 1-7 to your .htaccess file; snippet 8 is PHP.*
1. Protect important WordPress files
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order deny,allow
Deny from all
</FilesMatch>
2. Prevent WordPress username enumeration
RewriteEngine On
# Match ?author=<number> (\d, not a literal d) and send the request to the front page
RewriteCond %{QUERY_STRING} (^|&)author=\d+
RewriteRule ^ /? [L,R=301]
3. Restrict direct access to plugin and theme files
# Restrict direct access to PHP files in the plugin and theme directories
# Optional exclusions: uncomment and edit the two RewriteCond lines. A RewriteCond only applies to the RewriteRule
# immediately after it, so these conditions affect the plugins rule only.
#RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
#RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
4. Prevent PHP files in uploads folder.
# Paste this in a new .htaccess file in the wp-content/uploads folder.
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
5. Limit access to the login page and admin dashboard
# Serve the front page instead of a bare 401/403 so blocked requests reveal nothing
ErrorDocument 401 /index.php?error=404
ErrorDocument 403 /index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
# Reject POSTs to wp-login.php or wp-admin whose Referer is not this site (replace your-site.com).
# Browsers or extensions that suppress the Referer header will also be blocked.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-site\.com(/|$) [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
6. Remove unneeded files
readme.html
/wp-admin/install.php
wp-config-sample.php
7. Block malicious query strings (script tags and GLOBALS/_REQUEST overrides); add to .htaccess
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
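The query-string filters from snippets 2 and 7, restated as a WordPress must-use plugin. This is an added example, not code from the gist: it is useful on hosts that ignore .htaccess and, because the matching is a plain function, for checking what the patterns really catch before enforcing them. The file location and the `wpsec_` function names are my own.

```php
<?php
/**
 * Plugin Name: Query-string filter (added example, not from the gist)
 * Drop this file into wp-content/mu-plugins/ to apply the checks from
 * snippets 2 and 7 in PHP, e.g. where .htaccess is not honoured.
 */

// Mirrors the RewriteCond lines. Returns 'redirect', 'block' or 'allow'.
function wpsec_classify_query( string $query_string ): string {
    // Snippet 2: ?author=<digits> enumeration, anchored so that "author=d"
    // or "coauthor=1" do not match.
    if ( preg_match( '/(^|&)author=\d+/', $query_string ) ) {
        return 'redirect';
    }
    // Snippet 7: script tags (raw or %3C/%3E encoded) and PHP superglobal overrides.
    $block_patterns = array(
        '/(<|%3C).*script.*(>|%3E)/i',
        '/GLOBALS(=|\[|%[0-9A-Z]{0,2})/',
        '/_REQUEST(=|\[|%[0-9A-Z]{0,2})/',
    );
    foreach ( $block_patterns as $pattern ) {
        if ( preg_match( $pattern, $query_string ) ) {
            return 'block';
        }
    }
    return 'allow';
}

// Applies the decision to the current request, matching the .htaccess behaviour:
// 301 to the front page for author enumeration, 403 for the blocked patterns.
function wpsec_enforce(): void {
    $qs = $_SERVER['QUERY_STRING'] ?? '';
    switch ( wpsec_classify_query( $qs ) ) {
        case 'redirect':
            wp_safe_redirect( home_url( '/' ), 301 );
            exit;
        case 'block':
            status_header( 403 );
            nocache_headers();
            exit;
    }
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'init', 'wpsec_enforce', 0 );
}
```

With constructed inputs, `wpsec_classify_query` returns `redirect` for `author=1`, `allow` for `author=d` (a pattern written as `author=d` matches only that literal string, which is why the `\d` matters), `block` for `GLOBALS[x]=1` and for `_REQUEST%5Bx%5D=1`, and also `block` for `s=%3Cb%3Etranscript%3C%2Fb%3E`. That last case is a false positive: the snippet 7 pattern only requires an angle bracket, the letters "script" somewhere, and a closing bracket, so an ordinary search term like "transcript" wrapped in encoded HTML is rejected. Run the function over your own access logs' query strings before enabling it on a live site.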
8. Secure with HTTP headers (PHP, not .htaccess; call these before any output is sent)
#Add the following to whitelist allowed content, script, style, and other content sources ('self' must be quoted):
header('Access-Control-Allow-Headers: X-WP-Nonce');
header("Content-Security-Policy: default-src 'self'");
#Add the line below to stop the page from being rendered in a frame on other origins:
header('X-Frame-Options: SAMEORIGIN');
#Add the following lines to enable the legacy browser XSS filter and tell the browser not to sniff MIME types:
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
#Add the code below to instruct the browser to use only HTTPS for the next year:
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
#Mark PHP session cookies HttpOnly and Secure, and accept session IDs only from cookies:
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
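Snippet 8 does not say where the `header()` calls should live; in WordPress they must run before any output. Below is an added example of a must-use plugin (not code from the gist) that sends the same headers from the `send_headers`, `admin_init` and `login_init` hooks. It ships the CSP as Report-Only by default, because `default-src 'self'` blocks the inline scripts the WordPress admin depends on, and it only sends HSTS over HTTPS. The file location, the `wpsec_` names and the report-only default are my own choices.

```php
<?php
/**
 * Plugin Name: Security headers (added example, not from the gist)
 * Place in wp-content/mu-plugins/ so it loads before any theme or plugin.
 */

// Builds the header map from snippet 8 so it can be inspected without sending it.
function wpsec_security_headers( bool $csp_report_only = true ): array {
    $headers = array(
        'Access-Control-Allow-Headers' => 'X-WP-Nonce',
        'X-Frame-Options'              => 'SAMEORIGIN',
        'X-Content-Type-Options'       => 'nosniff',
        'X-XSS-Protection'             => '1; mode=block',
        'Strict-Transport-Security'    => 'max-age=31536000; includeSubDomains; preload',
    );
    // 'self' must be quoted; unquoted it is parsed as a host named "self".
    // Start with Report-Only: the WordPress admin uses inline scripts that
    // default-src 'self' would block. Pass false once the reports are clean.
    $csp_name = $csp_report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    $headers[ $csp_name ] = "default-src 'self'";
    return $headers;
}

// Sends the headers; HSTS is meaningful only on an HTTPS response.
function wpsec_send_security_headers(): void {
    foreach ( wpsec_security_headers() as $name => $value ) {
        if ( 'Strict-Transport-Security' === $name && ! is_ssl() ) {
            continue;
        }
        header( $name . ': ' . $value );
    }
}

// Session cookie hardening from snippet 8. WordPress itself does not use PHP
// sessions; these settings only affect plugins that call session_start().
ini_set( 'session.cookie_httponly', '1' );
ini_set( 'session.cookie_secure', '1' );
ini_set( 'session.use_only_cookies', '1' );

if ( function_exists( 'add_action' ) ) {
    add_action( 'send_headers', 'wpsec_send_security_headers' ); // front end
    add_action( 'admin_init', 'wpsec_send_security_headers' );   // wp-admin
    add_action( 'login_init', 'wpsec_send_security_headers' );   // wp-login.php
}
```

WordPress sets its own authentication cookies with the HttpOnly flag and marks them Secure when the request is served over HTTPS, so the three `ini_set` lines add protection only for plugins that open PHP sessions. Verify the result with `curl -I https://your-site.com/` and confirm the Report-Only header appears before switching `wpsec_security_headers( false )` to enforce the policy.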