Note: the paths below assume that WordPress is installed in a wordpress subdirectory and uses a WordPress multi-environment configuration.
See: Why are there path disclosures when directly loading certain files?
Add the following to .user.ini (or similar):
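; Turn off display of errors to prevent full path disclosures in WordPress
; https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
; Comments here start with ";" because PHP 7.0 and later no longer accept "#"
; comments in INI files.
; .user.ini is read only by the CGI/FastCGI SAPIs (PHP-FPM included). Under mod_php
; set the equivalent in .htaccess or in the main PHP configuration instead.
; Hiding errors from visitors should not mean losing them: confirm that log_errors
; is enabled and that error_log points to a file the web server does not serve.
display_errors = Off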
Add the following to wordpress/.htaccess:
# Block access to wp-config.php
# Denying every request protects the configuration file (typically database
# credentials and secret keys) even if PHP handling is misconfigured and the
# server would otherwise return the source as plain text.
<Files "wp-config.php">
# Apache 2.4 and later: mod_authz_core syntax
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Fallback for Apache 2.2, used only when mod_authz_core is not loaded
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
</Files>
Add the following to wordpress/wp-config/.htaccess:
# Block access to all files in this directory
# There is no <Files> wrapper, so the rule applies to everything under the
# directory that holds this .htaccess, subdirectories included.
# These directives take effect only if AllowOverride permits them (AuthConfig
# for Require, Limit for Deny). Verify by requesting a file from this directory
# and confirming that the server answers 403.
# Apache 2.4 and later: mod_authz_core syntax
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Fallback for Apache 2.2, used only when mod_authz_core is not loaded
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
Add the following to wordpress/.htaccess:
# Restrict access to login form only to certain IPs
# 1.2.3.4 and 5.6.7 are placeholders; replace them with your own addresses.
# The match is made against the address Apache sees for the connection. Behind a
# reverse proxy, load balancer or CDN that is the proxy's address unless
# mod_remoteip (or an equivalent) restores the client address, so test the rule
# from an address that should be refused.
# This covers wp-login.php only. xmlrpc.php also accepts credentials and needs
# its own restriction if it is not otherwise disabled.
<Files "wp-login.php">
# Apache 2.4 and later: mod_authz_core syntax
<IfModule mod_authz_core.c>
# Only allow 1.2.3.4 address and 5.6.7 subnet
# (a partial address such as 5.6.7 matches every host in 5.6.7.0/24)
Require ip 1.2.3.4 5.6.7
</IfModule>
# Fallback for Apache 2.2, used only when mod_authz_core is not loaded
<IfModule !mod_authz_core.c>
# "deny,allow" evaluates Deny first and lets a matching Allow override it
Order deny,allow
Deny from all
# Only allow 1.2.3.4 address and 5.6.7 subnet
Allow from 1.2.3.4 5.6.7
</IfModule>
</Files>
Add the following to wordpress/wp-content/.htaccess:
# Restrict access to debug.log only to certain IPs
# debug.log can contain full paths, queries and other diagnostic detail, so it
# should not be readable by arbitrary visitors.
# 1.2.3.4 and 5.6.7 are placeholders; replace them with your own addresses.
# Behind a reverse proxy or CDN the address matched is the proxy's unless
# mod_remoteip (or an equivalent) restores the client address.
# WP_DEBUG_LOG also accepts a file path, which allows keeping the log outside
# the document root instead of relying on this rule alone.
<Files "debug.log">
# Apache 2.4 and later: mod_authz_core syntax
<IfModule mod_authz_core.c>
# Only allow 1.2.3.4 address and 5.6.7 subnet
Require ip 1.2.3.4 5.6.7
</IfModule>
# Fallback for Apache 2.2, used only when mod_authz_core is not loaded
<IfModule !mod_authz_core.c>
# "deny,allow" evaluates Deny first and lets a matching Allow override it
Order deny,allow
Deny from all
# Only allow 1.2.3.4 address and 5.6.7 subnet
Allow from 1.2.3.4 5.6.7
</IfModule>
</Files>
Add the following to wordpress/wp-content/uploads/.htaccess:
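# Block access to files that a PHP handler may execute: .php, .php followed by
# one digit (.php3 ... .php8), .phtml, .pht, .phar and .phps, in any letter case.
# Which extensions are actually passed to PHP depends on the handler
# configuration of the server; compare this list with that configuration and
# extend it if the server maps further extensions.
# The pattern is anchored at the end of the file name. Where PHP is mapped with
# AddHandler or AddType, mod_mime also honours an extension in the middle of a
# name (name.php.jpg), which this rule does not cover; mapping PHP with
# SetHandler inside a FilesMatch in the server configuration avoids that case.
<FilesMatch "(?i)\.(?:php[0-9]?|phtml|pht|phar|phps)$">
# Apache 2.4 and later: mod_authz_core syntax
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Fallback for Apache 2.2, used only when mod_authz_core is not loaded
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
</FilesMatch>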