sirchrispy · March 15, 2016 21:40
diff --git a/security.php b/security.php
 <?php
 /*
    Steps to Secure WordPress
    
    1. Create your own database with a unique name
    2. Use a unique table prefix
    3. Change default Admin username
    4. After install, remove wp-admin/install.php
    5. Disable version info
    6. Secure wp-config.php via .htaccess file
    7. Create a .htaccess file in /uploads/ to restrict file types
    8. Add a firewall plugin:
        https://wordpress.org/support/view/plugin-reviews/wp-simple-firewall
        or https://plugin-planet.com/bbq-pro/
    9. Prevent Hotlinking (also see https://perishablepress.com/creating-the-ultimate-htaccess-anti-hotlinking-strategy/)
    
 */
    
    
 // Disable all version information (functions.php)
 function fs_disable_version_info() { return ''; }
 add_filter('the_generator', 'fs_disable_version_info');

 ?>

 # SECURE WP-CONFIG.PHP (root .htaccess)
 # Blocks external access to wp-config
 # Allows access from files on server
 <Files wp-config\.php>
    Order Deny,Allow
    Deny from all
 </Files>


 # SECURE UPLOADS DIRECTORY (/uploads/ .htaccess)
 # Allows access to uploaded media files, while denying requests for all other requests
 # Allows only designated file types
 <Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
 </Files>
 <FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|pdf)$">
    Order Deny,Allow
    Allow from all
 </FilesMatch>


 # HOTLINK PROTECTION
 # replace 'example' with main part of your own domain
 # currently protects .gif, .jp*, .png files, but you can add more
 <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\. [NC]
    RewriteRule .* - [F]
 </IfModule>
	<?php
	/*
	Steps to Secure WordPress

	1. Create your own database with a unique name
	2. Use a unique table prefix
	3. Change default Admin username
	4. After install, remove wp-admin/install.php
	5. Disable version info
	6. Secure wp-config.php via .htaccess file
	7. Create a .htaccess file in /uploads/ to restrict file types
	8. Add a firewall plugin:
	https://wordpress.org/support/view/plugin-reviews/wp-simple-firewall
	or https://plugin-planet.com/bbq-pro/
	9. Prevent Hotlinking (also see https://perishablepress.com/creating-the-ultimate-htaccess-anti-hotlinking-strategy/)

	*/


	// Disable all version information (functions.php)
	function fs_disable_version_info() { return ''; }
	add_filter('the_generator', 'fs_disable_version_info');

	?>

	# SECURE WP-CONFIG.PHP (root .htaccess)
	# Blocks external access to wp-config
	# Allows access from files on server
	<Files wp-config\.php>
	Order Deny,Allow
	Deny from all
	</Files>


	# SECURE UPLOADS DIRECTORY (/uploads/ .htaccess)
	# Allows access to uploaded media files, while denying requests for all other requests
	# Allows only designated file types
	<Files ~ ".\..">
	Order Allow,Deny
	Deny from all
	</Files>
	<FilesMatch "\.(jpg\|jpeg\|jpe\|gif\|png\|tif\|tiff\|pdf)$">
	Order Deny,Allow
	Allow from all
	</FilesMatch>


	# HOTLINK PROTECTION
	# replace 'example' with main part of your own domain
	# currently protects .gif, .jp*, .png files, but you can add more
	<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{REQUEST_FILENAME} -f
	RewriteCond %{REQUEST_FILENAME} \.(gif\|jpe?g?\|png)$ [NC]
	RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\. [NC]
	RewriteRule .* - [F]
	</IfModule>