@vapvarun
Last active February 24, 2026 20:19
WordPress Security Hardening: wp-config & Server-Level Tweaks (tweakswp.com)
<?php
/**
 * WordPress Salt Keys in wp-config.php
 *
 * The salt keys are mixed into the hashes that sign authentication
 * cookies and nonces; changing them invalidates every existing login.
 * Get fresh keys from:
 * https://api.wordpress.org/secret-key/1.1/salt/
 *
 * Regenerate after any suspected breach, after removing
 * a compromised admin user, or quarterly for high-value sites.
 * Every constant needs its own distinct random value: replace all
 * eight placeholders below, never reuse one string across keys.
 */
define('AUTH_KEY', 'unique-phrase-here');
define('SECURE_AUTH_KEY', 'unique-phrase-here');
define('LOGGED_IN_KEY', 'unique-phrase-here');
define('NONCE_KEY', 'unique-phrase-here');
define('AUTH_SALT', 'unique-phrase-here');
define('SECURE_AUTH_SALT', 'unique-phrase-here');
define('LOGGED_IN_SALT', 'unique-phrase-here');
define('NONCE_SALT', 'unique-phrase-here');
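Rotating the eight values by hand is error-prone (a missed key or a quote character inside a value breaks wp-config.php). WP-CLI ships `wp config shuffle-salts` for this; the following is an added example, not part of the gist, showing the same operation as a small Python tool: it generates 64-character values from an alphabet that is safe inside a single-quoted PHP string, rewrites every salt `define()` it finds, and inserts any key that is missing before the `wp-settings.php` require (otherwise WordPress silently falls back to database-stored salts). The sample config text is constructed for the demonstration.

```python
from __future__ import annotations

import re
import secrets
import string
import sys

# The eight constants WordPress reads from wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII without whitespace, the single quote or the backslash, so a
# value can sit inside a single-quoted PHP string without escaping.
SALT_ALPHABET = "".join(
    c for c in string.printable if not c.isspace() and c not in "'\\"
)

# Matches define('NAME', 'value'); with a single-quoted name and value.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

# Salts must be defined before wp-settings.php is loaded.
WP_SETTINGS_RE = re.compile(r"^[ \t]*require_once.*wp-settings\.php", re.MULTILINE)

# Constructed sample: four keys present, the four *_SALT constants missing.
SAMPLE_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define('AUTH_KEY', 'unique-phrase-here');\n"
    "define('SECURE_AUTH_KEY', 'unique-phrase-here');\n"
    "define('LOGGED_IN_KEY', 'unique-phrase-here');\n"
    "define('NONCE_KEY', 'unique-phrase-here');\n"
    "$table_prefix = 'wp_';\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)


def generate_salt(length: int = 64) -> str:
    """Return a cryptographically random salt of the given length."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text: str) -> tuple[str, dict[str, str]]:
    """Replace every salt define() in wp-config.php text with a fresh value.

    Returns (rewritten_text, {key: new_value}). Keys absent from the file are
    inserted before the wp-settings.php require, or appended if there is none.
    """
    new_values = {key: generate_salt() for key in SALT_KEYS}
    seen: set[str] = set()

    def replace(match: re.Match) -> str:
        name = match.group("name")
        if name not in new_values:
            return match.group(0)  # leave DB_NAME and other defines alone
        seen.add(name)
        return f"define('{name}', '{new_values[name]}');"

    rewritten = DEFINE_RE.sub(replace, config_text)
    missing = [key for key in SALT_KEYS if key not in seen]
    if missing:
        block = "".join(f"define('{k}', '{new_values[k]}');\n" for k in missing)
        anchor = WP_SETTINGS_RE.search(rewritten)
        if anchor:
            rewritten = rewritten[:anchor.start()] + block + rewritten[anchor.start():]
        else:
            rewritten = rewritten.rstrip("\n") + "\n" + block
    return rewritten, new_values


def rotate_file(path: str) -> dict[str, str]:
    """Rewrite wp-config.php in place; every logged-in session is invalidated."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    rewritten, new_values = rotate_salts(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    return new_values


if __name__ == "__main__":
    # Usage: python rotate_salts.py /home/user/wp-config.php
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    for key in rotate_file(target):
        print(f"rotated {key}")
```

Run it against a copy first and diff the result; the only lines that should change are the eight salt defines. Because all sessions are dropped, schedule routine rotations outside peak editing hours.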
<?php
/**
 * wp-config.php hardening constants (Tweaks 2-6)
 *
 * Change table prefix, disable file editing, disable file mods,
 * force SSL admin, and limit post revisions.
 */
// 2. Change database table prefix (set during install or migrate existing).
// On an existing site the tables and the prefixed option/usermeta keys
// (for example wp_user_roles) must be renamed as well.
$table_prefix = 'x7k9_';
// 3. Disable Theme/Plugin Editor in dashboard
define('DISALLOW_FILE_EDIT', true);
// 4. Disable plugin/theme installs and updates from dashboard.
// Use only for sites managed via Git/CI-CD deployment pipelines: this also
// stops automatic updates and update notices, so patching becomes your job.
define('DISALLOW_FILE_MODS', true);
// 5. Force SSL for admin and login pages
define('FORCE_SSL_ADMIN', true);
// 6. Limit post revisions to reduce database bloat
define('WP_POST_REVISIONS', 5);
# 7. Move wp-config.php above web root
#
# WordPress looks for wp-config.php in its install directory (ABSPATH)
# first and then one directory above it; when WordPress sits in the web
# root, that is one level above the web root. No code changes needed,
# just move the file. This prevents direct web access even if PHP
# processing fails.
# Two caveats: the parent directory is only used when it does not itself
# contain a wp-settings.php (a nested install never picks up the outer
# site's config), and the PHP process must still be able to read the
# file at its new location.
# Server structure:
/home/user/wp-config.php          # Config file (above web root)
/home/user/public_html/           # Web root
/home/user/public_html/wp-admin/
/home/user/public_html/wp-content/
/home/user/public_html/wp-includes/
/home/user/public_html/index.php
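The lookup rule above has an edge case that bites on shared hosts with several sites under one account: the parent directory is skipped when it contains a wp-settings.php. The following added example (not part of the gist) mirrors that rule in Python so a layout can be checked before moving the file, and also confirms that the chosen location is not under the document root. The file layout is constructed from the structure shown above; the `isfile` parameter is injectable so the check runs without touching the real filesystem.

```python
from __future__ import annotations

import os
import posixpath
from typing import Callable

# Constructed layout matching the structure above: config one level above
# the web root, WordPress core inside public_html/.
EXAMPLE_FILES = {
    "/home/user/wp-config.php",
    "/home/user/public_html/index.php",
    "/home/user/public_html/wp-settings.php",
    "/home/user/public_html/wp-login.php",
}


def locate_wp_config(
    abspath: str, isfile: Callable[[str], bool] = os.path.isfile
) -> str | None:
    """Mirror the lookup wp-load.php performs for wp-config.php.

    1. ABSPATH/wp-config.php
    2. otherwise dirname(ABSPATH)/wp-config.php, but only when that parent
       does not itself contain wp-settings.php, so a nested site can never
       load the outer site's database credentials.
    """
    root = posixpath.normpath(abspath)  # ABSPATH carries a trailing slash
    local = posixpath.join(root, "wp-config.php")
    if isfile(local):
        return local
    parent = posixpath.dirname(root)
    above = posixpath.join(parent, "wp-config.php")
    if isfile(above) and not isfile(posixpath.join(parent, "wp-settings.php")):
        return above
    return None


def is_outside_web_root(config_path: str, web_root: str) -> bool:
    """True when the config does not live under the document root and so
    cannot be served as a static file if PHP handling ever breaks."""
    root = posixpath.normpath(web_root) + "/"
    return not posixpath.normpath(config_path).startswith(root)


def check_layout(abspath: str, web_root: str, files: set[str]) -> dict[str, object]:
    """Report which wp-config.php WordPress would load for a file layout."""
    found = locate_wp_config(abspath, isfile=lambda p: p in files)
    return {
        "config": found,
        "outside_web_root": found is not None and is_outside_web_root(found, web_root),
    }


if __name__ == "__main__":
    print(check_layout("/home/user/public_html/", "/home/user/public_html", EXAMPLE_FILES))
```

For a real host, call `locate_wp_config("/home/user/public_html/")` with the default `isfile` to see which file the running site actually loads.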
# 8. Apache .htaccess — Security Headers
#
# Add to your root .htaccess file to prevent common attack vectors
# (XSS, clickjacking, MIME sniffing) and to enforce HTTPS via HSTS.
# Requires mod_headers (a2enmod headers); without the module Apache
# answers every request with a 500 because of the unknown directive.
# "Header set" is not applied to error responses; use "Header always set"
# (as done for HSTS below) when error pages should carry a header too.
# Security headers
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
# Deprecated filter header; modern browsers ignore it, harmless to keep.
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
# Only add "preload" once every subdomain serves HTTPS; removal from the
# browser preload list takes a long time.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Block access to sensitive files
# (Apache 2.2 syntax, needs mod_access_compat on 2.4; or use "Require all denied")
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt)$">
Order allow,deny
Deny from all
</FilesMatch>
# Disable directory browsing
Options -Indexes
# 8. Nginx — Security Headers
#
# Add to your server block in nginx.conf to prevent XSS, clickjacking
# and MIME sniffing, and to enforce HTTPS.
# "always" sends the header on error responses too. add_header is
# inherited from the server block only by locations that set no
# add_header of their own; a location that adds even one header drops
# all of these, so repeat the set there (or move it into an include).
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Deprecated filter header; modern browsers ignore it, harmless to keep.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Only add "preload" once every subdomain serves HTTPS; removal from the
# browser preload list takes a long time.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Block sensitive files
location ~* /(wp-config\.php|\.htaccess|readme\.html|license\.txt) {
    deny all;
}
# Disable directory listing
autoindex off;
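Both the Apache and the Nginx snippets above are easy to get subtly wrong (a missing module, an Nginx location that silently drops inherited headers, a plugin that sets the same header a second time), so the configuration should be verified from the outside. The following added example, not part of the gist, parses a raw HTTP response head and reports what is missing or weak: the fixed-value headers, presence of Referrer-Policy and Permissions-Policy, duplicates, and HSTS max-age and includeSubDomains. The two response heads are constructed; `audit_url` is the only part that needs network access and uses nothing beyond the standard library.

```python
from __future__ import annotations

import urllib.request

# Headers the snippets above set, with the values the audit accepts.
# Referrer-Policy and Permissions-Policy are presence-only checks, since
# the right value depends on the site.
REQUIRED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},
    "referrer-policy": None,
    "permissions-policy": None,
    "strict-transport-security": None,  # parsed separately below
}
MIN_HSTS_AGE = 31536000  # one year, the value both snippets use


def parse_response_head(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head (status line plus headers) into a
    lowercase-name -> list-of-values map. Repeated headers are all kept."""
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")[1:]  # drop the status line
    for line in lines:
        if not line.strip():
            break  # blank line terminates the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> tuple[int, bool]:
    """Return (max-age, includeSubDomains present) from an HSTS value."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers: dict[str, list[str]]) -> list[str]:
    """Return findings; an empty list means every expected header is right."""
    findings: list[str] = []
    for name, accepted in REQUIRED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
            continue
        if len(values) > 1:
            # Typically the web server and a plugin both set it; browsers do
            # not resolve conflicting duplicates the way you expect.
            findings.append(f"{name} sent {len(values)} times: {values}")
        if accepted is not None and values[0].lower() not in accepted:
            findings.append(f"{name} is {values[0]!r}, expected one of {sorted(accepted)}")
    if "strict-transport-security" in headers:
        max_age, include_sub = parse_hsts(headers["strict-transport-security"][0])
        if max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_AGE}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_url(url: str) -> list[str]:
    """Fetch a URL and audit its response headers (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        headers = {k.lower(): resp.headers.get_all(k) for k in resp.headers.keys()}
    return audit_headers(headers)


# Constructed sample responses: one hardened as above, one not.
HARDENED_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
)
WEAK_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, head in (("hardened", HARDENED_HEAD), ("weak", WEAK_HEAD)):
        print(label, audit_headers(parse_response_head(head)) or "OK")
```

Run `audit_url` against the home page, a 404 page and a page inside a location block that sets its own headers (such as a caching or uploads location on Nginx); a header that passes on the first and fails on the third is the inheritance pitfall described above.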
# 9. Apache — Restrict wp-admin access by IP
#
# Place this .htaccess inside the wp-admin/ directory.
# Only allow access from your office IP and VPN range.
# Apache does not support trailing comments, so the IP notes sit on
# their own lines. admin-ajax.php is exempted below because frontend
# AJAX calls it anonymously.
# (Apache 2.2 syntax, needs mod_access_compat on 2.4; on 2.4 use
# "Require ip 203.0.113.50 198.51.100.0/24" and "Require all granted".)
<Files "*.php">
Order deny,allow
Deny from all
# Office IP
Allow from 203.0.113.50
# VPN range
Allow from 198.51.100.0/24
</Files>
<Files "admin-ajax.php">
Order allow,deny
Allow from all
</Files>
# 9. Nginx — Restrict wp-admin and wp-login.php by IP
#
# Only allow admin access from specified IP addresses.
# Replace IPs with your office IP and VPN range.
# Regex locations (the usual "location ~ \.php$") beat plain prefix locations:
# "^~" makes this block win, so PHP is passed to PHP-FPM here too (otherwise
# nginx would serve the .php source). admin-ajax.php stays public for AJAX.
location ^~ /wp-admin/ {
    allow 203.0.113.50;
    allow 198.51.100.0/24;
    deny all;
    location = /wp-admin/admin-ajax.php {
        allow all;
        include fastcgi.conf;  # ships with nginx and sets SCRIPT_FILENAME
        fastcgi_pass unix:/run/php/php-fpm.sock;  # adjust to your PHP-FPM socket
    }
    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
location = /wp-login.php {
    allow 203.0.113.50;
    allow 198.51.100.0/24;
    deny all;
    include fastcgi.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
<?php
/**
 * 10. Disable XML-RPC via PHP filter
 *
 * XML-RPC is a legacy API frequently exploited for
 * brute force attacks and DDoS amplification.
 * Blocking at the server level (see .conf files) is preferred
 * since it prevents the request from reaching PHP entirely.
 *
 * Put this in a must-use plugin or the theme's functions.php, not in
 * wp-config.php: add_filter() is not defined yet when wp-config.php runs.
 * The filter only disables the methods that require authentication;
 * unauthenticated ones such as pingback.ping still respond, which is
 * another reason to prefer the server-level block.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
# 10. Block XML-RPC at the server level (preferred over PHP filter)
#
# Prevents the request from reaching PHP at all,
# saving server resources during brute force attacks.
# Keep xmlrpc.php reachable only if you depend on clients that still
# use it (Jetpack, the WordPress mobile apps).
# Apache — add to root .htaccess
# (2.2 syntax, needs mod_access_compat on 2.4; or use "Require all denied")
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
# Nginx — add to server block
# access_log off also hides the blocked attempts from your logs; keep
# logging if you alert on brute-force activity.
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}