Please remember that security is constantly evolving. We will do our best to keep these tips updated and add new ones as they are discovered. Also, nothing is 100% secure. While these tips will help secure your WordPress site, they won't make it hack-proof. If you find any issues with rules or have some rules you'd like to add, please contact us.
The .htaccess file is a special file that works on Apache and Apache-like web servers. If your website is using NGINX, these tips won't work. You will need to use NGINX-specific configurations.
The .htaccess file is usually hidden by default. You will need to enable viewing hidden or dot files from within the cPanel file editor. As always, before you make any changes, you should back up the existing .htaccess file. Configuration errors in a .htaccess file will result in an Error 500.
When placing these rules into your .htaccess file, you should place them above any existing rules.
Helpful Tip: Don't just copy and paste all the following snippets at once. If there's a server compatibility issue or one of these snippets breaks something, it might be difficult to track down which one caused it. Add one, test your site, and then add the next one. If your site errors after adding one of these snippets, remove the last one you added and verify the error goes away.
The 7G firewall ruleset is a free ruleset that will help protect websites, not just WordPress. These rules block a lot of common attacks and can help improve performance.
Directory browsing will let you view files in a directory if there is no index file. This can pose a security risk. Add this snippet to prevent directory browsing.
# Disable directory browsing (Options -Indexes works on both Apache 2.2 and 2.4;
# mixing a bare option such as "All" with a "-" option is rejected by Apache 2.4)
Options -Indexes
Plugins with upload vulnerabilities can place PHP or executable code into the wp-uploads directory. In this directory, you need to create a new .htaccess file and add the following code to it:
# Disable access to all file types except the following
# (Order/Deny/Allow are Apache 2.2 directives; Apache 2.4 accepts them when mod_access_compat is loaded)
Order deny,allow
Deny from all
# The leading dot is escaped so only real file extensions are matched
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>
Important: If you're serving other file types like SVGs, txt files, etc., adjust the file type list. Otherwise, the server will not allow you to download or view the file.
You should also add the Disable Directory Browsing snippet to this .htaccess file as well.
The wp-includes directory contains files and directories that are needed for the core WordPress software to run. No one needs access to this directory. Add this snippet to your main .htaccess file:
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules unless the request is for wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
This snippet will protect important files that no one on the Internet needs access to. These files are any error_log, wp-config.php, php.ini, and the .htaccess file.
# Refuse direct requests for log, configuration and Apache control files
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
A lot of attacks happen through bots. Protecting your wp-admin directory and login page can help shield your site from these bots. This snippet should be used if people will be logging into the site from potentially anywhere or it's a public site. Don't forget to replace "your-site.com" with your WordPress domain.
<IfModule mod_rewrite.c>
RewriteEngine on
# Refuse POST requests to the login page or wp-admin whose Referer is not this site.
# The referer pattern accepts both http:// and https://, otherwise logins on an HTTPS site would be blocked.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
If this is not a public site (or the public is not logging into it), and you have static IPs or don't mind updating the list to provide access, you can use this snippet instead:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
To allow access, change "IP Address One", "IP Address Two", "IP Address Three", etc. to the IP addresses of anyone who needs to log in. If you need to add more IPs, duplicate the entire line RewriteCond %{REMOTE_ADDR} !^IP Address Three$ as many times as needed and put the IP in the placeholder. To remove access, delete the entire line.
If you provide someone access and they still can't log in, they might be using IPv6, in which case you will need to also add their IPv6 address. You can use this link to see both your IPv4 and IPv6 addresses: https://www.nodespace.com/ip-address/
The following snippet can help prevent script injections.
# Refuse requests whose query string carries a <script> tag or tries to set PHP globals
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# The "[" and "%" are escaped so they are matched literally instead of starting a character class
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
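Added check, not part of the original article: this script follows the "add one, test your site" advice above by requesting the paths each snippet is meant to protect and comparing the HTTP status to what the rule should produce. It assumes curl is installed, that SITE holds your site's base URL, and that uploads live under wp-content/uploads (the default); the login check targets the referer-based variant of the login rule.

```shell
#!/bin/sh
# Added verification script, not from the original article. Run it after adding each
# snippet: SITE=https://your-site.com sh check_htaccess.sh
# Assumes curl is installed and that uploads live under wp-content/uploads (the default).

# Print the HTTP status curl receives for a URL; any extra arguments are passed to curl.
fetch_status() {
    url=$1; shift
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$@" "$url"
}

# check <wanted-status> <url> [curl options...]: prints PASS or FAIL, returns 0 on a match.
# FETCH names the function that performs the request, so the logic can be exercised offline.
check() {
    wanted=$1; url=$2; shift 2
    got=$("${FETCH:-fetch_status}" "$url" "$@")
    if [ "$got" = "$wanted" ]; then
        echo "PASS $got $url"; return 0
    fi
    echo "FAIL want $wanted got $got $url"; return 1
}

# One check per snippet from the article; returns the number of failed checks.
run_checks() {
    site=${1%/}; failed=0
    # uploads directory: the bare directory listing must be refused (assumes no index file there)
    check 403 "$site/wp-content/uploads/" || failed=$((failed + 1))
    # protected files: wp-config.php and .htaccess must not be served
    check 403 "$site/wp-config.php" || failed=$((failed + 1))
    check 403 "$site/.htaccess" || failed=$((failed + 1))
    # wp-includes: PHP files refused, but static assets still served
    check 403 "$site/wp-includes/version.php" || failed=$((failed + 1))
    check 200 "$site/wp-includes/js/jquery/jquery.min.js" || failed=$((failed + 1))
    # referer variant of the login rule: a POST whose Referer is another domain must be refused
    check 403 "$site/wp-login.php" -X POST -H 'Referer: http://elsewhere.example/' || failed=$((failed + 1))
    # script-injection rule: a <script> tag in the query string is refused
    check 403 "$site/?s=%3Cscript%3E" || failed=$((failed + 1))
    # sanity check: the front page must still load
    check 200 "$site/" || failed=$((failed + 1))
    echo "$failed check(s) failed"
    return "$failed"
}

if [ -n "${SITE:-}" ]; then
    run_checks "$SITE"
fi
```

A non-zero exit status means at least one rule is not behaving as described, which is the cue to remove the snippet you added last.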
Additionally, adjust the file permissions on wp-config.php. Typically, permissions of 644 offer good protection, but you can also use 640 or, strictest of all, 600. Keep in mind that these permissions, or anything more restrictive, might prevent your site from working properly.
Use the WordPress Toolkit included on all hosting accounts to automatically update WordPress and your themes and plugins. If a security issue is found, your site will be patched automatically. See our guide here: https://help.nodespace.com/knowledgebase.php?article=363