In this section, we’ll go over some tips for properly protecting your WordPress blog using the Apache .htaccess configuration file.
This file is used for many functions including security.
Start with:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

The WordPress configuration file is really important. Protect the database and the credentials from possible attacks.

    order deny,allow
    allow from XXX.XXX.XXX.XXX
    deny from all

Create a .htaccess file in the wp-admin directory that allows only your IP address, so nobody else can access this directory. Naturally, if you have a dynamic address, you will need to adjust your .htaccess file via FTP sometimes.

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

Reinforce all your .htaccess files with this code; it prevents hackers or software from manipulating them.

    Options -Indexes

Add this line to prevent directory listing of your folders.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

Protect the wp-includes folder from unauthorized access.

    order deny,allow
    deny from all
    <files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    allow from all
    </files>

Finally, protect the wp-content folder with this code.
In addition to these methods, I recommend installing another .htaccess file in the /uploads folder. This guards against malicious code that may be present in plugins or themes. No one is safe from a distracted developer whose mistake lets an “exploit” be used to hack your site.
Most of these “exploits” use a program included in a file that may seem normal at first sight. The “exploit” will then create other files in order to spread further through your website, and the /uploads folder is targeted because the permissions of this directory are often low.
So include a .htaccess file in the /uploads folder:

    <Files *.php>
    deny from all
    </Files>

This code blocks web requests for .php files in that folder, so malicious code that manages to create a .php file there cannot be executed through the browser.
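
To check that the rules described above are actually in place, here is an added example (not part of the original article): a small audit script that looks for each rule in the .htaccess file of the matching directory and lists any .php files already sitting under uploads. The rule labels, the function names and the assumption that uploads lives at wp-content/uploads are choices made for this example.

```python
import os
import re
import sys

FLAGS = re.I | re.M
# (directory relative to the WordPress root, label, regex its .htaccess must match).
# The patterns mirror the snippets on this page (Apache "deny from all" syntax).
CHECKS = [
    ("", "wp-config.php blocked", r'<files\s+"?wp-config\.php"?>[^<]*deny\s+from\s+all'),
    ("", ".htaccess blocked", r'<files\s+"?\.htaccess"?>[^<]*deny\s+from\s+all'),
    ("", "directory listing off", r"^\s*Options\b.*-Indexes"),
    ("", "wp-includes rewrite rules", r"^\s*RewriteRule\s+\^wp-includes/"),
    ("wp-admin", "wp-admin IP allowlist", r"allow\s+from\s+\S+[^<]*deny\s+from\s+all"),
    ("wp-content", "wp-content default deny", r"^\s*deny\s+from\s+all"),
    ("wp-content/uploads", "uploads *.php blocked", r'<files\s+"?\*\.php"?>[^<]*deny\s+from\s+all'),
]


def read_rules(path):
    """Return the .htaccess text without comment lines, or '' if unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return "".join(line for line in fh if not line.lstrip().startswith("#"))
    except OSError:
        return ""


def audit(wp_root):
    """Return (missing rule labels, .php files already present under uploads)."""
    missing = [label for rel, label, pattern in CHECKS
               if not re.search(pattern, read_rules(os.path.join(wp_root, rel, ".htaccess")), FLAGS)]
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    php_files = sorted(
        os.path.relpath(os.path.join(folder, name), wp_root).replace(os.sep, "/")
        for folder, _, names in os.walk(uploads)
        for name in names if name.lower().endswith(".php"))
    return missing, php_files


if __name__ == "__main__":
    missing, php_files = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for label in missing:
        print("MISSING rule:", label)
    for path in php_files:
        print("PHP file in uploads:", path)
    sys.exit(1 if missing or php_files else 0)
```

Run it with the WordPress root as its argument; it exits non-zero when a rule is missing or a .php file is found under uploads, which makes it usable from a cron job.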