Wordpress Security Settings


Wordpress Security Settings

===================================================================================
====
#Add code in .htaccess File

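#Security Headers
# Every header uses "always" so it is also sent on 4xx/5xx responses; without it
# mod_headers only touches successful responses. Verify the result with
# curl -sI https://<your-site>/ (placeholder host).
<IfModule mod_headers.c>
# HSTS is remembered by browsers for max-age seconds together with includeSubDomains,
# so enable it only once every subdomain is served over TLS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# The legacy XSS auditor is gone from current browsers and could be abused for
# cross-site information leaks in old ones; OWASP's current guidance is to disable it.
Header always set X-XSS-Protection "0"
# Exactly one X-Frame-Options value, "set" rather than "append": the source set
# SAMEORIGIN here and then appended it again in a second section, and browsers treat
# duplicate or conflicting values as invalid. Prefer Content-Security-Policy
# frame-ancestors where possible; X-Frame-Options is kept for older clients.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions-Policy allowlists are written in parentheses: (self), () or ("https://origin").
Header always set Permissions-Policy "geolocation=(self)"
# Append SameSite=Lax only to cookies that do not already declare SameSite, so an
# application-set SameSite=None/Strict is not turned into a contradictory
# "SameSite=None; SameSite=Lax". Cookies emitted by PHP may live in the non-"always"
# header table: check a Set-Cookie response and repeat this line without "always"
# if those cookies are not rewritten.
Header always edit Set-Cookie "(?i)^((?!.*samesite=).*)$" "$1; SameSite=Lax"
</IfModule>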

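# Query-string blocklist. The source called this "Protect Against SQL Injection"; it is
# not: these are substring matches on the raw query string, and SQL-injection defence
# belongs in the application (prepared statements / $wpdb->prepare). Treat this as noise
# reduction for scanner traffic and expect false positives: any URL carried in a
# parameter ("http:"), the characters ( ) [ ] < > " ; ? * (WordPress array parameters
# use "[]"), any percent-encoded non-ASCII character ("%C3%A9" matches "%C"), and any
# value containing "select", "request", "encode", "globals" or similar substrings.
# Exercise wp-admin, site search, the customizer and wp-login redirects before relying
# on it, and watch the access log for 403s to tune it.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# HEAD was removed from the source's method list: it is a mandatory HTTP method used by
# caches, uptime monitors and link checkers. DELETE is used by the REST API; the
# WordPress browser client normally tunnels it over POST, but other REST clients will
# break, so drop DELETE from the list if the REST API is used directly. TRACE is better
# disabled server-wide with "TraceEnable off" (server/vhost context, not .htaccess).
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK)$ [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# The stray "ê" below is present in the copy this was taken from (probably an extraction
# artefact); it only matters if that character appears in a query string.
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# Exempt logged-in users. WordPress names the cookie wordpress_logged_in_<hash> in lower
# case; the source wrote "WordPress_logged_in_" without [NC], so the exemption never
# matched and was dead. A cookie name is client-supplied and is not proof of
# authentication, so this exemption only reduces admin false positives; it does not make
# the rule set a security boundary.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>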

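# Blocks some reflected-XSS and PHP superglobal-override probes in the query string.
# RewriteEngine On is inherited from the section above when both live in the same
# .htaccess; add it here if this section is ever used on its own.
<IfModule mod_rewrite.c>
# The source had "(\|%3E)", a copy/paste remnant that only matches the literal text
# "|%3E"; restored to the <script ...> pattern (raw or percent-encoded) that the
# query-string section above already uses.
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# With [F] the substitution target is ignored; "-" says so explicitly instead of naming
# index.php, which was never served.
RewriteRule ^(.*)$ - [F,L]
</IfModule>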

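#BEGIN Block bad hackers
# Rejects one scripted HTTP library by User-Agent. The source pattern "^libwww-perl*"
# made the trailing "l" optional (it also matched "libwww-per"); a plain prefix match is
# what was meant. User-Agent is chosen by the client, so this is noise reduction, not
# access control.
SetEnvIfNoCase User-Agent "^libwww-perl" block_bad_bots
# Apache 2.2 access syntax (served by mod_access_compat on 2.4, like the rest of this
# file). Native 2.4 form: <RequireAll> Require all granted / Require not env block_bad_bots </RequireAll>
Deny from env=block_bad_bots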

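# Disable directory browsing
# "Options All -Indexes" first switches on every option (ExecCGI, Includes,
# FollowSymLinks, ...) and only then removes Indexes, widening what the directory may do;
# only the removal is wanted. Needs AllowOverride Options (or Options=Indexes) in the
# server configuration, otherwise Apache answers 500 for the whole directory.
Options -Indexes
# Deny access to all .hta* files (.htaccess, .htpasswd, ...). FilesMatch is the
# non-deprecated spelling of "<Files ~ regex>"; the pattern stays unanchored, as in the
# source, so "backup.htaccess" is covered too.
<FilesMatch "\.[Hh][Tt][Aa]">
order allow,deny
deny from all
satisfy all
</FilesMatch>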

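# Deny access to files that disclose version or configuration details.
# One FilesMatch replaces the four identical <files> sections of the source
# (readme.html, license.txt, wp-config.php, error_log). <Files> matches the basename
# exactly, so the pattern is anchored at both ends and the dots are escaped to keep
# that behaviour. readme.html and license.txt reveal the WordPress version; error_log
# can leak paths and stack traces; wp-config.php holds the database credentials.
<FilesMatch "^(readme\.html|license\.txt|wp-config\.php|error_log)$">
Order allow,deny
Deny from all
</FilesMatch>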

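#Possible Username & Password Disclosure.
# Deny dotfiles (.htaccess, .htpasswd, .git, .env, ...) and wp-config.php with its
# sample. The second alternative is deliberately not anchored at the end so editor and
# backup copies such as wp-config.php~ or wp-config.php.bak are covered as well.
# "(-sample)*" allowed a repeated suffix; "?" expresses the intended optional suffix.
<FilesMatch "(^\.|wp-config(-sample)?\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
# Subsumed by the "^\." rule above, kept so the .ht* files stay protected if that
# section is edited. FilesMatch replaces the deprecated "<Files ~>" form.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>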

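#OLD#
#Deny Access To Sensitive Files in WordPress.
# Repeats the Options line from the "Disable directory browsing" section above. "All"
# would switch every option back on before removing Indexes, so only the removal is kept.
Options -Indexes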


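# Protect some other files
# The regular expression was wrapped across two lines in the copy this was taken from;
# Apache reads the second line as a directive and the file fails to load, so it is one
# line again. Dots are escaped so "readme.html" no longer also matches "readmeXhtml".
# "(.*)\.ttf" and "(.*)\.bak" are unanchored in the source and stay so.
# NOTE(review): the ".ttf" entry returns 403 for every TrueType font a theme serves;
# confirm it is intended before deploying. ".bak" is the entry that guards backups.
<FilesMatch "(liesmich\.html|faq\.html|readme\.html|license\.txt|faq\.txt|credits\.html|\.ttf|\.bak)">
Order Deny,Allow
Deny from all
</FilesMatch>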

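# As above, the pattern was split across two lines in the source and is rejoined here.
# The leading "^.*" / trailing ".*" were redundant (the match is unanchored anyway) and
# the unescaped dots are escaped; ".[hH][tT][aApP]" therefore covers .htaccess and
# .htpasswd, which makes the separate <files .htaccess> section of the source redundant.
# NOTE(review): this also answers 403 for robots.txt, which crawlers expect to be
# readable; that is almost certainly unintended for a public site.
<FilesMatch "(error_log|wp-config\.php|robots\.txt|php\.ini|\.[hH][tT][aApP])">
Order deny,allow
Deny from all
</FilesMatch>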

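# Installer and Fantastico (legacy one-click installer) leftovers. One anchored FilesMatch
# replaces the three identical <files> sections; <Files> matches the basename, so this
# blocks install.php in every directory, including wp-admin/install.php, which WordPress
# needs only during the initial setup.
<FilesMatch "^(install\.php|fantastico_fileslist\.txt|fantversion\.php)$">
Order allow,deny
Deny from all
</FilesMatch>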

#WordPress XML-RPC Authentication Bruteforce.
# Refuse every request for xmlrpc.php. This removes the endpoint that credential-guessing
# traffic usually targets, but it also breaks Jetpack, the WordPress mobile apps and
# pingbacks/trackbacks. If any of those are needed, WordPress's own "xmlrpc_enabled"
# filter is the application-level alternative. Anchored pattern: same match as
# "<Files xmlrpc.php>".
<FilesMatch "^xmlrpc\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>

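# Response-header hardening. The source labelled this "#Directory Lisitng Enabled." but
# nothing here touches Indexes; directory listing is handled by the Options line above.
# The source nested the header directives in <FilesMatch ""> inside the rewrite section;
# an empty pattern matches every file, so that wrapper changed nothing and is dropped.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Looks like a marker a plugin writes to check that it can edit this file; keep it only
# while that plugin is installed.
#WriteCheckString:1562058044_52870
RewriteRule .* - [E=HTTP_MOD_REWRITE:On]
</IfModule>

<IfModule mod_headers.c>
# Cache-Control was "max-age=300, public" on every response. "Header set" overrides the
# no-cache headers WordPress sends for wp-admin and logged-in pages, so a shared cache or
# CDN could store and replay personalised or authenticated HTML. The policy is limited to
# static assets here; the application keeps control of caching for HTML.
<FilesMatch "\.(css|js|jpe?g|png|gif|svg|webp|ico|woff2?)$">
Header set Cache-Control "max-age=300, public"
</FilesMatch>
# Strict-Transport-Security, X-XSS-Protection and X-Frame-Options are already set in the
# "Security Headers" section at the top of this file. The copies that were here added a
# second HSTS header (RFC 6797: a browser processes only the first one) and an
# X-Frame-Options DENY that conflicted with the SAMEORIGIN set above.
Header always set X-Content-Type-Options "nosniff"
# Hide server/framework fingerprints. "Header unset Server" has no effect in practice,
# because core adds the Server header after mod_headers has run; use "ServerTokens Prod"
# in the server configuration instead. X-Powered-By is best removed at the source with
# expose_php=Off in php.ini; the unset lines are the fallback.
# "Header set Connection keep-alive" was dropped: Connection is a hop-by-hop header that
# Apache manages through its KeepAlive settings, not something to force via mod_headers.
Header always unset X-Powered-By
Header unset X-Powered-By
Header unset X-CF-Powered-By
Header unset X-Mod-Pagespeed
Header unset X-Pingback
</IfModule>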

--------------------------------------------------------------
2) wp-config file
Add the following code to the wp-config file
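// The source also sent "Set-Cookie: hidden=value; httpOnly". That cookie is dropped: the
// HttpOnly flag only applied to that dummy cookie, not to the WordPress authentication
// cookies, which WordPress already marks HttpOnly itself.

// Disabling the automatic updater also disables WordPress core *security* releases, the
// most important automatic control on a self-hosted site.
// NOTE(review): keep this only if updates are applied by another pipeline; otherwise
// remove it, or use define( 'WP_AUTO_UPDATE_CORE', 'minor' ); to keep security releases.
define( 'AUTOMATIC_UPDATER_DISABLED', true );

// header() emits a warning once output has started and there is no client under WP-CLI or
// cron, so the calls are guarded rather than allowed to break every page load.
if ( ! headers_sent() ) {
	// expose_php=Off in php.ini removes X-Powered-By for every script; this is the fallback.
	header_remove( 'X-Powered-By' );
	// Duplicates the X-Frame-Options set in .htaccess. Keep one of the two so the browser
	// never receives two values; conflicting values are treated as invalid.
	header( 'X-Frame-Options: SAMEORIGIN' );
}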
===================================================================================
==
