Using security plugins alongside better security practices for your WordPress CMS is simply smart. WordPress's popularity makes it an attractive target for attackers trying to gain access to WordPress sites, which is why the Wordfence Security and Firewall plugin is a good choice for increasing the security of your installation.
Wordfence Import Settings
386694919d5afa41ee9d165768b2389f5ac65376a16e3aed7454940e5bcca2e87370bc881867249490b1e9cd71d3d7b9cc1b7fbe8453bde253b9af3e11de266b96fb982dc9f831b6ac5d389474fb61df
How to Use Import Settings
In your WordPress Dashboard, open the Wordfence plugin menu > Tools > Import/Export Options.
Paste the token above into the import field and save changes.
htaccess rules for WordPress Security
# Every condition is OR-ed; a match on any one of them fires the blocking rule at the end.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Caution: the short alternatives "or", "and" and "if" also match ordinary words (order, band, ...); test against your own URLs.
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC]
# Answer 403 Forbidden to any request whose query string matched above.
RewriteRule ^(.*)$ - [F,L]
How to Use htaccess rules for WordPress Security
First, download and back up the .htaccess file from your web server (usually File Manager > public_html > .htaccess).
Open it; you should see something like this:
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Change it so that the security rules are included, like this. The rules go in their own block above the WordPress one, because (as the comment in the file says) WordPress overwrites everything between the BEGIN/END WordPress markers whenever permalinks are flushed:
# BEGIN WordPress Security rules
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Every condition is OR-ed; a match on any one of them fires the blocking rule below.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Caution: "or", "and" and "if" also match ordinary words (order, band, ...); test against your own URLs.
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC]
# Answer 403 Forbidden to any request whose query string matched above.
RewriteRule ^(.*)$ - [F,L]
</IfModule>
# END WordPress Security rules

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Save the file so the updated .htaccess takes effect.
At this stage, visit your website to double-check that everything still works, including searches and pages with query parameters. If it does not, undo the changes you made (or simply upload your backup and overwrite .htaccess).
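Before touching a live .htaccess, it is worth seeing what the query-string conditions above actually catch. The following Python script is an added example (not from the post and not Wordfence code): it re-implements the eight RewriteCond patterns with Python's re module, emulating Apache's OR-chained evaluation against the raw, still percent-encoded query string, and runs them over constructed sample requests that show a genuine block, a false positive on an ordinary order=asc parameter, and a miss.

```python
import re
from typing import List, Tuple

# The eight RewriteCond patterns from the .htaccess block, in order, with a
# flag for [NC] (case-insensitive). Apache tests them against the raw
# QUERY_STRING, which is still percent-encoded, so the inputs below are raw too.
CONDITIONS: List[Tuple[str, bool]] = [
    (r"base64_encode[^(]*\([^)]*\)", False),
    (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"(;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)", True),
    (r"(localhost|mosconfig)", True),
    (r"(boot\.ini|echo.*kae|etc/passwd)", True),
    (r"(javascript:).*(;)", True),
]


def matching_conditions(query_string: str) -> List[int]:
    """Return the 0-based indices of the conditions that match query_string.

    The deployed block ORs every condition, so a single hit is enough for the
    RewriteRule to answer 403; the indices tell you which line fired."""
    return [
        i
        for i, (pattern, nc) in enumerate(CONDITIONS)
        if re.search(pattern, query_string, re.IGNORECASE if nc else 0)
    ]


def is_blocked(query_string: str) -> bool:
    return bool(matching_conditions(query_string))


# Constructed sample query strings (not taken from the post) with the expected
# verdict, chosen to expose one false positive and one miss.
SAMPLES = [
    ("p=123&preview=true", False),                  # ordinary WordPress request
    ("filter=red;blue&order=asc", True),            # false positive: ";" then "or" inside "order"
    ("q=%3Cscript%3Ealert(1)%3C/script%3E", True),  # encoded <script> tag, caught by condition 1
    ("file=../../etc/passwd", True),                # traversal toward /etc/passwd, caught by condition 6
    ("s=select%20the%20best%20author", False),      # miss: no quote or ";" precedes the keywords
]

if __name__ == "__main__":
    for qs, expected in SAMPLES:
        hits = matching_conditions(qs)
        verdict = "BLOCK" if hits else "allow"
        print(f"{verdict:5} {qs!r:45} conditions={hits} expected_block={expected}")
```

Run it with your own site's real query strings (taken from the access log) before deploying the rules, and drop or tighten any condition that fires on legitimate traffic.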
Force SSL Logins
WordPress lets you force all logins and dashboard traffic to go through the https version of your website by defining constants in the wp-config.php file. You should definitely use this option for better security of your WordPress CMS. Edit File Manager > public_html > wp-config.php and insert the code below, above the line that reads "That's all, stop editing!":
// Force all admin and login traffic over HTTPS
define('FORCE_SSL_ADMIN', true);
// FORCE_SSL_LOGIN has been deprecated since WordPress 4.0 and is treated as FORCE_SSL_ADMIN
define('FORCE_SSL_LOGIN', true);
WordPress Security
Because the WordPress Content Management System is popular, hackers write scripts that scan WordPress-built sites for known security vulnerabilities. Taking security seriously is what keeps you from waking up to a hacked WordPress site.
Apart from using the Wordfence security plugin for WordPress, you can and should regularly change your passwords for:
- WordPress Dashboard
- Web Hosting Account
- phpMyAdmin / database user
Then, depending on the website setup (a WooCommerce store or a small business site), you could look into paid automatic backup options such as:
- VaultPress
- UpdraftPlus
Protect WordPress uploads folder
Create a new file named .htaccess and upload it specifically to wp-content/uploads/.htaccess with the rules below. Adjust the PHP module identifier to your own server: PHP 8 registers its Apache module as mod_php.c (used in the example below); if yours is PHP 7, change it to mod_php7.c.
# BEGIN RankYa WordPress Specialist Codes
# BEGIN PHP code execution protection
# php_flag only works when PHP runs as an Apache module (mod_php.c on PHP 8,
# mod_php7.c on PHP 7). Under PHP-FPM or CGI this block is ignored, so the
# <Files> block further down is the safeguard that always applies.
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
# END PHP code execution protection
# Second line of defence: refuse to serve any file whose extension starts with
# .ph (php, php3-php8, phps, phar, pht, phtml), whichever PHP SAPI is in use.
<Files ~ "\.ph(?:p[3-8]?|ps|ar|t|tml)$">
Require all denied
</Files>
# -ExecCGI = execution of CGI scripts using mod_cgi is NOT permitted.
<IfModule mod_cgi.c>
Options -ExecCGI
</IfModule>
<IfModule mod_cgid.c>
Options -ExecCGI
</IfModule>
# faster and safer uploads: drop any handler mapping for script-like extensions
RemoveHandler .ini .sh .bsh .bash .awk .nawk .gawk .csh .var .c .in .h .asc .md5 .sha .sha1 .cgi .pl .php .inc .asp .exe .bin .py .phtml
RemoveHandler .out .output .overlay .p12 .p5c .pam .pas .patch .phps .php5 .php4 .php3 .pbxproj .pdb .pdf .pem .perl .phar .php .php_cs .phpize .phpt .pingpong .pipelining .pk
# Serve these extensions as plain text so the server never hands them to an interpreter
<FilesMatch "\.(ini|sh|bsh|bash|awk|nawk|gawk|csh|var|c|in|h|asc|md5|sha|sha1|cgi|pl|php|php*|py|inc|asp|exe|bin|list|rb|phtml|tag|info|txt)$">
ForceType text/plain
</FilesMatch>
Website security is an ongoing process because hackers never stop exploiting WordPress-built websites. These are only some of the methods for better securing a WordPress site.
Thanks for sharing this important piece of information with us, I am going to try and follow this WordPress blog.