WordPress Tips: 8 steps to secure your WordPress website with .htaccess

In this video, I will continue tips on securing your #WordPress website. Its important to take the time to apply some simple security mechanisms to ensure your website doesn’t get compromised.

We will walk you through 8 settings/rules you can apply to protect your website. Most of these steps involve .htaccess so make sure your hosting service provides that. If your website doesn’t run on Apache2 then you won’t be able to make these securing enhancements. Also backup your WordPress files before you attempt these steps or try on dev site first.

Video Index:
00:00 - Intro
04:11 - Setup
05:11 - Tip # 1: Protect Core WP Files
07:22 - Tip # 2: Prevent Username Enumeration
08:34 - Tip # 3: Prevent Direct Access to Plugins and Themes Folders
10:47 - Tip # 4: Prevent PHP files in WP Uploads folder
12:49 - Tip # 5: Limit access to WP Admin Dashboard
14:07 - Tip # 6: Delete unneeded files
15:27 - Tip # 7: Prevent SQL Injections
16:07 - Tip # 8: Secure HTTP Headers

*Add snippes 1-7 to your .htaccess file*
1. Protect WordPress important files

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>


2. Prevent wordpress username enumeration

RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]

3. Restrict direct access to Plugin and Theme files
	
# Restrict access to PHP files from plugin and theme directories
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

# If you need to exclude paste following before the ReWriteRule above and replace with your plugins files or directories to exclude
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/


4. Prevent PHP files in uploads folder.
# Paste this in a new .htaccess file in the wp-content/uploads folder.
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>

5. Limit access to admin dashboard
ErrorDocument 401 /index.php?error=404
ErrorDocument 403 /index.php?error=404

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?your-site.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

6. Remove unneeded files
readme.html
/wp-admin/install.php
wp-config-sample.php

7. Prevent sql injection with this and add to .htaccess

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
	
8. Secure with HTTP Headers.
#Add the following code to whitelist allowed content, script, styles, and other content sources:
header('Access-Control-Allow-Headers:X-WP-Nonce');
header('Content-Security-Policy: default-src self');

#Add the line below to instruct the browser not to render a page in a frame: 
header('X-Frame-Options: SAMEORIGIN');

#Add the following lines to prevent XSS attacks and tell Internet Explorer not to sniff mime types
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');

#Add the code below to instruct the browser to only use HTTPS:
header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');

#Tell the browser to trust only the cookie set by the server and that the cookie is available over SSL channels by adding the following:
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);