Hardening & Improving WordPress Security
# .htaccess for /wp-includes: refuse direct requests to PHP files, except the two that
# browsers legitimately fetch (wp-tinymce.php serves the editor bundle, ms-files.php
# serves multisite uploads on older installs).
<Files *.php>
deny from all
</Files>
<Files wp-tinymce.php>
allow from all
</Files>
<Files ms-files.php>
allow from all
</Files>

# .htaccess for /wp-content: nothing under it (above all /wp-content/uploads) should run as PHP.
<Files *.php>
deny from all
</Files>

Both snippets use the Apache 2.2 Deny/Allow syntax; with the default Order deny,allow the later Allow for the two named files overrides the blanket Deny. On Apache 2.4 they only take effect if mod_access_compat is loaded (the 2.4 equivalents are Require all denied and Require all granted), so check the directive actually blocks a test request to a PHP file in uploads after you add it.
- Replace the admin user + generate a new password.
- Delete any .php, .php5, .html, .phtml and .txt files from the /wp-content/uploads folder.
- Run grep -R --exclude="*.js" -e 'eval(' . | cut -c -80 from the command line in the site's root folder to help find evil code.
- Add define( 'DISALLOW_FILE_EDIT', true ); to the wp-config.php file.
- Block access to the /xmlrpc.php file. As an additional step to this, disable XML-RPC access by adding this plugin to the /mu-plugins folder: https://gist.github.com/ericrasch/bda89f60042dd433037b
- Add a .htaccess for additional file security.
- Add .htaccess files to both the /wp-content and /wp-includes folders.
- Run UPDATE wp_posts SET ping_status="closed"; in a database editing app like Sequel Pro (but only if you know what you're doing).
- Change the wp-config.php file using the iThemes Security plugin.
- Run the genesis:up:mirror command to automatically sync/delete the hacked files within the /wp-content/uploads/ folder.
- Hacked files found: wp-editor.php and .cache.php.
- bundle exec cap production genesis:down
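Three of the steps above (the XML-RPC must-use plugin, the per-folder .htaccess files, and the read-only permissions the post settles on) can be applied with one script. The following is an added example written for this page; it is not the post's own code nor the linked gist. It assumes the site root is passed as the first argument, names the mu-plugin disable-xmlrpc.php, and places the blanket deny-all rule in /wp-content/uploads; those choices are this example's, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post or the linked gist. Applies three of
# the post's hardening steps to a WordPress tree whose root is given as $1:
#   1. a must-use plugin in /wp-content/mu-plugins that turns XML-RPC off
#   2. the two .htaccess files (/wp-includes and /wp-content/uploads) that block
#      direct requests to PHP while keeping wp-tinymce.php and ms-files.php reachable
#   3. .htaccess read-only (444) and wp-config.php owner-read-only (400)
# The file name disable-xmlrpc.php and the uploads placement are assumptions.

# Step 1: WordPress runs every XML-RPC request through the xmlrpc_enabled filter;
# returning false rejects all of them, including pingback.ping used for amplification.
write_xmlrpc_mu_plugin() {
  dir="$1/wp-content/mu-plugins"
  mkdir -p "$dir"
  cat > "$dir/disable-xmlrpc.php" <<'EOF'
<?php
/*
Plugin Name: Disable XML-RPC
Description: Example mu-plugin; refuses all XML-RPC requests.
*/
add_filter( 'xmlrpc_enabled', '__return_false' );
// Stop advertising the endpoint in <head> as well.
remove_action( 'wp_head', 'rsd_link' );
EOF
}

# Step 2: Apache 2.2-style rules (Apache 2.4 needs mod_access_compat for these).
write_htaccess_rules() {
  mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
  cat > "$1/wp-includes/.htaccess" <<'EOF'
<Files *.php>
deny from all
</Files>
<Files wp-tinymce.php>
allow from all
</Files>
<Files ms-files.php>
allow from all
</Files>
EOF
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<Files *.php>
deny from all
</Files>
EOF
}

# Step 3: lock the files a web shell would edit first. Skips files that do not exist.
lock_permissions() {
  for f in "$1/.htaccess" "$1/wp-includes/.htaccess" "$1/wp-content/uploads/.htaccess"; do
    [ -e "$f" ] && chmod 444 "$f"
  done
  [ -e "$1/wp-config.php" ] && chmod 400 "$1/wp-config.php"
  true
}

harden() {
  write_xmlrpc_mu_plugin "$1"
  write_htaccess_rules "$1"
  lock_permissions "$1"
}

# Octal mode of a file, on either GNU (stat -c) or BSD (stat -f) stat.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# usage: sh harden-wp.sh /var/www/example   (assumed path)
if [ $# -eq 1 ]; then harden "$1"; fi
```

Run it once per site; because the .htaccess files end up mode 444, a second run needs chmod u+w on them first. Keep a copy of the site's own wp-includes/.htaccess if one already exists, since the script overwrites it.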
- Create a new admin user + password: use companyname_admin for the username and contact+sitedomainwithextension@companyname.com for the email (Staff Writers will work for a name and Staff as a nickname; just make sure you know what's being displayed publicly) and generate a password.
- Delete the old admin user and auto-reassign all Posts/Pages from that user to the new admin user you just created.
- Run yo to install the latest version of WordPress through Yeoman.
- Delete any .php, .php5, .html, .phtml and .txt files from the /wp-content/uploads folder. There's generally only one index.php in that folder.
- Run grep -R --exclude="*.js" -e 'eval(' . | cut -c -80 from the command line in the site's root folder to help find evil code (source: http://halfelf.org/2013/evaluating-evil/, which also gives a good snapshot of a clean WP install).
- Add define( 'DISALLOW_FILE_EDIT', true ); to the wp-config.php file.
- Add the XML-RPC plugin to the /mu-plugins folder.
- Add a .htaccess for additional file security by using the Solid Base .htaccess; replace CHANGETHENAMEOFYOURWEBSITEHERE.com wherever it needs to reference your own website's domain.
- Add .htaccess files to both the /wp-content and /wp-includes folders.
- Run UPDATE wp_posts SET ping_status="closed";
- Change the $table_prefix = 'wp_'; line in the wp-config.php file.
- Something was recreating the .cache.php file every hour, at 27 minutes past, so just deleting the file wasn't enough.
- chmod .htaccess to 444.
- chmod wp-config.php to 400.
- One plugin adds a .js script on the front-end of your website. I didn't like that, so I'm not going to use this plugin.

Some of these worked just fine, but they required more digging to find out the actual issues on the site and/or were handled better by the plugins listed above. Others required you to create an account to even begin to use them.