Other WordPress Security Resources
- Block snoopy bots with Jeff Starr’s list of 6 great .htaccess bot-blocking techniques at Digging into WordPress
- Move your WordPress installation out of your root directory with Jeff Starr’s tutorial at Digging into WordPress
- Password Management software: 1Password or KeePass (free)
Featured WordPress Security Plugins
- Update Notifierwill email you every time there’s a new WP or plugin update to install.
- Limit Login Attempts prevents brute force attacks.
- WP Security Scan looks through your WordPress installation and identifies common insecurities. It is super easy to understand and implement.
- AntiVirus keeps an eye on your theme files and emails you if anything changes them–like a hacker adding malicious code.
Code snippets
Prevent directory browsing
Turn off directory listing by adding this code to your .htaccess file:
Options -Indexes
Hide your wp-config file
Block all external access to your config file by adding this code to your .htaccess file:
<files wp-config.php> order allow,deny deny from all </files>
Defend against injection.
Protect against any attempt to modify your PHP GLOBALS and _REQUEST variables by adding this code to your .htaccess:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
From http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
Hide your WordPress version
Remove your WordPress version number from your header by adding this code to your functions.php:
remove_action('wp_head','wp_generator');
Credit to Jeff Starr: http://digwp.com/2009/07/remove-wordpress-version-number/
Don’t show login errors.
Hide login errors from hackers. Add this code to your functions.php:
add_filter('login_errors',create_function('$a', "return null;"));
Pingback: WordPress Security Talk | ginacarson[dot]com