WP software updates

All software is updated on Mondays using ManageWP: https://managewp.com/

Malware scanner

Use an external scanner rather than a plugin, because scanning a website is a memory-intensive activity: https://sitecheck.sucuri.net/

Plugins

  • Hide wp-login and wp-admin: https://wordpress.org/plugins/wps-hide-login/
  • jQuery Updater: https://wordpress.org/plugins/jquery-updater/

REST API – not disabled

  • W3 Total Cache > Page Cache > Disable REST API
  • Object cache disabled so that BackupBuddy can run

Server Level

  • Force SSL (HTTPS redirection): https://blog.cpanel.com/force-https-redirection/
  • Firewall – limit login attempts (protection against brute-force attacks)

Functions



// Trim discovery / fingerprint links from <head>. This is fingerprint
// reduction only: the version meta tag goes away, but the version can
// still be inferred from other places (e.g. asset ?ver= query strings).
remove_action( 'wp_head', 'wp_generator' );      // WordPress version meta tag
remove_action( 'wp_head', 'rsd_link' );          // RSD (weblog client / XML-RPC) discovery link
remove_action( 'wp_head', 'wlwmanifest_link' );  // Windows Live Writer manifest link

// this one is for accessibility score
// Removes et_add_viewport_meta from the wp_head phase
function remove_divi_actions() {
	// Unhook Divi's own viewport meta tag (hooked at the default priority, 10)
	// so the zoomable replacement registered further down is the only one emitted.
	remove_action( 'wp_head', 'et_add_viewport_meta', 10 );
}
// Defer the removal to 'init' (default priority 10), presumably because the
// theme registers its wp_head hook before that point; removing it earlier
// would find nothing to remove.
add_action( 'init', 'remove_divi_actions', 10 );

// add ability to pinch and zoom
function et_new_viewport_meta(){
	// Replacement viewport tag: user-scalable=1 re-enables pinch zoom and
	// maximum-scale=2.0 caps it at 200%. Static markup only, no untrusted input.
	$viewport = 'width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=1';
	echo '<meta name="viewport" content="' . $viewport . '" />';
}
// Priority 15 emits the tag later than default-priority (10) wp_head output.
add_action( 'wp_head', 'et_new_viewport_meta', 15, 1 );



wp-config.php


//
// Disable the in-dashboard Plugin and Theme Editor
// =====================================
// Removes the Theme/Plugin file editors from wp-admin, so a compromised
// administrator session cannot write PHP through the browser. Must be placed
// above the wp-settings.php require line in wp-config.php to take effect.
define( 'DISALLOW_FILE_EDIT', true );

.htaccess

Making the .htaccess rules global: https://forums.cpanel.net/threads/htaccess-global.242511/


# Start ActionSkills Security

# Security Headers
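<IfModule mod_headers.c>
    # "always" applies each header to every response (redirects and error
    # pages included); the plain "set" form only covers successful responses.
    # The legacy browser XSS auditor is deprecated and current guidance
    # (OWASP) is to disable it explicitly with "0".
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # 63072000 s = two years; only keep includeSubDomains if every subdomain serves HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header set Content-Security-Policy ...
    Header always set Referrer-Policy "same-origin"
    # Permissions-Policy supersedes Feature-Policy; both are sent so older
    # browsers that only understand Feature-Policy keep the same restriction.
    Header always set Permissions-Policy "geolocation=(self)"
    Header always set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>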
 
 

# Start credit ithemes security

# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
    # Deny xmlrpc.php outright, using the Apache 2.4 (mod_authz_core) syntax
    # with a 2.2 fallback.
    # Caveat: XML-RPC is the transport used by Jetpack, the WordPress mobile
    # apps and pingbacks. The action=jetpack-sso exception further down hints
    # that Jetpack may be in use - confirm nothing depends on this endpoint.
    <files xmlrpc.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
     
     
     
# Protect System Files - Security > Settings > System Tweaks > System Files
    # <files> matches by basename anywhere below this directory, so each rule
    # also covers same-named files in subdirectories (e.g. plugin readme.txt
    # files, which are a common version-fingerprinting source).
    # Denying .htaccess itself is usually already done by the stock httpd.conf
    # (<FilesMatch "^\.ht">); it is kept here as defence in depth.
    <files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    # readme.html / readme.txt disclose the installed WordPress version.
    <files readme.html>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    <files readme.txt>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    # Backstop for the case where the PHP handler is misconfigured and
    # wp-config.php (DB credentials, salts) would otherwise be served as text.
    <files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
     
     
        # Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
        # Requires AllowOverride Options (or All) for this directory in the
        # server/vhost config; if it is not permitted Apache answers 500 for
        # the whole site instead of ignoring the line.
    Options -Indexes
 
    <IfModule mod_rewrite.c>
        RewriteEngine On
 
        # Protect System Files - Security > Settings > System Tweaks > System Files
        # Order matters: the [S=3] rule skips exactly the next three
        # wp-includes rules for every other path, so keep that count in sync
        # if rules are added to or removed from that group.
        RewriteRule ^wp-admin/install\.php$ - [F]
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
        # The -f condition applies to the next rule only: VCS metadata is
        # refused when the requested file actually exists on disk.
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule (^|.*/)\.(git|svn)/.* - [F]
 
        # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
        # These three rules refuse direct requests to PHP-like files below
        # uploads/, plugins/ and themes/. Caveats: a plugin that serves its own
        # PHP endpoint directly (instead of via admin-ajax.php or the REST API)
        # is denied by the plugins rule; and any extension the PHP handler maps
        # that is not in this list is not covered - check the handler config.
        RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
 
        # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
        RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
 
        # Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
        RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
 
        # Filter Request Methods - Security > Settings > System Tweaks > Request Methods
        # TraceEnable off in the server/vhost config (it is not allowed in
        # .htaccess) refuses these methods before rewriting runs; this rule
        # is the .htaccess-level fallback.
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
        RewriteRule ^.* - [F]
 
        # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
        # Signature list OR-chained down to the %[01][0-9A-F] condition, then
        # ANDed with the exceptions that follow. Expect false positives for
        # logged-out visitors: "https?:" denies any redirect_to=https://...
        # parameter, and the word lists match ordinary terms such as "encode"
        # or "insert". The wordpress_logged_in_ test is a substring match on
        # the Cookie header, so it is a usability carve-out, not an
        # authorization check.
        RewriteCond %{QUERY_STRING} \.\.\/ [OR]
        RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp: [NC,OR]
        RewriteCond %{QUERY_STRING} https?: [NC,OR]
        RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
        RewriteCond %{QUERY_STRING} %24&x [NC,OR]
        RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
        # This referer exception is http-only; with HTTPS forced (see the
        # Server Level notes) a maps.googleapis.com referer will normally be
        # https and will not match, so the exception is likely dead.
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
        RewriteRule ^.* - [F]
 
        # Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
        # %[A-F][0-9A-F] with NC matches any percent-encoded byte >= 0xA0, i.e.
        # every non-ASCII UTF-8 character in a query string. This also blocks
        # non-English search terms (?s=...) and, unlike the block above, has
        # no logged-in exception.
        RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
        RewriteRule ^.* - [F]
    </IfModule>
# End credit ithemes security 
# End ActionSkills Security