WP software updates
All software (core, plugins, themes) is updated every Monday through ManageWP: https://managewp.com/ . Security releases should be applied as soon as they are published rather than held for the weekly window; by default WordPress core also installs minor/security releases automatically unless that has been switched off.
Malware scanner
Use an external (remote) scanner rather than an in-site plugin: https://sitecheck.sucuri.net/ . Scanning a website from inside WordPress is a memory-intensive activity, and a scanner plugin runs with the same privileges as the possibly-compromised site. Bear in mind that a remote scan only sees what the site serves to the public, so it will not find server-side backdoors that leave no trace in page output — pair it with server-side file-integrity checks.
Plugins
- Hide wp-login and wp-admin (obscurity only: it cuts automated login noise but is not a substitute for strong passwords, 2FA and login rate limiting): https://wordpress.org/plugins/wps-hide-login/
- jQuery Updater (swaps the bundled jQuery for a current release to pick up its security fixes; test the theme and plugins afterwards, since older plugin scripts may rely on jQuery APIs that have since been removed): https://wordpress.org/plugins/jquery-updater/
REST API – left enabled (the block editor and many plugins depend on it)
- The switch to turn it off lives at W3 Total Cache > Page Cache > Disable REST API; leave it unticked
- Object cache (W3 Total Cache) left disabled so that BackupBuddy works
Server Level
- Force HTTPS (redirect every HTTP request to HTTPS) > https://blog.cpanel.com/force-https-redirection/ — get this redirect working first and only then enable the HSTS header in .htaccess below, because browsers cache that policy for the full max-age and cannot be told to forget it remotely.
- Firewall – limit login attempts (rate-limit wp-login.php — at its renamed path once wps-hide-login is active — and any other authentication endpoint; xmlrpc.php is already denied in .htaccess below) – protection from brute-force attacks
Functions (functions.php of the child theme, or a site-specific plugin)
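// Remove the Windows Live Writer manifest link from <head>.
remove_action( 'wp_head', 'wlwmanifest_link' );

// Remove the WordPress version string. wp_generator only covers the
// <meta name="generator"> tag in <head>; the_generator also feeds the version
// into the RSS/Atom feed output, so that filter is emptied as well. The
// version is still visible in core asset ?ver= query strings and (unless
// denied at the server, see readme.html in .htaccess) in readme.html, so
// treat this as noise reduction rather than a real control.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Remove the Really Simple Discovery (weblog client) link, which advertises
// the XML-RPC endpoint.
remove_action( 'wp_head', 'rsd_link' );

// Accessibility: drop Divi's own viewport meta tag (et_add_viewport_meta) and
// replace it with one that permits pinch-to-zoom. This was added for the
// accessibility audit score; presumably Divi's tag blocks user scaling - verify
// against the current Divi release if the theme is updated.
function remove_divi_actions() {
	remove_action( 'wp_head', 'et_add_viewport_meta' );
}
// Hooked on init so it runs after the parent theme has registered its hooks.
add_action( 'init', 'remove_divi_actions' );

// Emit the replacement viewport tag allowing zoom up to 2x.
// NOTE(review): the et_ prefix is Divi's own namespace; if a future Divi
// release defines a function of the same name PHP will fatal on redeclare.
// A site-specific prefix would be safer, but renaming changes the hook name
// used below, so it is left as-is here.
function et_new_viewport_meta() {
	echo '<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=1" />';
}
// Priority 15 so it is output after Divi's default wp_head callbacks.
add_action( 'wp_head', 'et_new_viewport_meta', 15 );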
wp-config.php
// Disable the built-in Plugin and Theme file editor (Appearance > Editor,
// Plugins > Editor). Without this, anyone holding an administrator session
// can write arbitrary PHP into the theme or a plugin straight from the
// dashboard. It does NOT block plugin/theme installs or updates - that would
// be DISALLOW_FILE_MODS, which would likely also break the remote ManageWP
// update workflow used for this site - so it is safe alongside managed updates.
//=====================================
define('DISALLOW_FILE_EDIT', true);
.htaccess
Applying these rules globally to every site on the cPanel account: https://forums.cpanel.net/threads/htaccess-global.242511/
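# Start ActionSkills Security

# Security Headers
# "always" makes Apache attach the headers to every response, including
# 4xx/5xx error pages; plain "set" only covers successful (2xx) responses.
<IfModule mod_headers.c>
    # The legacy browser XSS auditor has been removed from current browsers and
    # had bypass / information-leak issues in older ones; "0" explicitly turns
    # it off (current OWASP guidance). Use Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # HSTS for 2 years incl. subdomains. Only enable once the HTTP->HTTPS
    # redirect works and every subdomain serves valid HTTPS - browsers cache
    # the policy for max-age and cannot be told to forget it remotely.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header always set Content-Security-Policy ...
    Header always set Referrer-Policy "same-origin"
    # Permissions-Policy supersedes Feature-Policy; the old header is kept for
    # browsers that only understand the earlier syntax.
    Header always set Permissions-Policy "geolocation=(self)"
    Header always set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

# Start credit ithemes security

# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
# Blocks pingback abuse and multicall credential brute force. Jetpack and the
# mobile apps depend on xmlrpc.php; re-enable it if either is introduced.
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Protect System Files - Security > Settings > System Tweaks > System Files
# ^\.ht covers .htaccess as well as .htpasswd and friends (the stock Apache
# config usually does this already; this keeps it true on hosts that do not).
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# readme.html discloses the exact WordPress version.
<Files readme.html>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# Plugin readme.txt files disclose installed plugin versions.
<Files readme.txt>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# Defence in depth: wp-config.php should never be served even if PHP handling fails.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
# Requires AllowOverride to permit Options in .htaccess; otherwise Apache returns 500.
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Protect System Files - Security > Settings > System Tweaks > System Files
    RewriteRule ^wp-admin/install\.php$ - [F]
    RewriteRule ^wp-admin/includes/ - [F]
    # Skip the next three rules when the request is not under wp-includes/.
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    # Never serve files out of checked-in VCS metadata directories.
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule (^|.*/)\.(git|svn)/.* - [F]

    # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
    # Extension list extended with php8 and phar; which of these the server
    # actually executes depends on its handler configuration, so denying the
    # superset costs nothing.
    RewriteRule ^wp\-content/uploads/.*\.(?:php[1-8]?|pht|phtml?|phps|phar)\.?$ - [NC,F]
    # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
    # Note: this blocks ALL direct requests to plugin PHP files; a plugin that
    # legitimately relies on direct access to one of its scripts will break.
    RewriteRule ^wp\-content/plugins/.*\.(?:php[1-8]?|pht|phtml?|phps|phar)\.?$ - [NC,F]
    # Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
    RewriteRule ^wp\-content/themes/.*\.(?:php[1-8]?|pht|phtml?|phps|phar)\.?$ - [NC,F]

    # Filter Request Methods - Security > Settings > System Tweaks > Request Methods
    # (TraceEnable Off in the server config is the more reliable fix for TRACE.)
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
    RewriteRule ^.* - [F]

    # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
    # Signature-based speed bump, not a WAF. Two caveats:
    #  - the "https?:" pattern rejects any parameter carrying a URL (e.g. a
    #    redirect_to= on the login page); test the login/logout flow.
    #  - the filter is skipped whenever the request carries a cookie whose name
    #    contains "wordpress_logged_in_" or a Referer starting with
    #    http://maps.googleapis.com. Both headers are attacker-controlled and are
    #    not validated here, so the filter is trivially bypassable; it must not
    #    be relied on as a control.
    RewriteCond %{QUERY_STRING} \.\.\/ [OR]
    RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} ftp: [NC,OR]
    RewriteCond %{QUERY_STRING} https?: [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
    RewriteCond %{QUERY_STRING} %24&x [NC,OR]
    RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
    RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
    # Also rejects searches for ordinary words such as "insert" or "union".
    RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
    RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
    RewriteCond %{QUERY_STRING} !^loggedout=true
    RewriteCond %{QUERY_STRING} !^action=jetpack-sso
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
    RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
    RewriteRule ^.* - [F]

    # Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
    # Rejects any percent-encoded byte %A0-%FF in the query string, which every
    # non-ASCII UTF-8 character contains. Searches or parameters in any
    # non-English language will get a 403 - remove this block on a multilingual site.
    RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
    RewriteRule ^.* - [F]
</IfModule>

# End credit ithemes security
# End ActionSkills Security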