WP software updates
All software updated on Mondays using: https://managewp.com/
Malware scanner
Use an external scan, rather than plugin: https://sitecheck.sucuri.net/
Scanning a website is a memory intensive activity.
Plugins
- Hide wp-login and wp-admin: https://wordpress.org/plugins/wps-hide-login/
- jQuery Updater: https://wordpress.org/plugins/jquery-updater/
REST API – not disabled
- W3Total Cache > Page Cache > Disable REST API
- Object cache disabled to allow Backupbuddy
Server Level
- force SSL > https://blog.cpanel.com/force-https-redirection/
- Firewall – limit login attempts – protection from brute force attacks
Functions
// Remove Windows Live Writer Header
remove_action( 'wp_head', 'wlwmanifest_link');
// Remove WordPress Version
remove_action('wp_head', 'wp_generator');
//Remove Weblog Client Link - XML-RPC
remove_action ('wp_head', 'rsd_link');
// this one is for accessibility score
// Removes et_add_viewport_meta from the wp_head phase
function remove_divi_actions() {
remove_action( 'wp_head', 'et_add_viewport_meta' );
}
// Call 'remove_divi_actions' during WP initialization
add_action('init','remove_divi_actions');
// add ability to pinch and zoom
function et_new_viewport_meta(){
echo '<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=1" />';
}
add_action( 'wp_head', 'et_new_viewport_meta', 15 );
wp-config.php
//
//Disable Plugin and Theme Editor
//=====================================
define('DISALLOW_FILE_EDIT', true);
.htaccess
putting global https://forums.cpanel.net/threads/htaccess-global.242511/
# Start ActionSkills Security
# Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
Header set Referrer-Policy "same-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
# Start credit ithemes security
# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
<files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
# Protect System Files - Security > Settings > System Tweaks > System Files
<files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.html>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.txt>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
# Protect System Files - Security > Settings > System Tweaks > System Files
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]
# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
# Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
# Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
# Filter Request Methods - Security > Settings > System Tweaks > Request Methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^.* - [F]
# Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
RewriteCond %{QUERY_STRING} \.\.\/ [OR]
RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} https?: [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]
# Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
RewriteRule ^.* - [F]
</IfModule>
# End credit ithemes security
# End ActionSkills Security
