Let's go straight to the point, I do not think it is useful to explain why we must secure and protect its Wordpress site. Not that it is vulnerable to attacks, but because there are a lot of computer attacks on the net.
Here are the various ways to protect his site, they are all complementary, but can also be used separately and block nevertheless a lot of conventional attacks!
- Protection by plugins: install the Secure Wordpress plugins. Easy to use, it will protect you by removing information useful to hackers and queries malicious URL. Here is an overview of the possible settings of the plugin:
| Removes the version of WordPress in all areas, including the flows, but not in the admin part. | |
| Removes the version of WordPress in the area of administration for non-administrators. Shows the version of Wordpress only to users with the rights of publication of your plugins. | |
creates the file index.php in the /plugins/ and/themes/directories to avoid showing your directory list. |
|
Removes the link from Really Simple Discovery in the frontend wp_head |
|
Removes the link from Windows Live Writer in the frontend wp_head |
|
| Removes upgrading the WordPress core to all users except the administrator. Displays a message when the availability of a new version of WordPress only for users with the rights to update. | |
| Removes the update of plugins for all users except the administrator. Displays a message when the availability of a plugin in the Admin Panel only to haves users the rights to edit plugins. | |
| Removes the update of the theme to all users except the administrator. Displays a message when a new version of theme only to users with the rights to edit the themes. | |
| Removes version of WordPress on the url form scripts and stylesheets only one frontend. | |
| Protect WordPress against malicious URL requests |
- Protect Wordpress with your .htaccess file: copy / paste the following in your .htaccess file, it will protect the file .htaccess and wp – config.php, and you will protect against a large majority of attempts to hack your site!
# protected the htaccess and wp-config file
<files .htaccess=""></files>
order allow, deny
Deny from all<files wp-config.php=""></files>
order allow, deny
Deny from all# protection of reading directories
Options – Indexes# 5G BLACKLIST/FIREWALL
# http://perishablepress.com/5g-blacklist/ @# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c=""></ifModule>
RewriteEngine On
RewriteBase /.
RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
RewriteCond %{QUERY_STRING} (menu|mod|path|tag) = .? /? [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} echo.*kae [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} =\%27$ [NC,OR]
RewriteCond %{QUERY_STRING} = '$ [NC,OR]
RewriteCond %{QUERY_STRING} . .. [NC,OR]
RewriteCond %{QUERY_STRING} ? [NC,OR]
RewriteCond % {%{QUERY_STRING}: [NC,OR]
RewriteCond %{QUERY_STRING}.[ [NC,OR]
[RewriteCond %{QUERY_STRING} ] [NC]
RewriteRule. * -. [F]# 5G:[USER AGENTS]
<ifModule mod_setenvif.c=""></ifModule>
SetEnvIfNoCase User-Agent ^ $ keep_out
SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|turnit) keep_out
SetEnvIfNoCase User-Agent (zmeu|nutch|vikspider|binlar|sucker) keep_out
<limit get="" post="" put=""></limit>
Order Allow, Deny
Allow from all
Deny from env = keep_out# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c=""></ifModule>
RedirectMatch 403 (https? |) FTP|PHP): / /.
RedirectMatch 403 /(cgi|https?|) IMA|UCP).
RedirectMatch 403 / (Permanent| Better) $
RedirectMatch 403 (=\'|=\%27|/\'/?| ).css()$
RedirectMatch 403 (,|//|)+|/,/|{0}|(/(|…| +++||| \"\")
RedirectMatch 403. (cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar) $
RedirectMatch 403 /(contac|fpw|install|pingserver|register).php$
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107_)
RedirectMatch 403 (eval(|_vti_|(null)|echo.*kae|config.xml)
RedirectMatch 403 .well-known/host-meta
RedirectMatch 403 /function.array-rand
RedirectMatch 403 );$(this).html)
RedirectMatch 403 proc/self/about
RedirectMatch 403 msnbot.htm)._
RedirectMatch 403 /ref.outcontrol
RedirectMatch 403 com_cropimage
RedirectMatch 403 indonesia.htm
RedirectMatch 403 {$itemURL}
RedirectMatch 403 function ()
RedirectMatch 403 labels.rdf
RedirectMatch 403 playing.php
RedirectMatch 403 muieblackcat# 5G:[BAD IPS]
<limit get="" post="" put=""></limit>
Order Allow, Deny
Allow from all
# repeat-edit-uncomment next line to block IPs
# Deny from 123.456.789 its# 5G:[WordPress]
<ifModule mod_rewrite.c=""></ifModule>
RedirectMatch 403 / $ &
RedirectMatch 403 (? i) / & (t|title) =
RedirectMatch 403 (? i) / (bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 (? i) /(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
RedirectMatch 403 (? i) /(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster) /? $
RedirectMatch 403 (? i) /(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)
- Last point, use Cloudflare. Cloudflare is site that you will protect from hackers and their attacks, but in addition, it is also a CDN, so also will accelerate you your website! In addition, it also has a cache and various options to optimize your site. And it's free! Only constraint: requires that you can change your DNS.