Looking for quick and easy ways to improve your website security by hardening WordPress? Here are some WordPress security code snippets to better secure your website. We’ve previously shared other useful WordPress code snippets, SEO code snippets, and general website security code snippets so take a look at those posts for more quick tricks and tips. Here is a collection of our most used WordPress security code snippets. Most of these go in .htaccess files and work great on our Apache hosting servers.
Here’s an important trick for hardening WordPress straight from our general website security code snippets. This will prevent malicious PHP scripts from running in directories that shouldn’t have PHP scripts in them. Do make sure to carefully check your website functionality after implementing this as it can break theme or plugin functionality that relies on PHP files in these directories. If you need to whitelist specific files, we suggest using the Sucuri WordPress security plugin. To implement this code snippet just create a .htaccess file in each directory you want to protect and add the code below:
<FilesMatch "\.(?i:php)$"> <IfModule !mod_authz_core.c> Order allow,deny Deny from all </IfModule> <IfModule mod_authz_core.c> Require all denied </IfModule> </FilesMatch>
WordPress uses the wp_ prefix on all its MySQL tables by default, sometimes you might want to change this to your own custom prefix. A lot of WordPress security guides recommend changing the prefix to something non-standard but it is arguable that this helps much. Since if an attacker already has database access then you clearly have bigger problems, and they can simply read the prefix from your tables. Even so, it can’t hurt to change your database prefix which will foil basic attacks. Here’s how you do it in 3 steps:
Step 1: Change the prefix set in wp-config.php
Step 2: Change the prefix of the actual tables using phpMyAdmin or similar
Step 3: Run the SQL query below to update fields in wp_options and wp_usermeta tables
UPDATE `newprefix_options` SET `option_name`=REPLACE(`option_name`,'wp_','newprefix_') WHERE `option_name` LIKE '%wp_%'; UPDATE `newprefix_usermeta` SET `meta_key`=REPLACE(`meta_key`,'wp_','newprefix_') WHERE `meta_key` LIKE '%wp_%';
A couple of years ago attacks on xmlrpc.php were common. Not many websites actually use the XMLRPC functionality so one simple way of avoiding these attacks was to simply delete the xmlrpc.php file. However the file was restored every time you updated WordPress, so this wasn’t a very good solution. A better way is to block or limit access to xmlrpc.php via .htaccess. Note that Jetpack is one popular plugin that requires XMLRPC to work, but most websites won’t need it at all and can safely block it.
Add this code to your .htaccess file, you can set the IP addresses to allow access from if necessary (your own IP and your server IP):
<Files xmlrpc.php> <IfModule !mod_authz_core.c> order deny,allow deny from all allow from <IP ADDRESS> </IfModule> <IfModule mod_authz_core.c> Require ip <IP ADDRESS> <IP ADDRESS> </IfModule> </Files>
Or alternatively, a simpler way is just to deny from all:
<Files xmlrpc.php> order deny,allow deny from all </Files>
For the ultimate WordPress security, you can restrict access to wp-login.php and /wp-admin/ area to only your static IP address. Though of course this will only work if you are the only user that logs into the website, and you do need a static IP address in order to do this. Simply add this code to your .htaccess file to limit access to wp-login.php:
<Files wp-login.php> Order deny,allow Deny from all Allow from <YOUR IP ADDRESS> </Files>
To limit access to the whole /wp-admin/ directory, create a .htaccess file at /wp-admin/.htaccess and add this code:
Order Deny,Allow Deny from all Allow from <YOUR IP ADDRESS>
Many websites have multiple users and can’t limit access by IP address, but you can check that the referrer is a link on your website and not an external script. Many attacks send requests directly to your wp-login.php file, this snippet will block those attacks while letting your genuine website users log in normally. This is suitable for membership sites and should work fine with WooCommerce. Make sure to change http/https and yourdomain.com to your own website URL:
<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_METHOD} POST RewriteCond %{HTTP_REFERER} !^https://(.*)?yourdomain\.com [NC] RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteRule ^(.*)$ - [F] </IfModule>
If you aren’t using https for your full website we’d highly recommend using it for your admin area to protect yourself against password snooping attacks. Since all our hosting accounts come with automatic free SSL certificates all you need to do is add the following line to your wp-config.php:
define('Force_SSL_Admin', true);
Your wp-config.php file is possibly the most important file in your whole WordPress installation since it includes your database login credentials and other information that a hacker would love to see. You can protect your wp-config.php file by adding the following code to your .htaccess file:
<Files wp-config.php> Order deny,allow Deny from all </Files>
Many WordPress websites already disable author archives completely or change the author URL slugs to something other than the username. This helps with security because then potential attackers cannot see what your authors use as their login username. But if you haven’t secured your author archives then a malicious attacker can use a specific URL query string to find out your user’s usernames:
https://www.yourdomain.com/?author=1
By default this URL will redirect to your author archive at https://www.yourdomain.com/author/your-username/ for your user id 1 – which is often your admin user. Unless the author slug has been changed (which is highly recommended), this gives the attacker the username of the user. Let’s block this by adding the following code to your .htaccess so that anyone using the ?author=1 string to scan your site will be harmlessly redirected to the homepage:
<IfModule mod_rewrite.c> RewriteCond %{QUERY_STRING} ^author=([0-9]*) RewriteRule .* https://www.yourdomain.com/? [L,R=302] </IfModule>
As mentioned in the previous tip, you can change your author archive slugs so that potentially malicious people can’t see what your author usernames are. Add the following code to your theme functions.php and rebuild your permalinks. Make sure your users have a nickname set and then your author archives will use that instead of their username:
add_action( 'user_profile_update_errors', 'set_user_nicename_to_nickname', 10, 3 ); function set_user_nicename_to_nickname( &$errors, $update, &$user ) { if ( ! empty( $user->nickname ) ) { $user->user_nicename = sanitize_title( $user->nickname, $user->display_name ); } }
The WordPress admin area has a easy way to edit your theme and plugin files just by going to Editor under the Appearance/Plugins menu items. This also makes it very easy for a malicious attacker to edit your theme files if they gain access to your WordPress website. Don’t make it easy for them and disable the file editing by adding the following line to wp-config.php. You will still be able to edit your theme and plugin files via FTP:
define('DISALLOW_FILE_EDIT', true);
Looking for more tips on hardening WordPress and other website security tweaks? Check out our developer resource code.hostasean.com for more code snippets and also our own WordPress plugins. Let us know in the comments if you are having any problems or have any more tips.