Security - Tech - Wordpress - April 7, 2017

How to Secure WordPress without using any plug-ins

Secure WordPress without using any plug-ins – Support Version 4.7 and above

If your website gets hacked, it is usually because of a lack of preparation: security was never properly implemented. Maybe you have used many plugins and methods to make your website secure, but they make it very heavy and create many unwanted tables in your database. In this tutorial I will give some source code that needs to be put in your .htaccess file to give fair security to your WordPress website.

Secure WordPress without any Plugins (Support Version 4.7 and above)

  • First of all, log in to your WordPress installation through FTP, edit the wp-config.php file and add this line of code anywhere in the wp-config.php file:

    define('DISALLOW_FILE_EDIT', true);

    This line disables file editing through the WordPress CMS. For me this is a very vulnerable feature.

  • Now the second step, which is mostly done through FTP. Find the .htaccess file through FTP; it is in the root of the web folder. Edit it; it may not be visible in File Manager.
  • If you cannot find it, create it and paste the code below. Save it and exit.
  • Congratulations, your website is now secured. You can use a small plugin to limit login attempts.

    Security Source Code For .htaccess

    # BEGIN Site Security
    # Security Config Details: 2
        # Protect System Files - Security > Settings > System Tweaks > System Files
        # The <files> and <IfModule> wrappers were stripped from the page's copy of
        # this block; they are restored here from the standard iThemes Security
        # ruleset (Require for Apache 2.4, Order/Deny for Apache 2.2). Without the
        # <files> wrappers, "Require all denied" would deny the whole site.
        <files .htaccess>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule !mod_authz_core.c>
                Order allow,deny
                Deny from all
            </IfModule>
        </files>
        <files readme.html>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule !mod_authz_core.c>
                Order allow,deny
                Deny from all
            </IfModule>
        </files>
        <files readme.txt>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule !mod_authz_core.c>
                Order allow,deny
                Deny from all
            </IfModule>
        </files>
        <files wp-config.php>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule !mod_authz_core.c>
                Order allow,deny
                Deny from all
            </IfModule>
        </files>

        # Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
        Options -Indexes

        <IfModule mod_rewrite.c>
            RewriteEngine On

            # Protect System Files - Security > Settings > System Tweaks > System Files
            RewriteRule ^wp-admin/install\.php$ - [F]
            RewriteRule ^wp-admin/includes/ - [F]
            # Skip the next three rules unless the request is under wp-includes/
            RewriteRule !^wp-includes/ - [S=3]
            RewriteRule ^wp-includes/[^/]+\.php$ - [F]
            RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
            RewriteRule ^wp-includes/theme-compat/ - [F]

            # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
            RewriteRule ^wp-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

            # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
            RewriteRule ^wp-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

            # Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
            RewriteRule ^wp-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

            # Filter Request Methods - Security > Settings > System Tweaks > Request Methods
            RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
            RewriteRule ^.* - [F]

            # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
            # Regex metacharacters (. and parentheses) are escaped here; the page's
            # copy had lost the backslashes, and an unescaped "(" would make Apache
            # reject the whole file with a 500 error.
            RewriteCond %{QUERY_STRING} \.\./ [OR]
            RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
            RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
            RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
            RewriteCond %{QUERY_STRING} ftp: [NC,OR]
            RewriteCond %{QUERY_STRING} https?: [NC,OR]
            RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
            RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
            RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
            RewriteCond %{QUERY_STRING} %24&x [NC,OR]
            RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
            RewriteCond %{QUERY_STRING} (globals|encode|localhost|loopback) [NC,OR]
            RewriteCond %{QUERY_STRING} (request|concat|insert|union|declare) [NC,OR]
            RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
            # Exemptions: logout, Jetpack SSO, password reset, logged-in users, Google Maps referer
            RewriteCond %{QUERY_STRING} !^loggedout=true
            RewriteCond %{QUERY_STRING} !^action=jetpack-sso
            RewriteCond %{QUERY_STRING} !^action=rp
            RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
            RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
            RewriteRule ^.* - [F]

            # Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
            RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
            RewriteRule ^.* - [F]
        </IfModule>
    # END Site Security

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
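As an added example (not code from the page), the Python script below models the rewrite rules above so you can see what the ruleset would block before deploying it; the constructed sample requests show two genuine blocks and two false positives (a search for "union station" and an accented search term) that the query-string filters produce.

```python
import re
from urllib.parse import urlsplit

# Apache regexes from the ruleset above, with the escaping Apache needs
# (the page's copy lost the backslashes). For these patterns Python's re
# matches the same way as Apache's PCRE.
PHP_IN_CONTENT = re.compile(
    r"^wp-content/(?:uploads|plugins|themes)/.*\.(?:php[1-7]?|pht|phtml?|phps)$", re.I)
SYSTEM_FILES = [re.compile(p) for p in (
    r"^wp-admin/install\.php$", r"^wp-admin/includes/",
    r"^wp-includes/[^/]+\.php$", r"^wp-includes/js/tinymce/langs/.+\.php",
    r"^wp-includes/theme-compat/")]
BAD_METHODS = re.compile(r"^(TRACE|DELETE|TRACK)$", re.I)
SUSPICIOUS_QS = [re.compile(p, re.I) for p in (
    r"\.\./", r"\.(bash|git|hg|log|svn|swp|cvs)", r"etc/passwd", r"boot\.ini",
    r"ftp:", r"https?:", r"(<|%3C)script(>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", r"base64_decode\(", r"%24&x", r"127\.0",
    r"(globals|encode|localhost|loopback)",
    r"(request|concat|insert|union|declare)", r"%[01][0-9A-F]")]
NON_ENGLISH = re.compile(r"%[A-F][0-9A-F]", re.I)
# Query strings that the negative RewriteConds exempt from the suspicious filter.
EXEMPT_QS = ("loggedout=true", "action=jetpack-sso", "action=rp")


def verdict(method, url, cookie="", referer=""):
    """Name of the first rule group that would answer 403, or None if allowed."""
    parts = urlsplit(url)
    path, qs = parts.path.lstrip("/"), parts.query
    if BAD_METHODS.match(method):
        return "request-methods"
    if any(r.search(path) for r in SYSTEM_FILES):
        return "system-files"
    if PHP_IN_CONTENT.search(path):
        return "php-in-content"
    exempt = (qs.startswith(EXEMPT_QS) or "wordpress_logged_in_" in cookie
              or referer.startswith("http://maps.googleapis.com"))
    if not exempt and any(r.search(qs) for r in SUSPICIOUS_QS):
        return "suspicious-query"
    if NON_ENGLISH.search(qs):
        return "non-english"
    return None


if __name__ == "__main__":
    # Constructed sample requests: two real threats and two benign visitors.
    for req in (("GET", "/wp-content/uploads/2017/04/shell.php"),
                ("GET", "/?file=../../etc/passwd"),
                ("GET", "/?s=union+station"),   # blocked: false positive
                ("GET", "/?s=Jos%C3%A9")):      # blocked: non-English filter
        print(req[0], req[1], "->", verdict(*req) or "allowed")
```

Run it against your own site's typical URLs (search terms, redirect_to on wp-login.php, non-Latin content) before enabling the query-string and non-English filters, since both block legitimate visitors who are not logged in.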
