5 important tips to protect WordPress


Today, after a long absence from the blogosphere, I want to touch on some tips that will help you increase the protection of WordPress considerably. It is not far-fetched that you have many sites on one server, which is the situation I am in now; the important thing is that I took some precautions that may help you. Now we get to the heart of the matter. First, before you apply any of these tips, you should know that hosts differ: each host has its own settings, and some of these tips may cause problems such as a 403 Forbidden error or a 500 Internal Server Error. For this reason you should be careful and take a backup copy of the site files (not the database, because these tips only concern files).

1 – Disable the plugins and templates editor

In WordPress, you can disable the theme (template) and plugin editor with a simple line of code, but the question is why disable it? There are two reasons:

The first reason: it prevents anyone who has compromised the WordPress admin account from modifying themes and plugins through the dashboard, which keeps theme and plugin files from being tampered with.

The second reason: you do not need these editors at all. They are very basic, and I do not think anyone uses them to edit their themes or plugins; you can do without them by using the code editor in cPanel or a text editor such as Notepad++.

Protect the theme and plugin editor

If you want to disable it, just add the following line to the wp-config.php file; this prevents any misuse of the theme and plugin editor.

define( 'DISALLOW_FILE_EDIT', true );

2 – Protect by htaccess

Here I will show some methods that also help you protect WordPress; of course I will only show the important ones that will not cause any problems with your site. There are many other methods, but they are not guaranteed to work because hosting settings differ.

htaccess and wp-config.php protection

Here we will protect these files from being read through vulnerabilities in plugins or through shell files. Such vulnerabilities may be an authentication bypass or a local file include. For example, if a vulnerable plugin allows files to be read in the following way:

http://sitename.com/wp-content/plugins/anyname/options.php?page=../../../wp-config.php

Here .htaccess plays its part by preventing the file from being read and returning a 403 Forbidden error instead. I mean there is no need to panic if a plugin turns out to be vulnerable, but you would be negligent if you did not upgrade your plugins whenever updates are available.

The code we will use to protect wp-config.php and .htaccess:

<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
<Files wp-config.php>
order allow,deny
deny from all
satisfy all
</Files>

Do not forget, if you have subdomains with another WordPress installation, to apply these steps to them as well.

Block browsing of site folders

Folder Protection

This method plays an important role: it prevents any visitor from listing the contents of a folder through the browser. Anyone who tries to browse a folder will get a 403 error page. This matters when you keep important files in a folder and do not want someone to find them, and it is very simple: all you have to do is add this line to the .htaccess file:

Options -Indexes 

Prevent files from being executed in a specific folder

Even if you ignore all the other tips I have mentioned and will mention after this, God willing, do not skip this method. It works by preventing any script, whether PHP, CGI or Perl, from running in a specific folder. I mean, this method will help you in the event that someone gets into the WordPress admin account: even if they try to upload PHP, CGI or Perl files through the media library, the files will not run. There are two ways to prevent files from being executed. Note: you must first create an .htaccess file inside the uploads folder, which is usually at the following path on your site:

http://sitename.com/wp-content/uploads

The first way is to turn off cgi-script execution in the folder and register the extensions of these files as cgi-script in the .htaccess file, as follows:

Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

By the way, you can use Options -ExecCGI without listing extensions with AddHandler, and any dangerous file will still be disabled.

The second method is to serve specific file types as plain text. In this case, if a PHP file is uploaded and opened in the browser, it shows the PHP code as if you had opened the file to edit it, instead of running it. All you have to do is add the following line to your .htaccess file:

AddType text/plain .php .pl .py .jsp .asp .htm .shtml .sh .cgi

The second method is better because the first one will write many errors to the error_log file; personally I use the first, but choose whichever suits you.

Block a set of common probing attempts

As we know, many hackers use certain methods and tools to scan your site for vulnerabilities. Here we stop them before they get into the site, using this code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
# this rule was cut off on the page; its usual form matches a <script> tag in the query string
RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)(.*)script(.*)(%3E|>)(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [OR]
## Please leave the next rule commented out, it can cause some routing issues ##
#RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)http(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|\[|%[0-9A-Z]{0,2})(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|\[|%[0-9A-Z]{0,2})(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(SELECT(%20|\+)|UNION(%20|\+)ALL|INSERT(%20|\+)|DELETE(%20|\+)|CHAR\(|UPDATE(%20|\+)|REPLACE(%20|\+)|LIMIT(%20|\+))(.*)$ [NC]
RewriteRule (.*) - [F]

As you can see, the code matches patterns used in some attack methods such as XSS and SQL injection.
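To see what this ruleset actually refuses and where it over-blocks, here is a Python port of the query-string conditions run over a few constructed requests (an added example, not part of the post). It assumes the first pattern is the usual <script> rule of this blocklist family, since the page's copy of that line is truncated, and it keeps the "=http://" rule optional because a normal WordPress login redirect (redirect_to=http://...) trips it.

```python
import re

# Apache tests these against the raw, still percent-encoded query string, so we do
# the same. [NC] becomes re.IGNORECASE; every rule but the last carries [OR], so the
# request is refused when the method matches AND any query rule matches.
METHOD_RULE = re.compile(r"(GET|POST)", re.IGNORECASE)

QUERY_RULES = [
    (r"^(.*)(%3C|<)(.*)script(.*)(%3E|>)(.*)$", re.IGNORECASE),   # <script> tag (assumed form)
    (r"^(.*)(%3D|=)?javascript(%3A|:)(.*)$", re.IGNORECASE),      # javascript: URI
    (r"^(.*)document\.location\.href(.*)$", 0),
    (r"^(.*)base64_encode(.*)$", 0),
    (r"^(.*)GLOBALS(=|\[|%[0-9A-Z]{0,2})(.*)$", 0),               # register_globals abuse
    (r"^(.*)_REQUEST(=|\[|%[0-9A-Z]{0,2})(.*)$", 0),
    (r"^(.*)(SELECT(%20|\+)|UNION(%20|\+)ALL|INSERT(%20|\+)|DELETE(%20|\+)"
     r"|CHAR\(|UPDATE(%20|\+)|REPLACE(%20|\+)|LIMIT(%20|\+))(.*)$", re.IGNORECASE),
]
# The rule the author asks you to comment out: "=http://" anywhere in the query.
URL_RULE = (r"^(.*)(%3D|=)http(%3A|:)(/|%2F){2}(.*)$", re.IGNORECASE)


def is_blocked(method, query_string, with_url_rule=False):
    """Return True when the ruleset would answer 403 Forbidden for this request."""
    if not METHOD_RULE.search(method):
        return False
    rules = QUERY_RULES + ([URL_RULE] if with_url_rule else [])
    return any(re.search(pattern, query_string, flags) for pattern, flags in rules)


# Constructed sample requests: a harmless search, three probes the rules are meant
# to catch, and a legitimate WordPress login redirect that only the URL rule breaks.
SAMPLES = [
    ("GET",  "s=hello+world"),
    ("GET",  "id=1+UNION+ALL+SELECT+1,2"),
    ("POST", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET",  "x=JavaScript:alert(1)"),
    ("GET",  "redirect_to=http://example.com/wp-admin/"),
]

if __name__ == "__main__":
    for method, qs in SAMPLES:
        print(f"{method:4} ?{qs:45} blocked={is_blocked(method, qs)!s:5} "
              f"with_url_rule={is_blocked(method, qs, with_url_rule=True)}")
```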

Prevent the hacker from running commands if you have already been hacked

This will benefit you in the event that the damage is already done, that is, if the hacker has got into your site and uploaded a script to execute commands (I call it a malicious script, though I don't know why I give it that name 🙂 in fact it is known as a shell to Arabs and foreigners alike). In this case this code will prevent many commands from being executed. But it may cause problems with WordPress, so you should test it and delete the rules that cause you problems.

The code can be found in a text file here

Don’t forget to replace /home/user/ with your cPanel username before copying the code into the .htaccess file.

3 – Hide PHP errors

As for hiding PHP errors, the purpose is to protect your username, especially for cPanel users, since as we know the username appears in the site path, for example:

/home/moad

That path may be used in what is known as brute force to crack your hosting password. There are three ways to hide these errors; I tried all of them and only one worked for me. I will describe it and mention the other methods as well, even though they did not work for me when I tried them.

The methods I describe here were found on Perishable Press.

The first method: using php.ini

Note: this method is not specific to WordPress; you can use it for any site running any script, such as Joomla.

This is the only method that worked for me on HostGator hosting, and it is easy to apply. All you have to do is follow these steps:

First, create a file named php_error.log. All errors that occur on the site will be written to this file instead of being displayed in the browser. Do not forget to give it permission 644 so that it can be written to.

Second, we create a php.ini file that disables the display of these errors and sends them to the php_error.log file we created earlier. Copy the following into the php.ini file:

display_startup_errors = false
display_errors = false
html_errors = false
log_errors = true
ignore_repeated_errors = false
ignore_repeated_source = false
report_memleaks = true
track_errors = true
docref_root = 0
docref_ext = 0
error_reporting = 999999999
log_errors_max_len = 0
error_log = /home/user/public_html/php_error.log

Now change user in line 14 (the error_log line) to your username, or in other words change the path to wherever the php_error.log file is located. After that, save the file.

Third, we add a rule to the .htaccess file so that errors are hidden in all of the site's folders, including subdomains. Here we use the suPHP module, but it is not enabled on all hosts; if it is not enabled on yours, you will get a 500 Internal Server Error, and you would have to copy the php.ini file into every folder of your site, which is of course difficult, so try the solutions mentioned later instead. All you have to do is add the following line to your .htaccess file:

suPHP_ConfigPath /home/user/public_html

Fourth, after completing the previous steps, we protect the php.ini and php_error.log files by adding the following rules to the .htaccess file:

<Files php.ini>
order allow,deny
deny from all
satisfy all
</Files>
<Files php_error.log>
order allow,deny
deny from all
satisfy all
</Files>

The second method: hiding errors with .htaccess

This method depends on the .htaccess file only, but I do not think it can be used on shared hosting, as I read on one of the well-known sites. The method is easy: if you want to hide errors, all you have to do is add the following rules to the .htaccess file:

php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off

If you want to log errors to a specific file, create a file named php_error.log and add the following rules to the .htaccess file:

php_flag log_errors on
php_value error_log /home/user/public_html/php_error.log

If this method works for you without problems, do not forget to protect the php_error.log file by adding the following rule:

<Files php_error.log>
order allow,deny
deny from all
satisfy all
</Files>

The third method: via wp-config.php

This method also did not work for me. It relies on ordinary PHP code, not anything WordPress-specific, so it can be used in any script. All you have to do is add the following lines to the wp-config.php file, and you are lucky if it works:

@ini_set('log_errors','On');
@ini_set('display_errors', 'Off');
@ini_set('error_log','/home/user/public_html/php_error.log');

Do not forget to change user to your username, or in other words, put the full path to the php_error.log file.

That is all about hiding PHP errors. I advise you to try the last two methods before resorting to the first method with php.ini.

4 – Prevent brute-force login attempts

Here we will protect the WordPress dashboard by preventing hackers from brute-forcing the admin password of the WordPress installation. There are many plugins for this purpose; the one described here is Login LockDown.

WordPress plugin page: http://wordpress.org/extend/plugins/login-lockdown/

Plugin settings:

[Image: Login LockDown settings]

As you can see from the picture, these are the settings that I use:

Max Login Retries: the number of login attempts allowed, which should be 3.

Retry Time Period Restriction: here we specify the time window within which the three login attempts from the same IP, set above, are counted.

Lockout Length: here we block the IP that made the three failed attempts from logging in for an hour.

Lockout Invalid Usernames: with this option, attempts with a wrong username are also counted and blocked.

Mask Login Errors: here we hide the details of login errors.

That is all there is to this plugin.
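To make the interaction of these four settings concrete, here is a small model of them in Python (an added example, not the Login LockDown plugin's code). The 3 retries and one-hour lockout come from the settings above; the five-minute retry window is an assumption, since the post does not give its value.

```python
from collections import defaultdict


class LoginLockdown:
    """Per-IP failed-login counter with a retry window and a lockout, as described above."""

    def __init__(self, max_retries=3, retry_period_s=5 * 60, lockout_s=60 * 60,
                 lockout_invalid_usernames=True, mask_login_errors=True):
        self.max_retries = max_retries            # Max Login Retries
        self.retry_period_s = retry_period_s      # Retry Time Period Restriction (assumed 5 min)
        self.lockout_s = lockout_s                # Lockout Length
        self.lockout_invalid_usernames = lockout_invalid_usernames
        self.mask_login_errors = mask_login_errors
        self.failures = defaultdict(list)         # ip -> timestamps of failures in the window
        self.locked_until = {}                    # ip -> unix time when the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip, username, password, now, valid_users):
        """Process one login attempt and return the message the visitor sees."""
        locked_msg = "Too many failed attempts. Try again later."
        if self.is_locked(ip, now):
            return locked_msg                     # even a correct password is refused
        user_exists = username in valid_users
        if user_exists and valid_users[username] == password:
            self.failures.pop(ip, None)           # success clears the counter
            return "Logged in"
        # A wrong username only counts when "Lockout Invalid Usernames" is on.
        if user_exists or self.lockout_invalid_usernames:
            window = [t for t in self.failures[ip] if now - t < self.retry_period_s]
            window.append(now)
            self.failures[ip] = window
            if len(window) >= self.max_retries:
                self.locked_until[ip] = now + self.lockout_s
                self.failures.pop(ip, None)
                return locked_msg
        # "Mask Login Errors": never tell the visitor which half was wrong.
        if self.mask_login_errors:
            return "Invalid username or password"
        return "Invalid password" if user_exists else "Invalid username"
```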

Last tips

  1. Do not use your cPanel password in wp-config.php to connect to the database
  2. Do not list important folders or files in the robots.txt file
  3. Do not neglect upgrading WordPress and plugins

End of transmission

There are other ways to protect WordPress that I did not mention, such as password-protecting the wp-admin folder, which many brothers on the Internet have covered. With this we have completed this humble explanation; excuse me for the delay in posting, time has become very tight these days. If there is any question or anything unclear in the explanation, please leave a comment. And do not forget to subscribe to our mailing list, thank you very much.
