Saturday, January 23, 2021

Locking Down Your WordPress Website

I field about 3 calls a week from companies that have WordPress (WP) as their CMS (that’s Content Management System for you keyboard bandits). Generally, these folks have no idea what does what and are hacked on a regular basis. WP is a killer CMS and rightfully so. Virtually anything you want to do is FREE: themes, plugins, etc. There are roughly 60 million folks using it as I type. With that said, one of the biggest problems is that non-coding types make several grave mistakes.

The biggest mistake I see day in and day out is that no one changes their username from admin to something else. This, combined with a bullshit password, makes hacking your website a breeze.

The other item that most folks have no clue about is that there is a file called .htaccess which is generated when you install WP. So, the first thing we need to do is locate the directory where WP is installed. Generally, it is in your public_html. If you took the time to get a decent webhost, you have something called cPanel. On that note, if you are paying more than $46 per year INCLUDING the domain registration, you really should drop me a line. Anyway, find your .htaccess and open it with your code editor. It will look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The first thing we are going to do is protect our wp-config.php file. Now, from here on out we are going to add ALL OF OUR CODE ABOVE THE # END WordPress line. Got it?! Learn it, live it, know it!!! So, here we go:

# Protect WP Config
<files wp-config.php>
order allow,deny
deny from all
</files>


The next thing we are going to do is prevent directory browsing. You have NO IDEA how much data I harvest that way! Now, a point about coding here. I like things to look clean, so I always put a carriage return (hit the enter key) after the last line of my code. So, we add this after the carriage return that follows </files>:

# directory browsing
Options All -Indexes

Hot linking is a pain in the ass and although I have hijacked many a troll site by misdirection, we want to shut that down on your site. So, remember the carriage return after Options All -Indexes and then add:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

The third line has ?YourDomain [NC]. You will want to put your own domain name there WITHOUT the http:// or www. Pretty simple. So, now what we want to do is protect the .htaccess file itself! So, carriage return after … [NC,F,L] and add:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>


The final line should be # END WordPress. Now, for those of you who want to push the envelope a bit, it is generally a good idea to lock down the wp-content folder. Simply create a .htaccess file in that folder in cPanel and add the following into it:

order deny,allow
deny from all
<files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</files>


If you are having issues with anything, or if you are perhaps a bit overwhelmed, simply drop me a line. I consult for many of the industry players. If you are actually getting ready to set up your website, or perhaps are tired of paying ONE HUNDRED DOLLARS PLUS a year, give me a holler as well. Remember, nothing is foolproof. Backup is the key to longevity, and prevention is better than cure!

Paul Williams
Linux addict buried deep in the mountains of East Tennessee.
