Securing a WordPress Installation & Boosting WordPress Website Performance with Easy .htaccess Settings or Hacks (Note: these are the settings and hacks that I deployed on my own website too)

I am writing it down to help you secure your website & boost your WordPress website performance with these simple .htaccess hacks.

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to block direct access to the include-only files under wp-admin/includes and wp-includes:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# For anything outside wp-includes/, skip the two active rules below.
# [S=n] counts only real RewriteRule lines, so if you re-enable the
# commented rule, change this back to [S=3]; otherwise [S=3] would also
# skip the first RewriteRule of whatever block follows this one.
RewriteRule !^wp-includes/ - [S=2]
# Left commented out: blocking every top-level wp-includes/*.php breaks
# ms-files.php on Multisite.
# RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to limit direct access to wp-comments-post.php and so limit comment spam. Replace your-website-name.com with your own domain. Note that a legitimate visitor whose browser sends no Referer header at all is refused as well.

# Block SPAM Comments: refuse POSTs to wp-comments-post.php that do not
# come from a page on this site, or that carry no User-Agent at all
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !your-website-name\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back to the client's own address
# (the substitution is a URL, so it takes no ^ and $ anchors)
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to disable directory browsing:

# Disable directory browsing
# ("All -Indexes" mixes absolute and relative forms, which Apache rejects
# with a 500 error; the relative form alone is what is needed)
Options -Indexes

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to protect wp-config.php:

# Protect wp-config.php (Apache 2.4 syntax, with the 2.2 fallback)
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to protect the .htaccess file itself:

# Protect .htaccess file (Apache 2.4 syntax, with the 2.2 fallback)
<FilesMatch "^.*\.([Hh][Tt][Aa])">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</FilesMatch>

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to prevent script injection through the query string. If your host does not allow Options in .htaccess, drop the Options line (mod_rewrite only needs FollowSymLinks or SymLinksIfOwnerMatch to be enabled, which most hosts already do):

# Prevent Script Injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403 Forbidden and ignores the target, so "-" replaces index.php
RewriteRule ^(.*)$ - [F,L]

Implement or copy-paste this code into the .htaccess file in the root of your WordPress installation to block requests whose query string carries common attack patterns (this block also repeats the script-injection conditions above, so it can be used on its own):

# Prevent hacks
<IfModule mod_rewrite.c>
RewriteEngine On
# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
# (the parentheses must be escaped; unescaped, "(.*)" is just an empty group)
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
# ("[" must be escaped; unescaped it opens a character class and the
# condition matches any query string that merely contains GLOBALS or _REQUEST)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer every matching request with 403 Forbidden: with [F] the
# substitution is ignored, so "-" is used instead of a target
RewriteRule ^(.*)$ - [F,L]
</IfModule>
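
These query-string conditions are easy to get wrong: an unescaped "[" or a bare "(.*)" turns a targeted condition into one that blocks any query string containing the keyword. The following Python is an added example (my code, not part of the original post or of Apache) that emulates the conditions with proper escaping alongside the unescaped variants that circulate in copy-pasted versions, and runs both over constructed sample query strings so you can see which legitimate requests the sloppy variants would refuse.

```python
import re

# Apache matches RewriteCond against the raw, still percent-encoded query
# string, which is why the page's patterns look for both "<" and "%3C".
# Each entry re-types one RewriteCond as a Python regex (re.I stands in
# for [NC]); this is a test emulation, not Apache itself.
UNESCAPED = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)),
    ("proc/self/environ", re.compile(r"proc/self/environ")),
    ("mosConfig", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    # "(.*)" is a capture group, not literal parentheses: anything that
    # merely contains "base64_encode" matches.
    ("base64_encode", re.compile(r"base64_encode.*(.*)")),
    # The unescaped "[" opens a character class, so the alternation
    # collapses and "GLOBALS" / "_REQUEST" followed by anything matches.
    ("GLOBALS", re.compile(r"GLOBALS(=|[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|[|\%[0-9A-Z]{0,2})")),
]

# The same conditions with "(", ")" and "[" escaped as literals.
FIXED = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)),
    ("proc/self/environ", re.compile(r"proc/self/environ")),
    ("mosConfig", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

def blocked_by(rules, query_string):
    """Name of the first matching condition, or None if the request passes."""
    # Mirrors RewriteCond lines chained with [OR]: a single hit is enough
    # for the closing "RewriteRule ^(.*)$ - [F,L]" to answer 403 Forbidden.
    for name, pattern in rules:
        if pattern.search(query_string):
            return name
    return None

# Constructed sample query strings; the first two are legitimate searches
# that the unescaped variants would wrongly block.
SAMPLES = ["s=GLOBALSEARCH", "q=base64_encode_docs", "p=12&cat=news",
           "q=%3Cscript%3Ealert(1)%3C/script%3E",
           "file=../../proc/self/environ", "a=GLOBALS%5Bx%5D=1"]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs:38} unescaped={blocked_by(UNESCAPED, qs)!s:18} "
              f"fixed={blocked_by(FIXED, qs)}")
```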

Hope it helps…!!!

Thanks & Regards
Mandar Apte
