Protect your WordPress Files and Dirs Carefully

And I want to say – yes – WordPress is very safe and in ordinary situation, when you use clean WordPress install with the default Twenty Seventeen theme you have nothing to worry about (unless your password is «querty» or «12345678»).

But there are no ordinary situations in life – you may use a plugin with vulnerabily or not good enough hosting — in this case any of security tips matter and could safe your website.

Step 1. Protect wp-config.php

First of all – place your wp-config.php in the directory above your installation folder. Do not worry – WordPress will find it without problems there.

Second – in the same directory create a file named .htaccess with the following content.

It may look something like this:

On the screenshot public_html is the directory with WordPress.

Third – set file permissions (chmod) to 400. You can do it in your FTP/SFTP client usually via right click on file.

But what means 400 (or 440 and 444 as well) ? It means that nobody can edit this file. You can not even do it in your WordPress admin area (using a plugin for example).

I also recommend to set 444 chmod for every .htaccess file on your website. In addition, the official WordPess codex recommendation is 755 for all directories and 644 for files.

Step 2. Disable directory browsing

Try to open yourdomain/wp-content/plugins URL in your browser and this is something you shouldn’t see:

Usually WordPress already includes empty index.php file in /wp-content/plugins/, /wp-content/themes/ and /wp-content/uploads.

But what about all the other directories without index.php, even like /wp-content/uploads/2017?

Simple — just open .htaccess file which is in your WordPress installation folder and insert at the beginning of the file just this single line:

Now, when someone tries to access your dirs directly, he will receive «403 Forbidden».

Step 3. A special attention at uploads folder

Well, uploads directory is a very problematic place in WordPress. If it seems like your website is under attack, look into the uploads folder, I suppose you can find something interesting there.

Our task now is to disable PHP-execution there. There are two ways to implement it (I prefer the first way).

No matter what way you choose, you have to create another .htaccess in you uploads directory.

Step 4. /wp-admin/

By the password

In this method, by adding two simple files in your /wp-admin directory you will completely block everything inside it from unauthorized access.

First file is /wp-admin/.htaccess:

This is the content of the /wp-admin/.htpasswd file, each line is the user:encrypted_password. To generate the passwords you can use my tool.

[htpasswd-tool]

By the IP

Protection by the IP is better, but it doesn’t fit for me because I work from many different places and sometimes in my trips.

This code should be placed in /wp-admin/.htaccess

Issue with admin-ajax.php

The interesting thing is that when you block your /wp-admin directory, the admin-ajax.php file will be blocked as well. So, you can not run ajax scripts outside your admin area.

How to avoid this? — use custom ajaxurl instead, as an option you can add ajax.php file in your WordPress directory with the following content in it: