Skip to main content

WordPress

Common WordPress Installation Steps

Common WordPress Installation Steps

  • Install WordPress

  • Install the Theme => Create Child theme then activate it

  • Protect the website by Basic Authentication while the website under construction

  • do all your modification

  • you can now change the theme name into any name 'xxx' then modify the child them to put 'xxx' as parent theme

  • Install some important plugins

Block wp-includes folder and files Wordpress

To hide sensitive files in the wp-includes folder, add the following code to the .htaccess file in the root of your site:

 

# Block wp-includes folder and files
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

Prevent execute PHP file in wp-content/uploads directory

wp-content/uploads directory

your wpcontent/uploads directory should be considered a potential entry point and can be exploited for number of wordpress hacks . The biggest potential threat is the uploading of PHP files.

If you can browse /wpcontent/plugins/ – the enumeration of plugins and versions becomes much easier! Exploiting this can allow an attacker to obtain sensitive information that could aid in further attacks.