Skip to main content

WordPress

Block wp-includes folder and files Wordpress

To hide sensitive files in the wp-includes folder, add the following code to the .htaccess file in the root of your site:

 

# Block wp-includes folder and files
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

Prevent execute PHP file in wp-content/uploads directory

wp-content/uploads directory

your wpcontent/uploads directory should be considered a potential entry point and can be exploited for number of wordpress hacks . The biggest potential threat is the uploading of PHP files.

If you can browse /wpcontent/plugins/ – the enumeration of plugins and versions becomes much easier! Exploiting this can allow an attacker to obtain sensitive information that could aid in further attacks.

How do I prevent user enumeration on my WordPress site?

WordPress leaks usernames in several ways. In truth there is no way to fully prevent user enumeration, particularly if your website makes use of authors pages. However, you can certainly reduce the attack surface and make user enumeration harder by following the below steps:

  • Disable the WordPress REST API if you are not using it,
  • Disable WordPress XML-RPC if you are not using it,
  • Configure your web server to block requests to /?author=<number>,
  • Don’t expose /wp-admin and /wp-login.php directly to the public Internet.

Cloudflare Firewall Rules for Securing WordPress

Cloudflare Firewall Rules for Securing WordPress This guide is aimed at security-minded webmasters who run a WordPress site or blog on a Cloudflare-enabled domain. On the free plan, Cloudflare grants five firewall rules that are empty by default. By adding WordPress-specific rules I describe on this page, you can secure your site and block attacks before they even reach your web host's server. now you can pass anyone if you are using it somehow