
Securing wordpress without plugins

Discussion in 'Blogging' started by Capo Dei Capi, Apr 15, 2015.

  1. Capo Dei Capi

    Capo Dei Capi BANNED BANNED

    Joined:
    Oct 23, 2014
    Messages:
    754
    Likes Received:
    1,732
    I've been doing some research into WordPress security and I think I found one of the best ways to secure a WordPress site without using plugins like Wordfence or Limit Login Attempts, since they can use resources on a site.

    The following, from two sites I found, seems to work together to make a really secure WordPress site without using any resource-hogging plugin, if used with a really strong secret admin name and password.


    Code:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    
    # Refuse wp-login.php unless the browser sends the secret cookie.
    # Change the cookie name and value before use; 12345 is only a placeholder.
    # [F] returns 403 directly, so no 403.html file is needed.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_COOKIE} !^.*secure\-dlm\-cookie=12345.*$ [NC]
    RewriteRule wp-login\.php - [NC,F,L]
    </IfModule>
    
    # Block direct requests to PHP files in wp-includes (and wp-admin/includes)
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # skip the next 3 rules for anything outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
    
    # Deny access to every file type except the ones listed.
    # php and html must be in the list: without them index.php, wp-login.php
    # and every wp-admin page answer 403 and the site stops working.
    # The font and icon types are needed by most themes.
    # The dot is escaped so the pattern matches an extension, not any character.
    Order deny,allow
    Deny from all
    <Files ~ "\.(php|html?|xml|css|js|jpe?g|png|gif|svg|ico|woff2?|ttf|eot|pdf|docx|rtf|odf|zip|rar)$">
    Allow from all
    </Files>
    
    # These two blocks must come AFTER the allow-list above: when several
    # <Files> sections match one file, the later section's access rules win,
    # so a wp-config.php deny placed before the php allow would be overridden.
    
    # Deny access to wp-config.php file
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>
    
    # Deny access to all .htaccess / .htpasswd files
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    Order allow,deny
    Deny from all
    Satisfy all
    </Files>
    
    # Disable directory browsing
    # ("Options All -Indexes" causes a 500 error on hosts whose AllowOverride
    # does not permit setting all options; "-Indexes" alone is enough)
    Options -Indexes
    
    Sources:
    http://www.wpexplorer.com/htaccess-wordpress-security/
    http://diegolamonica.info/secure-your-wordpress-login-without-freeze-your-server-with-additional-plugins/

    I personally think that using a security token is a better option than doing an IP restriction, since your IP may change over time, but if you have a static IP, such as a private VPN, then that may be a better option. As for the admin login, I find that using a 36-character name <AZ><az> and a 40-character password <AZ><az><09><symbols>, while using a different nickname to display to the public, will pretty much prevent a brute-force attack.
     
    Last edited: Apr 15, 2015
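The snippet in the post checks for the gate cookie but never sets it, so the browser has to get the cookie from somewhere. The following is an added example, not code from the post or from either linked article, showing the complete mechanism with mod_rewrite's CO (cookie) flag: a secret URL sets the cookie and bounces to the login page, and wp-login.php is refused without it. The secret path /open-sesame-7f3a, the cookie name wp_door, its value 9d4e2c1b8a7f, the domain example.com and the assumption that the site is served over HTTPS (the cookie is set with the secure flag) are all placeholders to be replaced.

```apache
# Added example (not from the original post or the linked articles).
# Assumptions to replace before use: secret path /open-sesame-7f3a,
# cookie name wp_door with value 9d4e2c1b8a7f, domain example.com,
# site served over HTTPS. Place this in the site-root .htaccess above
# the "# BEGIN WordPress" block so it runs before the front-controller rule.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# 1. Visiting the secret path sets the gate cookie and redirects to the
#    login form. CO=name:value:domain:lifetime-in-minutes:path:secure:httponly
#    (1440 minutes = 24 hours). Nothing on the site should link to this path.
RewriteRule ^open-sesame-7f3a/?$ /wp-login.php [CO=wp_door:9d4e2c1b8a7f:.example.com:1440:/:secure:HttpOnly,R=302,L]

# 2. Any request for wp-login.php without exactly that cookie gets 403.
#    The (^|;\s*) ... (;|$) anchors match a whole cookie name=value pair,
#    so a cookie such as xwp_door=9d4e2c1b8a7f does not open the gate.
RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC]
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wp_door=9d4e2c1b8a7f(;|$)
RewriteRule . - [F,L]

# 3. xmlrpc.php accepts username/password too and is not covered by the
#    wp-login.php gate; refuse it unless something (e.g. Jetpack) needs it.
RewriteRule ^xmlrpc\.php$ - [F,L]
</IfModule>
```

After saving, open https://example.com/open-sesame-7f3a once in the browser you log in from; it should land on the login form, and the same URL opened in a private window (no cookie) should return 403 for /wp-login.php. The cookie value is effectively a second password, so pick it with the same care as the admin password and rotate it by editing the two places it appears.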
  2. CyberAlien

    CyberAlien Regular Member

    Joined:
    Apr 14, 2010
    Messages:
    498
    Likes Received:
    237
    It looks to me like that just protects the admin area, which doesn't take into account stuff like SQL exploits. Keeping someone out of the admin area doesn't matter if they get direct access to the database ;)
     
  3. Manny

    Manny Registered Member

    Joined:
    Jun 1, 2008
    Messages:
    97
    Likes Received:
    7
    CyberAlien is correct. Gonna need more. Good share though!
     
  4. Capo Dei Capi

    Capo Dei Capi BANNED BANNED

    Joined:
    Oct 23, 2014
    Messages:
    754
    Likes Received:
    1,732
    So doing 4,6,7,14 from the following guide will complete the security without a plugin?

    http://www.mastermindblogger.com/14-ways-to-prevent-your-wordpress-blog-from-being-hacked/
     
  5. creationsd

    creationsd Newbie

    Joined:
    Nov 23, 2015
    Messages:
    5
    Likes Received:
    0
    The article you quoted may be a little bit old; this one is quite a bit fresher than that one.

    <can't link> run a google search for "prevent wordpress hacking" and look for DART Creations.

    Really and truly, you will need some security plugins to make sure you don't leave any vulnerabilities on your WordPress site. This is because these plugins focus on rooting out any known vulnerabilities. If your site becomes popular, you're going to run into hundreds of daily crawlers searching for vulnerabilities. A security plugin will make sure these are catered for.

    A good hosting server which proactively blocks 0-day vulnerabilities is also a good idea. Make sure you're not on the cheapest host around, one that doesn't give a damn whether the sites hosted on its servers are hacked to kingdom come. Look around for a good host which specifically focuses on this type of security, because a nasty 0-day hack will bite you really hard.