Day 22: 7 Code Snippets to Improve WordPress Security


There are many different ways to improve WordPress Security and we’ve talked about some of them. Here are some WordPress code snippets that will help improve your WordPress website’s security.

Prevent the Login Info From Being Displayed

Place the following in your WordPress theme’s functions.php file to stop the login form from displaying its error messages. By default those messages reveal whether it was the username or the password that was wrong, which tells a visitor which usernames exist.

// The original used create_function(), which was removed in PHP 8; an
// anonymous function does the same job. Returning null blanks the message.
add_filter('login_errors', function () { return null; });

Keep Directories from Being Browsable with .htaccess

Most website directories are browsable by default, which is a very useful feature for many websites. But for a WordPress website, this can allow hackers to poke around and find potential vulnerabilities in your WordPress install.

Add the following to your site’s .htaccess. The .htaccess file is a hidden file, and your FTP client likely won’t show hidden files by default, so be sure to enable viewing hidden files. And be careful – breaking your .htaccess file will break your website. It is a good idea to back up your previous .htaccess file so you can restore it in case you break your website.

# Keep every other option but turn off automatic directory listings
Options All -Indexes

Use .htaccess to Protect the wp-config File

Your WordPress install’s wp-config.php file contains extremely sensitive information, including your database credentials. This .htaccess block tells Apache to refuse any direct HTTP request for the file, so its contents, and with them your WordPress database, stay out of an attacker’s reach.

<files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 replace the next two lines with: Require all denied
order allow,deny
deny from all
</files>

Hide the WordPress Version

We’ve talked about The Correct Way to Remove the WordPress Version to Increase Security and it’s extremely simple. Just add the following to your WordPress theme’s functions.php file.

// Return an empty string so the <meta name="generator"> tag, which carries the
// WordPress version number, is left out of the page head and feeds.
function remove_wp_version() { return ''; }
add_filter('the_generator', 'remove_wp_version');

Perishable Press’ .htaccess 5G Blacklist 2012

The 5G Blacklist helps reduce the number of malicious URL requests that hit your website.

The 5G Blacklist is a simple, flexible blacklist that checks all URI requests against a series of carefully constructed htaccess directives.

The 5G works beautifully with WordPress, and should help any site conserve bandwidth and server resources while protecting against malicious activity.

Perishable Press’ 5G Blacklist 2012

Protect Your WordPress Blog from Script Injections

# mod_rewrite in .htaccess needs FollowSymLinks enabled
Options +FollowSymLinks
RewriteEngine On
# Query string carries a <script ...> tag (raw or URL-encoded, case-insensitive)...
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# ...or tries to set the PHP GLOBALS / _REQUEST superglobals
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any match answers 403 Forbidden ([F]) and stops rewriting ([L])
RewriteRule ^(.*)$ index.php [F,L]
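To see which requests those three conditions actually stop, here is an added Python replay of the rule over a few constructed access-log lines (example code written for this article, not part of the original post; the log entries, addresses and function names are made up for illustration):

```python
import re

# Port of the three RewriteCond lines above. mod_rewrite tests the raw
# QUERY_STRING with no percent-decoding, hence both "<" and "%3C" in the
# pattern. [NC] becomes re.IGNORECASE; the GLOBALS/_REQUEST conditions carry
# no [NC] in the original, so they stay case-sensitive here as well.
SCRIPT_INJECTION_CONDS = (
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),  # [NC,OR]
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),             # [OR]
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
)
# Request line of an Apache combined-format log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def would_forbid(query_string: str) -> bool:
    """True when the [F] flag would turn the request into a 403 (OR chain)."""
    return any(cond.search(query_string) for cond in SCRIPT_INJECTION_CONDS)


def replay_access_log(log_text: str) -> list:
    """Replay log entries against the rule and return (target, outcome) pairs.

    Only the query string is inspected, because %{QUERY_STRING} is all the
    rule looks at: the path and any POST body are never examined.
    """
    results = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # skip truncated or otherwise malformed entries
        target = m.group("target")
        _, _, query = target.partition("?")
        outcome = "403 forbidden" if would_forbid(query) else "passed to WordPress"
        results.append((target, outcome))
    return results


# Constructed sample log lines (hypothetical traffic, RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2012:10:00:01 +0000] "GET /?p=123 HTTP/1.1" 200 5123
203.0.113.11 - - [22/Jan/2012:10:00:02 +0000] "GET /?s=javascript+tips HTTP/1.1" 200 4870
203.0.113.12 - - [22/Jan/2012:10:00:03 +0000] "GET /?s=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 403 199
203.0.113.13 - - [22/Jan/2012:10:00:04 +0000] "GET /index.php?GLOBALS[a]=1 HTTP/1.1" 403 199
203.0.113.14 - - [22/Jan/2012:10:00:05 +0000] "GET /index.php?_REQUEST%5Bx%5D=1 HTTP/1.1" 403 199
"""

if __name__ == "__main__":
    for target, outcome in replay_access_log(SAMPLE_LOG):
        print(f"{outcome:20}  {target}")
```

The second line shows the rule's precision: a search for "javascript" passes because the pattern needs an angle bracket on each side of "script".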

Help Prevent “Content Scrapers”

It is common for other people to steal your content and post it on their own blog. Most of the time they’ll even hotlink your own images, sapping your bandwidth. This .htaccess snippet will serve them an image of your choosing instead, calling them out as thieves and saving your bandwidth.

RewriteEngine On
# Replace mysite\.com with your own domain; https? also accepts HTTPS referrers
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the "don't hotlink" image itself, or the rule would loop on it
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with the path of your "don't hotlink" image
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]

Make sure to replace “mysite” with your website’s domain and “/images/nohotlink.jpg” with the path of your image.

31 Days to a Better WordPress Blog

This post is a part of the 31 Days to a Better WordPress Blog series. Be sure to subscribe via RSS, follow on Twitter, follow on Facebook, or circle us on Google+ to keep up with wpLifeGuard’s latest WordPress and blogging tips and tricks.
