From 48920df13ebd53bc931efea81eda5fbca1811337 Mon Sep 17 00:00:00 2001
From: sesn
Date: Thu, 6 Dec 2018 00:21:04 +0530
Subject: [PATCH] added first updates

---
 .gitignore | 1 +
 README.md | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..496ee2c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
\ No newline at end of file
diff --git a/README.md b/README.md
index c513306..eea8aea 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,98 @@ # Wordpress-Security-Checklist + Go Live Security List + +## 1. Protect .htaccess + +```htaccess + + order allow,deny + deny from all + satisfy all + +``` + +## 2. Protect wp-config.php + +```htaccess + + order allow,deny + deny from all + +``` + +## 3. Protect /wp-contents/ + +This htaccess file needs to present inside `wp-content` folder + +```apacheconf + Order deny,allow +   Deny from all +    +   Allow from all +    +``` + +## 4. Protect Include-Only files + +```apacheconf + + RewriteEngine On + RewriteBase / + RewriteRule ^wp-admin/includes/ - [F,L] + RewriteRule !^wp-includes/ - [S=3] + RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] + RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] + RewriteRule ^wp-includes/theme-compat/ - [F,L] + +``` + +## 5. Directory Browsing + +```apacheconf + # disabling directory browsing + Options All -Indexes +``` + +## 6. Disable File Edit + +```php + define('DISALLOW_FILE_EDIT',true); +``` + +## 7. Disabling REST API for external requests + +```php +function restrict_rest_api_to_localhost() { + $whitelist = array('127.0.0.1', "::1"); + + if(!in_array($_SERVER['REMOTE_ADDR'], $whitelist)){ + die('REST API is disabled.'); + } +} +add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 1 ); +``` + +## 8. Disabling REST API using htaccess + +```apacheconf + # WP REST API BLOCK JSON REQUESTS + # Block/Forbid Requests to: /wp-json/wp/ + # WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE + RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC] + RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC] + RewriteRule ^(.*)$ - [F] +``` + +Pointing REST API to 404 page + +```apacheconf +# WP REST API BLOCK JSON REQUESTS +# Redirect to a 404.html (you may want to add a 404 header!) +RewriteRule ^wp-json.*$ 404.html +``` + +## Credits + +- https://www.cloudways.com/blog/protect-wordpress-with-htaccess/ +- stackoverflow \ No newline at end of file
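Review bot: Section 7's `restrict_rest_api_to_localhost` calls `die('REST API is disabled.')` from `rest_api_init`, which answers with HTTP 200 and a plain-text body instead of a 401/403, and behind a reverse proxy or CDN `$_SERVER['REMOTE_ADDR']` holds the proxy's address, so the whitelist either blocks every caller or, if the proxy sits on localhost, nobody at all. The section 8 rules only match URIs containing `wp-json/wp/`, so other REST namespaces and the `?rest_route=/wp/v2/...` query-string form are not covered, and `RewriteRule ^wp-json.*$ 404.html` serves that page with a 200 status, as the snippet's own comment concedes. The WordPress-supported way to gate the API is the `rest_authentication_errors` filter returning a `WP_Error` with an explicit status, as sketched below; it presumably also affects wp-admin features that call the API for logged-in users, so verify the editor still works before shipping. Separately, as rendered here sections 1–3 show bare `deny from all` / `Allow from all` directives with no `<Files>` or `<FilesMatch>` container; if those tags were lost in rendering they must be restored, since a bare `deny from all` in the root `.htaccess` blocks the entire site, and `order`/`deny from` are Apache 2.2 (mod_access_compat) syntax — on Apache 2.4 prefer `Require all denied`.

```php
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision already made by an earlier authentication handler.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'REST API restricted.', array( 'status' => 401 ) );
    }
    return $result;
} );
```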