Locking down WordPress

From Thom's wiki
Jump to navigation Jump to search

Secure your site using SSL

Secure your site using SSL Part II

If you are able to access the Apache (virtual)host configuration, you can harden the security of your site even more.


After the ServerName and optional ServerAlias section add the following line:

 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

This "Strict-Transport-Security" makes sure that you and others are unable to access your site if your SSL certificate is invalid.


 SSLEngine on
 SSLProtocol             all -SSLv3 -TLSv1
 SSLCipherSuite          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 SSLHonorCipherOrder     on




Disable access to /wp-admin/

Disable access to /wp-admin/ via Apache config

This is the preferred way if you have complete control over your webserver.


Disable access to /wp-admin/ via .htaccess

In your root directory add the following to your .htaccess file


Disable access to XML-RPC

Disable access to XML-RPC via .htaccess

In your root directory add the following to your .htaccess file

 # Block WordPress xmlrpc.php requests
 <Files xmlrpc.php>
   order deny,allow
   deny from all
   allow from x.x.x.x
 </Files>

The "allow from" line is optional. This is the way to have trusted IP addresses access your site via XML-RPC.