How can you protect your WordPress installation? Here are some best practices to protect against attackers. It's not rocket science.
Filter name: sensitive-files
Insert the following code in your .htaccess file:
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
order deny,allow
deny from all
</FilesMatch>
This code prohibits access to the WordPress configuration files and to sensitive system files such as .htaccess, .htpasswd, .ssh and others.
If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
<FilesMatch "(repair|wp-mail)\.php">
order deny,allow
deny from all
</FilesMatch>
Putting it all together:
<FilesMatch "(^\.|(repair|wp-mail|wp-config(-sample)*)\.php)">
order deny,allow
deny from all
</FilesMatch>
Prevent browsers and search engines from requesting .log (e.g. the WP_DEBUG log) and .txt (e.g. plugin readme) files. This block must be placed in /wp-content/.htaccess:
<FilesMatch "\.(log|txt)$">
order deny,allow
deny from all
</FilesMatch>
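To see which request paths the combined sensitive-files rule and the .log/.txt rule actually cover, here is an added Python check (not code from the original post) that replays the two regexes the way Apache applies them: against the last path component only, unanchored and case-sensitive. The sample paths are constructed; the .htaccess directory scoping (the .txt rule only applying below /wp-content/) is not modelled.

```python
import posixpath
import re

# The two <FilesMatch> patterns from the post, copied verbatim.
SENSITIVE_FILES = r"(^\.|(repair|wp-mail|wp-config(-sample)*)\.php)"
LOG_AND_TXT = r"\.(log|txt)$"


def is_denied(request_path: str, pattern: str = SENSITIVE_FILES) -> bool:
    """Return True if the FilesMatch rule would deny this request path.

    Apache evaluates <FilesMatch> against the last path component only,
    with an unanchored, case-sensitive regex search; re.search on the
    basename reproduces exactly that.
    """
    basename = posixpath.basename(request_path)
    return re.search(pattern, basename) is not None


def partition(paths, pattern=SENSITIVE_FILES):
    """Split request paths into (denied, served) under one pattern."""
    denied = [p for p in paths if is_denied(p, pattern)]
    served = [p for p in paths if not is_denied(p, pattern)]
    return denied, served


# Constructed sample of request paths against a WordPress document root.
SAMPLE_PATHS = [
    "/.htaccess", "/.htpasswd", "/.ssh",
    "/wp-config.php", "/wp-config-sample.php",
    "/wp-config.php.bak",             # unanchored regex also catches backup copies
    "/wp-admin/maint/repair.php",     # rule in the root .htaccess applies below it
    "/wp-mail.php",
    "/index.php", "/wp-login.php", "/readme.html",
    "/.ssh/id_rsa",                   # basename is id_rsa: NOT matched by ^\.
]

if __name__ == "__main__":
    denied, served = partition(SAMPLE_PATHS)
    print("denied:", denied)
    print("served:", served)
    print("debug.log under the .txt/.log rule:",
          is_denied("/wp-content/debug.log", LOG_AND_TXT))
```

Note that /.ssh/id_rsa ends up in the served list: FilesMatch only sees the basename, so files inside a dot-directory need a separate path-based rule (e.g. mod_alias RedirectMatch), which the post does not cover.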
Filter name: wp-login
If possible, set up access protection for the WordPress login page. Create a .htpasswd file (an htpasswd generator will help you) and paste this code snippet in your .htaccess file:
<Files wp-login.php>
AuthName "Welcome to admin area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
</Files>
Secure your admin area or, better, the complete WordPress site with HTTPS. Thanks to Let's Encrypt, HTTPS is now really easy. Ask your hoster.
Filter name: fpd-vulnerability
A Full Path Disclosure (FPD) vulnerability lets an attacker learn the file system path of your installation from PHP error messages. To turn the display of errors off, add the following snippet to the .htaccess file:
<IfModule mod_php5.c>
php_flag display_errors off
</IfModule>
Change mod_php5.c to mod_php7.c if PHP 7 is installed on your server.
Filter name: directory-listing
Depending on the Apache configuration, your visitors can get a directory listing of all the files in a folder. To prevent this, add the following line to your .htaccess file:
Options -Indexes