Here are some security measures that can be taken simply by including the settings in HTACCESS.


What is HTACCESS?

This is a file in the WordPress installation folder that holds settings for the web server (Apache). WordPress uses it to set up permalinks, but server settings that act as security measures can also be written in it.

You can access the server with FTP software, download it, edit it, and re-upload it to adapt the settings.

Prohibit the display of Index listings

Index list is a server function that automatically outputs a list of files contained in a folder when accessed with a browser if there is no index.php or index.html in the folder.

This list can be picked up by search engines, which can lead to vulnerable plugin folders in search results, or be useful for hackers to find out what kind of files are on the server.

Add the following line to the HTACCESS file:

IndexIgnore *

Disable output of author information

WordPress has a feature that displays the user name and other information of user number 1 (the administrator) when the site is accessed with ?author=1 appended to the site domain.
On sites that allow membership registration, accessing the site with other values in place of 1 will expose the IDs of the various registered users in the same way.

To prevent this, the following configuration is used to block the author= string if it is included in the URL.

<IfModule mod_rewrite.c>
RewriteEngine On
# author archive pages such as /author/admin/ answer 404
RewriteRule ^author/(.*) - [R=404,L]
# a request to the site root carrying author= in the query string answers 404
RewriteCond %{QUERY_STRING} author=(.*)
RewriteRule ^$ - [R=404,L]
</IfModule>

Disable execution of PHP programs in the Upload folder

The wp-content/uploads folder is primarily a folder that holds data for images embedded in content.

Unauthorized tampering (backdoors) or malware can place malicious PHP programs in the wp-content/uploads folder. External access to such programs should be prohibited.

The following is a setting to disallow external access only to files in the wp-content/uploads folder and with the php extension.

<IfModule mod_rewrite.c>
RewriteEngine On
# any request whose path contains wp-content/uploads/ and ".php" is refused (403)
RewriteRule ^.*wp-content/uploads/.*\.php.*$ - [F,L]
</IfModule>

Disallow direct access to PHP programs in the wp-includes folder

The wp-includes folder contains the group of programs that WordPress itself loads to provide its various functions.

The php files in this folder are not directly accessed from the outside, so you can prohibit direct access to them from the outside.

This makes it possible to prevent subsequent hacker activity even if some malware (backdoor) is embedded in the wp-includes folder, or to prevent another hacker from taking advantage of this backdoor.

<IfModule mod_rewrite.c>
RewriteEngine On
# helper scripts of the admin area are never requested directly
RewriteRule ^.*wp-admin/includes/ - [F,L]
# requests outside wp-includes/ skip the next three rules
RewriteRule !^.*wp-includes/ - [S=3]
# PHP files directly under wp-includes/ (note: on WordPress Multisite this also blocks ms-files.php)
RewriteRule ^.*wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^.*wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^.*wp-includes/theme-compat/ - [F,L]
</IfModule>

Suppress comment spam

If you receive a large number of spam comments in the comments section of WordPress, you can suppress the spam comments by simply adding the following to HTACCESS.

Comment spam is written mechanically by hackers using programs on a very large number of sites. With the following HTACCESS settings, comment posting is blocked for:
・Accesses that call the comment-writing program (wp-comments-post.php) directly, without coming from a page on your own site, or
・Accesses with missing browser type and version information (an empty User-Agent).

Replace “your site’s domain” with your site’s domain.

<IfModule mod_rewrite.c>
RewriteEngine On
# only POST requests to the comment-writing program are examined
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
# the referrer is not this site (replace your-site-domain) ...
RewriteCond %{HTTP_REFERER} !^.*://your-site-domain [NC,OR]
# ... or no User-Agent header was sent at all
RewriteCond %{HTTP_USER_AGENT} ^$
# send the request away (an absolute URL to another host is an external 302 redirect)
RewriteRule .* http://127.0.0.1 [L]
</IfModule>

In addition, comments can be refused from users who access the site through a proxy server, a mechanism that hides the source of their access.
The HTACCESS setting below blocks the posting of a comment whenever the request carries header information that is specific to proxy servers.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST
# any of the headers a proxy typically adds (names written as they appear on the wire)
RewriteCond %{HTTP:Via} !^$ [OR]
RewriteCond %{HTTP:Forwarded} !^$ [OR]
RewriteCond %{HTTP:Useragent-Via} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-Host} !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection} !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr} !^$ [OR]
RewriteCond %{HTTP:Client-IP} !^$
# caveat: behind a CDN, load balancer or reverse proxy every request carries
# X-Forwarded-For, so this block would then refuse all comments
RewriteRule wp-comments-post\.php - [F]
</IfModule>
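To confirm that the rules from the sections above really take effect after uploading the file, the following script (an added example, not code from the original article or the plugin it mentions) sends a few harmless requests to your own site and compares the status codes with what each rule should return. The BASE_URL value and the probe paths are placeholders and assumptions; the comment rule is expected to answer 302 because an absolute URL to another host in a RewriteRule is an external redirect.

```python
"""Check that the HTACCESS hardening rules take effect on your own site."""
import urllib.error
import urllib.request

BASE_URL = "https://your-site-domain"  # placeholder: replace with your own site

# (name, method, path, extra headers, status codes the rule should produce)
PROBES = [
    ("?author=1 query blocked", "GET", "/?author=1", {}, {404}),
    ("/author/ archive blocked", "GET", "/author/admin/", {}, {404}),
    ("PHP under uploads refused", "GET", "/wp-content/uploads/x.php", {}, {403}),
    ("wp-includes PHP refused", "GET", "/wp-includes/version.php", {}, {403}),
    # the comment rule redirects (302) when the User-Agent header is empty
    ("comment POST w/o User-Agent", "POST", "/wp-comments-post.php",
     {"User-Agent": ""}, {302}),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx answer as the result instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(method, url, headers):
    """Return the HTTP status code of one request (redirects are not followed)."""
    opener = urllib.request.build_opener(_NoRedirect)
    data = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url, fetch=http_status):
    """Run every probe; return [(name, expected, got, ok)] for each rule."""
    results = []
    for name, method, path, headers, expected in PROBES:
        got = fetch(method, base_url.rstrip("/") + path, headers)
        results.append((name, expected, got, got in expected))
    return results


if __name__ == "__main__":
    for name, expected, got, ok in run_probes(BASE_URL):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: expected {sorted(expected)}, got {got}")
```

A FAIL line means the corresponding block was not applied, is ordered after WordPress's own rewrite rules, or mod_rewrite is not enabled on the server.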

*All of the settings here can be easily exported to HTACCESS from the WordPress admin page by using [Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal].