Here are some security measures that can be taken simply by including the settings in HTACCESS.


What is HTACCESS?

This is a file in the WordPress installation folder that writes the server settings. In WordPress it is used to set permalinks, but it can also be used to write server settings as a security measure.

You can access the server with FTP software, download it, edit it, and re-upload it to adapt the settings.

Prohibit the display of Index listings

Index list is a server function that automatically outputs a list of files contained in a folder when accessed with a browser if there is no index.php or index.html in the folder.

This list can be picked up by search engines, which can lead to vulnerable plugin folders in search results, or be useful for hackers to find out what kind of files are on the server.

Add the following line to the ↓HTACCESS file

IndexIgnore *

Disable output of author information

WordPress has a theme that displays the user name and other information of user number 1 (administrator) when accessed by appending ?author=1 in addition to the site domain.
For sites that allow membership registration, accessing the site with different values above will expose the IDs of various logged-in users.

To prevent this, the following configuration is used to block the author= string if it is included in the URL.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^author/(.*) - [R=404,L]
RewriteCond %{QUERY_STRING} author=(.*)
RewriteRule ^$ - [R=404,L]
</IfModule>

Disable execution of PHP programs in the Upload folder

The wp-content/uploads folder is primarily a folder that holds data for images embedded in content.

Unauthorized tampering (backdoors) or malware can write malicious PHP programs in the wp-content/upload folder. Prohibit external access to this program.

The following is a setting to disallow external access only to files in the wp-content/uploads folder and with the php extension.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^.*wp-content/uploads/.*\.php.*$ - [F,L].
</IfModule>

Disallow direct access to PHP programs in the wp-include folder

The wp-include folder is a folder that contains a group of programs used by programs to load various WordPress functions.

The php files in this folder are not directly accessed from the outside, so you can prohibit direct access to them from the outside.

This makes it possible to prevent subsequent hacker activity even if some malware (backdoor) is embedded in the wp-includes folder, or to prevent another hacker from taking advantage of this backdoor.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^.*wp-admin/includes/ - [F,L].
RewriteRule ! ^.*wp-includes/ - [S=3].
RewriteRule ^.*wp-includes/[^/] \.php$ - [F,L]
RewriteRule ^.*wp-includes/js/tinymce/langs/. \.php - [F,L]
RewriteRule ^.*wp-includes/theme-compat/ - [F,L].
</IfModule>

Suppress comment spam

If you receive a large number of spam comments in the comments section of WordPress, you can suppress the spam comments by simply adding the following to HTACCESS.

Comment spam is written mechanically by hackers using programs on a very large number of sites. With the following HTACCESS settings,
Access to comment writing programs.
Access to the comment writing program, and
Accessors that are missing browser type and version information.

or ・Accesses with missing browser type or version information.

Replace “your site’s domain” with your site’s domain.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_REFERER} ! (^.*\⌘:⌘/your-site-domain) [NC,OR].
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://127.0.0.1 [L]
</IfModule>

In addition, we also prohibit comments from being posted by users who use a proxy server, which is a mechanism for accessing the site through a proxy server and hiding the source of their access.
The HTACCESS setting below is a setting that blocks comments from being posted when information specific to the proxy server is included in the accessor.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST
RewriteCond %{HTTP:VIA} ! ^$ [OR].
RewriteCond %{HTTP:FORWARDED} ! ^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} ! ^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} ! ^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_HOST} ! ^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} ! ^$ [OR].
RewriteCond %{HTTP:XPROXY_CONNECTION} ! ^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} ! ^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} ! ^$
RewriteRule wp-comments-post\.php - [F].
</IfModule>

*All settings here are
Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
You can easily export to HTACCESS from the WordPress admin page by using

Related Posts:

  1. WordPress security, prevent SQL injection with HTACCESS
    We will explain how to prevent SQL injection to improve WordPress security....
  2. What to do for your site users when WordPress is hacked, tampered with, or hijacked.
    This page explains how to respond to users (those who use the site) when there is a possibility of damage to users who visit the site, such as being redirected to another site, being sent to a sweepstakes site, or downloading malicious files due to WordPress tampering. This page explains how to respond to users (those who use the site)...
  3. How to prevent spam comment posting by robots from HTACCESS files
    Comment spam (invalid string parties or links written in comments) is a very annoying problem if you have the comment function enabled in WordPress. In this article, we will explain how to prevent spam written via robots (which automatically write comments) from HTACCESS files....
  4. What to do if you can no longer rewrite or delete HTACCESS due to wordpress tampering
    Here is what to do when you can no longer rewrite or delete HTACCESS due to WordPress malware infection (tampering)....
  5. HTACCESS and Index.php files tampered with again in an instant in WordPress
    We would like to introduce a case of WordPress tampering in which the HTACCESS and Index.php files were instantly tampered with again, even after the malware was removed. Tampering that resurfaces even after deleting and deleting This malware is a backdoor that is planted in other websites on the server. Each time the site is accessed, the malware examines the...
  6. How to find hidden malware (tampering) in WordPress
    If WordPress redirects you to a different site or disables some features of the administration panel, you may have been infected with malware. In this case, if the malware has been removed and the site keeps re-infecting itself, it is possible that a backdoor, or malicious program, remains somewhere on the site....