WordPress hardening

Change location of wp-config.php file

Rename wp-config.php and move it to a different location, then create a new wp-config.php in the WP root folder. Content of the new wp-config.php file:

<?php
// Absolute path to the renamed and moved configuration file (example path, adjust to your server)
include_once ('/direct/path/to/your/domain/folder/my_folder/pigeons.php');

Disallow file editing in wp-config.php

define('DISALLOW_FILE_EDIT', true);

Disable directory indexing and browsing

Add the following line to the top of root .htaccess file:

Options -Indexes

Disable WordPress XML-RPC with .htaccess

If you don't use a mobile app or another remote connection to publish posts, disable XML-RPC in the root .htaccess file by adding the following code:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Disable script injections

Add the following code above the # BEGIN WordPress line in the root .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Query string carries a <script ...> tag, URL-encoded or not (case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(>|%3E) [NC,OR]
# Query string tries to set the PHP GLOBALS or _REQUEST superglobals
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any match: answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ index.php [F,L]
</IfModule>

Disable PHP file execution in certain WordPress directories

Create a .htaccess file in the directory (e.g. /wp-content/uploads/) with the following content:

<Files *.php>
deny from all
</Files>

Change files and folders access permissions

WordPress recommends the following settings:

755 or 750 for directories
644 or 640 for files
600 for wp-config.php (also the moved one)

Password protect your WordPress admin (wp-admin) directory

Log in to your hosting control panel and open its file manager (FTP explorer). There you can add password protection to the wp-admin folder.

Recommended plugins

What they do: enable two-factor authentication (2FA), enforce the SSL protocol, remove e.g. the WP version from <head>, change the login URL and limit login attempts.

  1. Google Authenticator
  2. Really Simple SSL
  3. Meta Generator and Version Info Remover
  4. WPS Hide Login
  5. WPS Limit Login
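An audit script for the checklist above, added here as an example (not WordPress code and not part of the original page): it verifies the file and directory permissions, the 600 mode and DISALLOW_FILE_EDIT in wp-config.php (following the include_once stub if the config was moved), the root .htaccess items and the PHP block in wp-content/uploads. It assumes GNU find (-perm /mode), paths without spaces, and the WordPress root given as the first argument (run as: sh wp_audit.sh /path/to/wordpress).

```shell
# wp_audit.sh (added example, not WordPress code): audit a WP root against the items on this page.
# Assumes GNU find (-perm /mode) and paths without spaces; exit status = number of failed checks.
# wp-config.php plus the moved config it include_once()s, if the stub from above is in use.
config_files() {
    echo "$1/wp-config.php"
    sed -n "s/.*include_once *('\([^']*\)').*/\1/p" "$1/wp-config.php" 2>/dev/null
}
# Files no more permissive than 644 (no 0133 bits), directories no more than 755 (no 022 bits).
check_perms() {
    bad=$(find "$1" -type f -perm /133 -o -type d -perm /022)
    [ -z "$bad" ] && return 0
    printf 'too permissive:\n%s\n' "$bad"; return 1
}
# wp-config.php and the moved copy must be 600 (no 0177 bits).
check_config_mode() {
    rc=0
    for f in $(config_files "$1"); do
        [ -z "$(find "$f" -perm /177 2>/dev/null)" ] || { echo "$f is not mode 600"; rc=1; }
    done
    return $rc
}
# DISALLOW_FILE_EDIT must be defined true in wp-config.php or the moved copy.
check_file_edit() {
    for f in $(config_files "$1"); do
        grep -qE "define *\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$f" 2>/dev/null && return 0
    done
    echo "DISALLOW_FILE_EDIT not set"; return 1
}
# Root .htaccess must disable indexing, block xmlrpc.php and carry the query-string rules.
check_htaccess() {
    rc=0
    for needle in 'Options -Indexes' '<Files xmlrpc.php>' 'RewriteCond %{QUERY_STRING}'; do
        grep -qF -e "$needle" "$1/.htaccess" 2>/dev/null || { echo ".htaccess lacks: $needle"; rc=1; }
    done
    return $rc
}
# uploads/.htaccess must deny *.php (Apache 2.2 "deny from all" or 2.4 "Require all denied").
check_uploads() {
    up=$1/wp-content/uploads/.htaccess
    grep -qF '<Files *.php>' "$up" 2>/dev/null && grep -qiE 'deny from all|Require all denied' "$up" && return 0
    echo "PHP execution not blocked in wp-content/uploads"; return 1
}
wp_audit() {
    fails=0
    for chk in check_perms check_config_mode check_file_edit check_htaccess check_uploads; do
        if "$chk" "$1"; then echo "PASS $chk"; else echo "FAIL $chk"; fails=$((fails + 1)); fi
    done
    return $fails
}
if [ -n "${1-}" ]; then wp_audit "$1"; fi
```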