Securing WordPress


System Administration

File Permissions

The default permission scheme should be:

  • Folders 755
  • Files 644

Avoid having any file or directory set to 777. 777 means readable, writable and executable by every account on the host, so any other local user, or the compromised PHP process of another site on a shared server, can modify it. Usually only cache directories need to be writable by the web server, and that is better done by giving them to the user or group the PHP process runs as than by opening them to the world.

Via the command line you can run the following commands to change permissions recursively:

```sh
# For directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

# For files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
```

Secured file permissions for specific files

Set these on the sensitive files. The listing is the one from the WordPress Codex hardening page; the cgi-bin paths show it is written for a setup where PHP runs as CGI under the site user's own account:

600 -rw-------  /home/user/wp-config.php
604 -rw----r--  /home/user/cgi-bin/.htaccess
600 -rw-------  /home/user/cgi-bin/php.ini
711 -rwx--x--x  /home/user/cgi-bin/php.cgi
100 ---x------  /home/user/cgi-bin/php5.cgi

Two caveats before applying them. The 600 on wp-config.php only works when the PHP process runs as the file's owner (suPHP, suEXEC, or a php-fpm pool running as the site user); with mod_php or a shared www-data worker and files owned by the site user, PHP can no longer read its own config and the site goes down, so either use 640 with the PHP process's group or make the PHP user the owner. The .htaccess keeps "other" read (604) because Apache itself, not PHP, has to read it.

Run these from the site root to set them. Re-check the paths of the php/cgi files first: chmod on a path that does not exist fails, and the listing above puts .htaccess under cgi-bin while the commands target the one in the site root, so adjust to your layout.

```sh
chmod 604 .htaccess
chmod 600 wp-config.php
chmod 600 php.ini cgi-bin/php.ini
chmod 711 cgi-bin/php.cgi
chmod 100 cgi-bin/php5.cgi
```
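The two steps above (the recursive default scheme and the per-file tightening) combined into one script, with an audit before and a check after. This is an added example, not code from the notes or from the WordPress Codex. It assumes a POSIX userland (find, chmod, mktemp) and that the tree is owned by the account PHP runs as (otherwise the 600 on wp-config.php locks PHP out of its own config); the demo tree at the bottom is constructed by the script and is not a real install.

```sh
#!/bin/sh
# Added example, not part of the original notes: audit and apply the
# WordPress permission scheme on one tree, then verify it.
# Assumes a POSIX userland with find(1), chmod(1) and mktemp(1). The demo
# tree built at the bottom is constructed here and is not a real install.

# List every entry under $1 that is writable by "other" (the trailing 7 of 777).
# Anything printed here can be modified by any local account, or by another
# site's compromised PHP process on a shared host.
wp_list_world_writable() {
    find "$1" -perm -002 -print
}

# Number of world-writable entries under $1; the audit should bring it to 0.
wp_count_world_writable() {
    wp_list_world_writable "$1" | wc -l | tr -d ' '
}

# Default scheme: directories 755, files 644. "{} +" hands many paths to one
# chmod call instead of forking chmod once per entry as "{} \;" does.
wp_set_default_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Tighten the sensitive files from the listing above, touching only those
# that exist so the run does not stop on a host without a cgi-bin directory.
wp_set_sensitive_perms() {
    root=$1
    [ -f "$root/wp-config.php" ]     && chmod 600 "$root/wp-config.php"
    [ -f "$root/.htaccess" ]         && chmod 604 "$root/.htaccess"
    [ -f "$root/cgi-bin/.htaccess" ] && chmod 604 "$root/cgi-bin/.htaccess"
    [ -f "$root/cgi-bin/php.ini" ]   && chmod 600 "$root/cgi-bin/php.ini"
    [ -f "$root/cgi-bin/php.cgi" ]   && chmod 711 "$root/cgi-bin/php.cgi"
    [ -f "$root/cgi-bin/php5.cgi" ]  && chmod 100 "$root/cgi-bin/php5.cgi"
    return 0
}

# True when $1 has exactly the octal mode $2. Uses find instead of stat(1)
# because the stat flags differ between GNU and BSD.
wp_has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Post-check: every directory is 755 and every file is 644, except the
# sensitive files handled above. Prints offenders and returns 1 if any.
wp_check_perms() {
    offenders=$( { find "$1" -type d ! -perm 755 -print
                   find "$1" -type f ! -perm 644 \
                        ! -name wp-config.php ! -name .htaccess \
                        ! -name php.ini ! -name php.cgi ! -name php5.cgi -print
                 } )
    [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# Demo on a constructed throwaway tree:  sh wp-perms.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/cache" "$d/cgi-bin"
    touch "$d/wp-config.php" "$d/.htaccess" "$d/index.php" "$d/cgi-bin/php.ini"
    chmod -R 777 "$d"                      # the state we want to get away from
    echo "world-writable before: $(wp_count_world_writable "$d")"
    wp_set_default_perms "$d"
    wp_set_sensitive_perms "$d"
    echo "world-writable after:  $(wp_count_world_writable "$d")"
    wp_check_perms "$d" && echo "scheme verified"
    rm -rf "$d"
fi
```

wp_check_perms is worth re-running after core or plugin updates and after large uploads: files written by the PHP process get that process's umask, not the scheme above, so the permissions drift over time and a directory that became world-writable is easy to miss without a check.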

Limiting file access rights

Add the following to the .htaccess in the site root. The access-control lines use the Apache 2.2 syntax (Order/Allow/Deny); on Apache 2.4 they only work while mod_access_compat is loaded.

```apache
# SECURING wp-config.php
# http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# SECURING wp-includes
# http://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes
# Block the include-only files. The [S=3] rule skips the three rules after it
# unless the request is under wp-includes/. Per the Codex, the
# ^wp-includes/[^/]+\.php$ rule breaks Multisite (it blocks ms-files.php),
# so drop that one line on a Multisite install.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# SECURING xmlrpc.php
# https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
# Prevent brute forcing via xmlrpc.php by denying it to everyone except one
# trusted source range. Note that this is NOT localhost: 192.0.64.0/18 is
# Automattic's range (used by Jetpack). Any other plugin or client that needs
# XML-RPC (e.g. Yoast) might have an issue, so check the log files and read up.
<files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 192.0.64.0/18
Satisfy All
# An ErrorDocument given as a full URL makes Apache answer with a redirect to
# it instead of a 403 page, so blocked clients get bounced to their own loopback.
ErrorDocument 403 http://127.0.0.1/
</files>
```
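The block above is written in the Apache 2.2 access-control syntax. Apache 2.4 only honours Order/Allow/Deny when mod_access_compat is loaded, and mixing them with the 2.4 Require directives in the same scope is an error, so the same rules in 2.4 syntax are given here as an added example (not from the notes or the Codex). The 192.0.64.0/18 range is carried over from the note as an assumption about who needs XML-RPC; replace it with your own trusted source, or drop the Require ip line to block xmlrpc.php outright. The mod_rewrite block does not depend on the access-control syntax and is unchanged on 2.4.

```apache
# Added example: the xmlrpc.php and wp-config.php rules in Apache 2.4 syntax.
# Do not combine these with Order/Allow/Deny in the same .htaccess scope.

# wp-config.php: never serve it, so that a broken PHP handler cannot make
# Apache send the raw file (database credentials included) to the client.
<Files wp-config.php>
    Require all denied
</Files>

# xmlrpc.php: "Require ip" on its own denies every other source, so no
# separate deny-all line is needed. 192.0.64.0/18 is the Automattic/Jetpack
# range from the note (an assumption about your setup); use
# "Require all denied" instead to switch XML-RPC off entirely.
<Files xmlrpc.php>
    Require ip 192.0.64.0/18
    # Same redirect-on-block trick as the original; omit it if you would
    # rather see a plain 403 in the access log.
    ErrorDocument 403 http://127.0.0.1/
</Files>
```

Check which syntax the server expects with `apachectl -v` and `apachectl -M | grep access_compat`, and run `apachectl configtest` after editing: a directive the server does not understand in .htaccess makes the whole site answer 500, not just the protected files.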