Most of the time, when it comes to hardening an existing #WordPress installation or site, we are all used to hearing the same old tunes:
- run an update to the latest version
- remove unused plugins
- update the plugins you do use
- check twice whether you really need a plugin (if not, get rid of it)
- disable plugins that no longer receive updates, or look for a replacement
- minimize user permissions (not all your users need admin privileges)
- sort out users (users that no longer need access have to be removed)
- use 2FA (Google Authenticator does the trick pretty well)
- protect your login page
- limit login attempts
But here come the new tunes ...
Disable PHP error display:
A simple edit of the site's wp-config.php file with this line should do the trick:
define('WP_DEBUG', false); // keep WordPress debug mode off on a live site
Disable PHP execution in untrusted folders:
This one is pretty new for me: you can guard against it with a simple access control file.
Just a little code is needed in .htaccess.
We have to test this well, because I think you can pretty quickly overuse these restrictions, and most of WordPress involves PHP execution.
# deny web access to any file whose name ends in .php in this folder and below
<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>
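As an added example (my code, not from the original post), here is a small Python checker for the two new tunes: it reads wp-config.php for the WP_DEBUG define and looks in an untrusted folder for a FilesMatch rule that denies PHP. The wp-content/uploads path and the sample files are my assumptions, constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Matches define('WP_DEBUG', false); regardless of spacing or quote style.
WP_DEBUG_RE = re.compile(r"""define\s*\(\s*['"]WP_DEBUG['"]\s*,\s*(true|false)\s*\)\s*;""", re.I)
# Matches a <FilesMatch "...php..."> block that denies access (Apache 2.2 or 2.4 syntax).
PHP_DENY_RE = re.compile(
    r'<FilesMatch\s+"[^"]*php[^"]*"\s*>.*?(Deny\s+from\s+all|Require\s+all\s+denied).*?</FilesMatch>',
    re.I | re.S)

# Constructed sample files for the demo; the .htaccess mirrors the snippet above.
SAMPLE_WP_CONFIG = "<?php\ndefine ( 'WP_DEBUG' , false);\n"
SAMPLE_HTACCESS = '<FilesMatch "\\.(php|php\\.)$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n'

def wp_debug_setting(wp_config_text: str) -> Optional[bool]:
    """WP_DEBUG value from wp-config.php, or None if it is never defined."""
    m = WP_DEBUG_RE.search(wp_config_text)
    return None if m is None else m.group(1).lower() == "true"

def php_execution_blocked(htaccess_text: str) -> bool:
    """True if the .htaccess denies all access to PHP files via FilesMatch."""
    return PHP_DENY_RE.search(htaccess_text) is not None

def audit_site(site_root: Path, untrusted_dirs=("wp-content/uploads",)) -> Dict[str, str]:
    """Report on both hardening items for a WordPress tree rooted at site_root."""
    results: Dict[str, str] = {}
    cfg = site_root / "wp-config.php"
    debug = wp_debug_setting(cfg.read_text()) if cfg.is_file() else None
    # An absent define is flagged too: the checklist wants the explicit false.
    results["WP_DEBUG"] = "ok" if debug is False else "FIX: WP_DEBUG is not explicitly false"
    for rel in untrusted_dirs:  # assumed upload folders that should never serve code
        ht = site_root / rel / ".htaccess"
        blocked = ht.is_file() and php_execution_blocked(ht.read_text())
        results[rel] = "ok" if blocked else f"FIX: no PHP deny rule in {rel}/.htaccess"
    return results

def build_sample_site(root: Path, harden_uploads: bool = True) -> Path:
    (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True, exist_ok=True)
    if harden_uploads:
        (uploads / ".htaccess").write_text(SAMPLE_HTACCESS)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item, verdict in audit_site(build_sample_site(Path(tmp))).items():
            print(f"{item}: {verdict}")
```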