How to improve WordPress security by hiding non public facing files?

by

e.g.

curl -I http://ma.tt/blog/wp-config.php
200 OK

The wp-config.php is not public facing file, since it currently just return blank page, so why not return 404 instead. (so will not be cached by Google)

Also, for file such as readme.html, it should be hidden as it disclose your wordpress version, e.g. http://ma.tt/blog/readme.html

So, currently I have selected several files and block in the web server level, e.g.

wp-config.php
wp-config-sample.php
license.txt
readme.html
 ..

But as there are so many files, especially under the wp-admin and wp-include folders, are there any better way to do it to improve security?

3 Answers
3

I wouldn’t bother with the readme file as probably no hacker bothers to check your WP version before trying to hack into the site.
Will not bother with anything in /wp-includes and /wp-admin because I trust the core team to make that code secure in the default installation, and those file don’t contain any information which is specific to my site.

The files to protect are wp-config.php, because it contains DB access details and the /wp-content directory because theme and plugins developers are not very good at security.
for wp-config just deny access in your .htaccess

<files wp-config.php>
order allow,deny
deny from all
</files>

for /wp-content/plugins and /wp-content/theme deny access for anything which is not animage,js or css file by adding an .htaccess there with the following content. If a plugin or theme does not work with this configuration they probably don’t follow WP coding guidelines and it might be better not to use them.

<Files ^(*.jpeg|*.jpg|*.png|*.gif|*.js|*.css)>
   order deny,allow
   deny from all
</Files>

for /wp-content/uploads you can’t realy deny access as you don’t know which type of files will be uploaded there, so the best thing to do there is to simply not to allow the execution of php,perl,pyton at that directories and serve them as plain text with the following rules

<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
ForceType text/plain
</FilesMatch>

Once you are satisfied, you should probably combine everything to one .htaccess at root for better performance

Leave a Comment