By Emin Sinanyan | Posted Apr. 28, 2017
WordPress has become the world’s most popular CMS, and that popularity is all the more reason to harden WordPress security if you use it for your website. Most people understand how to make their pages themselves secure, but if you are not also protecting your WordPress installation by limiting access to important files and folders, you are still at risk. Doing this requires no changes to WordPress itself; instead you change how WordPress runs on the server and how much access web users have to its files.
STEP 1: LIMITING ACCESS TO WP-INCLUDES FOLDER
WordPress sites are made up of many files and folders, each reachable at its own URL, which means that if someone types in the correct URL they can access or alter sensitive files that run your site. One of the most common targets for this kind of attack is the wp-includes folder, so we are going to add a few lines to the server configuration file to beef up security and prevent these kinds of threats. When we are done, any request for these files is refused: the server answers with 403 Forbidden, which is what the [F] flag in the rules does.
To start, open the .htaccess file for your site. Any text editor will do, because all we are doing is adding a short snippet to the file. You will notice that the file already contains code generated by WordPress; near the top you will find a line that says # BEGIN WordPress. Directly above that line, add the following lines, which fortify the site’s defenses by restricting web access to the wp-includes folder.
# Blocking web access to the wp-includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Afterward, you simply need to re-upload the file to the server and you’re done. While the changes here seem minor, they can have a large impact on your site’s defenses. Because many of the advanced functions of WordPress are located within the wp-includes folder, they are a major target for
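To see what the rule chain above actually allows and refuses before you upload it, here is a small Python model of it, added here as an illustration; it is not code from the original post or from WordPress. It reproduces how mod_rewrite evaluates rules in .htaccess context (patterns are tested against the request path with its leading slash stripped, a leading ! negates a pattern, [F] answers 403 Forbidden and [S=3] skips the next three rules) and runs a set of constructed request paths through it. It also makes one limit of the snippet visible: the rules block PHP files directly inside wp-includes and the two listed subdirectories, but a PHP file in any other wp-includes subdirectory is still served. Keep in mind, too, that .htaccess rules only take effect on Apache with mod_rewrite loaded and AllowOverride permitting them; nginx ignores .htaccess files entirely.

```python
import re

# Model of the rule chain in the .htaccess snippet above (a constructed
# re-implementation for illustration, not mod_rewrite itself).
# Each rule: (pattern, negated, action, argument)
#   action "F" -> mod_rewrite's [F,L]: answer 403 Forbidden and stop
#   action "S" -> mod_rewrite's [S=n]: skip the next n rules
RULES = [
    (r"^wp-admin/includes/",                   False, "F", 0),
    (r"^wp-includes/",                         True,  "S", 3),  # "!^wp-includes/"
    (r"^wp-includes/[^/]+\.php$",              False, "F", 0),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F", 0),
    (r"^wp-includes/theme-compat/",            False, "F", 0),
]


def is_forbidden(request_path: str) -> bool:
    """Return True if the rule chain would answer 403 for this request path.

    In .htaccess (per-directory) context with "RewriteBase /", mod_rewrite
    matches each RewriteRule pattern against the URL path relative to the
    directory, i.e. without the leading slash, so strip it first.
    """
    path = request_path.lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, negated, action, arg = RULES[i]
        # A leading "!" on the pattern inverts the match.
        matched = (re.search(pattern, path) is not None) != negated
        if matched:
            if action == "F":
                return True
            if action == "S":
                i += arg  # jump over the next `arg` rules
        i += 1
    return False


def audit(paths):
    """Map each request path to the verdict the rules would give it."""
    return {p: ("403 Forbidden" if is_forbidden(p) else "served") for p in paths}


# Constructed sample requests: a mix of legitimate asset loads and direct hits
# on PHP files that are not meant to be web entry points.
SAMPLE_REQUESTS = [
    "/index.php",
    "/wp-admin/admin-ajax.php",
    "/wp-includes/js/jquery/jquery.js",        # static asset: must stay served
    "/wp-includes/version.php",                # top-level include: blocked
    "/wp-includes/js/tinymce/langs/en.php",    # listed subdirectory: blocked
    "/wp-includes/theme-compat/comments.php",  # listed subdirectory: blocked
    "/wp-admin/includes/file.php",             # blocked by the first rule
    "/wp-includes/some-subdir/nested.php",     # constructed path: NOT covered
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_REQUESTS).items():
        print(f"{verdict:13} {path}")
```

Running the script prints a verdict per path; the last sample path shows that the snippet is not a blanket block on PHP under wp-includes, only on the locations its patterns name, which is worth knowing when you decide whether these rules are enough for your site.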