How to improve WordPress security by hiding non public facing files?

e.g.

curl -I http://ma.tt/blog/wp-config.php
200 OK

wp-config.php is not a public-facing file, since it currently just returns a blank page, so why not return 404 instead (so it will not be cached by Google)?


Also, files such as readme.html should be hidden, as they disclose your WordPress version, e.g. http://ma.tt/blog/readme.html

So currently I have selected several files and blocked them at the web server level, e.g.

wp-config.php
wp-config-sample.php
license.txt
readme.html
 ..

But as there are so many files, especially under the wp-admin and wp-includes folders, is there any better way to do it to improve security?

3 comments

  1. I wouldn’t bother with the readme file as probably no hacker bothers to check your WP version before trying to hack into the site.
    Will not bother with anything in /wp-includes and /wp-admin because I trust the core team to make that code secure in the default installation, and those files don’t contain any information which is specific to my site.

    The files to protect are wp-config.php, because it contains DB access details, and the /wp-content directory, because theme and plugin developers are not very good at security.
    For wp-config, just deny access in your .htaccess:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    

    For /wp-content/plugins and /wp-content/themes, deny access for anything which is not an image, JS or CSS file by adding an .htaccess there with the following content. If a plugin or theme does not work with this configuration, they probably don’t follow WP coding guidelines and it might be better not to use them.

    # Deny everything in this directory by default, then allow only static assets.
    # <Files> does not take a regex; the exception needs <FilesMatch> and an Allow.
    Order deny,allow
    Deny from all
    <FilesMatch "\.(jpe?g|png|gif|js|css)$">
       Allow from all
    </FilesMatch>
    

    For /wp-content/uploads you can’t really deny access, as you don’t know which types of files will be uploaded there, so the best thing to do there is simply not to allow the execution of PHP, Perl or Python in those directories and serve them as plain text with the following rules:

    # The dot must be escaped, otherwise "." matches any character.
    <FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
    </FilesMatch>
    

    Once you are satisfied, you should probably combine everything into one .htaccess at the root for better performance.

  2. First, a correction: if you block the files under wp-admin, you won’t be able to use the WordPress admin panel. You can, however, block the files under the “wp-admin/includes” folder.

    Now the solution:
    You don’t need to type all the names; you can use regular expressions to block a pattern of files. For example, it’s easy to write a regular expression to block all the files which reside in the wp-includes folder.

    If you don’t have other files in the same WordPress directory, then instead of blocking specific files you can go with the whitelist approach, i.e. allow only specific files. Specifically, you’ll allow only the files which reside inside the wp-admin & wp-content folders and, of course, the main WordPress file (index.php).

    If your themes & plugins don’t use any dynamically generated files, you can just block all PHP files from direct access except those in wp-admin & index.php.

    Whatever approach you take, just remember to only block PHP files & not anything else; otherwise the browser won’t be able to load the admin panel’s CSS & JavaScript.
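As an added example that is not part of either comment, here is one way to combine the two answers (deny the files named in the question, whitelist WordPress's own entry points, block direct requests for every other PHP file) using mod_rewrite so the same rules work on Apache 2.2 and 2.4. It assumes WordPress is installed at the document root; the list of core entry points that must stay reachable (wp-login.php, wp-comments-post.php, wp-cron.php, xmlrpc.php, wp-admin/) is my addition, not something the commenters listed.

```apache
# ---- /.htaccess (WordPress at the document root; change RewriteBase otherwise) ----
# R=404 drops the substitution and returns 404, so blocked files show up as
# "not found" instead of the 200 the question observed, and are not indexed.
RewriteEngine On
RewriteBase /

# Never public: configuration, its sample, and the version-disclosing files.
RewriteRule ^wp-config(-sample)?\.php$ - [NC,R=404,L]
RewriteRule ^(readme\.html|license\.txt)$ - [NC,R=404,L]

# Library code inside wp-admin that is only ever included, never requested.
RewriteRule ^wp-admin/includes/ - [NC,R=404,L]

# Core entry points that must stay directly reachable (admin-ajax.php lives
# under wp-admin/). REQUEST_URI is updated by WordPress's own internal
# rewrite to /index.php, so pretty permalinks keep working.
RewriteCond %{REQUEST_URI} !^/(index|wp-login|wp-comments-post|wp-cron|xmlrpc)\.php$ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
# Any other .php (wp-includes, plugins, themes, uploads), with or without
# trailing PATH_INFO such as /x.php/anything, gets 404 on a direct request.
RewriteRule \.php(/|$) - [NC,R=404,L]

# ---- /wp-content/uploads/.htaccess ----
# Second layer for user-supplied content: even if a handler mapping bypasses
# the rule above, never hand an uploaded file to a script engine.
# Apache 2.4 syntax; on 2.2 use "Order deny,allow" plus "Deny from all".
<FilesMatch "\.(php|phtml|php[0-9]|phar|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
```

After deploying, re-run the question's check (`curl -I` against wp-config.php, readme.html and a file under wp-includes) and expect 404, then walk through the admin panel and post editor: a plugin or theme that exposes its own PHP endpoint under wp-content will need an explicit exception, which is exactly the trade-off the first comment describes.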