Block xmlrpc attacks via .htaccess

XML-RPC is a remote-procedure-call interface, served by xmlrpc.php, that WordPress enables by default; since version 3.5 the backend no longer offers a setting to turn it off. It is a favourite brute-force target: through its system.multicall method a single HTTP request can try several hundred username and password combinations, so unless something you rely on needs it (Jetpack and remote-publishing clients talk to the site over XML-RPC), it is worth disabling.

You could do this with a plugin, but a lighter-weight way is to add the following rule to your .htaccess (this needs mod_rewrite, and AllowOverride on your host must permit rewrite rules in .htaccess):

# send any request for xmlrpc.php away from the site (the dot is escaped so it matches literally)
RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
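As an added example (not the post's own rule), this is the form I would use instead on Apache 2.4: it answers requests for xmlrpc.php with 403 Forbidden rather than a redirect, which is what an attacker's tooling should get, and it shows how to keep the endpoint reachable for one trusted client. The address 203.0.113.10 is an assumed placeholder from the documentation range; replace it with the client that really needs XML-RPC, or use `Require all denied` to block everyone.

```apache
# Added example: block xmlrpc.php with a 403 instead of a redirect (Apache 2.4).
# Only a client that really needs XML-RPC (Jetpack, a publishing app) is let
# through. 203.0.113.10 is a placeholder; replace it with the real address,
# or write "Require all denied" instead to block everyone.
<IfModule mod_authz_core.c>
<Files xmlrpc.php>
    Require ip 203.0.113.10
</Files>
</IfModule>

# Equivalent with mod_rewrite for hosts that do not allow authz directives in
# .htaccess: "-" keeps the URL unchanged, F sends 403 Forbidden, and the
# RewriteCond exempts the same placeholder address.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^xmlrpc\.php$ - [F,L]
</IfModule>
```

Check it from an address that is not allowlisted with `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://example.com/xmlrpc.php` and expect 403. If you still see WordPress's own reply ("XML-RPC server accepts POST requests only.") the rules are not being applied, usually because AllowOverride is off for the document root. Behind a reverse proxy or CDN, the address Apache sees is the proxy's, so an IP allowlist needs mod_remoteip to be configured first.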

Hiding your htaccess file

Another worthwhile step is hiding your .htaccess file from web clients, since it usually contains information that reveals the structure of your website or the content management system behind it. This takes two steps:

1. htaccess file permissions

First, set the permissions of your .htaccess to 644 (owner read and write, everyone else read-only), so only the account that owns the file can modify it. Note that this does not stop the web server from serving the file over HTTP; that is what the second step does.

2. Add this to your .htaccess file

# secure htaccess file
# Apache 2.4 syntax; on Apache 2.2 replace the Require line with
# "order allow,deny" followed by "deny from all"
<Files .htaccess>
Require all denied
</Files>
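Added example, going slightly beyond the post's block: it covers every file whose name starts with .ht (so .htpasswd as well as .htaccess) and carries both the Apache 2.4 and the legacy 2.2 syntax, each guarded so only the one your server understands is parsed; a `Require` line on 2.2, or an `order` line on 2.4 without mod_access_compat, would otherwise produce a 500 error. Stock Apache configurations already ship a rule like this, so treat it as a safety net for hosts that changed the default.

```apache
# Added example: deny web access to every .ht* file (.htaccess, .htpasswd, ...).
# Apache 2.4 (mod_authz_core) form
<IfModule mod_authz_core.c>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
</IfModule>

# Apache 2.2 form, only parsed when mod_authz_core is not present
<IfModule !mod_authz_core.c>
<FilesMatch "^\.ht">
    order allow,deny
    deny from all
</FilesMatch>
</IfModule>
```

Verify with `curl -i https://example.com/.htaccess` and expect 403; a 200 whose body contains Apache directives means the rule is not in effect.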

Prevent PHP execution in wp-content/uploads

When attackers obtain your WordPress credentials, there is a good chance they will try to upload a backdoor through the backend. A backdoor is a script, usually PHP, that lets them act on your site and web space (create malicious files, change permissions, and so on). Since wp-content/uploads has to be writable by the web server, it is the natural place for such a file to land, so it is worth preventing PHP execution there altogether. That limits what an attacker can do with the uploads directory if your credentials are compromised; it does not stop PHP uploaded as a plugin or theme from running, so treat it as one layer rather than a complete fix.

How to prevent PHP execution:

To ensure no .php files are executed there, create a .htaccess file in /wp-content/uploads containing the following code:

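The post's own snippet is not on this page; what follows is an added example of the wp-content/uploads/.htaccess I would write, not the author's code. It matches a PHP-style extension anywhere in the name, not only at the end, because under mod_php with an AddHandler-based setup Apache also runs a file named shell.php.jpg as PHP, so a plain `\.php$` pattern leaves a gap. The module names in the IfModule guards (mod_authz_core.c, mod_php.c) are the standard Apache 2.4 and PHP 8 names; PHP 7's module registers as mod_php7.c, so adjust the last guard if that is what your host runs.

```apache
# Added example: stop scripts dropped into wp-content/uploads from executing.
# Put this in wp-content/uploads/.htaccess; AllowOverride must permit it.

# Deny direct requests for anything carrying a PHP-style extension anywhere in
# the name: shell.php, shell.PHTML, shell.phar, shell.php7, shell.php.jpg ...
<FilesMatch "\.(?i:php|phtml|phar|php[0-9])(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
    </IfModule>
</FilesMatch>

# Belt and braces under mod_php: switch the PHP engine off for this directory
# entirely (needs AllowOverride Options or All). The guard keeps the line from
# breaking a php-fpm host, where it would be an unknown directive.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Two caveats a practitioner should keep in mind: nginx ignores .htaccess entirely, so on nginx the equivalent is a `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` block in the server configuration; and this only blocks the file from being served or run by a direct request, it does not remove it, so a scan of the uploads tree for PHP files is still worth running after any suspected compromise. To test, drop a harmless file such as uploads/probe.php containing `<?php echo 'executed';` and request it; you want 403, not the word "executed", and you want the same for probe.php.jpg.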