To prevent someone from viewing the indexes, you have to protect the wp-includes directory, and for this you need to edit the .htaccess file. In a previous article, “How to hide WordPress Powered WebSites”, I mentioned how we can protect the wp-includes directory; here are a few WordPress hardening tips and tricks to secure it from hackers and attackers. They add an extra layer of protection to places where scripts are generally not intended to be accessed by any user. The best way, as provided by the WordPress community, is to block those scripts using mod_rewrite in the .htaccess file.
Note: to make sure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags. If you don’t know how to edit the .htaccess file, contact us; we can do it for you free of charge.
```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
```
Important note: this won’t work well on Multisite, because the rule RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would, if you are updating your Multisite, prevent the ms-files.php file (Multisite) from generating images. You can remove this line, but doing so is a security risk.
In case your website is compromised, stay calm. First of all, try to reset your admin password, then scan your website for malicious content and contact your host for help putting everything back to normal. We provide the Free Professional WordPress Security Service.
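To see which requests the rule block above refuses, including the ms-files.php case from the Multisite note, the following added example (not code from the original article) replays the five RewriteRule lines over constructed request paths. The function names `parse_rules` and `evaluate` are hypothetical, and the model handles only the F and S=n flags that this block uses.

```python
import re

# Rule lines copied from the article's .htaccess block.
HTACCESS = r"""
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
"""

def parse_rules(text):
    """Turn RewriteRule lines into (regex, negated, flags) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "RewriteRule":
            continue
        pattern, flags = parts[1], parts[3].strip("[]").split(",")
        negated = pattern.startswith("!")
        regex = re.compile(pattern[1:] if negated else pattern)
        rules.append((regex, negated, flags))
    return rules

def evaluate(url_path, rules):
    """Simplified model of mod_rewrite: only F and S=n are handled."""
    path = url_path.lstrip("/")  # .htaccess patterns see no leading slash
    skip = 0
    for regex, negated, flags in rules:
        if skip:                 # rule skipped by an earlier [S=n]
            skip -= 1
            continue
        if bool(regex.search(path)) == negated:
            continue             # rule did not match
        if "F" in flags:
            return "403 Forbidden"
        skip = next((int(f[2:]) for f in flags if f.startswith("S=")), 0)
    return "pass"

RULES = parse_rules(HTACCESS)

# Constructed sample request paths (hypothetical, for illustration).
SAMPLES = ["/wp-login.php", "/wp-admin/includes/file.php",
           "/wp-includes/version.php", "/wp-includes/ms-files.php",
           "/wp-includes/js/jquery/jquery.js",
           "/wp-includes/js/tinymce/langs/wp-langs.php",
           "/wp-includes/theme-compat/header.php"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{evaluate(p, RULES):14} {p}")
```

Requests outside wp-includes match the negated second rule, so [S=3] skips the three wp-includes rules for them; static assets under wp-includes pass while top-level PHP files there, ms-files.php included, are refused.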
- Block malicious IPs automatically & manually.
- Prevent keylogging with a virtual keyboard.
- Hide wp admin and change wp login url.
- Protect from brute-force login attack.
- Supervise login activities.
- Alert via email with login attacks.
- Detect admin and change username.
- Change the ID on the user with ID 1.
This tool is great, especially if you are inheriting code from another user. You can quickly tell what WordPress template is being used, what sidebar is being called in and what custom fields you have access to.
On top of that is one of its greatest features: a site analysis report card. This analysis will go through hundreds of checks to determine your grade. You will either pass, fail or get a warning. If you fail or get a warning, it will tell you what to do to bring up your score.