WordPress Security Tutorial Complete Guide (2022)

There are several .htaccess recipes that add extra protection to a WordPress installation. All of them depend on Apache actually reading .htaccess files (the server's AllowOverride setting must permit it); on nginx they do nothing, and the Order/Allow/Deny syntax used below is the Apache 2.2 form, which on Apache 2.4 requires mod_access_compat (the native 2.4 equivalent is Require all denied / Require all granted).

Prevent the execution of .php files in the uploads directory

The /uploads directory normally holds images, videos and other media, but if an upload handler in core, a theme or a plugin can be tricked into storing a file with a PHP extension, an attacker only has to request that file to have the server execute it.

A good solution is to add a .htaccess file inside the uploads directory that denies direct access to PHP files:

<Files *.php>
Deny from all
</Files>

Two caveats: *.php only matches a final .php extension (the double-extension case is handled further down), and a few caching or backup plugins write PHP files into uploads, so check that nothing breaks after adding this.

You can also go further and serve nothing but image files from uploads: deny everything, then allow only the wanted extensions back inside a FilesMatch section. The extension list here is an example; extend it to every file type your site really serves from uploads (PDFs, videos, fonts), or those downloads will start returning 403:

Order Allow,Deny
Deny from all
<FilesMatch "\.(jpe?g|png|gif|webp)$">
Allow from all
</FilesMatch>

Malicious code sometimes hides under names like xxxxxx.php.jpg. That name is not caught by the *.php pattern above, and with an AddHandler-based PHP configuration Apache's mod_mime can still pass it to PHP, because it looks at every extension in the filename, not just the last one. Block anything with .php. anywhere in the name as well:

<FilesMatch "\.php\.">
Order Allow,Deny
Deny from all
</FilesMatch>

Always redirect errors

Serving your own error pages avoids exposing Apache's default error page, which can reveal the server signature and other details useful to an attacker. Be aware that an absolute URL as the target makes Apache answer with a redirect, so the client gets a 302 to the home page instead of the real 403 or 404; a local path to a page on the same site keeps the original status code, which is better for search engines and for reading your own logs:

ErrorDocument 404 http://www.mysite.com
ErrorDocument 403 http://www.mysite.com

Deny access to certain tools like wget, curl, perl, etc.

Even if your content is public, you may want to make bulk copying harder.

Nothing stops it completely, but you can refuse requests from common download and scraping tools. The only thing .htaccess has to go on is the User-Agent request header (a RewriteCond on %{HTTP_USER_AGENT} followed by a RewriteRule with the F flag), and that header is set by the client, so anyone who wants the content simply changes it. Treat this as friction against lazy scripts, not as protection.


Avoid SQL injection attacks

WordPress core builds its queries through $wpdb->prepare() and is reasonably well defended against this type of attack, but any of your plugins or themes may still assemble SQL from request parameters unsafely.


If that is the case, the following rules return 403 for query strings that look like common injection attempts. Be clear about what this is: a blacklist of characters and SQL keywords applied to the raw, still URL-encoded query string only. It does not see POST bodies, cookies or headers; it blocks legitimate requests that happen to contain an apostrophe (any search for don't, for instance); and a numeric injection with no quotes or special characters passes straight through. It is a speed bump, not a fix; the fix is parameterised queries in the vulnerable code. WordPress's own rewrite block already enables the engine, so the first line is only needed if these rules stand alone:

RewriteEngine On
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
RewriteRule .* - [F]
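To make the limits of this filter concrete, here is an added example (not code from the original article) that transcribes the blocking conditions above into Python regular expressions and runs them over a few constructed query strings. It assumes, as the mod_rewrite documentation states, that %{QUERY_STRING} is matched in its raw, still URL-encoded form (which is why the pattern lists both ' and %27); the sample requests and the wp_users payload are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# The blocking conditions of the .htaccess snippet, transcribed as Python
# regexes. mod_rewrite tests %{QUERY_STRING} against the raw, still
# URL-encoded query string, so the same raw text is matched here.
# [NC] becomes re.IGNORECASE; the [OR] flags mean "block if ANY matches".
CONDITIONS = [
    # a dangerous character followed, anywhere later, by an SQL keyword
    re.compile(r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
               r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)""",
               re.IGNORECASE),
    # literal directory traversal
    re.compile(r"\.\./\.\."),
    # loopback references
    re.compile(r"(localhost|loopback|127\.0\.0\.1)", re.IGNORECASE),
    # any dangerous character at all, raw or percent-encoded
    re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE),
]


def blocked(raw_query_string: str) -> bool:
    """True if the RewriteRule would answer 403 for this raw query string."""
    return any(cond.search(raw_query_string) for cond in CONDITIONS)


# Constructed sample requests (not captured traffic): (raw query string,
# what we would WANT the filter to do with it).
SAMPLES = [
    ("p=123", "allow"),                                    # ordinary permalink
    ("s=don%27t+stop", "allow"),                           # search containing an apostrophe
    ("id=1%27+union+select+1,2,3--+-", "block"),           # quoted injection probe
    ("id=1+union+select+user_login,user_pass+from+wp_users", "block"),  # numeric injection, no quotes
    ("file=../../etc/passwd", "block"),                    # literal traversal
    ("file=..%2F..%2F..%2Fetc%2Fpasswd", "block"),         # the same traversal, percent-encoded
]


def evaluate(samples=SAMPLES):
    """Return (raw, decoded as PHP sees it, filter decision, wanted, verdict) rows."""
    rows = []
    for raw, wanted in samples:
        decision = "block" if blocked(raw) else "allow"
        if decision == wanted:
            verdict = "ok"
        elif decision == "block":
            verdict = "FALSE POSITIVE"   # a legitimate request gets a 403
        else:
            verdict = "BYPASS"           # an attack the blacklist never sees
        # PHP's $_GET parsing decodes %xx and turns + into a space
        rows.append((raw, unquote_plus(raw), decision, wanted, verdict))
    return rows


if __name__ == "__main__":
    for raw, decoded, decision, wanted, verdict in evaluate():
        print(f"{verdict:14} filter={decision:5} wanted={wanted:5}  {raw}")
        if decoded != raw:
            print(f"{'':14} PHP sees: {decoded}")
```

The two BYPASS rows are the ones to remember: the numeric injection against wp_users carries none of the characters the blacklist looks for, and the encoded traversal never contains the literal ../.. that the second condition expects, because the match happens before decoding. The FALSE POSITIVE row is what visitors hit whenever they search for anything with an apostrophe in it.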
