There are several ways to add extra protection to a WordPress site through .htaccess.
Prevent the execution of .php files in the uploads directory
The /uploads directory is usually used to store images or videos, and it is sometimes exploited by malicious users who upload PHP code by abusing the WordPress image upload scripts.
A good solution is to add a .htaccess file in the uploads directory that prevents access to PHP files:
# Apache 2.2 syntax (on Apache 2.4 the equivalent inside the block is "Require all denied")
<Files "*.php">
  Order Allow,Deny
  Deny from all
</Files>
You can also restrict access in directories such as uploads to image files only:
# Deny everything in the directory, then re-allow only image files
# (the extension list is assumed; adjust it to the file types you actually serve)
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpe?g|png|gif)$">
  Allow from all
</FilesMatch>
Malicious code may also try to hide behind double extensions such as xxxxxx.php.jpg; these names can be blocked by their pattern:
# Matches any file name containing ".php." (e.g. xxxxxx.php.jpg)
<FilesMatch "\.php\.">
  Order Allow,Deny
  Deny from all
</FilesMatch>
Always redirect errors
Redirecting errors is good practice, because it avoids displaying information that could give clues to a malicious individual:
# A full URL makes Apache answer with a redirect (the client sees a 302 instead of the original 404/403);
# use a local path such as /404.html if you want the original status code preserved.
ErrorDocument 404 http://www.mysite.com
ErrorDocument 403 http://www.mysite.com
Deny access to certain tools like wget, curl, perl, etc.
Even if you display content publicly on your website, you may want to prevent it from being copied.
There is no way to fully protect it, but to make copying harder we can deny access to certain tools so that they cannot crawl the website and download its content:
RewriteEngine On
# Refuse requests whose User-Agent announces one of these tools
# (the list is taken from the heading above; extend it as needed)
RewriteCond %{HTTP_USER_AGENT} ^(wget|curl|perl) [NC]
RewriteRule .* - [F]
# The User-Agent header is chosen by the client, so this only stops tools run with their default identification.
Avoid SQL injection attacks
WordPress by default has measures to prevent this type of attack, but who knows whether one of your plugins has a hole in this respect?
If that is the case, you can use the following code to block some SQL injection attempts carried in the query string:
RewriteEngine On
# SQL-looking keyword following a quote, bracket, or an encoded control/meta character
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
# Directory traversal in the query string
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
# References to the local host
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
# A dot followed by a letter or digit; note that this also rejects harmless values such as ?v=1.2,
# so test your site after enabling it
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
# Raw or encoded quotes, angle brackets, line breaks and NUL
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
RewriteRule .* - [F]
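To see what the User-Agent rule and the query-string rules above actually accept and reject before deploying them, here is an added Python script (not code from the original article) that re-implements the same conditions with Python's re module and runs them over a few constructed requests, including a harmless ?v=1.2 that the fourth condition rejects. The Request structure and the condition names are my own; Apache's RewriteCond does an unanchored search on the raw, still URL-encoded query string, and [NC] makes it case-insensitive, which re.search with re.IGNORECASE reproduces.

```python
import re
from typing import NamedTuple


class Request(NamedTuple):
    """A constructed request: only the two fields the rules inspect."""
    user_agent: str
    query_string: str  # raw and still URL-encoded, exactly as %{QUERY_STRING} sees it


# Same pattern as the User-Agent RewriteCond; [NC] becomes re.IGNORECASE.
USER_AGENT_BLOCK = re.compile(r"^(wget|curl|perl)", re.IGNORECASE)

# The five query-string conditions, in order. The [OR] flags chain them, so a
# request is refused if ANY of them matches. The names are mine, for reporting.
QUERY_STRING_CONDITIONS = [
    ("sql-keyword-after-metachar",
     re.compile(r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
                r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)""",
                re.IGNORECASE)),
    ("directory-traversal", re.compile(r"\.\./\.\.")),
    ("loopback-reference", re.compile(r"(localhost|loopback|127\.0\.0\.1)", re.IGNORECASE)),
    ("dot-followed-by-alnum", re.compile(r"\.[a-z0-9]", re.IGNORECASE)),
    ("raw-metachar", re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE)),
]


def blocked_by_user_agent(user_agent: str) -> bool:
    """True if the User-Agent rule would refuse this client."""
    return USER_AGENT_BLOCK.search(user_agent) is not None


def matching_conditions(query_string: str) -> list:
    """Names of every query-string condition that fires for this query string."""
    return [name for name, pattern in QUERY_STRING_CONDITIONS if pattern.search(query_string)]


def evaluate(request: Request) -> tuple:
    """Return (status, reasons): 403 with the rules that fired, or 200 with an empty list."""
    reasons = []
    if blocked_by_user_agent(request.user_agent):
        reasons.append("user-agent")
    reasons.extend("query:" + name for name in matching_conditions(request.query_string))
    return (403 if reasons else 200, reasons)


# Constructed sample traffic; nothing here was captured from a real server.
SAMPLE_REQUESTS = [
    Request("Mozilla/5.0 (X11; Linux x86_64)", "p=42"),                        # ordinary page view
    Request("curl/8.4.0", "p=42"),                                             # refused by User-Agent
    Request("Mozilla/5.0 (X11; Linux x86_64)", "id=1'%20union%20select%201,2"),  # classic injection shape
    Request("Mozilla/5.0 (X11; Linux x86_64)", "v=1.2"),                       # harmless, yet refused
    Request("Mozilla/5.0 (X11; Linux x86_64)", "dir=../../tmp"),               # traversal pattern
]


def review(requests=SAMPLE_REQUESTS) -> list:
    """Evaluate each request; returns (request, status, reasons) triples."""
    return [(request, *evaluate(request)) for request in requests]


if __name__ == "__main__":
    for request, status, reasons in review():
        print(f"{status}  UA={request.user_agent!r:36} QS={request.query_string!r}  {reasons}")
```

Running it shows the fourth sample being refused purely because of the dot-followed-by-alnum condition; if your site uses query parameters like that (version strings, file names), drop that one RewriteCond rather than the whole block.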