So I showed you how you can help speed up WordPress using a single line of PHP in your header.php theme file and by adding a few simple lines to your .htaccess file. Now let's concentrate on security.
As WordPress is now so widely used (60+ million installs) it has become a favourite hunting ground for anyone interested in tinkering in the dark arts. Because it is open source, its directory layout and file names are public knowledge, so automated scanners know exactly where to look. This article will make your site a whole heap more resistant to brute-force and scanner attacks by adding another few lines to your .htaccess file.
Firstly you'll want to protect wp-config.php, as it holds your database credentials and the authentication salts.
We'll do this by denying all direct web access to it. Add this to the bottom of your .htaccess file.
### SECURITY ###
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Put simply, this snippet refuses every HTTP request for the file. WordPress itself still works, because PHP reads wp-config.php from disk rather than fetching it over the web, and you can still edit it over FTP/SFTP. One caveat: order and deny are Apache 2.2 directives. On Apache 2.4 they only work if mod_access_compat is loaded; if your host runs 2.4 without it, use "Require all denied" inside the <Files> block instead, otherwise the whole site will answer with a 500 error.
Next you'll want to close the door on people browsing your directories. Without this, any folder that has no index file (wp-content/uploads is the usual target) shows a full listing of its contents to anyone who asks.
# block directory browsing
# ("Options -Indexes" on its own also works and is less likely to be refused by a restrictive AllowOverride)
Options All -Indexes
Last but not least, we'll stop anyone from reading the .htaccess file itself (and .htpasswd, if you have one), since it reveals exactly which rules you have in place.
# protect .htaccess (and any other .ht* file)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
That's it for this file. Save it and upload it to the folder WordPress is installed in (usually /public_html on shared hosting).
We are almost done; there is just one more thing to do.
Create a second .htaccess file. Open Notepad (or any plain-text editor) and save the document as .htaccess. This one goes in the wp-admin folder, so that only the IP addresses you list can reach the admin area, while still allowing the admin-ajax.php requests that eCommerce sites and many plugins rely on. Bear in mind that the login form itself is wp-login.php in the site root, not inside wp-admin, so this file does not stop password guessing against the login form on its own; what it does is keep anyone who is not on your allow list, including someone who has guessed a password, out of the dashboard and every other script under wp-admin.
The first line, order deny,allow, tells Apache to evaluate the deny rules first and the allow rules last, so "deny from all" shuts everyone out and each "allow from" line then re-admits a single IP address.
So in the blank .htaccess add the following.
If you want to find your public IP, Google "what is my ip". Most home connections get a dynamic address, so you will need to update this file when yours changes, or you will lock yourself out.
#Block access to admin
order deny,allow
#Find your ip and put it here
allow from 22.214.171.124
#Add more if needed or delete.
allow from 126.96.36.199
#Block everyone else
deny from all
#Allow Ajax, we're running a business here!
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
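As an added example (not the post's own code), here is a small Python script that generates both .htaccess files from an IP allow list and then checks a deployed site for the expected 403 responses. It goes beyond the post in two ways: every rule is emitted in both Apache 2.4 (Require) and Apache 2.2 (Order/Allow/Deny) syntax under <IfModule> guards, so the same file works on either version, and the .ht* rule uses FilesMatch "^\.ht" rather than the post's Files ~ regex. The site URL, the 203.0.113.0/24 addresses (RFC 5737 documentation range) and the assumption that wp-content/uploads has no index file are all illustrative.

```python
"""Generate the two WordPress .htaccess files from this post and verify them.

Added example, not the original post's code. Assumes Apache 2.2 or 2.4 with
.htaccess overrides enabled and a stock WordPress layout.
"""
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple


def _dual(v24: List[str], v22: List[str], indent: str = "") -> List[str]:
    """Emit rules under <IfModule> so Apache 2.4 and 2.2 each see their own syntax."""
    out = [indent + "<IfModule mod_authz_core.c>"]          # present on Apache 2.4
    out += [indent + "    " + line for line in v24]
    out += [indent + "</IfModule>", indent + "<IfModule !mod_authz_core.c>"]
    out += [indent + "    " + line for line in v22]        # Apache 2.2 fallback
    out += [indent + "</IfModule>"]
    return out


# Deny everyone: 2.4 syntax, then the 2.2 equivalent used in the post.
DENY = (["Require all denied"], ["Order allow,deny", "Deny from all"])


def _cidr(net) -> str:
    """Render a single host as a bare address and a real subnet in CIDR form."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def root_htaccess() -> str:
    """Site-root rules: hide wp-config.php, disable listings, hide .ht* files."""
    lines = ["### SECURITY ###", "# protect wp-config.php", "<Files wp-config.php>",
             *_dual(*DENY, indent="    "), "</Files>", "",
             "# block directory browsing", "Options -Indexes", "",
             "# protect .htaccess and .htpasswd", r'<FilesMatch "^\.ht">',
             *_dual(*DENY, indent="    "), "</FilesMatch>", ""]
    return "\n".join(lines)


def admin_htaccess(allowed: Iterable[str]) -> str:
    """wp-admin rules: IP/CIDR allow list, with admin-ajax.php left reachable."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]  # ValueError on junk
    if not nets:
        raise ValueError("allow list is empty: this would lock everyone out")
    v24 = ["<RequireAny>", *[f"    Require ip {_cidr(n)}" for n in nets], "</RequireAny>"]
    v22 = ["Order deny,allow", "Deny from all", *[f"Allow from {_cidr(n)}" for n in nets]]
    lines = ["# Block access to wp-admin except from the allow list", *_dual(v24, v22), "",
             "# admin-ajax.php must stay reachable for front-end AJAX",
             "<Files admin-ajax.php>",
             *_dual(["Require all granted"],
                    ["Order allow,deny", "Allow from all", "Satisfy any"], indent="    "),
             "</Files>", ""]
    return "\n".join(lines)


Fetcher = Callable[[str], int]   # url -> HTTP status code

# What a request from an IP that is NOT on the allow list should see.
# admin-ajax.php answers 400 (body "0") when no action is given; older WordPress
# releases answered 200 with the same body, so both count as "reachable".
EXPECTED: Dict[str, Tuple[int, ...]] = {
    "/wp-config.php": (403,),
    "/.htaccess": (403,),
    "/wp-content/uploads/": (403,),   # assumption: no index file in uploads
    "/wp-admin/": (403,),
    "/wp-admin/admin-ajax.php": (200, 400),
}


def verify(fetch: Fetcher, base: str) -> List[str]:
    """Return one line per failed check; an empty list means every rule is in effect."""
    failures = []
    for path, ok in EXPECTED.items():
        status = fetch(base.rstrip("/") + path)
        if status not in ok:
            failures.append(f"{path}: got {status}, expected one of {ok}")
    return failures


def http_status(url: str) -> int:
    """Stdlib fetcher: HEAD request, returning the status even for 4xx/5xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Write root_htaccess() to the WordPress root and admin_htaccess([...]) to wp-admin/, then run verify(http_status, "https://your-site") from a machine whose IP is not on the allow list: every line it returns is a rule that is not taking effect, and a 500 on every path usually means the host's AllowOverride does not permit these directives.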
You can find more on Protecting WordPress Here
If spam is your problem, I have a great fix that, believe it or not, actually works and is free.