Htpw

htpw is a project to increase the security of your WordPress!

Project README

htpw

.htaccess to protect WordPress

Description

htpw is a project to increase the security of your WordPress installation without installing external plugins, which preserves the memory, disk space and integrity of the CMS installation.

It deliberately avoids invasive rules (such as XSS or injection filtering), so that it does not cause malfunctions in external plugins.

Functionality

htpw introduces the following protections:

  • Protect log files;
  • Protect system files;
  • Disable directory listing;
  • Implement security headers;
  • Block malicious or suspicious user agents;
  • Disable the execution of PHP code in the Upload directory;
  • Disable the execution of PHP code in the Plugins directory (rule disabled by default);
  • Disable the execution of PHP code in the Themes directory;
  • Block XML-RPC requests except JetPack or Akismet connections.

Installation

Add the contents of the htaccess file to the bottom of your .htaccess file.

htpw works if your webserver is Apache (not NGINX).

Testing

To test whether the new rules work and protect your WordPress site, you can use WPScan (WordPress Security Scanner). If the default scan fails, htpw is working!

You can install WPScan on your PC or use it online. Example of a failed online scan:

WPScan Fails via htpw
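
A complementary check to the WPScan test above, as an added example that is not part of htpw or its README: it probes a site you administer for the protections listed under Functionality and reports what each probe found. The probed paths, the header names, the scanner User-Agent string and the reading of 403 as "blocked" are all assumptions, since the README does not state them.

```python
import urllib.error
import urllib.request

# Assumed probes; the README does not list the exact files or headers htpw covers.
FILE_PROBES = {
    "log file": "/wp-content/debug.log",
    "system file": "/wp-config.php",
    "xml-rpc": "/xmlrpc.php",
    "directory listing": "/wp-content/uploads/",
}
SECURITY_HEADERS = ("x-content-type-options", "x-frame-options")
SCANNER_UA = "WPScan (constructed test value)"  # assumed to match a blocked agent


def http_fetch(url, user_agent="htpw-check"):
    """GET url and return (status, set of lower-cased header names, body text)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, {k.lower() for k in resp.headers.keys()}, body
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry status and headers
        return err.code, {k.lower() for k in err.headers.keys()}, ""


def classify(status):
    """Map a status code to what it says about a probed path (403 assumed = rule hit)."""
    return {403: "blocked", 404: "not found"}.get(status, "reachable")


def check_site(base_url, fetch=http_fetch):
    """Probe base_url and return {check name: finding}."""
    base = base_url.rstrip("/")
    report = {}
    for name, path in FILE_PROBES.items():
        status, _, body = fetch(base + path)
        finding = classify(status)
        # Apache's auto-generated index pages start with "Index of /<path>".
        if name == "directory listing" and "Index of /" in body:
            finding = "listing enabled"
        report[name] = finding
    _, headers, _ = fetch(base + "/")
    report["missing headers"] = sorted(h for h in SECURITY_HEADERS if h not in headers)
    status, _, _ = fetch(base + "/", SCANNER_UA)
    report["scanner user agent"] = classify(status)
    return report
```

Call `check_site("https://your-site.example")` before and after adding the rules and compare the two reports; a "not found" result means the file is absent, not that a rule protected it.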

Troubleshooting

  • If you use a CDN service (like Cloudflare), remember to install the mod_remoteip Apache module.

Credits

License

GNU General Public License v3.0

Open Source Agenda is not affiliated with "Htpw" Project. README Source: drego85/htpw