Add keys to wp-config.php <Files .htaccess>
order allow,deny
deny from all
</Files>
Move wp-config.php to another location and create a new wp-config.php to include it <?php
define ('ABSPATH ' , dirname (__FILE__ ) . '/ ' );
require_once (ABSPATH . '../path/to/wp-config.php ' );Disable file editing in wp-config.php define ('DISALLOW_FILE_EDIT ' , true );Disable access to wp-includes # Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Prevent username enumeration RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Limit login attempts if necessary <?php
/**
* CLASS LIMIT LOGIN ATTEMPTS
* Prevent Mass WordPress Login Attacks by setting locking the system when login fail.
* To be added in functions.php or as an external file.
*/
if ( ! class_exists ( 'Limit_Login_Attempts ' ) ) {
class Limit_Login_Attempts {
var $ failed_login_limit3 ; //Number of authentification accepted
var $ lockout_duration1800 ; //Stop authentification process for 30 minutes: 60*30 = 1800
var $ transient_name'attempted_login ' ; //Transient used
public function __construct () {
add_filter ( 'authenticate ' , array ( $ this 'check_attempted_login ' ), 30 , 3 );
add_action ( 'wp_login_failed ' , array ( $ this 'login_failed ' ), 10 , 1 );
}
/**
* Lock login attempts of failed login limit is reached
*/
public function check_attempted_login ( $ user$ username$ passwordif ( get_transient ( $ this transient_name ) ) {
$ datasget_transient ( $ this transient_name );
if ( $ datas'tried ' ] >= $ this failed_login_limit ) {
$ untilget_option ( '_transient_timeout_ ' . $ this transient_name );
$ time$ this when ( $ untilreturn new WP_Error ( 'too_many_tried ' , sprintf ( __ ( '<strong>ERROR</strong>: You have reached authentification limit, you will be able to try again in %1$s. ' ) , $ timereturn $ user/**
* Add transient
*/
public function login_failed ( $ usernameif ( get_transient ( $ this transient_name ) ) {
$ datasget_transient ( $ this transient_name );
$ datas'tried ' ]++;
if ( $ datas'tried ' ] <= $ this failed_login_limit )
set_transient ( $ this transient_name , $ datas$ this lockout_duration );
} else {
$ datasarray (
'tried ' => 1
);
set_transient ( $ this transient_name , $ datas$ this lockout_duration );
}
}
/**
* Return difference between 2 given dates
* @param int $time Date as Unix timestamp
* @return string Return string
*/
private function when ( $ timeif ( ! $ timereturn ;
$ right_nowtime ();
$ diffabs ( $ right_now$ time$ second1 ;
$ minute$ second60 ;
$ hour$ minute60 ;
$ day$ hour24 ;
if ( $ diff$ minutereturn floor ( $ diff$ second' secondes ' ;
if ( $ diff$ minute2 )
return "about 1 minute ago " ;
if ( $ diff$ hourreturn floor ( $ diff$ minute' minutes ' ;
if ( $ diff$ hour2 )
return 'about 1 hour ' ;
return floor ( $ diff$ hour' hours ' ;
}
}
}
//Enable it:
new Limit_Login_Attempts ();
?> 