How to Protect WordPress Themes, Plugins, Includes and Content Folders
For those who want to harden their WordPress site and take security one step further, this article will show you how to protect WordPress themes, plugins, includes and content directories.
If your WordPress site has been hacked, I suggest you read my article, How to Fix a Hacked WordPress Site, before continuing.
Disable Plugin and Theme Update and Installation
This simple wp-config.php mode will block users and hackers from being able to use the plugin and theme installation/update functionality from the WordPress admin area. Just add the following code to the WordPress wp-config.php file.
/** Disable File Modifications define( 'DISALLOW_FILE_MODS', true );
Setting this constant also disables the Plugin and Theme editor (i.e. you don’t need to set DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT, as on its own DISALLOW_FILE_MODS will have the same effect).
You will still be able to enable/disable installed themes and plugins as normal.
Protect Includes and Content Directories
To install a backdoor, hackers will modify existing files such as the core WordPress code and/or installed theme and plugin code. Luckily, a security monitoring service such as Sucuri will flag these attempts.
Hackers, for obvious reasons, will try to hide their backdoor access files in the /wp-includes/ or /wp-content/uploads/ folders.
Their files are usually .php files with names that make them look like WordPress core files, plugin or theme files, so spotting them can be quire tricky.
Luckily there is a trick you can employ to prevent these extraneous files being executed and improve your WordPress security. Disable PHP execution in selected WordPress folders.
Create a blank text file called .htaccess. Copy and paste the following code into the file:
<Files *.php> deny from all </Files>
Now upload this .htaccess file to your /wp-includes/ and /wp-content/uploads/ folders.
Important: If you already have .htaccess files in these folders do not overwrite them. Edit their contents and add the code instead.
What does the code do? This code denies access to any PHP file from external server sources, i.e., no-one can call a .php file from their browser.
If you get an Error 500 when accessing pages after installing the above mod, it means there is a problem with the .htaccess file. This can be anything from a simple spelling mistake to a syntax error. If you receive a 500 error after making a change to the .htaccess file, double check your changes.
Making the above changes will reduce the risk of damage to your site in the event that a hacker gains access to your WordPress dashboard. Remember, it’s always a good idea to make a backup copy of any original files before you start making changes this WordPress security hardening tip.
If you are conscious about your WordPress security, then I suggest you purchase Sucuri monitoring service and look into managed WordPress hosting from suppliers such as WPEngine who provide for mission critical, WordPress optimised sites around the world.
If you have any comment, corrections or items you think should be added to, ‘Protect WordPress Themes, Plugins, Includes and Content Folders’, please do not hesitate to let me have them in the comment box below.