In a previous article we showed how to hide the WordPress version, block hotlinking, and protect the directories and the admin panel of your site. Today we share a few more secrets for securing a WordPress site.

1. Install.php in WordPress.
As you know, install.php (in the wp-admin folder) is one of the most important files for installing WordPress. But once you have installed the CMS, this file is no longer needed, so you should protect it or delete it. Do not worry about deleting it: updating WordPress will not be a problem, because the file ships with WordPress and you can easily upload it to your host again when you want to update. But remember: if you neither delete nor protect this file, you will be a target for malware and hackers. There are three ways to protect your site from attacks on this file:

  • The first way is the easiest and the most useful: delete the file. You do not need it.
  • Via .htaccess: put this .htaccess file in the wp-admin folder to protect install.php there (only if your host allows .htaccess):
    # PROTECT install.php
    <Files install.php>
    Order Allow,Deny
    Deny from all
    Satisfy all
    </Files>
  • If you do not want to delete the file, or your host does not allow .htaccess, you can simply rename it, for example from install.php to mysafe-install.php. This makes it a little safer. You can then upload this decoy install.php to your host:
    <?php
    // Decoy install.php: answer every request with 503 and notify the site owner
    header("HTTP/1.1 503 Service Temporarily Unavailable");
    header("Status: 503 Service Temporarily Unavailable");
    header("Retry-After: 3600"); // 60 minutes
    mail("your@email.com", "Database Error", "There is a problem with the database!");
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Error Establishing Database Connection</title>
    </head>
    <body>
    <img src="images/wordpress-logo.png" />
    <h1>Error Establishing Database Connection</h1>
    <p>We are currently experiencing database issues. Please check back shortly. Thank you.</p>
    </body>
    </html>

After this you have two files: install.php (the decoy) and mysafe-install.php (the real installer).
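As an added example (not from the original article), here is a small Python audit script that reports which of the states described above a WordPress root is in: install.php absent, protected by the .htaccess block, replaced by the 503 decoy, or still exposed. The directory layouts it builds are constructed for the example, and the decoy detection (a 503 header and no wp_install() call) is a heuristic assumed for this example, not a WordPress convention.

```python
"""Audit a WordPress root for an exposed wp-admin/install.php.

Added example, not from the original article. Reports one of four states:
'absent' (deleted), 'protected' (.htaccess denies it), 'decoy' (the 503
stub from the article) or 'exposed' (the real installer is reachable).
"""
import os
import re
import tempfile

# A <Files install.php> block in wp-admin/.htaccess that denies everyone.
# Simple heuristic, assumed sufficient for the directive shown in the article.
DENY_BLOCK = re.compile(
    r"<Files\s+install\.php>.*?Deny\s+from\s+all.*?</Files>",
    re.IGNORECASE | re.DOTALL,
)


def audit_install_php(wp_root):
    """Return 'absent', 'protected', 'decoy' or 'exposed' for wp_root."""
    admin = os.path.join(wp_root, "wp-admin")
    target = os.path.join(admin, "install.php")
    if not os.path.exists(target):
        return "absent"

    htaccess = os.path.join(admin, ".htaccess")
    if os.path.exists(htaccess):
        with open(htaccess, encoding="utf-8") as fh:
            if DENY_BLOCK.search(fh.read()):
                return "protected"

    # The real installer calls wp_install(); the article's decoy only sends a 503.
    # Assumed heuristic for this example.
    with open(target, encoding="utf-8") as fh:
        body = fh.read()
    if "503" in body and "wp_install" not in body:
        return "decoy"
    return "exposed"


def build_sample_site(root, mode):
    """Construct a sample wp-admin layout (constructed data) in one of four modes."""
    admin = os.path.join(root, "wp-admin")
    os.makedirs(admin, exist_ok=True)
    if mode == "absent":
        return
    installer = os.path.join(admin, "install.php")
    if mode == "decoy":
        content = '<?php header("HTTP/1.1 503 Service Temporarily Unavailable"); ?>'
    else:
        # Stand-in for the genuine installer; wp_install() is the real entry point.
        content = "<?php require_once 'includes/upgrade.php'; wp_install('Blog', 'admin', 'a@b.c', true); ?>"
    with open(installer, "w", encoding="utf-8") as fh:
        fh.write(content)
    if mode == "protected":
        with open(os.path.join(admin, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write("<Files install.php>\nOrder Allow,Deny\nDeny from all\nSatisfy all\n</Files>\n")


def audit_sample(mode):
    """Build a throwaway site in the given mode and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, mode)
        return audit_install_php(root)


if __name__ == "__main__":
    for mode in ("absent", "protected", "decoy", "exposed"):
        print(mode, "->", audit_sample(mode))
```

Run it against a real installation by calling audit_install_php("/path/to/wordpress"); anything other than 'absent' or 'protected' deserves a look, and the 'protected' result only means the directive is present, not that the host actually honours .htaccess.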

2. No Referrer!
WordPress is a blog platform, so it is a target for every spammer who wants to post advertising, hotlinks, pictures or other things to your site. If you do not want this spam, you must use a plugin or a .htaccess file in the main directory. To test whether your site is open, see the resource and enter a URL like http://www.yoursite.com/wp-comments-post.php.
As you can see, your site is a target for spammers! You can close it by putting this code into the .htaccess file on your host (if your host does not allow it, you can use a plugin such as Akismet, which ships with WordPress by default):

# block comment spam
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://example.com/ [R=301,L]

OR

# BLOCK NO-REFERRER SPAMS 
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_REFERER} !.*example.com.* [NC]
 RewriteCond %{REQUEST_URI} /wp\-comments\-post\.php [NC]
 RewriteRule .* http://example.com/ [R=301,L]
</IfModule>

Note: change example.com to your own site address (the full domain); you do not need the http:// or www. part.

With this method, when a spammer tries to post spam to your site, they are simply redirected to http://example.com/, which is good for us.

3. Block Bots.
How can we protect the site from bad bots? We suggest using this code in the .htaccess file, if your host permits it:

# BLOCK BAD BOTS
<IfModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid|badbot)   keep_out
 SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder) keep_out
 SetEnvIfNoCase User-Agent (badbot)   keep_out
 <Limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </Limit>
</IfModule>

You can add another bad bot to an existing line, or add a new line; for example, we added badbot on its own line. You can add any bot that you know to be a bad bot.
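As an added example (not part of the original article), the following Python script replays the two .htaccess policies from sections 2 and 3 over Apache combined-format access-log lines, so you can see which requests the comment-spam rule and the bad-bot rule would block before enabling them. The log lines, the SITE_HOST value and the function names are constructed for this example; Apache writes a missing Referer or User-Agent as "-" in the log, which the script treats as empty.

```python
"""Replay the comment-spam and bad-bot .htaccess rules over access-log lines.

Added example, not from the original article. Parses Apache "combined" log
entries (constructed below) and reports which requests each rule would block.
"""
import re

SITE_HOST = "example.com"  # assumed placeholder for your own domain

# Apache combined format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The same names as the article's SetEnvIfNoCase lines, joined into one regex.
BAD_BOT_RE = re.compile(
    r"casper|cmsworldmap|diavol|dotbot|flicky|ia_archiver|jakarta|kmccrew|"
    r"libwww|planetwork|pycurl|skygrid|badbot|purebot|comodo|feedfinder",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one combined-format line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    return m.groupdict()


def comment_spam_rule(req):
    """Mirror the RewriteCond chain: POST to wp-comments-post.php with an empty
    User-Agent, or a Referer that does not contain our own host (substring
    match, like .*example.com.* in the rule)."""
    if req["method"] != "POST" or "/wp-comments-post.php" not in req["path"]:
        return False
    return req["agent"] in ("", "-") or SITE_HOST not in req["referer"].lower()


def bad_bot_rule(req):
    """Mirror the SetEnvIfNoCase list: empty User-Agent or a known bad-bot name."""
    agent = req["agent"]
    return agent in ("", "-") or BAD_BOT_RE.search(agent) is not None


def evaluate(lines):
    """Return the indices of lines each rule would block."""
    blocked = {"spam": [], "bots": []}
    for idx, line in enumerate(lines):
        req = parse_line(line)
        if comment_spam_rule(req):
            blocked["spam"].append(idx)
        if bad_bot_rule(req):
            blocked["bots"].append(idx)
    return blocked


# Constructed sample log lines (not real traffic). Each comment says what to expect.
SAMPLE_LOG = [
    # 0: genuine comment from a browser with a same-site Referer: allowed by both rules
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    '"https://example.com/hello-world/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
    # 1: scripted comment POST with no Referer: blocked by the spam rule only
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    '"-" "python-requests/2.31"',
    # 2: crawler on the blocklist fetching the feed: blocked by the bot rule only
    '198.51.100.8 - - [10/Oct/2023:13:57:12 +0000] "GET /feed/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (compatible; DotBot/1.2)"',
    # 3: comment POST with a same-site Referer but empty User-Agent: blocked by both
    '198.51.100.9 - - [10/Oct/2023:13:58:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    '"https://example.com/hello-world/" "-"',
    # 4: plain GET with empty User-Agent: blocked by the bot rule only
    '198.51.100.10 - - [10/Oct/2023:13:59:03 +0000] "GET / HTTP/1.1" 200 8192 "-" "-"',
    # 5: Referer merely containing our domain as a substring: NOT blocked (rule weakness)
    '198.51.100.11 - - [10/Oct/2023:14:00:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    '"http://example.com.spam-host.invalid/" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"',
    # 6: real visitor whose browser strips Referer: blocked by the spam rule (false positive)
    '203.0.113.11 - - [10/Oct/2023:14:01:27 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"',
]

if __name__ == "__main__":
    for rule, idxs in evaluate(SAMPLE_LOG).items():
        print(rule, "would block lines:", idxs)
```

Two results are worth noticing before deploying the rules. Line 6 shows that a genuine visitor whose browser sends no Referer (strict privacy settings or a Referrer-Policy) is blocked, so watch your logs for that false positive. Line 5 shows that the Referer check is a plain substring match: any Referer that merely contains your domain passes, so the rule raises the bar for careless spam scripts but is not a real origin check.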

We hope this article helps you make your site safer! Stay connected with GKS Web Studio to learn more about the security of your site.