Load all files from folder in theme – Security concerns?

Only so much security can be added at the php layer. To gain even more security, modify the .htaccess file, disabling directory browsing, disabling XML-RPC, and deny access to WP-specific files.

    <files .htaccess>
        Order allow,deny
        Deny from all
    </files>
    <files readme.html>
        Order allow,deny
        Deny from all
    </files>
    <files readme.txt>
        Order allow,deny
        Deny from all
    </files>
    <files install.php>
        Order allow,deny
        Deny from all
    </files>
    <files wp-config.php>
        Order allow,deny
        Deny from all
    </files>

    # Rules to disable XML-RPC
    <files xmlrpc.php>
        Order allow,deny
        Deny from all
    </files>

    # Rules to disable directory browsing
    Options -Indexes

Don’t want ../pxs/wp-content/uploads/ open to the web, after all. What if you uploaded a contract with significant details or something?

Banning the HackRepair.com Blacklist in your .htaccess file is a good idea too. Here’s what the beginning of that’d look like:

    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Acunetix [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^binlar [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bolt\ 0 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot\@yahoo\.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^BOT\ for\ JCE [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^casper [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^checkprivacy [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [NC,OR]

Related Posts:

  1. What are nulled themes?
  2. Extra themes – ok or bad?
  3. Is that a malicious code?
  4. Is a very simple theme secure enough?
  5. WP Snippet to Hide Theme Editor In Dashboard Only Works On LocalHost Site
  6. Is there significant risk in not keeping a theme updated? [closed]
  7. How to display post meta data in secure manner
  8. hardened wordpress linux install
  9. suspicious boolean.php file in wp web root [closed]
  10. Can wordpress theme folder name be changed freely and nothing technically happens
  11. How to change the language for the front-end only?
  12. How do I add support to my theme for custom menus?
  13. How do I white label my self-hosted site created by wordpress?
  14. Switching themes without losing widgets?
  15. How to use media upload on theme option page?
  16. Multiple image logo for theme
  17. How do i structure my theme folder to avoid one huge list of files
  18. Loading template files from a subfolder in my theme?
  19. Hide Twenty Eleven Theme From Themes Page
  20. How to use scss in wordpress theme?
  21. How to get Ajax into a theme – without writing a plugin?
  22. Is it mandatory to have a link to the theme designer?
  23. WordPress as Backend, Laravel Front End: How to connect Routes?
  24. Updating custom theme that is built from scratch
  25. single.php change into a modal popup bootstrap wordpress
  26. Exclude stylesheet from admin
  27. How to tell a theme to use different .mo and .po files?
  28. Can I apply a WP theme to a specific custom page template?
  29. get_header(‘header2’) not working properly in child themes
  30. How do you remove Link backs on Theme settings page?
  31. Is it possible to use child theme of child them?
  32. Theme broken after upgrading to WordPress 4.5, missing stylesheet?
  33. Do not show excerpt in post content
  34. Do we have rights to edit the source of the templates which are in wordpress.org?
  35. What’s the order of loading wordpress elements?
  36. How to add pagination to my code?
  37. Creating new templates in child themes breaks layout
  38. How do I tell how popular a theme is?
  39. Force theme or disallow theme change
  40. How to put a Worpdpress theme in spanish (having the po file)?
  41. How to run WordPress from other location on the same domain
  42. Custom options below pages/posts editor?
  43. Fatal error with a theme
  44. WordPress theme options and insert default value for serialize data
  45. How to change only one javascript function in wordpress child theme?
  46. Woocommerce StoreFront Showing Incorrect Subtotal in Customer Total
  47. Depending on third party plugins for theme functionality
  48. What is the correct way to integrate wordpress with another php application?
  49. How can you showcase premium themes to clients without having to pre-purchase the theme?
  50. Functions containing parameter ‘yourtheme’
  51. The Cost of Installing Custom Themes
  52. Can I create a child theme from a premium theme without losing my posts and page etc that I already have?
  53. Cant remove white space on my wordpress [closed]
  54. wordpress theme install failing
  55. WordPress suddenly creating theme errors
  56. Re-skinning Site
  57. How to reset a custom theme
  58. get_the_post_thumbnail() produces different HTML on same arguments
  59. Why submenu item’s background color is not changing by css?
  60. .PO file is found but I don’t see translations: how to debug the problem?
  61. Cannot figure out what element header color is in wordpress theme [closed]
  62. How to edit the font color of the H1 on a single page?
  63. An unexpected error occurred when add theme
  64. Searching for themes that post full article on home page by default
  65. Cannot see theme in my search
  66. Posts & page twice display
  67. What login/password do I need to install a wordpress theme?
  68. Index page is not working
  69. get_pages Not accepting my query
  70. Custom fields in post later used in loop
  71. How to create a theme that can be updated by people using the theme on their site
  72. Functions.php error – when trying to change the theme
  73. Make a menu item unselectable
  74. Set custom directory in theme for page templates
  75. how do you add a gallery to the homepage without using a post or page?
  76. How to change WordPress theme outside of admin? Can’t access dashboard
  77. fixing page URL’s
  78. Change name of WP content > Themes folder
  79. How to get dynamic template-function generated CSS into HEAD?
  80. Password Protected Page + Showing Different Page If Not Authenticated/Authorized
  81. Determine Featured Image Size in header
  82. Premium theme – hardcoded url?
  83. Any Mobile Theme Switcher – Theme not complete (Stylesheet missing)
  84. Categorising themes by folders in backend
  85. My site looks different when activating new theme
  86. Child theme after CSS modification
  87. How to create an Single-Portfolio page?
  88. Page structure using The Customizer Api
  89. theme 2016 – customize css – nothing happens
  90. Can’t upload the theme
  91. Divi theme including javascript
  92. “Parse error: syntax error, unexpected” and the WordPress Theme Editor no longer working!
  93. Installing themes from an external website [closed]
  94. Best Practice Jumbotron Image for WordPress ~ Responsive
  95. How to make a page extend full screen [closed]
  96. Should you directly edit Template Parts and Templates from themes?
  97. Remove ALL HTML from single page
  98. Absolute and relative paths
  99. Get header/footer list for a theme
  100. Help!!! Old theme doesn’t load scripts and conflitcs with plugins