You must be careful when moving to this level. Make a backup of your site just prior to attempting these, in case of a complete crash. At least backup the file you are editing before you edit it. Even better is to test these on a development site, rather than on a live site.

Limit Login and Admin by IP

If you want to allow only certain IP addresses to log in or to reach the admin area of your WordPress site, add the following to the .htaccess file in your root installation (wrapped in a <Files wp-login.php> block so that only the login page, not the whole site, is restricted) and to the .htaccess file in your wp-admin folder (there without the wrapper):

<Files wp-login.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
</Files>

Of course, you should replace the x's with the IP addresses you want to grant access to, one allow line per address.
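The same restriction enforced from PHP, as an added example that is not from the article: a must-use plugin dropped into wp-content/mu-plugins/ that reads an allowlist from a constant in wp-config.php (ADMIN_IP_ALLOWLIST is an assumed name) and answers 403 for wp-login.php and the admin area from any other address. It accepts CIDR ranges, trusts only REMOTE_ADDR (X-Forwarded-For is whatever the client chooses to send), and exempts admin-ajax.php, which front-end features used by ordinary visitors also call; the wp-admin/.htaccess rules above block that file as well, so check your theme and plugins before relying on them.

```php
<?php
/*
Plugin Name: Login/Admin IP Allowlist (added example, not part of the article)
Description: Returns 403 for wp-login.php and wp-admin unless REMOTE_ADDR is allowlisted.
*/

// Add to wp-config.php (assumed constant name; addresses are documentation ranges):
// define('ADMIN_IP_ALLOWLIST', '203.0.113.7, 198.51.100.0/24');

// True when $ip falls inside $entry, an IPv4 address or CIDR range (64-bit PHP assumed).
function aia_ip_matches(string $ip, string $entry): bool
{
    $entry = trim($entry);
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$subnet, $bits] = explode('/', $entry, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // a malformed entry never grants access
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// True when $ip matches any comma-separated entry of the allowlist.
function aia_ip_allowed(string $ip, string $allowlist): bool
{
    foreach (explode(',', $allowlist) as $entry) {
        if (trim($entry) !== '' && aia_ip_matches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

function aia_enforce(): void
{
    if (!defined('ADMIN_IP_ALLOWLIST')) {
        return; // nothing configured: never lock the site by accident
    }
    $isAjax  = defined('DOING_AJAX') && DOING_AJAX;                 // admin-ajax.php stays reachable
    $isLogin = isset($GLOBALS['pagenow']) && $GLOBALS['pagenow'] === 'wp-login.php';
    if ($isAjax || !(is_admin() || $isLogin)) {
        return;
    }
    // Only the TCP peer address is trusted; X-Forwarded-For is client-supplied.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!aia_ip_allowed($ip, ADMIN_IP_ALLOWLIST)) {
        status_header(403);
        nocache_headers();
        exit('Forbidden');
    }
}
add_action('init', 'aia_enforce');
```

Two notes on the .htaccess version: on Apache 2.4 the order/deny/allow directives are provided by mod_access_compat, and the native 2.4 form is a Require ip line (for example, Require ip 203.0.113.7) inside the same <Files> block; and if your site sits behind a reverse proxy you operate, REMOTE_ADDR is the proxy's address, so the allowlist has to be applied at that proxy instead.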

Turn off File Editing Through Dashboard

If an attacker gains access to your WordPress dashboard but not to your FTP account, they can still alter your files through the file editor built into WordPress. Disable it to harden the site a bit more. In your wp-config.php file place this code:

define('DISALLOW_FILE_EDIT', true);

No one will be able to edit any of the theme files, plugin files, or any other files through the dashboard.

Trace and Track

Cross-site tracing (XST) attacks abuse the HTTP TRACE method, which echoes the request back to the client, headers and cookies included, and can therefore feed a cross-site scripting (XSS) attack. Shut this down with:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Block Proxies

You may want to block access to your site by proxy servers. If this is the case, you will want to perform some light magic on your root WordPress installation's .htaccess file like in the following:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:X-FORWARDED-FOR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$ [OR]
RewriteCond %{HTTP:FORWARDED-FOR} !^$ [OR]
RewriteCond %{HTTP:X-FORWARDED} !^$
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-01.domain.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-02.domain.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-03.domain.tld(.*)
RewriteRule ^(.*)$ - [F]
</IfModule>

The first group of conditions, joined with [OR], fires when any header that proxies typically add is present. The three HTTP_REFERER conditions then exempt requests whose Referer contains one of the allowed proxy hostnames; replace the allowed-proxy-NN.domain.tld placeholders with your own.

To stop more sophisticated proxy servers, you will have to add a line of PHP code to the beginning of your theme's header.php file. It makes your server attempt a TCP connection back to the visitor's own address on port 80, waiting up to one second, and refuses the request if anything answers:

<?php if (@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 1)) die("Proxy access not allowed"); ?>

Header Outputs

Now we come to clearing out information from your header outputs. Be careful in testing these, since some of them could break something. Use at your own risk, but test on a dev site first.

remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'index_rel_link');
remove_action('wp_head', 'parent_post_rel_link', 10, 0);
remove_action('wp_head', 'start_post_rel_link', 10, 0);
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);
remove_action('wp_head', 'noindex', 1);
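The same clean-up packaged for a theme's functions.php or a must-use plugin, as an added example that is not from the article. It keeps the priorities WordPress used when it registered each callback (remove_action() silently does nothing when the priority differs), drops the callbacks that WordPress 3.3 deprecated and no longer hooks (index_rel_link, parent_post_rel_link, start_post_rel_link), and adds a filter on the_generator, because wp_generator only covers the HTML head while the version string is also printed into RSS and Atom feeds. The function and hook names prefixed wph_ are assumptions of this example.

```php
<?php
// Added example (not the article's code): strip version and discovery links from the head and feeds.
function wph_strip_head_output(): void
{
    // Callback => priority used by WordPress in default-filters.php; the priority must match.
    $hooks = [
        'feed_links'                      => 2,
        'feed_links_extra'                => 3,
        'rsd_link'                        => 10,  // Really Simple Discovery (XML-RPC) link
        'wlwmanifest_link'                => 10,  // Windows Live Writer manifest
        'adjacent_posts_rel_link_wp_head' => 10,  // rel="prev"/"next" post links
        'wp_generator'                    => 10,  // <meta name="generator" content="WordPress x.y">
        'wp_shortlink_wp_head'            => 10,  // <link rel="shortlink"> exposing ?p=ID
    ];
    foreach ($hooks as $callback => $priority) {
        remove_action('wp_head', $callback, $priority);
    }
    // the_generator() is also called when building feeds; blanking the filter covers those too.
    add_filter('the_generator', '__return_empty_string');
}
add_action('after_setup_theme', 'wph_strip_head_output');
```

The noindex callback is deliberately left in place: it prints a robots noindex,nofollow meta tag only when "Discourage search engines from indexing this site" is enabled, so removing it discloses nothing and merely defeats that setting.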

Monitoring

There are many monitoring plugins for WordPress that will watch your site for intrusions with a moderate level of confidence. Many of them have functions such as locking out IP addresses that have failed login attempts. Consider the following for testing on your dev site:

  • Mute Screamer
  • Wordfence
  • WSD Security

Whichever one you choose, you will want to take time to understand the options and configure it appropriately. Do not forget to test on your dev site prior to deploying on your live site.

To get more control over intrusion detection on the entire server, use a solution such as OSSEC, which is an Open Source Host-based Intrusion Detection System. You must have access to root on your server to adequately utilize this additional layer of protection.

The Final Word

Security is an ongoing battle. You will keep educating yourself and employing new strategies against new approaches to hacking for as long as you administer a WordPress site. Hackers never give up, so you should not either. Subscribe to RSS feeds from WordPress security sites you trust so you can keep up with the newest, most effective strategies.