Guide to WordPress Security and Hardening

This guide outlines various methods for securing a WordPress website. It’s a compilation of best practices I’ve found over the years, and I use it as a reference myself when setting up a new site.

Restrict Access to Sensitive WordPress Files

The following directives block all outside (HTTP) access to any wp-config.php, php.ini, php5.ini, readme.html and error_log file on your site, including copies in subdirectories. Add this block of text to the .htaccess file at the root of your WordPress installation; on most hosts that is the public_html directory. The directives are for Apache and only take effect if the server allows .htaccess overrides for that directory.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|error_log)">
# Apache 2.2 access control; on Apache 2.4 replace the next two lines with: Require all denied
Order Allow,Deny
Deny from all
</FilesMatch>
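As an added example (not part of the original guide), here is a Python check that parses the deny-all blocks in a site's .htaccess and reports which of the sensitive filenames above would still be served. The .htaccess fragments and file list are constructed sample input, and the audit helper reads only the root .htaccess, not per-directory overrides.

```python
import fnmatch
import os
import re

# Names the guide says must never be served, as the same search-style regex Apache
# applies inside <FilesMatch>; with no trailing $ it also flags backup copies such
# as wp-config.php.bak, which a literal <Files wp-config.php> block would not catch.
SENSITIVE = re.compile(r"^(wp-config\.php|php\.ini|php5\.ini|readme\.html|error_log)")

# <Files name> takes shell wildcards on the whole name; <FilesMatch "regex"> is a regex search
CONTAINER = re.compile(r'<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>(.*?)</\1>', re.I | re.S)
DENY_ALL = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)

def deny_rules(htaccess_text):
    """One predicate per <Files>/<FilesMatch> block whose body denies all access."""
    rules = []
    for kind, arg, body in CONTAINER.findall(htaccess_text):
        if not DENY_ALL.search(body):
            continue  # the container does not deny everything, so it protects nothing
        if kind.lower() == "files":
            rules.append(lambda name, pat=arg: fnmatch.fnmatchcase(name, pat))
        else:
            rules.append(lambda name, rx=re.compile(arg): rx.search(name) is not None)
    return rules

def unprotected(basenames, htaccess_text):
    """Sensitive basenames that no deny-all block in htaccess_text covers, sorted."""
    rules = deny_rules(htaccess_text)
    return sorted(n for n in basenames
                  if SENSITIVE.search(n) and not any(rule(n) for rule in rules))

def audit_docroot(root):
    """Audit a real site: every file name under root against the root .htaccess."""
    with open(os.path.join(root, ".htaccess"), encoding="utf-8") as fh:
        htaccess = fh.read()
    return unprotected({f for _, _, files in os.walk(root) for f in files}, htaccess)

# Constructed sample input: the guide's block beside a weaker exact-name <Files> block.
GUIDE_HTACCESS = r"""<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|error_log)">
Order Allow,Deny
Deny from all
</FilesMatch>"""
WEAK_HTACCESS = "<Files wp-config.php>\nOrder Allow,Deny\nDeny from all\n</Files>\n"
SAMPLE_FILES = ["index.php", "wp-config.php", "wp-config.php.bak",
                "readme.html", "error_log", "license.txt"]

if __name__ == "__main__":
    print("weak block leaves exposed:", unprotected(SAMPLE_FILES, WEAK_HTACCESS))
    print("guide block leaves exposed:", unprotected(SAMPLE_FILES, GUIDE_HTACCESS))
```

Run `audit_docroot("/path/to/public_html")` against a real installation to list every sensitive file the root .htaccess leaves reachable.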