Wordpress Security Prevent Hacking

January 28, 2023

Click Disable XML-RPC in WordPress Plugin Install and Turn on Firewall

Copy the below code in the .htaccess file from the line

            
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
 deny from all
allow from 110.226.179.75
</Files>

Copy the below code in the .htaccess file from the line

            

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

RewriteRule . - [S=1]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

RewriteRule ^(.*)$ - [F,L]


 

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START

#QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test

#Excluded the commands like, version, update, insert, and set because they are common words and have caused false positives

RewriteCond %{QUERY_STRING} !^$

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{QUERY_STRING} union [NC,OR]

RewriteCond %{QUERY_STRING} select [NC,OR]

RewriteCond %{QUERY_STRING} cast [NC,OR]

RewriteCond %{QUERY_STRING} declare [NC,OR]

RewriteCond %{QUERY_STRING} drop [NC,OR]

RewriteCond %{QUERY_STRING} md5 [NC,OR]

RewriteCond %{QUERY_STRING} benchmark [NC,OR]

RewriteCond %{QUERY_STRING} table [NC,OR]

RewriteCond %{QUERY_STRING} column [NC,OR]

RewriteCond %{QUERY_STRING} distinct [NC,OR]

RewriteCond %{QUERY_STRING} substr [NC,OR]

RewriteCond %{QUERY_STRING} concat [NC,OR]

RewriteCond %{QUERY_STRING} schema [NC,OR]

RewriteCond %{QUERY_STRING} hex [NC,OR]

RewriteCond %{QUERY_STRING} truncate [NC,OR]

RewriteCond %{QUERY_STRING} convert [NC,OR]

RewriteCond %{QUERY_STRING} exec [NC,OR]

RewriteCond %{QUERY_STRING} passthru [NC,OR]

RewriteCond %{QUERY_STRING} system [NC,OR]

RewriteCond %{QUERY_STRING} popen [NC,OR]

RewriteCond %{QUERY_STRING} proc [NC,OR]

RewriteCond %{QUERY_STRING} load [NC,OR]

RewriteCond %{QUERY_STRING} between [NC,OR]

RewriteCond %{QUERY_STRING} null [NC,OR]

RewriteCond %{QUERY_STRING} delay [NC,OR]

RewriteCond %{QUERY_STRING} char [NC,OR]

RewriteCond %{QUERY_STRING} sleep [NC,OR]

RewriteCond %{ QUERY_STRING } schema [NC,OR]

RewriteCond %{QUERY_STRING} unhex [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END


 

##### Redirect If HTTP_USER_AGENT Has Common Programatic Commands Potentially Injected To Honeypot -- START

RewriteCond %{QUERY_STRING} !^$

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{QUERY_STRING} sanitize [NC,OR]

RewriteCond %{QUERY_STRING} eval [NC,OR]

RewriteCond %{QUERY_STRING} base64 [NC,OR]

RewriteCond %{QUERY_STRING} echo [NC,OR]

RewriteCond %{QUERY_STRING} @set [NC,OR]

RewriteCond %{QUERY_STRING} @ini [NC,OR]

RewriteCond %{QUERY_STRING} dirname [NC,OR]

RewriteCond %{QUERY_STRING} decode [NC]

RewriteRule ^(.*)$ / honeypot.php/ [NC,L]

 ##### Redirect If HTTP_USER_AGENT Has Common Programatic Commands Potentially Injected To Honeypot -- END
 
 
 

##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START

#QUERY_STRING contains everyting in the URL after the "?" ex.) mydomain.com/test.php?test=test

#Excluded "%20", "%2F", "%26", "%3A", "%3D"  due to use in site URL variables

RewriteCond %{QUERY_STRING} !^$

RewriteCond %{REQUEST_URI} ! honeypot.php/

RewriteCond %{QUERY_STRING} %00 [OR]

RewriteCond %{QUERY_STRING} %0A [NC,OR]

RewriteCond %{QUERY_STRING} %0D [NC,OR]

RewriteCond %{QUERY_STRING} %21 [OR]

RewriteCond %{QUERY_STRING} %22 [OR]

RewriteCond %{QUERY_STRING} %23 [OR]

RewriteCond %{QUERY_STRING} %24 [OR]

RewriteCond %{QUERY_STRING} %25 [OR]

RewriteCond %{QUERY_STRING} %27 [OR]

RewriteCond %{QUERY_STRING} %28 [OR]

RewriteCond %{QUERY_STRING} %29 [OR]

RewriteCond %{QUERY_STRING} %40 [OR]

RewriteCond %{QUERY_STRING} %60 [OR]

RewriteCond %{QUERY_STRING} %2A [NC,OR]

RewriteCond %{QUERY_STRING} %2B [NC,OR]

RewriteCond %{QUERY_STRING} %2C [NC,OR]

RewriteCond %{QUERY_STRING} %2D [NC,OR]

RewriteCond %{QUERY_STRING} %3B [NC,OR]

RewriteCond %{QUERY_STRING} %3C [NC,OR]

RewriteCond %{QUERY_STRING} %3E [NC,OR]

RewriteCond %{QUERY_STRING} %5B [NC,OR]

RewriteCond %{QUERY_STRING} %5C [NC,OR]

RewriteCond %{QUERY_STRING} %5D [NC,OR]

RewriteCond %{QUERY_STRING} %5E [NC,OR]

RewriteCond %{QUERY_STRING} %5F [NC,OR]

RewriteCond %{QUERY_STRING} %7B [NC,OR]

RewriteCond %{QUERY_STRING} %7C [NC,OR]

RewriteCond %{QUERY_STRING} %7D [NC,OR]

RewriteCond %{QUERY_STRING} %7E [NC,OR]

RewriteCond %{QUERY_STRING} > [OR]

RewriteCond %{QUERY_STRING} < [OR]

RewriteCond %{QUERY_STRING} ;

RewriteRule ^(.*)$ / honeypot.php/ [NC,L]

 ##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END
 
 # Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>


# Deny access to sub directory
<Files accounts/*>
    deny from all
</Files>

Coded by Mukul Gupta

Wordpress Security Prevent Hacking

Copy the below code in the .htaccess file from the line

Copy the below code in the .htaccess file from the line

GST: 27AOCPB3017J

Mumbai - Maharashtra

Jodhpur - Rajasthan

Kanpur - Uttar Pradesh

Contact Details

Follow Us

Important Links

Help