Security Harden your WordPress .php Code and more.

First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.

The Firewall Challenge:::
There are many plugins and services that can act as a firewall for your website. Some of them work by modifying your .htaccess file and restricting some access at the Apache level, before the request is processed by WordPress. Good examples are iThemes Security and All in One WP Security. Some firewall plugins, like WordFence, act at the WordPress level and try to filter attacks as WordPress is loading, but before the request is fully processed. Besides plugins, you can also install a WAF (web application firewall) on your web server to filter content before it is processed by WordPress. The most popular open source WAF is ModSecurity.

A firewall:::
– Can also be placed between your hosting company and the Internet (security in the middle), by modifying your DNS records so that traffic passes through the firewall service. That causes all traffic to be filtered by the firewall before it reaches your site. A few companies offer such a service, like CloudFlare, Sucuri and Incapsula.

Plugins that need write access:::
If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. Possible places to check are the Support Forums and IRC Channel.
Code execution plugins:::
– As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins which allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack. A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.

Security Themes

Keep in mind some general ideas while considering security for each aspect of your system:

Limiting access:::
– Making smart choices that reduce possible entry points available to a malicious person.

– Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.

Preparation and knowledge:::
– Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

Trusted Sources:::
– Do not get themes from untrusted sources. Restrict yourself to the repository or well known companies. Trying to get themes (or plugins) from the outside may lead to issues.

Vulnerabilities on Your Computer:::
– Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer. Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like NoScript (or disabling JavaScript/Flash/Java) in your browser.

Vulnerabilities in WordPress:::
– Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.
Updating WordPress

Main article: Updating WordPress:::
– The latest version of WordPress is always available from the main WordPress website. Official releases are not available from other sites: never download or install WordPress from any other website. Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date. If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.

Reporting Security Issues:::
– If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues. If you think you have found a bug, report it. See Submitting Bugs for how to do this. You might have uncovered a vulnerability, or a bug that could lead to one.

Web Server Vulnerabilities:::
– The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you. If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.

Network Vulnerabilities:::
– The network on both ends — the WordPress server side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network. Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

– Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords. WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Things to avoid when choosing a password:::
– Any permutation of your own real name, username, company name, or name of your website.
– A word from a dictionary, in any language.
– A short password.
– Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server. In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.

– When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure whether your web host provides SFTP, just ask them. Using SFTP is the same as using FTP, except that your password and other data are encrypted as they are transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.


[#2]: Optimize WordPress Performance with the wp-config.php File: “Hardcode your Blog Address and Site Address”

[#3]: 10 Steps To Secure Your WordPress Site – A Blog Post By Our Linux L3 Support Admin, Praveen
[#3]: All CloudLinux innovations, such as CageFS, aim to improve security and stability on servers. So where other operating systems will allow entire servers full of customers to go down, CloudLinux stays stable by isolating the impact to the offending tenant.
[#4]: Block URLs with robots.txt – Learn about robots.txt files
[#5]: Robots meta tag and X-Robots-Tag HTTP header specifications
and Block URLs with robots.txt – Test your robots.txt with the robots.txt Tester

[#6]: OAuth 1.0 for Google Accounts is going away
Some applications and websites use OAuth 1.0 for authentication when you’re signing in, and to access data that you’ve given them permission to access. OAuth 1.0 has been superseded by OAuth 2.0. Starting April 20, 2015, OAuth 1.0 will no longer work for Google Accounts. If you’ve seen a warning that’s brought you to this page, it means that you’re using an application or website with OAuth 1.0 and may be affected by this change. For more information, we recommend you visit that application’s help center, or contact its support team. If you’re a developer of an application that uses OAuth 1.0, please migrate to OAuth 2.0 by the shutdown date. Learn how to migrate to OAuth 2.0, and about the OAuth 1.0 end-of-life schedule.
To add: OAuth 1.0 is flawed and has become a major security back door for hackers, so fix it. Plugin authors: change your plugins to OAuth 2.0, or face the consequences.
[#7]: File Permissions:::
– Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment. It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files.

Here is one possible permission scheme:::
– All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the web server process.

/ (the root WordPress directory): all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
/wp-admin/ (the WordPress administration area): all files should be writable only by your user account.
/wp-includes/ (the bulk of WordPress application logic): all files should be writable only by your user account.
/wp-content/ (user-supplied content): intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:
Theme files: if you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
Plugin files: all files should be writable only by your user account.
Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Changing File Permissions:::
If you have shell access to your server, you can change file permissions recursively with the following commands (755 on directories, 644 on files):
Directories: find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
Files:       find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
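The two commands above apply the scheme blindly and give you no report of what was wrong beforehand. As an added example (this is not code from the original page or from WordPress), the POSIX shell script below builds a constructed sample tree with deliberately loose permissions, lists every entry that is group- or world-writable, then applies the 755/644 scheme together with the 400/440 recommendation for wp-config.php that appears later on this page, and re-checks. All function names and the sample layout are this example's own; the functions take any install path, so they can audit a real tree as well.

```shell
#!/bin/sh
# Added example, not from the original page or from WordPress: audit a
# WordPress-like tree for permissions looser than the 755/644 scheme and
# apply the scheme. Function names and the sample tree are constructed here.

# Build a throwaway tree with deliberately loose modes and print its path.
# Directory names mirror a real install; file contents are dummies.
make_sample_tree() {
    umask 022                                   # fresh entries start as 755/644
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-admin" "$dir/wp-includes" "$dir/wp-content/uploads"
    printf '<?php\n' > "$dir/wp-config.php"
    printf '<?php\n' > "$dir/wp-includes/functions.php"
    printf 'binary\n' > "$dir/wp-content/uploads/photo.jpg"
    chmod 777 "$dir/wp-content/uploads"         # too loose on purpose
    chmod 666 "$dir/wp-includes/functions.php"  # too loose on purpose
    printf '%s' "$dir"
}

# Print every path under $1 that is writable by group or others.
# Only POSIX find primaries are used; "-perm -mode" means "all these bits set".
wp_list_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Number of group- or world-writable entries under $1.
wp_count_writable() {
    wp_list_writable "$1" | wc -l | tr -d ' '
}

# Apply the scheme: 755 on directories, 644 on files, then 440 on
# wp-config.php so that only the owner and the web server's group can read it.
wp_apply_scheme() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
    if [ -f "$1/wp-config.php" ]; then
        chmod 440 "$1/wp-config.php"
    fi
}

# Number of regular files under $1 whose mode is exactly $2 (e.g. 440).
wp_count_mode() {
    find "$1" -type f -perm "$2" | wc -l | tr -d ' '
}

# Demo: audit the sample tree, fix it, audit again, clean up.
wp_demo() {
    tree=$(make_sample_tree)
    echo "before: $(wp_count_writable "$tree") group/world-writable entries"
    wp_list_writable "$tree"
    wp_apply_scheme "$tree"
    echo "after:  $(wp_count_writable "$tree") group/world-writable entries"
    rm -rf "$tree"
}

# Run the demo only when invoked as "sh script.sh demo"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "demo" ]; then
    wp_demo
fi
```

On a real install, run wp_list_writable against the install root first and review the output before tightening anything: directories that a plugin legitimately writes to (uploads, caches) will show up and need the group ownership arrangement described above rather than a blanket 644.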
[#8]: Securing wp-includes:::
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
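The placement rule in the note above (custom rules must sit outside the # BEGIN WordPress / # END WordPress markers) is easy to get wrong when pasting, and WordPress will silently discard misplaced rules the next time it rewrites that block. As an added example that is not part of the original page, here is a POSIX shell/awk check that counts how many lines matching a pattern fall inside the WordPress-managed block of an .htaccess file. The two sample .htaccess files are constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page or from WordPress: detect custom
# .htaccess rules that were placed inside the WordPress-managed block, where
# WordPress may overwrite them. Function names and sample files are constructed.

# Print how many lines matching PATTERN ($2) lie between "# BEGIN WordPress"
# and "# END WordPress" in FILE ($1). 0 means the custom rules are safe.
htaccess_lines_in_wp_block() {
    file="$1"; pattern="$2"
    awk -v pat="$pattern" '
        /^# BEGIN WordPress/ { inside = 1; next }
        /^# END WordPress/   { inside = 0; next }
        inside && $0 ~ pat   { n++ }
        END { print n + 0 }
    ' "$file"
}

# Succeeds (exit 0) when none of the include-blocking rules sit inside the
# managed block; fails otherwise, so it can be used in a deploy check.
htaccess_custom_rules_safe() {
    [ "$(htaccess_lines_in_wp_block "$1" 'wp-includes|wp-admin/includes')" = "0" ]
}

# Constructed .htaccess with the include-blocking rules ABOVE the markers
# (correct placement). The managed block holds only a placeholder comment.
write_good_htaccess() {
    cat > "$1" <<'EOF'
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
# (rules generated by WordPress go here; constructed placeholder)
# END WordPress
EOF
}

# Constructed .htaccess where the same rules were pasted INSIDE the markers,
# the mistake the text warns about.
write_bad_htaccess() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
# (rules generated by WordPress go here; constructed placeholder)
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# END WordPress
EOF
}

# Demo: check both constructed files and report.
htaccess_demo() {
    for kind in good bad; do
        f=$(mktemp)
        "write_${kind}_htaccess" "$f"
        echo "$kind: $(htaccess_lines_in_wp_block "$f" 'wp-includes|wp-admin/includes') rule line(s) inside the managed block"
        rm -f "$f"
    done
}

# Run the demo only when invoked as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    htaccess_demo
fi
```

Point htaccess_custom_rules_safe at the live .htaccess after each WordPress permalink change or plugin update that touches rewrite rules; a non-zero result means the hardening rules are in the part of the file WordPress owns and should be moved above the # BEGIN WordPress marker.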

[#9]: Securing wp-config.php:::
You can move the wp-config.php file to the directory above your WordPress install. This means that for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note: some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities; others disagree. Note that wp-config.php can be stored exactly ONE directory level above the WordPress installation (the directory where wp-includes resides). Also, make sure that only you (and the web server) can read this file (this generally means a 400 or 440 permission). If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

<files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead.
order allow,deny
deny from all
</files>




They have no dreams.

I have read, I have heard and now I have written nothing in regards to these creatures called me-men until this very moment where you read these words. The most odd ones hang at bars into their elder years with scars of a bar stool social media sculpted into their faces, convincing new arrivals they traveled the world a thousand times since…. but what of them; these men? I usually recognize these creatures as locals that never leave the city-block in which they were born, grew up and now live into their nearing graves.

Self made prison in a huge square block as if a castle of four walls wide and high struggling a tug of war inner conflicts in an odorous mundane bar stench routine that never appears to change. Always there 09:00-17:00 or more till closing. Me men never leave the town in which they were born out-into let alone traveling too far outside their private Idaho box. Such a worldly man, (smelling like hops and ale), is what many rave about what makes the GQ man these days secluded after their 3rd beer and 2nd shot of Kraken Whiskey. The old man complains No-one never seems to look at the divorce rates through the ceiling high of these traveling male prostitute professionals with their brief cases, tie and suits smelling like a James Bond Rolls Royce limited edition.

The Red-Pill hot summer night fantasy living through bar-hops’ blue-tube dreams, they base their life on these dreams (claims the old man). The old man stands up and yells; “We been cheated”, the old man chatters. “We been cheated and never told what truly lays outside these four walls”. His voice declines in tones as he speaks again; “It is safer in here, they can’t get us from in here. I want my soul back, I want it back now, they stole my mind, the blue-tube and these pubs”. I think I have said enough about this thing we call a man, or men you have met that just sat and withered away to nothing like me.

As a young man of twenty-three years old, I seriously thought, “This is not the life for me”. I drank my last brew and walked out of the bar scene and never returned since. That haunted me, and till this day I sometimes wake in a cold sweat from horrid dreams with this old man in them, and that was thirty-seven years ago.


He always complains, but never leaves his house.

I know of a young man who lives right next to me in the city of Fargo, North Dakota, where the men and women have a code of ethics and morality. This young fellow is very handsome, lives with one dog and two cats and never has company. All sexual preferences say he is a nice fellow, but he refuses to have sex with anyone. The town doctor says nothing is wrong with him, told me to answer honestly if anyone asks when he is not around and even signed off on it, so the town doctor would have no troubles speaking freely. The fellow looks like a male model, very different. Some people say he was abused as a child and it has scarred him so deeply he just can’t get close to anyone.