A simple script to secure your WordPress installation.
npx @jorenrothman/secure-wordpressHere are the rules that are applied to your .htaccess file.
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Deny access to all dot files
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>
# Deny access to wp-config.php file
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# Deny access to .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Deny access to all sql files
<FilesMatch "\.(sql)$">
Order allow,deny
Deny from all
</FilesMatch>
# Deny access to server config files
<FilesMatch "^.*(error_log|php.ini|\.[hH][tT][aApP].*)$">
Order allow,deny
Deny from all
</FilesMatch>
Added in the uploads folder
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
