Password Protecting WordPress wp-admin Folder

Protecting the wp-admin folder with HTTP authentication adds a protection layer in front of WordPress' own login. Password protecting the admin area makes brute-force attempts against it harder (it is also possible to password protect only wp-login.php).

To harden the wp-admin folder, first create a .htpasswd file that stores the credentials for the additional authentication (you can create it with the htpasswd tool that ships with Apache, or with an online htpasswd generator). Keep the file outside the web root so it can never be served.

Then create a .htaccess file in the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses AJAX on the front end, because those requests go through /wp-admin/admin-ajax.php, so make sure to allow that file.

The content of the .htaccess file:

AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Restricted"
Require valid-user

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

The Order/Allow/Satisfy lines are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace them with `Require all granted` inside the Files block. Basic authentication only base64-encodes the credentials, so the admin area should be served over HTTPS.

Hiding the WordPress Version

If a weakness is found in WordPress version 4.2 and patched in version 4.2.2, sites that can be identified as still running the older version become easy targets for attacks.

There are a few places from where the WordPress version can be detected:

– generator meta tag in the header (<meta name="generator" content="WordPress 4.2.2" />)
– RSS feed (the generator element)
– stylesheets and scripts enqueued without an explicit version get the WordPress version appended as the default (stylesheet.css?ver=4.2.2)
– the default readme file

# To hide the WordPress version from the header and from the RSS feed, add the following code to your theme's functions.php:

// Return an empty string so the generator tag is omitted from the <head> and from feeds
function wpsos_remove_wp_version() {
    return '';
}
add_filter( 'the_generator', 'wpsos_remove_wp_version' );

# To hide the WordPress version from stylesheet and script links, strip the version argument from those links before they are sent to the browser, by adding the following lines to functions.php:

function wpsos_remove_wp_version_links( $src ) {
    global $wp_version;
    // Only touch links whose ver= argument equals the current WP version;
    // versions explicitly set by themes or plugins are left alone
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        // Remove the version argument from the link
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'wpsos_remove_wp_version_links' );
add_filter( 'style_loader_src', 'wpsos_remove_wp_version_links' );

# The default readme.html, which states the WordPress version, can be found at http://yoursitename.com/readme.html. If the file is there, remove it.
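As an added check that is not part of the original post, the following Python script scans a page's HTML (or an RSS feed) for the leaks listed above: the generator meta tag, the feed's generator element, and ?ver= query strings equal to the site's WordPress version. The sample documents and the version string 4.2.2 are constructed; the readme.html check needs a separate HTTP request and is not included.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _LeakParser(HTMLParser):
    """Collects (location, value) leaks; HTMLParser lowercases tag and attribute names."""

    def __init__(self, wp_version):
        super().__init__()
        self.wp_version = wp_version
        self.leaks = []
        self._in_generator = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            if "wordpress" in a.get("content", "").lower():
                self.leaks.append(("generator-meta", a["content"]))
        elif tag == "generator":  # RSS feed's <generator> element
            self._in_generator = True
        # Assets enqueued without a version get ?ver=<WP version> appended
        src = a.get("src") if tag == "script" else (a.get("href") if tag == "link" else None)
        if src and parse_qs(urlsplit(src).query).get("ver", [None])[0] == self.wp_version:
            self.leaks.append(("asset-ver", src))

    def handle_endtag(self, tag):
        if tag == "generator":
            self._in_generator = False

    def handle_data(self, data):
        if self._in_generator and "wordpress" in data.lower():
            self.leaks.append(("rss-generator", data.strip()))


def find_version_leaks(document, wp_version):
    """Return [(location, value), ...] for every leak of wp_version in document."""
    parser = _LeakParser(wp_version)
    parser.feed(document)
    parser.close()
    return parser.leaks


# Constructed sample output, not captured from a real site.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=4.2.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.2"></script>
</head><body></body></html>"""
HARDENED_HTML = LEAKY_HTML.replace("?ver=4.2.2", "").replace('<meta name="generator" content="WordPress 4.2.2" />\n', "")
LEAKY_RSS = "<rss><channel><generator>https://wordpress.org/?v=4.2.2</generator></channel></rss>"
```

The jQuery link keeps its own ver=1.11.2 because that is the script's version, not WordPress', which is exactly what the filter above leaves untouched.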

Note: it’s still highly recommended to always update to the latest version of WordPress!

WordPress Plugin: Add or Remove Www

The WordPress plugin Add or Remove Www seeks to solve a common problem: avoiding redirects from the www version of a site to the non-www version — or vice versa.

Add or Remove Www lets you easily configure your WordPress site to always (or never) use the www. subdomain in all links of the posts and pages.

It's common to create a content link or include an image that points to http://YourSiteNameHereForExample.com/imageExample.jpg, only for the server to redirect it to http://www.YourSiteNameHereForExample.com/imageExample.jpg. That adds an extra server request and delay for the user.

Instead of going through every image and link one by one to make sure they are all consistent, Add or Remove Www rewrites the links for you.

Note: version 1.0 does NOT change previously existing URLs; it affects the content and image URLs that are saved or modified after activating the plugin and choosing the suitable option.

We plan on adding more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io.

The installation and use is very straightforward. You should:

1. Upload the folder `add-or-remove-www` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Add Or Remove Www’

As of version 1.0, you can choose between two options: using the URLs with or without www. The option affects all the post and page URLs, including image URLs.

WordPress Plugin: Tweak Hidden Options

Tweak Hidden Options is a safe and easy-to-use way to modify various WordPress options that WordPress doesn’t link to from the standard WordPress interface.

All options are presented as drop-down selects with no free-text input, so any user can use it safely.

We plan on adding many more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io/

The installation and use is very straightforward. You should:

1. Upload the folder `tweak-hidden-options` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Tweak Hidden Options’

Version 1.0 supports the following options:

* comment_order
* gzipcompression
* image_default_align
* image_default_size
* image_default_link_type

Note: changing the image options has effect only on images uploaded afterwards.