Password Protecting WordPress wp-admin Folder

Protecting the wp-admin folder with HTTP authentication adds an additional protection layer in front of your server's admin area. Password protecting the admin area makes it harder to brute-force access (it is also possible to password protect only wp-login.php).

To harden the wp-admin folder, create a .htpasswd file for storing the password of the additional authentication (to create the file manually, you can for example use an htpasswd generator).

Create a .htaccess file in the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses ajax on the front-end, therefore make sure to allow /wp-admin/admin-ajax.php.

The content of the .htaccess file:

# Basic authentication for everything under wp-admin
AuthUserFile /path/to/.htpasswd
AuthType basic
AuthName "Restricted"
require valid-user

# Exception for admin-ajax.php, which front-end ajax calls need without logging in.
# Order/Allow/Satisfy are Apache 2.2-style directives; on Apache 2.4 they need mod_access_compat.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Hiding the WordPress Version

If a weakness is found in WordPress version 4.2 and it is patched in version 4.2.2, sites detected to be running the older version become targets for attacks.

There are a few places from which the WordPress version can be detected:

- generator meta tag in the header (<meta name="generator" content="WordPress 4.2.2" />)
- RSS feed
- Stylesheets and scripts without a specified version get the WP version appended by default (stylesheet.css?ver=4.2.2)
- default readme file

To hide the WordPress version from the header and from the RSS feed, all you need to do is add the following code to your functions.php:

// Returning an empty string makes the_generator output nothing,
// which covers both the <meta name="generator"> tag and the feed's <generator> element
function wpsos_remove_wp_version() {
    return '';
}
add_filter('the_generator', 'wpsos_remove_wp_version');

To hide the WordPress version from the stylesheet and script links, you can modify the links and remove the version before they are sent to the browser by adding the following lines to functions.php:

function wpsos_remove_wp_version_links( $src ) {
    global $wp_version;
    // If the version is set in the link and equals the current WP version
    // (a plugin's or library's own ?ver= value is left untouched)
    if ( strpos( $src, 'ver=' . $wp_version ) !== false ) {
        // Remove the version arg from the link
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'wpsos_remove_wp_version_links' );
add_filter( 'style_loader_src', 'wpsos_remove_wp_version_links' );

The default readme.html with information about the WordPress version can be found at http://yoursitename.com/readme.html. If the file is there, remove it.

Note: it is still highly recommended to always update to the latest version of WordPress!
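As an added self-check (example code, not part of the original post), the following Python script reports where the version still leaks in a page and a feed you have fetched from your own site, using the same rule as the filter above: a ?ver= parameter counts only when it equals the core version. The HTML and feed samples are constructed for the example and do not come from a real site.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed samples (not a real site): a page head and an RSS feed that still
# leak the core version in the places listed above.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<link rel="stylesheet" href="https://example.invalid/wp-content/themes/t/style.css?ver=4.2.2" />
<script src="https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.11.2"></script>
<script src="https://example.invalid/wp-content/plugins/p/app.js?ver=4.2.2"></script>
</head><body></body></html>"""
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<generator>https://wordpress.org/?v=4.2.2</generator></channel></rss>"""

GENERATOR_META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)["\']', re.I)
ASSET_URL_RE = re.compile(r'<(?:link|script)\b[^>]*?(?:href|src)=["\']([^"\']+)["\']', re.I)
FEED_GENERATOR_RE = re.compile(r'<generator>[^<]*?\bv=([\d.]+)</generator>', re.I)


def find_html_leaks(html, wp_version=None):
    """Report the generator meta tag and every script/style URL whose ?ver=
    equals the core version. Without a known wp_version the generator tag's
    value is used; if that is hidden too, every ?ver= value is reported so
    nothing is missed. Mirrors the filter above: only a ?ver= matching
    $wp_version is a leak (a library's own version, e.g. jQuery's, is not)."""
    leaks = {"generator": None, "asset_urls": []}
    m = GENERATOR_META_RE.search(html)
    if m:
        leaks["generator"] = m.group(1)
        wp_version = wp_version or m.group(1)
    for url in ASSET_URL_RE.findall(html):
        ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
        if ver and (wp_version is None or ver == wp_version):
            leaks["asset_urls"].append(url)
    return leaks


def find_feed_version(feed_xml):
    """Return the version from the feed's <generator> element, or None."""
    m = FEED_GENERATOR_RE.search(feed_xml)
    return m.group(1) if m else None


def is_hardened(html, feed_xml, wp_version):
    """True when neither the page nor the feed reveals wp_version.
    readme.html is a separate file and must be checked on the server."""
    leaks = find_html_leaks(html, wp_version)
    return (leaks["generator"] is None and not leaks["asset_urls"]
            and find_feed_version(feed_xml) is None)
```

Run it against the saved output of curl on your own front page and /feed/ once the filters are in place; the jQuery URL in the sample shows why the check compares against the core version rather than flagging every ?ver=.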

WordPress Plugin: Add or Remove Www

The WordPress plugin Add or Remove Www seeks to solve a common problem: preventing redirects from the www version of a site to the non-www version, or vice versa.

Add or Remove Www lets you easily configure your WordPress site to always (or never) use the www. subdomain in all links of the posts and pages.

It is common to create a content link or include an image pointing to http://YourSiteNameHereForExample.com/imageExample.jpg, only for your server to redirect it to http://www.YourSiteNameHereForExample.com/imageExample.jpg. That adds an extra server request and delay for the user.

Instead of going through every image and link one by one, making sure they are all consistent, Add or Remove Www changes the links for you.

Note: version 1.0 does NOT change all the previously existing URLs; it affects all the content and image URLs that are saved or modified after activating the plugin and choosing the suitable option.

We plan on adding more options to be edited. If you have any other suggestions, please let us know! You can contact us via http://wpsos.io.

The installation and use is very straightforward. You should:

1. Upload the folder 'add-or-remove-www' to the '/wp-content/plugins/' directory
2. Activate the plugin through the 'Plugins' menu in WordPress
3. From the 'Settings' menu, there should be a new option, called 'Add Or Remove Www'

As of version 1.0, you can choose between two options: using the URLs with or without www. The option affects all the post and page URLs, including image URLs.
Note: version 1.0 does NOT change all the previously existing URLs; it affects all the content and image URLs that are saved or modified after saving the option.

WordPress Plugin: Tweak Hidden Options

Tweak Hidden Options is a safe and easy-to-use way to modify various WordPress options that WordPress does not link to from the standard WordPress interface.

All options are provided as drop-down select lists, without any free-form user input, so that it is safe for any user to use.

We plan on adding many more options to be edited. If you have any other suggestions, please let us know! You can contact us via http://wpsos.io/

The installation and use is very straightforward. You should:

1. Upload the folder 'tweak-hidden-options' to the '/wp-content/plugins/' directory
2. Activate the plugin through the 'Plugins' menu in WordPress
3. From the 'Settings' menu, there should be a new option, called 'Tweak Hidden Options'

Version 1.0 supports the following options:

* comment_order,
* gzipcompression,
* image_default_align,
* image_default_size,
* image_default_link_type.

Note: changing the image options only affects images uploaded afterwards.