DrGlenn's Legendary Hardening Codes

Your Helpful Friend in Pennsylvania


Overview

The Harden-It plugin, developed by DrGlenn, is an essential tool for any website owner looking to strengthen security. It helps protect your website from unauthorized access, malicious bots, and other security threats by implementing advanced security rules and Apache directives, closing security vulnerabilities that WordPress itself does not address. It supports the Apache and LiteSpeed web servers.

Do not rely solely on this plugin for website security. This plugin is only one part of a comprehensive security strategy. Need help? Contact DrGlenn.

Key Features

Feature | Description
Toggle Security Rules | Activate or deactivate each security rule individually, ensuring you can select only the features you want. (Useful for complex sites that need more flexibility.)
Block .htaccess and .htpasswd Access | Prevents access to .htaccess and .htpasswd files, so these important configuration files cannot be read or modified by unauthorized users.
Block Bad Bots | Enables or disables protection against malicious bots by adding or removing bot disallow rules, safeguarding your site from automated attacks.
Prevent Directory Surfing and Snooping | Disables directory listing, so visitors cannot browse the contents of directories and probe the file structure for weaknesses.
No Outside Access to Sensitive System Files | Denies access to sensitive files such as error logs, wp-config.php, php.ini, and more, keeping critical configuration and log data away from external threats.
Block Enumeration of Authors | Prevents attackers from enumerating WordPress user IDs through the author parameter in URLs, reducing the risk of targeted attacks on specific user accounts.
Protect All .INI Files in Main Directory | Blocks access to .ini files, which often contain sensitive configuration information.
Prevent Rogue Access to wp-config.php File | Denies access to wp-config.php, which contains database connection details and other sensitive information, preventing unauthorized access and potential data breaches.
Access to xmlrpc.php is Forbidden | Blocks access to xmlrpc.php, a file that can be exploited for DDoS attacks and other malicious activity.
Block Comment Spam and Redirect to FBI | Blocks comment submissions that do not originate from your domain and redirects the spammer to the FBI website, helping to mitigate spam and potential attacks.
Block Blank User-Agents and Empty Referrers | Blocks POST requests with a blank user-agent, an empty referrer, or a missing Host header, which are typical of automated scripts and bots.
Bot Protection | Blocks known bad bots from accessing your site to prevent scraping, DDoS attacks, and other malicious activity, improving site performance and security.
Disable PHP Execution in Uploads Directory | Prevents execution of PHP files in the uploads directory, reducing the risk of code execution from malicious uploaded files.
Block Access to Backup and Source Files | Blocks access to backup and source files to prevent unauthorized access and exposure of sensitive data.
Block Access to .zip Files | Blocks access to .zip files to prevent unauthorized downloading of compressed archives.
Prevent Clickjacking | Adds an X-Frame-Options header so your site cannot be embedded in an iframe, protecting against clickjacking attacks.
Add Security Headers | Adds security headers such as X-Content-Type-Options, X-XSS-Protection, and Strict-Transport-Security, mitigating common web vulnerabilities.
Protect Against SQL Injection | Adds Apache directives that reject requests matching common SQL injection patterns.
Prevent Hotlinking | Prevents other websites from linking directly to your images and other media files.
Disable XML-RPC Pingbacks | Prevents abuse of the XML-RPC pingback feature for pingback attacks.
Disable Server Signature | Hides the server signature so the server version and other details are not revealed.
Disable ETags | Disables ETags to improve caching behavior and avoid revealing inode information.
Disable TRACE Method | Prevents use of the TRACE method, which can be exploited in cross-site tracing attacks.
Force HTTPS | Redirects all HTTP traffic to HTTPS to ensure secure communication.
Disable File Injections | Prevents file injection by blocking requests containing certain strings.
Restrict Admin Access by IP Address | Restricts access to the WordPress admin area to your current IP address. Warning: if you access the site from a different IP (e.g., a work computer, VPN, or mobile device), you will be blocked. Use this feature with caution.
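As an added example (not code from the Harden-It plugin), the shell functions below install a marker-delimited block of the kind of Apache directives the table describes into a site's .htaccess and remove it again, so a rule set can be toggled without accumulating duplicates. The directives cover a subset of the features above and assume Apache 2.4 with mod_rewrite and mod_headers; the .htaccess path is passed as an argument (a hypothetical layout).

```shell
# Added example, not the plugin's code: install or remove a marker-delimited block of
# hardening directives in a site's .htaccess, so re-running never duplicates rules
# (the table's "toggle"). Assumes Apache 2.4 with mod_rewrite and mod_headers;
# $1 is the .htaccess path (hypothetical).
BEGIN_MARK='# BEGIN Harden-It-Example'
END_MARK='# END Harden-It-Example'
harden_rules() {  # the directives: a subset of the features listed above
  cat <<'EOF'
# Never serve Apache's own control files
<FilesMatch "^\.(htaccess|htpasswd)$">
    Require all denied
</FilesMatch>
# wp-config.php, php.ini, logs, xmlrpc.php and backup/source/zip files
<FilesMatch "^(wp-config\.php|php\.ini|error_log|xmlrpc\.php|.*\.(bak|ini|log|orig|sql|zip))$">
    Require all denied
</FilesMatch>
Options -Indexes
ServerSignature Off
FileETag None
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule .* - [F,L]
    RewriteCond %{REQUEST_URI} !^/wp-admin/
    RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
    RewriteRule ^ - [F,L]
    RewriteRule ^wp-content/uploads/.*\.(php|phtml|php[0-9]|phar)$ - [F,NC,L]
</IfModule>
EOF
}
# Remove any existing copy, then append a fresh one, so the install is idempotent.
harden_htaccess() {
  unharden_htaccess "$1"
  { printf '%s\n' "$BEGIN_MARK"; harden_rules; printf '%s\n' "$END_MARK"; } >> "$1"
}
unharden_htaccess() {
  [ -f "$1" ] || return 0
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
    '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# Number of installed copies: 0 or 1 after the functions above.
harden_count() { grep -c -F -x "$BEGIN_MARK" "$1" 2>/dev/null || true; }
```

Behind a TLS-terminating proxy the HTTPS variable may not be set, so test the redirect rule before relying on it. The X-XSS-Protection header listed in the table is deliberately left out here because current browsers ignore it.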
Download Harden-It Plugin

Installation Instructions

  1. First, download the plugin by clicking the button above.
  2. Log in to your WordPress dashboard with your admin credentials.
  3. Navigate to the Plugins section on the left-hand menu and click on Add New.
  4. At the top of the page, click the Upload Plugin button.
  5. Click on Choose File, select the harden-it.zip file you downloaded, and then click Install Now.
  6. Once the plugin is installed, click on the Activate Plugin button.
  7. After activation, go to the plugin settings to configure the security rules according to your needs.

Advanced Tools

The Advanced Tools section provides additional security features and configurations to enhance the protection of your WordPress site. Below is a description of the available options:

Change File Permissions

This tool changes all folders and subfolders to 755 and all files to 644. These permissions enhance security and ensure proper functionality. These are the recommended default permissions for most servers, but you are encouraged to check with your host before applying this if you are unsure.
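An added example (not the plugin's code) of the same 755/644 normalisation done from a shell, with a reporting function that lists anything still outside the scheme so the result can be verified. It assumes POSIX sh, find and chmod, and takes the WordPress root as an argument (hypothetical path).

```shell
# Added example, not the plugin's code: the Change File Permissions tool's
# 755/644 scheme as shell, plus a report of anything still outside it.
# Assumes POSIX sh, find and chmod; $1 is the WordPress root (hypothetical).
set_wp_permissions() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Directories need the execute bit so the web server can traverse them.
  find "$root" -type d -exec chmod 755 {} +
  # Regular files: owner read/write, everyone else read-only.
  find "$root" -type f -exec chmod 644 {} +
}
# Print every path whose mode differs from the scheme; empty output means clean.
report_nonstandard() {
  find "$1" -type d ! -perm 755 -print
  find "$1" -type f ! -perm 644 -print
}
# Succeeds only when nothing under $1 is reported.
perms_are_standard() { [ -z "$(report_nonstandard "$1")" ]; }
```

Once the site works, wp-config.php is commonly tightened further than 644 (for example 640 or 600) so other accounts on a shared host cannot read the database credentials.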

Modify WordPress Configuration

This option adds necessary security configurations to the wp-config.php file if they are not already present. The configurations added are:

  • DISALLOW_FILE_EDIT: Disallows file editing from within the WordPress admin dashboard to prevent unauthorized changes if the dashboard is compromised.
  • WP_HOME: Hard-codes the site URL, which improves performance by eliminating database calls and prevents an attacker who gains dashboard access from changing the site URL.
  • WP_SITEURL: Hard-codes the WordPress URL for the same reasons: it eliminates database calls and prevents an attacker who gains dashboard access from changing it.
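An added example (not the plugin's code) of the "add only if not already present" behaviour described above: each define() is inserted into wp-config.php above WordPress's "stop editing" line, and an existing definition is left untouched. It assumes POSIX sh and awk; the file path and site URL are arguments (hypothetical values).

```shell
# Added example, not the plugin's code: add a define() to wp-config.php only
# if that constant is not already defined, inserting it above the
# "stop editing" line so it is set before wp-settings.php loads.
# Assumes POSIX sh and awk; $1 is the path to wp-config.php (hypothetical).
has_define() {  # $1 = file, $2 = constant name
  grep -Eq "define\( *['\"]$2['\"]" "$1"
}
ensure_define() {  # $1 = file, $2 = constant name, $3 = PHP literal value
  if has_define "$1" "$2"; then
    return 0            # already present: leave the admin's value alone
  fi
  awk -v line="define('$2', $3);" '
    # Insert just before the line WordPress marks as the end of the edit zone.
    !done && /stop editing/ { print line; done = 1 }
    { print }
    END { if (!done) print line }  # no marker found: append at the end
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# Apply the three settings the Modify WordPress Configuration tool adds.
harden_wp_config() {  # $1 = file, $2 = site URL
  ensure_define "$1" DISALLOW_FILE_EDIT true
  ensure_define "$1" WP_HOME "'$2'"
  ensure_define "$1" WP_SITEURL "'$2'"
}
```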

Disclaimer: This plugin is provided for free without warranty or claims of fitness.