January 5, 2017 at 23:11 #148981, Roader (Participant)
1. Change your database prefix:
By default, the WordPress prefix is: wp_
But this prefix is not secure. So, you need to change it.
During your WordPress installation you can change it, if your automatic installer permits it.
But if your automatic installer does not permit it, you can change the wp_ prefix beforehand.
Manual installation (recommended for HostGator):
First, on your hosting server, you need to create a database. Use a secure username and password, for example:
Db name: Db_sweet01
Db user name: Im%K3ym4SteR_#01@0
Password: sW%3eT@paSs#0)_1
Now:
– Extract the WP zip, open wp-config-sample.php with a text editor (Notepad++ for Windows, TextEdit for macOS).
Define your database name, DB username and password.
Second:
Change the WP prefix. NOTE: If you already have WordPress installed, follow this tutorial (LINK).
 * WordPress Database Table prefix.
 */
$table_prefix = 'wp_';
Here, change 'wp_' to a custom prefix, for example: sw3Et_
Generate and copy the Authentication Unique Keys and Salts.
First go to the WordPress API (LINK) to obtain the keys.
Copy all and replace all of:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
and so on for the whole section.
Save your wp-config-sample.php with the name wp-config.php (after that, delete wp-config-sample.php).
Well, upload all your WordPress content to your public_html folder. For that, you can use FileZilla (LINK). Before that, remember to create an FTP account.
And now, try to open http://www.your-web-site.com; if all is well, you can create your WordPress admin.
DON'T USE the name admin or administrator; use, for example: Obiw4N2o17
A strong password: goOd^U$%MY_paSz%67#002@
Inside your WP dashboard:
Install the plugin:
– All In One WordPress Security And Firewall (and please, see a tutorial to configure this plugin very well).
Or, if you want:
– Wordfence
(but if you use these plugins together you may get an error, so only install one. If you install WF, you need to add your custom directives to .htaccess manually).
Wordfence:
CUSTOM DIRECTIVES FOR /PUBLIC_HTML/.HTACCESS
# Protect my license.txt, wp-config-sample and readme
<Files license.txt>
Order deny,allow
Deny from all
</Files>
<Files wp-config-sample.php>
Order deny,allow
Deny from all
</Files>
<Files readme.html>
Order deny,allow
Deny from all
</Files>
# Disable Index
Options All -Indexes
# Disable Server Signature
ServerSignature Off
# Protect my .htaccess
<files .htaccess>
Order allow,deny
Deny from all
</files>
# Protect my wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# Protect my wp-includes directory
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# Disable my install.php (after wp’s installation)
<Files install.php>
order allow,deny
deny from all
</Files>
# Protect Headers
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
# Disable TRACE HTTP and TRACK
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# Stop Spam
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*PUT-YOUR-DOMAIN-NAME-HERE.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
NOTE: Remember to change: RewriteCond %{HTTP_REFERER} !.*PUT-YOUR-DOMAIN-NAME-HERE.com.* [OR]
# Disable Image Hotlinking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://PUT-YOUR-DOMAIN-NAME-HERE\.com [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC,L]
NOTE: Remember to change: RewriteCond %{HTTP_REFERER} !.*PUT-YOUR-DOMAIN-NAME-HERE.com.* [OR]
# Prevent SQL Injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Active Gzip
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
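The post sends you to the api.wordpress.org generator for the keys and salts. As an added example (not from the original post), the script below produces the same eight define() lines plus a random $table_prefix locally with PHP's CSPRNG, so the secrets never leave your machine. The function names are this example's own; run it with php from the command line and paste its output into wp-config.php.

```php
<?php
// Added example, not from the original post: generate wp-config.php secrets locally.
// Usage: php make-wp-secrets.php >> wp-config.php   (then remove the old lines)

/**
 * Random string of $length printable ASCII characters. The single quote and the
 * backslash are left out so the value can sit inside a single-quoted PHP string
 * without escaping. random_int() is the CSPRNG; never use rand()/mt_rand() here.
 */
function make_secret( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max = strlen( $alphabet ) - 1;
    $out = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, $max ) ];
    }
    return $out;
}

/**
 * Random table prefix such as "kxqz_". wp-settings.php rejects a $table_prefix
 * containing anything other than letters, digits and underscores, so the result is
 * checked against that same rule before it is returned.
 */
function make_table_prefix( int $length = 4 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyz';
    $prefix = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $prefix .= $alphabet[ random_int( 0, 25 ) ];
    }
    $prefix .= '_';
    if ( preg_match( '|[^a-z0-9_]|i', $prefix ) ) {
        throw new RuntimeException( 'prefix must contain only letters, digits and underscores' );
    }
    return $prefix;
}

/** The wp-config.php fragment: eight keys/salts and the prefix line. */
function make_wp_config_fragment(): string {
    $names = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
    $lines = array();
    foreach ( $names as $name ) {
        $lines[] = sprintf( "define('%s', '%s');", $name, make_secret() );
    }
    $lines[] = sprintf( "\$table_prefix = '%s';", make_table_prefix() );
    return implode( "\n", $lines ) . "\n";
}

echo make_wp_config_fragment();
```

Regenerating the eight values later is also the quickest way to log every user out at once, because the auth cookies are signed with them.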
January 5, 2017 at 23:36 #148991, Roader (Participant)
CONTINUE:
Disable XML-RPC (please read LINK)
Well, if you decide to use All In One WordPress Security, use these custom directives:
# Prevent SQL Injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Protect Headers
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
# Active Gzip
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
MORE SECURITY
If you are using HostGator and PHP 5 or 7, go to your public_html, find the file .user.ini and put this:
display_errors = Off
This prevents the WordPress Full Path Disclosure bug.
Protect WP Admin
There are many ways to protect WP Admin, but here I give you one:
In public_html / wp-admin create a .htaccess file, and add this:
# Protect htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
# Protect wp-admin by my IP
order deny,allow
allow from 000.0.00.00
deny from all
Change 000.0.00.00 to your IP. What is your IP address? (LINK TO KNOW)
Nobody except the administrator and contributors could get into your WP Admin dashboard.
If you want to add another trusted IP, add another line: allow from 000....
Protect Uploads folder
Go to public_html / wp-content / uploads, create a .htaccess file and add this:
# Protect htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
# Secure uploads directory
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|pdf|mp4|mpeg|mp3)$">
Order Deny,Allow
Allow from all
</FilesMatch>
January 6, 2017 at 00:01 #148998, Roader (Participant)
PART III
Now, go to public_html / wp-content / themes / sweetdate-child and open functions.php for editing. ADD:
// Enable shortcodes in text widgets
add_filter( 'widget_text', 'do_shortcode' );
// Protect commentary box (wp_specialchars() is deprecated since WP 2.8; esc_html() is its replacement)
add_filter( 'pre_comment_content', 'esc_html' );
// Disable login error details
function login_errors_message() {
    return 'Ooooops! Something is wrong, try again, please!';
}
add_filter( 'login_errors', 'login_errors_message' );
// Remove WP header junk
remove_action( 'wp_head', 'rsd_link' ); // remove Really Simple Discovery link
remove_action( 'wp_head', 'wp_generator' ); // remove WordPress version
remove_action( 'wp_head', 'feed_links', 2 ); // remove RSS feed links (add them back yourself if you use FeedBlitz or another RSS service)
remove_action( 'wp_head', 'feed_links_extra', 3 ); // remove all extra RSS feed links
remove_action( 'wp_head', 'index_rel_link' ); // remove link to index page
remove_action( 'wp_head', 'wlwmanifest_link' ); // remove wlwmanifest.xml (needed to support Windows Live Writer)
remove_action( 'wp_head', 'start_post_rel_link', 10 ); // remove random post link
remove_action( 'wp_head', 'parent_post_rel_link', 10 ); // remove parent post link
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10 ); // remove the next and previous post links
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10 );
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10 );
NOTE: The next code is to protect the BuddyPress admin.
// Exclude admins from directories and BP widgets
add_filter( 'bp_after_has_members_parse_args', 'buddydev_exclude_users' );
function buddydev_exclude_users( $args ) {
    // do not exclude in admin
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return $args;
    }
    $excluded = isset( $args['exclude'] ) ? $args['exclude'] : array();
    if ( ! is_array( $excluded ) ) {
        $excluded = explode( ',', $excluded );
    }
    $user_ids = array( 1 ); // enter user IDs here
    $excluded = array_merge( $excluded, $user_ids );
    $args['exclude'] = $excluded;
    return $args;
}

// Deny access to the admin's profile. The visitor is redirected to the homepage.
function bpfr_hide_admins_profile() {
    // bp_is_user() is true on any page of the displayed member (profile tabs included);
    // the original snippet used the bare name bp_is_profile, which is not a function call.
    if ( bp_is_user() && bp_displayed_user_id() == 1 && bp_loggedin_user_id() != 1 ) {
        wp_redirect( home_url() );
        exit;
    }
}
add_action( 'wp', 'bpfr_hide_admins_profile', 1 );

// Hide the admin's activities from all activity feeds
function bpfr_hide_admin_activity( $has_activities, $activities ) {
    // ... but allow the admin to see his own activities! (is_site_admin() is deprecated; is_super_admin() replaces it)
    if ( is_super_admin() ) {
        return $activities;
    }
    foreach ( $activities->activities as $key => $activity ) {
        // IDs to exclude, separated by commas. ID 1 is always the superadmin
        if ( $activity->user_id == 1 ) {
            unset( $activities->activities[ $key ] );
            $activities->activity_count       = $activities->activity_count - 1;
            $activities->total_activity_count = $activities->total_activity_count - 1;
            $activities->pag_num              = $activities->pag_num - 1;
        }
    }
    // Renumber the array keys to account for missing items
    $activities->activities = array_values( $activities->activities );
    return $activities;
}
add_filter( 'bp_has_activities', 'bpfr_hide_admin_activity', 10, 2 );
If you use these codes, your BuddyPress Keymaster or Admin will be invisible to all members (except yourself). This Admin is only for administrating the site (updating plugins, creating pages, etc.). The Keymaster or Admin is not for posting activities, blog posts, messaging, etc.
So, you can create a new user for posting etc.: a secure Contributor or SubAdmin. Remember, if a hacker knows your Super Admin, you could have problems.
What more can I improve? To know that, go to WPDOCTOR (LINK). Write your URL or domain. There you can obtain a good analysis of your security, speed, etc.
RECOMMENDED PLUGINS:
– SEO by Yoast
– WP Super Cache
– BackUpWordPress
Please, do not install a lot of plugins, or outdated plugins.
Only use what you need.
GOOD LUCK!
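The post replaces the login error text with a generic message so a visitor cannot tell a wrong username from a wrong password. Added example, not from the original post: the same filter, plus server-side logging of failed and successful logins through the wp_login_failed and wp_login actions, so the detail hidden from the visitor still reaches the site owner. Function names are this example's own; error_log() writes wherever PHP's error log points (with WP_DEBUG_LOG that is wp-content/debug.log, which must not be web-readable).

```php
<?php
// Added example, not from the original post. Drop into the child theme's functions.php.

/** Generic message shown to visitors: reveals nothing about whether the username exists. */
function hardened_login_errors( $errors ) {
    return 'Ooooops! Something is wrong, try again, please!';
}
add_filter( 'login_errors', 'hardened_login_errors' );

/**
 * Client address for the log line. REMOTE_ADDR is what the web server itself saw.
 * X-Forwarded-For is only worth reading when a proxy you control sets it, because a
 * client can send that header itself (the same reason the .htaccess in this thread
 * refuses comment POSTs that carry proxy headers).
 */
function hardened_client_ip() {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $addr, FILTER_VALIDATE_IP ) ?: 'unknown';
}

/**
 * Failed attempt: record the offered username and the client IP, never the password.
 * WordPress 5.4+ passes $error as the second argument; older versions pass only the username.
 * sanitize_user() in strict mode also keeps newlines and control characters out of the log.
 */
function hardened_login_failed( $username, $error = null ) {
    $code = ( $error instanceof WP_Error ) ? $error->get_error_code() : 'unknown';
    error_log( sprintf(
        'wp-login FAILED user=%s ip=%s reason=%s',
        sanitize_user( $username, true ),
        hardened_client_ip(),
        $code
    ) );
}
add_action( 'wp_login_failed', 'hardened_login_failed', 10, 2 );

/** Successful login: the baseline against which the failures above are read. */
function hardened_login_ok( $user_login, $user ) {
    error_log( sprintf(
        'wp-login OK user=%s id=%d ip=%s',
        sanitize_user( $user_login, true ),
        $user->ID,
        hardened_client_ip()
    ) );
}
add_action( 'wp_login', 'hardened_login_ok', 10, 2 );
```

A burst of FAILED lines for one IP against several usernames is the pattern a login-protection plugin's rate limiting should already be stopping; these lines let you confirm that it does.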
January 6, 2017 at 00:24 #149017, Roader (Participant)
Other for wp-admin:
# Protect htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
# Protect wp-admin by my IP
order deny,allow
allow from 000.0.00.00
deny from all
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
Order Allow,Deny
Allow from All
Satisfy Any
</FilesMatch>
<Files admin-ajax.php>
Order Allow,Deny
Allow from All
Satisfy Any
</Files>
Allowing Ajax is important for some plugins and themes.
Remember to change the allow from 000.0.00.00 IP address.
January 6, 2017 at 01:15 #149034, Roader (Participant)
ROBOTS.TXT
In public_html, create a new file (if it does not exist) named robots.txt
Inside write, for example:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
To make a good robots.txt, please read here (LINK).
January 8, 2017 at 07:51 #149138, Roader (Participant)
SPEED (HOSTGATOR)
# Enable Gzip
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
# Enable Deflate
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-shockwave-flash
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
# Enable mod_headers
<ifModule mod_headers.c>
# 6 MONTHS
<FilesMatch "\.(ico|gif|jpg|jpeg|png|flv|pdf|mp3|mp4)$">
Header set Cache-Control "max-age=15552000"
</FilesMatch>
# 1 WEEK
<FilesMatch "\.(js|css|swf)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
# 45 MIN (2700 seconds)
<FilesMatch "\.(html|htm|txt)$">
Header set Cache-Control "max-age=2700"
</FilesMatch>
</ifModule>
# Expires
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 60 days"
ExpiresByType image/jpeg "access plus 60 days"
ExpiresByType image/gif "access plus 60 days"
ExpiresByType image/png "access plus 60 days"
ExpiresByType audio/x-wav "access plus 1 month"
ExpiresByType audio/mpeg "access plus 1 month"
ExpiresByType video/mpeg "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/quicktime "access plus 1 month"
ExpiresByType video/x-ms-wmv "access plus 1 month"
ExpiresByType text/css "access plus 5 days"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 week"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 week"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresDefault "access plus 2 days"
</IfModule>
If you use All In One WordPress Security And Firewall, DON'T activate Captcha with this plugin.
Here I am sharing my .htaccess. Good luck!
January 8, 2017 at 08:02 #149142, Roader (Participant)
Warning: Don't copy and paste this .htaccess without checking it.
Please, open the file and delete this part:
#AIOWPS_LOGIN_WHITELIST_START
<FilesMatch "^(banana_Split)">
Order Allow,Deny
Allow from whatsmymate.com
Allow from 108.167.183.46
Allow from 148.0.96.55
</FilesMatch>
#AIOWPS_LOGIN_WHITELIST_END
June 10, 2017 at 01:11 #163899, Roader (Participant)
OPTIMIZATIONS
UPDATES
Working fine on HostGator (Apache).
--------------------------
.HTACCESS: BASIC SECURITY AND SPEED
Note: In the line RewriteRule .* http://example.com/? [L,R=302], change example.com to your own URL.
# SECURITY START
# Protect htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# Protect wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Protect Headers
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Security-Policy "allow 'self';"
Header always unset "X-Powered-By"
Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
# Block WP File Access
<FilesMatch "^(install\.php|php\.ini|readme\.html|license\.txt)">
Order Allow,Deny
Deny from all
</FilesMatch>
# Block xmlrpc.php if you don't use it.
<files xmlrpc.php>
order allow,deny
deny from all
</files>
# Block debug.log
<files debug.log>
order allow,deny
deny from all
</files>
# Disable Index Views
Options -Indexes
# Disable Trace_Track
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* http://example.com/? [L,R=302]
</IfModule>
# Forbid Proxy Comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_HOST} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule wp-comments-post\.php - [F]
</IfModule>
# Deny Bad Query Strings
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 500 /500.shtml
ServerSignature Off
LimitRequestBody 10240000
# SECURITY END
# SPEED START
# Enable Gzip compression
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
# BEGIN WEBSITE SPEED BOOST
# Time cheat sheet in seconds
# A86400 = 1 day
# A172800 = 2 days
# A2419200 = 1 month
# A4838400 = 2 months
# A29030400 = 1 year
# Test which ETag setting works best on your Host/Server/Website
# with Firefox Firebug, Firephp and Yslow benchmark tests.
# Create the ETag (entity tag) response header field
# This is probably not the optimum choice to use.
#FileETag MTime Size
# Remove the ETag (entity tag) response header field
# This is most likely the optimum choice to use.
Header unset ETag
FileETag None
<IfModule mod_mime.c>
AddType application/javascript js
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
AddType image/x-icon cur ico
AddType application/font-woff woff
AddType application/font-woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttc ttf
AddType font/opentype otf
</IfModule>
<IfModule mod_expires.c>
ExpiresActive on
# ExpiresByType overrides the ExpiresDefault...
# cache expiration time of 2 days|A172800.
ExpiresDefault A172800
ExpiresByType text/css A2419200
ExpiresByType text/html A2419200
ExpiresByType text/javascript A2419200
ExpiresByType text/x-javascript A2419200
ExpiresByType application/x-javascript A2419200
ExpiresByType application/javascript A2419200
ExpiresByType application/x-font-ttf A2419200
ExpiresByType application/x-font-woff A2419200
ExpiresByType font/opentype A4838400
ExpiresByType application/x-shockwave-flash A2419200
ExpiresByType image/vnd.microsoft.icon A2419200
ExpiresByType image/jpg A2419200
ExpiresByType image/jpeg A2419200
ExpiresByType image/gif A2419200
ExpiresByType image/png A2419200
ExpiresByType image/bmp A2419200
ExpiresByType image/webp A2419200
ExpiresByType image/x-icon A2419200
ExpiresByType image/svg+xml A2419200
ExpiresByType video/mp4 A2419200
ExpiresByType video/ogg A2419200
ExpiresByType video/webm A2419200
ExpiresByType audio/ogg A2419200
ExpiresByType font/eot A2419200
ExpiresByType font/opentype A2419200
ExpiresByType font/woff A2419200
ExpiresByType application/font-woff2 A2419200
ExpiresByType application/x-font-woff A2419200
ExpiresByType application/x-font-ttf A2419200
ExpiresByType application/vnd.ms-fontobject A2419200
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
Header append Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(txt|html)$">
Header append Cache-Control "proxy-revalidate"
</FilesMatch>
<FilesMatch "\.(php|cgi|pl|htm|xml)$">
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
AddOutputFilterByType DEFLATE application/javascript application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
AddOutputFilterByType DEFLATE font/eot font/otf font/opentype application/font-otf application/x-font-otf
AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
AddOutputFilterByType DEFLATE image/bmp image/svg+xml image/x-icon image/vnd.microsoft.icon
# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
#SPEED END
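The "Block User ID Phishing Requests" rule above answers ?author=N requests at the web server. Added example, not from the original post: the same block done inside WordPress, extended to the two other places that hand an anonymous client the list of accounts, the pretty /author/<login>/ archive that WordPress would otherwise redirect to, and the REST users routes. Function names are this example's own; it belongs in the child theme's functions.php.

```php
<?php
// Added example, not from the original post. Drop into the child theme's functions.php.

/**
 * Anonymous requests carrying an author query parameter are sent home on init,
 * before redirect_canonical() (hooked to template_redirect) could answer them
 * with a redirect to /author/<login>/, which is the actual information leak.
 */
function harden_block_author_query() {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && '' !== $_GET['author'] ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}
add_action( 'init', 'harden_block_author_query' );

/**
 * The author archive itself also exposes the login name in its URL. Priority 1
 * runs before redirect_canonical() at priority 10 on the same hook.
 */
function harden_block_author_archive() {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}
add_action( 'template_redirect', 'harden_block_author_archive', 1 );

/**
 * /wp-json/wp/v2/users lists accounts with their slugs. Remove every users route
 * for anonymous clients only, so the block editor and plugins that act on behalf
 * of a logged-in user keep working. rest_endpoints runs after REST authentication,
 * so is_user_logged_in() reflects the cookie-plus-nonce (or application password) check.
 */
function harden_rest_users_routes( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'harden_rest_users_routes' );
```

After adding it, an anonymous GET of /wp-json/wp/v2/users returns the rest_no_route 404 instead of the user list, and ?author=1 lands on the home page without a detour through the author URL.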
—————————
INSIDE WP-CONTENT FOLDER
Create a new file named .htaccess and put this:
# Protect htaccess
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<FilesMatch "\.(?i:php)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js|mp3|mp4)$">
Allow from all
</Files>
———————-
IN YOUR CHILD THEME'S FUNCTIONS.PHP
// Enable automatic updates for WordPress plugins
add_filter( 'auto_update_plugin', '__return_true' );

// Limit access to the dashboard to admins only
add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    if ( is_admin() && ! current_user_can( 'administrator' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}

// Change your username by a nickname
function set_default_display_name( $user_id ) {
    $user     = get_userdata( $user_id );
    $name     = sprintf( '%s %s', $user->first_name, $user->last_name );
    $nickname = sanitize_user( strtolower( str_replace( ' ', '', $name ) ) );
    $args = array(
        'ID'            => $user_id,
        'display_name'  => $name,
        'nickname'      => $nickname,
        'user_nicename' => $nickname,
    );
    wp_update_user( $args );
}
add_action( 'user_register', 'set_default_display_name' );

// Force strong password
function strong_password() {
    global $bp;
    if ( ! empty( $_POST['signup_password'] ) ) {
        if ( ! valid_pass( $_POST['signup_password'] ) ) {
            $bp->signup->errors['signup_password'] = __( 'Your password is not strong enough. Please, write a strong password using characters: A-Z, a-z, 0-9, @#$%&*-:;,.!', 'buddypress' );
        }
    }
}
add_action( 'bp_signup_validate', 'strong_password' );

function valid_pass( $candidate ) {
    $r1 = '/[A-Z]/';                     // uppercase
    $r2 = '/[a-z]/';                     // lowercase
    $r3 = '/[!@#$%^&*()\-_=+{};:,<.>]/'; // special characters; the hyphen is escaped so ")-_" is not read as a range that covers digits and capitals
    $r4 = '/[0-9]/';                     // numbers
    if ( preg_match( $r1, $candidate ) < 1 ) return FALSE;
    if ( preg_match( $r2, $candidate ) < 1 ) return FALSE;
    if ( preg_match( $r3, $candidate ) < 1 ) return FALSE;
    if ( preg_match( $r4, $candidate ) < 1 ) return FALSE;
    if ( strlen( $candidate ) < 8 ) return FALSE;
    return TRUE;
}

// Restricted email domains
add_option( 'limited_email_domains', array( 'yahoo.com', 'outlook.com', 'hotmail.com', 'gmail.com', 'aol.com', 'mail.com' ) );

// Decrease image compression in WordPress
add_filter( 'wp_generate_attachment_metadata', function( $metadata, $attachment_id ) {
    $file = get_attached_file( $attachment_id );
    $type = get_post_mime_type( $attachment_id );
    // Target JPEG images
    if ( in_array( $type, array( 'image/jpg', 'image/jpeg' ) ) ) {
        // Check for a valid image editor
        $editor = wp_get_image_editor( $file );
        if ( ! is_wp_error( $editor ) ) {
            // Set the new image quality
            $result = $editor->set_quality( 75 );
            // Re-save the original image file
            if ( ! is_wp_error( $result ) ) {
                $editor->save( $file );
            }
        }
    }
    return $metadata;
}, 10, 2 );

// Defer JavaScript parsing using the HTML5 defer attribute
if ( ! is_admin() ) {
    function defer_parsing_of_js( $url ) {
        if ( FALSE === strpos( $url, '.js' ) ) return $url;
        if ( strpos( $url, 'jquery.js' ) ) return $url;
        // return "$url' defer ";
        return "$url' defer onload='";
    }
    add_filter( 'clean_url', 'defer_parsing_of_js', 11, 1 );
}

// Remove WP header junk
// all actions related to emojis
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
// Remove the REST API link, the oEmbed discovery links and the oEmbed host JS
remove_action( 'wp_head', 'rest_output_link_wp_head' );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'wp_head', 'wp_oembed_add_host_js' );
remove_action( 'wp_head', 'rsd_link' ); // remove Really Simple Discovery link
remove_action( 'wp_head', 'wp_generator' ); // remove WordPress version
remove_action( 'wp_head', 'feed_links', 2 ); // remove RSS feed links (add them back yourself if you use FeedBlitz or another RSS service)
remove_action( 'wp_head', 'feed_links_extra', 3 ); // remove all extra RSS feed links
remove_action( 'wp_head', 'index_rel_link' ); // remove link to index page
remove_action( 'wp_head', 'wlwmanifest_link' ); // remove wlwmanifest.xml (needed to support Windows Live Writer)
remove_action( 'wp_head', 'start_post_rel_link', 10 ); // remove random post link
remove_action( 'wp_head', 'parent_post_rel_link', 10 ); // remove parent post link
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10 ); // remove the next and previous post links
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10 ); // remove the next and previous post links
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10 );
// Remove comment-reply.min.js from the footer. Deregister once scripts are set up rather
// than at theme load, where wp_deregister_script() triggers a "doing it wrong" notice.
add_action( 'wp_enqueue_scripts', function () {
    wp_deregister_script( 'comment-reply' );
}, 100 );

// Protect commentary box (wp_specialchars() is deprecated since WP 2.8; esc_html() is its replacement)
add_filter( 'pre_comment_content', 'esc_html' );
// Enable shortcodes in text widgets
add_filter( 'widget_text', 'do_shortcode' );

// BP redirect to profile
function redirect_to_profile( $redirect_to_calculated, $redirect_url_specified, $user ) {
    if ( ! $user || is_wp_error( $user ) ) {
        return $redirect_to_calculated;
    }
    // If the redirect is not specified, assume it to be the dashboard
    if ( empty( $redirect_to_calculated ) ) {
        $redirect_to_calculated = admin_url();
    }
    // if the user is not a site admin, redirect to his/her profile
    if ( ! is_super_admin( $user->ID ) ) {
        return bp_core_get_user_domain( $user->ID );
    } else {
        // if site admin or not logged in, do not do anything much
        return $redirect_to_calculated;
    }
}
add_filter( 'login_redirect', 'redirect_to_profile', 100, 3 );

// Exclude admins from directories and BP widgets
add_filter( 'bp_after_has_members_parse_args', 'buddydev_exclude_users' );
function buddydev_exclude_users( $args ) {
    // do not exclude in admin
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return $args;
    }
    $excluded = isset( $args['exclude'] ) ? $args['exclude'] : array();
    if ( ! is_array( $excluded ) ) {
        $excluded = explode( ',', $excluded );
    }
    $user_ids = array( 1 ); // user IDs
    $excluded = array_merge( $excluded, $user_ids );
    $args['exclude'] = $excluded;
    return $args;
}

// Make xprofile field names translatable (fix)
if ( ! function_exists( 'make_x_profile_fields_name_translable' ) ) :
    function make_x_profile_fields_name_translable( $fieldname ) {
        return __( $fieldname, 'kleo_framework' );
    }
    add_filter( 'bp_get_the_profile_field_name', 'make_x_profile_fields_name_translable' );
endif;

// Remove query strings from static resources
if ( ! is_admin() ) {
    function _remove_script_version( $src ) {
        $parts = explode( '?ver', $src );
        return $parts[0];
    }
    add_filter( 'script_loader_src', '_remove_script_version', 15, 1 );
    add_filter( 'style_loader_src', '_remove_script_version', 15, 1 );
}

// MINIFY YOUR HTML, JAVASCRIPT AND CSS
if ( ! is_admin() ) {
    class WP_HTML_Compression
    {
        // Settings
        protected $compress_css = true;
        protected $compress_js = false;
        protected $info_comment = true;
        protected $remove_comments = true;

        // Variables
        protected $html;

        public function __construct( $html )
        {
            if ( ! empty( $html ) ) {
                $this->parseHTML( $html );
            }
        }

        public function __toString()
        {
            return $this->html;
        }

        protected function minifyHTML( $html )
        {
            $pattern = '/<(?<script>script).*?<\/script\s*>|<(?<style>style).*?<\/style\s*>|<!(?<comment>--).*?-->|<(?<tag>[\/\w.:-]*)(?:".*?"|\'.*?\'|[^\'">]+)*>|(?<text>((<[^!\/\w.:-])?[^<]*)+)|/si';
            preg_match_all( $pattern, $html, $matches, PREG_SET_ORDER );
            $overriding = false;
            $raw_tag    = false;
            $strip      = false;
            // Variable reused for output
            $html = '';
            foreach ( $matches as $token ) {
                $tag     = ( isset( $token['tag'] ) ) ? strtolower( $token['tag'] ) : null;
                $content = $token[0];
                if ( is_null( $tag ) ) {
                    if ( ! empty( $token['script'] ) ) {
                        $strip = $this->compress_js;
                    } else if ( ! empty( $token['style'] ) ) {
                        $strip = $this->compress_css;
                    } else if ( $content == '<!--wp-html-compression no compression-->' ) {
                        $overriding = ! $overriding;
                        // Don't print the comment
                        continue;
                    } else if ( $this->remove_comments ) {
                        if ( ! $overriding && $raw_tag != 'textarea' ) {
                            // Remove any HTML comments, except MSIE conditional comments
                            $content = preg_replace( '/<!--(?!\s*(?:\[if [^\]]+]|<!|>))(?:(?!-->).)*-->/s', '', $content );
                        }
                    }
                } else {
                    if ( $tag == 'pre' || $tag == 'textarea' || $tag == 'script' ) {
                        $raw_tag = $tag;
                    } else if ( $tag == '/pre' || $tag == '/textarea' || $tag == '/script' ) {
                        $raw_tag = false;
                    } else {
                        if ( $raw_tag || $overriding ) {
                            $strip = false;
                        } else {
                            $strip = true;
                            // Remove any empty attributes, except:
                            // action, alt, content, src
                            $content = preg_replace( '/(\s+)(\w++(?<!\baction|\balt|\bcontent|\bsrc)="")/', '$1', $content );
                            // Remove any space before the end of self-closing XHTML tags
                            // JavaScript excluded
                            $content = str_replace( ' />', '/>', $content );
                        }
                    }
                }
                if ( $strip ) {
                    $content = $this->removeWhiteSpace( $content );
                }
                $html .= $content;
            }
            return $html;
        }

        public function parseHTML( $html )
        {
            $this->html = $this->minifyHTML( $html );
        }

        protected function removeWhiteSpace( $str )
        {
            $str = str_replace( "\t", ' ', $str );
            $str = str_replace( "\n", '', $str );
            $str = str_replace( "\r", '', $str );
            // Collapse runs of spaces to a single space. The loop must look for TWO spaces:
            // searching for one space (as in the copy-pasted version) never terminates.
            while ( strpos( $str, '  ' ) !== false ) {
                $str = str_replace( '  ', ' ', $str );
            }
            return $str;
        }
    }

    function wp_html_compression_finish( $html ) {
        return new WP_HTML_Compression( $html );
    }

    function wp_html_compression_start() {
        ob_start( 'wp_html_compression_finish' );
    }
    // add_action( 'get_header', 'wp_html_compression_start' );
    add_action( 'wp_loaded', 'wp_html_compression_start' ); // for working with SEO by Yoast
}
June 10, 2017 at 01:25 #163901, Roader (Participant)
NOTES:
// Limit access to DashBoard only to Admin
But, if you want access for an editor, use:
add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    if ( is_admin() && ! current_user_can( 'administrator' ) && ! current_user_can( 'editor' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}
For Admin, Editor and Shop Manager:
add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    if ( is_admin() && ! current_user_can( 'administrator' ) && ! current_user_can( 'editor' ) && ! current_user_can( 'shop_manager' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}
// Change your username by a nickname
After you add this code to your functions.php, go to Dashboard / Users and update all users. For example: if your username is lover360 and your first and last name are John Wick, then your nickname needs to be johnwick and your public display name John Wick. Remember, lover360 is your login, and this needs to be secret.
For new members this code works automatically.