ROBOTS.TXT
In public_html, create a new file (if it does not exist) named robots.txt.
Inside, write for example:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
To write a good robots.txt, please read here (LINK). Keep in mind that robots.txt is a public, advisory file: it only asks well-behaved crawlers to stay away and is not an access control — anyone, attackers included, can read it and see exactly which paths you listed. Use the .htaccess rules below for real restrictions.
Another option for wp-admin (the contents of wp-admin/.htaccess):
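# wp-admin/.htaccess
# NOTE: Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 only accepts it with
# mod_access_compat loaded. The <IfModule mod_authz_core.c> branches carry the 2.4
# equivalents, so this file works on either version.

# Protect htaccess: never serve this file to a browser.
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Protect wp-admin by my IP: allow /wp-admin/ only from the listed address(es).
# Replace 000.0.00.00 (a placeholder, not a real address) with your own static IP and add
# one "Require ip" / "Allow from" line per extra address. A dynamic IP will lock you out
# when it changes — you can still edit this file by FTP / file manager.
# This does NOT cover wp-login.php or xmlrpc.php, which live in the site root.
<IfModule mod_authz_core.c>
    Require ip 000.0.00.00
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 000.0.00.00
</IfModule>

# Front-end pages load these assets and call admin-ajax.php for every visitor (logged-out
# included), so they must stay reachable from anywhere. On Apache 2.4 the more specific
# <Files*> section replaces the directory-level Require; "Satisfy Any" is the 2.2 mechanism.
# Plugins that post front-end forms to admin-post.php need the same kind of exception.
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy Any
    </IfModule>
</FilesMatch>
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy Any
    </IfModule>
</Files>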
Keeping admin-ajax.php reachable is important: many plugins and themes call it from the front end, for logged-out visitors too.
Remember to change `allow from 000.0.00.00` to your own IP address.
PART III
Now go to public_html/wp-content/themes/sweetdate-child, open functions.php for editing, and ADD:
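// Enable shortcodes in text widgets. Widgets are editable only by users with
// edit_theme_options (administrators), so this does not expose shortcodes to untrusted users.
add_filter( 'widget_text', 'do_shortcode' );

// Protect the commentary box: every HTML tag in a submitted comment is entity-encoded before
// it is saved, so comments are stored as plain text. WordPress already runs untrusted
// comments through wp_kses; this is the stricter option (it also disables the few tags
// WordPress would normally allow). esc_html() replaces wp_specialchars(), which has been
// deprecated since WordPress 2.8 and is a thin wrapper around esc_html() anyway.
add_filter( 'pre_comment_content', 'esc_html' );

/**
 * Replace the login form's error text with one generic message.
 *
 * WordPress' default messages say whether the username or the password was wrong, which lets
 * an attacker confirm usernames. Caveat: this only covers the login form — usernames can
 * still be enumerated through ?author=N redirects and the REST API users endpoint unless
 * those are restricted separately.
 *
 * @return string The message shown for every login failure.
 */
function login_errors_message() {
    return 'Ooooops! Something is wrong, try again, please!';
}
add_filter( 'login_errors', 'login_errors_message' );

// Remove WP header junk. Only wp_generator has a security angle (it prints the WordPress
// version); the version still leaks through ?ver= query strings on enqueued scripts/styles,
// readme.html and the RSS <generator> element, so treat this as tidy-up, not hiding.
remove_action( 'wp_head', 'rsd_link' );                               // Really Simple Discovery link (XML-RPC)
remove_action( 'wp_head', 'wp_generator' );                           // WordPress version meta tag
remove_action( 'wp_head', 'feed_links', 2 );                          // RSS feed links (re-add them yourself if you use FeedBlitz or another RSS service)
remove_action( 'wp_head', 'feed_links_extra', 3 );                    // extra RSS feed links (comments, categories, ...)
remove_action( 'wp_head', 'wlwmanifest_link' );                       // wlwmanifest.xml (Windows Live Writer support)
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 ); // next/previous post rel links
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10, 0 );            // shortlink
// The following hooks were dropped from core around WordPress 3.3; removing them is a
// harmless no-op kept for older installs.
remove_action( 'wp_head', 'index_rel_link' );
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10, 0 );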
NOTE: The next code is to protect the BuddyPress admin account (hide it from other members).
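// Exclude Admins from Directories and BP Widgets.
// All three hooks below hide the account with user ID 1 from other members. This is
// obscurity, not access control: the account still exists and is discoverable through
// author archives (?author=1), post/comment author links and the REST API users endpoint,
// so it still needs a strong password (and ideally a non-obvious username).
add_filter( 'bp_after_has_members_parse_args', 'buddydev_exclude_users' );

/**
 * Add the hidden user IDs to the members loop's "exclude" argument.
 *
 * @param array $args Parsed bp_has_members() arguments.
 * @return array Same arguments, with the hidden IDs merged into $args['exclude'].
 */
function buddydev_exclude_users( $args ) {
    // Leave wp-admin screens alone (AJAX requests excepted) so administrators can still manage members.
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return $args;
    }
    $excluded = isset( $args['exclude'] ) ? $args['exclude'] : array();
    // BuddyPress accepts the list either as an array or as a comma-separated string.
    if ( ! is_array( $excluded ) ) {
        $excluded = explode( ',', $excluded );
    }
    // User IDs to hide. ID 1 is the account created at install time only if nothing was
    // changed since — verify it under Users > All Users before relying on it.
    $user_ids        = array( 1 );
    $args['exclude'] = array_merge( $excluded, $user_ids );
    return $args;
}

/**
 * Deny other members access to the hidden admin's profile; they are sent to the homepage.
 *
 * Bug fix: the original tested the bare word bp_is_profile — an undefined constant, which
 * PHP 7 turns into the truthy string 'bp_is_profile' (with a warning) and PHP 8 rejects
 * with a fatal "Undefined constant" error — instead of calling a BuddyPress conditional,
 * and read the IDs from the global $bp object. This version uses the template API.
 */
function bpfr_hide_admins_profile() {
    if ( ! function_exists( 'bp_is_user' ) ) {
        return; // BuddyPress is not active.
    }
    if ( bp_is_user() && (int) bp_displayed_user_id() === 1 && (int) bp_loggedin_user_id() !== 1 ) {
        wp_safe_redirect( home_url() );
        exit;
    }
}
add_action( 'wp', 'bpfr_hide_admins_profile', 1 );

/**
 * Hide the admin's activities from all activity feeds.
 *
 * Hooked to the bp_has_activities filter; the template object is modified in place.
 *
 * @param bool   $has_activities Whether the loop has items (unused, supplied by the filter).
 * @param object $activities     The BP_Activity_Template being rendered.
 * @return object The same template object, minus the admin's items.
 */
function bpfr_hide_admin_activity( $has_activities, $activities ) {
    // ... but allow the admin to see their own activities. is_site_admin() is a deprecated
    // multisite-era function; is_super_admin() is the current equivalent and also works on
    // single-site installs.
    if ( is_super_admin() ) {
        return $activities;
    }
    foreach ( $activities->activities as $key => $activity ) {
        // ID 1 is assumed to be the superadmin; adjust if your admin has another ID.
        if ( (int) $activity->user_id === 1 ) {
            unset( $activities->activities[ $key ] );
            // Keep the loop counters in step with the shortened array (pages may come out
            // short, as in the original — the items are dropped, not replaced).
            $activities->activity_count       = $activities->activity_count - 1;
            $activities->total_activity_count = $activities->total_activity_count - 1;
            $activities->pag_num              = $activities->pag_num - 1;
        }
    }
    // Renumber the array keys so the template loop does not hit holes.
    $activities->activities = array_values( $activities->activities );
    return $activities;
}
add_filter( 'bp_has_activities', 'bpfr_hide_admin_activity', 10, 2 );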
If you use this code, your BuddyPress Keymaster/Admin account is hidden from all other members (you still see it yourself). Use that account only to administer the site (update plugins, create pages, etc.) — never for posting activity, blog posts or messaging, because every post or message would put its author name back in front of members. Remember this is hiding, not locking: the account is still discoverable through author archives (?author=1) and the REST users endpoint, so it also needs a strong, unique password.
So create a separate user for posting — a Contributor or sub-admin with only the capabilities it needs. Remember: if an attacker knows your super-admin username, only the password stands between them and the site.
What more can I improve? To find out, go to WPDOCTOR (LINK), enter your URL or domain, and you get an analysis of your security, speed, etc.
RECOMMENDED PLUGINS:
– SEO by Yoast
– Wp Super Cache
– BackUpWordPress
Please do not install a lot of plugins, or outdated ones — every plugin is extra code you have to keep updated, and the plugin/theme layer is where most WordPress vulnerabilities are reported.
Only use what you need. GOOD LUCK!
<h1>CONTINUE:</h1>
Disable XML-RPC (please read LINK). xmlrpc.php lets a client try many username/password pairs inside a single request (system.multicall) and is abused for pingback floods; if nothing you use (e.g. Jetpack or a mobile app) needs it, block it.
<h4>If you decide to use All In One WordPress Security, use these custom directives:</h4>
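# Custom rules for All In One WP Security's ".htaccess custom rules" box.

# Query-string blocklist. Despite the original "Prevent SQL Injections" label this does NOT
# stop SQL injection: it only refuses requests whose query string carries a literal <script>
# tag or tries to set GLOBALS[...] / _REQUEST[...]. Differently-encoded payloads and anything
# sent in a POST body pass straight through. Keep it as a noise filter; the real protection
# is updated plugins/themes and parameterised queries. If your host answers 500 to
# "Options", drop that line — mod_rewrite only needs FollowSymLinks (or
# SymLinksIfOwnerMatch), which is usually enabled already.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# "-" = no substitution; with [F] the target is ignored anyway, so "index.php" was misleading.
RewriteRule ^(.*)$ - [F,L]

# Protect Headers ("always" = also sent on error responses).
# X-Frame-Options uses "set", not "append": WordPress already sends SAMEORIGIN on login and
# admin pages, and appending produced "SAMEORIGIN, SAMEORIGIN", a value browsers handle
# inconsistently (header ignored, or all framing blocked).
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection is obsolete: current browsers ignore it and a Content-Security-Policy is
# the real control. Kept for old browsers; OWASP now recommends the value "0" instead.
Header always set X-XSS-Protection "1; mode=block"

# Active Gzip. mod_gzip is an Apache 1.3-era module that current hosts rarely load; if it is
# absent this block is skipped silently (mod_deflate is the usual module today).
# Caveat: compressing HTML that mixes secrets such as WordPress nonces with
# attacker-influenced text is what BREACH-style attacks exploit; compressing only static
# assets avoids that.
<ifModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>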
<h2>MORE SECURITY </h2>
If you are using HostGator with PHP 5 or 7, go to public_html, find (or create) the file .user.ini and put this in it:
display_errors = Off
This prevents the WordPress full path disclosure bug: a PHP warning printed into the page reveals the absolute filesystem path of the script. Note that .user.ini only applies when PHP runs as CGI/FastCGI (the usual shared-hosting setup); under mod_php put `php_flag display_errors off` in .htaccess instead. Keep `log_errors = On` so errors still reach the log.
<h4>Protect wp-admin</h4>
There are many ways to protect wp-admin; here is one:
In public_html/wp-admin create a .htaccess file and add this:
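# NOTE: Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 only accepts it with
# mod_access_compat loaded. The <IfModule mod_authz_core.c> branches are the 2.4 form,
# so the file works on either version.

# Protect htaccess: never serve this file to a browser.
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Protect wp-admin by my IP. Change 000.0.00.00 to your own IP address (any "what is my IP"
# service shows it). A dynamic/home IP changes, so be ready to edit this file by FTP when it
# does. wp-login.php is in the site root and is NOT covered by this file, and front-end
# features that call /wp-admin/admin-ajax.php will need an exception for that file.
<IfModule mod_authz_core.c>
    Require ip 000.0.00.00
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 000.0.00.00
</IfModule>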
Nobody outside the listed IP address(es) can reach the WP admin dashboard — including your own contributors when they connect from another network, so list each of their addresses too, and expect to update the file whenever a dynamic IP changes (editing it via FTP or the file manager still works when you are locked out).
If you want to add another trusted IP, add another line: allow from 000….
<h4>Protect uploads folder</h4>
Go to public_html/wp-content/uploads, create a .htaccess file and add this (it denies everything by default and then allows only the listed media types back, so a .php file that lands in uploads can never be executed):
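# wp-content/uploads/.htaccess
# Deny-by-default: every file in uploads/ is refused unless its extension is in the media
# allowlist below, so an uploaded or planted .php/.phtml/.htaccess is never served or run.
# Order/Allow/Deny is Apache 2.2 syntax; the <IfModule mod_authz_core.c> branches are the
# 2.4 form. The original used curly quotes (“ ”), which Apache does not treat as quotes:
# they become part of the regex, so the original patterns matched nothing and the
# directory was silently left unprotected.

# Protect htaccess
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Secure uploads directory: refuse every file that has an extension ...
<Files ~ ".*\..*">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# ... then allow only media types back (the later, more specific section wins). Add
# extensions (webp, docx, ...) as you need them; do NOT add svg or html — both can carry scripts.
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|pdf|mp4|mpeg|mp3)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Allow from all
    </IfModule>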
</FilesMatch>
Radu, please help me with that — without plugins.
Hi there.
If you are using HostGator, use this:
Put this line in public_html/.user.ini (it uses php.ini syntax — the `ini_set("display_errors", 0);` form is PHP code and does nothing in that file):
display_errors = Off
This fixes a security issue: PHP error output otherwise reveals the absolute server path of your scripts (full path disclosure).
For my friend Radu. If you want, for the next SD update… 😉
https://codex.buddypress.org/plugindev/bp_attachment/
Please, add too: Message Text Area With Emoji
Hi Radu. Please test it and tell me!
And please, NO MORE PLUGINS! Right now I have a big problem with a plugin.
Do you know the full path disclosure bug? It is a big problem — for me and for you!
Check your plugins! For example: WP Super Cache!
The more add-ons, the more insecure WP becomes — but you know that! 🙂
For this reason I PREFER SECURE, STANDARD PHP CODE!
Querida Laura.
Probé el primero… No funciona con SweetDate.
El segundo tiene 1 año que no lo actualizan. La seguridad de WP depende demasiado de las Updates.
Por tanto, me gustaría saber cómo uds añadieron este reCaptcha a Kleo.
Ok, más tarde. Pero lo que digo es que ya uds tienen la forma de aplicar protección al Login sin que esta afecte el LogOut de los Suscriptores. Eso es lo que quiero saber.
Por otro lado qué me dices del Plugin AIO Wp Security and Firewall?
Security plugins:
Go to google and read about these:
– WordFence
– iThemes Security
– All In One WordPress Security and Firewall
For now is all.
Well, well,
Now, inside your child theme's functions.php, use:
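/**
 * Disable the login page's detailed errors: one generic message for every failure, so a
 * failed attempt does not reveal whether the username or the password was wrong.
 * Caveat: usernames can still be enumerated via ?author=N redirects and the REST API users
 * endpoint unless those are restricted separately.
 *
 * @return string Message shown for every login failure.
 */
function login_errors_message() {
    return 'Ooooops! Something is wrong, try again, please!';
}
add_filter( 'login_errors', 'login_errors_message' );

// Remove WP header junk. Only wp_generator matters for security (WordPress version); the
// version still leaks via ?ver= on enqueued assets, readme.html and the RSS <generator>.
remove_action( 'wp_head', 'rsd_link' );                               // Really Simple Discovery link (XML-RPC)
remove_action( 'wp_head', 'wp_generator' );                           // WordPress version meta tag
remove_action( 'wp_head', 'feed_links', 2 );                          // RSS feed links (re-add them yourself if you use FeedBlitz or another RSS service)
remove_action( 'wp_head', 'feed_links_extra', 3 );                    // extra RSS feed links
remove_action( 'wp_head', 'wlwmanifest_link' );                       // wlwmanifest.xml (Windows Live Writer support)
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 ); // next/previous post rel links
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10, 0 );            // shortlink
// These hooks were dropped from core around WordPress 3.3; the removals are harmless no-ops.
remove_action( 'wp_head', 'index_rel_link' );
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10, 0 );

// Protect the comment box: comments are stored as plain text (all HTML entity-encoded).
// esc_html() replaces wp_specialchars(), deprecated since WordPress 2.8 and a thin wrapper
// around esc_html() anyway.
add_filter( 'pre_comment_content', 'esc_html' );

/**
 * WP Dashboard only for admins: keep everyone else out of wp-admin (AJAX requests excepted).
 *
 * Checks the manage_options capability instead of the role name "administrator": passing
 * role names to current_user_can() is documented as unreliable. Note this also locks
 * editors/authors out of their own profile and post screens; relax the capability if such
 * users need the dashboard.
 */
function blockusers_init() {
    $is_ajax = defined( 'DOING_AJAX' ) && DOING_AJAX;
    if ( is_admin() && ! $is_ajax && ! current_user_can( 'manage_options' ) ) {
        wp_safe_redirect( home_url() );
        exit;
    }
}
add_action( 'init', 'blockusers_init' );

// Enable shortcodes in text widgets (widgets are only editable by users with edit_theme_options).
add_filter( 'widget_text', 'do_shortcode' );

/**
 * Filter the redirect URL for login: ordinary members go to their BuddyPress profile,
 * administrators keep the redirect WordPress calculated.
 *
 * Bug fix: on a failed login the third argument is a WP_Error, not a WP_User, and the
 * original read $user->ID from it regardless. Also bails out if BuddyPress is inactive.
 *
 * @param string           $redirect_to_calculated Redirect WordPress computed.
 * @param string           $redirect_url_specified Redirect requested via the form (unused, as in the original).
 * @param WP_User|WP_Error $user                   Logged-in user, or a WP_Error on failure.
 * @return string Destination URL.
 */
function kleo_redirect_to_profile( $redirect_to_calculated, $redirect_url_specified, $user ) {
    if ( ! ( $user instanceof WP_User ) || ! function_exists( 'bp_core_get_user_domain' ) ) {
        return $redirect_to_calculated;
    }
    if ( is_super_admin( $user->ID ) ) {
        return $redirect_to_calculated; // site admin: WordPress' own redirect
    }
    return bp_core_get_user_domain( $user->ID );
}
add_filter( 'login_redirect', 'kleo_redirect_to_profile', 100, 3 );

// Exclude Admins from Directories and BP Widgets.
// All three hooks below hide the account with user ID 1 from other members. This is
// obscurity, not access control: the account still exists and is discoverable through
// author archives (?author=1), post/comment author links and the REST API users endpoint,
// so it still needs a strong password (and ideally a non-obvious username).
add_filter( 'bp_after_has_members_parse_args', 'buddydev_exclude_users' );

/**
 * Add the hidden user IDs to the members loop's "exclude" argument.
 *
 * @param array $args Parsed bp_has_members() arguments.
 * @return array Same arguments, with the hidden IDs merged into $args['exclude'].
 */
function buddydev_exclude_users( $args ) {
    // Leave wp-admin screens alone (AJAX requests excepted) so administrators can still manage members.
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return $args;
    }
    $excluded = isset( $args['exclude'] ) ? $args['exclude'] : array();
    // BuddyPress accepts the list either as an array or as a comma-separated string.
    if ( ! is_array( $excluded ) ) {
        $excluded = explode( ',', $excluded );
    }
    // User IDs to hide. ID 1 is the account created at install time only if nothing was
    // changed since — verify it under Users > All Users before relying on it.
    $user_ids        = array( 1 );
    $args['exclude'] = array_merge( $excluded, $user_ids );
    return $args;
}

/**
 * Deny other members access to the hidden admin's profile; they are sent to the homepage.
 *
 * Bug fix: the original tested the bare word bp_is_profile — an undefined constant, which
 * PHP 7 turns into the truthy string 'bp_is_profile' (with a warning) and PHP 8 rejects
 * with a fatal "Undefined constant" error — instead of calling a BuddyPress conditional,
 * and read the IDs from the global $bp object. This version uses the template API.
 */
function bpfr_hide_admins_profile() {
    if ( ! function_exists( 'bp_is_user' ) ) {
        return; // BuddyPress is not active.
    }
    if ( bp_is_user() && (int) bp_displayed_user_id() === 1 && (int) bp_loggedin_user_id() !== 1 ) {
        wp_safe_redirect( home_url() );
        exit;
    }
}
add_action( 'wp', 'bpfr_hide_admins_profile', 1 );

/**
 * Hide the admin's activities from all activity feeds.
 *
 * Hooked to the bp_has_activities filter; the template object is modified in place.
 *
 * @param bool   $has_activities Whether the loop has items (unused, supplied by the filter).
 * @param object $activities     The BP_Activity_Template being rendered.
 * @return object The same template object, minus the admin's items.
 */
function bpfr_hide_admin_activity( $has_activities, $activities ) {
    // ... but allow the admin to see their own activities. is_site_admin() is a deprecated
    // multisite-era function; is_super_admin() is the current equivalent and also works on
    // single-site installs.
    if ( is_super_admin() ) {
        return $activities;
    }
    foreach ( $activities->activities as $key => $activity ) {
        // ID 1 is assumed to be the superadmin; adjust if your admin has another ID.
        if ( (int) $activity->user_id === 1 ) {
            unset( $activities->activities[ $key ] );
            // Keep the loop counters in step with the shortened array (pages may come out
            // short, as in the original — the items are dropped, not replaced).
            $activities->activity_count       = $activities->activity_count - 1;
            $activities->total_activity_count = $activities->total_activity_count - 1;
            $activities->pag_num              = $activities->pag_num - 1;
        }
    }
    // Renumber the array keys so the template loop does not hit holes.
    $activities->activities = array_values( $activities->activities );
    return $activities;
}
add_filter( 'bp_has_activities', 'bpfr_hide_admin_activity', 10, 2 );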
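# Hotlink-protection condition: pass image requests whose Referer is this site. The dots are
# escaped so "." matches a literal dot (unescaped, "whatsmymate.com" also matched e.g.
# "whatsmymateXcom"); "(www\.)?" accepts both www and bare-domain referers.
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?whatsmymate\.com [NC]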
Here, change whatsmymate.com to your own domain, e.g. raibar.co.uk:
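# Same condition for raibar.co.uk. The "?" after "(www\.)" was missing in the original, so
# referers from the bare domain (https://raibar.co.uk/...) would have been treated as
# hotlinking; dots are escaped so they match literally.
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?raibar\.co\.uk [NC]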
1) I don't know what server you are using. If it is HostGator (Baby or Advanced plan) you need to install WP manually, because the automatic installer does not let you change the WP table prefix.
So change the table prefix ($table_prefix) in wp-config.php.
What prefix? The default is wp_. A custom prefix such as b1jA_ only defeats attack scripts that blindly assume wp_; it is a small obscurity gain, not protection against SQL injection (an attacker who can inject can read the real table names from the database). Do it at install time if it is free, but don't count on it.
Then also set the authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, … in wp-config.php) to fresh random values — WordPress provides a generator for them.
After that, upload to your /public_html all your WP files and Folders (your install).
Remember to create a database for it as well.
If your Server permit to change the wp prefix in the Installation, change it.
——–
Inside public_html/.htaccess*, put:
* Sometimes this file is hidden; if so, enable "show hidden files" in the file manager's settings.
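# Standard WordPress front controller: requests for anything that is not an existing file or
# directory are handed to index.php. WordPress rewrites everything between the BEGIN/END
# markers whenever permalinks are saved, so keep custom rules OUTSIDE them.
# Fix: the first RewriteRule had an en dash (–) where mod_rewrite expects "-" (its
# "no substitution" marker); copied verbatim, requests for index.php would be rewritten to
# a literal "–" path instead of being left alone.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress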
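# Disable directory listings. The original used "Options All -Indexes": "All" switches on
# every option except MultiViews — including Includes (server-side includes) and ExecCGI —
# for the whole site, which widens the attack surface for no benefit. Only Indexes needs to go.
Options -Indexes

# Enable Gzip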
# mod_gzip is an Apache 1.3-era module that current hosts rarely load, so this whole
# <ifModule> block is usually skipped and compression (if any) comes from mod_deflate or the
# host's own settings. Security caveat if it IS active on HTML responses: compressing pages
# that contain secrets (WordPress nonces) together with attacker-influenced text is what
# BREACH-style attacks exploit; compressing only static assets avoids that.
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
# Protect htaccess
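# Deny direct requests for .hta* files (.htaccess, .htpasswd); the "~" form is a regex match.
# Fix: the original wrapped the pattern in curly quotes (“ ”), which Apache does not treat
# as quotes — they became part of the regex, so the rule silently matched nothing.
# (Most hosts already deny ".ht*" in the main server config; this is belt and braces.)
# Order/Allow/Deny is Apache 2.2 syntax; the mod_authz_core branch is the 2.4 form.
<Files ~ "^.*\.([Hh][Tt][Aa])">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy all
    </IfModule>
</Files>

# Disable wp install after installation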
# Refuse direct requests for install.php once WordPress is installed. A <Files> section in
# the root .htaccess also applies to subdirectories, so this covers wp-admin/install.php.
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied" instead.
<Files install.php>
order allow,deny
deny from all
</Files>
# Not Spam
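# Reject comment POSTs that arrive without a Referer containing this site's domain, or with
# an empty User-Agent — the signature of a simple spam bot. Replace whatsmymate.com with
# your own domain (the dot is escaped so it matches literally).
# Fixes: the URI pattern ".wp-comments-post.php*" was sloppy (it also matched
# "wp-comments-post.ph"); and the original redirected the request to "^http://<IP>/$" — the
# ^ and $ anchors were copied into the substitution, which is not a valid URL. A plain 403 is
# the honest response. Caveat: Referer is optional and some browsers/privacy tools strip
# it, so genuine commenters can be blocked too.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !whatsmymate\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]

# Protect wp-config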
# Block direct HTTP requests for wp-config.php (database credentials and salts). PHP reads it
# from disk, never over HTTP, so nothing legitimate breaks; it only matters if the PHP handler
# ever fails and Apache would serve the file as text. Apache 2.2 syntax; on 2.4 without
# mod_access_compat use "Require all denied" instead.
<files wp-config.php>
order allow,deny
deny from all
</files>
# Protect wp-includes
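# Block the include-only files.
# From the WordPress hardening guide: PHP files under wp-admin/includes/ and wp-includes/ are
# meant to be loaded by WordPress, never requested directly, so direct requests get a 403.
# "[S=3]" skips the next three rules for any path outside wp-includes/.
# Fix: the original used an en dash (–) in place of "-", mod_rewrite's "no substitution"
# marker. With that, the [S=3] rule (which has no [F]) would rewrite every request outside
# wp-includes/ to a literal "–" path and break the whole site.
# The hardening guide notes these rules interfere with ms-files.php on multisite installs.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Protect Headers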
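# Security headers ("always" = also sent on error responses).
# Fixes: the original wrapped the X-XSS-Protection value in curly quotes (“ ”), which Apache
# does not treat as quotes, so the directive was malformed; and it used "append" for
# X-Frame-Options. WordPress already sends X-Frame-Options: SAMEORIGIN on login and admin
# pages, so "append" produced "SAMEORIGIN, SAMEORIGIN", a value browsers handle
# inconsistently (header ignored, or all framing blocked). "set" gives one clean value.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection is obsolete: current browsers ignore it and a Content-Security-Policy is
# the real control. Kept for old browsers; OWASP now recommends the value "0" instead.
Header always set X-XSS-Protection "1; mode=block"

# Disable hotlinking of images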
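# Refuse image requests whose Referer is present but is neither this site nor google.com.
# Replace whatsmymate.com (the author's domain) with your own. Fixes: dots are escaped so
# they match literally, and the rule's en dash (–) is replaced by "-" (mod_rewrite's
# "no substitution" marker). The pattern is prefix-only, so "whatsmymate.com.example.org"
# would also pass. Referer is trivial to spoof and some privacy tools strip or alter it:
# treat this as bandwidth hygiene, not security.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?whatsmymate\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

# Not SQL injections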
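# Query-string blocklist (labelled "Not SQL injections" above). It does NOT stop SQL
# injection: it only rejects requests whose query string contains a literal <script> tag or
# tries to set GLOBALS[...] / _REQUEST[...]. Differently-encoded payloads and anything sent
# in a POST body pass straight through. Keep it as a noise filter; the real defences are
# updated plugins/themes and parameterised queries. If your host answers 500 to "Options",
# drop that line — mod_rewrite only needs FollowSymLinks (or SymLinksIfOwnerMatch), which is
# usually enabled already.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# "-" = no substitution; with [F] the target is ignored anyway, so "index.php" was misleading.
RewriteRule ^(.*)$ - [F,L]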
First, be clear about what you want. After that, work on the security. See all my tickets and their answers.
About your site: it needs a lot of work!
A lot of…
I cant help you. Because I need to finish my site. http://www.whatsmymate.com
Hi. Waplog.com is a dating site (not mine) that I think is based on BuddyPress, like Kleo or SweetDate.
I put this photo as an example for the 7thQueen team. They need to update their themes.
Hi Raibar.
For a dating site, the most important thing NOW is security!
Protect .htaccess.
Protect wp-content/uploads with .htaccess, hide your admin account, etc.
Mi querida Laura. Los plugins necesitan soporte; un código PHP estable no.
Tampoco hay necesidad de contratar, ya que solo necesito leer y aplicar.
Lo que quiero saber es cómo uds aseguraron el Wp-Login, pues veo que lo tienen protegido en el Demo.
Yo sé como protegerlo, el problema es que quizás hay algo que me falta y por eso me da error cuando uno hace click en Log Out. En el Demo permite hacer Log Out sin pedir confirmación de la Clave protectora.
And Radu, I saw the link, but I don't understand what I can do with it:
I saw header.php, but, this file has an especific code… So, please, Help me!
I need to protect Wp-admin and Wp-login (without plugin)… But, the problem is when a User click on LogOut…
>>> Autofill Username does not work. Autofill for Friends is okay!
Please, check!
My friend Radu, the autofill problem in Compose is in your theme. Look at the picture, taken from your demo!
And yeas my friend, your Theme needs a best Messaging (like Waplog maybe, or you can add Quick Ms Navigation for now…).
—–
Note: don't forget the problem of the profile cover (white text, shadow, etc.)! Remember…
My friend Radu, I can see that the SweetDate theme has wp-login protected.
How do you that?
Hi again!
Please check this ====> I didn't know that I could add strings using gettext and translate them with Polylang.
gettext – The Most Useful Filter in WordPress
https://www.speakinginbytes.com/2013/10/gettext-filter-wordpress/
Sobreescribir traducciones en WordPress: el filtro gettext
https://cybmeta.com/sobreescribir-traducciones-en-wordpress
Change or Translate Text on a WordPress Theme
http://ronangelo.com/change-or-translate-text-on-a-wordpress-theme/
OTHER CODE:
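// Remove the admin from the member directory (AJAX-driven members and friends loops).
// Obscurity only: the account is still discoverable through author archives (?author=1),
// post/comment author links and the REST API users endpoint.

/**
 * Append the hidden user ID to the BuddyPress AJAX query string of the members/friends loops.
 *
 * @param string|false $qs     Query string built by BuddyPress.
 * @param string|false $object Loop being built ('members', 'friends', 'activity', ...).
 * @return string|false The query string, with the exclusion added for members/friends loops.
 */
function bpdev_exclude_users( $qs = false, $object = false ) {
    $excluded_user = '1'; // IDs to remove, separated by commas

    // Only the members and friends directories are affected.
    if ( $object !== 'members' && $object !== 'friends' ) {
        return $qs;
    }
    $args = wp_parse_args( $qs );
    // A loop scoped to one specific user (user_id set) is left alone.
    if ( ! empty( $args['user_id'] ) ) {
        return $qs;
    }
    $args['exclude'] = empty( $args['exclude'] )
        ? $excluded_user
        : $args['exclude'] . ',' . $excluded_user;
    return build_query( $args );
}
add_action( 'bp_ajax_querystring', 'bpdev_exclude_users', 20, 2 );

/**
 * Once the admin is removed, recount the members.
 *
 * Fix: the original returned $count - 1 unconditionally, so an empty directory showed "-1"
 * and a non-numeric value would have produced a warning; the result is now clamped at 0.
 *
 * @param int|string $count Total member count reported by BuddyPress.
 * @return int|string The count minus the hidden admin, never below 0.
 */
function bpfr_hide_get_total_filter( $count ) {
    if ( ! is_numeric( $count ) ) {
        return $count;
    }
    return max( 0, $count - 1 );
}
add_filter( 'bp_get_total_member_count', 'bpfr_hide_get_total_filter' );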
Gracias Laura.
Pues sí, yo veo que el Demo tiene protegido el wp-login, y no hay problema cuando le das a LogOut; sin embargo a mí me pasa que me pide ingresar nombre y clave para salir.
Por tanto, me gustaría ver de qué manera uds protegieron el wp-login de manera funcional.
FULL CODE (the listing follows):
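// Exclude Admins from Directories and BP Widgets.
// All three hooks below hide the account with user ID 1 from other members. This is
// obscurity, not access control: the account still exists and is discoverable through
// author archives (?author=1), post/comment author links and the REST API users endpoint,
// so it still needs a strong password (and ideally a non-obvious username).
// Fix: the original listing used curly quotes (‘ ’) around every string, which PHP does not
// accept as string delimiters — it would not even parse.
add_filter( 'bp_after_has_members_parse_args', 'buddydev_exclude_users' );

/**
 * Add the hidden user IDs to the members loop's "exclude" argument.
 *
 * @param array $args Parsed bp_has_members() arguments.
 * @return array Same arguments, with the hidden IDs merged into $args['exclude'].
 */
function buddydev_exclude_users( $args ) {
    // Leave wp-admin screens alone (AJAX requests excepted) so administrators can still manage members.
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return $args;
    }
    $excluded = isset( $args['exclude'] ) ? $args['exclude'] : array();
    // BuddyPress accepts the list either as an array or as a comma-separated string.
    if ( ! is_array( $excluded ) ) {
        $excluded = explode( ',', $excluded );
    }
    // User IDs to hide, separated by commas. ID 1 is the account created at install time
    // only if nothing was changed since — verify it under Users > All Users before relying on it.
    $user_ids        = array( 1 );
    $args['exclude'] = array_merge( $excluded, $user_ids );
    return $args;
}

/**
 * Deny other members access to the hidden admin's profile; they are sent to the homepage.
 *
 * Bug fix: the original tested the bare word bp_is_profile — an undefined constant, which
 * PHP 7 turns into the truthy string 'bp_is_profile' (with a warning) and PHP 8 rejects
 * with a fatal "Undefined constant" error — instead of calling a BuddyPress conditional,
 * and read the IDs from the global $bp object. This version uses the template API.
 */
function bpfr_hide_admins_profile() {
    if ( ! function_exists( 'bp_is_user' ) ) {
        return; // BuddyPress is not active.
    }
    if ( bp_is_user() && (int) bp_displayed_user_id() === 1 && (int) bp_loggedin_user_id() !== 1 ) {
        wp_safe_redirect( home_url() );
        exit;
    }
}
add_action( 'wp', 'bpfr_hide_admins_profile', 1 );

/**
 * Hide the admin's activities from all activity feeds.
 *
 * Hooked to the bp_has_activities filter; the template object is modified in place.
 *
 * @param bool   $has_activities Whether the loop has items (unused, supplied by the filter).
 * @param object $activities     The BP_Activity_Template being rendered.
 * @return object The same template object, minus the admin's items.
 */
function bpfr_hide_admin_activity( $has_activities, $activities ) {
    // ... but allow the admin to see their own activities. is_site_admin() is a deprecated
    // multisite-era function; is_super_admin() is the current equivalent and also works on
    // single-site installs.
    if ( is_super_admin() ) {
        return $activities;
    }
    foreach ( $activities->activities as $key => $activity ) {
        // ID 1 is assumed to be the superadmin; adjust if your admin has another ID.
        if ( (int) $activity->user_id === 1 ) {
            unset( $activities->activities[ $key ] );
            // Keep the loop counters in step with the shortened array (pages may come out
            // short, as in the original — the items are dropped, not replaced).
            $activities->activity_count       = $activities->activity_count - 1;
            $activities->total_activity_count = $activities->total_activity_count - 1;
            $activities->pag_num              = $activities->pag_num - 1;
        }
    }
    // Renumber the array keys so the template loop does not hit holes.
    $activities->activities = array_values( $activities->activities );
    return $activities;
}
add_filter( 'bp_has_activities', 'bpfr_hide_admin_activity', 10, 2 );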