Hide the WordPress version. By default WordPress prints its version in a generator tag in the page head and in the feeds, which lets a scanner match the site against known vulnerabilities without any further work (hiding the version is no substitute for updating). Add the following to your theme's functions.php (put it in a child theme or a small site-specific plugin so a theme update does not overwrite it):
function wp_version_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_version_remove_version');
Disable the theme and plugin file editor in the admin panel, so that an attacker who gets hold of an administrator session cannot turn it into PHP execution by editing a theme file from the dashboard. Add the following to wp-config.php, above the line that reads /* That's all, stop editing! */:
define('DISALLOW_FILE_EDIT', true);
Protect wp-config.php from being served directly. The file holds the database credentials and the salts; normally PHP executes it and returns nothing, but if PHP handling ever breaks or is misconfigured the web server would return it as plain text. Copy the block below into the .htaccess file in the WordPress root (Apache only, and only if AllowOverride permits it; nginx ignores .htaccess entirely). The order/deny lines are the Apache 2.2 syntax, which Apache 2.4 still accepts through mod_access_compat; the native 2.4 directive is Require all denied:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Block PHP execution in the uploads directory. If an attacker manages to get a .php file into /wp-content/uploads/ (through a vulnerable plugin or a permissive upload form), this stops Apache from serving it, so the file cannot be run by requesting its URL. Create a new file named .htaccess with the content below, save it and upload it to /wp-content/uploads/. The last line additionally turns off directory listing. If the site answers with a 500 error afterwards, the server's AllowOverride does not permit these directives (Limit for deny, Options for Options) and the rule has to go into the virtual host configuration instead. Extend the pattern if your server also maps other extensions such as .phtml to PHP:
<Files *.php>
deny from all
</Files>
Options -Indexes
Send security headers. Add the following to functions.php (the file is functions.php, not function.php). These header() calls run on every request that loads the theme, including the admin area; pages served from a page cache or a CDN never run PHP, so for those set the same headers at the web server or CDN instead. Roll the Content-Security-Policy out as Content-Security-Policy-Report-Only first: default-src https: blocks inline scripts and styles, which WordPress core, the block editor and most themes rely on, so an untested policy will break the site. The Permissions-Policy header uses the feature=() syntax; the feature 'none' form in older guides is Feature-Policy syntax and is ignored under the new header name. Names that are not registered Permissions-Policy features (speaker, vibrate, vr, notifications, push) are left out; browsers ignore unknown names anyway.
// Start as Content-Security-Policy-Report-Only; default-src https: breaks inline scripts and styles.
header('Content-Security-Policy: default-src https:');
header('X-Frame-Options: SAMEORIGIN');
// Legacy header; current browsers ignore it, kept only for old clients.
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
// Only once every host and subdomain serves HTTPS; preload is hard to undo.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
// Permissions-Policy syntax is feature=(); the "feature 'none'" form is Feature-Policy and is ignored here.
header("Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(), usb=()");
header('Referrer-Policy: same-origin');
// WordPress core does not use PHP sessions; these only harden plugins that call session_start().
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
Force HTTPS for the login page and the admin area, so credentials and the authentication cookie are never sent in clear text. This requires a working TLS certificate on the server; the constant does not obtain one, and if HTTPS is not actually working it locks you out of wp-admin. Add the following line to wp-config.php:
define('FORCE_SSL_ADMIN', true);
Block xmlrpc.php. The XML-RPC endpoint is the usual target for credential brute forcing (system.multicall lets a single request try many passwords) and for pingback abuse, and most sites do not need it. Paste the following into the .htaccess file in the WordPress root. 123.123.123.123 is a placeholder: replace it with an address that legitimately still needs XML-RPC, or drop the allow line to block it for everyone. Jetpack and the WordPress mobile apps depend on this endpoint, so test them afterwards:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Response headers reveal the PHP version (X-Powered-By: PHP/x.y) and the Apache version (Server:). The reliable fix is on the server side: expose_php = Off in php.ini removes X-Powered-By, and ServerTokens Prod in the Apache configuration shortens the Server header to plain Apache. Ask your hosting company for those; in the meantime you can try the following in .htaccess. Header unset X-Powered-By works where mod_headers is loaded; Header unset Server usually has no effect, because Apache adds that header after mod_headers has run, so do not rely on it:
# start hide PHP version in header
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset Server
</IfModule>
# END hide PHP version in header
Restrict wp-admin to administrators. Put the following in functions.php. Any request to the admin area by a user who is not an administrator, or who is not logged in at all, gets an empty 404 response instead of the dashboard (there is no redirect; the status is set and the request ends). Ajax requests through admin-ajax.php are exempt so the front end keeps working. Be aware that this also locks out editors, authors, shop managers and every other non-administrator role, and that admin-post.php is part of the admin area too, so front-end forms that post to it will break; use it only on sites where administrators are the only dashboard users:
add_action('init', 'alderity_blockusers_init');
function alderity_blockusers_init() {
    if (is_admin() && !current_user_can('administrator') && !(defined('DOING_AJAX') && DOING_AJAX)) {
        // Answer with an empty 404 and stop; no redirect, no dashboard.
        status_header(404);
        exit();
    }
}
Hide the login page behind a secret query string. Hook login_init rather than login_head: login_head fires after wp-login.php has already started printing the page, so a redirect sent there fails with a headers-already-sent error. The check compares the query string directly instead of rebuilding the URL from $_SERVER['SERVER_NAME'], which breaks on subdirectory installs. Form submissions and every ?action= request (logout, lost password) are let through, because those requests do not carry the secret and would otherwise all end in a 404. This only hides the form: wp-login.php still exists, and anyone who learns the string gets the normal login page. Insert the following into functions.php and replace ?=secret with a string of your own:
// Hide the login form unless the request carries the secret query string.
function alderity_protection_for_login_page() {
    $secret_path = '?=secret'; // replace with your own string
    // Form POSTs and ?action= requests (logout, lostpassword) do not carry
    // the secret; let them through or those flows break.
    if ('POST' === $_SERVER['REQUEST_METHOD'] || !empty($_GET['action'])) {
        return;
    }
    if ('?' . $_SERVER['QUERY_STRING'] !== $secret_path) {
        status_header(404);
        nocache_headers();
        exit();
    }
}
// login_init fires before wp-login.php prints anything; login_head is too late to send headers.
add_action('login_init', 'alderity_protection_for_login_page');
To reach the login form, open your-domain.com/wp-login.php?=secret, replacing your-domain.com with your site's address and secret with the string you chose. Going to /wp-admin/ while logged out redirects to wp-login.php without the secret and therefore also shows the 404, so always start from the secret URL.
Disable the public user listing in the REST API. /wp-json/wp/v2/users returns every author's login slug to anonymous visitors, which hands a brute-forcing attacker the first half of each credential. Insert the following into functions.php. The routes are removed only for visitors who are not logged in, because the block editor uses /wp/v2/users for its author selector:
// Remove the user listing routes for anonymous requests (username enumeration).
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
Disable the REST API for visitors who are not logged in. Insert the following into functions.php. The old rest_enabled filter was deprecated in WordPress 4.7 and no longer disables anything, so it is left out; the supported way is the rest_authentication_errors filter, which must pass through a result that another authentication method has already set (true or a WP_Error) and only then add its own check. Anything that calls the REST API anonymously, including some contact-form and front-end plugins, stops working, so test the site after adding this; the block editor is unaffected because its users are logged in:
// Refuse REST API requests from visitors who are not logged in.
add_filter('rest_authentication_errors', function ($result) {
    // Another authentication method has already decided; do not override it.
    if (true === $result || is_wp_error($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'You are not logged in.', array('status' => 401));
    }
    return $result;
});
The lines below all go into functions.php as well; add the ones you want together:
Remove the RSD (Really Simple Discovery) link, which advertises the xmlrpc.php endpoint to clients and scanners:
remove_action('wp_head', 'rsd_link');
Remove the WordPress version meta tag from the page source, so scanners cannot read the version off the page (the the_generator filter above also covers the feeds; keeping both is harmless):
remove_action('wp_head', 'wp_generator');
Remove the Link HTTP response header that advertises the REST API root (rel="https://api.w.org/"):
remove_action('template_redirect', 'rest_output_link_header', 11);
Remove the emoji detection script from the front end. It injects an inline script and references to s.w.org into every page; dropping it removes code and a third-party reference you do not need, and an inline script is something a strict Content-Security-Policy would block anyway:
remove_action('wp_head', 'print_emoji_detection_script', 7);
Remove the matching emoji stylesheet:
remove_action('wp_print_styles', 'print_emoji_styles');
Remove the same script from the admin area, where it is rarely needed:
remove_action('admin_print_scripts', 'print_emoji_detection_script');
And the admin stylesheet that goes with it:
remove_action('admin_print_styles', 'print_emoji_styles');
Remove the REST API discovery link from the HTML head (the HTTP header equivalent was removed above):
remove_action('wp_head', 'rest_output_link_wp_head');
Remove the oEmbed discovery links from the HTML head, which tell other sites how to fetch embeds of your posts:
remove_action('wp_head', 'wp_oembed_add_discovery_links');
Unregister the oEmbed REST route (/wp-json/oembed/1.0/embed) if you do not want other sites to embed your content:
remove_action('rest_api_init', 'wp_oembed_register_route');
Do not remove wp_filter_oembed_result on its own. Despite its name it is a sanitiser, not a display filter: for embed HTML that comes back from a provider outside WordPress's own provider allowlist (that is, one reached through oEmbed discovery), it reduces the markup to an iframe and an optional blockquote with wp_kses and adds a sandbox attribute to the iframe. Removing it while discovery is still on means such HTML lands in your pages with less filtering. The line comes from the "disable embeds" recipe, where it is paired with turning discovery off through the embed_oembed_discover filter; use it only together with that:
remove_filter('oembed_dataparse', 'wp_filter_oembed_result', 10); // only together with embed_oembed_discover returning false
Remove wp-embed.js, the script WordPress loads so that embeds of other WordPress posts render on your pages:
remove_action('wp_head', 'wp_oembed_add_host_js');
Remove the shortlink tag (rel="shortlink", a ?p=ID URL) from the HTML head; the matching Link HTTP header is sent by wp_shortlink_header and is not affected by this line:
remove_action('wp_head', 'wp_shortlink_wp_head', 10);
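A way to verify the header section, the X-Powered-By/Server section and the wp_head removals above from the outside, as an added example that is not part of the original page: save one response with curl -si and run the script over it. It reports every hardening item from this page that is still visible in the headers or the HTML head and exits with the number of failures. The two sample responses in the script are constructed, not captured from a real site, and the file name and hostname are assumptions.

```shell
#!/bin/sh
# wp_audit.sh: audit one saved HTTP response from a WordPress site against the
# hardening steps on this page. Added example, not code from the original page.
# Assumed usage (the file is what `curl -si` prints: status line, headers,
# blank line, HTML body):
#   curl -si https://example.com/ > home.txt
#   sh wp_audit.sh home.txt      # exit status = number of failed checks

# headers_of FILE : print the response headers (everything up to the first empty line).
headers_of() {
    tr -d '\r' < "$1" | sed '/^$/q'
}

# body_of FILE : print the HTML body (everything after the first empty line).
body_of() {
    tr -d '\r' < "$1" | sed '1,/^$/d'
}

# has_header FILE NAME : succeed if header NAME is present (case-insensitive).
has_header() {
    headers_of "$1" | grep -qi "^$2:"
}

# body_has FILE PATTERN : succeed if the body matches the basic regex PATTERN.
body_has() {
    body_of "$1" | grep -qi "$2"
}

# fail MESSAGE : report and count one failed check (fails is a global counter).
fail() {
    echo "FAIL  $1"
    fails=$((fails + 1))
}

# audit FILE : print one line per check; return the number of failures.
audit() {
    f="$1"
    fails=0
    # Headers the functions.php snippet above is supposed to send.
    for h in Content-Security-Policy X-Frame-Options X-Content-Type-Options \
             Strict-Transport-Security Referrer-Policy Permissions-Policy
    do
        if has_header "$f" "$h"; then echo "ok    $h present"; else fail "$h missing"; fi
    done
    # Headers that leak the stack.
    has_header "$f" X-Powered-By && fail "X-Powered-By still sent (expose_php / Header unset)"
    headers_of "$f" | grep -qi '^Server:.*[0-9]' && fail "Server header carries a version number"
    headers_of "$f" | grep -qi 'api\.w\.org' && fail "REST API Link header still sent (rest_output_link_header)"
    # Tags that the wp_head hooks removed above would otherwise print.
    body_has "$f" 'name="generator"'        && fail "generator meta tag present (wp_generator)"
    body_has "$f" 'rel="EditURI"'           && fail "RSD link to xmlrpc.php present (rsd_link)"
    body_has "$f" 'application/json+oembed' && fail "oEmbed discovery link present (wp_oembed_add_discovery_links)"
    body_has "$f" "rel=['\"]shortlink"      && fail "shortlink present (wp_shortlink_wp_head)"
    body_has "$f" 'wp-emoji'                && fail "emoji detection script present (print_emoji_detection_script)"
    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed sample of an unhardened default install (not a real capture).
sample_unhardened() {
    cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.1.2
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<link rel="alternate" type="application/json+oembed" href="https://example.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.com%2F" />
<link rel='shortlink' href='https://example.com/?p=1' />
<script src="https://example.com/wp-includes/js/wp-emoji-release.min.js"></script>
</head><body></body></html>
EOF
}

# Constructed sample after applying the steps on this page (not a real capture).
sample_hardened() {
    cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src https:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer-Policy: same-origin
Permissions-Policy: camera=(), geolocation=(), microphone=()

<!DOCTYPE html><html><head><title>Example</title></head><body></body></html>
EOF
}

if [ -n "${1:-}" ]; then
    audit "$1"
    exit $?
fi
# No file given: demonstrate on the constructed unhardened sample.
demo=$(mktemp)
sample_unhardened > "$demo"
audit "$demo" || true
rm -f "$demo"
```

Run it once before and once after applying the steps; the unhardened sample trips all fourteen checks, the hardened one none. The check is deliberately coarse (a header is counted as present regardless of its value), so read the header values yourself when a line says ok.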