If you have file transfer access to your WordPress site, use a simple text editor and create a file called “.htaccess” that consists of the following lines. These are the most often exploited folders (wp-includes and plugins) within WordPress. The syntax differs between Apache 2.2 and Apache 2.4
Order Deny,Allow <Files *.php> deny from all </Files>
Copy this .htaccess file to your wp-content/uploads folder.
Create another .htaccess file that contains the following lines:
Order Deny,Allow <Files *.php> deny from all </Files> <Files "wp-tinymce.php"> allow from all </Files>
Copy this file to your wp-includes folder. This file prevents the running of PHP scripts from the wp-includes folder, except for the WordPress Visual Editor.
Apache version 2.4 has a different syntax for these files. Additionally, the parameter “AllowOverride All” must be set in the server’s Directives. (This is the default in Apache 2.2).
Create a file called .htaccess and copy it to your wp-content/uploads folder.
Require all granted <Files *.php> Require all denied </Files>
Create another .htaccess file and copy it to your wp-includes folder:
Require all granted <Files *.php> Require all denied </Files> <Files "wp-tinymce.php"> Require all granted </Files>
This next tip optimizes PHP a little bit to improve security. Note that “0” is the equivalent to “Off” and “1” is the equivalent to “On”, depending upon your O/S distribution. This file is called “php.ini“. On CentOS systems, it is normally in the /etc directory. On Ubuntu, it resides in /etc/php5/apache2 (depending upon the web server and PHP version installed).
allow_url_fopen = 0 allow_url_include = 0 max_input_time = 30 max_execution_time = 30 memory_limit = 8M # NOTE: I had to set mine to 256M to appease the WordFence plugin register_globals = Off expose_php = 0 cgi.force_redirect = 1 display_errors = 0 display_startup_errors = 0 session.cookie_httponly = 1 session.use_cookies = 1 session.use_trans_sid = 0 session.hash_function = 1 session.bug_compat_42 = 0 session.bug_compat_warn = 0