Blocs Plus - WooCommerce

Don’t worry about that folder, it’s safe. :wink:

OK good to know. I read various online guides advising to secure it.

top way a pro locks down a WordPress site. There are several useful tools and concepts in general.

I’m sure we’re gonna go deep at some point, but I’d like all this WordPress talk to be in one place in the forum, so let’s not get too deep just yet.

It’s best to open up dedicated threads in a WordPress-specific category.

WordPress within Blocs has possibly opened Blocs up to being one of the best builders, if not the BEST, on the market… this is taking Blocs to a whole new level. I am so looking forward to what people can do with this! The possibilities are endless.

I am getting my head around doing themes for it now! Can’t wait to have a play with it.

I am seriously considering changing ALL my current projects into Blocs 4 as soon as it’s available and going back to the drawing board on design!!!

@Norm - I’m surprised if you have even got any sleep this year!

Yes I agree 110%. I’ll ask @Norm about adding a new category for WordPress issues. It may end up as the busiest part of the forum.

3 Likes

Here’s what I do on every WordPress site to provide minimal security (more is always better):

Add these to the .htaccess:

Enable HSTS with this snippet:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

hide htaccess file

<Files .htaccess>
order allow,deny
deny from all
</Files>

hide wp-config file

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Block wp-includes folder and files

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Prevent Track & Trace abuse leading to XSS attacks:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Stop username enumeration:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Within wp-content/uploads I tend to put another .htaccess file, containing these snippets:

Limit accessible files to certain filetypes

order deny,allow
deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</Files>

Prevent php execution

<Files *.php>
deny from all
</Files>

Then add some tweaks to the wp-config.php:

Force SSL for the backend

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Disable file editing from the wp-admin

define('DISALLOW_FILE_EDIT', true);

These are some of the more generic ones I use.
Always happy to help out with more specific settings/tips/questions.

3 Likes
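A way to verify that the .htaccess and wp-config tweaks in the post above actually took effect, as an added example that is not part of the thread or anyone's posted configuration: each probe sends one request and compares the status code or header against what the corresponding rule should produce. The site URL, the probe filename under uploads, and the function names are assumptions for illustration; run it against an https:// URL, because the HSTS header in the post is only set when the HTTPS environment variable is present.

```python
"""Probe a WordPress site for the .htaccess / wp-config hardening discussed above."""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased header names


# A fetcher takes (method, url) and returns one Response WITHOUT following
# redirects, so the 301 from the author-enumeration rule stays visible.
Fetcher = Callable[[str, str], Response]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def http_fetch(method: str, url: str) -> Response:
    """Live fetcher built on urllib; any 3xx/4xx arrives as HTTPError."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method=method,
                                 headers={"User-Agent": "wp-hardening-audit"})
    try:
        with opener.open(req, timeout=10) as resp:
            return Response(resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:
        return Response(err.code, {k.lower(): v for k, v in err.headers.items()})


def audit(base: str, fetch: Fetcher = http_fetch,
          uploads_php: str = "/wp-content/uploads/probe.php") -> Dict[str, str]:
    """Return {check: 'pass' | 'fail' | 'inconclusive'} for the site at base."""
    base = base.rstrip("/")
    out: Dict[str, str] = {}

    home = fetch("GET", base + "/")
    hsts = home.headers.get("strict-transport-security", "")
    out["hsts"] = "pass" if "max-age" in hsts else "fail"

    # <Files .htaccess> deny: expect 403. A 404 means no such file (or not Apache).
    s = fetch("GET", base + "/.htaccess").status
    out["htaccess_hidden"] = "pass" if s == 403 else ("inconclusive" if s == 404 else "fail")

    # wp-config.php always exists; served directly it runs and returns an empty 200.
    s = fetch("GET", base + "/wp-config.php").status
    out["wp_config_hidden"] = "pass" if s == 403 else "fail"

    # The TRACE rewrite gives 403, TraceEnable off gives 405, stock Apache echoes 200.
    out["trace_blocked"] = "pass" if fetch("TRACE", base + "/").status in (403, 405) else "fail"

    # wp-includes/version.php ships with every install, so 403 proves the rule is live.
    s = fetch("GET", base + "/wp-includes/version.php").status
    out["wp_includes_php_blocked"] = "pass" if s == 403 else "fail"

    # Hardened: 301 back to the root. Unhardened: 301 to /author/<username>/ or a 200.
    r = fetch("GET", base + "/?author=1")
    loc = r.headers.get("location", "")
    out["author_enum_blocked"] = ("pass" if r.status in (301, 302) and "/author/" not in loc
                                  else "fail")

    # Uploads PHP block: 403 proves it; 404 only says the probe file is absent.
    s = fetch("GET", base + uploads_php).status
    out["uploads_php_blocked"] = "pass" if s == 403 else ("inconclusive" if s == 404 else "fail")
    return out


if __name__ == "__main__":
    for check, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:12} {check}")
```

The uploads probe is the one check that needs preparation: place a harmless .php file under wp-content/uploads over SFTP first, then point `uploads_php` at it, otherwise a 404 tells you nothing about whether the deny rule works. Note also that the author=N redirect only covers that one enumeration path; the WordPress REST API's users endpoint is a separate one and is not touched by these rules.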

Folder permissions handle that, which yes, many people screw up which leads to breaches.

I’m an old Unix head to some extent, but the security is all enhanced through understanding which groups have "read or write" access. Using the groups and permissions you are able to craft better base level security.
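One concrete version of the permissions point above, as an added example that is not from the thread: an audit of a WordPress tree for the mode bits that commonly go wrong (anything world-writable, a wp-config.php other users can read, code the web server's group can rewrite), plus a fixer that applies one sane layout. The layout it assumes is a hypothesis stated in the code: the deploying user owns the files, the web server runs in the owning group, and only wp-content/uploads needs group write. The sample install it builds under a temp directory is constructed for the demo.

```python
"""Audit and fix mode bits on a WordPress tree (added example, not from the thread)."""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path
from typing import List

# Assumed layout: the deploying user owns the files, the web server runs in the
# owning group and must only write under uploads. Adjust to your hosting model.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o640
WRITABLE_DIRS = ("wp-content/uploads",)


def _under_writable(rel: str) -> bool:
    return any(rel == d or rel.startswith(d + "/") for d in WRITABLE_DIRS)


def _entries(base: Path):
    """Yield (path, relative path, permission bits) for root and everything below."""
    for path in [base, *sorted(base.rglob("*"))]:
        if path.is_symlink():
            continue  # judge the target where it lives, not the link
        rel = path.relative_to(base).as_posix()
        yield path, rel, stat.S_IMODE(path.lstat().st_mode)


def audit_tree(root: str) -> List[str]:
    """Return findings; an empty list means nothing breaks the assumed layout."""
    findings: List[str] = []
    for path, rel, mode in _entries(Path(root)):
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable: {rel} ({mode:o})")
        if path.name == "wp-config.php" and mode & (stat.S_IROTH | stat.S_IWGRP):
            findings.append(f"wp-config.php readable by others or group-writable ({mode:o})")
        elif mode & stat.S_IWGRP and not _under_writable(rel):
            findings.append(f"group-writable outside uploads: {rel} ({mode:o})")
    return findings


def harden_tree(root: str) -> int:
    """Apply the target modes below root; returns how many entries were changed."""
    changed = 0
    for path, rel, mode in _entries(Path(root)):
        want = DIR_MODE if path.is_dir() else FILE_MODE
        if path.name == "wp-config.php":
            want = CONFIG_MODE
        elif _under_writable(rel):
            want |= stat.S_IWGRP  # the web server's group may write here
        if mode != want:
            os.chmod(path, want)
            changed += 1
    return changed


def mode_of(root: str, rel: str) -> int:
    return stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def build_sample_tree() -> str:
    """Constructed sample install carrying the mistakes the thread warns about."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    layout = {  # relative path -> (is_dir, mode)
        "index.php": (False, 0o644),
        "wp-config.php": (False, 0o644),        # DB credentials readable by everyone
        "wp-includes": (True, 0o755),
        "wp-includes/foo.php": (False, 0o664),  # web group could rewrite code
        "wp-content": (True, 0o755),
        "wp-content/uploads": (True, 0o777),    # world-writable
    }
    for rel, (is_dir, mode) in layout.items():
        p = Path(root, rel)
        if is_dir:
            p.mkdir()
        else:
            p.write_text("<?php\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for line in audit_tree(root):
        print("FINDING", line)
    print("changed", harden_tree(root), "entries; remaining:", audit_tree(root))
```

Ownership (chown) is deliberately left out because the right user and group depend on whether PHP runs as the site owner or as a shared www-data account; decide that first, then these mode bits follow from it.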

Okay so you went there! Love it. I just want to get this stuff organized.

Excellent start @brechtryckaert

2 Likes

Wow that’s a lot. I already enable HSTS on my sites as well as the hide htaccess on my standard Blocs sites but the rest is all new. Is all of that going in your htaccess?

I’ll try and work out an optimized .htaccess (containing security and performance tweaks) for sites built with Blocs in the coming days.

4 Likes

Loads more actually, as I’m also very focussed on performance. Once my optimized .htaccess is ready, I’ll share it here. Just need to see how Blocs 4 Plus exports WP Themes first to ensure I don’t add any site-breaking rules.

5 Likes