This article is part of the Protecting WordPress index, but can be generally applied to your account and security practices!
Restricting access to certain files or directories in your account is a good way to prevent possible entry points for hackers.
Installing a plugin to help limit login attempts is a step in the right direction.
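1. A .htaccess file limiting directory/file access is likely one of the best measures. Make sure there are no spaces just inside the < and > of the tags, or the code will not work. Here filename-pattern-here is a placeholder for a pattern matching the files you want to restrict:
<FilesMatch "filename-pattern-here">
Order Allow,Deny
Allow from xx.xx.xx.xx
</FilesMatch>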
Note that the xx.xx.xx.xx needs to be replaced with your IP, which can be retrieved from a location like ipcow.com. Also, note that your IP may not always be the same, so you may need to occasionally change this file to match. Order and Allow are Apache 2.2 directives; on Apache 2.4 they work only where mod_access_compat is loaded.
2. Hide Indexes or Limit Access
In a .htaccess file, add:
Options -Indexes
3. Make sure the PHP source code is never revealed.
Your site's wp-includes/ directory is the most important one to block. Find the .htaccess file there and insert:
RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]
If there are or will be subdirectories of wp-includes/, insert the following code for each one in the same .htaccess configuration file:
RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]
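The snippets above are easy to break when copied: spaces inside the tags, a typographic dash in front of Indexes, a space after the comma in Order, or the xx.xx.xx.xx placeholder left in place. The following check is an added example, not part of the original article; the function name, the sample files, the file pattern and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Copy-paste hazards specific to the .htaccess snippets in this article.
CHECKS = [
    (re.compile(r"[\u2010-\u2015\u2212]"),
     "typographic dash; Apache needs an ASCII hyphen (Options -Indexes)"),
    (re.compile(r"^\s*</?\s+"),
     "space just inside a container tag"),
    (re.compile(r"^\s*<\s*FilesMatch\s*>", re.I),
     "FilesMatch has no filename pattern"),
    (re.compile(r"^\s*Order\s+\S+\s+\S", re.I),
     "whitespace around the comma in Order"),
    (re.compile(r"\bxx\.xx\.xx\.xx\b", re.I),
     "placeholder IP address was not replaced"),
]

# Constructed sample: the snippets as they often look after a careless paste.
BAD = """< FilesMatch >
Order Allow, Deny
Allow from xx.xx.xx.xx
< /FilesMatch >
Options \u2013Indexes
"""

# Constructed sample: same rules, cleaned up (pattern and IP are made up).
GOOD = r"""<FilesMatch "^example-file\.php$">
Order Allow,Deny
Allow from 203.0.113.10
</FilesMatch>
Options -Indexes
"""

def lint_htaccess(text):
    """Return (line number, message) for every hazard found in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are ignored by Apache
        for pattern, message in CHECKS:
            if pattern.search(line):
                findings.append((lineno, message))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_htaccess(BAD):
        print(f"line {lineno}: {message}")
```

Run it against a copy of the file before uploading, since a syntax error in .htaccess makes Apache answer every request in that directory with a 500 error.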