Security hardening blocks the execution of PHP files in sensitive directories of your WordPress installation. This is done by adding a set of rules in your .htaccess file in each of those directories. You can enable and disable which directories and files you want the security hardening for by going to Sucuri Security Dashboard > Settings > Hardening > Hardening Options.
- Verify WordPress Version – We harden this file to protect your WordPress version. An attacker can exploit your version of WordPress especially if your site is not on the latest version of WordPress.
- Remove WordPress Version – This checks to see if your WordPress version is being leaked out to the public via an HTML meta-tag.
- Block PHP File execution in wp-content/uploads, wp-content, wp-includes
- Verify PHP Version – Harden to protect your version of PHP from attackers.
- Information Leak – Checks to see if the “readme.html” files are available.
- Plugin and Theme Editor – This will disable editing of your plugin in themes from unwanted changes.
You can revert the hardening for the most common directories from your WordPress Dashboard > Sucuri Security Dashboard > Settings > Hardening > Hardening Options.
Hardening can be reverted for:
- Block PHP Files in uploads
- Block PHP Files in wp-content
- Block PHP Files in wp-includes
- Plugin and Theme Editor You can disable this feature when you are ready to make changes to your site and then enable it again once you are done.
Hardening for some files/directories cannot be reverted because those files/directories have known vulnerabilities and hardening shouldn’t impact your website functionality. If you want to revert those files/directories where the option isn’t available in the dashboard, you will need to download a copy of the files/directories and re-upload fresh ones.
Problems with Hardening
Hardening requires testing, there’s not one set of rules that will work for every site. After you apply the hardening to wp-includes, wp-content, and/or wp-content/uploads and you find that certain plugins or your theme are not working correctly you can allow exceptions by going to your Security Dashboard > Settings > Hardening > Whitelist Blocked PHP files.