Lock Down Your Writable Directories
To ensure that no bots or other unauthorized visitors can access some of your important WordPress directories (which are writable so that WordPress can operate), you can restrict access so that only your WordPress installation can use the files.

Create an _htaccess file with a plain text editor (note the underscore before htaccess), but do not put any text in it. Save it as a blank file in your WordPress directory (the same directory where your wp-config.php file is located).

Create an uploads directory in your wp-content directory.

Create another _htaccess file, this time in the wp-content/uploads directory you just created. Edit the new file in a text editor by adding the code below:

<Files *.php>
deny from all
</Files>

Save the file and copy it to your wp-includes directory (there should now be an _htaccess file in both wp-content/uploads and wp-includes).
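
The steps above as a shell helper with a verification check; this is an added example, not part of the original page. The function names and the ACCESS_FILE parameter are assumptions: the file name defaults to the _htaccess used above, and Apache only reads the file named by its AccessFileName directive (.htaccess unless changed).

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# The rule below is the one given on this page.
RULE='<Files *.php>
deny from all
</Files>'

# lock_writable_dirs WP_ROOT [ACCESS_FILE]
lock_writable_dirs() {
    wp_root=$1
    name=${2:-_htaccess}   # assumption: parameterised so the name can match AccessFileName

    # The WordPress directory is the one that holds wp-config.php.
    [ -f "$wp_root/wp-config.php" ] || { echo "no wp-config.php in $wp_root" >&2; return 1; }
    [ -d "$wp_root/wp-includes" ] || { echo "no wp-includes in $wp_root" >&2; return 1; }

    up="$wp_root/wp-content/uploads/$name"
    inc="$wp_root/wp-includes/$name"

    # Never clobber an access file that already carries different rules.
    for target in "$up" "$inc"; do
        if [ -s "$target" ] && [ "$(cat "$target")" != "$RULE" ]; then
            echo "refusing to overwrite $target" >&2; return 1
        fi
    done

    # Blank file in the WordPress directory; an existing one is left untouched.
    [ -e "$wp_root/$name" ] || : > "$wp_root/$name"

    # Uploads directory, rule file inside it, then the copy into wp-includes.
    mkdir -p "$wp_root/wp-content/uploads" || return 1
    printf '%s\n' "$RULE" > "$up" && cp "$up" "$inc"
}

# check_lockdown WP_ROOT [ACCESS_FILE]: returns 0 only if all three files are in place
# and both rule files contain exactly the rule above.
check_lockdown() {
    wp_root=$1
    name=${2:-_htaccess}
    [ -f "$wp_root/$name" ] || return 1
    for dir in wp-content/uploads wp-includes; do
        [ "$(cat "$wp_root/$dir/$name" 2>/dev/null)" = "$RULE" ] || return 1
    done
}
```

Run check_lockdown after updates or restores, since a replaced wp-includes directory loses the copied file.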