The most important security feature you can add to your Wordpress website, or any website for that matter, is an .htaccess file. This .htaccess code below will block ALL hackers from hacking your website with XSS attacks / Code Injection attacks. To create the .htaccess file, copy the code below to Notepad (or any other text editor) and create a text file called .htaccess. Of course Notepad will want you to give the file a name in order to save it, so just give it this name or whatever you want >>> deletethis.htaccess.txt. After you have saved the file you will need to rename it via Windows Explorer (not Internet Explorer) to .htaccess and upload the file to the root of whatever folder your Wordpress website is installed in: the root folder for your Wordpress website, not /wp-content. The root folder contains your wp-config.php file, so wherever that file is, just copy the .htaccess file to that same folder.
CAUTION: the .htaccess file code below is only for Wordpress websites installed at the root of the domain. You will need to add your folder name / path to the RewriteBase and RewriteRule if your site is not installed in the root. Example: RewriteBase /blog/ RewriteRule . /blog/index.php [L] For HTML sites just replace index.php with index.html.
CAUTION: this is a very restrictive .htaccess file that interferes with a couple of admin functions, because the Query filter detects the execution of those commands as attack threats and they are blocked. Those areas are configuring Widgets and Installing new Plugins. What I am doing for now, until I write a Wordpress plugin to automate this, is to have 2 .htaccess files on the site root domain: one named secure.htaccess and one named default.htaccess. To enable either one you just remove the first part of the file name so that what you have left is just .htaccess. This is a bit of a minor nuisance for now until I write that WP plugin, but consider the alternative - hours of fixing your hacked website. ;( I have not decided on a name for the Wordpress Plugin that I will be writing in the near future, so I can't tell you what to look for in the near future. Maybe WP-BulletProof? If you want you can register at my site and when I release my new plugin I will email anyone who has registered at my site. I HATE SPAMMERS so the only time you will ever get an email from me is if you requested for me to contact you. My website is here >>> http://www.ait-pro.com.
******* The Code below is mangled here on YA and not usable *******
To download the .htaccess file go here >>> http://www.ait-pro.com/aitpro-blog/wordpress-tips-tricks-fixes/bulletproof-htaccess-file-code-wordpress-bulletproof-htaccess-code/
***** DO NOT USE THIS CODE BELOW *****
# BEGIN WordPress STANDARD WP MOD REWRITE
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
# FILTER REQUEST METHODS
# Answer TRACE, DELETE and TRACK requests with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# QUERY STRING EXPLOITS BLOCKS XSS ATTACKS
# Every condition is case-insensitive [NC] and chained with [OR]: a single
# match on the raw query string is enough for the final rule to return 403.
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
# The mangled copy of the next line ended its group with two empty
# alternatives ("||"), which would match every query string; dropped here.
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|\{).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
# The keyword list of this last condition is cut off ("...") in this post;
# only the keywords that survived are kept, the full list is in the download.
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteRule ^(.*)$ - [F,L]
*** The .htaccess file (2 separate files) can be put on the root of your domain and in your /wp-admin folder if you want. If you don't put an additional .htaccess file in your /wp-admin folder, the rules will carry over to the /wp-admin folder.
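As an added check (not code from this post or from AIT-pro), the Python script below replays the post's query-string conditions against constructed sample requests, which shows what the filter stops and also why some legitimate tag-archive and admin requests get a 403, the false positives the post warns about. It assumes the conditions as transcribed from the cleaned-up block above, with mod_rewrite's raw, still-percent-encoded %{QUERY_STRING} as the input.

```python
import re

# The post's "QUERY STRING EXPLOITS" conditions, transcribed into Python regexes.
# mod_rewrite tests the raw, still-percent-encoded %{QUERY_STRING}; [NC] means
# case-insensitive, and the [OR] chain means one hit is enough to block.
# The quote rule is taken without the stray empty alternatives of the mangled
# copy, and the keyword list of the last rule is truncated in the original post.
QUERY_STRING_CONDS = [
    r"\.\./",
    r"boot\.ini",
    r"tag=",
    r"ftp:",
    r"http:",
    r"https:",
    r"mosConfig",
    r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*).*",
    r"^.*(\"|'|<|>|\|\{).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare).*",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_CONDS]


def matching_conds(query_string):
    """Return the conditions that fire for a raw query string; empty means allowed."""
    return [c.pattern for c in COMPILED if c.search(query_string)]


def is_blocked(query_string):
    """True when the chained RewriteCond block would hand the request to the 403 rule."""
    return bool(matching_conds(query_string))


# Constructed sample query strings (the part of the request line after the "?").
SAMPLES = {
    "p=42": "normal post lookup",
    "s=wordpress+hardening": "normal search",
    "../../boot.ini": "directory traversal probe",
    "id=1+union+select+1,2,3": "SQL injection probe",
    "tag=news": "legitimate tag archive (false positive)",
    "action=delete-selected&paged=1": "admin bulk action; 'selected' contains 'select' (false positive)",
}

if __name__ == "__main__":
    for qs, note in SAMPLES.items():
        hits = matching_conds(qs)
        print(f"{'BLOCK' if hits else 'ALLOW':5} {qs:32} {note}  {hits}")
```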