Magento WordPress Integration SecurityWordPress Integration

« Back to Magento WordPress Integration

Any installed web application can present serious security risks and this includes WordPress and Magento. Fortunately by following these simple steps, it's quite easy to reduce these security risks and securely integrate WordPress into Magento.

Upgrade WordPress & Plugins

Always upgrade the WordPress core and plugins as soon as updates become available. WordPress updates are easy and can be done by a single click in the Admin.

Remove Plugins You Don't Need

A high number of hacks are caused by plugins and not the WordPress core. If you don't need the plugin, delete it.

You should delete ALL WordPress themes with the exception of the FishPig theme.

Database Security

Run WordPress in it's own database, using it's own database user and use a custom table prefix.

Delete Core WordPress Files You Don't Need

When integrating WordPress into Magento, you don't need the following files and these can be deleted, reducing the number of attack vectors you provide. Alternatively you can block access to them in your server config.

license.txt, readme.html, wp-activate.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-mail.php, wp-signup.php, wp-trackback.php, xmlrpc.php

If you don't use the commenting system, you can also delete wp-comments-post.php.

These files will be automatically created when you upgrade WordPress so you will have to delete them each time.

Install a Security Module

We offer a Magento 2 Security Module that provides protection for Magento and WordPress at the same time.

Server Security (.htaccess)

The following .htaccess file will provide an extra layer of protection for your WordPress installation. This file limits access to specific files and can be modified to your needs. This should be placed inside your WordPress installation directory (eg. wp/.htaccess).

Please read the comments to understand what each part does.

# Secure WordPress when integrated into Magento
<IfModule mod_rewrite.c>
RewriteEngine On

# Allow access to certain file extensions
RewriteCond %{REQUEST_URI} !\.(js|css|jpg|png|gif|svg|woff|woff2)$
# Allow access to specific PHP files
RewriteCond %{REQUEST_URI} !/index.php
RewriteCond %{REQUEST_URI} !/wp-(comments-post|login).php

# Some plugins use admin-ajax.php
# If none of your plugins use this file
# Remove the line below to block access to it
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax.php

# Allow global access to specific IPs
# This will allow Admin access
# Enter IPs below that should be allowed Admin access
# RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# RewriteCond %{REMOTE_ADDR} !^82\.12\.10\.1$

# This line allows Admin access to all IPs
# Remove this to limit it to the IPs entered above
RewriteCond %{REQUEST_URI} !/wp-admin/

# Rewrite to 404.php 	
# You can create a 404.php file in your WordPress folder
# If this file doesn't exist, the Magento 404 will display
RewriteRule .* 404.php [L]


This script uses a 404.php file that is present in the parent directory of WordPress (the Magento folder) and this is loaded when a user is blocked. This file can be as simple as the below code.

	header('HTTP/1.0 404 Not Found');
	echo '404';

By locking down access to WordPress by IP address, you effectivey make your WordPress installation un-hackable, however you should still follow all other steps and ensure everything is always updated and the WordPress database is separate.