My Short Story on Hardening WordPress
- Use and require long passwords with upper and lower case letters, numbers and special characters
- Limit user registration
- Use a good hosting site and current versions of Linux, PHP, MySQL etc., and make sure they are kept updated
- Know the vendors of your Themes, Plugins and Widgets
- Install to a different directory than the default
- Change the default Database prefix
- Configure a set of “Authentication Unique Keys and Salts” in wp-config
- Don't use admin, root etc. for usernames
- Do your own scans of the PHP and JavaScript files etc.
- Lock down uploads directory and comments
- Stay current, make sure it is doing auto updates
- Lock down PHP: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
I use the Wordfence security plugin
I am evaluating Sucuri
I use BackWPup
Use SSL. Here is a place you can get a free certificate: https://letsencrypt.org/
OWASP (Open Web Application Security Project) maintains a list of web site security scanners
I use Dashboard Widgets Suite by Jeff Starr; it has a security tab for some of the common things
- Register Globals: Disabled
- Safe Mode: Disabled
- Display Errors: Disabled
- allow_url_include: Enabled
- allow_url_fopen: Enabled
- Magic Quotes: Disabled
- Server Signature: Enabled
- WP Unique Keys: Enabled
- mod_security: Not Installed
- open_basedir: Disabled
- upload_tmp_dir: /tmp
- expose_php: Disabled
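As an added example (not code from the post or from Dashboard Widgets Suite), here is a small Python checker that reads a php.ini fragment and flags the directives from this readout whose hardened state is Off, reporting unset ones too; the sample ini text is constructed to mirror the values above, so the two directives showing Enabled, allow_url_include and allow_url_fopen, are the ones it flags.

```python
# Added example, not the post's code: audit a php.ini fragment for the directives
# the security tab above reports (hardened state "Off"); sample ini is constructed.
HARDENED_OFF = ("register_globals", "display_errors", "allow_url_include",
                "allow_url_fopen", "magic_quotes_gpc", "expose_php")
_TRUE = {"on", "1", "true", "yes"}
_FALSE = {"off", "0", "false", "no", "none", ""}

def parse_ini(text):
    """Map directive -> raw value, dropping ';' comments and [section]
    headers; a later duplicate overrides an earlier one, as in PHP."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def as_bool(value):
    """Normalise PHP's boolean spellings; anything else raises."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean ini value: {value!r}")

def audit(text):
    """Sorted (directive, observed) pairs needing attention. Unset counts
    too: PHP's compiled default for display_errors, allow_url_fopen and
    expose_php is On, so a hardened php.ini sets them explicitly."""
    settings = parse_ini(text)
    findings = [(k, "<unset>") for k in HARDENED_OFF if k not in settings]
    findings += [(k, settings[k]) for k in HARDENED_OFF
                 if k in settings and as_bool(settings[k])]
    if not settings.get("open_basedir"):  # the tab reports it "Disabled"
        findings.append(("open_basedir", "<unset>"))
    return sorted(findings)

# Constructed sample mirroring the security-tab readout quoted in the post.
SAMPLE_INI = """[PHP]
register_globals = Off
display_errors = Off
allow_url_include = On   ; should be Off
allow_url_fopen = On     ; should be Off
magic_quotes_gpc = Off
expose_php = Off
upload_tmp_dir = "/tmp"
"""
```

Running `audit(SAMPLE_INI)` returns the two remote-URL directives plus the missing open_basedir; point it at the real php.ini (or the output of `php --ini`) to check a host.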
Read this: WP Codex: “Hardening WordPress”
More from Jeff Starr's book The Tao of WordPress
Example .htaccess for the uploads directory
# secure uploads directory: first deny every file that has an extension,
# then re-allow only the media types listed in the FilesMatch below
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Note: you need an .htaccess in the parent directory as well; buy the book for more!
My parent directory .htaccess
DirectoryIndex index.php
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# This denies all web access to your wp-config file, error_logs, php.ini, and htaccess/htpasswds.
<FilesMatch "^.*(debug\.log|error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
# BEGIN gmgj per TAO
# [5G] BLOCK BAD BOTS
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu|grimreaper) keep_out
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</Limit>
</IfModule>
# END gmgj per Tao