WP Security Considerations

My Short Story on Hardening WordPress

  • Use and require long passwords with upper and lower case letters, numbers and special characters
  • Limit user registration
  • Use a good hosting site with current versions of Linux, PHP, MySQL etc., and make sure they are kept updated
  • Know the vendors of your Themes, Plugins and Widgets
  • Install to a different directory than the default
  • Change the default Database prefix
  • Configure a set of “Authentication Unique Keys and Salts” in wp-config
  • Don't use admin, root etc. for usernames
  • Do your own scans of the PHP and JavaScript files etc.
  • Lock down uploads directory and comments
  • Stay current, make sure it is doing auto updates
  • Lock down PHP: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

I use the Wordfence security plugin
I am evaluating Sucuri

I use BackWPup

Use SSL. Here is a place you can get a free certificate: https://letsencrypt.org/
OWASP (the Open Web Application Security Project) maintains a list of web site security scanners.

I use Dashboard Widgets Suite by Jeff Starr; it has a security tab that reports some of the common server and PHP settings, for example:

  • Register Globals: Disabled
  • Safe Mode: Disabled
  • Display Errors: Disabled
  • allow_url_include: Enabled
  • allow_url_fopen: Enabled
  • Magic Quotes: Disabled
  • Server Signature: Enabled
  • WP Unique Keys: Enabled
  • mod_security: Not Installed
  • open_basedir: Disabled
  • upload_tmp_dir: /tmp
  • expose_php: Disabled

Read this: WP Codex: “Hardening WordPress”

More from Jeff Starr's book The Tao of WordPress
Example .htaccess for the uploads directory:

# secure uploads directory
# first deny every file whose name contains an extension (note the escaped dot)
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
# then re-allow only the listed image and video extensions
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv)$">
Order Deny,Allow
Allow from all
</FilesMatch>

Note: you need an .htaccess in the parent directory as well; buy the book for more!
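To see what those two sections actually do, here is an added Python emulation (my own check, not code from the book or from WordPress) of how Apache merges <Files>/<FilesMatch> sections for a file name: the last matching section wins, patterns are case-sensitive unless they start with (?i), and a name no section matches falls back to the parent directory's policy. The sample file names are constructed; the rule list is assumed to mirror the escaped patterns above.

```python
import re
from typing import Dict, List, Tuple

# (pattern, allow) pairs mirroring the two sections of the uploads .htaccess
# above. Constructed for this example; Apache does not expose rules this way.
UPLOAD_RULES: List[Tuple[str, bool]] = [
    (r".*\..*", False),                                     # <Files ~ ".*\..*">  Deny from all
    (r"\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv)$", True),  # <FilesMatch "...">  Allow from all
]


def served(filename: str, rules: List[Tuple[str, bool]],
           parent_allows: bool = True) -> bool:
    """Emulate Apache's per-file access decision for one directory.

    <Files>/<FilesMatch> sections are merged in configuration order, so the
    last section whose pattern matches the basename decides. A name matched
    by no section inherits the parent directory's policy. Apache compiles
    these patterns case-sensitively unless they begin with (?i).
    """
    decision = parent_allows
    for pattern, allow in rules:
        if re.search(pattern, filename):
            decision = allow
    return decision


def audit(names: List[str], rules=UPLOAD_RULES) -> Dict[str, bool]:
    """Map each file name to whether the rules would let it be served."""
    return {n: served(n, rules) for n in names}


# Constructed sample names a WordPress uploads directory might hold.
SAMPLE = ["photo.jpg", "LOGO.JPG", "clip.mov", "backup.sql", "shell.php",
          "shell.php.jpg", "readme"]

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name:15s} {'served' if ok else 'denied'}")
    # Two things the audit makes visible:
    #  - "LOGO.JPG" is denied: prefix the allow pattern with (?i) if users
    #    upload upper-case extensions.
    #  - "shell.php.jpg" is served because only the final extension is checked;
    #    the name allow-list therefore belongs alongside "php_flag engine off"
    #    (or an equivalent handler removal) in the same .htaccess, so nothing
    #    under uploads is ever executed as PHP regardless of its name.
```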

My parent directory .htaccess

DirectoryIndex index.php

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# This denies all web access to your wp-config file, error_logs, php.ini, and htaccess/htpasswds.
<FilesMatch "^.*(debug\.log|error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

# BEGIN gmgj per TAO

# [5G] BLOCK BAD BOTS
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu|grimreaper) keep_out
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</limit>
</IfModule>

# END gmgj per Tao
