Published on February 19, 2014
FRIENDS OF SEARCH
HARDENING WORDPRESS: VARIOUS TWEAKS FOR BETTER WP SECURITY
WHAT REALLY MATTERS: TOP 3! IF YOU HAVE 5 MINS TO SPARE, JUST DO THESE…
#1 Update your blogs regularly! http://wordpress.org/extend/plugins/wp-updates-notifier/
Change update behavior… Be sure to REALLY know what you're doing there!
# Disables ALL automatic core updates:
define('WP_AUTO_UPDATE_CORE', false);
# Enables all automatic core updates, minor and major:
define('WP_AUTO_UPDATE_CORE', true);
# Default: automatic core updates for minor (security and maintenance) releases only:
define('WP_AUTO_UPDATE_CORE', 'minor');
Want something more fine-grained? Use the auto_update_{$type} filters (auto_update_core, auto_update_plugin, auto_update_theme, auto_update_translation) to decide per item. Only disable automatic updates if you really will apply them by hand, quickly: minor releases are where the security fixes ship. http://github.com/georgestephanis/update-control/
#2 Get rid of stuff you don't use! Remove all inactive plug-ins as well as unused themes! Deactivated code still sits on disk, and its PHP files can usually be requested directly, so a vulnerability in an inactive plug-in is still exploitable.
#3 Back up database & files, often! http://wordpress.org/extend/plugins/backwpup/
SECURITY STARTS AT SETUP: MAKE THINGS RIGHT FROM THE BEGINNING…!
#4 Set up WordPress properly
Use unique keys and salts: WordPress uses them to sign and hash authentication cookies and nonces (they are not encryption keys), and anyone who knows them can forge a logged-in session. Generate fresh ones and paste them into wp-config.php: https://api.wordpress.org/secret-key/1.1/salt/
Use a non-default table prefix. This does not stop SQL injection (an attacker who can inject SQL can usually enumerate the table names anyway), but it does defeat automated scripts that hard-code the default wp_ tables:
$table_prefix = 'wp_VzQCxSJv7uL_';
#5 Protect your wp-config.php
<files wp-config.php>
order deny,allow
deny from all
</files>
This goes into the .htaccess in your WP root and stops the file from being served if PHP handling ever breaks and the server hands it out as plain text. The syntax above is for Apache 2.2; on Apache 2.4 use "Require all denied" inside the <files> block instead.
Even better: move wp-config.php one directory above the document root ("www"). WordPress looks there automatically when there is no wp-config.php in its own root.
Also chmod it 400 (owner reads only) or 440 (owner and group), depending on which user PHP runs as: the PHP process must still be able to read it.
#6 Remove the default "admin" user
Set up a new user with the Administrator role; log out. Log in with the new admin and delete the old "admin" account (attribute its posts to the new user when asked). Brute-force scripts try the user name "admin" first, so don't hand them half of the credentials for free.
Make sure to use a STRONG password, pleeaaasssseeee! http://www.random.org/passwords/
#7 Protect your Login (and wp-admin)
Recommended: try the "Lockdown WP Admin" plug-in to protect the PHP files in wp-admin as well as the login itself (it can hide wp-admin from visitors who are not logged in, rename the login URL and add HTTP authentication).
Don't just put an .htaccess with basic password protection on wp-admin: admin-ajax.php lives in that folder and many plug-ins call it for ordinary visitors, so the password prompt breaks them. It's a lot of pain… http://wordpress.org/extend/plugins/lockdown-wp-admin/
#8 Lock-out multiple failed logins Limit Login Attempts http://wordpress.org/extend/plugins/limit-login-attempts/
#9 Even better: Two-factor Verification
Google Authenticator plug-in: http://wordpress.org/plugins/google-authenticator/
Info: http://gdig.de/1t - Download: http://gdig.de/1u
Provide your login credentials, then the time-based one-time code from the Google Authenticator app on your mobile phone. A guessed, phished or leaked password alone is no longer enough to log in.
#10 Block malicious URL requests
Block Bad Queries (BBQ) inspects every request URI for patterns such as encoded directory traversal (domain.com/?q=%2e%2e) or injected PHP (domain.com/path/base64_…) and answers them with HTTP 403 (Forbidden) instead of letting them reach your plug-ins and themes. http://wordpress.org/plugins/block-bad-queries/
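Added example, written for this page and not the Block Bad Queries plug-in's own code: a POSIX shell filter that runs over constructed Apache access-log lines and flags the two request shapes the slide names (encoded "../" via %2e%2e, and base64_ in the path) plus a few closely related ones. The pattern list and the sample log lines are this editor's assumptions; BBQ's real rule set lives in the plugin source and is broader.

```shell
#!/bin/sh
# Added example, not the Block Bad Queries plugin's code.
# Flags request targets that look like the probes slide #10 describes.
# The pattern list below is a deliberate simplification (my assumption);
# BBQ's real rule set is in the plugin source and is broader.

# classify_request TARGET
# Prints a reason and returns 0 when TARGET matches a known-bad pattern,
# returns 1 (prints nothing) otherwise.
classify_request() {
    # Lower-case first so %2E%2E and %2e%2e hit the same rule.
    t=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$t" in
        *%2e%2e*|*../*)          echo "directory-traversal"; return 0 ;;
        *base64_*|*'eval('*)     echo "php-injection";       return 0 ;;
        *%00*)                   echo "null-byte";           return 0 ;;
        *'<script'*|*%3cscript*) echo "xss-probe";           return 0 ;;
    esac
    return 1
}

# scan_access_log < access.log
# Expects Apache combined log format; field 7 is the request target.
# Prints "<reason> <client-ip> <target>" for every flagged line.
scan_access_log() {
    while IFS= read -r line; do
        target=$(printf '%s\n' "$line" | awk '{print $7}')
        client=$(printf '%s\n' "$line" | awk '{print $1}')
        [ -n "$target" ] || continue
        if reason=$(classify_request "$target"); then
            echo "$reason $client $target"
        fi
    done
}

# Constructed sample lines (TEST-NET addresses, not real traffic):
# two probes of the kind the slide mentions and two legitimate requests.
SAMPLE_LOG='203.0.113.5 - - [19/Feb/2014:10:00:01 +0100] "GET /?q=%2E%2E/%2E%2E/etc/passwd HTTP/1.1" 200 512 "-" "curl/7.35"
203.0.113.6 - - [19/Feb/2014:10:00:02 +0100] "GET /blog/2014/02/hardening-wordpress/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2014:10:00:03 +0100] "GET /path/base64_decode(aGVsbG8=) HTTP/1.1" 404 210 "-" "python-requests"
203.0.113.8 - - [19/Feb/2014:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Usage: run the filter over the sample (or: scan_access_log < /var/log/apache2/access.log)
printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```

Lower-casing before matching is the important detail: encoded traversal arrives as %2E%2E as often as %2e%2e, and a filter that checks only one spelling is trivially bypassed. Run against a real log this gives you a quick view of who is probing before you decide whether a blocking plug-in is worth installing.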
ADDITIONAL TWEAKS: THINGS YOU COULD DO IN YOUR CONFIG AS WELL…
#11 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Forces the login form to submit over SSL, but the admin session afterwards may still run over plain HTTP, so the logged-in cookies can be sniffed and replayed. (Since WordPress 4.0 this constant is deprecated; set FORCE_SSL_ADMIN instead.)
define('FORCE_SSL_ADMIN', true);
Forces logins and all wp-admin sessions over SSL, so the authentication cookies are never sent in the clear. Needs a valid certificate for the site; the extra TLS handshakes cost a little performance.
#12 Move the "wp-content" folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/my-wp-content');
WP_CONTENT_DIR is the full local path of the new location (no trailing slash).
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL is the full URL of the new location (no trailing slash either).
This trips up scanners and exploit scripts that assume the default /wp-content/plugins/… paths, but it only hides a vulnerable plug-in, it does not fix it. Badly written plug-ins that hard-code the default path will stop working.
#13 Disable File Editing
define('DISALLOW_FILE_EDIT', true);
Disables editing theme and plug-in files from the dashboard. By default, administrators may edit PHP files there, which turns any stolen admin session into remote code execution on your server. Setting the constant is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users.
#14 Fix File & Folder Permissions
Typical scheme: directories 755, files 644, owned by your own (non-web-server) user; only wp-content/uploads needs to be writable by the web server user. Very important: chmod your wp-config.php to be read-only (400/440, see #5)!
WP-Security Scan checks, among other things, for files and folders whose permissions are looser than that: http://wordpress.org/extend/plugins/wp-security-scan/
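Added example for #5 and #14, written for this page and not taken from the slides or from any plug-in: a POSIX shell script that applies the 755/644 scheme, tightens wp-config.php, keeps wp-content/uploads writable for the web server, and then audits the tree for anything still world-writable or a wp-config.php readable by "other". Assumptions (this editor's, not the slides'): the files are owned by your deploy user and PHP runs as a different user in the same group, hence 440 for wp-config.php (export WP_CONFIG_MODE=400 when PHP runs as the file owner), and uploads is the only directory the web server must write to.

```shell
#!/bin/sh
# Added example for slides #5 and #14; not from the slides or any plugin.
# Applies the usual WordPress permission scheme and then audits the result.
#
# Assumptions (mine, not the slides'): files are owned by the deploy user and
# PHP runs as another user in the same group, so wp-config.php gets 440.
# If PHP runs as the file owner, export WP_CONFIG_MODE=400 instead.
# The web server is assumed to need write access only under wp-content/uploads.

WP_CONFIG_MODE="${WP_CONFIG_MODE:-440}"

# harden_wp_perms WP_ROOT
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories: owner writes, everyone may traverse and list.
    find "$root" -type d -exec chmod 755 {} +
    # Files: owner writes, everyone reads. PHP files never need the execute bit;
    # this also strips any 777 left behind by a careless FTP client.
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds DB credentials and the salts: no "other" access at all.
    if [ -f "$root/wp-config.php" ]; then
        chmod "$WP_CONFIG_MODE" "$root/wp-config.php"
    fi
    # Media uploads must stay writable by the web server (group write, not world).
    if [ -d "$root/wp-content/uploads" ]; then
        chmod -R g+w "$root/wp-content/uploads"
    fi
    return 0
}

# audit_wp_perms WP_ROOT
# Prints every world-writable path and warns if wp-config.php is readable by
# "other". Returns 0 when clean, 1 when anything was found.
audit_wp_perms() {
    root="$1"
    # -perm -0002: the other-write bit is set (POSIX numeric form). Symlinks are
    # skipped because find reports the link's own mode (usually 777).
    ww=$(find "$root" ! -type l -perm -0002 -print)
    [ -z "$ww" ] || printf 'world-writable:\n%s\n' "$ww"
    cfg_leak=""
    if [ -f "$root/wp-config.php" ]; then
        cfg_leak=$(find "$root/wp-config.php" -perm -0004 -print)
        [ -z "$cfg_leak" ] || echo "wp-config.php is readable by others"
    fi
    [ -z "$ww" ] && [ -z "$cfg_leak" ]
}

# Usage: sh harden-perms.sh /var/www/html   (does nothing without an argument)
if [ $# -ge 1 ]; then
    harden_wp_perms "$1" && audit_wp_perms "$1" && echo "permissions OK"
fi
```

Run the audit function on its own from cron to catch a plug-in installer or an FTP client that quietly resets files to 777 again. On a shared host where PHP runs as your own user you need 400 for wp-config.php, since 440 would leave it readable by everybody in your group.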
@basgr
SEO Trainings, Seminars & Strategy Consulting
Berlin-based Full-Service Performance Marketing Agency
WordPress Security, Consulting & Development
www.bg.vu/fos14