WordPress hardening tips
Last Post 23 Oct 2015 08:19 AM by SuperUser Account. 0 Replies.
SuperUser Account
23 Oct 2015 08:19 AM
    Do not use "admin" or any part of the URL as the user name; pick something random or not easy to associate with the site.

    Consider using SSL for the site (it also gives an SEO boost).

    From codex.wordpress.org:
    wp-includes: A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Requests outside wp-includes/ skip the next three rules.
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>


    # BEGIN WordPress   (the block above goes before this existing line)
    Note that this won't work well on Multisite.

    Securing wp-config: it can be moved above the web root, but that may introduce issues. Using .htaccess:
    # Deny direct web access to wp-config.php (Apache 2.2 access syntax).
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    Disable file editing: the WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:

    define('DISALLOW_FILE_EDIT', true);

    Protect the wp-admin folder using cPanel password protection or .htaccess.
    In the wp-admin folder add another .htaccess:
    # "order deny,allow": deny everyone first, then let the listed addresses through.
    # (With "order allow,deny" the final "deny from all" would win and lock everyone out.)
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx

    Prevent folder browsing: inside .htaccess set "Options All -Indexes".

    Block the world but allow a specific IP:
    order deny,allow
    deny from all
    allow from <YOUR_IP_ADDRESS>

    Prevent PHP execution in uploads: if they get a file onto the server, let's at least slow them down from executing it. Place an .htaccess file in the /wp-content/uploads folder:
    # Turn the PHP engine off for this directory (do not use if suPHP is in use).
    php_flag engine off
    # Belt and braces: refuse to serve any .php file from here at all.
    <Files *.php>
    deny from all
    </Files>

    xmlrpc.php: implementing this depends on whether you have any plugins that use it (for example, Jetpack does).
    Add this to your .htaccess rules. Here is an example of what this might look like:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # Added line: send requests for xmlrpc.php to a dead address.
    # (As noted above, WordPress may rewrite anything between the BEGIN/END tags.)
    RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
    </IfModule>

    # END WordPress
    Other stuff
    Never, ever log on to the site from an untrusted network. Coffee shops, airports etc. are high risk. A bad person could be sitting there sniffing the traffic and get both the user name and the password to your site. I will take a latte with my hack?


    ---
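As an added example (not part of the post above), a small POSIX shell audit that checks a WordPress document root for the file-level hardening steps the post describes: DISALLOW_FILE_EDIT in wp-config.php, the wp-config.php block and -Indexes in the root .htaccess, the uploads .htaccess that stops PHP execution, and the correct "order deny,allow" form of the wp-admin allow-list. It assumes the standard WordPress layout (wp-config.php, wp-admin/, wp-content/uploads/) under the directory passed as the first argument; the function and check names are my own.

```shell
#!/bin/sh
# Audit a WordPress docroot for the .htaccess / wp-config hardening described above.
# Usage: wp_harden_check /var/www/site   (each check returns 0 = pass, 1 = fail)

# 1. DISALLOW_FILE_EDIT must be defined as true in wp-config.php.
check_file_edit() {
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
    "$1/wp-config.php" 2>/dev/null
}

# 2. The root .htaccess must carry a <files wp-config.php> block with "deny from all".
check_wpconfig_block() {
  f="$1/.htaccess"
  [ -f "$f" ] && grep -Eiq '<files[[:space:]]+"?wp-config\.php"?>' "$f" \
    && grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$f"
}

# 3. Directory listings must be disabled ("Options All -Indexes" or similar).
check_indexes() {
  grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# 4. wp-content/uploads/.htaccess must switch PHP off or refuse to serve *.php.
check_uploads_php() {
  f="$1/wp-content/uploads/.htaccess"
  [ -f "$f" ] && grep -Eiq 'php_flag[[:space:]]+engine[[:space:]]+off|<Files[[:space:]]+\*\.php>' "$f"
}

# 5. wp-admin/.htaccess allow-list must use "order deny,allow" + "deny from all";
#    with "order allow,deny" the trailing deny wins and nobody gets in.
check_wpadmin_order() {
  f="$1/wp-admin/.htaccess"
  [ -f "$f" ] && grep -Eiq '^[[:space:]]*order[[:space:]]+deny,allow' "$f" \
    && grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$f" \
    && grep -Eiq '^[[:space:]]*allow[[:space:]]+from[[:space:]]+' "$f"
}

# Run every check, print PASS/FAIL per item, return 1 if any failed.
wp_harden_check() {
  rc=0
  for c in check_file_edit check_wpconfig_block check_indexes check_uploads_php check_wpadmin_order; do
    if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}
```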