I did some research on securing WordPress. My research led to adding and configuring some WordPress plug-ins along with hardening WordPress itself.


New WordPress Plugins and Configuration

  • WP Updates Notifier by Scott Cariss
    • Install and activate
    • Settings
    • Confirm the email address to send notifications to
    • Save settings and send a test email
  • BackWPup by Inpsyde GmbH
    • Install and activate
      • Go to the Dashboard and follow the First Steps links
      • Check the installation
      • Create a job
        • Name – Nightly
        • Job Tasks – check database backup, file backup, installed plug-ins list
        • Archive name – nightly_%Y-%m-%d_%H-%i-%s
        • Archive Format – Zip
        • Job Destination – Backup to Folder
        • Confirm the email address and from address to send the log to
        • Save changes
      • Run the created job
        • Run the job now
      • Check the job log
    • Schedule
      • Start job – check “with WordPress cron”
      • Scheduler type – basic
      • Scheduler – daily at 3:00
      • Save changes
    • To: Folder
      • File deletion – 30
      • Save changes
  • WP Security Audit Log
    • Install and activate
    • Settings -> Audit Log
    • Alerts Timestamp – WordPress’ timezone
  • Wordfence
    • Install and activate
    • Close Tour
    • Click to start configuration
      • Click End the Tour
      • Web Application Firewall
        • Click continue to accept server configuration
        • Download copy of HTACCESS file
        • Click Continue
    • Scan -> Scheduling
      • Confirm automatic scans is checked by default
    • Scan -> Options
      • Check – Scan plugin files against repository versions for changes
      • Save Options
    • Firewall -> Brute Force
      • Lock out after how many login failures – 5
      • Lock out after how many forgot password attempts – 5
      • Save Options
    • Options
      • Basic Options
        • Enter email address to send alerts
      • Email Summary
        • Email Summary frequency – Once a day
      • Advanced Options
        • Check – alert me when a non-admin user signs in
    • Scan
      • Click start a Wordfence scan
      • Fix any issues
    • Check back in a week to see whether the firewall has left learning mode and the rules are enabled.


Hardening WordPress – https://codex.wordpress.org/Hardening_WordPress

  • wp-admin folder – password protect it
    • Media Temple
      • Password Protect Folder command
        • Create user
        • Select folder
    • Fix the admin-ajax.php error in the .htaccess in the wp-admin folder
  • wp-includes folder – block scripts
    • Add text to .htaccess right before the WordPress section
  • wp-content/uploads folder – block PHP execution
    • Add to a new .htaccess file and upload it to the uploads folder
  • wp-config.php – prevent viewing
    • Add to the top of the .htaccess file
  • Disable File Editing
    • Add to the end of wp-config.php


Code to Harden WordPress


WP-admin folder – secure at Media Temple

————————
Fix the admin-ajax.php error in the .htaccess in the wp-admin folder (password protection on wp-admin otherwise blocks the front-end AJAX requests that go through this file)

# Let admin-ajax.php through the folder password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

————————
wp-includes – add to the root .htaccess right before the "# BEGIN WordPress" line

# Block the include-only files.
# Multisite: the ^wp-includes/[^/]+\.php$ rule also blocks ms-files.php; omit that line there.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
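As an added illustration (not part of the original post, and not Apache code), the following Python script emulates how mod_rewrite walks this ruleset, including the [S=3] skip that confines the three wp-includes rules to wp-includes paths. Only the two flags the ruleset uses, F and S=n, are modelled, and the request paths are constructed samples.

```python
import re

# The page's five RewriteRule lines, transcribed by hand into Python regexes.
# Each entry: (pattern, negated, flags). Only the two flags the ruleset uses are
# modelled: F (answer 403 and stop) and S=n (skip the next n rules on a match).
RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),          # the "!" prefix on the page
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]


def evaluate(path):
    """Return "forbidden" or "allowed" for a request path.

    `path` is the URL path relative to the document root with no leading slash,
    which is what mod_rewrite matches against in a root .htaccess with RewriteBase /.
    """
    i = 0
    while i < len(RULES):
        pattern, negated, flags = RULES[i]
        matched = re.search(pattern, path) is not None
        if negated:
            matched = not matched
        if matched:
            if flags.get("F"):
                return "forbidden"
            # S=n: the "-" substitution changes nothing; the match only jumps over
            # the next n rules, so paths outside wp-includes/ never reach them.
            i += 1 + flags.get("S", 0)
        else:
            i += 1
    return "allowed"


# Constructed sample requests covering each rule and the skip.
SAMPLE_PATHS = [
    "wp-includes/version.php",                 # direct include: forbidden
    "wp-includes/js/jquery/jquery.js",         # static asset: allowed
    "wp-includes/js/tinymce/langs/en.php",     # tinymce language file: forbidden
    "wp-includes/theme-compat/header.php",     # compat template: forbidden
    "wp-admin/includes/file.php",              # admin include: forbidden
    "wp-admin/admin-ajax.php",                 # skipped past the wp-includes rules: allowed
    "index.php",                               # front controller: allowed
]


def evaluate_all(paths=SAMPLE_PATHS):
    """Map each sample path to the verdict the ruleset would give it."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    for p, verdict in evaluate_all().items():
        print(f"{verdict:9s} {p}")
```

The emulator is deliberately minimal: it does not model rewrite conditions, the L flag's interaction with later .htaccess files, or the WordPress rules that follow, so use it to reason about this block, not as a substitute for testing the live server.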

————————
Uploads – add to a blank .htaccess file and upload it to the wp-content/uploads folder

# Kill PHP Execution
# (Apache 2.2 access syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files *.php>
deny from all
</Files>

————————
wp-config.php – add to the top of the root .htaccess

# Never serve the configuration file, even if PHP stops executing
<files wp-config.php>
order allow,deny
deny from all
</files>

————————
Disable file editing – add to the end of wp-config.php

## Disable the theme and plugin editors in the Dashboard
define('DISALLOW_FILE_EDIT', true);
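Added example, not from the original post and not a WordPress or Apache tool: a Python audit script that checks a WordPress document root for each snippet listed above (the wp-config.php and wp-includes blocks in the root .htaccess, the uploads .htaccess, the admin-ajax.php exemption in wp-admin/.htaccess, and the DISALLOW_FILE_EDIT define). The sample files it writes into a temporary directory are constructed for the demonstration; the file locations are assumed from the page's instructions.

```python
import os
import re
import tempfile

# One entry per control from the page: (label, file relative to the document root,
# regex that must match that file). Matching is case-insensitive because Apache
# accepts <files> and <Files> alike, and whitespace differences are tolerated.
CHECKS = [
    ("wp-config.php denied in root .htaccess", ".htaccess",
     r"<files\s+wp-config\.php>\s*(?:order\s+allow,deny\s*)?deny\s+from\s+all\s*</files>"),
    ("wp-includes PHP blocked in root .htaccess", ".htaccess",
     r"RewriteRule\s+\^wp-includes/\[\^/\]\+\\\.php\$\s+-\s+\[F,L\]"),
    ("PHP execution blocked in wp-content/uploads", "wp-content/uploads/.htaccess",
     r"<files\s+\*\.php>\s*deny\s+from\s+all\s*</files>"),
    ("admin-ajax.php exempted in wp-admin/.htaccess", "wp-admin/.htaccess",
     r"<files\s+admin-ajax\.php>[\s\S]*?satisfy\s+any[\s\S]*?</files>"),
    ("file editor disabled in wp-config.php", "wp-config.php",
     r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"),
]


def audit_hardening(docroot):
    """Return {label: True/False} for every control, checked against a document root.
    A missing file counts as a failed check, since the control cannot be in place."""
    results = {}
    for label, relpath, pattern in CHECKS:
        full = os.path.join(docroot, relpath)
        try:
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            results[label] = False
            continue
        results[label] = re.search(pattern, text, re.IGNORECASE) is not None
    return results


# Constructed sample files reproducing the page's snippets (not taken from any real site).
HARDENED_FILES = {
    ".htaccess": r"""<files wp-config.php>
order allow,deny
deny from all
</files>

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
# END WordPress
""",
    "wp-admin/.htaccess": "<Files admin-ajax.php>\nOrder allow,deny\nAllow from all\nSatisfy any\n</Files>\n",
    "wp-content/uploads/.htaccess": "# Kill PHP Execution\n<Files *.php>\ndeny from all\n</Files>\n",
    "wp-config.php": "<?php\n// constructed stub of wp-config.php\ndefine('DISALLOW_FILE_EDIT', true);\n",
}


def build_sample_site(root, hardened=True):
    """Write a minimal constructed tree under `root`; with hardened=False only a bare
    wp-config.php is written, so every check should fail."""
    files = HARDENED_FILES if hardened else {"wp-config.php": "<?php\n// no hardening applied\n"}
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo(hardened=True):
    """Build a throwaway sample site, audit it, and return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp, hardened)
        return audit_hardening(tmp)


if __name__ == "__main__":
    for label, ok in demo().items():
        print(("PASS " if ok else "FAIL ") + label)
```

Point `audit_hardening()` at a real document root to re-check the controls after a plugin update or a host migration rewrites .htaccess; it confirms the directives are present, not that Apache honours them, so pair it with a request to wp-config.php that should return 403.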