I did some research on securing WordPress. My research led to adding and configuring some WordPress plug-ins along with hardening WordPress itself.
New WordPress Plugins and Configuration
- WP Updates Notifier by Scott Criss
  - Install and activate
  - Settings
    - Confirm the email address to send to
    - Save settings with a test email
- BackWPup by Inpsyde GmbH
  - Install and activate
  - Go to the Dashboard and follow the First Steps links
    - Check the installation
    - Create a job
      - Name – Nightly
      - Job Tasks – check Database backup, File backup, Installed plug-ins list
      - Archive name – nightly_%Y-%m-%d_%H-%i-%s
      - Archive Format – Zip
      - Job Destination – Backup to Folder
      - Confirm the email address and from address for sending the log
      - Save changes
    - Run the created job
      - Run the job now
      - Check the job log
    - Schedule
      - Start job – check “with WordPress cron”
      - Scheduler type – basic
      - Scheduler – daily at 3:00
      - Save changes
    - To: Folder
      - File deletion – 30
      - Save changes
- WP Security Audit Log
  - Install and activate
  - Settings -> Audit Log
    - Alerts Timestamp – WordPress’ timezone
- Wordfence
  - Install and activate
  - Close Tour
  - Click to start configuration
  - Click End the Tour
  - Web Application Firewall
    - Click Continue to accept the server configuration
    - Download a copy of the HTACCESS file
    - Click Continue
  - Scan -> Scheduling
    - Confirm that automatic scans is checked by default
  - Scan -> Options
    - Check – Scan plugin files against repository versions for changes
    - Save Options
  - Firewall -> Brute Force
    - Lock out after how many login failures – 5
    - Lock out after how many forgot password attempts – 5
    - Save Options
  - Options
    - Basic Options
      - Enter the email address to send alerts to
    - Email Summary
      - Email Summary frequency – Once a day
    - Advanced Options
      - Check – alert me when a non-admin user signs in
    - Basic Options
  - Scan
    - Click Start a Wordfence Scan
    - Fix any issues
  - Check back in a week to see if the firewall rule is enabled.
Hardening WordPress – https://codex.wordpress.org/Hardening_WordPress
- WP-Admin folder – password protect
  - Media Temple
    - Password Protect Folder command
    - Create user
    - Select folder
    - Password Protect Folder command
  - Fix the admin-ajax.php error in the HTACCESS file in the WP-Admin folder
    - Media Temple
- WP-Includes folder – block scripts
  - Add text to HTACCESS right before the WordPress section
- WP-Content\Uploads folder – block PHP execution
  - Add to a new HTACCESS file and upload it to the Uploads folder
- WP-config.php – prevent viewing
  - Add to the top of the HTACCESS file
- Disable File Editing
  - Add to the end of wp-config.php
Code to Harden WordPress
WP-admin folder – secure at Media Temple
fix admin-ajax error in HTACCESS in wp-admin folder
# Let admin-ajax.php through the wp-admin password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
————————-
WP-Includes – add in HTACCESS right before the # BEGIN WordPress block
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
———————
Uploads – add to blank HTACCESS file and upload to Uploads folder
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
—————————–
WP-Config – add to top of HTACCESS
<files wp-config.php>
order allow,deny
deny from all
</files>
——-
Disable file editing – add to end of wp-config.php
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
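As an added example (not from the original post or the WordPress Codex), a small Python checker that reads the three files this section edits and reports whether each hardening directive is actually present, which is the check to run after deploying the snippets above. The inputs are constructed copies of those snippets, and the checker accepts both the Apache 2.2 "deny from all" form used here and the Apache 2.4 "Require all denied" equivalent (the 2.2 form only works on 2.4 with mod_access_compat loaded).

```python
import re

# Constructed copies of the three snippets from this post (not read from a live site).
ROOT_HTACCESS = r"""<files wp-config.php>
order allow,deny
deny from all
</files>
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
"""
UPLOADS_HTACCESS = "<Files *.php>\ndeny from all\n</Files>\n"
WP_CONFIG = "define('DISALLOW_FILE_EDIT', true);\n"

# "deny from all" is Apache 2.2 syntax (on 2.4 it needs mod_access_compat);
# "Require all denied" is the native 2.4 form. Accept either so the check is not version-bound.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# The wp-includes rule that returns 403 for any PHP file directly under wp-includes/.
INCLUDES_RULE_RE = re.compile(
    r"^\s*RewriteRule\s+" + re.escape(r"^wp-includes/[^/]+\.php$") + r"\s+-\s+\[F,L\]", re.M)
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)")

def files_block(text, target):
    """Return the body of a <Files target> ... </Files> container, or None (directive names are case-insensitive)."""
    m = re.search(r"<files\s+" + re.escape(target) + r"\s*>(.*?)</files>", text, re.I | re.S)
    return m.group(1) if m else None

def audit_hardening(root_htaccess, uploads_htaccess, wp_config):
    """Return {checklist item: True/False} for the four hardening steps in this post."""
    cfg_body = files_block(root_htaccess, "wp-config.php")
    uploads_body = files_block(uploads_htaccess, "*.php")
    return {
        "wp-config.php not viewable": bool(cfg_body and DENY_RE.search(cfg_body)),
        "uploads PHP execution blocked": bool(uploads_body and DENY_RE.search(uploads_body)),
        "wp-includes PHP blocked": bool(INCLUDES_RULE_RE.search(root_htaccess)),
        "dashboard file editing disabled": bool(FILE_EDIT_RE.search(wp_config)),
    }

if __name__ == "__main__":
    for item, ok in audit_hardening(ROOT_HTACCESS, UPLOADS_HTACCESS, WP_CONFIG).items():
        print("PASS" if ok else "FAIL", item)
```

To audit a real install, replace the three constructed strings with the contents of the site root .htaccess, wp-content/uploads/.htaccess and wp-config.php.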