WordPress Security Checklist
grayghostvisuals edited this page Mar 20, 2013
# A Checklist for WordPress Security

- Hardening WordPress via the Codex
- Locking Down WordPress (free PDF)
1. Update! Update! Update!
2. Secure file permissions
   - 2.1 All WordPress core files should have `0644` default permissions (only writeable by the user account).
   - 2.2 Default WordPress folder permissions are `0755` (writeable only by the user and readable by the web server and everyone else).
3. Disable directory views (protects a directory from displaying a content tree to the user)
   - 3.2 Place this snippet in the `.htaccess` file of your site's root directory: `Options -Indexes`
4. Protect `wp-config.php`
   - 4.1 Use this snippet in your root's `.htaccess` file:

     ```apache
     # Secure Config File
     <Files ~ wp\-config\.php>
     Order Deny,Allow
     Deny from all
     # replace xxx.xxx.xxx with your personal IP whitelist
     Allow from xxx.xxx.xxx
     </Files>
     ```
5. Protect `install.php`
   - 5.1 Option one is to nuke the file entirely.
   - 5.2 Option two is to use the site's root `.htaccess` file for control.
6. Protect the `wp-admin` directory
7. Protect sensitive files by type
8. Stop users from injecting malicious code via the dashboard editors. Place the following line in your `wp-config.php`:

   ```php
   define('DISALLOW_FILE_EDIT', true);
   ```
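An added audit script for items 2 and 3 and the `DISALLOW_FILE_EDIT` line above (example code, not part of the wiki page). It assumes a POSIX shell with `find`, `grep`, `sed` and `chmod`, and builds a constructed sample site in a temporary directory with two deliberate permission mistakes so the checks have something to report.

```shell
#!/bin/sh
# Added audit script for this checklist (not part of the original wiki page):
# checks items 2 and 3 and the DISALLOW_FILE_EDIT line. Assumes a POSIX shell
# with find, grep, sed and chmod; the sample site is constructed, not real.

# Item 2: files that are not 0644 and directories that are not 0755,
# one "file <path>" or "dir <path>" line per violation.
wp_perm_violations() {
    find "$1" -type f ! -perm 644 | sed 's/^/file /'
    find "$1" -type d ! -perm 755 | sed 's/^/dir /'
}

# Number of permission violations under the root (0 means the tree is clean).
wp_perm_violation_count() {
    wp_perm_violations "$1" | wc -l | tr -d ' '
}

# Item 3: true (exit 0) only if an uncommented "Options ... -Indexes" line
# is present in the given .htaccess file.
htaccess_disables_indexes() {
    grep -qE '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Dashboard editors: true only if wp-config.php defines DISALLOW_FILE_EDIT
# as true on a line that is not commented out with // or #.
wpconfig_disables_file_edit() {
    grep -qiE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Constructed sample site with two deliberate mistakes: a world-writable
# uploads directory and an executable PHP file.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    printf 'Options -Indexes\n' > "$site/.htaccess"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$site/wp-config.php"
    : > "$site/wp-content/index.php"
    chmod 755 "$site" "$site/wp-content"
    chmod 644 "$site/.htaccess" "$site/wp-config.php"
    chmod 777 "$site/wp-content/uploads"
    chmod 755 "$site/wp-content/index.php"
    printf '%s\n' "$site"
}
site=$(make_sample_site)
wp_perm_violations "$site"
echo "permission violations: $(wp_perm_violation_count "$site")"
htaccess_disables_indexes "$site/.htaccess" && echo "directory listing: off"
wpconfig_disables_file_edit "$site/wp-config.php" && echo "dashboard editors: off"
rm -rf "$site"
```

Run it against a real install by replacing the constructed tree with the site root; any line printed by `wp_perm_violations` is a path whose mode departs from the checklist's baseline.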
## Directory Root .htaccess Snippets

```apache
# Disable Directory View
#Options -Indexes

# Secure Config File
# (the name in a plain <Files> is matched literally, so no backslash escapes)
<Files wp-config.php>
Order Deny,Allow
Deny from all
# replace xxx.xxx.xxx with your personal IP whitelist
Allow from xxx.xxx.xxx
</Files>

# Secure Range of IP to Config File
#<Files wp-config.php>
#Order Deny,Allow
#Deny from all
# replace xxx.xxx. with the prefix of your personal IP range
#Allow from xxx.xxx.
#</Files>

# Protect WordPress install.php from revealing any info to hackers
#<Files install.php>
#Order Allow,Deny
#Deny from all
#Satisfy all
#</Files>

# Protect Sensitive Files by File Type.
# (FilesMatch is needed for a regular expression; note that this pattern also
#  matches every .php file, so only whitelisted addresses could reach the site)
#<FilesMatch "\.(htaccess|ini|php)$">
#Order Deny,Allow
#Deny from all
#Allow from xxx.xxx.xxx
#</FilesMatch>

# Custom IP BLACKLIST
#<Limit GET POST PUT>
#Order Allow,Deny
#Allow from all
#Deny from xxx.xxx.xxx.xx
#</Limit>
```
## wp-admin Directory .htaccess Snippets

```apache
# Protect WP-Admin Files
# ".*" matches every file in this directory
<FilesMatch ".*">
Order Deny,Allow
Deny from all
# replace xxx.xxx.xxx with your personal IP whitelist
Allow from xxx.xxx.xxx
</FilesMatch>

# Secure WP-admin directory
# replace 123.456.789 with the prefix of your own address; note that themes
# and plugins call wp-admin/admin-ajax.php from the front end, so a whitelist
# here can break those features for other visitors
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.456\.789
RewriteRule ^(.*)$ - [F,L]
</IfModule>
```