WordPress Security
From WordPress hosting - “Harden Security”, Ticket 6540
To Do
Admin Accounts (manual install and configuration).
Set
WP_DEBUGtofalseinwp-config.php.Security plugins (manual install and configuration).
Remove all .htaccess files (hopefully using Salt)
Steps
Admin Accounts
Add 2FA to admin level user accounts using (a good plugin). Perhaps one of these, https://kinsta.com/blog/wordpress-security-plugins/
cron
We run WordPress cron tasks using the Linux cron system, so disable the
fire on every page load option in wp-config.php:
# 'wp-config.php'
define('DISABLE_WP_CRON', true);
For information:
Our Nginx configuration disables calling
wp-cron.phpvia an HTTP process e.g:location ~* ^/(?:wp-cron.php|wp-links-opml ... deny all; }The Linux
crontask is created using Salt, https://gitlab.com/kb/salt/-/commit/809a65cdd8119a0faeab9afd9d64fe5799694968
fail2ban
The following plugins are compatible with fail2ban:
Loginizer https://loginizer.com/
Limit Login Attempts Reloaded https://www.limitloginattempts.com/
For more information, see, fail2ban - chat with Malcolm.
Plugins
One of our customers was using Really Simple SSL, https://wordpress.org/plugins/really-simple-ssl/ but this duplicates the features provided by our LetsEncrypt certificates. For more information, see Really Simple SSL - chat with Malcolm
Security plugins
For now, we are using Sucuri, https://sucuri.net/website-security-platform/signup/
Chosen from, https://kinsta.com/blog/wordpress-security-plugins/
.htaccess
All copies of .htaccess should be removed from the live folder (and
sub-folders) e.g:
/home/web/repo/project/www.hatherleigh.info/live
For more information, see:
- NGINX does not read .htaccess files
and any restrictions set with a
.htaccessfile will not apply.
- Nginx does not use .htaccess files as Apache does
This means that configuration previously done in
.htaccessfiles now has to be done in a different format, explained in the Nginx documentation.