Hi, I hope I’ve posted in the correct place. If not, I apologize.

    I am an old-timer programmer here. We’re talking COBOL and C from the mid 80s until the late 90s. I do have a grasp of front-end languages, and PHP seemed natural to me when I started playing with it last year.

    My buddy just handed me a contract to build and maintain a subscription site. It will deliver a curriculum (LMS) for those interested in becoming proficient IELTS instructors.

    WP is well documented and supported.  Therefore, I felt it was a good choice for delivering products online.

    At this moment, I am seeking advice on WP security.

    Setup:
    Dev: Windows 11, WAMP, Apache 2.4.65, PHP 8.23.28, MySQL 8.4.7, MariaDB 11.4.9

    Live: We have a managed WP package with IONOS. I haven’t got the info in front of me at this moment.

    I’ve read that the following steps are good ways to increase stability.  I would like to know what others believe, and would gladly accept any advice.

    Sorry, it is a long list.

    1. Choose a good host
    2. Change database prefix (wp_prefix to something like ourdb_prefix)
    3. Move admin profile
    4. Disable pingbacks
    5. .htaccess file usage (I am new to this)
    6. File permissions
    7. Disable file editing
    8. Use Cloudflare (nice product)
    9. Backups regularly (Of course)
    10. Activate and force HTTPS(I think our host does this already)
    11. Disable session suggestions
    12. Change Admin URL
    13. Limit login attempts
    14. Use firewalls (again, I think our host has this feature)
    15. Whitelist my own IP for admin usage within WP
    16. 2FA (Great)
    17. Secure Headers
    18. Disable atom/rss feeds
    19. Prevent XML-RPC attacks
    20. Delete readme.html
    21. Hide PHP warnings and notifications
    22. Hide Apache, PHP and WP versions
    23. Updates , backups and scans
    24. Use Captcha

    Okay, so I think that is quite a bit of setup work. But I have some questions.

    1.  Is all this really necessary?
    2. What have I missed?
    3. Will this create performance problems?

    Again, I want to thank everyone for supporting each other. 

    Alien
Viewing 8 replies - 1 through 8 (of 8 total)
    Hi @lostalien666

    WordPress is one of the most popular CMSs, so it is expected to see some attempts; therefore, security is always a good idea.

    Choose a good host – Always good
    Change database prefix (wp_prefix to something like ourdb_prefix) – Usually, managed hosting will already create the WordPress install using a custom prefix
    Move admin profile – Not sure what is meant here, but ideally you can stop user enumeration attacks by hiding the profiles, e.g. /author/1
    Disable pingbacks – That will depend on whether you would like them or not: https://wordpress.org/documentation/article/trackbacks-and-pingbacks/
    .htaccess file usage (I am new to this) – .htaccess will be relevant if you use an Apache server; otherwise the Nginx config will handle it
    File permissions – Use the WordPress recommended file permissions: https://developer.wordpress.org/advanced-administration/server/file-permissions/
    Disable file editing – That’s a good idea
    Use Cloudflare (nice product) – That’s a good idea
    Backups regularly (Of course) – Must step
    Activate and force HTTPS (I think our host does this already) – Must step
    Disable session suggestions – Will not make a lot of difference, but you can use a plugin to reduce your session time, for example expire the session after 1 h of inactivity
    Change admin URL – You can mask wp-login.php, but modifying wp-admin won’t bring a lot of security enhancement
    Limit login attempts – That’s a good idea
    Use firewalls (Again, I think our host has this feature) – That’s a good idea
    Whitelist my own IP for admin usage within WP – Not really necessary
    2FA (Great) – That’s a good idea
    Secure headers – That’s a good idea
    Disable Atom/RSS feeds – Depends on whether you are using them or not
    Prevent XML-RPC attacks – Depends on whether you are using it or not
    Delete readme.html – Not really necessary
    Hide PHP warnings and notifications – Good idea
    Hide Apache, PHP and WP versions – It is a good idea, to avoid zero-day attacks, but mostly keep things updated
    Updates, backups and scans – Great idea
    Use CAPTCHA – Good idea if you have a comments section

    WordPress has some documentation about security at https://wordpress.org/about/security/ and https://developer.wordpress.org/advanced-administration/security/hardening/; this will be the best starting point.

    Best Regards
    Patrick Freitas

    Thread Starter lostalien666

    (@lostalien666)

    Hi Patrick

    Thanks for your time and for giving some feedback on these items.

    Tech has changed so much since the 90s that my head was spinning with the options. I will be following up on these now, as I finally got a day off from work.

    I’ll also read those links now.

    More to come.

    Thread Starter lostalien666

    (@lostalien666)

    I have completed 90% of that. I still want to study some things about .htaccess, as there are several mods to be made.

    How could someone test all these?

    Hi @lostalien666,

    Testing would require a manual workflow, but you could use these for some of these aspects:

    Security Headers: https://securityheaders.com

    SSL: https://www.ssllabs.com/ssltest/

    https://wpscan.com/ and Sucuri online SiteCheck, etc.

    Testing the .htaccess rules would require manual checks, e.g. creating a PHP file and checking whether you could access it directly based on the added rules.

    Regards,

    Nithin
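The checks named in this reply can be scripted as well. The PHP CLI script below is an added example, not code from the thread, from WordPress, or from any of the tools linked above. It fetches a handful of URLs from the site and reports version disclosures (Server, X-Powered-By, the generator meta tag), missing security headers, a reachable readme.html or xmlrpc.php, login-name leakage through ?author=1 and the REST users endpoint, and the .htaccess probe described in the reply (a PHP file dropped into wp-content/uploads that must not execute). The file names lms-check.php and lms-probe.php and the host lms.example are assumptions; the rest is plain PHP 8 with no extensions beyond the stream wrapper.

```php
<?php
// lms-check.php (hypothetical name): php lms-check.php https://your-site
// Added example, not code from the thread or from the tools named in it.
// With no URL argument it runs the page checks on a constructed sample.

/** GET one URL without following redirects: [status, lower-cased headers, body]. */
function lms_fetch(string $url): array
{
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'ignore_errors'   => true, // return 4xx/5xx bodies instead of false
        'follow_location' => 0,    // we want to see the redirect itself
        'timeout'         => 10,
        'user_agent'      => 'lms-hardening-check/1.0',
    ]]);
    $body    = (string) @file_get_contents($url, false, $ctx);
    $status  = 0;
    $headers = [];
    foreach ($http_response_header ?? [] as $line) { // filled in by file_get_contents
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
        } elseif (str_contains($line, ':')) {
            [$name, $value] = explode(':', $line, 2);
            $headers[strtolower(trim($name))] = trim($value);
        }
    }
    return [$status, $headers, $body];
}

/** Checks on a single response: list items 17 (headers), 19 (pingback) and 22 (versions). */
function lms_check_page(array $headers, string $body): array
{
    $findings = [];
    if (preg_match('/\d+\.\d+/', $headers['server'] ?? '')) {
        $findings[] = 'Server header discloses a version: ' . $headers['server'];
    }
    if (isset($headers['x-powered-by'])) {
        $findings[] = 'X-Powered-By discloses PHP: ' . $headers['x-powered-by'];
    }
    if (preg_match('/<meta\s+name="generator"\s+content="WordPress[^"]*"/i', $body)) {
        $findings[] = 'generator meta tag discloses the WordPress version';
    }
    if (isset($headers['x-pingback'])) {
        $findings[] = 'X-Pingback header present: XML-RPC pingbacks are enabled';
    }
    foreach (['strict-transport-security', 'x-content-type-options',
              'x-frame-options', 'referrer-policy'] as $name) {
        if (!isset($headers[$name])) {
            $findings[] = "missing security header: $name";
        }
    }
    return $findings;
}

/** Checks that need extra requests: items 3, 19, 20 and the .htaccess probe. */
function lms_check_site(string $base): array
{
    $base = rtrim($base, '/');
    [, $headers, $body] = lms_fetch($base . '/');
    $findings = lms_check_page($headers, $body);

    [$status] = lms_fetch($base . '/readme.html');
    if ($status === 200) {
        $findings[] = 'readme.html is reachable (it states the WordPress version)';
    }
    // A live xmlrpc.php answers GET with 405 "accepts POST requests only".
    [$status] = lms_fetch($base . '/xmlrpc.php');
    if ($status === 405) {
        $findings[] = 'xmlrpc.php is reachable';
    }
    // Stock WordPress redirects ?author=1 to /author/<login>/, naming the first account.
    [$status, $headers] = lms_fetch($base . '/?author=1');
    if ($status >= 300 && $status < 400 && str_contains($headers['location'] ?? '', '/author/')) {
        $findings[] = 'user enumeration: ?author=1 redirects to ' . $headers['location'];
    }
    [$status, , $body] = lms_fetch($base . '/wp-json/wp/v2/users');
    if ($status === 200 && str_contains($body, '"slug"')) {
        $findings[] = 'REST /wp/v2/users lists accounts without a login';
    }
    // The .htaccess test: upload a file whose only content is the line
    // <?php echo 'executed'; as wp-content/uploads/lms-probe.php (hypothetical
    // name), check that the deny rule stops it running, then delete it again.
    [$status, , $body] = lms_fetch($base . '/wp-content/uploads/lms-probe.php');
    if ($status === 200 && str_contains($body, 'executed')) {
        $findings[] = 'PHP executes inside wp-content/uploads';
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        $findings = lms_check_site($argv[1]);
    } else {
        // Constructed sample standing in for an unhardened site, for offline runs.
        $findings = lms_check_page(
            ['server' => 'Apache/2.4', 'x-powered-by' => 'PHP/8.2',
             'x-pingback' => 'https://lms.example/xmlrpc.php',
             'content-type' => 'text/html; charset=UTF-8'],
            '<html><head><meta name="generator" content="WordPress 6.x" /></head></html>'
        );
    }
    echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'no findings' . PHP_EOL;
    exit($findings ? 1 : 0);
}
```

Run it against the live site once the hardening is in place and again after every WordPress or plugin update; it exits 1 whenever it finds something, so it can sit in a cron job next to the backups. Without an argument it only exercises the page-level checks on the constructed sample, which is enough to see what each finding looks like before pointing it at the real host. Note that if Cloudflare sits in front of the site, the Server header will read "cloudflare" and hide Apache's version on its own.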

    Thread Starter lostalien666

    (@lostalien666)

    Good morning.

    Hey, that sounds great! Just waking up here and looking at an NBA game over coffee.

    Your advice is greatly appreciated. I will have a look at those today.

    Back in my early days, we didn’t have to worry about so much as today. Things have really changed a lot. Many things are already made to do much of the work that was all done by hand, back in the day.

    But I certainly will not skimp on testing.

    I’ll have a go at those and report back.

    Thanks

    Hi @lostalien666

    Back in my early days, we didn’t have to worry about so much as today. Things have really changed a lot. Many things are already made to do much of the work that was all done by hand, back in the day.

    With AI we now see more attack vectors, so security is even more important than ever indeed.

    Best Regards
    Patrick Freitas

    Thread Starter lostalien666

    (@lostalien666)

    I suppose I just opened a can of worms for myself? lol

    Thread Starter lostalien666

    (@lostalien666)

    OK, I am back finally.

    First of all, thanks for the advice on this list.

    I’ve completed 95% of them, but had issues setting up SFTP/SSH on IONOS to get access to wp-config.php and .htaccess,

    so I couldn’t get the following done. Advice please:

    1. Hiding Apache/PHP versions
    2. Hiding PHP warnings and notifications

    Just these two I wasn’t able to set up as of now.

    Thank the old gods and the new for a system like Cloudflare. That’s some powerful safety gear. I couldn’t even imagine doing this by hand in the ‘old days.’

    For ending this task, I’d like to ask another short round of questions.

    Those two steps mentioned above: are they critical?

    If so, I will move on to figure out why my SFTP isn’t granting me the access I set up on the host.

    Suggestions?

    Thanks again

    D
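Many items on the list in the first post, including the two left open in this last post (hiding PHP warnings and the PHP version banner), can be applied from one must-use plugin instead of by editing wp-config.php or .htaccess. The file below is an added example, not code from the thread, from IONOS or from WordPress core; it assumes the managed package lets you create a file under wp-content/mu-plugins/ (so it still needs the SFTP access to be sorted out, but for a single new file rather than the host's configuration), and the file name lms-hardening.php and the lms_ prefix are placeholders. The item numbers in the comments refer to the first post's list. Two things it cannot do, and which only the host can: Apache's Server banner is governed by ServerTokens, which is only valid in the main server configuration, and expose_php is a php.ini-only setting. Removing the X-Powered-By header from PHP, as the file does, hides the PHP version from responses regardless of expose_php.

```php
<?php
/**
 * Plugin Name: LMS hardening (added example, not from the thread)
 * Description: Applies checklist items 3, 4, 7, 13, 17, 18, 19, 21 and 22
 * from the first post. Save as wp-content/mu-plugins/lms-hardening.php
 * (hypothetical name): mu-plugins load automatically, before any output,
 * and cannot be deactivated from wp-admin.
 */

if (!defined('ABSPATH')) {
    exit; // only meaningful inside a WordPress request
}

// 7. Disable the theme/plugin editor. Same effect as the constant in
//    wp-config.php; core checks it at request time, after mu-plugins load.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 21. Never show PHP warnings/notices to visitors; log them instead. This
//     overrides the host's php.ini for everything that runs after this file
//     (fatal errors earlier in bootstrap need display_errors=0 in .user.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 22 + 17. Drop "X-Powered-By: PHP/x.y" and add security headers on every
//     entry point (front end, wp-admin, wp-login.php, REST, XML-RPC). Apache's
//     own "Server:" banner comes from ServerTokens, which only the host can set.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header_remove('X-Powered-By');
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000'); // one year
    }
}

// 22. Remove the "WordPress x.y" generator tag from HTML, feeds and RSD.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 4 + 19. Switch XML-RPC off. pingback.ping needs no login, so the
//     xmlrpc_enabled filter alone does not stop pingback abuse; emptying the
//     method table does. Keep XML-RPC if you rely on Jetpack or the apps.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', '__return_empty_array');
add_filter('wp_headers', static function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3 + 18. Keep anonymous visitors out of author archives (/?author=1 and
//     /author/<login>/ reveal login names) and turn feeds off. Priority 1 runs
//     before redirect_canonical, which would otherwise answer ?author=1 with a
//     Location header that contains the login name.
add_action('template_redirect', static function (): void {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
    if (is_feed()) {
        wp_die('Feeds are disabled on this site.', '', ['response' => 403]);
    }
}, 1);
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);

// 3 (REST side). /wp-json/wp/v2/users lists accounts to anyone; keep it for
//     logged-in users only (the block editor needs it).
add_filter('rest_endpoints', static function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 13. Limit login attempts: 5 failures for one username+IP pair lock it out
//     for 15 minutes (each further attempt restarts the window). Transients
//     need no extra tables. Behind Cloudflare REMOTE_ADDR is Cloudflare's
//     address unless the host restores the client IP, so keying on the
//     username too stops one shared IP from locking out every account.
define('LMS_LOGIN_MAX_FAILS', 5);
define('LMS_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS);

function lms_login_key(string $username): string
{
    return 'lms_fails_' . md5(strtolower($username) . '|' . ($_SERVER['REMOTE_ADDR'] ?? ''));
}

add_action('wp_login_failed', static function (string $username): void {
    $key = lms_login_key($username);
    set_transient($key, (int) get_transient($key) + 1, LMS_LOGIN_WINDOW);
});

// Priority 30 runs after core's password check (20), so a locked pair is
// refused even once the password is right.
add_filter('authenticate', static function ($user, string $username) {
    if ($username !== '' && (int) get_transient(lms_login_key($username)) >= LMS_LOGIN_MAX_FAILS) {
        return new WP_Error('lms_locked_out', 'Too many failed logins; try again in 15 minutes.');
    }
    return $user;
}, 30, 2);
```

Everything here stacks with what the host and Cloudflare already do: the headers are harmless if the CDN sets the same ones, and the login throttle is a second line behind a WAF rather than a replacement for 2FA. The one-file form also answers the question of whether the two outstanding items are critical: hiding warnings matters because notices can print file paths and query fragments to the public, so set display_errors off here or in .user.ini as soon as file access works; the Apache version string is a minor leak once everything is kept updated, and it is the host's setting to change.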
