Divi WordPress Theme

WordPress fix Reply To: Security

Discussion in 'Misc WordPress Requests' started by Viktor Szépe, Feb 3, 2018.

  Viktor Szépe (Guest)

    Reply To: Security, by Viktor Szépe

    Hello!

    These are my keywords on security: no theory, almost all of them are incident-based.

    Compromise from hosting provider

    Choose an enterprise-level server provider (e.g. UpCloud)
    Secure control panel access: 2FA, login notification
    Secure API (IP whitelist)
    Subscribe to status updates
    Protect computers used for logging in (HitmanPro.Alert)

    Compromise through server software

    Use modern server software (OS, web server, PHP version, in-memory cache, database)
    Hide server software version
    Don’t install multiple websites on a server / separate by OS user
    Subscribe to OS security updates

    Server-side

    HTTPS websites receive fewer attacks: force HTTPS (HSTS)
    Block known hostile networks (myattackers-ipset)
    Preventively block vulnerability scanners (WordPress Fail2ban)
    Restrict access to core, theme and plugin files and directories (wordpress.inc.conf)
    Disable file upload to the server
    Source code integrity check (hourly)
    Alert on source code change (hourly)
    Have daily offsite backup
    Keep backups for one week

    Application

    Delete unused plugins and themes and demo content
    Audit plugins and themes (source code) – prefer authors providing enterprise services
    Install an auditing plugin
    Disable file editing
    Block on WordPress security events (WordPress Fail2ban)
    Add SRI (Subresource Integrity) attributes to elements with foreign CDN content
    Choose wisely if you decide on a page builder

    Authentication

    One administrator
    One user per natural person
    Remove roles from unused accounts
    Disallow weak passwords
    Two-factor authentication
    Alert on foreign country logins (PHP geoip_country_code_by_name() or Apache mod_maxminddb)
    Analyse HTTP headers on login (WordPress Fail2ban)
    Limit login attempts (WordPress Fail2ban)

    After contributing to a few very popular “security” plugins, I’ve left common knowledge and blog posts behind and written a firewall based on actual HTTP traffic:
    https://github.com/szepeviktor/wordpress-fail2ban
    It needs a clean WordPress website; any error in the code could trigger a false alarm!

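The items "Source code integrity check (hourly)" and "Alert on source code change (hourly)" in the post above describe a baseline-and-compare job. Below is an added example written for this page, not code from the post or from the wordpress-fail2ban project: a POSIX shell script that builds a SHA-256 manifest of a WordPress document root, stores it as a baseline on the first run, and on later runs exits non-zero and prints the differing lines whenever a file was added, removed or modified. The excluded directories, the baseline location, the cron line and the availability of GNU coreutils (sha256sum, mktemp) are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the wordpress-fail2ban project: an hourly
# source-code integrity check for a WordPress document root.
# Assumptions: GNU coreutils (sha256sum, mktemp, sort -k) and a baseline manifest
# stored OUTSIDE the document root, in a directory the PHP user cannot write to.

# Print "sha256  ./relative/path" for every regular file under $1, sorted by path.
# wp-content/uploads and wp-content/cache are skipped because legitimate media
# uploads and cache files change constantly and would drown real alerts
# (the exclusion list is an assumption; adjust it to the site).
build_manifest() {
    ( cd "$1" || exit 1
      find . -type f \
           ! -path './wp-content/uploads/*' \
           ! -path './wp-content/cache/*' \
           -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Compare the current manifest of docroot $1 with baseline file $2.
# First run: writes the baseline and returns 0.
# Later runs: returns 0 when nothing changed, 1 when files were added, removed
# or modified, printing the differing manifest lines ("<" baseline, ">" current).
check_integrity() {
    docroot=$1
    baseline=$2
    current=$(mktemp) || return 2
    build_manifest "$docroot" > "$current"

    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "baseline created: $baseline"
        return 0
    fi

    # diff exits 1 on differences and grep exits 1 on no match; "|| true"
    # keeps an unchanged tree from aborting a caller running under set -e.
    changes=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"

    if [ -z "$changes" ]; then
        return 0
    fi
    echo "INTEGRITY CHANGE in $docroot:"
    echo "$changes"
    return 1
}

# Hypothetical cron usage (all paths are assumptions):
#   7 * * * * /usr/local/bin/wp-integrity.sh || mail -s 'WP integrity alert' root
# where wp-integrity.sh sources this file and ends with:
#   check_integrity /var/www/example.com/html /var/lib/wp-integrity/example.com.sha256
```

Two operational points the script relies on: the baseline file must not be writable by the user PHP runs as, otherwise an attacker who gains code execution simply rewrites it; and after a legitimate core, plugin or theme update the baseline has to be refreshed deliberately (delete it and let the next run recreate it), so that the alert stays meaningful rather than being ignored as noise.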
