Skip to content

Latest commit

History

History
75 lines (58 loc) 路 3.4 KB

WordPress-security.md

File metadata and controls

75 lines (58 loc) 路 3.4 KB
Raw

Blocking WordPress attack vectors

Strategy

  1. Reject traffic from known hostile networks
  2. Ban IP addresses on the very first suspicious request preventing further scanning
  3. Serve requests as quickly as possible to prevent DoS attacks
  4. Lowest access level possible for users
  5. Monitor everything (source code, database, logs, traffic, humans)

Compromise from your computer and mobile

  • Do not store usernames and passwords in browsers
  • Use a password manager
  • Second opinion anti-malware software (HitmanPro.Alert)
  • Protect devices

Compromise from hosting provider

  • Choose an enterprise ready server provider (e.g. UpCloud)
  • Secure control panel access: 2FA, login notification
  • Secure API: IP whitelisting
  • Subscribe to status updates

Compromise through server software

  • Use modern server software (OS, web server, PHP version, in-memory cache, database, remote access with SSH)
  • Hide server software version
  • Don't install multiple websites on a server / separate by OS user
  • Subscribe to OS security updates

Server-side

  • HTTPS websites receive less attacks: force HTTPS (HSTS)
  • Block known hostile networks (myattackers-ipset)
  • Preventively block vulnerability scanners (WAF for WordPress)
  • Restrict access to core, theme and plugin files and directories (wordpress.inc.conf)
  • Disable file upload to the server
  • Source code integrity check (hourly)
  • Alert on source code change (hourly)
  • Have daily offsite backup
  • Keep backups for one week

Application

  • Delete unused plugins and themes and demo content
  • Audit plugins and themes (source code) - prefer authors with enterprise mindset
  • Install an auditing plugin
  • Disable file editing
  • Block on WordPress security events (WAF for WordPress)
  • Add SRI (Subresource Integrity) attributes to elements with foreign CDN content
  • Content Security Policy (CSP) HTTP header
  • Choose wisely if you decide on a page builder

Authentication

  • One administrator per site
  • One user account per natural person
  • Remove roles from unused accounts
  • Disallow weak passwords
  • Two-factor authentication
  • Alert on foreign country logins (PHP geoip_country_code_by_name() or Apache mod_maxminddb)
  • Analyse HTTP headers on login (WAF for WordPress)
  • Disallow too short usernames and passwords (WAF for WordPress)
  • Limit login attempts (WAF for WordPress)

馃敡 Maintenance

Have me on board: viktor@szepe.net

This page contains affiliate links