Wordpress What do you think of my security measures and what can i improve?

captainamerica60

Neophyte
Joined
May 2, 2021
Messages
4
Hello, I'm configuring WordPress before launching my new website next week. I've read a lot of guides and I have compiled so far what I've done.
What do you think? What can I improve?

  • HTTP headers via redirection plugins:
    Strict-Transport-Security
    X-Frame-Options
    X-Content-Type-Options
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts; base-uri 'self';
    Referrer-Policy
    Feature-Policy: camera='none'; fullscreen='self'; magnetometer='none'; microphone='none'; midi='none'; payment='none'; sync-xhr='none'; usb='none'; speaker-selection='none';
  • permissions 444 on .htaccess and wp-config.php
  • create an editor user and use it to create content instead of the admin user
  • complicated passwords (40 characters with symbols etc.)
  • two-factor authentication

  • UpdraftPlus Pro: automatic backups locally and in the cloud
  • changing the names of the database tables
  • WordPress version removed from meta tags
  • SSL certificate
  • login and signup pages moved. The old pages redirect to a 404 page.
  • iThemes Security free version
 

Pete

Flavours of Forums Forever
Joined
Sep 9, 2013
Messages
2,165
With security, what threat are you hoping to neutralise?

For me the biggest risk in the equation is WordPress’s auto update which requires all the folders and files be writable - I’d never allow that normally except for the folders that must by design (think wp-content)

But let’s run through the list…

HTTP headers - protects against MITM, click jacking, virtually every web app should be running with these rules really
User editor and strong passwords - mitigates account takeover
Double auth - ditto
Changing the names of tables does little in practice - any exploit will just check against the configuration
Hiding version in meta tags - well, drive by attackers don’t check the version, they just hit with everything they have, targeted attackers (if you are unfortunate enough to be here, most people aren’t) will likely not trust this and find some other route
SSL certificate - protects against MITM
Moving login and signup only slows down fully automated attacks

Overall, the list is pretty reasonable though some of it is security theatre that doesn’t work in practice (but is often touted as good advice). The question comes back to more fundamental security - the more plugins one uses the more risk one of them does something stupid that leverages its way into being a problem.

While auto updates are nice in theory I’d never actually let it, I’d keep as much readonly as possible to prevent tampering.
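As an added example (not from the thread or any of the posters): an offline checker that takes response headers like those in the opening post and flags what Pete's reply is about, including 'unsafe-inline', 'unsafe-eval' and http: sources in the CSP. The header names are standard; the thresholds, messages and sample dict are my assumptions.

```python
"""Constructed checker for the response headers listed in this thread.
Feed it headers captured from your own site (e.g. `curl -I`); no network."""
import re

# Source tokens that let injected script or styles run despite a CSP.
WEAK_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "http:", "*")
CHECKED_DIRECTIVES = ("default-src", "script-src", "style-src")


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not age or int(age.group(1)) < 31536000:  # under one year
        findings.append("Strict-Transport-Security max-age below one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    csp = h.get("content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
        return findings
    for directive in csp.split(";"):
        parts = directive.split()
        if len(parts) > 1 and parts[0] in CHECKED_DIRECTIVES:
            for weak in WEAK_CSP_TOKENS:
                if weak in parts[1:]:
                    findings.append(f"{parts[0]} allows {weak}")
    return findings


# Constructed sample modelled on the policy in the opening post.
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
    "'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:",
}

if __name__ == "__main__":
    for finding in check_headers(SAMPLE):
        print("WEAK:", finding)
```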
 

vbgamer45

Adherent
Joined
Sep 22, 2005
Messages
296
Good list. Big thumbs up on the readonly, I have done that. I normally try to keep WordPress on a separate host, I am more worried about plugins/themes than the core itself.
I also did in wp-config.php
Code:
define('DISALLOW_FILE_EDIT', true);

Maybe change admin url https://stackoverflow.com/questions/49028309/wordpress-change-admin-login-url

In the wp-content folder I have done this .htaccess

Code:
# Deny everything in wp-content by default, then re-allow only static asset types
Require all denied
<Files ~ "\.(xml|css|jpeg|png|gif|ttf|svg|eot|woff|js|less)$">
Require all granted
</Files>
 

Klaatu

Fan
Joined
Mar 1, 2010
Messages
613
I would add "Options -Indexes" to .htaccess to make sure no directories can be browsed. I'm extra paranoid, so I wouldn't store backups locally; especially if your site is hosted on a shared server.
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,572
In addition to some of what you've put, I usually edit htaccess to only allow my IP address access to the admin area

Disable xml-rpc too if you don't need it, can be done in htaccess or as a setting in Wordfence.

There's a few decent tips in here https://www.wpbeginner.com/wp-tutorials/9-most-useful-htaccess-tricks-for-wordpress/


The only times I've had sites hacked were from very recently exploited plugins, so go figure. I still can't bring myself to enable auto updates though as the sites I run on Wordpress are usually customised enough where I don't want to risk auto updates in case they break anything, especially if it's ecommerce.

I suppose the best solution would really be to roll out some automated testing and enable automatic updates to see if anything has broken after every automatic update. That would involve writing tests though....😑
 

captainamerica60

Neophyte
Joined
May 2, 2021
Messages
4
Hello all :) thank you for your help

@Pete I don't really know what threats I want to neutralize, I just want to limit the risks. I understand it's security theatre because a motivated attacker will often find a vulnerability, but still I just want to limit the risks ^^

@vbgamer45 I'm also worried about plugins/themes :/ I tried to use as few as I can and to choose the ones with good support

@R0binHood allowing only my IP is a good idea but I'm using a VPN which often changes its server and IP. I don't want to have a static IP or to use split tunneling for my website.
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,083
@R0binHood allowing only my IP is a good idea but I'm using a VPN which often changes its server and IP. I don't want to have a static IP or to use split tunneling for my website.
Then you can forget about tight security. The very first thing you need to do is to limit all webmaster tools (admin panels, phpMyAdmin, cPanel, SSH, FTP, etc.) to your whitelisted IP. For some you can use 2FA. That goes for any server.
 

captainamerica60

Neophyte
Joined
May 2, 2021
Messages
4
I'm reconsidering what I said. I could use split tunneling for a browser dedicated to my WordPress administration and for writing articles. But if my ISP static IP changes for some reason, will I be locked out? Alpha1
Also, do you have a guide to limit all webmaster tools to my IP?
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,083
If you have to ask then it's best to ask your host to fix this for you. They will also be able to help you if you get locked out.
 

TLChris

Administrator
Joined
Jan 2, 2020
Messages
333
Also recommend using Cloudflare's tools; they have firewalls built to block a number of attacks, and tweaks to make the site cache a bit better.
 