Securing WordPress – Laskowski-Tech

Tips on Securing WordPress:

Keep your install up to date

Tool to keep up to speed on if you are running old versions of CMS software such as WordPress:

https://github.com/JamesDooley/VersionFinder

Use as few plugins as possible, keep them up to date and remove plugins no longer in use.

Tool you can use to audit your plugins:

https://github.com/wpscanteam/wpscan

I recommend the docker install if not using Kali or pre-installed distro.

Prevents unauthorized logins.

Use 2FA….Use 2FA….Use 2FA.

My preferred choice:

https://duo.com/docs/wordpress

Also secure passwords, preferably in a password manager so they can be something like this: Shu1theetatebongeiv!ohlahh#

NEW###

Update password security with Passwords Evolved, integrates with https://haveibeenpwned.com/ and upgrades stored passwords from md5 hash to bcrypt, read more about this here.

Lock down Assets

If you can get away with is restrict access to sections of the site, like don’t list directories in the Web server configuration. Prevent access to xmlrpc.php wp-login.php. Xmlrpc and wp-login can both be used to compromise the site assets but they are also prevalent in DOS attacks on WordPress sites.

Method for doing so via .htaccess on a Apache web server:

#prevent directory listing
Options -Indexes 

<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from x.x.x.x
</Files>

<Files xmlrpc.php>
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from x.x.x.x
</Files>

Use Web Application Firewalls (WAF’s)

Web application firewalls can inspect individual requests coming into the site at the application level. There are many freely available ones both at the WordPress level and at the web server level.

Examples for wordpress level:

www.wordfence.com

sucuri.net

Both offer free software with paid add-ons but even the free offering will provide an additional layer of security.

At the server level:

Modsec WAF

Free WAF that has free and paid security rulesets available.

Lastly, use WordPress without using WordPress.

If your site is mostly static, but you still want to have the easy of development that WordPress offers check out Simply-Static. It generates a html version of your WordPress site, so install WordPress locally do your work and then upload the static files to the publicly available server. So this site uses WordPress, and you can see a mirror version on aws.laskowski-tech.com that uses the static files for the site. Not only is your site more secure with keeping databases, logins, and php processing offline, the load times also improve.