Wordpress Checklist: Difference between revisions

= Security =
* Always use the latest version of WordPress
* Do not use “admin” as a user name; choose a personal user name instead
* Check integration with third-party software and services
* If the site has an SSL certificate, force SSL for login/admin and resolve insecurely loaded assets. If there is no SSL, consider adding a secure login alternative like Facebook.
* Check that you have the latest version of all plugins
* Check that your login is secured
** Install a two-factor authentication WordPress plugin like Clef or Duo Security.
** Install a brute force attack prevention plugin like BruteProtect.
** Check that you have strong passwords.
** If you’re using passwords to log in to your WordPress installation, enable HTTPS on your site and force HTTPS logins at all times.
* Check that there’s no account named admin on your install
** If you have an admin account, create a new administration account and delete admin.
* Check that you’re accessing your WordPress installation for development in a secure way
** Ensure that you always use SFTP or SSH to access your server remotely. Never use FTP.
* Check that your database is secure
** Make sure you’re not using the default `wp_` table prefix.
* Check that you have a secure .htaccess file
*# Secure wp-includes by adding these lines to your .htaccess file.
*# Secure your wp-config.php by adding these lines to your .htaccess file.
* Check that you have disabled file editing
** Add the line `define('DISALLOW_FILE_EDIT', true);` to your wp-config.php file.
* Check file permissions
** wp-config.php: desired 400; fallback 440, 600, 640
** uploads folder: desired 755; fallback 766, 777 (not recommended)
** .htaccess files: desired 400; fallback 440, 444, 600, 640
* Delete readme.html and install.php
* Add blank index.php files where needed
** wp-includes
** wp-content
** wp-content/plugins
** wp-content/themes
** wp-content/uploads
* Move the wp-config.php file outside the web root folder
** The wp-config.php file is a very important configuration file. It contains a lot of sensitive information about your WordPress site, such as your database credentials.
** WordPress will automatically look for this file in the folder above the WordPress root folder if it does not exist in the root folder. Moving this file out of the public_html folder means the file will not be accessible from the Internet.
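The items from the table prefix down to the wp-config.php location can all be verified from a shell on the server. The script below is an added example written for this checklist, not a script from the wiki or from WordPress: it runs read-only checks for the non-default table prefix, `DISALLOW_FILE_EDIT`, the file permissions listed above, the blank index.php files, the leftover readme.html / wp-admin/install.php, and whether wp-config.php has been moved one level above the web root. It assumes a Linux host with GNU `stat` (for `stat -c %a`), the standard WordPress directory layout, and a `WP_ROOT` environment variable (my name, not a WordPress setting) pointing at the web root.

```shell
#!/bin/sh
# wp_audit.sh: read-only checks for the wp-config.php, permission, index.php,
# leftover-file and config-location items of the checklist above.
# Added example, not the wiki's own script. Assumes Linux with GNU stat
# (stat -c %a); it never changes anything, it only reports.
# Usage: WP_ROOT=/var/www/html sh wp_audit.sh

# Print the path of wp-config.php, looking first in the web root and then one
# level above it (the same order WordPress uses); fail if neither exists.
find_config() {
    for candidate in "$1/wp-config.php" "$1/../wp-config.php"; do
        [ -f "$candidate" ] && { printf '%s\n' "$candidate"; return 0; }
    done
    return 1
}

# Succeed only when wp-config.php sits above the web root and not inside it.
check_config_outside_root() {
    [ ! -e "$1/wp-config.php" ] && [ -f "$1/../wp-config.php" ]
}

# Succeed when $table_prefix in the given wp-config.php is set and is not wp_.
check_table_prefix() {
    prefix=$(sed -n 's/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*.\([A-Za-z0-9_]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# Succeed when the given wp-config.php defines DISALLOW_FILE_EDIT as true.
check_file_edit_disabled() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# check_mode <path> <mode>...: succeed when the octal mode of <path> is one of
# the listed values (give the desired mode first, then the accepted fallbacks).
check_mode() {
    path=$1; shift
    mode=$(stat -c %a "$path" 2>/dev/null) || return 1
    for allowed in "$@"; do
        [ "$mode" = "$allowed" ] && return 0
    done
    return 1
}

# Succeed when every directory that must not expose a listing has an index.php.
check_blank_index() {
    for d in wp-includes wp-content wp-content/plugins wp-content/themes wp-content/uploads; do
        [ -f "$1/$d/index.php" ] || return 1
    done
    return 0
}

# Succeed when the installer leftovers are gone (install.php ships in wp-admin/).
check_leftovers_removed() {
    [ ! -e "$1/readme.html" ] && [ ! -e "$1/wp-admin/install.php" ]
}

# Run every check against a web root, print one verdict line per check and
# return the number of failed checks (0 means all audited items pass).
audit() {
    root=$1; failed=0
    cfg=$(find_config "$root") || { echo "FAIL  wp-config.php not found"; return 1; }
    step() {  # step <label> <check> [args...]
        label=$1; shift
        if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; failed=$((failed + 1)); fi
    }
    step "wp-config.php outside web root"               check_config_outside_root "$root"
    step "non-default table prefix"                     check_table_prefix "$cfg"
    step "DISALLOW_FILE_EDIT set"                       check_file_edit_disabled "$cfg"
    step "wp-config.php mode 400 (440/600/640)"         check_mode "$cfg" 400 440 600 640
    step "uploads mode 755 (766/777 not recommended)"   check_mode "$root/wp-content/uploads" 755 766 777
    step ".htaccess mode 400 (440/444/600/640)"         check_mode "$root/.htaccess" 400 440 444 600 640
    step "blank index.php in every listed folder"       check_blank_index "$root"
    step "readme.html and wp-admin/install.php removed" check_leftovers_removed "$root"
    return "$failed"
}

if [ -n "${WP_ROOT:-}" ]; then
    audit "$WP_ROOT"
fi
```

The fallback modes are accepted because the checklist lists them, but the verdict label still names the desired value so a 777 uploads folder is visible as a deviation in the output. Because every check is a separate function, the same script can be run from a cron job and the non-zero return count used to raise an alert when a plugin or a deploy has quietly undone one of these settings.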


= TEMPLATE =


= Plugin =