garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated WordPress Security Tips (markdown)

ethicalhack3r
2014-10-17 15:29:08 -07:00
parent d75c9ebe96
commit f1ca857d48
1 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
WordPress-Security-Tips.md

@@ -1,18 +1,22 @@
**1. Keep your blog on a subdomain.**
**For further WordPress hardening tips see: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)**
Although not a silver bullet, this will help in the affect of some Cross-Site Scripting (XSS) attacks as your blog will be affected by the browser's Same Origin Policy (SOP). This may, however, affect your blog's Google page rank.
**1. Keep the blog on a subdomain.**
**2. Move your wp-content directory.**
This will ensure your blog is on a different 'origin' than your main website. The browser's Same Origin Policy (SOP) will add some client side separation between the two. This may, however, effect your blog's Google page rank.
Moving the wp-content directory will help in protecting your blog against some automated 0day attacks. "Since Version 2.6, you can move the wp-content directory, which holds your themes, plugins, and uploads, outside of the WordPress application directory." [http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content](http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content)
**2. Move the wp-content directory.**
**3. Don't use the 'admin' username.**
Moving the wp-content directory will help protect your blog against some automated attacks.
>Since Version 2.6, you can move the wp-content directory, which holds your themes, plugins, and uploads, >outside of the WordPress application directory.
[http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content](http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content)
WordPress used to set the 'admin' username by default on all installations. In recent versions the username can now be chosen on installation. Since it is widely known that a lot of WordPress blogs use the 'admin' username it is a prime target for brute force attacks.
**3. Do not use the 'admin' username.**
WordPress used to set the 'admin' username by default on all installations. In recent versions the username can now be chosen on installation. Since it is widely known that a lot of WordPress blogs use the 'admin' username it is a prime target for password brute force attacks.
**4. Keep plugin installations to a minimum.**
Through experience we've found that WordPress plugins are normally the weakest link in a WordPress blog's security. Many plugins are susceptible to Cross-Site Scripting (XSS), SQL Injection and other attacks. By keeping plugin installations to a minimum you reduce the attack surface.
Through experience we have found that WordPress plugins are normally the weakest link in a WordPress blog's security. Many plugins are susceptible to Cross-Site Scripting (XSS), SQL Injection and other attacks. By keeping plugin installations to a minimum you reduce the attack surface.
**5. Move the wp-config.php file one directory up, outside of the web root directory.**
@@ -110,6 +114,4 @@ If you are running apache, you can also minimize the info sent about your Webser
ServerTokens Prod # Only show Server: Apache
ServerSignature Off # Remove internal information
TraceEnable Off # Disable trace method
```
**For further WordPress hardening tips see: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)**
```