diff --git a/WordPress-Security-Tips.md b/WordPress-Security-Tips.md index e52d530..6b87cbf 100644 --- a/WordPress-Security-Tips.md +++ b/WordPress-Security-Tips.md 
@@ -1,18 +1,22 @@ -**1. Keep your blog on a subdomain.** +**For further WordPress hardening tips see: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)** -Although not a silver bullet, this will help in the affect of some Cross-Site Scripting (XSS) attacks as your blog will be affected by the browser's Same Origin Policy (SOP). This may, however, affect your blog's Google page rank. +**1. Keep the blog on a subdomain.** -**2. Move your wp-content directory.** +This will ensure your blog is on a different 'origin' than your main website. The browser's Same Origin Policy (SOP) will add some client side separation between the two. This may, however, effect your blog's Google page rank. -Moving the wp-content directory will help in protecting your blog against some automated 0day attacks. "Since Version 2.6, you can move the wp-content directory, which holds your themes, plugins, and uploads, outside of the WordPress application directory." [http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content](http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content) +**2. Move the wp-content directory.** -**3. Don't use the 'admin' username.** +Moving the wp-content directory will help protect your blog against some automated attacks. +>Since Version 2.6, you can move the wp-content directory, which holds your themes, plugins, and uploads, >outside of the WordPress application directory. +[http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content](http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content) -WordPress used to set the 'admin' username by default on all installations. In recent versions the username can now be chosen on installation. Since it is widely known that a lot of WordPress blogs use the 'admin' username it is a prime target for brute force attacks. +**3. Do not use the 'admin' username.** + +WordPress used to set the 'admin' username by default on all installations. 
In recent versions the username can now be chosen on installation. Since it is widely known that a lot of WordPress blogs use the 'admin' username it is a prime target for password brute force attacks. **4. Keep plugin installations to a minimum.** -Through experience we've found that WordPress plugins are normally the weakest link in a WordPress blog's security. Many plugins are susceptible to Cross-Site Scripting (XSS), SQL Injection and other attacks. By keeping plugin installations to a minimum you reduce the attack surface. +Through experience we have found that WordPress plugins are normally the weakest link in a WordPress blog's security. Many plugins are susceptible to Cross-Site Scripting (XSS), SQL Injection and other attacks. By keeping plugin installations to a minimum you reduce the attack surface. **5. Move the wp-config.php file one directory up, outside of the web root directory.** @@ -110,6 +114,4 @@ If you are running apache, you can also minimize the info sent about your Webser ServerTokens Prod # Only show Server: Apache ServerSignature Off # Remove internal information TraceEnable Off # Disable trace method -``` - -**For further WordPress hardening tips see: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)** \ No newline at end of file +``` \ No newline at end of file
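Review bot: in the first hunk the rewritten tip 1 paragraph changes "affect your blog's Google page rank" to "effect your blog's Google page rank", which is the wrong word (the verb is "affect"); keep the original spelling. The same hunk's quoted codex sentence under tip 2 carries a second `>` in the middle of the line (`uploads, >outside of the WordPress`), so if the committed line reads that way the `>` will render as a literal character; either keep the quote on one line with a single leading `>` or start the continuation on its own `>` line. The new tip 1 text also drops the original's reason for the subdomain (containing an XSS in the blog) and "some client side separation" is vague; say what the SOP actually buys, e.g. that script running in the blog origin cannot read the main site's DOM or storage.

Review bot: the second hunk re-adds the closing fence but still ends with `\ No newline at end of file`, so the file is committed without a trailing newline both before and after this change; add the newline now so the fence line stops showing as modified in every future diff. The only other change in the hunk is dropping the "further hardening tips" line that the first hunk moves to the top, which is fine.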