Updated WordPress Security Tips (markdown)
ethicalhack3r
@@ -1,18 +1,22 @@
|
|||||||
**1. Keep your blog on a subdomain.**
|
**For further WordPress hardening tips see: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)**
|
||||||
|
|
||||||
Although not a silver bullet, this will help in the affect of some Cross-Site Scripting (XSS) attacks as your blog will be affected by the browser's Same Origin Policy (SOP). This may, however, affect your blog's Google page rank.
|
**1. Keep the blog on a subdomain.**
|
||||||
|
|
||||||
**2. Move your wp-content directory.**
|
This will ensure your blog is on a different 'origin' than your main website. The browser's Same Origin Policy (SOP) will add some client side separation between the two. This may, however, effect your blog's Google page rank.
|
||||||
|
|
||||||
Moving the wp-content directory will help in protecting your blog against some automated 0day attacks. "Since Version 2.6, you can move the wp-content directory, which holds your themes, plugins, and uploads, outside of the WordPress application directory." [http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content](http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content)
|
**2. Move the wp-content directory.**
|
||||||
|
|
||||||
**3. Don't use the 'admin' username.**
|
Moving the wp-content directory will help protect your blog against some automated attacks.
|
||||||
|
>Since Version 2.6, you can move the wp-content directory, which holds your themes, plugins, and uploads, >outside of the WordPress application directory.
|
||||||
|
[http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content](http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content)
|
||||||
|
|
||||||
WordPress used to set the 'admin' username by default on all installations. In recent versions the username can now be chosen on installation. Since it is widely known that a lot of WordPress blogs use the 'admin' username it is a prime target for brute force attacks.
|
**3. Do not use the 'admin' username.**
|
||||||
|
|
||||||
|
WordPress used to set the 'admin' username by default on all installations. In recent versions the username can now be chosen on installation. Since it is widely known that a lot of WordPress blogs use the 'admin' username it is a prime target for password brute force attacks.
|
||||||
|
|
||||||
**4. Keep plugin installations to a minimum.**
|
**4. Keep plugin installations to a minimum.**
|
||||||
|
|
||||||
Through experience we've found that WordPress plugins are normally the weakest link in a WordPress blog's security. Many plugins are susceptible to Cross-Site Scripting (XSS), SQL Injection and other attacks. By keeping plugin installations to a minimum you reduce the attack surface.
|
Through experience we have found that WordPress plugins are normally the weakest link in a WordPress blog's security. Many plugins are susceptible to Cross-Site Scripting (XSS), SQL Injection and other attacks. By keeping plugin installations to a minimum you reduce the attack surface.
|
||||||
|
|
||||||
**5. Move the wp-config.php file one directory up, outside of the web root directory.**
|
**5. Move the wp-config.php file one directory up, outside of the web root directory.**
|
||||||
|
|
||||||
@@ -111,5 +115,3 @@ ServerTokens Prod # Only show Server: Apache
|
|||||||
ServerSignature Off # Remove internal information
|
ServerSignature Off # Remove internal information
|
||||||
TraceEnable Off # Disable trace method
|
TraceEnable Off # Disable trace method
|
||||||
```
|
```
|
||||||
|
|
||||||
**For further WordPress hardening tips see: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)**
|
|
||||||
Reference in New Issue
Block a user