
What else can I do, beyond the famous WordPress 5-minute installation, to make it more secure?


Do you remember the famous WordPress 5-Minute installation? It is all about installing WordPress using default settings. At the WordCamp UK 2011 conference, Steve Taylor shared a presentation on settings to add to the standard installation:

  • Best security practices
  • Guides to wp-config.php, .htaccess, robots.txt
  • Must-have admin plugins

 
Beyond the WordPress 5 minute Install – Presentation Transcript

Beyond the 5-minute Install
Steve Taylor
http://sltaylor.co.uk
steve@sltaylor.co.uk
@sltayloresque
WordCamp Portsmouth UK 2011

Security & best practices
  • .htaccess
  • wp-config.php
  • robots.txt
  • functions.php / "functionality plugin"
  • Plugins
  • Other issues?

A bit about me
  • Custom theme developer
  • No themes released
  • A few plugins

This talk
  • Advice for beginners
  • Tips for developers

.htaccess
  • "hypertext access"
  • Controls requests to the server before any PHP / WordPress processing
  • Apache only (IIS?)
  • Root of website (sub-directories?)
  • Sometimes simple, sometimes complex!
http://httpd.apache.org/docs/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

www or not www?
  • Personal choice / aesthetics
  • Both should be accessible; one should redirect (301) to the other
  • Tell Google Webmaster Tools!

    # Force no "www"
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

    # Force "www"
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

Protect important files

    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of the order/deny lines

    # Protect .htaccess files
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    # Protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

WordPress pretty permalinks

Include at end of .htaccess:

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

Really bad idea for big sites: see http://ottopress.com/2010/category-in-permalinks-considered-harmful/
Better: see http://codex.wordpress.org/Using_Permalinks

wp-config.php
  • Create your own wp-config-sample.php
  • Check the file for new stuff in new versions of WordPress
  • Edit and initialize BEFORE installing WordPress!
http://codex.wordpress.org/Editing_wp-config.php
http://digwp.com/2010/08/pimp-your-wp-config-php/

Server-dependent settings

    // ** MySQL settings – You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'database_name_here' );

    /** MySQL database username */
    define( 'DB_USER', 'username_here' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'password_here' );

    /** MySQL hostname */
    define( 'DB_HOST', 'localhost' );

Per-server switch:

    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com':
            // Dev server
            define( 'DB_NAME', 'aef4RgX_mysitedev' );
            define( 'DB_USER', 'aef4RgX_mysitedev' );
            define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
            define( 'DB_HOST', 'localhost' );
            break;
        default:
            // Live server
            define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
            define( 'DB_USER', 'sd6FE2xc_mysitelive' );
            define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
            define( 'DB_HOST', 'localhost' );
            break;
    }

https://www.grc.com/passwords.htm

Authentication Keys and Salts

Change them for every installation!

    define( 'AUTH_KEY',         'put your unique phrase here' );
    define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
    define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
    define( 'NONCE_KEY',        'put your unique phrase here' );
    define( 'AUTH_SALT',        'put your unique phrase here' );
    define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
    define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
    define( 'NONCE_SALT',       'put your unique phrase here' );

https://api.wordpress.org/secret-key/1.1/salt/

Database table prefix

The default:

    $table_prefix = 'wp_';

Much better:

    $table_prefix = 'a3rfGtQ1_';

Database table prefix

When coding database queries, don't use hard-coded table names!

A standard WP table:

    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );

A custom table:

    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );

http://codex.wordpress.org/Class_Reference/wpdb
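The custom-table query above, carried one step further as an added example (not the talk's code): the prefix still comes from wp-config.php, and a caller-supplied value is bound with $wpdb->prepare() rather than concatenated into the SQL. It assumes a table {$wpdb->prefix}table with columns `field` and `slug`.

```php
<?php
// Added example, not from the talk. Assumes a custom table named
// {$wpdb->prefix}table with the columns `field` and `slug`.

function slt_get_field_by_slug( $slug ) {
    global $wpdb;

    // Identifiers (table names) cannot be placeholders in prepare(), so the
    // table name is built from $wpdb->prefix; only the value is a placeholder.
    $table = $wpdb->prefix . 'table';

    $sql = $wpdb->prepare(
        "SELECT field FROM {$table} WHERE slug = %s LIMIT 1",
        $slug   // quoted and escaped by prepare(), whatever the caller passed in
    );

    return $wpdb->get_var( $sql );
}

// Same pattern against a standard table: $wpdb->posts already carries the prefix.
function slt_get_post_title( $post_id ) {
    global $wpdb;

    return $wpdb->get_var(
        $wpdb->prepare( "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );
}
```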

Server needs FTP for upgrades?

    define( 'FTP_HOST', 'ftp.example.com' );
    define( 'FTP_USER', 'myftpuser' );
    define( 'FTP_PASS', 'hQfsSITtKteo1Ln2FEhHlPkXZ' );

Debugging

    define( 'WP_DEBUG', true );

Switch it on only on the dev server, and only on request (http://dev.example.com/?debug=1):

    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com':
            // Dev server
            define( 'WP_DEBUG', isset( $_GET['debug'] ) );
            break;
        default:
            // Live server
            define( 'WP_DEBUG', false );
            break;
    }
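Both switch() blocks above (the database credentials one and this WP_DEBUG one) branch on $_SERVER['HTTP_HOST'], which is the Host header sent by the client. The following is an added example, not from the talk, that branches on a value the server administrator sets instead; it assumes the dev vhost sets WP_ENV to dev (Apache `SetEnv WP_ENV dev` under mod_php, or `env[WP_ENV] = dev` in a php-fpm pool), that the live vhost sets nothing, and it uses placeholder credentials.

```php
<?php
// Added example, not from the talk. Assumes WP_ENV is set by the server
// configuration (SetEnv under mod_php, or env[WP_ENV] in a php-fpm pool);
// the live vhost sets nothing. All credentials below are placeholders.

$slt_env = getenv( 'WP_ENV' );
if ( 'dev' !== $slt_env ) {
    $slt_env = 'live';   // anything missing or unexpected is treated as live
}

if ( 'dev' === $slt_env ) {
    // Dev server
    define( 'DB_NAME',     'DEV_DB_NAME_PLACEHOLDER' );
    define( 'DB_USER',     'DEV_DB_USER_PLACEHOLDER' );
    define( 'DB_PASSWORD', 'DEV_DB_PASSWORD_PLACEHOLDER' );
    define( 'DB_HOST',     'localhost' );
    // Debug output on dev only, and still only when asked for with ?debug=1
    define( 'WP_DEBUG', isset( $_GET['debug'] ) );
} else {
    // Live server
    define( 'DB_NAME',     'LIVE_DB_NAME_PLACEHOLDER' );
    define( 'DB_USER',     'LIVE_DB_USER_PLACEHOLDER' );
    define( 'DB_PASSWORD', 'LIVE_DB_PASSWORD_PLACEHOLDER' );
    define( 'DB_HOST',     'localhost' );
    define( 'WP_DEBUG', false );
}
```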

Control revisions and autosave

    // Only keep 3 revisions of each post
    define( 'WP_POST_REVISIONS', 3 );

    // Don't keep revisions of posts
    define( 'WP_POST_REVISIONS', false );

    // Autosave posts interval in seconds
    define( 'AUTOSAVE_INTERVAL', 60 );

Disable plugin and theme editing

    define( 'DISALLOW_FILE_EDIT', true );
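A read-only check for the wp-config.php settings covered above, added here and not part of the talk: it reports keys and salts still at the placeholder, placeholder database credentials, the default wp_ table prefix, WP_DEBUG hard-coded to true, and a missing DISALLOW_FILE_EDIT. It assumes the standard define( 'NAME', value ) and $table_prefix = '...' forms.

```php
<?php
// Added example, not from the talk. Usage: php slt-check-wp-config.php /path/to/wp-config.php
// Assumes the standard define( 'NAME', value ) and $table_prefix = '...' forms.

function slt_check_wp_config( $source ) {
    $findings = array();

    // 1. Keys and salts still at the wp-config-sample.php placeholder.
    $keys = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                   'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
    foreach ( $keys as $key ) {
        $re = "/define\(\s*['\"]" . $key . "['\"]\s*,\s*['\"]put your unique phrase here['\"]/";
        if ( preg_match( $re, $source ) ) {
            $findings[] = "$key is still the placeholder";
        }
    }

    // 2. Database credentials still at the sample-file placeholders.
    if ( preg_match( '/[\'"](database_name_here|username_here|password_here)[\'"]/', $source ) ) {
        $findings[] = 'DB_NAME / DB_USER / DB_PASSWORD placeholders not replaced';
    }

    // 3. Default table prefix.
    if ( preg_match( '/\$table_prefix\s*=\s*[\'"]wp_[\'"]/', $source ) ) {
        $findings[] = 'table prefix is the default wp_';
    }

    // 4. Debug output switched on unconditionally.
    if ( preg_match( '/define\(\s*[\'"]WP_DEBUG[\'"]\s*,\s*true\s*\)/i', $source ) ) {
        $findings[] = 'WP_DEBUG is hard-coded to true';
    }

    // 5. Dashboard plugin/theme editor not disabled.
    if ( ! preg_match( '/define\(\s*[\'"]DISALLOW_FILE_EDIT[\'"]\s*,\s*true\s*\)/i', $source ) ) {
        $findings[] = 'DISALLOW_FILE_EDIT is not set to true';
    }

    return $findings;
}

$path     = isset( $argv[1] ) ? $argv[1] : 'wp-config.php';
$findings = slt_check_wp_config( (string) file_get_contents( $path ) );
foreach ( $findings as $finding ) {
    echo "- $finding\n";
}
exit( $findings ? 1 : 0 );
```

The exit status is 1 when anything is reported, so the script can sit in a deployment check.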

robots.txt

    User-agent: *
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /trackback
    Disallow: /feed
    Disallow: /comments
    Disallow: /category/*/*
    Disallow: */trackback
    Disallow: */feed
    Disallow: */comments
    Disallow: /*?*
    Disallow: /*?
    Allow: /wp-content/uploads
    Sitemap: http://example.com/sitemap.xml

http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization

Custom theme functions.php / "functionality" plugin
  • Snippets not worth making into a plugin
  • Plugin is more portable
  • Check out /mu-plugins/
http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
http://codex.wordpress.org/Must_Use_Plugins

Disable upgrade notifications for people who can't do upgrades

    // Closures replace the create_function() calls of the original snippet,
    // which was removed in PHP 8.
    if ( ! current_user_can( 'update_core' ) ) {
        // Stop the version check running for this user...
        add_action( 'init', function () {
            remove_action( 'init', 'wp_version_check' );
        }, 2 );
        // ...and hide the stored update information from the admin screens
        add_filter( 'pre_option_update_core', function () {
            return null;
        } );
    }

Remove nofollow from comments

    remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
    add_filter( 'get_comment_author_link', 'slt_dofollow' );
    add_filter( 'post_comments_link', 'slt_dofollow' );
    add_filter( 'comment_reply_link', 'slt_dofollow' );
    add_filter( 'comment_text', 'slt_dofollow' );

    // Strip "nofollow" from the rel attribute of anchor tags in the given markup
    function slt_dofollow( $str ) {
        $str = preg_replace( '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str );
        return str_replace( array( ' rel=""', " rel=''" ), '', $str );
    }

http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/

Better default display names

    add_action( 'user_register', 'slt_default_user_display_name' );

    // On registration, set the display name to "First Last" instead of the login name.
    // get_user_meta() replaces the deprecated get_usermeta() of the original snippet.
    function slt_default_user_display_name( $user_id ) {
        $first   = get_user_meta( $user_id, 'first_name', true );
        $last    = get_user_meta( $user_id, 'last_name', true );
        $display = $first . ' ' . $last;
        wp_update_user( array( 'ID' => $user_id, 'display_name' => $display ) );
    }

Plugins
  • Force Strong Passwords: copies WordPress's JavaScript password strength meter into PHP and forces "executive" users to have a strong password when updating their profile. http://wordpress.org/extend/plugins/force-strong-passwords/
  • Google XML Sitemaps (or equivalent). http://wordpress.org/extend/plugins/google-sitemap-generator/
  • Use Google Libraries. http://wordpress.org/extend/plugins/use-google-libraries/
  • WordPress Database Backup. http://wordpress.org/extend/plugins/wp-db-backup/

Other issues
  • File permissions: http://codex.wordpress.org/Hardening_WordPress#File_permissions
  • .htpasswd for /wp-admin/
  • Settings > Discussion

Cheers!
http://sltaylor.co.uk
@sltayloresque

By Jinnat Ul Hasan | On Wednesday, August 17th, 2011 | Under Security, WordCamp | No Comments »

