Securing WordPress
WordPress is a regular hackers’ target and instances of WordPress on the SRCF are regularly compromised in various ways, leading to private data leaks, tampered files, and website irregularities. Most of these risks can be minimized by following the hardening steps below.
- Ensure your `wp-config.php` is not world-readable, as it contains your database credentials. You can set permissions in your FTP client or in the console by typing `chmod 0660 wp-config.php`. If you are installing WordPress under web space that belongs to a group or society, your `wp-config.php` file will be owned by that group or society's user account rather than your own personal account, in which case you will need to run the previous console command as that user: `sudo -u socname chmod 0660 wp-config.php`. Unfortunately FTP clients won't let you do this, so you will need to use the console.
- It is advised to lock down WordPress' admin panel at `/wp-admin/` by putting that directory behind University Account authentication; see an example at `/public/societies/sample/public_html/wordpress/wp-admin/.htaccess`.
- We also recommend you disable "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts", under Settings > Discussion in the admin panel.
- Activate a spam filtering plugin like Akismet and a CAPTCHA system like reCAPTCHA. Akismet is installed by default and just needs activating. Go to `.../wp-admin/plugins.php` to install and activate plugins.
- You may optionally want to modify your theme so that it no longer puts the WordPress version into the HTML. This may help stop attackers discovering that your installation is outdated, but it does not protect against problems caused by the version you are using being compromised.
- Regularly check up on the status of your installation and keep an eye on any vulnerabilities in the plugins you use.
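As an added example (not part of the SRCF documentation), a small POSIX shell check for the `wp-config.php` permissions step above: it reports whether the file still has any world (other) permission bits, and applies `chmod 0660` either directly or, when the file belongs to a society account (`socname` in the text), via `sudo -u` as the page describes. It assumes `ls -ld` output in the usual `-rw-r--r-- 1 owner group ...` layout.

```shell
#!/bin/sh
# Added example (not from the SRCF page): check and repair wp-config.php
# permissions as described in the first hardening step.

# Returns 0 if the file has no "other" (world) permission bits, 1 otherwise.
# Uses ls -ld rather than stat so it works on both GNU and BSD userlands.
check_wp_config_perms() {
    f=$1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ???????---) return 0 ;;                                 # e.g. -rw-rw----
        *) echo "$f is world-accessible ($mode)" >&2; return 1 ;;
    esac
}

# Sets 0660 on the file. If it belongs to another account (a society's
# web space), run chmod as that account via sudo -u, as the page describes.
fix_wp_config_perms() {
    f=$1
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" = "$(id -un)" ]; then
        chmod 0660 "$f"
    else
        sudo -u "$owner" chmod 0660 "$f"
    fi
}

# Usage: sh check-wp-config.sh /path/to/wp-config.php
if [ -n "${1:-}" ]; then
    check_wp_config_perms "$1" || fix_wp_config_perms "$1"
    check_wp_config_perms "$1" && echo "$1 permissions OK"
fi
```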
Last modified on Saturday Dec 7, 2024 by Richard Allitt