Secure WordPress

File permissions

Run these from the WordPress root directory:

find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--

Ownership

During setup (the installer has to write wp-config.php and install plugins):

chown www-data:www-data -R . # Let Apache be owner; use "." rather than "*", which skips dotfiles such as .htaccess

After setup:

chown root:root -R .                       # Let root (or your own, non-web user account) own everything Apache must not modify
chown www-data:www-data wp-content -R      # Let Apache be owner of wp-content only (uploads, plugins, themes)
chown www-data:www-data wordfence-waf.php  # Wordfence writes this file from the web server process

find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--

# wordfence-waf.php
chmod 644 wordfence-waf.php

# .htaccess
chown root:root .htaccess
chmod 644 .htaccess

# wp-config.php
chown root:root wp-config.php
chmod 644 wp-config.php
# 644 keeps the file world-readable so Apache can read the DB credentials; where other users share the host, prefer "chown root:www-data wp-config.php" and "chmod 640 wp-config.php" so only root and the web server can read it.


# To test (in the WordPress dashboard):
#   click "Wordfence" - "Firewall" --> should still be shown as active
#   activate / deactivate a plugin
#   install / uninstall a plugin (this needs write access to wp-content)
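The ownership and permission steps above, as an added shell example that is not from the original page: it applies the "after setup" scheme to a WordPress root and then audits the tree for anything outside wp-content the web server could still write. The function names are mine; OWNER and WEBUSER are parameters (root and www-data on this page) so the functions can be tried unprivileged on a throwaway directory, and wp-config.php gets the tighter 640 mode mentioned above rather than 644.

```shell
#!/bin/sh
# Added example (not from the original page): apply the "after setup" scheme
# to a WordPress root and audit the result. OWNER/WEBUSER are parameters
# (root and www-data on the page) so the functions can be tried unprivileged
# on a throwaway tree; run as root for the real site.

# wp_lockdown ROOT OWNER WEBUSER
wp_lockdown() {
    root=$1; owner=$2; web=$3
    ogrp=$(id -gn "$owner"); wgrp=$(id -gn "$web")
    # Pass the directory, not "*": a glob misses dotfiles such as .htaccess.
    chown -R "$owner:$ogrp" "$root"
    find "$root" -type d -exec chmod 755 {} +   # rwxr-xr-x
    find "$root" -type f -exec chmod 644 {} +   # rw-r--r--
    # Only wp-content (uploads, plugins, themes) stays writable by the web server.
    chown -R "$web:$wgrp" "$root/wp-content"
    # Wordfence rewrites its auto-prepend file from the web server process.
    if [ -f "$root/wordfence-waf.php" ]; then
        chown "$web:$wgrp" "$root/wordfence-waf.php"
    fi
    # Tighter than 644: owner writes, web server group reads, nobody else.
    chown "$owner:$wgrp" "$root/wp-config.php"
    chmod 640 "$root/wp-config.php"
}

# wp_audit ROOT: print every path outside wp-content that is group- or
# world-writable, i.e. writable by the web server under this scheme.
# Returns 1 if anything is found, 0 if the tree is clean.
wp_audit() {
    root=$1
    offenders=$(find "$root" -path "$root/wp-content" -prune -o \
                     \( -perm -020 -o -perm -002 \) -print)
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders"
    return 1
}

# wp_demo: build a throwaway tree with sloppy 777 modes, lock it down and
# audit it, as the current user so it runs without root.
wp_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-admin"
    for f in index.php wp-config.php .htaccess wordfence-waf.php \
             wp-admin/admin.php wp-content/uploads/a.jpg; do
        : > "$tmp/$f"
    done
    chmod -R 777 "$tmp"
    me=$(id -un)
    wp_lockdown "$tmp" "$me" "$me"
    if wp_audit "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

wp_demo && echo "throwaway tree passes the audit"
```

On the real site run wp_lockdown /var/www/html root www-data as root, then wp_audit /var/www/html; an empty result means nothing outside wp-content is writable by the web server, which is the property the manual steps above are meant to establish.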

Special files

wp-config.php: so that WordPress writes plugins and updates itself instead of asking for FTP or SSH credentials:

define('FS_METHOD', 'direct');

This works only because wp-content is owned by www-data (see Ownership): FS_METHOD 'direct' makes the web server process write the files itself, and an unwritable directory then produces a write error rather than the credentials prompt.

.htaccess file in main directory

Copy your .htaccess file to a backup directory outside the web root, and keep its permissions at:

chmod 644 .htaccess

After each modification (e.g. the Wordfence firewall optimization, which writes its auto_prepend_file setting into .htaccess or .user.ini depending on how PHP runs) make a fresh backup of the .htaccess file.


Install and configure Wordfence

Install and configure UpdraftPlus

Memory limit (e.g. for WooCommerce)

Edit the wp-config.php file in your WordPress site's root folder and paste this line just before the line that says 'That's all, stop editing! Happy blogging.' (newer versions say 'Happy publishing.'):

define( 'WP_MEMORY_LIMIT', '256M' );

HTTP Headers

Check your site:

https://securityheaders.com/

Enable the headers module for Apache:

a2enmod headers

Paste this into the HTTPS VirtualHost config (nano /etc/apache2/sites-enabled/...); Strict-Transport-Security belongs only on the HTTPS vhost, and includeSubDomains commits every subdomain to HTTPS as well:

   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-Xss-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
   Header always set Referrer-Policy "strict-origin"
   Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),ful>
   Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"

Note that script-src * allows scripts from any origin, so this policy does not stop cross-site scripting; it is a permissive starting point that will not break plugins loading external scripts. To tighten it, list the origins you actually use and deploy the stricter policy first as Content-Security-Policy-Report-Only, so violations show up in the browser console instead of breaking the site. X-Xss-Protection is a legacy header: Chromium-based browsers removed the XSS auditor it controlled and Firefox never implemented it, so the usual recommendation today is to set it to 0 or drop it.

Check the configuration and restart the server

apachectl configtest && service apache2 restart

Test

Check on the following sites (securityheaders.com for the response headers, ssllabs.com for the TLS configuration):

https://securityheaders.com/

https://www.ssllabs.com/
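An offline counterpart to the securityheaders.com check, added here as an example that is not from the original page: a shell function you can pipe curl -sI output into that reports which of the headers set above are missing, whether the HSTS max-age is at least a year, whether the CSP's script-src is a wildcard or 'unsafe-inline', and whether the legacy X-Xss-Protection header is still set to 1. The function names are mine and the two header blocks are constructed samples, not captured responses.

```shell
#!/bin/sh
# Added example (not from the original page): an offline check of the headers a
# vhost sends, to run before and after editing the VirtualHost. On a live site:
#   curl -sI https://your-site.example/ | header_audit
# The two header blocks below are constructed samples, not captured responses.

# header_audit: reads raw response headers on stdin, prints one finding per line,
# returns the number of findings (0 means every check passed).
header_audit() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')      # case-insensitive matching
    n=0
    for h in strict-transport-security x-frame-options x-content-type-options \
             referrer-policy permissions-policy content-security-policy; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "missing: $h"; n=$((n + 1))
        fi
    done
    # HSTS below one year is not accepted for preloading and is easy to downgrade.
    hsts=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
    if [ -n "$hsts" ] && [ "$hsts" -lt 31536000 ]; then
        echo "weak: hsts max-age=$hsts is below one year"; n=$((n + 1))
    fi
    # A wildcard or 'unsafe-inline' script source means the CSP does not stop XSS.
    csp=$(printf '%s\n' "$hdrs" | sed -n 's/^content-security-policy: *//p')
    src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^ *script-src *//p')
    if [ -z "$src" ]; then   # no script-src: default-src applies to scripts
        src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^ *default-src *//p')
    fi
    case " $src " in
        *" * "*|*"'unsafe-inline'"*)
            echo "weak: csp script-src '$src' lets injected scripts run"; n=$((n + 1)) ;;
    esac
    # The XSS auditor this header controlled is gone from current browsers.
    if printf '%s\n' "$hdrs" | grep -q '^x-xss-protection: *1'; then
        echo "legacy: x-xss-protection=1; send 0 or drop the header"; n=$((n + 1))
    fi
    return $n
}

# audit_count HEADERS: run header_audit over a header block and print the count.
audit_count() {
    n=0
    printf '%s\n' "$1" | header_audit >/dev/null || n=$?
    echo "$n"
}

# Constructed sample: what the VirtualHost block above would send.
PAGE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Security-Policy: default-src '\''self'\''; font-src *;img-src * data:; script-src *; style-src *;
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same site after tightening the CSP and dropping the legacy header.
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Security-Policy: default-src '\''self'\''; img-src '\''self'\'' data:; script-src '\''self'\''; style-src '\''self'\'' '\''unsafe-inline'\''; frame-ancestors '\''self'\''
Content-Type: text/html; charset=UTF-8'

count=$(audit_count "$PAGE_HEADERS")
printf '%s\n' "$PAGE_HEADERS" | header_audit || true
echo "findings for the page's header block: $count"
```

Against the page's own header block the audit reports two findings, the wildcard script-src and the legacy X-Xss-Protection value; the hardened sample passes clean. Header names are matched case-insensitively, so the check is the same whether Apache or a CDN in front of it emits them.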
