Secure WordPress

File permissions

find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--

Ownership

During setup:

chown www-data:www-data -R * # Let Apache be owner

After setup:

chown root:root -R * # Let root (your admin account) be owner
chown www-data:www-data wp-content -R # Let Apache be owner of wp-content
chown www-data:www-data wordfence-waf.php # Let Apache be owner of the Wordfence WAF file

find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--

# wordfence-waf.php
chmod 644 wordfence-waf.php

# .htaccess
chown root:root .htaccess
chmod 644 .htaccess

# wp-config.php
chown root:root wp-config.php
chmod 644 wp-config.php


# to test:
#   click on "Wordfence" - "Firewall" --> should be activated
#   activate/deactivate plugin
#   install / uninstall plugin
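
The ownership and mode scheme above can be checked with a small audit function. This is an added example, not part of the original post: `audit_wp` and its parameters are hypothetical names, and the defaults assume the root / www-data split used above.

```bash
#!/bin/sh
# Added example: audit a WordPress tree against the "After setup" scheme.
# audit_wp and its parameters are hypothetical names, not part of WordPress.
# Usage: audit_wp /var/www/html [core_owner] [web_owner]

# The body is a subshell "( ... )" so its variables stay local to the function.
audit_wp() (
    root="${1%/}"          # strip a trailing slash so the -path patterns match
    admin="${2:-root}"     # assumed owner of core files, .htaccess, wp-config.php
    web="${3:-www-data}"   # assumed owner of wp-content and wordfence-waf.php

    findings=$(
        # Directories must be exactly 755 and files exactly 644.
        find "$root" -type d ! -perm 755 -print | sed 's/^/MODE  /'
        find "$root" -type f ! -perm 644 -print | sed 's/^/MODE  /'

        # Outside wp-content, everything except wordfence-waf.php belongs to $admin.
        find "$root" -path "$root/wp-content" -prune -o \
            ! -path "$root/wordfence-waf.php" ! -user "$admin" -print |
            sed 's/^/OWNER /'

        # wp-content (recursively) and wordfence-waf.php belong to $web.
        for p in "$root/wp-content" "$root/wordfence-waf.php"; do
            if [ -e "$p" ]; then
                find "$p" ! -user "$web" -print | sed 's/^/OWNER /'
            fi
        done
    )

    # No deviations: succeed silently. Otherwise list them and fail.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
)

# Run only when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_wp "$@"; fi
```

Each output line names a path that deviates from the scheme, prefixed with `MODE` or `OWNER`; a non-zero exit status makes the function usable from cron or a deployment script.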

Special files

wp-config.php – so you don't need to enter a username and password when installing plugins

define('FS_METHOD', 'direct');

.htaccess file in main directory

Copy your htaccess file to a backup directory

chmod 644 .htaccess

After each modification (e.g. wordfence firewall optimization) make a backup of the .htaccess file.

File permissions

Install and configure Wordfence

Install and configure UpdraftPlus

Memory limit (e.g. for woocommerce)

Edit the wp-config.php file on your WordPress site. It is located in your WordPress site’s root folder.

Next, you need to paste this code in wp-config.php file just before the line that says ‘That’s all, stop editing! Happy blogging.’

define( 'WP_MEMORY_LIMIT', '256M' );

HTTP Headers

Check your site:

https://securityheaders.com/

Enable headers for apache:

a2enmod headers

Paste this into your VirtualHost config (nano /etc/apache2/sites-enabled/...):

   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-Xss-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
   Header always set Referrer-Policy "strict-origin"
   Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),ful>
   Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"

Restart server

service apache2 restart

Remove old security protocols (TLS 1.1, etc.)

E.g. if you use Apache and Let’s Encrypt, you can disable them by modifying some lines in the configuration:

Edit the include file:

nano /etc/letsencrypt/options-ssl-apache.conf

Modify the file to include the following:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Test

Check on one of the following sites:

https://securityheaders.com/

https://www.ssllabs.com/
