Server Setup / Wordpress

WordPress Security Checklist

by ,


We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

In this post, I’m going through a list of security measures to make your WordPress invincible from outside attacks.

As is usual with our checklists, some items are linked to relevant posts disclosing further details about setting them up.

Let’s go 🙂

Chapter I. Implement security through obscurity

While this doesn’t make your WordPress truly secure, security through obscurity is a practice you should use in your toolset.
Lessening the exposure of using WordPress and breaking intruders’ expectations, by itself, often makes them unwilling to go further in locating potential exploits.
Completely hiding the fact of using WordPress is definitely not possible, as it exposes a lot of its “signatures” through well-known URLs and HTML elements.

We can make it look less than a typical WordPress installation by changing standard paths like wp-content.
This will trick most bots to believe they are not dealing with WordPress.
Then they usually leave your website alone without scanning further.

1. Change URLs for plugins and content directories

define( "WP_CONTENT_URL", "/c"); 
define( "WP_PLUGIN_URL", "/p" ); 

This saves some bytes in the HTML because we use absolute URLs without domains. It also safeguards against the majority of bots, which scan /wp-content/ and do not attempt to detect alternative paths.
So a better security, and reduced CPU load from those bots.

2. Hide Server header and software information disclosed via HTTP headers

You do want to hide the information about your web server.

How to remove the Server header in NGINX

Chapter II. Securing WordPress

1. Secure NGINX configuration

A perfectly secure NGINX configuration for WordPress allows the execution of only whitelisted PHP endpoints.
In this way, it prevents the execution of user-uploaded PHP files.

Best practice secure NGINX configuration for WordPress

2. Auto-block bots in firewall

The NGINX honeypot approach allows you to block bots immediately and permanently in your server firewall.

NGINX honeypot – the easiest and fastest way to block bots!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: