NCWF / CWR Forums
Securing WordPress

Securing WordPress - blscott - 2020-05-02

This article is copied from our ISAO's known best practices section of these forums.

Before you link the site to a domain.
----------------------------------------------------------------------------------------------
* Create a CloudFlare account and assign the DNS servers to the service for your domain. Ensure the site's domain is routing BEFORE you link the IP address to the domain through the service.
* If you expect the site will receive excessive attacks or will need to scale to a very large footprint, make a load-balancing server. We recommend DigitalOcean for load balancers since they allow load balancing of servers they do not own. Point the domain to the load balancer and then point the load balancer to your WordPress server.

Once you have made the pathway to your WordPress server safe
----------------------------------------------------------------------------------------------
* Do your WordPress setup and configuration. Assign the WordPress server an SSL certificate. We recommend using LetsEncrypt.
* Install security plugins.
  * We use WordFence.
  * We use 404 to Home for redirecting all 404 errors to your WordPress home page.
  * We use WPFail2Ban for locking out brute-force attackers.
  * We also use Trusona for passwordless logins.
* Use plugins only after testing them properly. Going through the plugin reviews and a Google search will let you know about the reputation of the plugin.
* Change permissions for .htaccess, wp-config.php and the theme's main files to 444.
* Set proper file permissions for other files and folders. The best practice is to use 644 for files and 755 for folders.
* Keep your WordPress up to date.
* Keep all your plugins and themes up to date.
* Always keep a backup of your database and files, and refresh it at regular intervals. Using a cloud host makes this easy and automatic.
* Change all passwords associated with the site at regular intervals. All accounts.
* Use strong passwords for all logins. Include a mixture of at least one uppercase letter, lowercase letter, special character and number.
* Change your WP-Admin username from admin to some other name.
* Change the database prefix from wp_ to some other complicated characters to avoid zero-day SQL injection attacks.
* Remove the timthumb script if your site is running it, as it's no longer supported or maintained.
* Keep track of the latest visitors through log files for tracking site users. If you find any suspicious activity at any particular time, then the log files might help you to know a bit about the attacker.
* Keep all home systems that are authorized to update your WordPress site virus-free.
* Always try accessing the site credentials from one system only per authorized site administrator.
* Validate all user inputs like URLs, image uploads etc.
* Keep track of the WP-Admin and FTP accounts user section for any unauthorized user.
* You can also use the Wordfence plugin to monitor for malicious scripts.
* Put some security on the server on which your site is hosted, whether it is hosted on a dedicated or a shared server, e.g. Fail2Ban and UFW rules.
* Keep updated with the latest vulnerabilities. Utilize our ISAO to help with that.
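
The permission scheme in the list above (644 for files, 755 for folders, 444 for .htaccess, wp-config.php and the theme's main files) is easy to get wrong by hand on a large install, so here is an added shell example that applies it and then audits the tree for anything that drifted. It is not code from the post or from any of the plugins named; it assumes GNU coreutils (`stat -c`, `find`), that `$1` is the WordPress document root, and that `$2` is the directory name of the active theme (the post does not say which theme files count as "main", so this treats functions.php and style.css as the read-only set).

```shell
#!/bin/sh
# Added example (not from the forum post): apply and audit the recommended
# WordPress file permissions. Assumes GNU stat/find and a Linux host.

# Print the files that the post says should be read-only (444).
# $1 = document root, $2 = active theme directory name (may be empty).
readonly_targets() {
  root="$1"; theme="$2"
  printf '%s\n' "$root/wp-config.php" "$root/.htaccess"
  if [ -n "$theme" ]; then
    # "Theme main files" is an assumption: functions.php and style.css.
    printf '%s\n' "$root/wp-content/themes/$theme/functions.php" \
                  "$root/wp-content/themes/$theme/style.css"
  fi
  return 0
}

# Apply 755 to directories, 644 to files, then 444 to the read-only set.
harden_wp_permissions() {
  root="$1"; theme="$2"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  readonly_targets "$root" "$theme" | while IFS= read -r f; do
    [ -e "$f" ] && chmod 444 "$f"
  done
  return 0
}

# Walk the tree and print the number of entries whose mode is not the
# expected one (details go to stderr so the count on stdout stays clean).
check_wp_permissions() {
  root="$1"; theme="$2"; bad=0
  ro_list=$(readonly_targets "$root" "$theme")
  # Here-document instead of a pipe so $bad survives the loop in POSIX sh.
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    mode=$(stat -c '%a' "$path")
    if [ -d "$path" ]; then
      expected=755
    elif printf '%s\n' "$ro_list" | grep -qxF "$path"; then
      expected=444
    else
      expected=644
    fi
    if [ "$mode" != "$expected" ]; then
      echo "MISMATCH mode=$mode want=$expected $path" >&2
      bad=$((bad + 1))
    fi
  done <<EOF
$(find "$root")
EOF
  echo "$bad"
}

# Usage: WP_ROOT=/var/www/html WP_THEME=twentytwenty sh wp-perms.sh
if [ -n "${WP_ROOT:-}" ]; then
  harden_wp_permissions "$WP_ROOT" "${WP_THEME:-}"
  echo "remaining mismatches: $(check_wp_permissions "$WP_ROOT" "${WP_THEME:-}")"
fi
```

Run the audit function on its own from cron to catch a plugin or an FTP upload that silently loosened a file; the count it prints is non-zero exactly when something needs attention, and the stderr lines say what.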

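The post recommends WPFail2Ban, Fail2Ban and UFW rules against brute-force logins and reading the log files for suspicious activity. The following added shell example (not from the post or from any of those tools) shows the detection step itself: it tallies POST requests to wp-login.php and xmlrpc.php per source IP in a combined-format web access log and lists the addresses over a threshold, then emits the matching `ufw deny` lines for an operator to review. The log lines are constructed for the example; the field positions assume the standard Apache/nginx combined log format.

```shell
#!/bin/sh
# Added example (not from the forum post): spot WordPress login brute force
# in an access log. Assumes the Apache/nginx "combined" log format.

# Constructed sample log lines (not real traffic): one host hammering
# wp-login.php, one host hitting xmlrpc.php, and a normal visitor.
SAMPLE_LOG='203.0.113.7 - - [02/May/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2020:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.10 - - [02/May/2020:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.68.0"
203.0.113.7 - - [02/May/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [02/May/2020:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.68.0"
203.0.113.7 - - [02/May/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.10 - - [02/May/2020:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.68.0"
203.0.113.7 - - [02/May/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2020:10:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin; print "<count> <ip>" for every
# source with at least $1 POSTs to the login endpoints, highest first.
# In combined format $6 is the quoted method and $7 the request path.
wp_login_offenders() {
  threshold="$1"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
  ' | sort -rn
}

# Turn the offender list (stdin) into UFW deny rules for review. Printing
# rather than running them keeps a human in the loop before a block.
ufw_block_commands() {
  while read -r count ip; do
    [ -n "$ip" ] && echo "ufw deny from $ip   # $count login POSTs"
  done
  return 0
}

# Usage: sh wp-bruteforce.sh < /var/log/nginx/access.log
# Runs against the constructed sample when no log is piped in.
if [ -t 0 ]; then
  printf '%s\n' "$SAMPLE_LOG" | wp_login_offenders 5 | ufw_block_commands
fi
```

The threshold is a policy choice: a real login page sees a few failed POSTs from legitimate users, so start high, compare against your own traffic, and feed the same pattern into a Fail2Ban filter once it looks right.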
In the event of a compromise
----------------------------------------------------------------------------------------------
* If the site has been compromised, then you must change your salt keys from your wp-config.php file under the root directory. You can generate new keys from here. It will force all users to have to log in again.
* Immediately change all passwords for all accounts.
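
Rotating the salt keys in wp-config.php is the first step the post gives for a compromise; the added shell example below does it locally with the kernel's CSPRNG instead of pasting values from an online generator, backs up the file first, and replaces all eight `define(...)` lines regardless of their spacing. It is not code from the post; it assumes GNU `sed -i`, a readable /dev/urandom, and the standard WordPress key and salt names.

```shell
#!/bin/sh
# Added example (not from the forum post): rotate the WordPress
# authentication keys and salts in wp-config.php after a compromise.
# Assumes GNU sed and /dev/urandom. Every logged-in session is invalidated
# once these change, which is the effect the post describes.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random alphanumerics. Alphanumerics only, so the value needs no
# escaping inside the PHP single-quoted string or the sed replacement.
random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Replace each define('NAME', '...'); line in $1 with a fresh key.
rotate_wp_salts() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  cp "$cfg" "$cfg.bak.$(date +%s)"          # keep the old file for forensics
  for name in $WP_KEYS; do
    val=$(random_key)
    # Tolerate any whitespace WordPress or an editor put inside the parens.
    sed -i "s|define( *'$name', *'[^']*' *);|define('$name', '$val');|" "$cfg"
  done
}

# Count define lines that now carry a 64-character alphanumeric value;
# anything other than 8 means a line was missing or not matched.
count_wp_salts() {
  grep -c "define('[A-Z_]*', '[A-Za-z0-9]\{64\}');" "$1" || true
}

# Usage: sh rotate-salts.sh /var/www/html/wp-config.php
if [ -n "${1:-}" ]; then
  rotate_wp_salts "$1"
  echo "rotated keys in $1: $(count_wp_salts "$1") of 8"
fi
```

Check that `count_wp_salts` reports 8 after the run; a site that was set up with keys pulled from a generator sometimes has the lines in a non-standard form, and a define that did not match still holds the old, possibly leaked, value.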