checklist for new wordpress websites for security enhancements
General Security Enhancements
- Go to the WordPress dashboard
- Click on the Updates section
- Click on the Update Now button
- Go to the Plugins section in the WordPress dashboard
- Click on the Update Now link for each plugin
- Repeat the same process for themes in the Appearance section
- Go to the Plugins section in the WordPress dashboard
- Deactivate and delete any unused plugins
- Repeat the same process for themes in the Appearance section
- Create a new user with administrator privileges
- Login with the new user account
- Delete the default 'admin' username
- Use a combination of letters, numbers, and special characters
- Avoid using common words or phrases
- Consider using a password manager
- Install a two-factor authentication plugin
- Follow the setup instructions for the plugin
- Enable two-factor authentication for all user accounts
- Install a login attempt limiting plugin
- Set a limit on the number of login attempts
- Configure the plugin to block IP addresses after too many failed attempts
- Add the following line of code to the wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );
- Save and upload the modified wp-config.php file
- Create a .htaccess file in the root directory of your WordPress installation
- Add rules to restrict access to sensitive files
- Save and upload the .htaccess file
- Go to the Plugins section in the WordPress dashboard
- Click on the Add New button
- Search for and install the Wordfence or Sucuri plugin
Website Configuration
- Purchase an SSL certificate from a trusted provider
- Install the SSL certificate on your web server
- Update the website URL to use HTTPS
- Install a backup plugin like UpdraftPlus
- Configure the backup settings to run automatically and store backups offsite
- Change file permissions to 644 for files and 755 for directories
- Avoid using 777 permissions as it gives too much access
- Access your website's root directory
- Locate the .htaccess file
- Add the following line to the .htaccess file: Options -Indexes
- Install a security plugin like Wordfence
- Disable XML-RPC in the plugin settings
- Access your website's root directory
- Locate the .htaccess file
- Add the following lines to the .htaccess file for each directory:
php_flag engine off
- Access your website's root directory
- Locate the .htaccess file
- Add the following lines to the .htaccess file: Header always set X-Frame-Options DENY Header always set X-XSS-Protection "1; mode=block" Header always set X-Content-Type-Options nosniff
- Access your website's root directory
- Locate the .htaccess file
- Add the following lines to the .htaccess file:
Order Deny,Allow Deny from all Allow from xx.xx.xx.xx
Database Security
- Access your WordPress files via FTP or cPanel
- Open the wp-config.php file in a text editor
- Locate the line that defines the $table_prefix variable
- Change the prefix to a unique string
- Access your database through phpMyAdmin or a similar tool
- Create a new user with limited privileges
- Grant only the necessary permissions to the user
- Delete any unused or unnecessary users
- Install a backup plugin like UpdraftPlus or BackupBuddy
- Schedule regular backups of your database
- Store backups in a secure location, such as an external drive or cloud storage
- Test backups regularly to ensure they can be restored
- Install a security plugin like Wordfence or Sucuri
- Set up alerts for unusual database activity
- Regularly review database logs for any suspicious behavior
- Investigate and address any anomalies immediately
- Use a plugin like WP Encrypt or WP Security Audit Log
- Enable encryption for sensitive data fields
- Regularly review encryption settings for any updates or changes
- Ensure encryption keys are stored securely
Server Security
- Install and configure a firewall to filter incoming and outgoing traffic.
- Set up rules to block unauthorized access attempts.
- Generate SSH key pairs for server access.
- Disable password authentication and only allow key-based authentication.
- Update server configuration to disable directory browsing.
- Ensure sensitive directories are not accessible.
- Regularly review server logs for any suspicious entries.
- Set up alerts for unusual activities.
- Use a reputable security tool to scan the server for malware.
- Check for vulnerabilities in server software and address them.
Monitoring and Maintenance
- Utilize monitoring tools like Sucuri or Wordfence to set up alerts
- Configure email notifications for any security incidents
- Schedule regular malware scans using security plugins
- Run vulnerability scans using tools like WPScan or Nessus
- Review user login attempts and IP addresses
- Check for any unauthorized changes to files or settings
- Conduct manual security audits to identify potential vulnerabilities
- Perform penetration testing to simulate real-world attacks
- Back up website files and database regularly
- Create a detailed plan for restoring the website in case of a breach
Additional Security Measures
- Add Content-Security-Policy header to HTTP response
- Specify allowed sources for scripts, styles, images, fonts, etc.
- Use CSP directives to restrict which resources can be loaded
- Add Strict-Transport-Security header to HTTP response
- Set max-age directive to specify how long the browser should remember HSTS
- Include subdomains by adding includeSubDomains directive
- Install a WAF plugin or service
- Configure rules to block common attack patterns
- Regularly monitor and update firewall rules
- Perform security audits and vulnerability scans regularly
- Stay informed about latest security threats and best practices
- Update plugins, themes, and WordPress core regularly
Use in Manifestly