Category Archives: Security

Simple Steps to Secure WordPress Site

  1. Keep WordPress updated
  2. Keep plugins updated
  3. Only use trusted plugins
  4. Only use trusted themes
  5. Choose a secure password
  6. No “admin” username
  7. Decent hosting
  8. Keep regular backups
  9. Restrict login attempts (use iThemes Security)
  10. Switch on SSL encryption
  11. Change database prefix
  12. Two-factor authentication (use Google Authenticator)
  13. Monitor what’s happening
  14. Block access to system files

    # protect files
    <files wp-config.php>
    Order deny,allow
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files license.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files error_log>
    Order allow,deny
    Deny from all
    </files>

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

  15. Build your own firewall
  16. Hide .htaccess file
    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow, deny
    deny from all
    satisfy all
    </Files>
  17. Protect WP-Admin area
  18. Block PHP in uploads folder
    <Files *.php> Deny from All </Files>
  19. Tighten PHP configuration
    ; Disable allow_url_fopen in php.ini for security reasons
    allow_url_fopen = Off
    ; Disable allow_url_include in php.ini for security reasons
    allow_url_include = Off
    ; Disable display_errors in php.ini for security reasons
    display_errors = Off
    log_errors = On
  20. Create your own encryption keys
  21. Folder permissions

Source: Primary Image

OpenSSL Update

Instructions on how to secure your server against the Heartbleed vulnerability:

  1. Edit CentOS-Base.repo (vi /etc/yum.repos.d/CentOS-Base.repo)
    • Add the # sign to this URL: mirrorlist=http://... (#mirrorlist=http://...)
    • Delete # sign to this URL: #baseurl=http://... (baseurl=http://...)
  2. yum clean all
  3. yum update openssl
  4. openssl version -a (Confirm the update: exemple: 'built on: Tue Apr 8 02:39:29 UTC 2014')
  5. rpm -q --changelog openssl | head (fix can be confirmed)
  6. Restart Apache
  7. Re-edit CentOS-Base.repo (vi /etc/yum.repos.d/CentOS-Base.repo)
    • Delete the # sign to this URL: #mirrorlist=http://... (mirrorlist=http://...)
    • Add # sign to this URL: baseurl=http://... (#baseurl=http://...)

Source: GoDaddy.

Re-Keying an SSL Certificate in GoDaddy.

Turning off SSL engine in Apache for CentOS

  1. vi /etc/httpd/conf.d/ssl.conf (Edit ssl.conf)
  2. SSLEngine off (Find a line SSLEngine and turn it to off)
  3. service httpd restart (Restart the Httpd Services)

Source: Linux Toolkits