Categories
Linux wordpress

WordPress Security

Last updated on April 5th, 2020 at 16:13

This applies to self-managed Apache2 servers. Shared servers require different permissions, for example wp-config : set that file’s permissions to 440 or 400.

Site Lockdown

File permissions to lock down website, from the websites home folder. Do this from the root directory for example and you will break your server.


chown root:root  -R * 
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

Change to wp-content/uploads (to allow uploads)

chown www-data:www-data -R * 

If you get asked for ftp details when trying to upgrade wordpress, or any plugins or themes, you need to add the following to wp-config.php

define('FS_METHOD','direct');

Refer to https://wordpress.org/support/article/hardening-wordpress/ for more details, especially those regarding MySql.

On the server install

Denyhosts

Disable root login

Install rkhunter (root kit hunter) to check for vulnerabilities.

sudo apt-get install rkhunter

Perform check with

sudo rkhunter --check --skip-keypress

or on first run

sudo rkhunter --checkall --skip-keypress

And keep it updated with

sudo rkhunter --update

For Ubuntu server you may have to “fix” /etc/rkhunter.conf

UPDATE_MIRRORS=0 to UPDATE_MIRRORS=1
MIRRORS_MODE=1 to MIRRORS_MODE=0
WEB_CMD="/bin/false" to WEB_CMD=""