A Handy Site Security Checklist | WordPress sites 22May2011

WordPress Site Security CHECKLIST


This checklist utilizes the book “Digging Into WordPress” available at
http://digwp.com. If you aren’t familiar with the work of Chris Coyier and Jeff
Starr and you use WordPress for personal or business pursuits, you are missing
out.

Whether you purchase their eBook (lifetime upgrades) or not, their website can
be searched to find most, if not all, of the topics/steps in this checklist.

When I refer to other articles I’ve used to compile my checklist, if I haven’t
provided a URL you can find it by performing a Google search.

Should you follow this checklist, or most of it, the security of your WordPress site
will be greatly enhanced.

Securing WordPress, p. 325 – Digging Into WordPress (Primary REF)
9.1.3 Setting Secure File Permissions, p.326
I’ll look at this but plan on using GoDaddy permissions to lock out access.

9.1.4 Disabling Directory Views, p.329


Simply open your root .htaccess file or Apache configuration file and add the
following line, preferably near the top of the file (although it will work anywhere): >>
Options -Indexes. Alternatively, if .htaccess is not an option, you may prevent
directory listings by simply adding a blank index.html or index.php file to each of your
WordPress directories.

9.1.5 Forbid Access to Sensitive Files >> install.php, p.332


You’ve chosen step 3 >> Replace it with something safe and useful.
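As an added illustration (this is not code from the book or from the original checklist), here is a root .htaccess fragment that implements 9.1.4 and the deny-by-configuration alternative for 9.1.5 in one place. Directives in a root .htaccess apply to every subdirectory, so the `<Files>` block also covers wp-admin/install.php without a second file:

```apache
# Added example, not from "Digging Into WordPress" or the checklist.
# Root .htaccess: applies to the site root and everything beneath it.

# 9.1.4 - never auto-generate a directory listing when no index file exists.
Options -Indexes

# 9.1.5 - refuse direct requests for the installer, wherever it sits.
# Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny pair with:
#     Require all denied
<Files install.php>
    Order Allow,Deny
    Deny from all
</Files>
```

If the host has not enabled `AllowOverride Options`, the `Options` line produces a 500 error for the whole site; that is the case where the blank index.php fallback described above is the right tool instead.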

9.1.5 Forbid Access to Sensitive Files >> wp_admin directory, p.335


Lucky for you, GoDaddy provides password-Protected directories with a few clicks of
the mouse from your Hosting Account.
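What the GoDaddy control panel sets up behind those clicks is ordinary Apache basic authentication. The fragment below is an added example, not the checklist's or GoDaddy's configuration, showing the equivalent /wp-admin/.htaccess; the .htpasswd path is a placeholder, and the `<Files>` exception is the detail that most often gets missed when a panel does this for you:

```apache
# Added example, not from the checklist or from GoDaddy. Save as /wp-admin/.htaccess.
# The password file path is a placeholder: keep it outside the web root and
# create it with the Apache tool:  htpasswd -c /home/example/.htpasswd username
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /home/example/.htpasswd
Require valid-user

# wp-admin/admin-ajax.php is fetched by front-end scripts on behalf of ordinary
# visitors, so a blanket prompt on wp-admin breaks those features. Let that one
# file through without credentials. Apache 2.2 syntax; on 2.4 use
#     Require all granted
# inside the block instead of Order/Allow/Satisfy.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
    Satisfy Any
</Files>
```

The login form itself still runs at /wp-login.php, outside this directory, so the password prompt protects the dashboard and its scripts rather than replacing WordPress authentication.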


9.1.6 Neuter the Default “Admin” User Account, p.341


Here are the steps:
1. Add a new user with full administrative privileges.
2. Log out and log back in as the new user.
3. Once inside, change the user privileges for admin to “subscriber”.
4. You’re done.

9.18 Use Security Keys to Increase Security, p. 344


WordPress Security Keys are a set of random variables that improve encryption of
information stored in the user’s cookies. Prior to WordPress 3.0, you had to install
this in your wp-config.php file manually. Now, with WPv3.0, the install wizard
automatically adds the security keys into your wp-config.php. Also prior to WordPress
3.0, there were only 4 security keys. WPv3.0 has eight (8) security keys available.

If you set up WordPress v3.0 without the install wizard, here’s the WP.org website to
obtain the eight (8) line security key >> https://api.wordpress.org/secret-key/1.1/salt/.
Just cut and paste the keys into your wp-config.php file.

9.1.8 Securing Your MySQL Database, p.345


Your preferred way of changing your prefix is to export your database SQL file, then
search/replace (with Notepad++) all instances of “wp_”. A blind replace also rewrites any
“wp_” text that happens to appear inside post content, so review the matches, and change
$table_prefix in wp-config.php to the new prefix so WordPress can find the renamed tables.

9.1.10 Prevent Hotlinking, p.345


Install the .htaccess script from Perishable Press to Hotlink protect your site from
everyone except your Feedburner subscribers:
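The Perishable Press script itself is not reproduced here; the following is an added example written for this page, a mod_rewrite hotlink rule with the same shape: your own domain (example.com is a placeholder) and FeedBurner are allowed, and everything else requesting an image is refused.

```apache
# Added example, not the Perishable Press script the checklist refers to.
# example.com is a placeholder for your own domain.
RewriteEngine On

# Requests with no Referer at all are allowed: direct visits, many feed
# readers and privacy tools send none, and refusing them breaks real readers.
RewriteCond %{HTTP_REFERER} !^$
# Your own site and FeedBurner are allowed through.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)?feedburner\.com/ [NC]
# Every other site embedding your images gets 403 Forbidden. Returning 403
# (rather than redirecting to a replacement image) costs no bandwidth.
RewriteRule \.(jpe?g|gif|png)$ - [F,NC,L]
```

The Referer header is supplied by the client, so this stops careless embedding and saves bandwidth; it is not an access control for the images.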

9.2.2 Configuring Your WordPress Admin Options, p.349


Configure more restrictive comment settings on the Admin > Settings > Discussion
options page; there are several options that enable you to take strong action against
spam. Use them.

9.2.5 Disabling Comments on Old Posts, p.350


An easy solution to this is to simply disable comments on all posts that are older
than “x” number of days. For example, digwp.com automatically closes comments after
90 days. Any reasonable amount of time should work fine.

9.2.5 Deny Access to No-Referrer Requests, p.351


Many spambots target WordPress’ comment script directly, bypassing your comment
form entirely. An easy way to circumvent this behavior is to deny all requests for the
comment script that do not originate from your domain. Add the script to your
.htaccess file.
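The rule the book supplies is not copied here. As an added example for this page, the fragment below expresses the same check in mod_rewrite: a POST to the comment handler whose Referer does not start with your own site URL (example.com is a placeholder) is refused. A request with no Referer at all fails the negated match as well, so it is covered without a separate condition.

```apache
# Added example, not the script from "Digging Into WordPress".
# example.com is a placeholder for your own domain.
RewriteEngine On

# Only POSTs to the comment handler are examined; normal page views are untouched.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$ [NC]
# Refuse unless the Referer starts with this site's URL. An empty or missing
# Referer does not match the pattern either, so it is refused too.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# 403 Forbidden rather than a redirect: cheaper, and nothing for the bot to follow.
RewriteRule .* - [F,L]
```

Because the Referer is client-supplied, this only stops bots that post blindly to the script; a bot that sets the header passes, and a legitimate visitor whose browser strips Referer headers for privacy will be unable to comment. Check the server error log for 403s on wp-comments-post.php after deploying it to see both effects.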

OTHER Security Provisions


Block Bad Queries (BBQ) Plugin by Perishable Press
http://wordpress.org/extend/plugins/block-bad-queries/
This script checks for excessively long request strings (i.e., greater than 255
characters), as well as the presence of either “eval(” or “base64” in the request URI.
These sorts of nefarious requests were implicated in the September 2009 WordPress
attacks.
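For readers who would rather keep this logic in .htaccess than install a plugin, here is an added example (not the BBQ plugin's own code) expressing the three checks the checklist describes as mod_rewrite conditions, so they run in Apache before PHP starts. Apache keeps the path and the query string in separate variables, so each check is applied to both:

```apache
# Added example, not the Block Bad Queries plugin's code.
RewriteEngine On

# Request strings longer than 255 characters, in either the path...
RewriteCond %{REQUEST_URI}  ^.{256,}$ [OR]
# ...or the query string...
RewriteCond %{QUERY_STRING} ^.{256,}$ [OR]
# ...or "eval(" / "base64" appearing in either one, case-insensitively.
RewriteCond %{REQUEST_URI}  (eval\(|base64) [NC,OR]
RewriteCond %{QUERY_STRING} (eval\(|base64) [NC]
# Any request matching one of the four conditions gets 403 Forbidden.
RewriteRule .* - [F,L]
```

Two caveats a practitioner should weigh before enabling it: the patterns are literal, so a post slug or search term that legitimately contains the word "base64" is blocked too (a false positive), and the query string is matched as sent rather than percent-decoded, so an encoded variant of the same text passes, exactly as it would the plugin's literal check.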

SECURE Foolproof WP Security – Part 1 by WebHost (Primary REF)


This article provides numerous ways to better secure WordPress WITHOUT PLUG-INS.
This is what’s not yet incorporated into your security umbrella:

1. Disable Remote Publishing if you don’t use it. (Maybe)


Seems like a good idea but it involves adding code to the function.php file (just
another file I need to change). I want to emphasize changes to the .htaccess file
or use plugins to make changes, if at all possible.

2. Hide Your Plug-ins and Themes (Yes)


Copy empty index.php files into your wp-config folder or add GoDaddy password
protection to the wp-config folder.

3. Block WordPress Folders from Search Engines (Yes)


More than merely adding “Disallow: /wp-*” to your robots.txt file, look at your current
robots.txt but be prepared to add the robots.txt file recommended by www.askapache.com. This
content is also referred to in the WordPress Codex article, “Search Engine Optimization for
WordPress.”

SECURE Ten (10) Useful WordPress Security Tweaks – 2July10 (PDF)


http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
This article stirred up a boatload of comments from the Smashing community. Of
the ten (10) tweaks this is the one that I haven’t addressed, yet >>
#5 – Protect Your WordPress Blog from Script Injections
