Codex

Talk:Hardening WordPress

Maybe we actually need a bit about how you can harden the server that WordPress is on, e.g. hardenedphp, mod_security. --Westi 12:03, 22 Jun 2005 (UTC)

I'm obliterating this page based on some input from my brother, who's a security guru at Microsoft. My user page has changes, still in progress. --Ringmaster 16:05, 14 Jul 2005 (CDT)

Your changes are helpful, Ringmaster, but I don't see why you didn't edit this page instead of forking it. Won't that create confusion? I'm leaving a couple of comments on your userspace page. --Eads 12:47, 15 Jul 2005 (UTC)

He's trying to make MAJOR changes to the documentation before replacing it. This actually often happens as people aren't "exactly" sure about the changes they want to make, or who they will offend or how badly, and they will copy it to their user page and start ripping and tearing, preserving the original. This is why. Lorelle 13:31, 15 Jul 2005 (UTC)

Hi, I guess this page hasn't been updated in a while, but I've got another suggestion for the File Permissions section. Many people are on shared hosting servers, and these servers usually run something like suPHP; this means that WordPress is run as a dedicated user account (for each customer), so setting wp-config.php to 600 permissions, rather than 644, protects the DB credentials from other users on the same server. --linickx 19:10, 11 Feb 2007 (UTC)

Is the link under the "Passwords" section really necessary? "The Automatic Password Generator" seems far too complex for the average user. Open source pwgen may be a better solution. PlanetMike 13:19, 9 April 2008 (UTC)

The AskApache plugin is highly problematic. This is a WordPress Codex page and it seems to put the stamp of approval on this plugin. Yet, when I installed it, it locked me out of my Admin panel. In reading the comments about the plugin, lots of other users had similar problems. You have to delete the .htaccess file that appears in your wp-admin folder to get back in. Tom 06:16, 23 June 2008 (UTC)

I think the AskApache plugin should be pulled. It locks people out of their sites when they install it. At first I thought it was just me, but then a friend experienced the same problem. Tom 02:30, 24 June 2008 (UTC)

Administration Over SSL

Is Securing wp-admin the same as SSL Encryption Security ("WordPress 2.6 and later has greatly improved support for Administration Over SSL out of the box.")? Looks to me like they should merge, but I might have misunderstood. --Chriswaterguy 13:12, 29 November 2010 (UTC)

File Permissions

In the File Permissions section I read this sentence: "You have to omit to use this command for /wp-includes/."

Its meaning escapes me. It was meant (probably) to refer to the code snippet right above it. Even so, what to omit is a mystery. I would have fixed the line if I had been able to understand it. saltlakejohn 09:35, 1 January 2011 (UTC)

Changing table prefix

Changing the table prefix may be a good idea -- but it's problematic if it's not done at the time of installation. I'm trying to track down exactly what's needed if there's a requirement to change the table prefix on a running installation.

Links: Trac entry 4780; Forum discussion

Converting2wp 14:22, 9 June 2011 (UTC)

Adding Plugin Link to Resources

Hello, I have developed a plugin that helps users to check for violations for most of the things described in the hardening guide as well as some additional ones. Is it ok to add a link to it in the resources section? Please advise.

MVIS Security Center

Mvis 10:30, 30 October 2012 (UTC+7)

Links to plugins in the WordPress extend are welcome. Thanks for contributing. --MichaelH (talk) 16:04, 1 November 2012 (UTC)

Thanks for your feedback MichaelH. I will put the link in now. Mvis 12:48, 2 November 2012 (UTC+7)

Adding Link to Resources

Added link to my extensive article on Securing WordPress, using both developer and user aspects. This is unique to the other resources added and wasn't JUST plopping a link in for giggles. MichaelH removed this and I don't see why.

Accuracy of Information

Is this information still current and accurate? I'm sensing there may be some glaring problems. For instance, it advises us to give group ownership to www-data on a few folders, but then advises that we should set all folder permissions to 755 and file permissions to 644, which does *not* have the group write bit set. Plus, if plugins is owned by the user only, then installing plugins will never work unless they supply FTP or SSH credentials. You can use SSH2 support in WP, but WP needs read access to the ssh private key, and if a hacker gains access to that through the www-data user, they can ssh into your account. MDesigner0 (talk) 21:43, 23 January 2016 (UTC)

Securing wp-includes w/ Multisite

In the section 'Securing wp-includes' of the current doc there is the following note re Multisite:

"Note that this won't work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security."

What about altering the code to something like RewriteCond !wp-includes/ms-files\.php$ [NC] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L], which I haven't tested yet but think will work... insight/opinion? Maxfein 14 May 2016
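As an added example (not from the Codex page or from any participant above), one way to keep the wp-includes block while exempting only ms-files.php. It assumes the rule lives in the site-root .htaccess with mod_rewrite enabled; the exemption uses the RewriteRule's own captured filename ($1) as the RewriteCond test string, so it does not depend on REQUEST_URI.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Deny direct requests for PHP files directly under wp-includes/,
# except ms-files.php, which Multisite uses to serve uploaded files.
# $1 is the filename captured by the RewriteRule below; RewriteRule
# backreferences are available in the RewriteCond that precedes it.
RewriteCond $1 !^ms-files\.php$ [NC]
RewriteRule ^wp-includes/([^/]+\.php)$ - [F,L]
</IfModule>
```

Place this above WordPress's own rewrite block so it is evaluated first; when the Multisite files/ rule rewrites a request to ms-files.php internally, the exemption keeps that second pass from being denied while every other PHP file in wp-includes/ still returns 403.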