Summary:
· Since security issues are becoming more common in the internet world, we decided to educate our customers about the security of their WordPress websites. People use WordPress websites for ecommerce, blogging, portfolios, and other services, among other things. DDOS, Brute Force Attacks on Admin Login Using XMLRPC.php, Directory Listing, JSON Leaks, and more major threads to WordPress websites. Simple steps that are simple to grasp and execute are provided below. If you have any questions, please contact [email protected].
Scope:
· This SOP applies to new WordPress installations, existing WordPress installations, and any other security-vulnerable WordPress websites. Customers should take these actions.
· How to Install a New WordPress:
· It is available for download from our Cpanel Softacoulous Wordpress manager.
· Please keep in mind that you should never install software from an unknown source. If you are unable to install it through the software, download it from the WordPress official website (https://wordpress.org/download/).
· After installing WordPress from Softaculous, security measures should be implemented.
Click Security Measures
- Please mark everything except Change the default administrator's username
- Restrict access to files and directories
- Block unauthorized access to xmlrpc.php
- Block access to .htaccess and .htpasswd
- Turn off pingbacks
- Disable file editing in WordPress Dashboard
- Block author scans
- Block directory browsing
- Forbid execution of PHP scripts in the wp-includes directory
- Forbid execution of PHP scripts in the wp-content/uploads directory
- Disable scripts concatenation for WordPress admin panel
- Block access to sensitive files
- Enable bot protection
Security measures for manual installation:
https://www.wpbeginner.com/wordpress-security/
Follow above link for security.
If you already have WordPress installed, please see How to do Fresh WordPress Security Settings (start of page).
Point to Ponder:
Please do not install themes/plugins from unknown platforms or cracked versions, as this may cause damage to your website and business. Your website may be get compromised, or a SQL data dump attempt, data exfiltration, or defacement may occur.
It is strongly advised not to include any plugin, theme, or JS/PHP/PERL/PYTHON, etc script inside code downloaded/copied from an unknown source/person, as the company will not be held liable for any damage to your website.
Be aware of social engineering, and never give your login credentials to anyone or click on any phishing link. Make sure that when you visit your website wp-admin or cpanel, the URL is exactly as it should be (https://yourdomain.any:2083 or https://yourdomain.any/wp-admin). Please update your passwords if you believe you have been compromised.
Your password policy should be strong, such as an 8 char length password with:
- 2 capital letters, 2 small letters, 2 numbers, 2 unique characters.
- Not your name, domain name, or publicly accessible information. Passwords should be passphrases such as YouCan’tHackME@IhAvEStronGPaSS should be used. (Please do not use this password; it is only an example.)
