Detailed security settings for WordPress on a CentOS server

Source: Internet
Author: User
Tags centos server ssh account strong password wordpress version

WordPress is a free, open-source PHP blog platform that is both powerful and easy to use. It is favored by many bloggers and has become the most popular blog system. Although WordPress does a good job on security, we still need to strengthen its security settings, because vulnerabilities certainly exist that simply have not been found yet. Therefore, we must further harden WordPress to avoid unnecessary losses caused by vulnerabilities.


I. Update WordPress

Whenever a new WordPress version is released, update to it promptly to fix program vulnerabilities and resolve security problems.


II. Set complex passwords

Raising security awareness avoids many potential security risks, and password selection is one of them. Choose a strong password for the WordPress admin area (wp-admin) to prevent cracking.
A strong password:
1. Has at least 15 characters
2. Contains uppercase letters
3. Contains lowercase letters
4. Contains numbers
5. Contains special symbols, such as ! " ? $ % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | < , > . ? /
6. Is not similar to the previous password
7. Does not contain your name
8. Does not contain a friend's name
9. Does not contain a family member's name
10. Does not contain your birthday, mobile phone number, ID card number, or similar information
...
We can use the website http://strongpasswordgenerator.com/ to generate a strong password automatically.


III. Use SFTP instead of FTP

SFTP transfers files over an encrypted channel, which prevents hackers from stealing sensitive files. Ordinary FTP transmits files in plaintext: once a hacker intercepts the packets, the file contents are exposed. SFTP is part of sshd, so if you have an SSH account with permission to manage the web space, you can use SFTP to transfer files.


IV. File permission settings

File permission settings reference: http://www.centos.bz/2011/12/setup-secure-website-permissions/
The WordPress file permission settings involve several directories:
Root directory /, /wp-admin/, /wp-includes/:
All files should be writable only by your own user account and read-only for everyone else.
/wp-content/:
User content directory, which can be set to writable by all users.
/wp-content/themes/:
Theme directory. If you use the theme editor in the admin area, it must be writable.
/wp-content/plugins/:
Plugin directory, which should be writable only by your own user account.
Tip: a WordPress site runs normally with no write permission anywhere, so we recommend making the entire site unwritable. When you need to auto-upgrade or install a theme or plugin, temporarily make it writable and then remove the write permission again; this is the safest setting.
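The lock/unlock cycle from the tip above as an added shell example (not from the original article): it assumes a standard WordPress docroot passed as the first argument, that PHP runs as the file owner or a member of its group, and GNU/busybox stat as found on CentOS.

```shell
# Added example (not from the page): helpers for the "full-site unwritable"
# tip. Assumes $1 is a standard WordPress docroot and that PHP runs as the
# file owner or as a member of its group.

# wp_lock: no write bit anywhere, so neither PHP nor a compromised web
# account can modify code; wp-config.php (DB credentials) is not world-readable.
wp_lock() {
    root=$1
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# wp_unlock: owner may write again (755/644, others still read-only);
# use only for the duration of an upgrade or plugin/theme install.
wp_unlock() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

# wp_mode: octal permission bits of a path (GNU/busybox stat, as on CentOS).
wp_mode() {
    stat -c '%a' "$1"
}

# wp_upgrade_window ROOT CMD...: open the write window only around CMD
# and lock the tree again even if CMD fails; returns CMD's exit status.
wp_upgrade_window() {
    root=$1
    shift
    wp_unlock "$root"
    rc=0
    "$@" || rc=$?
    wp_lock "$root"
    return "$rc"
}
```

A typical use is `wp_upgrade_window /var/www/html wp core update` (path and command are assumptions), so the write permission exists only while the upgrade runs.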


V. Database security

If the server hosts multiple websites that use MySQL, we recommend creating a separate low-privilege user for each database. A database user needs the following privileges: Alter, Delete, Create, Drop, Execute, Select, and Update.
The command to add a MySQL database user is:
When no remote connection is needed:


GRANT ALTER, DELETE, CREATE, DROP, EXECUTE, SELECT, UPDATE ON dbname.* TO 'username'@'localhost' IDENTIFIED BY 'Password';

When a remote connection is required:


GRANT ALTER, DELETE, CREATE, DROP, EXECUTE, SELECT, UPDATE ON dbname.* TO 'username'@'client-ip' IDENTIFIED BY 'Password';

VI. wp-admin security settings

Some recommend changing the address of the admin area (wp-admin). This is feasible but troublesome, and it can make upgrading WordPress difficult, so we do not recommend changing the admin address. Instead, we secure the wp-admin area in three steps.
1. Set server-side password authentication for the admin area.
When accessing wp-admin, the visitor must first enter a server-side user name and password before reaching the WordPress login page. This prevents hackers from cracking the WordPress admin password.
Nginx settings: http://www.centos.bz/2011/12/nginx-http-auth-basic/
Apache configuration method: http://www.centos.bz/2012/04/apache-password-access/
2. Use SSL to log on to the admin area.
If your network is insecure and you log on over plaintext HTTP, hackers may sniff the user name and password. Sending the password over HTTPS avoids this risk.
Setting method: http://www.centos.bz/2012/04/force-wordpress-admin-with-ssl/
3. Allow only specified IP addresses to log on to the admin area.
This is a very good security setting. If possible, that is, if your work location has a relatively fixed address, allow only the specified IP address or IP range to log on to the admin area, which greatly enhances its security.
Nginx setting method: http://www.centos.bz/2011/12/nginx-deny-or-allow-ip/
Apache configuration method: http://www.centos.bz/2012/04/apache-order-deny-allow/
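A check that the three wp-admin restrictions above actually hold, as an added example (not from the original article): it reads an Nginx/Apache "combined" format access log and reports every client outside the allow list that reached /wp-admin or wp-login.php, and whether the server answered 401/403 as the auth_basic and allow/deny rules should. The log lines and the allowed address 203.0.113.7 are constructed for the example.

```shell
# Added example (not from the page): verify from the access log that the
# wp-admin restrictions are working. Assumes the Nginx/Apache "combined"
# log format, where $1 is the client IP, $7 the request path, $9 the status.

# Constructed sample log lines (not real traffic); 203.0.113.7 is the
# assumed allowed admin address, the other two addresses are outsiders.
SAMPLE_LOG='203.0.113.7 - - [10/Apr/2012:10:00:01 +0800] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2012:10:00:05 +0800] "POST /wp-login.php HTTP/1.1" 403 162 "-" "python-requests/2.0"
198.51.100.9 - - [10/Apr/2012:10:00:06 +0800] "POST /wp-login.php HTTP/1.1" 403 162 "-" "python-requests/2.0"
203.0.113.7 - - [10/Apr/2012:10:01:00 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2012:10:02:00 +0800] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.29"
192.0.2.44 - - [10/Apr/2012:10:02:01 +0800] "GET /index.php HTTP/1.1" 200 3000 "-" "curl/7.29"'

# wp_admin_audit "IP IP ...": read a combined-format log on stdin and print
# "ip hits verdict" for every client outside the allow list that touched
# /wp-admin or wp-login.php. BLOCKED = every such request got 401/403
# (the auth_basic / allow-deny rules held); LEAKED = at least one got through.
wp_admin_audit() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $7 ~ /^\/(wp-admin|wp-login\.php)/ && !($1 in ok) {
        hits[$1]++
        if ($9 != "401" && $9 != "403") leaked[$1]++
    }
    END {
        for (ip in hits)
            printf "%s %d %s\n", ip, hits[ip], (ip in leaked) ? "LEAKED" : "BLOCKED"
    }' | sort
}

# Demo on the constructed lines; on a real server run e.g.
#   wp_admin_audit "203.0.113.7" < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | wp_admin_audit "203.0.113.7"
```

Any LEAKED line means a request from outside the allow list reached the admin area with a non-403/401 status, so the allow/deny or auth_basic block is not covering that path.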


VII. Protect wp-includes and wp-config.php

To protect the wp-includes directory and wp-config.php, we can use Apache mod_rewrite or an Nginx location block to deny every user direct access to these include-only files.
Apache setting method:


# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-config\.php - [F,L]
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

VIII. Hiding information

1. Hide the WordPress version
Hiding the WordPress version prevents hackers from looking up vulnerabilities that match your version and attacking them. Reference operation method: http://www.centos.bz/2012/04/wordpress-hide-version/
2. Rename the administrator account
To prevent hackers from cracking the admin password, it is best not to use the default admin account. To rename the default account, run the following on the MySQL command line:


mysql> UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';

Alternatively, use phpMyAdmin to make the change visually.
3. Change table_prefix (the table name prefix)
Changing the default table name prefix wp_ can prevent SQL injection attacks.


IX. Data backup

Do not assume that the settings above leave nothing to worry about. We still need to back up the data so that it can be recovered quickly if it is lost or the site is hacked. For backup methods, see: http://www.centos.bz/category/backup/
Reference: http://codex.wordpress.org/Hardening_WordPress

