Difference between revisions of "WordPress Setup"

WordPress Best Practices

• Keep Wordpress Core and all plugins and themes updated
• Remove all unused plugins and themes
• Practice good password hygiene
  • Use strong passwords
  • Do not reuse passwords
  • Enable two-factor authentication where possible
  • Use a trusted password manager such as 1Password

Recommended WordPress Toolkit Settings

Recommended update settings for WordPress core, plugins, and themes:

• 

  Update Settings

Enact the following WP Toolkit Security recommendations (at a minimum):

• 

  Recommended Security Settings

• Restrict access to files and directories
• Block directory browsing
• Block unauthorized access to wp-config.php
• Disable PHP execution in cache directories
• Block access to sensitive files
• Forbid execution of PHP scripts in the wp-includes directory
• Forbid execution of PHP scripts in the wp-content/uploads directory
• Block access to .htaccess and .htpasswd

Enact these security settings in addition to the above:

• 

  Preferred Security Settings

• Configure security keys
• Disable scripts concatenation for WordPress admin panel
• Turn off pingbacks
• Change default database table prefix
• Enable bot protection
• Block access to potentially seneitive files
• Change default administrator's username

Addon Domains

When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary public_html folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.