WordPress Setup

From Montebello Park Hosting Support
Jump to navigation Jump to search

WordPress Best Practices

  • Keep Wordpress Core and all plugins and themes updated
  • Remove all unused plugins and themes
  • Practice good password hygiene
    • Use strong passwords
    • Do not reuse passwords
    • Enable two-factor authentication where possible
    • Use a trusted password manager such as 1Password

Recommended WordPress Toolkit Settings

Updates

WP Toolkit Update Settings
Update Settings

Recommended update settings for WordPress core, plugins, and themes:

  • Update WordPress automatically
    • Yes, but only minor (security) updates: With this setting you will only get security updates automatically and will have to install major/feature updates yourself. This is the absolute minimum recommended setting.
    • Yes, all (minor and major) updates: With this setting all updates will be installed. You will need to check your site after a major update to make sure nothing has been broken by the update. If you have a simple site without many 3rd party plugins or themes this is recommended.
  • Update plugins automatically
    • Defined individually, but security updates are autoinstalled: Autoupdate settings for each plugin are followed, vulnerable plugins will be updated automatically regardless of their settings. This is the minimum recommended setting.
    • Forced: All plugins will be autoupdated regardless of their settings. This is the preferred setting.
  • Update themes automatically
    • Defined individually, but security updates are autoinstalled: Autoupdate settings for each theme are followed, vulnerable themes will be updated automatically regardless of their settings. This is the minimum recommended setting.
    • Forced: All themes will be autoupdated regardless of their settings. This is the preferred setting.

Minimum Security

Minimum Security Settings
Minimum Security Settings

Enact the following WP Toolkit Security recommendations (at a minimum):

  • Restrict access to files and directories
  • Block directory browsing
  • Block unauthorized access to wp-config.php
  • Disable PHP execution in cache directories
  • Block access to sensitive files
  • Forbid execution of PHP scripts in the wp-includes directory
  • Forbid execution of PHP scripts in the wp-content/uploads directory
  • Block access to .htaccess and .htpasswd

Recommended Security

Preferred WordPress Toolkit Security Settings
Preferred Security Settings

Enact these security settings in addition to the above:

  • Configure security keys
  • Disable scripts concatenation for WordPress admin panel
  • Turn off pingbacks
  • Change default database table prefix
  • Enable bot protection
  • Block access to potentially seneitive files
  • Change default administrator's username

Addon Domains

When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary public_html folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.