Use this to spread this tutorial in forums etc.
[php]
1. Download WordPress and upload it to your web space via FTP (e.g. with FileZilla)
[COLOR=#FF8C00]English ( [URL]http://wordpress.org/download/[/URL] )[/COLOR]
2. Configure your wp-config.php
First, fill in the database information, for example:
[CODE]define('DB_NAME', 'Databasename');
define('DB_USER', 'Databaseuser');
define('DB_PASSWORD', 'Databasepassword');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');[/CODE]
It would be better to use a prefix other than the default "wp_", for example something like this:
[CODE]
$table_prefix = 'myblog123_';[/CODE]
Disallow file editing (this disables editing theme and plugin files via wp-admin; some themes, Mystique for example, need that option, so activate it only after you have set up your design options):
[CODE]
define('DISALLOW_FILE_EDIT', true);[/CODE]
Leave the debug function disabled (false) for security reasons; enable it only if you have problems and want to see the errors.
[CODE]define('WP_DEBUG', false);[/CODE]
Generate the security keys at [URL]https://api.wordpress.org/secret-key/1.1/[/URL] and add them to your file.
They could look like this (your own generated values will differ; do not copy these):
[CODE]define('AUTH_KEY', 'Y5x@O^>N#A(Oa__aNW3-[2Z%3(4A> _OHx,3So%N=AzZ[O+1w&gBQ v$@pAn/7|[');
define('SECURE_AUTH_KEY', '2:(WG|>])]7.vT$O$u|?hh| D0Q8|nH%QL=9bS,6@uw_5^d$pr-1n5(/+^|y.R;U');
define('LOGGED_IN_KEY', 'M`ZfZZ}5UqIDT8{_Oqa x$)XK{S)dQq L=B*-!]3B-i`K}W9NT52fJ68G?QZ$E2N');
define('NONCE_KEY', ',OgC~-2U/kcq[7s_OqRM]469V5In{/xo]|mI`fOSoO_ 3c|s(na7ScJeixx/Fxul');[/CODE]
3. Install WordPress
When you install WordPress, please do not use "admin" as the account name. You can change your display name at any time (wp-admin/profile.php). A secure password is really important; I would use this generator: [URL]http://www.gaijin.at/olspwgen.php[/URL]. It could look like this one: [B][COLOR=#FF8C00]sN@KMqhKxlWV2oqubl]Esö0&8uYq@!vbgI!QDHJFpj5yb@>Z[/COLOR][/B]
4. Configure folder/file rights
wp-config.php should have [COLOR=#FF8C00]440 [/COLOR]or [COLOR=#FF8C00]400 [/COLOR]at best; if these settings do not work, use [COLOR=#FF8C00]644[/COLOR].
[IMG]http://blog.yakuza112.org/wp-content/uploads/2012/02/WordPress_1329497020157.png[/IMG]
4. Install plugins
Anti-Vorratsdatenspeicherung 2.0 (saves the IPs as MD5 hashes), so it is better to use version 1: IPs will be saved as 127.0.0.1, user agents and emails won't be saved.
[URL]http://wordpress.org/extend/plugins/remove-ip/[/URL] Emails and user agents will be saved / IPs will be saved as 127.0.0.1
AntiSpam Bee: alternative to Akismet, blocks spam in comments and pingbacks.
Jetpack: WordPress statistics and more; you need a wordpress.com account to use it.
block-bad-queries/: protects WordPress against malicious URL requests
WordPress File Monitor [URL]http://wordpress.org/extend/plugins/wordpress-file-monitor[/URL]
WordPress Firewall 2 [URL]http://wordpress.org/extend/plugins/wordpress-firewall-2/[/URL]
Secure WordPress by WebsiteDefender [URL]http://www.websitedefender.com/secure-wordpress-plugin/[/URL]
Information on the last three plugins: [URL]http://blog.yakuza112.org/?p=6352[/URL] (German only)
4.1 Error: FTP login data required at plugin installation?!
There are two options:
1. The insecure one: edit your wp-config.php like this:
[CODE]define('FS_METHOD', 'ftpext'); // forces the filesystem method: "direct", "ssh2", "ftpext", or "ftpsockets"
define('FTP_BASE', '/public_html/blog/'); // absolute path to root installation directory
define('FTP_CONTENT_DIR', '/public_html/blog/wp-content/'); // absolute path to "wp-content" directory
define('FTP_PLUGIN_DIR', '/public_html/blog/wp-content/plugins/'); // absolute path to the plugins directory
define('FTP_PUBKEY', '/home/username/.ssh/id_rsa.pub'); // absolute path to your SSH public key (ssh2 method only)
define('FTP_PRIVKEY', '/home/username/.ssh/id_rsa'); // absolute path to your SSH private key (ssh2 method only)
define('FTP_USER', 'username'); // either your FTP or SSH username
define('FTP_PASS', 'password'); // password for FTP_USER, stored in plain text (which is why this option is the insecure one)
define('FTP_HOST', 'ftp.domain.de:21'); // hostname:port combo for your SSH/FTP server[/CODE]
2. The secure one: enter your FTP login data when asked and let your browser save the password.
[IMG]http://blog.yakuza112.org/wp-content/uploads/2012/02/WordPress_1329498847006.png[/IMG]
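As an added example (not code from the original post), here is a small Python checker for the wp-config.php settings from step 2 and the FTP constants from step 4.1. It parses the define() lines and $table_prefix, flags the default prefix, an enabled WP_DEBUG, a missing DISALLOW_FILE_EDIT, placeholder or duplicate salt keys and a stored FTP_PASS, and includes an offline generator for the four keys as an alternative to the api.wordpress.org page. The two sample configs are constructed for the example, and the key character set is an assumption meant to mirror the official generator (it leaves out quotes and backslashes so the PHP literal stays valid).

```python
import re
import secrets
import string

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
# Assumed character set for generated keys: no quotes or backslashes, so the
# value can be dropped into a single-quoted PHP string as-is.
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# define('NAME', true|false|'value') with single-quoted strings, as in the tutorial.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(true|false|'((?:[^'\\]|\\.)*)')\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def generate_salt_block(length=64):
    """Build the four define() lines with fresh random keys (offline alternative to the API page)."""
    lines = []
    for key in SALT_KEYS:
        value = "".join(secrets.choice(SALT_CHARS) for _ in range(length))
        lines.append(f"define('{key}', '{value}');")
    return "\n".join(lines) + "\n"


def parse_config(text):
    """Return (defines, prefix): constants seen in define() calls and the $table_prefix value."""
    defines = {}
    for m in DEFINE_RE.finditer(text):
        name, raw, quoted = m.groups()
        defines[name] = True if raw == "true" else False if raw == "false" else quoted
    pm = PREFIX_RE.search(text)
    return defines, (pm.group(1) if pm else None)


def audit_config(text):
    """List the settings the tutorial tells you to change; an empty list means none were found."""
    defines, prefix = parse_config(text)
    findings = []
    if prefix in (None, "wp_"):
        findings.append("table prefix is the default wp_")
    if defines.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is enabled")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true")
    present = []
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key} is a placeholder or too short")
        else:
            present.append(value)
    if len(set(present)) != len(present):
        findings.append("salt keys are not unique")
    if "FTP_PASS" in defines:
        findings.append("FTP_PASS is stored in wp-config.php")
    return findings


# Constructed sample: an unhardened wp-config.php (not any real site's file).
INSECURE_CONFIG = """<?php
define('DB_NAME', 'Databasename');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'ftpext');
define('FTP_USER', 'username');
define('FTP_PASS', 'password');
"""

# Constructed sample: the same file after following steps 2 and 4.1 of the tutorial.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'Databasename');
$table_prefix = 'myblog123_';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
""" + generate_salt_block()

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

To check a real file, read it into a string and pass it to audit_config(); the parser only understands the single-quoted define() form shown in the tutorial, so configs written with double quotes need the regex widened first.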
5. Keep WordPress and plugins up to date
Check regularly whether there are new WordPress and/or plugin updates (/wp-admin/update-core.php).
If you want to be notified, use: [URL]https://websitedefender.com[/URL].
6. Remove the WordPress version / (error messages)
Find functions.php in your theme folder and add these lines:
Remove the WP version:
[CODE]function no_generator() { return ''; }
add_filter( 'the_generator', 'no_generator' );[/CODE]
Remove the WP login error messages:
[CODE]
function explain_less_login_issues(){ return 'ERROR: Entered credentials are incorrect.'; }
add_filter( 'login_errors', 'explain_less_login_issues' );[/CODE]
7. Delete insecure files
[COLOR=#FF8C00]readme.html
/wp-admin/install.php[/COLOR]
8. Add some index.php files (or index.html)
Finally, add an index file (just create an empty file) in "insecure" folders like "[COLOR=#FF8C00]uploads[/COLOR]" and "[COLOR=#FF8C00]themes[/COLOR]".
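Steps 4, 7 and 8 are easy to check by script. The following Python audit is an added example, not part of the original tutorial: it checks the mode of wp-config.php against the values given in step 4, looks for the leftover files from step 7, and looks for missing index files in the uploads and themes folders from step 8. The demo directory it builds is a constructed stand-in for a real install; point audit_install() at your own WordPress root to use it.

```python
import os
import stat
import tempfile

# Files the tutorial says to delete after installation (step 7).
LEFTOVER_FILES = ("readme.html", os.path.join("wp-admin", "install.php"))
# Folders that should get an empty index file so nothing is listed (step 8).
INDEX_DIRS = (os.path.join("wp-content", "uploads"), os.path.join("wp-content", "themes"))
# Modes the tutorial accepts for wp-config.php, strictest first (step 4).
CONFIG_MODES = (0o400, 0o440, 0o644)


def audit_install(root):
    """Return a list of findings for the WordPress install rooted at `root`."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        findings.append("wp-config.php not found")
    else:
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode not in CONFIG_MODES:
            findings.append(f"wp-config.php mode is {mode:04o}, expected 0400, 0440 or 0644")
        elif mode == 0o644:
            findings.append("wp-config.php is world-readable (0644); prefer 0400 or 0440 if the server allows it")
    for rel in LEFTOVER_FILES:
        if os.path.exists(os.path.join(root, rel)):
            findings.append(f"leftover file present: {rel}")
    for rel in INDEX_DIRS:
        folder = os.path.join(root, rel)
        if os.path.isdir(folder) and not any(
            os.path.exists(os.path.join(folder, name)) for name in ("index.php", "index.html")
        ):
            findings.append(f"no index file in {rel}")
    return findings


def build_demo_install(hardened):
    """Create a throwaway directory shaped like a WordPress install (constructed, not a real site)."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    for rel in ("wp-admin",) + INDEX_DIRS:
        os.makedirs(os.path.join(root, rel))
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n// constructed placeholder config\n")
    if hardened:
        # Steps 4, 7 and 8 applied: strict mode, no leftovers, index files in place.
        os.chmod(cfg, 0o400)
        for rel in INDEX_DIRS:
            open(os.path.join(root, rel, "index.php"), "w").close()
    else:
        # Fresh upload: loose permissions and the installer files still present.
        os.chmod(cfg, 0o666)
        for rel in LEFTOVER_FILES:
            open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    for label, flag in (("fresh install", False), ("after steps 4, 7 and 8", True)):
        print(f"{label}: {audit_install(build_demo_install(flag)) or ['no findings']}")
```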
9. Add an .htaccess file in your webroot (public_html/.htaccess, for example)
[CODE]RewriteEngine On
RewriteBase /
####################################################################################
# www2nowww: redirect any subdomain of blog.yakuza112.org to the bare host
RewriteCond %{HTTP_HOST} ^([^.]+)\.blog\.yakuza112\.org$ [NC]
RewriteRule ^(.*)$ http://blog.yakuza112.org/$1 [R=301,L]
####################################################################################
# Adding Slash
RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]
# WordPress front controller: anything that is not a real file or directory goes to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Disable Directory Listing
Options -Indexes
####################################################################################
# Protect wp-config.php. The Order/Deny pair must stay inside the <Files> container;
# at the top level of .htaccess it would deny access to the whole site.
<Files wp-config.php>
Order deny,allow
deny from all
</Files>
####################################################################################
# These php_flag lines need mod_php; on FastCGI/PHP-FPM hosts they cause a 500 error
# and belong in php.ini or .user.ini instead.
php_flag display_errors off
php_flag log_errors off
php_flag register_globals off
php_flag session.use_trans_sid off
####################################################################################
order allow,deny
allow from all
####################################################################################
### PERISHABLE PRESS 4G BLACKLIST ###
# ESSENTIALS
RewriteEngine on
ServerSignature Off
Options All -Indexes
Options +FollowSymLinks
####################################################################################
# FILTER REQUEST METHODS
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
####################################################################################
# BLACKLIST CANDIDATES (Apache has no inline comments, so each note sits on its own line)
Order Allow,Deny
Allow from all
# blacklist candidate 2008-01-02 = admin-ajax.php attack
Deny from 75.126.85.215
# blacklist candidate 2008-02-10 = cryptic character strings
Deny from 128.111.48.138
# blacklist candidate 2008-03-09 = block administrative attacks
Deny from 87.248.163.54
# blacklist candidate 2008-04-27 = block clam store loser
Deny from 84.122.143.99
# blacklist candidate 2008-05-31 = block _vpi.xml attacks
Deny from 210.210.119.145
# blacklist candidate 2008-10-19 = block mindless spider running
Deny from 66.74.199.125
# 1048 attacks in 60 minutes
Deny from 203.55.231.100
# 1629 attacks in 90 minutes
Deny from 24.19.202.10
####################################################################################
# QUERY STRING EXPLOITS (dots are escaped so they match a literal dot, not "any character")
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
#RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
# The next two stay disabled: they also match [ ] ( ) ' and their URL-encoded forms,
# which occur in ordinary searches and in WordPress's own array parameters.
# RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
# RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
####################################################################################
# Block further IPs or ranges here. Keep Order Allow,Deny (Deny overrides Allow):
# a later "Order deny,allow" together with "Allow from all" would silently re-enable
# every address denied above.
Order Allow,Deny
Allow from all
# Disable these IPs
#Deny from 127.1.1.1[/CODE]
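To see what the QUERY STRING EXPLOITS block really does, here is an added Python simulation (not part of the original .htaccess or of the 4G blacklist) that applies the active RewriteCond patterns from the listing above with Apache's semantics (the regex is searched anywhere in the raw query string, and [NC] makes it case-insensitive) to a few constructed query strings. It shows the rules catching the traversal and URL tokens they are written for, but also rejecting legitimate requests: every percent-encoded non-ASCII character (a search for "café" or a German umlaut) trips the %A to %F group, and the SQL keyword group blocks a search for "dropbox" or "request form".

```python
import re

# The active patterns from the QUERY STRING EXPLOITS section, in listing order
# (the lines disabled with "#" in the listing are left out).
PATTERNS = [
    r"\.\./",
    r"boot\.ini",
    r"ftp:",
    r"http:",
    r"https:",
    r"mosConfig",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
]
# RewriteCond matches anywhere in the string and [NC] means case-insensitive,
# so re.search with IGNORECASE reproduces what Apache evaluates.
COMPILED = [re.compile(p, re.IGNORECASE) for p in PATTERNS]


def blocked(query_string):
    """Return the first pattern that matches the raw query string, or None if the request passes."""
    for pattern, regex in zip(PATTERNS, COMPILED):
        if regex.search(query_string):
            return pattern
    return None


# Constructed samples. PROBES carry the tokens the rules are written to stop;
# LEGITIMATE are ordinary WordPress requests, some of which the same rules reject.
PROBES = ["f=../x", "file=boot.ini", "u=http://example.org/"]
LEGITIMATE = [
    "p=123",
    "s=hello+world",
    "redirect_to=%2Fwp-admin%2F",
    "s=caf%C3%A9",       # UTF-8 "é" is sent as %C3%A9 and hits the %C / %A group
    "s=M%C3%BCller",     # the same for a German umlaut
    "s=dropbox",         # contains "drop"
    "s=request+form",    # contains "request"
]


def false_positives(samples=LEGITIMATE):
    """Return the legitimate query strings that the rules would answer with 403."""
    return [q for q in samples if blocked(q) is not None]


if __name__ == "__main__":
    for q in PROBES + LEGITIMATE:
        verdict = blocked(q)
        print(f"{q!r:32} -> {'403 (' + verdict + ')' if verdict else 'pass'}")
    print("false positives:", false_positives())
```

Before enabling the block on a site with non-English content or a site search, run your own access log's query strings through blocked() and review what it would have refused; the broad keyword and percent-encoding groups are the usual culprits.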
;)
© 2008 ¥akuza112 Inc.
[/php]