1. Download WordPress and upload it to your web space via FTP (FileZilla)
English version: http://wordpress.org/download/
2. Configure your wp-config.php
First, fill in the database information, like this:
define('DB_NAME', 'Databasename');
define('DB_USER', 'Databaseuser');
define('DB_PASSWORD', 'Databasepassword');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
It is a good idea to use a prefix other than the standard "wp_", so use something like this:
$table_prefix = 'myblog123_';
Disallow File Edit (disables file editing via wp-admin; some themes, for example Mystique, need that option, so enable this only after you have finished setting up your theme options):
define('DISALLOW_FILE_EDIT', true);
Please leave the debug function disabled (false) for security reasons; enable it only if you have problems and want to see the errors:
define('WP_DEBUG', false);
Generate security keys at https://api.wordpress.org/secret-key/1.1/ and add them to your file.
They could look like this:
define('AUTH_KEY', 'Y5x@O^>N#A(Oa__aNW3-[2Z%3(4A> _OHx,3So%N=AzZ[O+1w&gBQ v$@pAn/7|[');
define('SECURE_AUTH_KEY', '2:(WG|>])]7.vT$O$u|?hh| D0Q8|nH%QL=9bS,6@uw_5^d$pr-1n5(/+^|y.R;U');
define('LOGGED_IN_KEY', 'M`ZfZZ}5UqIDT8{_Oqa x$)XK{S)dQq L=B*-!]3B-i`K}W9NT52fJ68G?QZ$E2N');
define('NONCE_KEY', ',OgC~-2U/kcq[7s_OqRM]469V5In{/xo]|mI`fOSoO_ 3c|s(na7ScJeixx/Fxul');
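As an added check (example code written for this page, not from the original post or from WordPress itself), here is a small Python script that reads a wp-config.php as text and reports which of the step-2 points above are still open: the default "wp_" prefix, DISALLOW_FILE_EDIT not set to true, WP_DEBUG left on, and keys that are still the sample placeholder, shorter than the 64 characters the generator returns, or reused for two constants. It only understands the define('NAME', ...) form shown above; the two config fragments inside it are constructed samples, not real files.

```python
import re

# Matches define('NAME', 'value'); or define('NAME', true/false); as written in
# wp-config.php (single- or double-quoted strings). Assumption: the file uses
# plain define() calls like the examples in this post, not computed values.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(true|false))\s*\)\s*;""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

# The four keys the post generates at api.wordpress.org/secret-key/1.1/
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"  # what wp-config-sample.php ships with


def parse_wp_config(text):
    """Return ({CONSTANT: value}, table_prefix) from wp-config.php source text."""
    defines = {}
    for m in DEFINE_RE.finditer(text):
        name, single, double, boolean = m.groups()
        if boolean is not None:
            defines[name.upper()] = boolean.lower() == "true"
        else:
            defines[name.upper()] = single if single is not None else double
    pm = PREFIX_RE.search(text)
    return defines, (pm.group(1) if pm else None)


def audit_wp_config(text):
    """List the step-2 hardening points that this config still gets wrong."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix is None or prefix == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: not true, the theme/plugin editor stays enabled")
    if defines.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG: true, error output is shown to visitors")
    seen = {}  # key value -> first constant that used it
    for name in KEY_NAMES:
        value = defines.get(name)
        if not isinstance(value, str) or not value or PLACEHOLDER in value.lower():
            findings.append(f"{name}: missing or still the placeholder")
            continue
        if len(value) < 64:
            findings.append(f"{name}: only {len(value)} characters, the generator gives 64")
        if value in seen:
            findings.append(f"{name}: identical to {seen[value]}")
        seen.setdefault(value, name)
    return findings


def _key(letter):
    # Constructed 64-character stand-in for a generated key (not a real secret)
    return (letter + "b(1]") * 12 + "zZ)!"


# Constructed sample 1: a config with several of the step-2 mistakes left in
WEAK_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'Databasename');\n"
    "define('DB_USER', 'Databaseuser');\n"
    "define('DB_PASSWORD', 'Databasepassword');\n"
    "define('DB_HOST', 'localhost');\n"
    "$table_prefix = 'wp_';\n"
    "define('DISALLOW_FILE_EDIT', true);\n"
    "define('WP_DEBUG', true);\n"
    f"define('AUTH_KEY', '{PLACEHOLDER}');\n"
    f"define('SECURE_AUTH_KEY', '{_key('A')}');\n"
    f"define('LOGGED_IN_KEY', '{_key('A')}');\n"
    "define('NONCE_KEY', 'abc');\n"
)

# Constructed sample 2: the same file after following step 2
HARDENED_WP_CONFIG = (
    "<?php\n"
    "$table_prefix = 'myblog123_';\n"
    "define('DISALLOW_FILE_EDIT', true);\n"
    "define('WP_DEBUG', false);\n"
    + "".join(f"define('{n}', '{_key(c)}');\n" for n, c in zip(KEY_NAMES, "ABCD"))
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(label, audit_wp_config(cfg) or ["ok"])
```

Against a real install you would call `audit_wp_config(open("wp-config.php").read())`; the checker only reads the text and never evaluates any PHP.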
3. Install WordPress
When you install WordPress, please do not use "admin" as the account name. You can change your display name at any time (wp-admin/profile.php). A secure password is really important; I would use this generator: http://www.gaijin.at/olspwgen.php. It could look like this one: sN@KMqhKxlWV2oqubl]Esö0&8uYq@!vbgI!QDHJFpj5yb@>Z
4. Configure folder/file rights
The wp-config.php should have 440 or 400 at best; if these settings do not work, use 644.
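An added example (not part of the post) of checking this step instead of eyeballing an FTP client: Python that walks an install directory and reports every file or folder any user on the host can write to, plus wp-config.php when its mode is not one of the three modes the post accepts; `tighten_wp_config` then applies the 440 the post prefers. The directory tree it builds is a constructed sample in a temp directory, and the code assumes a Unix host where the modes mean what `chmod` says.

```python
import os
import stat
import tempfile

# Modes the post accepts for wp-config.php (assumption: Unix host; 400 is the
# tightest, 644 the fallback when the web server runs as another user)
WP_CONFIG_OK_MODES = (0o400, 0o440, 0o644)


def mode_of(path):
    """Permission bits of a path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_permissions(webroot):
    """Walk an install and return sorted (relative path, mode, problem) triples:
    anything world-writable, plus wp-config.php if its mode is not an accepted one."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            mode = mode_of(full)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            if rel == "wp-config.php" and mode not in WP_CONFIG_OK_MODES:
                findings.append((rel, oct(mode), "wp-config.php should be 400, 440 or 644"))
    return sorted(findings)


def tighten_wp_config(webroot, mode=0o440):
    """Apply the post's preferred mode to wp-config.php and return the new mode."""
    path = os.path.join(webroot, "wp-config.php")
    os.chmod(path, mode)
    return mode_of(path)


def build_sample_site():
    """Constructed throwaway tree standing in for a fresh upload (not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for d in (os.path.join(root, "wp-content"), uploads):
        os.chmod(d, 0o755)
    sample_files = {
        "wp-config.php": 0o666,                                     # world-writable: bad
        "index.php": 0o644,                                         # fine
        os.path.join("wp-content", "uploads", "photo.jpg"): 0o777,  # typical FTP-client mistake
    }
    for rel, mode in sample_files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in check_permissions(site):
        print(*finding)
    print("wp-config.php now", oct(tighten_wp_config(site)))
```

Run it against a real install with `check_permissions("/path/to/public_html")`; note that the world-writable check is deliberately broader than the post's wp-config.php rule, because a writable uploads or themes folder is what makes the index-file advice in step 8 necessary in the first place.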
4. Install plugins
Anti-Vorratsdatenspeicherung 2.0 (saves the IPs as an MD5 hash), so it is better to use version 1: IPs will be saved as 127.0.0.1, user agents and emails won't be saved.
http://wordpress.org/extend/plugins/remove-ip/ : emails and user agent will be saved / IPs will be saved as 127.0.0.1
AntiSpam Bee: alternative to Akismet, to block spam in comments and pingbacks.
Jetpack: WordPress statistics and more; you need a wordpress.com account to use it.
block-bad-queries/ : protects WordPress against malicious URL requests
WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor
WordPress Firewall 2 http://wordpress.org/extend/plugins/wordpress-firewall-2/
Secure WordPress by WebsiteDefender http://www.websitedefender.com/secure-wordpress-plugin/
Information on the last 3 plugins: http://blog.yakuza112.org/?p=6352 (German only)
4.1 Error: FTP login data required at plugin installation?!
There are 2 options:
1. The insecure one (your FTP password ends up in plain text in wp-config.php): edit your wp-config.php like this:
define('FS_METHOD', 'ftpext'); // forces the filesystem method: "direct", "ssh", "ftpext", or "ftpsockets"
define('FTP_BASE', '/public_html/blog/'); // absolute path to root installation directory
define('FTP_CONTENT_DIR', '/public_html/blog/wp-content/'); // absolute path to "wp-content" directory
define('FTP_PLUGIN_DIR', '/public_html/blog/wp-content/plugins/'); // absolute path to "wp-plugins" directory
define('FTP_PUBKEY', '/home/username/.ssh/id_rsa.pub'); // absolute path to your SSH public key
define('FTP_PRIVKEY', '/home/username/.ssh/id_rsa'); // absolute path to your SSH private key
define('FTP_USER', 'username'); // either your FTP or SSH username
define('FTP_PASS', 'password'); // password for FTP_USER username
define('FTP_HOST', 'ftp.domain.de:21'); // hostname:port combo for your SSH/FTP server
2. The secure one: fill in your FTP login data each time and let your browser save the password.
5. Keep WordPress and plugins up to date
Check regularly whether there are new WordPress or plugin updates (/wp-admin/update-core.php).
If you want to be notified, use: https://websitedefender.com.
6. Remove the WordPress version / (error messages)
Search in the theme folder for the file functions.php and add these lines:
Remove the WP version:
function no_generator() { return ''; }
add_filter('the_generator', 'no_generator');
Remove the WP login error messages:
function explain_less_login_issues() { return 'ERROR: Entered credentials are incorrect.'; }
add_filter('login_errors', 'explain_less_login_issues');
7. Delete insecure files
readme.html
/wp-admin/install.php
8. Add some index.php files ( or index.html )
At the end you should add an index file (just create an empty file) in "insecure" folders like "uploads" and "themes".
9. Add an .htaccess file in your web root (public_html/.htaccess, for example)
.htaccess file:
[php]
RewriteEngine On
RewriteBase /
####################################################################################
# www2nowww
RewriteCond %{HTTP_HOST} ^([^.]+)\.blog\.yakuza112\.org$ [NC]
RewriteRule ^(.*)$ http://blog.yakuza112.org/$1 [R=301,L]
####################################################################################
# Adding Slash
RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Disable Directory Listing
Options -Indexes
####################################################################################
# Protect wp-config.php
# (the <Files> wrapper matters: a bare "deny from all" would lock out the whole site)
<Files wp-config.php>
Order deny,allow
deny from all
</Files>
####################################################################################
php_flag display_errors off
#php_flag log_errors off
#php_flag register_globals off
#php_flag session.use_trans_sid off
####################################################################################
order allow,deny
allow from all
####################################################################################
### PERISHABLE PRESS 4G BLACKLIST ###
# ESSENTIALS
RewriteEngine on
ServerSignature Off
Options All -Indexes
Options +FollowSymLinks
####################################################################################
# FILTER REQUEST METHODS
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
####################################################################################
# BLACKLIST CANDIDATES
Order Allow,Deny
Allow from all
# blacklist candidate 2008-01-02 = admin-ajax.php attack
Deny from 75.126.85.215
# blacklist candidate 2008-02-10 = cryptic character strings
Deny from 128.111.48.138
# blacklist candidate 2008-03-09 = block administrative attacks
Deny from 87.248.163.54
# blacklist candidate 2008-04-27 = block clam store loser
Deny from 84.122.143.99
# blacklist candidate 2008-05-31 = block _vpi.xml attacks
Deny from 210.210.119.145
# blacklist candidate 2008-10-19 = block mindless spider running
Deny from 66.74.199.125
# 1048 attacks in 60 minutes
Deny from 203.55.231.100
# 1629 attacks in 90 minutes
Deny from 24.19.202.10
####################################################################################
# QUERY STRING EXPLOITS
RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
#RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
####################################################################################
# IP range rules
Order deny,allow
Allow from all
# Block these IPs
#deny from 127.1.1.1
############################# Update ###############################################
<FilesMatch "^(\.htaccess|\.htpasswd|wp-config\.php|liesmich\.html|readme\.html)$">
order deny,allow
deny from all
</FilesMatch>
[/php]
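To see what the "QUERY STRING EXPLOITS" rules actually do before copying them, here is an added Python simulator (written for this page, not from the post or from Perishable Press): it compiles the active RewriteCond patterns above the way Apache's regex engine reads them, unescaped dots included, and runs a handful of constructed requests through them. Two things show up: the rules do catch the obvious traversal and percent-garbage probes, but a visitor searching the blog for "drop shipping" or any parameter that carries a plain http: URL also gets a 403. That is the same reason the tag= line is commented out above, and why each rule should be tried against the real URLs of your own site before it goes live.

```python
import re
from urllib.parse import urlsplit

# The active RewriteCond patterns from the post's "QUERY STRING EXPLOITS" block,
# kept exactly as Apache reads them: "../" and "127.0" have unescaped dots, so
# "." matches any character; [NC] becomes re.IGNORECASE.
QUERY_STRING_RULES = [
    ("../", r"../"),
    ("boot.ini", r"boot.ini"),
    ("ftp:", r"ftp:"),
    ("http:", r"http:"),
    ("https:", r"https:"),
    ("mosConfig", r"mosConfig"),
    ("bad percent-escapes", r"^.*(%0|%A|%B|%C|%D|%E|%F|127.0).*"),
    ("php globals/localhost", r"^.*(globals|encode|localhost|loopback).*"),
    ("sql keywords", r"^.*(request|select|insert|union|declare|drop).*"),
]
COMPILED_RULES = [(label, re.compile(pat, re.IGNORECASE)) for label, pat in QUERY_STRING_RULES]


def matching_rules(query_string):
    """Labels of every rule that fires on a raw, still URL-encoded query string,
    which is what Apache's %{QUERY_STRING} holds."""
    return [label for label, rx in COMPILED_RULES if rx.search(query_string)]


def would_block(url):
    """(blocked?, reasons) for a request path as the blacklist would judge it."""
    hits = matching_rules(urlsplit(url).query)
    return bool(hits), hits


# Constructed sample requests: first ordinary blog traffic, then the kind of
# probe the rules were written for.
SAMPLE_URLS = [
    "/?p=12",
    "/?s=hello+world",
    "/?s=drop+shipping",           # a visitor searching the blog, blocked by "drop"
    "/?s=encoder+reviews",         # blocked by the "encode" substring
    "/?url=http://example.com/",   # blocked by "http:" and by "../" (any 2 chars + "/")
    "/?file=../../etc/passwd",     # the traversal probe the "../" rule is meant for
    "/?id=1%0a",                   # stray percent-escape
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        blocked, why = would_block(url)
        print(f"{'403' if blocked else '200'} {url} {why}")
```

Feeding a day of your own access-log paths into `would_block` is the quickest way to find which of these lines would have refused legitimate visitors; the list of labels tells you which pattern to loosen or comment out.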
More: WordPress Hardening: Mehr Sicherheit gegen Angriffe aus dem Netz (German; "more security against attacks from the net")
If you have questions or comments, let's go ;)
© 2008 – 2013 ¥akuza112 Inc.
[spoiler]BB Code : http://nopaste.me/paste/9105274124fa571efd56c4[/spoiler]