Professional Documents
Culture Documents
2 3 3 0 B r i g g s R o a d , C o l u m b u s , O h i o 4 3 2 2 3 t e l e p h o n e : 6 1 4 . 3 5 1 . 1 2 3 7 f a x : 6 1 4 . 3 5 1 . 9 0 1 5 w w w. m i c r o s o l v e d . c o m
1. Install all updates for your Operating System. 2. Ensure you're using the most up to date version of Apache & WordPress. 3. Install Apache's mod_security and the packages necessary to run it. 4. Ensure Apache is running as it's own user. ps auwwfx | grep apache Should output something like this : www-data 2880 0.0 0.4 45168 5028 ? 15:18 0:00 \_/usr/ sbin/apache2 -k start 5. Configure mod_security (/etc/apache2/conf.d/security). <Directory /> Order Deny,Allow Deny from all
C o p y r i g h t , 2 0 1 0 , M i c r o S o l v e d , I n c . , C o l u m b u s , O H , a l l r i g h t s r e s e r v e d
Protecting our digital assets is an endless job. While this is by no means a complete solution to make your site hackproof, it's a good foundation for layered security.
Te n S t e p s t o H a r d e n i n g Wo r d p r e s s
Options None AllowOverride None </Directory> <Directory /web> Order Allow,Deny Allow from all </Directory> ServerSignature Off ServerTokens Prod TraceEnable Off 6. Disable PHP Globally (to be enabled on a per-site basis). Edit /etc/apache2/mods-enabled/php5.conf <IfModule mod_php5.c> #AddType application/x-httpd-php .php .phtml .php3 #AddType application/x-httpd-php-source .phps </IfModule> 7. Enable PHP for WordPress. Edit /etc/apache2/sites-enabled/000-default Comment out cgi & doc lines Add the following: <IfModule mod_php5.c> AddType application/x-httpd-php .php .phtml .php3 AddType application/x-httpd-php-source .phps </IfModule> 8. Change your login name. In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user account.
C o p y r i g h t , 2 0 1 0 , M i c r o S o l v e d , I n c . , C o l u m b u s , O H , a l l r i g h t s r e s e r v e d
Te n S t e p s t o H a r d e n i n g Wo r d p r e s s
Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select Attribute all posts and links to: and select your new username from the drop-down bar. This will transfer all the posts to your new user account. Press Confirm Deletion. 9. Protect your wp-admin directory. Your wp-admin folder contains all the important information and it is the last place that you want to give access to others. Use AskApache Password Protect to password protect the directory and give access right only to authorized personnel. 10. Encrypt your login. Whenever you try to login to your website, your password is sent unencrypted. If you are on a public network, hacker can easily sniff out your login credential using network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticate your login with the CHAP protocol.
Protecting our digital assets is an endless job. While this is by no means a complete solution to make your site hackproof, it's a good foundation for layered security. The MSI Team always looks for innovative approaches to practical issues, such as this one. In addition to this research, we are always prepared to help secure your environment by conducting assessments of critical internet applications, vulnerability and risk assessments to help identify and measure your risk tolerance, and penetration testing to evaluate your network against the threat of a real malicious attack. We are also proud to offer a plethora of consulting services which can be custom tailored to fit the needs of any organization. Working your business, is your business. Securing your data, is ours. Give us a call today at 614-351-1237 ext. 206 and talk with our account representative, Constance Matthews, to learn more.
C o p y r i g h t , 2 0 1 0 , M i c r o S o l v e d , I n c . , C o l u m b u s , O H , a l l r i g h t s r e s e r v e d
Te n S t e p s t o H a r d e n i n g Wo r d p r e s s