Sunday, June 04, 2017

Re: httpd and wordpress

A very select few security-focused plugins are worth keeping around, like
WordFence. Every plugin, theme and add-on is additional attack surface, and
some popular plugins and themes have a horrifying track record with regard
to security. WordPress core has gotten a lot better recently, but there are
still some whopper vulnerabilities disclosed on occasion.

For most people, I recommend giving it lenient enough file permissions that
it can automatically apply its own updates. The most severe WP
vulnerabilities are Remote Code [Inclusion|Execution]. Disallowing _www
write access to the document root isn't going to save you from those, but
allowing write access and enabling automatic updates means critical patches
are applied faster than you'd normally be able to do it yourself.

I have experimented in my development environment with a "split
installation" where two different virtual hosts entries serve WP from two
different document roots but are pointed to the same database: A full-blown
normal install on 127.0.0.1 that you access through something such as an
SSH dynamic proxy, then a copied, locked-down install on the public IP
address. The locked-down install doesn't even have wp-admin, and uses
database credentials that are limited to SELECT queries only. This took a
lot of extra work to keep maintained and updated, and obviously things like
user login and comments won't work on the public-facing site.
I'm not convinced this experiment is worth the hassle, because if you're
that paranoid, you're likely already looking at static-site generators and
getting away from WP by any means possible.

On Sun, Jun 4, 2017 at 4:34 PM, flipchan <flipchan@riseup.net> wrote:

> Delete ALL readme and don't install plugins
>
> On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat <rosjat@ghweb.de>
> wrote:
> >Hi there,
> >
> >
> >well, if it were up to me I would skip WordPress for good, but well,
> >it's not my decision.
> >
> >So I was wondering if there are any recommendations on what to block in
> >the httpd.conf and what file permissions to use.
> >
> >For now I have:
> >
> >- as WordPress suggests, 0755 on dirs and 0644 on files
> >
> >- setting wp-config.php to 0400 is not going to work at all; I need at
> >least 0644 or nothing shows up
> >
> >- in httpd.conf I blocked /wp_content, /wp-content/uploads/*.php,
> >/wp-includes, /wp-includes/*.php and /wp-admin
> >
> >
> >so if there is something more I can do to harden things, just let me
> >know :)
> >
> >
> >advice is most appreciated
> >
> >
> >Regards
> >
> >
> >--
> >Markus Rosjat fon: +49 351 8107223 mail: rosjat@ghweb.de
> >
> >G+H Webservice GbR Gorzolla, Herrmann
> >Königsbrücker Str. 70, 01099 Dresden
> >
> >http://www.ghweb.de
> >fon: +49 351 8107220 fax: +49 351 8107227
> >
> >Please check whether this mail really needs to be printed!
> >Before you print it, think about your responsibility and commitment to
> >the ENVIRONMENT
>
> --
> Take Care Sincerely flipchan layerprox dev
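A worked example, added here and not written by any of the posters, of how the paths Markus listed map onto an OpenBSD httpd.conf(5) server block with the public-facing restrictions the thread discusses; the hostname, document root and php-fpm socket path are assumptions.

```conf
# Constructed example of an httpd.conf(5) virtual host for WordPress.
# Hostname, document root and php-fpm socket are assumptions; paths are
# relative to httpd's /var/www chroot.
server "blog.example.com" {
	listen on * port 80
	root "/htdocs/wordpress"
	directory index "index.php"

	# httpd uses the first matching location, so the deny rules must
	# come before the "*.php" catch-all that hands scripts to php-fpm.

	# No admin UI on the public-facing address (the split-install idea
	# above reaches wp-admin through a loopback-only vhost instead).
	location "/wp-admin/*" { block return 403 }

	# Uploads must never execute: a PHP file that lands in uploads,
	# through a plugin bug for instance, must be served as nothing.
	location "/wp-content/uploads/*.php" { block return 403 }

	# Scripts in wp-includes are library code, not entry points. Block
	# only *.php there: the front end loads CSS and JS from wp-includes.
	location "/wp-includes/*.php" { block return 403 }

	# Never serve the config (nor editor backups such as wp-config.php~)
	# and drop the readme files that advertise installed versions.
	location "/wp-config.php*" { block return 403 }
	location "/readme.html" { block return 403 }
	location "/wp-content/*/readme.txt" { block return 403 }

	# Everything else ending in .php goes to php-fpm over its socket.
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
}
```

Blocking /wp-admin/* also locks out the site owner, which is what the split installation described above (the full install bound to 127.0.0.1 and reached through an SSH proxy) works around. Blocking /wp-includes wholesale, as in the original list, breaks the theme because its stylesheets and scripts live there.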
