Home Security My full list of WP security settings, plugins, etc..

My full list of WP security settings, plugins, etc..

Posted on by

I am convinced that for most WordPress users one of the popular all-in-one security plugins like WordFence or All In One WP Security & Firewall is a good solution. I like to tinker though, and to choose the best tool for me for each aspect of security. I also like light solutions, and a layered approach to security.

My full list of WP security settings

This is my full list of WP security settings and other security things:

  • Free Plugins:
  • In my Custom Plugin
    • Auto-update WP, themes, and plugins
    • Remove Windows Live Writer link from header data
    • Remove EditURI (XML-RPC) link from header data
    • Disable password reset
    • Disable login using email account name
    • Disable login hints
    • Disable login Remember Me option
  • In main htaccess
    • Set ErrorDocument for 400, 401, 403, and 500 to short text strings (e.g. “400: Sorry, bad request.”)
    • The excellent 6G Firewall from Jeff Starr of Perishable Press
    • Add security headers to protect against XSS attacks, page-framing, click-jacking, and content-sniffing
    • Block directory browsing
    • Block access to wp-config.php, xmlrpc.php, .htaccess, readme.html, license.txt, install.php, installer.php
  • In other htaccess
    • Block php execution in /wp-content/uploads/ – and –  /wp-includes/ folders
  • In wp-config.php:
    • Disable the Plugin and Theme Editor
    • Disable PHP error reporting
    • Disable custom HTML
  • In Cloudflare:
    • Hide IP address for A and CNAME records
    • Enable DNSSEC for my most most important sites
    • Full (strict) SSL
    • Always use HTTPS
    • Enable HSTS for my most important sites
    • Enable the latest version of the TLS protocol
    • Security Level: Medium
    • Challenge Passage: 4 hours
    • Page rules for login security
    • Email address obfuscation
    • Hotlink protection
  • Miscellaneous
    • Non-obvious admin username (e.g. not ‘admin’)
    • Strong passwords for my admin account, cPanel, host, registrar, email, Cloudflare – any account associated with administering my site
    • Two factor authentication (used selectively – on accounts that matter most)
    • TLS (i.e. HTTPS) using Let’s Encrypt

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.