WordPress security checklist

This is a list of security items to check when setting up WordPress websites or web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

• Disable TLS 1.0 and 1.1
• Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Put WP rewrite rules in vhost config – default rules
• Disable the autoindex module
• Disable the auth_basic module
• Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
• Configure security response headers:
  • Disallow MIME sniffing
  • Remove X-Powered-By
  • Configure X-Frame-Options
  • Configure Strict-Transport-Security – h5bp snippet
  • Configure Content-Security-Policy – h5bp snippet – may need adapting
• Forbid access to files that don’t need to be accessible – h5bp snippet
• Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
• (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
• (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
• (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
• (for WP) Forbid access to PHP files in wp-content
• (for WP) Forbid access to PHP files in wp-includes
• (for WP) Forbid manual uploading of themes and plugins – snippet
• (for WP) Forbid user enumeration
• (for WP) Forbid GET requests to core REST API endpoints
• (for WP) Configure Content-Security-Policy for wp-admin

PHP

• Disable eval if not needed – PHP diseval extension

WordPress

• Set DISALLOW_FILE_EDIT to true
• Set WP_DEBUG_DISPLAY to false
• Set WP_DEBUG_LOG to true
• Remove inactive themes except one (fallback)
• Remove inactive plugins
• Disable gravatars (one less thing to set CSP for)
• (via plugin) Require strong passwords for all users
• (via plugin) Require multi-factor authentication for admins – plugin
• (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

• Apache HTTP Server 2.4 - Documentation - Access Control
• H5BP - Apache HTTP server boilerplate configs
• Mozilla Observatory
• Mozilla SSL Configurator Generator
• Qualys SSL Server Test
• Security Headers - Analyse your HTTP response headers

Possible additions and improvements for the future

• Try Snuffleupagus when version 0.6.0 comes out
  • github.com/jvoisin/snuffleupagus/issues/328

Changelog

• 2020-07-14
  • Added Mozilla Observatory to resources.