WordPress/Hardening

Revision as of 01:41, 5 October 2014

Hardening the security on WordPress should be taken seriously. With it being one of the most popular platforms out there, it becomes the most targeted.

Secure Updates/Installations

Creating a new user

create a new user without a password. it will not be needed since we'll be using SSH keys. It should also be noted that without a password is appears that this user account cannot ssh if trying to use a password or leaving the password blank when asked.
type in the following command below and then hit ENTER through all the prompts

~$ sudo adduser wp-user

It will prompt you multiple times for the password, just keep hitting ENTER to bypass them until you get to the "Try Again" prompt and hit N for No

Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] n

Create ssh keys

~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096

when it prompts to ask where to save the key, use this:

 /home/wp-user/wp_rsa

hit enter through the passphrase prompts
It should then confirm it has created the keys

Your identification has been saved in /home/wp-user/wp_rsa.
Your public key has been saved in /home/wp-user/wp_rsa.pub

setting file/folder permissions for wp user