Hello, I am trying to harden the WordPress security and I am going to restrict permissions.
directories: 555, since with 550 CSS files fail to load
PHP files: 400 - so far WordPress seems to work
I know that no one will be able to update themes / plugins / wp core and I am also aware that users won’t be able to upload files to the media folder.
Cache plugins may fail too if they cannot create new folders.
Apart from that, is there anything else I should take into account?
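An added example, not code from the thread: a POSIX shell script that applies the scheme described above (directories 555, PHP files 400, everything else read-only) to a WordPress tree, keeps an explicit allow-list of directories writable by the owner for the upload and cache cases mentioned, and then audits the result. It assumes the web server user owns the files (so the owner-only modes still work for it); the sample tree and the exemption list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): harden a WordPress tree to
# directories 555 / PHP 400 / other files 444, with an allow-list of
# owner-writable directories, and audit the outcome. Assumes the web
# server user owns the files. Sample tree and exemptions are constructed.

# Build a small constructed WordPress-like tree in a temp dir; print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/themes/demo" "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-admin/index.php"
    printf '/* css */\n' > "$root/wp-content/themes/demo/style.css"
    chmod -R 777 "$root"    # deliberately sloppy start so hardening has work to do
    printf '%s\n' "$root"
}

# Directories 555, PHP files 400, everything else 444 (CSS/JS/images only
# need to be readable). Extra arguments are directories, relative to the
# root, that must stay writable by the owner (755): e.g. wp-content/uploads
# if media uploads are needed, or a cache plugin's folder. Never group/world.
harden_wp_tree() {
    root="$1"; shift
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -name '*.php' -exec chmod 400 {} +
    find "$root" -type f ! -name '*.php' -exec chmod 444 {} +
    for rel in "$@"; do
        if [ -d "$root/$rel" ]; then
            find "$root/$rel" -type d -exec chmod 755 {} +
        fi
    done
}

# Audit: anything writable by group or others is wrong regardless of exemptions.
count_group_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Audit: files that do not match the scheme (PHP not 400, other files not 444).
count_bad_files() {
    {
        find "$1" -type f -name '*.php' ! -perm 400
        find "$1" -type f ! -name '*.php' ! -perm 444
    } | wc -l | tr -d ' '
}

# Audit: directories that are not 555. After hardening this should list
# exactly the exemptions you asked for and nothing else.
list_nonstandard_dirs() {
    find "$1" -type d ! -perm 555
}

# Stand-alone demo on the constructed tree, with uploads kept writable.
root=$(make_sample_tree)
harden_wp_tree "$root" wp-content/uploads
echo "group/world writable entries: $(count_group_world_writable "$root")"
echo "files off-scheme:             $(count_bad_files "$root")"
echo "directories not 555:"
list_nonstandard_dirs "$root"
chmod -R u+w "$root" && rm -rf "$root"   # 555 directories cannot be removed otherwise
```

Run the audit functions again after every plugin or core update: the update process (if you ever re-enable it) rewrites files with the web server's umask, so the scheme silently drifts back unless you re-apply it.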
I like the plugin and it was in the to-do list, so I will definitely give it a try. To block by country… maybe it would be faster to do it at a server level with ipsets? Or is it okay to use both tools? Maybe this one to spot offender countries and then manually ban countries with ipsets.
I have no idea what a security header is :s so I suppose I need templates for that.
Do give it a try and see all the settings for yourself. I think you can use both options at the same time. I use this plugin to block all access to the backend, redirecting every IP outside my preset countries to the frontend. (For the geolocation API settings I use both the IP2Location and the GeoLite2 API. For the last one you can sign up for free at MaxMind.)
Security headers are directives used by web applications to configure security defenses in web browsers. Based on these directives, browsers can make it harder to exploit client-side vulnerabilities such as Cross-Site Scripting or Clickjacking. Headers can also be used to configure the browser to only allow valid TLS communication and enforce valid certificates, or even enforce using a specific server certificate.
With this tool you can scan your websites to see their score:
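An added example, not from the thread or from any scanner: a small shell audit that reads raw HTTP response headers and reports which of the commonly checked security headers are missing, plus a value check for HSTS so that a token `max-age=0` is caught as well as an absent header. The two sample responses are constructed; the header list is the usual set a scanner scores (HSTS for TLS enforcement, CSP for XSS, X-Frame-Options for clickjacking, and so on).

```shell
#!/bin/sh
# Added example (not from the thread): audit a response header block for the
# common security headers. Sample responses below are constructed.

# Headers most scanners score, each paired with what it lets the browser defend:
#   Strict-Transport-Security  -> only valid TLS, no downgrade
#   Content-Security-Policy    -> limits script/resource origins (XSS)
#   X-Content-Type-Options     -> no MIME sniffing
#   X-Frame-Options            -> no framing by other sites (clickjacking)
#   Referrer-Policy            -> no URL leakage to third parties
REQUIRED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Content-Type-Options X-Frame-Options Referrer-Policy"

# Read raw response headers on stdin; print the names of required headers
# that are absent, one per line (prints nothing when the set is complete).
# Matching is case-insensitive and tolerates CRLF line endings.
missing_security_headers() {
    hdrs=$(cat)
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || echo "$h"
    done
}

# Same input; print just the number of missing headers (0 = all present).
count_missing_security_headers() {
    missing_security_headers | wc -l | tr -d ' '
}

# Extract the HSTS max-age in seconds; 0 when the header is missing or has
# no max-age, so a weak value is as visible as an absent header.
hsts_max_age() {
    grep -i '^Strict-Transport-Security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Constructed sample: a typical unconfigured WordPress host (only one header).
SAMPLE_WEAK='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Frame-Options: SAMEORIGIN'

# Constructed sample: the same host after adding the headers.
SAMPLE_GOOD="HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin"

# Stand-alone demo.
echo "weak response, missing:"
printf '%s\n' "$SAMPLE_WEAK" | missing_security_headers
echo "weak HSTS max-age: $(printf '%s\n' "$SAMPLE_WEAK" | hsts_max_age)"
echo "good response, missing count: $(printf '%s\n' "$SAMPLE_GOOD" | count_missing_security_headers)"
```

Against a live site the same functions take the output of `curl -sI https://example.org/ | missing_security_headers`; a clean result here says nothing about the *values* beyond HSTS, so still read the CSP by hand before trusting a score.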
The only thing that I need to have a perfect cache solution is the ability to define different expire-time policies depending on the URL, so that the pages that are updated frequently get refreshed soon, while those that receive no visits keep a cached version just in case Google pays a visit.
The thing is that, if I remember correctly, the method used to purge the cache is equivalent to rm -Rf * so… that can’t be easily done.
If the plugin could pass a list of URLs to be purged to the API and then only the elements of the list would be purged, that would be awesome.
For now it is the best solution so far so… we’ll give it a try at the office.
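An added example, not from the thread or from the plugin discussed: what a selective purge looks like in shell, as a contrast to the `rm -Rf *` approach, with the per-URL expiry policy the post asks for. It assumes a hypothetical file-based layout in which each cached page lives at `<cache_root>/<host>/<path>/index.html` (common for WordPress page caches, but check your own plugin's layout); the sample cache is constructed in a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread or any plugin): selective purge of a
# file-based page cache. Assumed layout: <cache_root>/<host>/<path>/index.html.
# The sample cache built by make_sample_cache is constructed for the demo.

# Map a URL to its cache file under $1: strip scheme, query string, fragment
# and trailing slashes, so https://example.com/ and /news/today/?x=1 both resolve.
cache_path_for_url() {
    root="$1"; url="$2"
    hostpath=$(printf '%s' "$url" | sed -e 's|^[a-zA-Z]*://||' -e 's|[?#].*$||' -e 's|/*$||')
    printf '%s/%s/index.html\n' "$root" "$hostpath"
}

# Purge only the URLs listed on stdin (one per line); print how many files
# were removed. Everything not listed stays cached.
purge_urls() {
    root="$1"; n=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        f=$(cache_path_for_url "$root" "$url")
        if [ -f "$f" ]; then
            rm -f "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Per-URL expiry policy in days. Frequently updated sections expire fast;
# everything else keeps a copy for a month for crawlers.
ttl_days_for_path() {
    case "$1" in
        */news/*|*/blog/*) echo 1 ;;
        *)                 echo 30 ;;
    esac
}

# Remove cached copies older than their section's TTL; print the count removed.
purge_expired() {
    root="$1"
    find "$root" -type f -name index.html | while IFS= read -r f; do
        ttl=$(ttl_days_for_path "${f#"$root"}")
        [ -n "$(find "$f" -mtime +"$ttl")" ] && { rm -f "$f"; echo "$f"; }
    done | wc -l | tr -d ' '
}

# Build a constructed three-page cache for one host; print its root.
make_sample_cache() {
    root=$(mktemp -d)
    mkdir -p "$root/example.com/news/today" "$root/example.com/about"
    echo '<html>home</html>'  > "$root/example.com/index.html"
    echo '<html>news</html>'  > "$root/example.com/news/today/index.html"
    echo '<html>about</html>' > "$root/example.com/about/index.html"
    printf '%s\n' "$root"
}

# Stand-alone demo: purge one listed URL, age the news page, expire it.
root=$(make_sample_cache)
echo "purged by list: $(printf 'https://example.com/about/\n' | purge_urls "$root")"
touch -t 202001010000 "$root/example.com/news/today/index.html"   # make it stale
echo "purged by TTL:  $(purge_expired "$root")"
echo "still cached:"; find "$root" -name index.html
rm -rf "$root"
```

The point of `ttl_days_for_path` is that the policy is a function of the URL, not a single global setting, which is exactly what a full-wipe purge cannot express; a plugin API that accepted the list `purge_urls` reads would let a post-update hook invalidate only the changed pages and their archives.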