WordPress: Requirement for Deployment to Production

WordPress Plugins

  1. Duplicator: creates a backup of your WordPress files and database, duplicates and moves an entire site from one location to another in a few steps, and can take a full snapshot of the site at any point in time.
  2. Better Search and Replace: a small plugin for running a search/replace on the WordPress database (for example, swapping the old domain for the new one after a move). It handles PHP-serialized values, which a plain SQL UPDATE would corrupt because the stored string lengths no longer match.

Linux Commands

# Find a string in every file under a directory (recursive, whole-word match, line numbers shown).
# Useful after a migration to locate hard-coded IP addresses or domains left behind in themes, plugins or config files.
grep -rnw '/path/to/somewhere/' -e "pattern"

The recommended requirements for WordPress are PHP 5.6 and MySQL 5.5, and the Apache mod_rewrite module must be enabled (permalinks and the rewrite rules further down depend on it). Treat these versions as minimums: PHP 5.6 and MySQL 5.5 have both reached end-of-life and no longer receive security fixes, so deploy the newest versions that WordPress supports.

Apache: Required Modules

  • authz_host_module
  • log_config_module
  • expires_module
  • deflate_module
  • headers_module
  • setenvif_module
  • mime_module
  • autoindex_module
  • dir_module
  • alias_module
  • rewrite_module
  • negotiation_module
  • ssl_module
  • php5_module

The names above are the identifiers that apachectl -M reports. php5_module means PHP runs inside Apache as mod_php; if PHP runs under PHP-FPM instead, the php_value directives in the .htaccess snippets below do not apply. autoindex_module is only needed for directory listings, which the hardening section turns off anyway.

PHP: Required Modules

  • cURL
  • Date/Time
  • DOM
  • POSIX Regex
  • Filter
  • FTP
  • GD
  • Hash
  • Iconv
  • JSON
  • libxml
  • Multibyte String
  • MySQL
  • OpenSSL
  • PCRE
  • SimpleXML
  • Sockets
  • SPL
  • Tokenizer
  • XML Parser
  • XMLReader
  • Zlib
  • Mcrypt

MySQL here means the mysqli extension, which WordPress prefers over the legacy mysql extension. On PHP 7 and later the POSIX Regex (ereg) functions are gone, and Mcrypt was deprecated in 7.1 and removed from core in 7.2; WordPress core does not require either, so do not hold a deployment for them.
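A quick way to verify both the Apache list and the PHP list above on a host is to diff them against what apachectl -M and php -m actually report. The script below is an added example, not from the original page: the required names are taken from the two lists, the php -m names are my assumed mapping of the display names (Multibyte String to mbstring, MySQL to mysqli, XML Parser to xml, POSIX Regex to ereg), and the check accepts the tool output as a string so it can also be run against output saved from another server.

```shell
#!/bin/sh
# Added example (not from the original page): compare the modules Apache and
# PHP have loaded against the two required-module lists above.

# Modules the page lists as required, using the identifiers apachectl -M prints.
APACHE_REQUIRED="authz_host_module log_config_module expires_module deflate_module
headers_module setenvif_module mime_module autoindex_module dir_module alias_module
rewrite_module negotiation_module ssl_module php5_module"

# Extensions the page lists, using the names php -m prints (assumed mapping:
# Multibyte String -> mbstring, MySQL -> mysqli, XML Parser -> xml,
# POSIX Regex -> ereg). ereg and mcrypt will be reported missing on PHP 7+,
# where WordPress no longer needs them.
PHP_REQUIRED="curl date dom ereg filter ftp gd hash iconv json libxml mbstring mysqli
openssl pcre SimpleXML sockets SPL tokenizer xml xmlreader zlib mcrypt"

# missing_items REQUIRED LOADED: print each required name that does not appear
# as a whole word in LOADED, one per line. Case-insensitive so "SPL" equals "spl";
# whole-word so "xml" does not match "libxml" or "xmlreader".
missing_items() {
    required=$1
    loaded=$2
    for name in $required; do
        # apachectl -M prints " rewrite_module (shared)"; php -m prints bare names.
        if ! printf '%s\n' "$loaded" | grep -qiw -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Wrappers that query the tools on this host.
check_apache() { missing_items "$APACHE_REQUIRED" "$(apachectl -M 2>/dev/null)"; }
check_php()    { missing_items "$PHP_REQUIRED" "$(php -m 2>/dev/null)"; }

# Usage: sh check-requirements.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "Missing Apache modules:"; check_apache
    echo "Missing PHP extensions:"; check_php
fi
```

An empty result from both wrappers means the host meets the page's list; anything printed is a module to install or enable before deploying.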

Increase Upload Limit & Post Limit in .htaccess

These php_value directives only take effect when PHP runs inside Apache as mod_php (php5_module above). Under PHP-FPM or CGI, Apache does not recognise php_value and answers every request covered by the .htaccess with a 500 error, so set the same values in php.ini or a .user.ini file instead. Keep the limits as low as the site needs: upload_max_filesize and post_max_size bound how much data a single request may carry.

# Set Upload Limit (post_max_size must be at least upload_max_filesize)
php_value post_max_size 25M
php_value memory_limit 128M
php_value upload_max_filesize 25M

# Suhosin - only if the Suhosin extension is installed
php_value suhosin.post.max_vars 20000
php_value suhosin.request.max_vars 20000

Hardening

# Changing directory permissions recursively (owner rwx, everyone else rx)
find /var/www/html -type d -exec chmod 755 {} \;

# Changing file permissions recursively (owner rw, everyone else r)
# wp-config.php holds the database credentials, so tighten it separately
# (640 with the web server's group, or 600 if the web server user owns it).
find /var/www/html -type f -exec chmod 644 {} \;
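The two find commands set the baseline, but they do not tell you what was wrong before, nor catch the things the baseline leaves alone. The script below is an added example (not from the original page): it applies the same 755/644 baseline, tightens wp-config.php to 640, and then audits the tree for anything still world-writable and for PHP files under wp-content/uploads, which should contain media rather than executable code. The web root and the web-server group name (www-data) are assumptions; pass your own.

```shell
#!/bin/sh
# Added example (not from the original page): apply the 755/644 baseline,
# tighten wp-config.php, then audit for what the baseline does not cover.

# harden_permissions WEBROOT [WEBGROUP]
harden_permissions() {
    root=$1
    webgroup=${2:-www-data}   # assumed web-server group; adjust for your distro
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts: readable by the
    # owner and the web-server group only, nothing for "other".
    if [ -f "$root/wp-config.php" ]; then
        chgrp "$webgroup" "$root/wp-config.php" 2>/dev/null || true
        chmod 640 "$root/wp-config.php"
    fi
}

# audit_world_writable WEBROOT: print every file or directory writable by others
# (-perm -0002 = the "other write" bit is set), sorted, one per line.
audit_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print | sort
}

# audit_php_in_uploads WEBROOT: print PHP-like files under wp-content/uploads.
# A .php file in the uploads tree is a classic sign of a planted web shell.
audit_php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print | sort
}

# Usage: sh harden.sh /var/www/html www-data
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    harden_permissions "$1" "${2:-www-data}"
    echo "== world-writable entries ==";      audit_world_writable "$1"
    echo "== php files under uploads ==";    audit_php_in_uploads "$1"
fi
```

Run the audit functions on their own first to see the current state; an empty result from both after hardening is what you want. Any path printed by audit_php_in_uploads deserves a look before it is deleted, since it may be evidence of a compromise rather than a stray file.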

.htaccess

The Order/Deny/Allow directives below are the Apache 2.2 access-control syntax. On Apache 2.4 they only work when mod_access_compat is loaded; the native 2.4 equivalents are Require all denied and Require ip followed by the address. The wp-includes rules do not suit a Multisite install, where the rule that blocks wp-includes/*.php also blocks ms-files.php from serving uploaded images.

# Restrict access to wp-login.php. "Deny from all" on its own locks everyone out,
# including you; with "Order deny,allow" the Allow lines win, so list the addresses
# that may reach the login page (203.0.113.10 is a placeholder, replace it with yours).
<Files wp-login.php>
order deny,allow
Deny from all
Allow from 203.0.113.10
</Files>

# Prevent people from browsing the content of directories
Options All -Indexes

# Protect the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Securing wp-includes
# Block the include-only files. Place this outside the "# BEGIN WordPress" / "# END WordPress"
# block, otherwise WordPress overwrites it when it regenerates the permalink rules.
# The dots are escaped on purpose: an unescaped "." matches any character.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Securing wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
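Once the rules are in place, check them from outside rather than trusting the file: a typo, an AllowOverride setting that ignores .htaccess, or a later plugin rewrite can silently undo them. The script below is an added example, not from the original page: it requests a handful of paths that the rules above must block and two that must keep working, and compares the HTTP status codes. The site URL, the exact paths, and the assumption that wp-content/uploads has no index file (so "-Indexes" yields a 403) are mine; the HTTP_STATUS_CMD hook exists so the logic can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the original page): confirm over HTTP that the
# .htaccess rules above really deny the protected paths.

# Paths the rules must block (expected 403) and paths that must keep working (200).
# wp-content/uploads/ relies on "Options -Indexes" and on there being no index file.
DENIED_PATHS="/wp-config.php /.htaccess /wp-includes/version.php /wp-admin/includes/file.php /wp-content/uploads/"
ALLOWED_PATHS="/ /wp-includes/js/jquery/jquery.js"

# http_status URL: print the HTTP status code curl received (000 if unreachable).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# expect_status BASE_URL CODE PATH...: print "FAIL url got X want CODE" for every
# mismatch; return 1 if any path mismatched, 0 otherwise.
# HTTP_STATUS_CMD (default http_status) names the function that fetches a code.
expect_status() {
    base=$1; want=$2; shift 2
    rc=0
    for p in "$@"; do
        got=$("${HTTP_STATUS_CMD:-http_status}" "$base$p")
        if [ "$got" != "$want" ]; then
            echo "FAIL $base$p got $got want $want"
            rc=1
        fi
    done
    return $rc
}

# verify_htaccess BASE_URL: run both lists; 0 only when every check passes.
verify_htaccess() {
    ok=0
    expect_status "$1" 403 $DENIED_PATHS || ok=1
    expect_status "$1" 200 $ALLOWED_PATHS || ok=1
    return $ok
}

# Usage: sh verify-htaccess.sh https://www.example.com
if [ -n "${1:-}" ]; then
    verify_htaccess "$1" && echo "all checks passed"
fi
```

A FAIL line for wp-config.php or .htaccess means the deny rules are not being applied at all; check that the file is in the web root and that the vhost has AllowOverride set to permit Limit and Options directives.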

wp-config.php

# wp-config.php
# Remove the theme and plugin file editor from the dashboard, so a hijacked
# administrator account cannot be used to write PHP through the browser.
define('DISALLOW_FILE_EDIT', true);

# Turn Off PHP Error Reporting: error messages leak file paths and SQL to visitors.
# Hide them from the browser but keep them in the server error log for investigation.
error_reporting(0);
@ini_set('display_errors', 0);

WordPress Plugin – All In One WP Security & Firewall: bundles many of the steps above (file permission checks, login protection, disabling the file editor) into the dashboard, which is convenient for sites you cannot reach over SSH.
