
...

For these reasons it is best not to make the website publicly available until it is secured or, at the very least, as mentioned, to choose a very complex password.

For a more secure setup, consider installing one of these plugins.

Plugin: Google Authenticator

Description: The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on your Gmail or Google Apps account.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

If you need to maintain your blog using an Android/iPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin, but please note that enabling the App password feature will make your blog less secure.

Review: Very good plugin.

Notes: Make sure time is synced with the same time servers across the phone and server. For example, my iPhone was off by 2 minutes because it was set manually to Toronto.

Best thing to do is turn on the 4 minute drift allowance.

When setting the password make sure there are no spaces, otherwise the barcode will not work.

Plugin: Duo Two-Factor Authentication

Description: This plugin enables Duo Security's two-factor authentication for WordPress logins.

Duo provides simple two-factor authentication as a service via:

  • Phone callback
  • SMS-delivered one-time passcodes
  • Duo mobile app to generate one-time passcodes
  • Duo mobile app for smartphone push authentication
  • Duo hardware token to generate one-time passcodes

This plugin allows a WordPress administrator to quickly add strong two-factor authentication to any WordPress instance without setting up user accounts, directory synchronization, servers, or hardware.

Review: Free signup, but it looks like only 1000 transactions for the life of the account.

Looks very professional.

Plugin: BAW More Secure Login

Description: Grid Cards

Plugin: Login Security Solution

Description: Adds some common defenses against brute force attacks.

Review: The most useful feature I find, when used with Google Authenticator, is that it blocks the user for x number of minutes, progressively longer as more attempts are tried. It also blocks by cookie and IP address.

Notes: Should have a link to how to ssh in to disable plugins if they misbehave.
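The time-sync and drift-allowance notes on the Google Authenticator plugin come down to how TOTP works: the code is derived from the current 30-second time step, so a phone clock two minutes behind the server produces a code for a step four behind. The following is an added example, not code from this page or from the Google Authenticator plugin, that implements RFC 6238 TOTP the way the Google Authenticator app computes codes (HMAC-SHA1, 30-second steps, 6 digits) and shows that the same code fails with no allowance and passes with a 4-minute one. The secret is the RFC 6238 Appendix B test key, the fixed "now" timestamp is a constructed value, and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step; the Google Authenticator app uses 30 s, SHA-1, 6 digits


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in the enrolment QR code (spaces and case are ignored)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding most apps strip
    return base64.b32decode(cleaned)


def matching_step_offset(secret: bytes, code: str, server_time: int,
                         drift_seconds: int = 0, digits: int = 6):
    """Return the step offset (in TIME_STEP units) at which `code` matches, or None.

    drift_seconds is the allowance either side of the server clock (240 for the plugin's
    4-minute setting). Offsets are tried nearest-first, and every comparison is constant-time
    so a near miss and a far miss are not distinguishable by timing.
    """
    steps = drift_seconds // TIME_STEP
    current = server_time // TIME_STEP
    for offset in sorted(range(-steps, steps + 1), key=abs):
        if hmac.compare_digest(hotp(secret, current + offset, digits), code):
            return offset
    return None


def verify_totp(secret: bytes, code: str, server_time: int,
                drift_seconds: int = 0, digits: int = 6) -> bool:
    return matching_step_offset(secret, code, server_time, drift_seconds, digits) is not None


# Constructed demo values: the RFC 6238 Appendix B test key and a fixed "now" (hypothetical).
DEMO_SECRET = b"12345678901234567890"
DEMO_SERVER_NOW = 1_700_000_000


def phone_login(phone_offset_seconds: int, drift_seconds: int) -> bool:
    """Simulate a phone whose clock is phone_offset_seconds away from the server's clock."""
    code = totp(DEMO_SECRET, DEMO_SERVER_NOW + phone_offset_seconds)
    return verify_totp(DEMO_SECRET, code, DEMO_SERVER_NOW, drift_seconds)


if __name__ == "__main__":
    print("phone 2 min slow, no drift allowance:", phone_login(-120, 0))
    print("phone 2 min slow, 4 min allowance:  ", phone_login(-120, 240))
```

A wider window accepts more candidate codes per attempt, which is why the drift allowance is a trade-off rather than something to set arbitrarily high; keeping both clocks on NTP removes the need for most of it.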

...

Keep in mind that when creating accounts, WordPress requires unique email addresses.

Role | Description | Sample User Name
Administrator | Administrators have access to all the administration features. | setupadmin
Editor | Editors can publish posts, manage posts as well as manage other people's posts, etc. | perrywhite
Author | Authors can publish and manage their own posts, and are able to upload files. | clarkkent, loislane
Contributor | Contributors can write and manage their posts but cannot publish posts or upload media files. | jimmyolsen
Subscriber | Subscribers can read comments, comment, receive newsletters, etc. but cannot create regular site content. | lexluthor

(explain why we do not use the first admin account we created)

Create your first user,

Field: Site Title

Value: dailyplanet

Comment: We like to reference our domain name.

Field: Username

Value: setupadmin

Comment: This will be the real administration account. Steps to delete tempadmin will follow shortly.

Field: Password

Comment: As mentioned, WordPress has no facilities to stop dictionary attacks. On top of that, the default setup exposes your administrator account name on the Internet.

Choose a very, very long and complex password. (If anyone knows of a good site that shows how quickly an entered password would be broken by a dictionary attack, put the link here.)

Field: Your E-mail

Value: admin@bonsaiframework.com

Comment: If there is more than one administrator, you should have a general support email box that only administrators have access to. This email address will be used for password recovery purposes.

...


Warning

Content past this point is not yet organized or complete.

Lock Down WordPress

WordPress and PHP, simply because of their model, are inherently insecure when compared to more enterprise-oriented solutions.

As such, the Bonsai Framework takes an administrator approach to managing and securing WordPress. Though these instructions allow multiple clients to co-host, it is recommended not to use a co-hosting model for clients that require enterprise privacy. This is especially problematic if clients are granted shell access: it becomes very complex to protect one client from gaining access to another client's WordPress data.

Warning

WordPress updates through the built-in admin interface will fail unless the restrictions are relaxed. With this security approach, privileges must be temporarily granted as part of the upgrade process.

Restrict WordPress Database Account

Now that WordPress is set up we can lock down the application database account. As part of good application security, the WordPress application database account should only be granted minimal privileges. Note that during upgrades you will have to increase privileges again.

Connect to MySQL,

    mysql -u root -p

Enter the following MySQL commands,

    REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wpdpdbuser'@'localhost';
    GRANT SELECT, INSERT, UPDATE ON wpdailyplanetdb.* TO 'wpdpdbuser'@'localhost' IDENTIFIED BY 'password';
    FLUSH PRIVILEGES;

Adjust the variables for your application.

wpdailyplanetdb - Name of the database for the WordPress application instance. We use the domain name of the website.

wpdpdbuser - User account for accessing the database.

localhost - Address of the database server. In this example, the database is on the same server so use localhost.

password - Change to a password derived using your algorithm based on the name of the website domain, in this case dailyplanet.

Verify the changes took effect,

    SHOW GRANTS FOR 'wpdpdbuser'@'localhost';

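The output of SHOW GRANTS is what tells you whether the REVOKE/GRANT sequence actually left the account with only SELECT, INSERT and UPDATE on its own database. The following is an added example, not code from this page, that parses rows in the shape MySQL 5.x prints them and reports every deviation from that least-privilege target: privileges outside the allow-list, grants on a scope other than the application database, any real global privilege, and GRANT OPTION. The sample rows are constructed, the password hash is a placeholder, and the function and constant names are my own.

```python
import re

# Target state after the REVOKE/GRANT sequence on this page.
ALLOWED_PRIVILEGES = {"SELECT", "INSERT", "UPDATE"}
EXPECTED_SCOPE = "wpdailyplanetdb.*"

# One SHOW GRANTS row: GRANT <privs> ON <scope> TO <user> [IDENTIFIED BY ... | WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample output for the locked-down account (placeholder hash, not a real one).
SAMPLE_LOCKED_DOWN = [
    "GRANT USAGE ON *.* TO 'wpdpdbuser'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH'",
    "GRANT SELECT, INSERT, UPDATE ON `wpdailyplanetdb`.* TO 'wpdpdbuser'@'localhost'",
]

# Constructed sample output for an account that was never restricted.
SAMPLE_UNRESTRICTED = [
    "GRANT ALL PRIVILEGES ON `wpdailyplanetdb`.* TO 'wpdpdbuser'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT ON `mysql`.* TO 'wpdpdbuser'@'localhost'",
]


def parse_grant(row: str) -> dict:
    """Split one SHOW GRANTS row into privilege set, scope, account and GRANT OPTION flag."""
    m = GRANT_RE.match(row.strip().rstrip(";"))
    if not m:
        raise ValueError(f"not a GRANT row: {row!r}")
    return {
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "scope": m.group("scope").replace("`", ""),
        "user": m.group("user"),
        "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
    }


def audit_grants(rows, allowed=ALLOWED_PRIVILEGES, expected_scope=EXPECTED_SCOPE) -> list:
    """Return one finding per deviation from least privilege; an empty list means the account is clean."""
    findings = []
    for row in rows:
        g = parse_grant(row)
        user = g["user"]
        if g["scope"] == "*.*":
            # USAGE ON *.* is MySQL's "no privileges" placeholder and is expected;
            # anything else on *.* is a real global privilege.
            global_privs = sorted(g["privs"] - {"USAGE"})
            if global_privs:
                findings.append(f"{user}: global privileges {global_privs} on *.*")
        else:
            if g["scope"] != expected_scope:
                findings.append(f"{user}: grant on unexpected scope {g['scope']}")
            excess = sorted(g["privs"] - set(allowed))
            if excess:
                findings.append(f"{user}: privileges beyond allow-list on {g['scope']}: {excess}")
        if g["grant_option"]:
            findings.append(f"{user}: holds GRANT OPTION")
    return findings


if __name__ == "__main__":
    for label, rows in (("locked down", SAMPLE_LOCKED_DOWN), ("unrestricted", SAMPLE_UNRESTRICTED)):
        print(label, "->", audit_grants(rows) or "OK")
```

To run it against a live server, feed it the rows from `mysql -N -e "SHOW GRANTS FOR 'wpdpdbuser'@'localhost'"`. The allow-list is a parameter on purpose: WordPress features that remove rows (permanently deleting posts or comments, clearing transients) need DELETE, so a site that uses them would add it to the list rather than silence the finding.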
Warning

This point onwards still needs to be fleshed out.


File Permissions

Following the WordPress article Hardening WordPress, we will take the approach of creating accounts for select developers or release managers.

wp-config.php - holds the database password and should be locked down (it is thanks to the ACLs)

Note

As covered in the Ubuntu WordPress guide, for automatic updates to occur the folder and all its files and sub-folders must be owned by www-data with write access. The Bonsai Framework does not endorse this approach. Clients administering WordPress who require this functionality should understand the security implications.

...

Writing Next Topics

  • Repeat for the second instance.
  • Upgrades and Updates

FAQ

Why do some of the php5 installations say to use install libapache2-mod-php5?

...