WordPress Best Practices for Security
WordPress Security Best Practices on Azure App Services (Windows/Linux)
Best Practices
When it comes to Security, there are a few Best Practices recommended when using Azure App Services.
- Modifications in
wp-config.php
file:- Change default
$table_prefix
fromwp_
to a unique string - Utilize the encoding for Keys and Salts
- Disable File Editing with:
define('DISALLOW_FILE_EDIT', true);
- This will remove
edit_themes
,edit_files
, andedit_plugins
capabilities to all users.
- This will remove
- Change default
- DO NOT use weak passwords or usernames like: admin, administrator, test123, password, etc.
- Keep WordPress updated.
- Backup regularly
- Use Backups for Azure App Services.
- Web Server config modifications (IIS and Apache)
- Restrict access to
wp-config.php
- Limit access to
wp-config.php
- Prevent clickjacking with header:
X-FRAME-OPTIONS = SAMEORIGIN
- Restrict access to
- Delete
xml-rpc.php
if not used - Enable Static/Dynamic IP Restrictions
- PHP modifications:
- Reduce XSS Attacks:
- Add
session.cookie_httponly = true
inphp.ini
or.user.ini
- Add
- Reduce XSS Attacks:
- Use a WordPress security plugin
Modifications in wp-config.php
- Change the
$table_prefix
fromwp_
to something unique.- Example:
$table_prefix = 'mysite_';
- Example:
- Utilize the encoding for Keys and Salts
- You can generate these using the following: https://api.wordpress.org/secret-key/1.1/salt/
- Disable File Editing by adding
define('DISALLOW_FILE_EDIT', true);
- This will remove
edit_themes
,edit_files
, andedit_plugins
capabilites to all users.
- This will remove
WordPress Updates
You can enable various levels of auto updates for WordPress by adding the following in your wp-config.php
file.
define('WP_AUTO_UPDATE_CORE', true);
- When set to
true
- Development, minor, and major updates are all enabled. - When set to
false
- Development, minor, and major updates are all disabled. - When set to
'minor'
- Minor updates are enabled, development, and major updates are disabled.
Backup Regularly
Follow these steps in the Azure App Service documentation for backing up your site with the Backup feature. https://docs.microsoft.com/en-us/azure/app-service/manage-backup
Web Server config
- Restrict access to
wp-config.php
- Apache:
<Files wp-config.php> # Apache 2.2 Order Deny,Allow Deny from all # Apache 2.4+ Require all denied </Files>
- IIS
<location path="wp-config.php"> <system.webServer> <security> <ipSecurity allowUnlisted="false" /> </security> </system.webServer> </location>
- Apache:
- Limit access to
wp-login.php
- Apache
<Files wp-login.php> # Apache 2.2 Order Deny,Allow Deny from all Allow from xxx.xxx.xxx.xxx Allow from xxx.xxx.xxx.xxx # Apache 2.4+ Require all denied Require ip xxx.xxx.xxx.xxx Require ip xxx.xxx.xxx.xxx </Files>
- IIS
<location path="wp-login.php"> <system.webServer> <security> <ipSecurity allowUnlisted="false"> <add ipAddress="xxx.xxx.xxx.xxx" allowed="true" /> </ipSecurity> </security> </system.webServer> </location>
- Apache
- Prevent clickjacking by adding an addditional header:
X-FRAME-OPTIONS = SAMEORIGIN
- Apache
# Inside the apache2.conf or httpd.conf file Header always append X-Frame-Options SAMEORIGIN
- IIS
<system.webServer> <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> </system.webServer>
- Apache
Enable Static/Dynamic IP Restrictions
IP restrictions can be enabled in App Services by setting up access restrictions. More information on this can be found here: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
- Dynamic IP Restrictions
- Apache
# Requires libapache2-modsecurity to be installed # ex. apt-get install libapache2-modsecurity SecRuleEngine On <LocationMatch "^/.*"> # initialise the state based on X-Forwarded-For ip address SecRule REQUEST_HEADERS:X-Forwarded-For "@unconditionalMatch" "phase:2,initcol:ip=%{MATCHED_VAR},pass,nolog,id:100" # if greater then burst_rate_limit then pause set RATELIMITED var and then return 509 SecRule IP:ACCESS_COUNT "@gt " "phase:2,deny,status:509,setenv:RATELIMITED,skip:1,nolog,id:102" # if above rule doesnt match increment the count SecAction "phase:2,setvar:IP.access_count=+1,pass,nolog,id:103" # set the base rate to one per second SecAction "phase:5,deprecatevar:IP.access_count=1/1,pass,nolog,id:104" # set a header when ratelimited Header always set Retry-After "10" env=RATELIMITED </LocationMatch> ErrorDocument 509 "Rate Limit Exceeded"
- IIS
<system.webServer> <security> <dynamicIpSecurity enableLoggingOnlyMode="true"> <denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" /> <denyByRequestRate enabled="true" maxRequests="30" requestIntervalInMilliseconds="300" /> </dynamicIpSecurity> </security> </system.webServer>
- Apache
PHP Modifications
- Reduce Cross Site Scripting (XSS) attacks:
- Add
session.cookie_httponly = true
in thephp.ini
,.user.ini
, or custom.ini
file being loaded into PHP.
- Add
WordPress security plugin
There are many different WP Security plugins out there that you could use. Using any one of them could help provide better overall security for your WordPress site compared to not having one at all. A list of some well known plugins are below:
- Wordfence Security: https://wordpress.org/plugins/wordfence/
- All In One WP Security: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
- Sucuri Security: https://wordpress.org/plugins/sucuri-scanner/