A high risk client wants to use #WordPress. I may be ultimately responsible.

I believe I can handle doing things correctly at the LAM but the P concerns me. How to harden WP? My first thoughts are lock down the users table and move wp-config.php out of the web root. Change control on core and I handle updates.

How else to harden WP? Jokes welcome, but bonus points for actual suggestions.



I wrote some profiles for it. I would be very careful about plugins. As I'm the packager, I follow some of the WP security notices. There are a lot about plugins, even security ones.

Think about making the system automatically update vs. the fact that this means your webserver can write files that are executed by it. Same with plugins and themes.

I use my Debian package, which is not writable, and use AppArmor to temporarily deny writes.
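A shell check for the points raised in this thread (code the web server must not be able to write, wp-config.php kept out of the web root, updates handled by hand), added here as an example and not code from either poster. It assumes the standard WordPress directory layout and that you pass the web-server account name (e.g. www-data) as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress tree for files the
# web-server account could modify, and for wp-config.php left in the web root.
# Assumes the standard WordPress layout; wp-content/uploads is the one tree
# that legitimately stays writable, so it is skipped.
# Usage: wp_audit /var/www/wordpress www-data

# Print every file or directory under $1 that user $2 or group $3 could
# write to, or that is world-writable, skipping wp-content/uploads.
writable_by() {
    root=$1; user=$2; group=$3
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        \( -user "$user" -perm -200 \
           -o -group "$group" -perm -020 \
           -o -perm -002 \) -print
}

# Run all checks; prints one finding per line, returns 1 if anything was found.
wp_audit() {
    root=${1%/}; webuser=$2; rc=0
    id -u "$webuser" >/dev/null 2>&1 || { echo "unknown user: $webuser"; return 1; }
    webgroup=$(id -gn "$webuser")

    # 1. Code the web server can write is code the web server can be made to
    #    run (the auto-update trade-off from the thread).
    hits=$(writable_by "$root" "$webuser" "$webgroup")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/writable by web server: /'
        rc=1
    fi

    # 2. WordPress also reads wp-config.php from the parent of the web root,
    #    so it does not need to be served from inside it.
    if [ -f "$root/wp-config.php" ]; then
        echo "wp-config.php is inside the web root: $root/wp-config.php"
        rc=1
    fi

    # 3. With updates handled by hand, DISALLOW_FILE_MODS stops the admin UI
    #    from installing or updating plugins, themes and core (textual check).
    cfg=$root/wp-config.php
    [ -f "$cfg" ] || cfg=$root/../wp-config.php
    if [ -f "$cfg" ] && ! grep -q DISALLOW_FILE_MODS "$cfg"; then
        echo "DISALLOW_FILE_MODS not set in $cfg"
        rc=1
    fi
    return $rc
}
```

A read-only package install like the one described in the reply passes the first check because the web-server account neither owns the files nor shares their group; run it again after any deliberate write window is closed.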
