1.運行最新版本的wordpress
2.運行最新版本的主題和插件
3.有選擇性地選擇插件和主題
4.移除數據庫中失效的用戶
5.安詳設置-阻止目次列表(網站根目次下的.htacess:Options -Indexes)
6.巨大的安詳鍵(AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY,
AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT)
7.限制會見wp-admin目次
8.禁用文件編輯
9.阻止wordpress用戶名列舉(詳見:http://www.acunetix.com/blog/articles/wordpress-username-enumeration-using-http-fuzzer/)
10.為所有的登錄和wp-admin啟用HTTPS:define('FORCE_SSL_LOGIN',
true);define('FORCE_SSL_ADMIN', true);
11.限制會見插件和主題文件
# Restrict access to PHP files from plugin and theme
directories
RewriteCond %{REQUEST_URI}
!^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI}
!^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI}
!^/wp-content/themes/file/to/exclude.php
RewriteCond %{REQUEST_URI}
!^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*.php)$ - [R=404,L]
12.阻止php文件的執行
<directory "="" var="" www="" wp-content="" uploads=""><Directory "/var/www/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>
Deny from All
13.關掉你的debug日志:define( 'WP_DEBUG', false );
,
