Plugin Directory

Changeset 2184904

Timestamp:
11/02/2019 11:48:32 AM
Author:
astrasecuritysuite
Message:

More info added to readme.

File:
1 edited

  • wp-security-hardening/trunk/readme.txt

    r2184307 r2184904  
    1616== Description ==
    1717
    18 WP Hardening by AstraSecurity is a tool which performs a real-time security audit of your website to find missing security best practices. Using our ‘Security Fixer’ you can also fix these with a single click from your WordPress backend.
     18WP Hardening by Astra Security is a tool which performs a real-time security audit of your website to find missing security best practices. Using our ‘Security Fixer’ you can also fix these with a single click from your WordPress backend.
    1919
    2020It is a task to achieve the basic WordPress security measures without using multiple plugins. Ironically, this induces higher risk of a compromisation for websites with so many plugins at work. Multiple plugins also ask for better maintenance, updates, which many webmasters failed to comply. WP Hardening plugin solves this problem and more.
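Review bot: the rename on line 18 is fine, but since this commit is a copy-edit of the description, the unchanged line 20 in the same hunk should get the same pass: "induces higher risk of a compromisation" is not idiomatic ("raises the risk of compromise"), and "updates, which many webmasters failed to comply" needs "fail to keep up with" or similar. Both sentences sit directly under the changed line and will be read together on the plugin page.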
     
    2323
    2424<strong>About Astra</strong>
    25 <p><br />Astra Web Security is a Techstars company &amp; the winner of the French Tech Ticket Program. Awarded as The Most Innovative Security Company at the Global Conference on Cyber Security.<br />
     25<p><br />Astra Security is a Techstars company &amp; the winner of the French Tech Ticket Program. Awarded as The Most Innovative Security Company at the Global Conference on Cyber Security.<br />
    2626
    2727Astra's vision is to make cyber security a five minute affair for businesses</p>
     
    3131==Features==
    3232
    33 ##Hardening Audit##
     33###Hardening Audit###
    3434<ol>
    35     <li>WordPress Version Check
    36     <br>It checks if your website is on the latest version or not.</li>
    37     <li>Checking Outdated Plugins
    38     <br>It checks if your website is running the updated plugins or not.</li>
    39     <li>Checking PHP Version
    40     <br>WP Hardening also checks if your website is running on a secure version of PHP.</li>
    41     <li>Checking File & Folder Permissions
    42 <br>WP Hardening also checks if your website is built on the secured version of PHP or not.</li>
    43     <li>Database Password Strength
    44 <br>We check the strength of passwords used on your database. Not having a secured password can become an easy target for Brute-Force attacks.</li>
    45     <li>Checking Firewall Protection
    46 <br>We’ll check if your website is being protected by a firewall or not. Firewalls leverage a great monitoring and filtering system on your website. Check out the features of Astra firewall here. </li>
     35  <li><strong>WordPress Version Check</strong>
     36    <br>It checks if your website is on the latest version or not.
     37  </li>
     38  <li><strong>Checking Outdated Plugins</strong>
     39    <br>It checks if your website is running the updated plugins or not.
     40  </li>
     41  <li><strong>Checking PHP Version</strong>
     42    <br>WP Hardening also checks if your website is running on a secure version of PHP.
     43  </li>
     44  <li><strong>Checking File &amp; Folder Permissions</strong>
     45    <br>WP Hardening also checks if your website is built on the secured version of PHP or not.
     46  </li>
     47  <li><strong>Database Password Strength</strong>
     48    <br>We check the strength of passwords used on your database. Not having a secured password can become an easy target for Brute-Force attacks.
     49  </li>
     50  <li><strong>Checking Firewall Protection</strong>
     51    <br>We’ll check if your website is being protected by a firewall or not. Firewalls leverage a great monitoring and filtering system on your website. Check out the features of Astra firewall here.
     52  </li>
    4753</ol>
    4854
    4955##Security Fixers##
    5056
    51 <strong>Admin & API Security</strong>
     57**Admin & API Security**
    5258
    5359<ol>
    54     <li>Stop User enumeration
    55 <br>Hackers & bad bots can easily find usernames in WordPress by visiting URLs like yourwebsite.com/?author=1. This can significantly help them in performing larger attacks like Bruteforce & SQL injection.</li>
    56     <li>Change login url
    57 <br>Prevent admin password brute-forcing by changing the URL for the wp-admin login area. You can change the url only when this fixer is disabled.</li>
    58     <li>Disable XMLRPC
    59 <br>XMLRPC is often targeted by bots to perform brute force & DDoS attacks (via pingback) causing considerable stress on your server. However, there are some services which rely on xmlrpc. Be sure you definitely do not need xmlrpc before disabling it. If you are using Astra firewall, then you’re safe against xmlrpc attacks automatically.</li>
    60     <li>Disable WP API JSON
    61 <br>Since 4.4 version, WordPress added JSON REST API which largely benefits developers. However, it’s often targeted for bruteforce attacks just like in the case of xmlrpc. If you are not using it, best is to disable it.</li>
    62     <li>Disable File Editor
    63 <br>If a hacker is able to get access to your WordPress admin, with the file editor enabled it becomes quite easy for them to add malicious code to your theme or plugins. If you are not using this, it’s best to keep the file editor disabled.</li>
     60  <li><strong>Stop User Enumeration</strong>
     61Hackers &amp; bad bots can easily find usernames in WordPress by visiting URLs like <em>yourwebsite.com/?author=1</em>. This can significantly help them in performing larger attacks like Bruteforce &amp; SQL injection.</li>
     62  <li><strong>Change Login URL</strong>
     63Prevent admin password brute-forcing by changing the URL for the wp-admin login area. You can change the url only when this fixer is disabled.</li>
     64  <li><strong>Disable XMLRPC</strong>
     65XMLRPC is often targeted by bots to perform brute force &amp; DDoS attacks (via pingback) causing considerable stress on your server. However, there are some services which rely on xmlrpc. Be sure you definitely do not need xmlrpc before disabling it. If you are using Astra firewall, then you’re safe against xmlrpc attacks automatically.</li>
     66  <li><strong>Disable WP API JSON</strong>
     67Since 4.4 version, WordPress added JSON REST API which largely benefits developers. However, it’s often targeted for bruteforce attacks just like in the case of xmlrpc. If you are not using it, best is to disable it.</li>
     68  <li><strong>Disable File Editor</strong>
     69If a hacker is able to get access to your WordPress admin, with the file editor enabled it becomes quite easy for them to add malicious code to your theme or plugins. If you are not using this, it’s best to keep the file editor disabled.</li>
    6470</ol>
    6571
    6672
    67 <strong>Disable Information Disclosure & Remove Meta information</strong>
     73**Disable Information Disclosure & Remove Meta information**
    6874
    6975<ol>
    70     <li>Hide WordPress version number
    71 <br>This gives away your WordPress version number making life of a hacker simple as they’ll be able to find targeted exploits for your WordPress version. It’s best to keep this hidden, enabling the button shall do that.</li>
    72     <li>Remove WordPress Meta Generator Tag
    73 <br>The WordPress Meta tag contains your WordPress version number which is best kept hidden</li>
    74     <li>Remove WPML (WordPress Multilingual Plugin) Meta Generator Tag
    75 <br>This discloses the WordPress version number which is best kept hidden.</li>
    76     <li>Remove Slider Revolution Meta Generator Tag
    77 <br>Slider revolution stays on the radar of hackers due to its popularity. An overnight hack in the version you’re using could lead your website vulnerable too. Make it difficult for hackers to exploit the vulnerabilities by disabling version number disclosure here</li>
    78     <li>Remove Visual Composer / WPBakery Page Builder Meta Generator Tag
    79 <br>Common page builders often are diagnosed with a vulnerability putting your website’s security at risk. With this toggle enabled, the version of these page builders will be hidden making it difficult for hackers to find if you’re using a vulnerable version.</li>
    80     <li>Remove Version from Stylesheet
    81 <br>Many CSS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.</li>
    82     <li>Remove Version from Script
    83 <br>Many JS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.</li>
     76  <li><strong>Hide WordPress version number</strong>
     77    This gives away your WordPress version number making life of a hacker simple as they’ll be able to find targeted exploits for your WordPress version. It’s best to keep this hidden, enabling the button shall do that.
     78  </li>
     79  <li><strong>Remove WordPress Meta Generator Tag</strong>
     80    The WordPress Meta tag contains your WordPress version number which is best kept hidden
     81  </li>
     82  <li><strong>Remove WPML (WordPress Multilingual Plugin) Meta Generator Tag</strong>
     83    This discloses the WordPress version number which is best kept hidden.
     84  </li>
     85  <li><strong>Remove Slider Revolution Meta Generator Tag</strong>
     86    Slider revolution stays on the radar of hackers due to its popularity. An overnight hack in the version you’re using could lead your website vulnerable too. Make it difficult for hackers to exploit the vulnerabilities by disabling version number disclosure here
     87  </li>
     88  <li><strong>Remove Visual Composer / WPBakery Page Builder Meta Generator Tag</strong>
     89    Common page builders often are diagnosed with a vulnerability putting your website’s security at risk. With this toggle enabled, the version of these page builders will be hidden making it difficult for hackers to find if you’re using a vulnerable version.
     90  </li>
     91  <li><strong>Remove Version from Stylesheet</strong>
     92    Many CSS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.
     93  </li>
     94  <li><strong>Remove Version from Script</strong>
     95    Many JS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.
     96  </li>
    8497</ol>
    8598
    86 <strong>Basic Server Hardening</strong>
     99**Basic Server Hardening**
    87100<ol>
    88     <li>Hide Directory Listing of WP includes
     101    <li>strong>Hide Directory Listing of WP includes</strong>
    89102WP-includes directory gives away a lot of information about your WordPress to hackers. Disable it by simply toggling the option to ensure you make reconnaissance of hackers difficult</li>
    90103</ol>
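Review bot: line 101 drops the opening bracket of the tag, so `<li>strong>Hide Directory Listing of WP includes</strong>` will render the literal text "strong>" and leave the closing `</strong>` unbalanced; it should read `<li><strong>Hide Directory Listing of WP includes</strong>`, matching the other list items in this hunk. Two more points while the lists are being restyled: the description under "Checking File &amp; Folder Permissions" (line 45) still repeats the PHP-version text from line 42 ("built on the secured version of PHP or not") and says nothing about permissions, and the Admin & API Security list (lines 60 to 69) removes the `<br>` after each title while the Hardening Audit and Information Disclosure lists keep it, so only that list will run title and description together. Heading levels are also now inconsistent: "Hardening Audit" became `###` on line 33 but its sibling "Security Fixers" on line 55 stays `##`, although both are sections under `==Features==`.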
     
    115128=Will this plugin help me with malware infected website?=
    116129
    117 No, this plugin will help you harden your WordPress Security. However, you can opt for malware cleanup & firewall from within the plugin offered by Astra Web Security.
     130No, this plugin will help you harden your WordPress Security. However, you can opt for malware cleanup & firewall from within the plugin offered by Astra Security.
    118131
    119132=How will I get informed about my website’s security?=
     
    129142=Will this plugin help me to fix issues?=
    130143
    131 You will find a comprehensive step by step guides in the recommendation to fix the detected issues. The ‘Security Fixer’ option will help you to fix most of the security recommendations by just a click. If you have any questions contact us over <a href=”mailto:hello@getastra.com”>mail</a>
     144You will find a comprehensive step by step guides in the recommendation to fix the detected issues. The ‘Security Fixer’ option will help you to fix most of the security recommendations by just a click. If you have any questions contact us over <a href="mailto:name@email.com">mail</a>
    132145
    133146=What are the terms & conditions?=
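Review bot: line 144 replaces the vendor contact address hello@getastra.com with name@email.com, which reads like a template placeholder and points users at a mailbox outside the vendor's domain; either restore the real address or drop the mailto link, but do not ship the placeholder. The change from curly quotes to straight quotes around the href value is correct, since `href=”…”` in line 131 would not have produced a valid attribute. While here, "a comprehensive step by step guides" should be "comprehensive step-by-step guides".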
     
    1471601. This is the main dashboard; you’ll find a concise overview of your website’s present security. Buttons “Start a new audit”, “Security Fixers”, “Request malware cleanup”, “View Help docs”, on the dashboard take you to the respective sections.
    1481612. 'Audit Recommendation' section on the same page details the audit results. Whereas the “Recommendations” sub-section show improvement areas with links to comprehensive guide to implement those practices.
    149 3. 'Passed test' subsection shows already implemented best practices.
     1623. 'Passed test' sub-section shows already implemented best practices.
    1501634. The 'Security Fixers' section contains 13 vital security hardening areas. You can optimize these with a single click.
    1511645. The first section in the security fixer is of 'Admin & API Security'. You can find the details of each test by hovering.
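Review bot: the "subsection" to "sub-section" change on line 162 matches the spelling already used on line 161, so the pair is now consistent. The same context line 161 still has a subject-verb mismatch ("sub-section show improvement areas") and a missing plural ("links to comprehensive guide"), which would be natural to fix in the same copy-edit commit.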