Best security practices – hardening WordPress

  • Resolved mysticalcode

    (@mysticalcode)


    5 years, 4 months ago

    Hi @nagdy

    Thank you very much for this plugin. I like the idea of rotating WordPress salts. I also like the idea of set and leave by periodically getting this done automatically – sort of like a set and forget. Don’t you think that it’s counter-intuitive though to leave wp-config.php writeable?

    The manual approach is good however some network admins & developers would forget to put the file back to un-writable. This happens quite a lot in my experience.

    Perhaps a combination of:

    • shell script fired by contrab schedule to change the permissions
    • and a PHP script to fire the salt rotations

    …will be the best way to implement this?

    I haven’t played with this idea but I’m thinking of safeguards to ensure the WordPress will only fire the routine if the request came from the server (or valid servers if with load balancer).

    Appreciate your thoughts. Thanks, mate.

    MC

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Nagdy

    (@nagdy)

    5 years, 4 months ago

    Hi @mysticalcode,

    Thanks for passing by!

    The plugin does shuffle the salts only when the file is writable, which means it does not change the permissions of the file.

    Your idea looks like a perfect plan to me, I didn’t test it though as with all of my sites, I set the plugin and forget about it (I built the plugin for personal use and published it here so people can make use of it or even improve which is happened by the way 🙂 )

    stone74955

    (@stone74955)

    5 years, 1 month ago

    Regarding “Best security practices” should I set Salts to a “daily” or “monthly” setting? What are the benefits gained?

    Plugin Author Nagdy

    (@nagdy)

    5 years, 1 month ago

    @stone74955 thanks for stopping by.

    Daily will lock you out of WordPress (and other users) every day and you’ll need to login again. On the other hand, it will make sure that your salt keys are refreshed, so more security gained.

    For most of the sites I personally use this plugin on, I set it to be weekly.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Best security practices – hardening WordPress’ is closed to new replies.