Wordpress distilled - secure and not piggy


#1

Any suggestions for a new wordpress install would be appreciated. I’m semi technical, but I can’t create mod_rewrite rules off the top of my head.

I used the beautiful one-click WP installer, and have verified it is up and working, so to speak (if barren).

Before I open access up, I’d like to change any file permissions, or restrict anything via specific .htaccess file blocks if that will help, security wise. I do have a fixed IP.

So far, I’ve only edited wp-config.php to have :

define('FORCE_SSL_ADMIN', true);

which works; any attempt to log in now goes over SSL, and the admin pages show up over https. I know that’s barely scratching the surface of course.

Also, any quick pointers on how to insure this install doesn’t become a hoggish app? I have read a bit about cache plugins, but if anyone has a favorite that has worked well at DH that’s great. I do not know if the plugins that were installed by default were from wordpress.org, or picked by DH folks.

The defaults were (are): Akismet, Disable WordPress Core, Disable WordPress Plugin Updates, Extended Comment Options, Hello Dolly, podPress, WordPress Hashcash, WP-FLV, WP Super Cache. Most needed upgrades, which was pretty painless.

I know this is all beginner bits, but would love to see more in the Wiki. Edit Dates would help tell if something might / might not be as relevant. Numerous good articles still via http://wiki.dreamhost.com/Category:WordPress

Don’t want to install the wrong cache, or theme, or widget, or . . . so am going to wait for a little group input first. I can leave it bare bones, and locked down to one IP for all of it for the moment, until it’s ready to hit daylight.

Thanks in advance for your input, more experienced WP folks :slight_smile:

responses to this thread will be emailed to me, thanks.


#2

.htaccess block in web directories for your eyes only (eg. wp-admin dir).

    Order Deny,Allow
    Deny from all
    Allow from x.x.x.x

WP Super Cache appears to be the all-time favourite caching solution.

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost
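As an added illustration, not code posted by anyone in this thread: the two .htaccess fragments below spell out the IP allowlist suggested above for wp-admin and add the one other file that should never be fetchable over HTTP, wp-config.php. The address 203.0.113.10 is a placeholder from the documentation range, the Apache 2.2 `Order`/`Allow`/`Deny` syntax is assumed because that is what the post uses, and the Apache 2.4 `Require` equivalents are given in comments for servers without mod_access_compat.

```apache
# ---- wp-admin/.htaccess -------------------------------------------
# Allowlist a single fixed IP for the whole admin area (Apache 2.2 syntax).
# 203.0.113.10 is a placeholder; substitute your own address.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
# Apache 2.4 equivalent (without mod_access_compat):
#   Require ip 203.0.113.10

# admin-ajax.php lives under wp-admin but is called by themes and plugins
# on behalf of anonymous visitors. Re-open it, or front-end features that
# depend on it will break for everyone who is not at the allowed IP.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
    # Apache 2.4: Require all granted
</Files>

# ---- site root .htaccess ------------------------------------------
# wp-config.php holds the database credentials and salts. PHP reads it
# from disk; no browser ever needs to request it, so deny it outright.
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
    # Apache 2.4: Require all denied
</Files>
```

Two caveats a practitioner would check before relying on this: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so an IP allowlist must be done at the proxy or with the real client address passed through; and if your home IP changes you lock yourself out of wp-admin until you edit the file over SFTP, which is why the post assumes a fixed IP.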


#3

Full of win. I appreciate the suggestion for the wp-admin directory, and have implemented that. Is there a known list of other files that should be protected? I know, paranoia, but being a sysadmin on other things tends to make me cautious before releasing something into the wild. I want to make sure others don’t have to contact me, hosting wise :slight_smile:

WP Super Cache, good deal. It’s installed, I’ll just enable it.

I am trying to segregate this blog on its own MySQL interface, username / home folder, etc. to make it more portable, in case it ever does cause a problem. Not that I expect it to, it's just a good learning exercise I think for a semi-tech person.

Appreciate the input sXi.



#4

Scripts run with the file user's privs, and as such any file limitations imposed by us as admins over SFTP can be changed programmatically, so at the end of the day it's all going to fall on how secure the base script itself is. I believe a vanilla WP installation is regarded as a relatively secure application - just gotta be careful with any plugins/mods.



#5

You might find WordPress’s own codex to be of interest here with regards to making WordPress as secure as possible. There is “good stuff” to be found in Hardening Wordpress. :slight_smile:

–rlparker
–DreamHost Tech Support


#6

Good deal all around. This is not for some uber bidness blog, or anything.

Still, I’m looking to make it efficient, and “nice -n19”, and relatively spam/hack resistant. I’ll surely follow up on the codex site, thanks!



#7

Why would you want to nice -n19 it?

-Scott


#8

Just a jest, I mean that it should be efficient and not wasteful.

I’m used to having 8-32 cores of my own, and this is on an 8 core shared server. So best to be streamlined, when I can.

As well, I consider vulnerabilities destined to cause problems not just for me, but for others; this gets other sysadmins involved, and that’s not happy :slight_smile:

Although I do tend to run every cron process that I can at that level of niceness; who cares if a report takes another minute to gen? I won't see it till hours later; best to share slices with others :wink:
