This is a full installation of WordPress with the following changes :
- All the "twentyxxxxxxx" themes are removed
- Default plugins "akismet" and "hello dolly" are removed
- The
wp-content
folder is renamed toassets
- Language support is enabled and set to
en_CA
by default. Lang files are stored inlang
uploads
folder is renamed tomedia
.
Several methods were used to make it easier to secure your wordpress installation as follows :
You should copy wp-config-sample.php
to wp-config.php
making any adjustments for your site. (database credentials, etc), prior to running the WordPress installation script as you normally would.
While the .htaccess file is pre-configiured, you will still need to make some minor adjustments such as:
- Change
example.com
andexample\.com
to your domain. - Update
123\.123\.123\.123
to the IP address you wish to allow access to thewp-admin/
folder
Edit the lockitdown.sh
script, and change the last line so the path is the same as your uploads path (if you changed it from assets/media
).
You will then want to run the lockitdown.sh
script from your wordpress root (included), and delete it after. This will set the access modifiers on all files to 404
(read, none, read), and on all folders to 515
(read+exec, exec, read+exec). It will also ensure the directory assigned for uploading is writable.
After this, it will delete the WordPress install script, license.txt, and readme.html files. You should delete the lockitdown.sh
script after running it.
There is now a .htaccess
file inside assets/media
which disables all exec file handlers (scripts will not run from this folder), so even if an attacker uploads a file here, it will not execute.
There is a plugin we wrote called "lock-it-down" and is the ONLY plugin in this installation. Enabling this plugin will do the following:
- Prevent WordPress from overwriting your
.htaccess
file - Disable the author archives page.
- Disable user registration.
- Turns off the multiple sizes for image uploads. Only the original will be used.
- Disable theme and plugin automatic updates.
After completing your installation, you should ensure that the credentials used for the database settings, are limited to only what you need.