{{tag>linux security wordpress}}

====== Server hardening ======
===== General tips =====
  * Check all open/listening ports on each server and make sure everything looks ok there (no unexpected connections, etc.)
  * Get local user accounts on all servers
  * If SSH is enabled for remote management, I would disable password auth and switch to private key - if already in place, generate a new key
  * Check sudoers on all servers and make sure the proper users/groups are in there
  * Check all groups (local/directory server) to make sure no accounts are hanging around from the old admin
  * Along with users/groups, disable/remove any test/dummy accounts in case someone is using it as a back way in
  * 
  * On Linode, check out the access settings to make sure there aren't any rules in there to allow management from anywhere (or non company locations)
  * On Linode, make sure only appropriate users have access to the account

===== WordPress =====

  * Comb through the list of users with access and be sure to remove any former employees/admins
  * Check permissions carefully to make sure users have the appropriate access rights
  * Disable file editing in the admin using wp-config.php
  * Isolate user account for site from others
  * Make .htaccess inaccessible to site user (but accessible to www-data)
  * Make wp-config.php read-only
  * Remove any unused plugins
  * Check security reports on existing ones for outstanding or frequent issues
  * Check when plugins were last updated by author in repository - old / un-maintained plugins candidates for replacement or removal
  * Reduce permissions on DB account for site to SELECT / UPDATE / INSERT / DELETE (you will need to unlock when adding or updating plugins that use custom tables)
  * Setup wp-cli to automatically update plugins nightly (wp-cli plugin update —all)
  * Setup wp-fail2ban plugin, use wordpress-hard profile.
  * Globally disable access to xml-rpc.php in Apache config (403, helps prevent brute force and other quiet attacks) - unless actually used.
  * Globally disable access to any .log or .git files in Apache config
  * Consider WordFence or Sucuri plug-in for file integrity checks / monitoring
  * Setup daily backups of site
====== Tested on ======
  * 

====== See also ======

====== References ======
  * https://www.reddit.com/r/linuxadmin/comments/8uldes/my_first_security_audit_any_tips/