Implementing WordPress Security Keys & Salts (and Generating Your Own) in 2019

I have been hardening down my Fortinet firewall and WordPress servers.  I moved the wp-config.php file and added an include into the one on each web site for the new location.   I added the security keys and salts to the moved wp-config.php file for all the web sites.  I changed all the SQL passwords for each site.  I changed the .htacess to stop browsing.  I added some plugins for brute force login attacks.   I removed the webalizer servers, logs, and other etc files from the servers.   I removed other directories and files that are no longer need and could pose and issue to security.  I changed all files to chmod 644.   Directories are 755.   I keep all the LAMP components up to date and check weekly. I keep the WordPress components up to date like themes, plugins, etc.  The Fortinet firewall has web filter blocks for wp-admin and other private directories.

 I have two .htaccess files:  In the web site base folder and one in wp-admin to stop access to it. 

base folder :  You can add Options – Indexes to stop browsing.

WP-Admin folder: I add

Require ip for both ipv4 and ipv6.   I add my workstation, server that hosts the web site, external addresses that I might use.   You also add these into /etc/hosts or your Windows hosts file.  

How did I repoint www to wp for my web sites?

On Godaddy DNS, I setup A records for wp and www pointing to my ISP IP address.

In the etc/https/sites-available/  conf files I added

ServerAlias *
Redirect “/” “”

The ServerAlias is the old www address.  The redirect points to the new SSL server address.   The redirect is much faster now since it happens in the website itself. 

Both WordPress servers have been duplicated and moved to Ubuntu 20.04.1 and latest components.  

 I add the repository for Digital Ocean MariaDB 10.x,  PHP 7.4.x, Apache 2.4.x.   I install phpMyAdmin’s latest version after installing the base product in Ubuntu.   phpMyAdmin is a quick way to create the WordPress databases and user for each web site.   I have pages dediicated for each of these.    I copy in The Hacker News bug reports on all the components I use.  It is best to stay on the latest components for WordPress.