Implementing WordPress Security Keys & Salts (and Generating Your Own) in 2019
I have been hardening down my Fortinet firewall and WordPress servers. I moved the wp-config.php file and added an include into the one on each web site for the new location. I added the security keys and salts to the moved wp-config.php file for all the web sites. I changed all the SQL passwords for each site. I changed the .htacess to stop browsing. I added some plugins for brute force login attacks. I removed the webalizer servers, logs, and other etc files from the servers. I removed other directories and files that are no longer need and could pose and issue to security. I changed all files to chmod 644. Directories are 755. I keep all the LAMP components up to date and check weekly. I keep the WordPress components up to date like themes, plugins, etc. The Fortinet firewall has web filter blocks for wp-admin and other private directories.
I have two .htaccess files: In the web site base folder and one in wp-admin to stop access to it.
base folder : You can add Options – Indexes to stop browsing.
WP-Admin folder: I add
Require ip for both ipv4 and ipv6. I add my workstation, server that hosts the web site, external addresses that I might use. You also add these into /etc/hosts or your Windows hosts file.
Both WordPress servers have been duplicated and moved to Ubuntu 20.04.1 and latest components. I will be migrating to Ubuntu 22.04.
I add the repository for Digital Ocean MariaDB 10.x, PHP 8.1.x, Apache 2.4.x. I install phpMyAdmin’s latest version after installing the base product in Ubuntu. phpMyAdmin is a quick way to create the WordPress databases and user for each web site. I have pages dediicated for each of these. I copy in The Hacker News bug reports on all the components I use. It is best to stay on the latest components for WordPress.