Hardening WordPress

replace wp_ db prefix
rename folders wp-content, uploads, plugins, wp-admin, wp-include

define('UPLOADS', 'media' ); // we renamed uploads and moved it level up
define('WP_CONTENT_DIR', '/path/to/wordpress/dir/content'); // no host name, no trailing slash
define('WP_CONTENT_URL', 'http://example.com/content');
define('WP_PLUGIN_DIR', '/path/to/wordpress/dir/content/mod'); // no host name, no trailing slash
define('WP_PLUGIN_URL', 'http://example.com/content/mod');

change cookie’s names

define('USER_COOKIE', 'my_user_cookie' );
define('PASS_COOKIE', 'my_pass_cookie' );
define('AUTH_COOKIE', 'my_auth_cookie' );
define('SECURE_AUTH_COOKIE', 'my_sec_cookie' );
define('LOGGED_IN_COOKIE', 'my_logged_cookie' );
define('TEST_COOKIE', 'my_test_cookie' );

Sources:

https://wpcerber.com/turn-wordpress-into-fort-knox/
https://developer.wordpress.org/advanced-administration/security/hardening/

file permission

# security
Read more
```
# before setup
chown www-data:www-data  -R * # Let Apache be owner
find . -type d -exec chmod 755 {} \;  # rwxr-xr-x
find . -type f -exec chmod 644 {} \;  # rw-r--r--

# after setup
chown <username>:<username>  -R * 
chown www-data:www-data wp-content
```
Source:
- https://wordpress.org/documentation/article/hardening-wordpress/#file-permissions
- https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress
- https://wordpress.org/documentation/article/changing-file-permissions/
- https://httpd.apache.org/docs/2.2/misc/security_tips.html
Input / output

# security

July 15, 2023
Read more
Never trust user’s inputs, even from admin or database.

Validation checks an input over a list of requirements.
```
in_array( mixed $needle, array $haystack, bool $strict = false ): bool
ctype_alnum( mixed $text ): bool
strlen( string $string ): int
...
```
https://developer.wordpress.org/apis/security/data-validation/

Sanitizing cleans a input, removing / transforming all unwanted piece of data.
```
// For text inputs:
sanitize_text_field( string $str ): string 

// Use specific sanitazing functions like for e.g.:
sanitize_email( string $email ): string
```
https://developer.wordpress.org/apis/security/sanitizing/

Escaping ouputs is the process of securing output data by stripping out unwanted data. It is best to do the output escaping as late as possible, ideally as data is being outputted.
```
esc_html( string $text ): string // will remove HTML tags
esc_url( string $url, string[] $protocols = null, string $_context = 'display' ): string
esc_attr( string $text ): string
esc_js( string $text ): string

// escaping with localization
esc_html_e( 'Hello World', 'text_domain' );
// can become ->
echo esc_html( __( 'Hello World', 'text_domain' ) );
```
https://developer.wordpress.org/apis/security/escaping/

Source: https://developer.wordpress.org/apis/security/common-vulnerabilities/
Force SSL admin connection

# security, wp-config.php

July 18, 2023
Read more
```
define( ‘FORCE_SSL_ADMIN’, true );
```
Disallow file editing

# security, wp-config.php
Read more
```
define( 'DISALLOW_FILE_EDIT', true );
```

REST API /users/

# functions.php, security

July 13, 2023

To enumerate users :

curl -L http://$1/wp-json/wp/v2/users

To prevent this :

add_filter( 'rest_endpoints', function( $endpoints ) {

    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }

	if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }

	return $endpoints;

});

Hardening WordPress

file permission

Input / output

Force SSL admin connection

Disallow file editing

REST API /users/