Backend Security Check

[JamesTheClarke]

Before we are able to switch from enjin to WP it's vital that we do a thorough security check in the backend of both WP and the hardware it's stored:

WP

• [x] disable Theme Editor
• [ ] disable Plugin Editor
• [ ] change default Login url
• [ ] install one main WP security plugin (Cerber, Defender, Wordfence, Sucuri etc.)

Synology NAS

• [x] install anti-virus software

@enrico-ghidoni I can give you temporary access to the NAS for this if you need it. Feel free to mention any tickboxes I need to add to the OP that we should investigate for security purposes.

[JamesTheClarke]

I've disabled Theme Editor and Plugin Editor via wp-config.php

define( 'DISALLOW_FILE_EDIT', true );

When all plugins are fully installed it's probably good to also disable the plugin editor:¨

define( 'DISALLOW_FILE_MODS', true );

Reference: https://www.siteground.com/kb/how-to-disable-theme-editor-and-plugin-editor-in-wordpress-admin-panel/

[enrico-ghidoni]

A few points to check (from https://www.wpbeginner.com/wordpress-security/)

• [ ] Apply least privilege principle, make sure that the admin account is well protected with a strong password and username is changed. The account should also be usable by the least amount of members as possible, perhaps even avoid using it at all and delegating roles to website maintainers would be better.
• [ ] The hosting solution. No idea on what you were thinking @JamesTheClarke, but a managed hosting solution would provide a better security than hosting it ourselves, as we would need to implement all sorts of system hardening processes and AFAIK nobody is a security expert in the community. Plus it takes continuous effort and we would stress out our current infrastructure with the web traffic.
• [ ] Full website backups, WP plugins are available for this
• [ ] Setup an auditing software (as far as I understood it's some sort of HIDS) for monitoring and security alerts (the source article I read suggests the Sucuri plugin, which also does firewalling)
• [ ] HTTPS is a MUST have
• [ ] Stored XSS protection by disabling PHP file execution (can be done through Sucuri)
• [ ] Limit login attempts (also done if Sucuri firewall is enabled)
• [ ] Change database wp_ prefix
• [ ] Disable directory indexing

Additional TODOs:

• [ ] check vulnerabilities for each installed plugin

Priority:

1. High priority tasks (need to be done before release):
   • HTTPS
   • securing admin account
   • user permissions check
   • plugins vulnerability check
   • full-site backups
   • disable directory indexing
   • Stored XSS protection
   • limit login attempts
   • change database tables prefix
2. Medium priority tasks (can be done after release)
   • Setup auditing software