0x640x610x670x6f asciitohex

Hardening WordPress

Securing WordPress using a combination of configuration changes and plugins.

`.htaccess` and `wp-config.php` tasks

1. Add keys to `wp-config.php`

2. Hide `.htaccess` and `wp-config.php`

Moved to git repository: https://github.com/denji/nginx-tuning

NGINX Tuning For Best Performance

For this configuration you can use web server you like, i decided, because i work mostly with it to use nginx.

Generally, properly configured nginx can handle up to 400K to 500K requests per second (clustered), most what i saw is 50K to 80K (non-clustered) requests per second and 30% CPU load, course, this was 2 x Intel Xeon with HyperThreading enabled, but it can work without problem on slower machines.

You must understand that this config is used in testing environment and not in production so you will need to find a way to implement most of those features best possible for your servers.

I'll enumerate below a suite of guides I've followed to setup a Ubuntu server:

Adjusting child processes for PHP-FPM (Nginx)

When setting these options consider the following:

How long is your average request?
What is the maximum number of simultaneous visitors the site(s) get?
How much memory on average does each child process consume?

Determine if the max_children limit has been reached.

sudo grep max_children /var/log/php?.?-fpm.log.1 /var/log/php?.?-fpm.log

	-- Query the database to calculate a recommended innodb_buffer_pool_size
	-- and get the currently configured value
	-- The rollup as the bottom row gives the total for all DBs on the server, where each other row is recommendations per DB.

	SELECT
	TABLE_SCHEMA,
	CONCAT(CEILING(RIBPS/POWER(1024,pw)),SUBSTR(' KMGT',pw+1,1))
	Recommended_InnoDB_Buffer_Pool_Size,
	(
	SELECT CONCAT(CEILING(variable_value/POWER(1024,FLOOR(LOG(variable_value)/LOG(1024)))),SUBSTR(' KMGT',FLOOR(LOG(variable_value)/LOG(1024))+1,1))

	if (typeof console != "undefined")
	if (typeof console.log != 'undefined')
	console.olog = console.log;
	else
	console.olog = function() {};

	console.log = function(message) {
	console.olog(message);
	$('#debugDiv').append('<p>' + message + '</p>');
	};

	<?php


	/**
	*
	* Gmail attachment extractor.
	*
	* Downloads attachments from Gmail and saves it to a file.
	* Uses PHP IMAP extension, so make sure it is enabled in your php.ini,
	* extension=php_imap.dll


	" _ _ "
	" _ /\|\| . . \|\|\ _ "
	" ( } \\|\|D ' ' ' C\|\|/ { % "
	" \| /\__,=_[_] ' . . ' [_]_=,__/\ \|"
	" \|_\_ \|----\| \|----\| _/_\|"
	" \| \|/ \| \| \| \| \\| \|"
	" \| /_ \| \| \| \| _\ \|"

	It is all fun and games until someone gets hacked!

-<?php
-require dirname(__FILE__).'/wp-blog-header.php';
-$wpdb->query("DELETE FROM wp_terms WHERE term_id IN (SELECT term_id FROM wp_term_taxonomy WHERE taxonomy LIKE 'pa_%')");
-$wpdb->query("DELETE FROM wp_term_taxonomy WHERE taxonomy LIKE 'pa_%'");
-$wpdb->query("DELETE FROM wp_term_relationships WHERE term_taxonomy_id not IN (SELECT term_taxonomy_id FROM wp_term_taxonomy)");
-$wpdb->query("DELETE FROM wp_term_relationships WHERE object_id IN (SELECT ID FROM wp_posts WHERE post_type IN ('product','product_variation'))");
-$wpdb->query("DELETE FROM wp_postmeta WHERE post_id IN (SELECT ID FROM wp_posts WHERE post_type IN ('product','product_variation'))");
-$wpdb->query("DELETE FROM wp_posts WHERE post_type IN ('product','product_variation')");