
WordPress

agowa338 agowa338 Dec 21, 2015 · 4 mins read

By default, WordPress has a few external dependencies. For security reasons it's a good idea to avoid external dependencies, or to remove them completely where possible. This also saves you from writing a whole lot of text into your privacy policy. And it's always a good idea to remove unused things that can cause you a lot of trouble...

  1. Google Fonts
      Some fonts are fetched from Google, so Google can build a list of nearly all pages a user visited. To disable this, install the plug-in "Disable Google Fonts".
  2. Emojis
      The emojis are pictures (instead of characters) fetched from s.w.org, so you may become liable if something goes wrong there. To disable this, install the plug-in "Disable Emojis".
  3. Registration
      Turn it off (until you really know what you are doing and what all of the consequences are). Settings => General
  4. Update Services
      Turn it off (until you really know what you are doing and what all of the consequences are). Settings => Writing
  5. E-Mail Publishing
      Turn it off (until you really know what you are doing and what all of the consequences are). Settings => Writing
  6. Comments
      Turn them off (until you really know what you are doing and what all of the consequences are). Settings => Discussion
      If you don't want to disable them, it's a good idea to enable manual approval.
      Leave "Name and E-Mail Address" required, but note that you have to mention that in your privacy policy.
      Don't enable notification of other weblogs, because that can trigger DoS protections and others may think you're trying to attack them.
      Disable the "Show Avatars" option. The WordPress avatars are also fetched from an external site. It may also be a legal issue in some countries, because you are liable for the pictures others provide.
  7. Plugins
      Don't install and enable every possible plugin. Many have big security holes that can lead to your site being used in the next phishing e-mail ("You have won...") to host their viruses.
      Disable all default plugins you don't need.
      Remember that if a plugin communicates with another server, you have to mention that in your privacy policy, so don't install anything where you cannot verify that it doesn't.
      Plugins can also prevent you from updating to a safe WordPress version after a bug was found, because the plugin author has not yet released an update.
  8. Updates
      Regularly (at least once a month) log into your WordPress to check whether there are any updates. If there are, make an additional backup and press start.
  9. Users and Permissions
      Don't use your administrative WordPress user to publish!!!!
      Don't name your user Admin, Administrator or root!!!!
      If you cannot think of a good name, use an online user name generator.
      Use very long and complex passwords (at least for your admin user); you don't have to remember them if you use e.g. KeePass.
      If you have problems remembering your publishing user's password, just think about your favorite song and write the lyrics with random capitalization or replacements. That way it's easy for you to remember but very hard to brute force (length) and impossible for dictionary attacks (the randomizations you made). Remember, longer is better than random:

    • "jsdga": 0.002970344 seconds to crack using a desktop PC
    • "Hell0": 0.229033208 seconds to crack using a desktop PC
    • "StarWars": On the top 60 passwords list.
    • "JUST LETTERS": 546 years to crack using a desktop PC (But it's probably guessable ;-) )
      Note: password attacks are normally not performed from desktop PCs; they are done on rented or hacked high-end servers, e.g. Amazon AWS, so brute forcing becomes a lot easier because those systems have 24/7 uptime, high bandwidth and very fast CPUs (I know GPUs would be better, but not many root servers have good ones).
  10. Publishing
      Don't set your website live (an .htaccess user name "user" and password "123" is enough) until you have checked all legal requirements. You may have to provide your full name and address, depending on where you live. As long as your site requires a password to be accessed, even one as simple as "user" and "123", that is enough to be protected from being sued (but you really should contact a lawyer before you believe me).
      In many places around the world there is something called "Notice and Take Down", which means that if you were notified about something wrong, you have to correct it (like if someone posted harassment in your comments
  11. URL Shorteners
      Don't use them. If you use e.g. tinyurl.com and that domain gets sold or hacked, or the operators decide to redirect to a landing page with (e.g. pornographic) ads, you may become liable for that.
      If you really want to use a URL shortener, then use your own. There are products like Your Own URL Shortener (YOURLS).
      But don't use them blindly. They may have a "calling home" (or contacting other servers) function that you had better disable in certain countries.
  12. FINALLY
      Don't use anything before you have RTFM (read the fucking manual).
      Don't use anything before you trust it (e. g. for liability reasons).
      Think about what you're about to do before you do it.
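The settings and plug-ins from items 1 to 6 can also be applied from code, which is useful when you run several sites or want the policy to survive someone flipping an option back in the admin screens. The following must-use plugin is an added example; it is not code from the original post and not the code of the "Disable Google Fonts" or "Disable Emojis" plugins. It only uses WordPress core hooks (remove_action, the pre_option_* filters, wp_resource_hints, enable_update_services_configuration, enable_post_by_email_configuration); the agx_ function names are my own, and the wp_resource_hints part applies to WordPress 4.6 and later.

```php
<?php
/*
Plugin Name: Remove external dependencies (added example)
Description: Applies items 1-6 of the checklist from code instead of via plugins and settings screens.
*/
// Added example, not from the original post. Requires PHP 5.3+ for the closures.

// Item 1: the admin and login screens load the "open-sans" style from fonts.googleapis.com.
// Re-registering the handle with no source keeps styles that depend on it working but loads nothing.
// Themes that enqueue Google Fonts under their own handle need the same treatment for that handle.
function agx_disable_google_fonts() {
    wp_deregister_style( 'open-sans' );
    wp_register_style( 'open-sans', false );
}
add_action( 'wp_enqueue_scripts',    'agx_disable_google_fonts' );
add_action( 'admin_enqueue_scripts', 'agx_disable_google_fonts' );
add_action( 'login_enqueue_scripts', 'agx_disable_google_fonts' );

// Item 2: remove the emoji detection script, its styles and the feed/mail rewriting that point at s.w.org.
function agx_disable_emojis() {
    remove_action( 'wp_head',             'print_emoji_detection_script', 7 );
    remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
    remove_action( 'wp_print_styles',     'print_emoji_styles' );
    remove_action( 'admin_print_styles',  'print_emoji_styles' );
    remove_filter( 'the_content_feed',    'wp_staticize_emoji' );
    remove_filter( 'comment_text_rss',    'wp_staticize_emoji' );
    remove_filter( 'wp_mail',             'wp_staticize_emoji_for_email' );
}
add_action( 'init', 'agx_disable_emojis' );

// WordPress 4.6+ also emits a dns-prefetch hint for s.w.org; drop it so the browser never contacts it.
add_filter( 'wp_resource_hints', function ( $urls, $relation_type ) {
    if ( 'dns-prefetch' !== $relation_type ) {
        return $urls;
    }
    foreach ( $urls as $i => $url ) {
        $href = is_array( $url ) ? $url['href'] : $url;   // newer versions may pass arrays
        if ( false !== strpos( $href, 's.w.org' ) ) {
            unset( $urls[ $i ] );
        }
    }
    return $urls;
}, 10, 2 );

// Items 3-6: pin options from code. A pre_option_* filter that returns anything but false
// short-circuits get_option(), so the stored value (and the settings screen) no longer matters.
function agx_force_option( $option, $value ) {
    add_filter( 'pre_option_' . $option, function () use ( $value ) {
        return $value;
    } );
}
agx_force_option( 'users_can_register',    0 );        // item 3: "Anyone can register" off
agx_force_option( 'ping_sites',            '' );       // item 4: nothing left to notify
agx_force_option( 'comment_moderation',    1 );        // item 6: every comment needs manual approval
agx_force_option( 'require_name_email',    1 );        // item 6: name and e-mail stay required
agx_force_option( 'default_pingback_flag', 0 );        // item 6: do not notify linked weblogs
agx_force_option( 'show_avatars',          0 );        // item 6: no avatar fetches from gravatar.com

// Items 4 and 5: hide both sections of Settings => Writing; the second filter also makes
// wp-mail.php refuse to run, so post-by-e-mail is really off and not just unconfigured.
add_filter( 'enable_update_services_configuration', '__return_false' );
add_filter( 'enable_post_by_email_configuration',   '__return_false' );
```

Save it as wp-content/mu-plugins/agx-no-external-dependencies.php; must-use plugins are loaded on every request and cannot be deactivated from the plugin list, which is the point for a policy like this. After installing it, load a page with the browser's network tab open and confirm that no request goes to fonts.googleapis.com, s.w.org or gravatar.com; that check, not the presence of the file, is what you can put into the privacy policy.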
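The rules in item 9 about user names, password length and not publishing as the administrator can be enforced rather than just remembered. This is an added example, not code from the original post. It relies on the core hooks illegal_user_logins (available since WordPress 4.4), user_profile_update_errors and admin_notices; the two minimum lengths and the agx_ function names are assumptions chosen for illustration.

```php
<?php
/*
Plugin Name: User naming and password policy (added example)
Description: Enforces the user-name and password rules from item 9 of the checklist.
*/
// Added example, not from the original post. The minimum lengths below are assumed values;
// pick what fits your site. Length is counted in bytes, which is enough for this purpose.
define( 'AGX_MIN_PASSWORD_LENGTH',       16 );
define( 'AGX_MIN_ADMIN_PASSWORD_LENGTH', 24 );

// Item 9: refuse the user names that are tried first in every login brute-force run.
// wp_insert_user() checks this list (case-insensitively), so the names cannot be created
// through the admin screens, registration or the API.
function agx_illegal_user_logins( $logins ) {
    return array_merge( (array) $logins, array( 'admin', 'administrator', 'root' ) );
}
add_filter( 'illegal_user_logins', 'agx_illegal_user_logins' );

// Item 9: a length-only rule. Length dominates the search space, so the policy sets a
// minimum length and leaves the choice of characters alone; song lyrics with a few
// replacements pass easily, "Hell0" does not.
function agx_password_too_short( $password, $is_admin ) {
    $min = $is_admin ? AGX_MIN_ADMIN_PASSWORD_LENGTH : AGX_MIN_PASSWORD_LENGTH;
    return strlen( $password ) < $min;
}

// Runs when a user is created or edited in wp-admin. $user is the object built from the
// form; user_pass is only set when a new password was actually typed.
function agx_check_password_length( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password change in this request
    }
    // Role from the form (new user or role change), otherwise from the stored account.
    $is_admin = isset( $user->role ) && 'administrator' === $user->role;
    if ( ! $is_admin && $update && ! empty( $user->ID ) ) {
        $existing = get_userdata( $user->ID );
        $is_admin = $existing && in_array( 'administrator', (array) $existing->roles, true );
    }
    if ( agx_password_too_short( $user->user_pass, $is_admin ) ) {
        $min = $is_admin ? AGX_MIN_ADMIN_PASSWORD_LENGTH : AGX_MIN_PASSWORD_LENGTH;
        $errors->add(
            'password_too_short',
            sprintf( '<strong>ERROR</strong>: The password must be at least %d characters long.', $min )
        );
    }
}
add_action( 'user_profile_update_errors', 'agx_check_password_length', 10, 3 );

// Item 9: remind administrators to publish with a separate author account. This is a nudge,
// not a block; it shows a warning whenever an administrator opens the post editor.
function agx_publishing_as_admin_notice() {
    if ( ! function_exists( 'get_current_screen' ) ) {
        return;
    }
    $screen = get_current_screen();
    if ( $screen && 'post' === $screen->base && current_user_can( 'manage_options' ) ) {
        echo '<div class="notice notice-warning"><p>You are editing as an administrator. '
           . 'Use a separate author account for publishing.</p></div>';
    }
}
add_action( 'admin_notices', 'agx_publishing_as_admin_notice' );
```

Put the file into wp-content/mu-plugins/ as well. The name rule only applies to accounts created after installation; an existing "admin" account is replaced by creating a new administrator with a different name, logging in as that user, and deleting the old one while attributing its posts to the new publishing account.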