My online software AHP-OS is mainly used in research. Projects handled with AHP-OS cover a wide range of applications like healthcare, climate, risk assessment, supplier selection, hiring, IT, marketing, environment, transport, project management, manufacturing or quality assurance. Some of these projects could contain sensitive data. Therefore I finally decided to secure the site with HTTPS to protect the site and users.
Tag: security
Making your WordPress blog more secure
You find the individual steps easily in a web search. Most critical is the change of SQL table prefixes. I did it manually using phpMyAdmin. When finished, no link was working any longer. Reason: permalinks were set to %postname%. After switching first to default and then back to %postname% everything was fine.
I also struggled with the password protection. Important: add the line ErrorDocument 401 default, otherwise you might always get the “page not found” message.
Steps to do:
- Move config.php file one directory above WordPress installation directory
- Remove admin user
  (create new user with full rights and delete old user)
- Protect wp-admin and wp-includes directories
  (read for owner and group only = 751)
- Hide WordPress version and login error messages
  Add in functions.php (in your ChildTheme directory):
    <?php
    remove_action('wp_head', 'wp_generator');    // drop the version meta tag
    add_filter('login_errors', '__return_null'); // hide login error details
    ?>
- Delete readme.html file from web root directory
- Password protect wp-admin directory (I used cPanel to create .htaccess).
  Modify .htaccess file in wp-admin, add:
    ErrorDocument 401 default
- Modify .htaccess file in web root:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
- SQL: change prefixes of database tables from
  “wp_” to “new_prefix_”
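
To verify the steps above after applying them, here is a small audit script. It is an added example, not part of the original post. It assumes the configuration file is WordPress's wp-config.php with its $table_prefix variable, and that password protection shows up as an AuthType line in wp-admin/.htaccess; the function name and finding texts are made up for this example.

```python
import os
import re
import stat
import sys

def audit_wordpress(root):
    """Check a WordPress tree against the checklist; return a list of findings."""
    findings = []
    p = lambda *parts: os.path.join(root, *parts)

    if os.path.isfile(p("readme.html")):
        findings.append("readme.html still in web root")

    # The config file is expected one directory above the installation.
    inside, above = p("wp-config.php"), p(os.pardir, "wp-config.php")
    if os.path.isfile(inside):
        findings.append("wp-config.php is inside the installation directory")
    config = inside if os.path.isfile(inside) else above
    if os.path.isfile(config):
        with open(config, encoding="utf-8", errors="replace") as fh:
            m = re.search(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""", fh.read())
        if m and m.group(1) == "wp_":
            findings.append("database tables still use the default wp_ prefix")
    else:
        findings.append("wp-config.php not found")

    # Mode 751 leaves "other" with execute only; flag world read/write bits.
    for name in ("wp-admin", "wp-includes"):
        mode = os.stat(p(name)).st_mode if os.path.isdir(p(name)) else 0
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(f"{name} is readable or writable by other")

    # wp-admin/.htaccess needs basic auth plus the ErrorDocument line.
    text = ""
    if os.path.isfile(p("wp-admin", ".htaccess")):
        with open(p("wp-admin", ".htaccess"), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    if not re.search(r"^\s*AuthType\s+\S+", text, re.M | re.I):
        findings.append("wp-admin is not password protected")
    elif not re.search(r"^\s*ErrorDocument\s+401\s+default\s*$", text, re.M | re.I):
        findings.append("wp-admin/.htaccess lacks 'ErrorDocument 401 default'")
    return findings

if __name__ == "__main__":
    # Usage: python audit_wp.py /path/to/wordpress (path is supplied by the operator)
    for finding in audit_wordpress(sys.argv[1]):
        print("FINDING:", finding)
```

An empty result means every item the script can see on disk is in place; removing the admin user and the functions.php changes still have to be checked by hand.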