= wordpress
  * /vía: [[http://wpzine.com/wordpress-security-hacks-and-tricks/]]
  * /vía: [[http://www.katharsix.com/la-seguridad-en-wordpress-algunos-consejos/]]
  * /vía: [[http://www.katharsix.com/la-seguridad-en-wordpress-algunos-consejos-ii/]]

  * [[web:security:wordpress:multisite]]

== securizar
  * cambiar usuario "admin"
  * tener el WP actualizado
  * usar contraseñas fuertes
  * aplicar el perfil correspondiente al trabajo a realizar - administrador no ha de ser el perfil por defecto para todos
  * quitar versión de WP, añadiendo una función en el fichero **functions.php**:<code php>function no_generator() { return ''; }
add_filter( 'the_generator', 'no_generator' );</code>
  * Desactivar XML-RPC (plugin -> **Disable XML-RPC-API**)
    * [[https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/]]
    * [[https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites]]
    * [[https://unaaldia.hispasec.com/2022/12/gotrim-la-red-de-bots-que-busca-controlar-cuentas-de-administrador-de-wordpress.html]]
    * <code bash>wget https://<site>/wp-json/wp/v2/users</code>
  * Cambiar dirección login (plugin -> **WPS Hide Login**)

== trucos
  * obligar método https VS ftp al actualizar:<code php; wp-config.php>define('FS_METHOD', 'direct');</code>

== recover & debugging
  * desactivar plugins:[[https://www.ostraining.com/blog/wordpress/disable-a-wordpress-plugin/]]
    * ''wp-content/plugins'', rename
    * DBB -> wp-options -> active_plugins
  * DEBUG:[[https://wordpress.org/support/article/debugging-in-wordpress/]]

== plugins
  * Activity Log
  * All in One WP Security
  * Asesor de Cookies
  * [[http://wordpress.org/extend/plugins/akismet/|Akismet]], el antispam
  * [[http://wordpress.org/extend/plugins/broken-link-checker/|Broken Link Checker]]
  * Contact Form 7 (formularios de contacto sencillos)
  * Disable XML-RPC-API
  * Easy HTTPS redirection
  * Email Log
  * Font Awesome
  * Google Analytics
  * Google Analytics dashboard for WP
  * [[http://wordpress.org/extend/plugins/limit-login-attempts/|Limit Login attempts]]
  * Loginizer Security
  * MailPoet newsletters
  * Media Library Organizer
  * <del>miniOrange 2 factor auth.</del>
  * Obfuscate Email
  * PHP Compatibility Checker
  * User Groups
  * User Groups restrictions
  * Secure WordPress
  * WP 2FA - Two-factor authentication for WordPress
  * WP Construction Mode (diferentes opciones para poner la página "en obras")
  * WP Database Backup
  * WP Email Template lite
  * WP Forms Lite
  * WPS Hide Login
  * WP Maintenance mode
  * [[http://wordpress.org/extend/plugins/wordpress-firewall-2/|WordPress Firewall 2]]
  * WP Super Cache
  * YouTube

== sistemas
  * borrar ficheros y carpetas de instalación:
    * /readme.html
    * /wp-admin/install.php
  * proteger fichero wp-config.php<code apache .htaccess>
<Files wp-config.php>
   order allow,deny
   deny from all
</Files></code>
  * Si es posible, permitir acceso ADMIN solo desde ciertas IPs a los directorios **wp-admin**, **wp-includes**<code php .htaccess># my ip address only
order deny,allow
allow from 213.27.244.178
allow from 62.97.72.29
deny from all</code>
    * No permite acceder a las imágenes desde los buscadores, habría que excluir **wp-includes/upload**\\

  * evitar el acceso a ficheros:<code php .htaccess>
# disable directory browsing
    Options All –Indexes
</code>
  * controlar acceso a directorio UPLOADS o UPGRADE, permitiendo solo ciertos tipos de ficheros<code php .htaccess>
# seguridad de subida de archivos en carpeta
<Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|bmp|tif|tiff|doc|pdf|rtf|xls|numbers|odt|pages|key|zip|rar)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>
</code>
    * [[http://ayudawordpress.com/seguridad-en-la-carpeta-uploads-de-wordpress/]]\\