A very select few security-focused plugins are worth keeping around, like WordFence. Every plugin, theme and add-on is additional attack surface, and some popular plugins and themes have a horrifying track record with regard to security. WordPress core has gotten a lot better recently, but there are still some whopper vulnerabilities disclosed on occasion.
For most people, I recommend giving it lenient enough file permissions that it can automatically apply its own updates. The most severe WP vulnerabilities are Remote Code [Inclusion|Execution]. Disallowing _www write access to the document root isn't going to save you from those, but allowing write access and enabling automatic updates means critical patches are applied faster than you'd normally be able to do it yourself.

I have experimented in my development environment with a "split installation" where two different virtual host entries serve WP from two different document roots but are pointed to the same database: a full-blown normal install on 127.0.0.1 that you access through something such as an SSH dynamic proxy, then a copied, locked-down install on the public IP address. The locked-down install doesn't even have wp-admin, and uses database credentials that are limited to SELECT queries only. This took a lot of extra work to keep maintained and updated, and obviously things like user login and comments won't work on the public-facing site. I'm not convinced this experiment is worth the hassle, because if you're that paranoid, you're likely already looking at static-site generators and getting away from WP by any means possible.

On Sun, Jun 4, 2017 at 4:34 PM, flipchan <flipc...@riseup.net> wrote:
> Delete ALL readme and don't install plugins
>
> On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat <ros...@ghweb.de> wrote:
> > Hi there,
> >
> > well if it would be up to me I would skip WordPress for good but well
> > it's not my decision.
> >
> > So I was wondering if there are some recommendations on what to block in
> > the httpd.conf and what file permissions to use.
> > For now I have:
> >
> > - like WordPress suggests, 0755 on dirs and 0644 on files
> > - setting wp-config.php to 0400 is not going to work at all; I need at
> >   least 0644 or nothing shows up
> > - in httpd.conf I blocked /wp_content, /wp-content/uploads/*.php,
> >   /wp-includes, /wp-includes/*.php and /wp-admin
> >
> > so if there is something I can do further to harden things just let me
> > know :)
> >
> > advice is most appreciated
> >
> > Regards
> >
> > --
> > Markus Rosjat  phone: +49 351 8107223  mail: ros...@ghweb.de
> >
> > G+H Webservice GbR Gorzolla, Herrmann
> > Königsbrücker Str. 70, 01099 Dresden
> >
> > http://www.ghweb.de
> > phone: +49 351 8107220  fax: +49 351 8107227
> >
> > Please check whether this e-mail really needs to be printed!
> > Before you print it, think about your responsibility and commitment to
> > the ENVIRONMENT
>
> --
> Take Care Sincerely flipchan layerprox dev
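Added example, written for this page and not posted by anyone in the thread: a POSIX shell script that applies the two permission schemes discussed above to a WordPress document root (the 0755/0644 defaults Markus quotes, and the looser group-writable variant the reply recommends so core can self-update) and then audits the tree for the things the thread worries about: world-writable paths, a too-open wp-config.php, and PHP files sitting under wp-content/uploads. It assumes the web server runs as a member of the group that owns the files (so 0640 on wp-config.php stays readable by PHP and g+w is enough for self-update); it never changes ownership, so it can be run as the site owner. The fixture directory it builds is constructed for the demonstration and stands in for a real install.

```shell
#!/bin/sh
# Added example (not from the thread). Apply and audit the WordPress
# permission schemes discussed above. Run as the user that owns the files.
set -eu

# Scheme 1: dirs 0755, files 0644 (the WordPress defaults quoted in the
# thread). wp-config.php is tightened to 0640. ASSUMPTION: the file's group
# is the web server's group, so PHP can still read it while "others" cannot.
wp_set_perms() {
  docroot=$1
  find "$docroot" -type d -exec chmod 0755 {} +
  find "$docroot" -type f -exec chmod 0644 {} +
  if [ -f "$docroot/wp-config.php" ]; then
    chmod 0640 "$docroot/wp-config.php"
  fi
}

# Scheme 2 (the reply's trade-off): let the web server write so core can
# self-update. ASSUMPTION: the web server user is in the owning group. Only
# the group bit is opened; the world bit is never set.
wp_allow_self_update() {
  docroot=$1
  find "$docroot" -type d -exec chmod 0775 {} +
  find "$docroot" -type f -exec chmod 0664 {} +
  if [ -f "$docroot/wp-config.php" ]; then
    chmod 0640 "$docroot/wp-config.php"
  fi
}

# Audit helpers. Each prints a single count so it can be checked in cron
# or a pipeline; a non-zero result from the first two is worth a look.
wp_count_world_writable() {   # paths any local user could modify
  find "$1" -perm -002 | wc -l | tr -d ' '
}
wp_count_php_in_uploads() {   # PHP where only media should live
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
    | wc -l | tr -d ' '
}
wp_config_mode_ok() {         # prints 1 if wp-config.php is exactly 0640
  find "$1/wp-config.php" -perm 0640 2>/dev/null | wc -l | tr -d ' '
}

# CONSTRUCTED fixture standing in for a real install: a sloppy tree with a
# world-writable wp-config.php, a world-writable uploads dir, and a PHP file
# dropped under uploads. Prints the fixture path.
wp_make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes" "$d/wp-admin"
  printf '<?php // config\n' > "$d/wp-config.php"
  printf '<?php // index\n'  > "$d/index.php"
  printf '<?php // stand-in for a dropped webshell\n' \
    > "$d/wp-content/uploads/evil.php"
  chmod 0777 "$d/wp-config.php" "$d/wp-content/uploads"
  printf '%s\n' "$d"
}
```

Typical use is `wp_set_perms /var/www/site` once after install, then `wp_allow_self_update /var/www/site` only if you accept the reply's argument that faster automatic patching outweighs a read-only docroot. Note that neither scheme catches the PHP file under uploads; the audit does, which is exactly why the httpd.conf block on /wp-content/uploads/*.php that Markus describes is the control that matters there, not the file mode.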