Drupal vs. Wordpress

[Mike Clarke]

On Thu, 9 Nov 2017 09:31:03 +0200
Eugeniy Khvastunov <khvastunov at gmail.com> wrote:

> How you securing you wp/joomla/drool?
> Maybe you can recommend some WAF or modules for Web server?

As far as Wordpress goes I regard Wordfence <https://wordpress.org/plugins/wordfence/> as an essential security plugin. There's also some general advice on securing and hardening a Wordpress site at https://www.wordfence.com/learn/

I also add these .htaccess rules to deny access to certain files:

# BEGIN protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# END protect wp-config.php

# BEGIN protect temporary editor files
<files ~ "(\.swp|~)$">
order allow,deny
deny from all
</files>
# END protect temporary editor files

# BEGIN protect readme,txt
<files readme.txt>
order allow,deny
deny from all
</files>
# END protect readme,txt

# BEGIN restrict access to "includes" directories
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END restrict access to "includes" directories

# Don't allow directory browsing
Options -Indexes

# Return "Not found" instead of "Forbidden"
ErrorDocument 403 /path-to/my/404.php

-- 
Mike Clarke