WordPress

Security

Install a security plugin

Change the login URL

  • WPS Hide Login by WPServeur, NicolasKulka, tabrisrp

Limit the number of login attempts

  • WPS Limit Login by WPServeur, NicolasKulka, tabrisrp
  • Limit Login Attempts Reloaded by WPChef
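A minimal per-IP login throttle built on WordPress transients, added here to show what the plugins above do at their core (this is not the plugins' code nor from the original page; the sec_ names, the limits and the REMOTE_ADDR assumption are mine):

```php
<?php
// Added example: a minimal per-IP login throttle using WordPress transients.
// Not from the original page or the plugins listed above. Drop it into a theme's
// functions.php or an mu-plugin. Assumes the site is not behind a reverse proxy:
// behind one, REMOTE_ADDR is the proxy and the trusted forwarded address must be used.

define( 'SEC_LOGIN_MAX_ATTEMPTS', 5 );                     // failures allowed before lockout
define( 'SEC_LOGIN_LOCKOUT', 15 * MINUTE_IN_SECONDS );     // lockout / counter lifetime

// Transient key for the calling IP (hashed so the key stays short and clean).
function sec_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sec_login_fail_' . md5( $ip );
}

// Count every failed authentication for this IP. Each failure (including an
// attempt refused during lockout) resets the counter's lifetime.
function sec_record_failed_login( $username ) {
    $key   = sec_login_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SEC_LOGIN_LOCKOUT );
}
add_action( 'wp_login_failed', 'sec_record_failed_login' );

// Runs after core's username/password and cookie checks (priorities 20 and 30):
// once the threshold is reached the result is replaced by an error, so even a
// correct password is refused until the transient expires.
function sec_block_locked_out_login( $user, $username, $password ) {
    if ( (int) get_transient( sec_login_key() ) >= SEC_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sec_block_locked_out_login', 40, 3 );

// A successful login clears the counter for this IP.
function sec_clear_failed_logins( $user_login, $user ) {
    delete_transient( sec_login_key() );
}
add_action( 'wp_login', 'sec_clear_failed_logins', 10, 2 );
```

Because the counter is keyed by IP, many users behind one NAT share a lockout; the plugins above add per-user limits and allowlists on top of this basic scheme.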

Disable the editor

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Secure the headers in .htaccess

Add to .htaccess:

Options -Indexes

# Security Headers
<IfModule mod_headers.c>
    # X-XSS-Protection is ignored by current browsers; kept for legacy ones only
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    # Feature-Policy has been superseded by Permissions-Policy in current browsers
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
    # CSP host wildcards must use the "*.host" form; form-action is a plain source list,
    # so 'unsafe-inline' / 'unsafe-eval' have no meaning there
    Header set Content-Security-Policy "default-src 'self' *.paypal.com *.paypalobjects.com; script-src 'self' 'unsafe-inline' *.wp.com; style-src 'self' 'unsafe-inline' *.jquery.com; media-src 'self' *.issuu.com *.youtube.com *.vimeo.com *.soundcloud.com *.bandcamp.com; child-src 'self' *.issuu.com *.youtube.com *.vimeo.com *.soundcloud.com *.bandcamp.com; form-action 'self'"
</IfModule>

This can cause problems when clicking checkboxes! In that case, comment out the Header set Content-Security-Policy... line by putting a # at the start of the line.

Check the site's security level with securityheaders.com.
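As an added example (not from the original page), a small PHP CLI script that fetches a site's response headers and reports which of the headers from the .htaccess block above are absent; the URL and file name are placeholders:

```php
<?php
// Added example, not from the original page: report which of the headers set in the
// .htaccess block above are missing from a site's response. Usage:
//   php check-headers.php https://example.com   (example.com is a placeholder)

// Headers the .htaccess block sets, lower-cased because header names are case-insensitive.
// X-XSS-Protection and Feature-Policy are legacy; they are listed only to match the block.
const EXPECTED_SECURITY_HEADERS = array(
    'strict-transport-security',
    'x-frame-options',
    'x-content-type-options',
    'referrer-policy',
    'content-security-policy',
    'x-xss-protection',
    'feature-policy',
);

// Given response headers keyed by name (as get_headers($url, true) returns them),
// return the expected header names that are absent.
function missing_security_headers( array $headers ) {
    $present = array();
    foreach ( array_keys( $headers ) as $name ) {
        $present[] = strtolower( (string) $name ); // index 0 holds the status line
    }
    return array_values( array_diff( EXPECTED_SECURITY_HEADERS, $present ) );
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $url     = isset( $argv[1] ) ? $argv[1] : 'https://example.com';
    $headers = @get_headers( $url, true ); // true: associative, so names become keys
    if ( $headers === false ) {
        fwrite( STDERR, "Could not fetch headers from $url\n" );
        exit( 2 );
    }
    $missing = missing_security_headers( $headers );
    if ( $missing ) {
        echo 'Missing: ', implode( ', ', $missing ), "\n";
        exit( 1 );
    }
    echo "All expected security headers are present.\n";
}
```

get_headers() follows redirects, so check the final HTTPS URL directly; a redirect from http:// would otherwise mix the headers of both responses.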

Source: medium.com/@AmDee_Elyssa/10-wordpress-tips-to-make-your-website-secure

Tips

10 useful tips for WordPress dashboard customization

Keep logged in on WordPress for a longer period

Add the code to functions.php and adjust the number of seconds if needed (line 3).

add_filter( 'auth_cookie_expiration', 'stay_logged_in_for_1_year' );
function stay_logged_in_for_1_year( $expire ) {
  return 31556926; // 1 year in seconds
}

Remove dashboard menus

Paste the code into the functions.php file in your theme directory. The following example removes every menu named in the $restricted array.

function remove_menus() {
    global $menu;
    // Menu labels to hide; __() keeps the comparison working on translated sites
    $restricted = array(__('Dashboard'), __('Posts'), __('Media'), __('Links'), __('Pages'), __('Appearance'), __('Tools'), __('Users'), __('Settings'), __('Comments'), __('Plugins'));
    // Iterate over every entry (the original end()/prev() loop skipped the last one);
    // foreach works on a copy, so unsetting entries of the global is safe here
    foreach ($menu as $key => $item) {
        // $item[0] is the menu title, possibly followed by an update-count badge: keep the first word
        $title = explode(' ', $item[0]);
        if (in_array(isset($title[0]) ? $title[0] : '', $restricted, true)) {
            unset($menu[$key]);
        }
    }
}
add_action('admin_menu', 'remove_menus');

Require a featured image before you can publish posts

If your blog layout displays a featured image, it can be useful to prevent publishing a post without the featured image set.

This code has to be pasted into your functions.php file.

add_action('save_post', 'wpds_check_thumbnail');
add_action('admin_notices', 'wpds_thumbnail_error');

function wpds_check_thumbnail( $post_id ) {
  // change to any custom post type 
  if( get_post_type($post_id) != 'post' )
      return;

  if ( ! has_post_thumbnail( $post_id ) ) {
    // set a transient to show the users an admin message
    set_transient( "has_post_thumbnail", "no" );
    // unhook this function so it doesn't loop infinitely
    remove_action('save_post', 'wpds_check_thumbnail');
    // update the post set it to draft
    wp_update_post(array('ID' => $post_id, 'post_status' => 'draft'));

    add_action('save_post', 'wpds_check_thumbnail');
  } else {
    delete_transient( "has_post_thumbnail" );
  }
}

function wpds_thumbnail_error() {
  // check if the transient is set, and display the error message
  if ( get_transient( "has_post_thumbnail" ) == "no" ) {
    echo "<div id='message' class='error'><p><strong>You must add a Featured Image before publishing this. Don't panic, your post is saved.</strong></p></div>";
    delete_transient( "has_post_thumbnail" );
  }
}

Add custom login logo

function my_custom_login_logo() {
    echo '<style type="text/css">
        h1 a { background-image:url('.get_bloginfo('template_directory').'/images/custom-login-logo.gif) !important; }
    </style>';
}

add_action('login_head', 'my_custom_login_logo');

Place a custom logo in dashboard

Copy the code below and paste it into your functions.php file.

add_action('admin_head', 'my_custom_logo');

function my_custom_logo() {
   echo '<style type="text/css">
         #header-logo { background-image: url('.get_bloginfo('template_directory').'/images/custom-logo.gif) !important; }</style>';
}

Remove dashboard widgets

Dashboard widgets can be pretty useful. For example, a WordPress developer can display your Google Analytics stats. However, sometimes you don't need them, or at least not all of them.

The code below will allow you to remove WordPress’ dashboard widgets once you paste it in your functions.php file.

function example_remove_dashboard_widgets() {
    // Globalize the metaboxes array, this holds all the widgets for wp-admin
    global $wp_meta_boxes;

    // Remove the incoming links widget
    unset($wp_meta_boxes['dashboard']['normal']['core']['dashboard_incoming_links']);

    // Remove "Right Now" and the primary/secondary news feed widgets
    unset($wp_meta_boxes['dashboard']['normal']['core']['dashboard_right_now']);
    unset($wp_meta_boxes['dashboard']['side']['core']['dashboard_primary']);
    unset($wp_meta_boxes['dashboard']['side']['core']['dashboard_secondary']);
}

// Hook into the 'wp_dashboard_setup' action to register our function
add_action('wp_dashboard_setup', 'example_remove_dashboard_widgets');

Remove dashboard widgets for specific user roles

function customize_meta_boxes() {
    // The original snippet used get_currentuserinfo() and $current_user->user_level < 3,
    // both deprecated. Users below level 3 (subscriber, contributor, author) are exactly
    // those without the edit_others_posts capability under the default roles.
    if (!current_user_can('edit_others_posts')) {
        // remove the Custom Fields meta box from the post edit screen
        remove_meta_box('postcustom', 'post', 'normal');
    }
}

add_action('admin_init', 'customize_meta_boxes');

Add custom widgets to WordPress dashboard

function example_dashboard_widget_function() {
        // Display whatever it is you want to show
        echo "Hello World, I'm a great Dashboard Widget";
}

// Create the function use in the action hook
function example_add_dashboard_widgets() {
        wp_add_dashboard_widget('example_dashboard_widget', 'Example Dashboard Widget', 'example_dashboard_widget_function');
}
// Hook into the 'wp_dashboard_setup' action to register our other functions
add_action('wp_dashboard_setup', 'example_add_dashboard_widgets' );

Change WordPress dashboard colors

function custom_colors() {
   echo '<style type="text/css">#wphead{background:#069}</style>';
}

add_action('admin_head', 'custom_colors');

Provide custom help messages

// MY_PAGEHOOK is a placeholder: define it as the hook suffix returned by
// add_menu_page() / add_options_page() for your own settings page
function my_admin_help($text, $screen) {
    // Check we're only on my Settings page
    if (strcmp($screen, MY_PAGEHOOK) == 0) {
        $text = 'Here is some very useful information to help you use this plugin...';
        return $text;
    }
    // Let the default WP Dashboard help stuff through on other Admin pages
    return $text;
}

// contextual_help is a filter that passes the screen id as second argument; without
// the "10, 2" the callback is called with one argument and PHP 7.1+ raises an
// ArgumentCountError for the missing $screen
add_filter('contextual_help', 'my_admin_help', 10, 2);

Reduce amount of post revisions

Post revisions are very useful, but they also clutter your database. In order to save space, you can consider limiting the amount of post revisions automatically saved by WordPress.

This code has to be pasted in your wp-config.php file, located at the root of your WordPress install.

define( 'WP_POST_REVISIONS', 3 );

Disable WordPress Login Hints

Paste the code below into your functions.php file to prevent login error messages from being displayed.

function no_wordpress_errors(){
  return 'GET OFF MY LAWN !! RIGHT NOW !!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );