Security
Install a security plugin
Change the login URL
- WPS Hide Login by WPServeur, NicolasKulka, tabrisrp
Limit the number of login attempts
- WPS Limit Login by WPServeur, NicolasKulka, tabrisrp
- Limit Login Attempts Reloaded by WPChef
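To show what these plugins do under the hood, here is an added example (not code from the plugins above or from the linked article) of a minimal login throttle built only on WordPress core hooks: a counter per (client IP, username) pair kept in a transient, a lockout returned from the authenticate filter, and a generic error message that does not reveal whether the account exists. The wpnotes_ prefix, the limits and the transient key scheme are this example's own choices.

```php
<?php
// Added example, not code from the plugins listed in the notes: a minimal
// login throttle built only on WordPress core hooks. The wpnotes_ prefix,
// the limits and the transient key scheme are this example's own choices.
// Drop it into a must-use plugin (wp-content/mu-plugins/).

const WPNOTES_MAX_ATTEMPTS    = 5;    // failures allowed per window
const WPNOTES_LOCKOUT_SECONDS = 900;  // lockout / counting window (15 min)

// One counter per (client IP, username) pair. Hashing keeps the option name
// short and free of user-supplied characters. Behind a reverse proxy,
// REMOTE_ADDR is the proxy's address; take the client IP from the proxy's
// trusted header instead (not shown here).
function wpnotes_attempt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpnotes_login_' . hash( 'sha256', $ip . '|' . strtolower( (string) $username ) );
}

// 'authenticate' filter at priority 30: core checks the password at priority
// 20, so a WP_Error returned here overrides even a correct password while the
// pair is locked out. The message is generic on purpose (no username leak).
function wpnotes_check_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $failures = (int) get_transient( wpnotes_attempt_key( $username ) );
    if ( $failures >= WPNOTES_MAX_ATTEMPTS ) {
        return new WP_Error(
            'wpnotes_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'wpnotes_check_lockout', 30, 3 );

// 'wp_login_failed' fires for every rejected attempt (wrong password,
// unknown user, or our own lockout error).
function wpnotes_record_failure( $username ) {
    $key      = wpnotes_attempt_key( $username );
    $failures = (int) get_transient( $key );
    if ( $failures >= WPNOTES_MAX_ATTEMPTS ) {
        return; // already locked: do not extend the window on every retry
    }
    set_transient( $key, $failures + 1, WPNOTES_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'wpnotes_record_failure' );

// A successful login clears the counter for that (IP, username) pair.
function wpnotes_clear_failures( $user_login, $user ) {
    delete_transient( wpnotes_attempt_key( $user_login ) );
}
add_action( 'wp_login', 'wpnotes_clear_failures', 10, 2 );
```

Because the lockout check runs after core's password check rather than before it, a correct password cannot bypass the lock; the same ordering is why the plugins above hook authenticate at a late priority. Transients are stored in the options table (or the object cache), so the counters survive across requests but carry no personal data beyond a hash.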
Disable the editor
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Secure the headers in .htaccess
Add to .htaccess:
Options -Indexes
# Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Content-Security-Policy "default-src 'self' *.paypal.com *.paypalobjects.com; script-src 'self' 'unsafe-inline' *.wp.com; style-src 'self' 'unsafe-inline' *.jquery.com; media-src 'self' *.issuu.com *.youtube.com *.vimeo.com *.soundcloud.com *.bandcamp.com; child-src 'self' *.issuu.com *.youtube.com *.vimeo.com *.soundcloud.com *.bandcamp.com; form-action 'self'"
</IfModule>
This may cause problems when clicking checkboxes! In that case, comment out the Header set Content-Security-Policy... line by putting a # at the start of the line.
Check the site's security level with securityheaders.com.
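securityheaders.com only tells you whether each header is present; it does not catch a Content-Security-Policy whose source list is partly ignored by the browser. The following is an added example (not from these notes or the linked article) of a small PHP lint for a CSP value, run with `php csp_lint.php`. It parses the header value into directives and reports 'unsafe-inline' / 'unsafe-eval' keywords placed in directives that ignore them, and wildcard hosts written without a dot after the star, which are not valid host patterns. The directive and keyword tables are this example's own assumptions, not a complete CSP grammar, and the input policy is constructed for the example.

```php
<?php
// Added example, not part of the original notes: a small lint for a
// Content-Security-Policy header value. Run with `php csp_lint.php`.
// The directive/keyword tables below are this example's own assumptions.

/** Split "a b c; d e" into ['a' => ['b', 'c'], 'd' => ['e']]. */
function csp_parse( string $policy ): array {
    $directives = [];
    foreach ( explode( ';', $policy ) as $chunk ) {
        $tokens = preg_split( '/\s+/', trim( $chunk ), -1, PREG_SPLIT_NO_EMPTY );
        if ( $tokens === [] ) {
            continue;
        }
        $name = strtolower( array_shift( $tokens ) );
        // A repeated directive name is ignored after its first occurrence.
        if ( ! isset( $directives[ $name ] ) ) {
            $directives[ $name ] = $tokens;
        }
    }
    return $directives;
}

/** Return human-readable findings for a policy value. */
function csp_lint( string $policy ): array {
    // Directives where 'unsafe-inline' / 'unsafe-eval' actually change what
    // runs; default-src counts because it is the fallback for script/style.
    $keyword_directives = [
        'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
        'style-src', 'style-src-elem', 'style-src-attr',
    ];
    $unsafe_keywords = [ "'unsafe-inline'", "'unsafe-eval'" ];
    $findings = [];

    foreach ( csp_parse( $policy ) as $name => $sources ) {
        foreach ( $sources as $src ) {
            if ( in_array( $src, $unsafe_keywords, true ) ) {
                $findings[] = in_array( $name, $keyword_directives, true )
                    ? "$name: $src weakens the policy (inline code or eval is allowed)"
                    : "$name: $src has no effect in this directive and is ignored";
                continue;
            }
            // A wildcard host is either "*" alone or "*." followed by a host name.
            if ( $src[0] === '*' && $src !== '*' && strpos( $src, '*.' ) !== 0 ) {
                $findings[] = "$name: '$src' is not a valid host pattern (the * must be followed by a dot) and is ignored";
            }
        }
    }
    return $findings;
}

// Constructed input, modelled on the policy in the notes above, with no-op
// keywords in form-action and dot-less wildcards left in on purpose.
$policy = "default-src 'self' *.paypal.com *.paypalobjects.com; "
    . "script-src 'self' 'unsafe-inline' *.wp.com; "
    . "style-src 'self' 'unsafe-inline' *.jquery.com; "
    . "media-src 'self' *.youtube.com *soundcloud.com *bandcamp.com; "
    . "form-action 'self' 'unsafe-inline' 'unsafe-eval'";

foreach ( csp_lint( $policy ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Two practical notes: 'unsafe-inline' in script-src is usually needed by WordPress themes and plugins, so the lint reports it as a weakness rather than an error; and instead of commenting the policy out when something on the admin side breaks, the same value can first be sent as Content-Security-Policy-Report-Only, which logs violations to the browser console without blocking anything.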
source: medium.com/@AmDee_Elyssa/10-wordpress-tips-to-make-your-website-secure
Tips
10 useful tips for WordPress dashboard customization
Keep logged in on WordPress for a longer period
Add the code to functions.php and adjust the number of seconds if needed (line 3).
add_filter( 'auth_cookie_expiration', 'stay_logged_in_for_1_year' );
function stay_logged_in_for_1_year( $expire ) {
return 31556926; // 1 year in seconds
}
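The auth_cookie_expiration filter actually receives three arguments (the lifetime, the user ID and whether "Remember Me" was ticked), which the snippet above ignores. The following is an added example, not code from the original tip, that uses them to give the year-long session only to "Remember Me" logins by non-administrators; the function name and the 30-day fallback for administrators are this example's own choices.

```php
<?php
// Added example (not the original tip's code): a role-aware variant of the
// 'auth_cookie_expiration' filter. Function name and the 30-day limit for
// administrators are this example's own choices.
function wpnotes_cookie_expiration( $length, $user_id, $remember ) {
    // Without "Remember Me", keep what WordPress passed in (2 days by default).
    if ( ! $remember ) {
        return $length;
    }
    // Accounts that can change site settings or install code get a shorter
    // session than ordinary users, since a stolen cookie is worth more.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return 30 * DAY_IN_SECONDS;
    }
    return YEAR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'wpnotes_cookie_expiration', 10, 3 );
```

The 10 and 3 in add_filter are the priority and the number of arguments the callback accepts; without the 3, WordPress would call the function with only $length and the other two parameters would be missing. DAY_IN_SECONDS and YEAR_IN_SECONDS are constants WordPress defines itself.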
Remove dashboard menus
Paste the code into the functions.php file in your theme directory. The following example will remove all menus named in the $restricted array.
function remove_menus () {
global $menu;
$restricted = array(__('Dashboard'), __('Posts'), __('Media'), __('Links'), __('Pages'), __('Appearance'), __('Tools'), __('Users'), __('Settings'), __('Comments'), __('Plugins'));
// $menu[$key][0] is the menu label; some entries carry a count badge after the label, so only the first word is compared.
// Iterate over every entry (an end()/prev() loop would skip the last one).
foreach (array_keys($menu) as $key) {
$value = explode(' ', $menu[$key][0]);
if (in_array($value[0] != NULL ? $value[0] : "", $restricted)) { unset($menu[$key]); }
}
}
add_action('admin_menu', 'remove_menus');
Require a featured image before you can publish posts
If your blog layout is set to display a featured image, it can be useful to prevent a post from being published without a featured image set.
This code has to be pasted into your functions.php file.
add_action('save_post', 'wpds_check_thumbnail');
add_action('admin_notices', 'wpds_thumbnail_error');
function wpds_check_thumbnail( $post_id ) {
// change to any custom post type
if( get_post_type($post_id) != 'post' )
return;
if ( ! has_post_thumbnail( $post_id ) ) {
// set a transient to show the users an admin message
set_transient( "has_post_thumbnail", "no" );
// unhook this function so it doesn't loop infinitely
remove_action('save_post', 'wpds_check_thumbnail');
// update the post set it to draft
wp_update_post(array('ID' => $post_id, 'post_status' => 'draft'));
add_action('save_post', 'wpds_check_thumbnail');
} else {
delete_transient( "has_post_thumbnail" );
}
}
function wpds_thumbnail_error() {
// check if the transient is set, and display the error message
if ( get_transient( "has_post_thumbnail" ) == "no" ) {
echo "<div id='message' class='error'><p><strong>You must add a Featured Image before publishing this. Don't panic, your post is saved.</strong></p></div>";
delete_transient( "has_post_thumbnail" );
}
}
Add custom login logo
function my_custom_login_logo() {
echo '<style type="text/css">
h1 a { background-image:url('.get_bloginfo('template_directory').'/images/custom-login-logo.gif) !important; }
</style>';
}
add_action('login_head', 'my_custom_login_logo');
Place a custom logo in dashboard
Copy the code below and paste it into your functions.php file.
add_action('admin_head', 'my_custom_logo');
function my_custom_logo() {
echo '<style type="text/css">
#header-logo { background-image: url('.get_bloginfo('template_directory').'/images/custom-logo.gif) !important; }</style>';
}
Remove dashboard widgets
Dashboard widgets can be pretty useful. For example, a WordPress developer can display your Google Analytics stats. However, sometimes you don't need them, or at least don't need some of them.
The code below will allow you to remove WordPress’ dashboard widgets once you paste it in your functions.php file.
function example_remove_dashboard_widgets() {
// Globalize the metaboxes array, this holds all the widgets for wp-admin
global $wp_meta_boxes;
// Remove the incoming links widget
unset($wp_meta_boxes['dashboard']['normal']['core']['dashboard_incoming_links']);
// Remove "Right Now"
unset($wp_meta_boxes['dashboard']['normal']['core']['dashboard_right_now']);
// Remove the WordPress news widgets
unset($wp_meta_boxes['dashboard']['side']['core']['dashboard_primary']);
unset($wp_meta_boxes['dashboard']['side']['core']['dashboard_secondary']);
}
// Hook into the 'wp_dashboard_setup' action to register our function
add_action('wp_dashboard_setup', 'example_remove_dashboard_widgets' );
Remove dashboard widgets for specific user roles
function customize_meta_boxes() {
// retrieve current user info (get_currentuserinfo() is deprecated since WordPress 4.5)
$current_user = wp_get_current_user();
// if the current user's legacy user level is less than 3 (Subscriber, Contributor or Author on a default install), remove the postcustom meta box
if ($current_user->user_level < 3)
remove_meta_box('postcustom','post','normal');
}
add_action('admin_init','customize_meta_boxes');
Add custom widgets to WordPress dashboard
function example_dashboard_widget_function() {
// Display whatever it is you want to show
echo "Hello World, I'm a great Dashboard Widget";
}
// Create the function used in the action hook
function example_add_dashboard_widgets() {
wp_add_dashboard_widget('example_dashboard_widget', 'Example Dashboard Widget', 'example_dashboard_widget_function');
}
// Hook into the 'wp_dashboard_setup' action to register our other functions
add_action('wp_dashboard_setup', 'example_add_dashboard_widgets' );
Change WordPress dashboard colors
function custom_colors() {
echo '<style type="text/css">#wphead{background:#069}</style>';
}
add_action('admin_head', 'custom_colors');
Provide custom help messages
function my_admin_help($text, $screen) {
// Check we're only on my Settings page (MY_PAGEHOOK is the hook suffix returned by add_options_page() for that page; define it yourself)
if (strcmp($screen, MY_PAGEHOOK) == 0 ) {
$text = 'Here is some very useful information to help you use this plugin...';
return $text;
}
// Let the default WP Dashboard help stuff through on other Admin pages
return $text;
}
// 'contextual_help' is a filter (deprecated since WordPress 3.3 in favour of get_current_screen()->add_help_tab()) that passes the screen id as its second argument, so ask for 2 arguments
add_filter( 'contextual_help', 'my_admin_help', 10, 2 );
Reduce amount of post revisions
Post revisions are very useful, but they also clutter your database. In order to save space, you can consider limiting the number of post revisions automatically saved by WordPress.
This code has to be pasted in your wp-config.php file, located at the root of your WordPress install.
define( 'WP_POST_REVISIONS', 3 );
Disable WordPress Login Hints
Paste the code below into your functions.php file to prevent login error messages from being displayed.
function no_wordpress_errors(){
return 'GET OFF MY LAWN !! RIGHT NOW !!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );