Microsoft Azure Open Source Development Support Team Blog
Support for Open Source Technologies on Microsoft Azure App Service
Best Practices for WordPress Security on Azure
WordPress security is often an overlooked aspect of a deployment. Customers are quick to configure their site, but often forget to fine-tune its security. Here we have compiled steps that will help make your WordPress site more robust on Azure.
More information can also be found at the official WordPress.org site:
Customize and modify default settings in wp-config.php
By default, WordPress uses the table prefix wp_ when creating database tables during installation. To make the database tables harder to target, we recommend using a table prefix that differs from the default value.
As WordPress uses bare cookies rather than PHP sessions to track login state, it is important that the authentication cookie for the website is protected by unique keys and salts. While installing WordPress you are asked to provide the values of the keys and salts, but you may choose to skip this step for a faster installation. In that case WordPress inserts the default value for the keys and salts ("put your unique phrase here"). After the WordPress site is installed, you can edit wp-config.php and use the secret-key service link to generate a set of keys and salts.
2) WordPress admin Username and Password
The default or most commonly used administrator login names are admin and administrator; do not use them as the username.
During WordPress installation you are provided with a strong admin login password. Use that strong password; don't use weak passwords like test123, which are easy to guess and break.
WordPress can automatically update itself to a new minor release without any user input. For major updates, WordPress shows a notification that an update is available and a user can initiate the update. WordPress has auto-update enabled by default; you should keep this default setting. If you have disabled auto-update, you should update WordPress periodically.
You should also keep all plugins and themes updated to their most current versions.
WordPress provides a built-in editor for editing files from your browser. This feature is enabled by default and allows administrator users to edit the PHP files of plugins and themes from the WordPress Dashboard. However, it also gives attackers a tool to execute code if they break through the login.
WordPress has a constant, DISALLOW_FILE_EDIT, that disables editing from the Dashboard. You can set it in wp-config.php: define('DISALLOW_FILE_EDIT', true);
It removes the edit_themes, edit_plugins and edit_files capabilities from all users. This will stop some attacks from inserting and executing malicious code.
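The three wp-config.php settings discussed above (a non-default table prefix, unique keys and salts, and DISALLOW_FILE_EDIT) can be generated and checked with a small script. The following is an added example, not code from the original post or from WordPress itself; the file name, the function names and the audit rules are the author's own assumptions, and the keys are generated locally with PHP's CSPRNG as an alternative to fetching them from the secret-key service.

```php
<?php
// Added example (not from the original post): prints a hardened wp-config.php
// fragment (non-default table prefix, fresh keys and salts, file editor disabled)
// and audits an existing wp-config.php for the insecure defaults.
// Usage: php harden-wp-config.php > fragment.txt, then paste the fragment over the
// $table_prefix, key/salt and editor lines WordPress wrote during installation.
// File and function names are hypothetical.
declare(strict_types=1);

/** Random table prefix: a letter, then letters/digits, then '_'.
 *  WordPress accepts only letters, digits and underscores in a prefix. */
function random_table_prefix(int $length = 4): string
{
    $letters  = 'abcdefghijklmnopqrstuvwxyz';
    $alphabet = $letters . '0123456789';
    $prefix   = $letters[random_int(0, strlen($letters) - 1)];
    for ($i = 1; $i < $length; $i++) {
        $prefix .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $prefix . '_';
}

/** One 64-character secret from the OS CSPRNG. 48 random bytes encode to 64
 *  base64 characters, which never include quotes or backslashes, so the value
 *  is safe inside the single quotes of a define(). */
function random_secret(): string
{
    return base64_encode(random_bytes(48));
}

/** The complete replacement fragment for wp-config.php. */
function wp_config_fragment(): string
{
    $names = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    $lines   = [];
    $lines[] = '// Non-default table prefix (the install default is wp_).';
    $lines[] = sprintf("\$table_prefix = '%s';", random_table_prefix());
    $lines[] = '';
    $lines[] = "// Unique keys and salts; replaces the 'put your unique phrase here' placeholders.";
    foreach ($names as $name) {
        $lines[] = sprintf("define(%-19s '%s');", "'{$name}',", random_secret());
    }
    $lines[] = '';
    $lines[] = '// Remove the theme/plugin editor from the Dashboard.';
    $lines[] = "define('DISALLOW_FILE_EDIT', true);";
    return implode("\n", $lines) . "\n";
}

/** Report which of the three settings a wp-config.php still leaves at the
 *  insecure default. Returns an empty array when all three are hardened. */
function audit_wp_config(string $contents): array
{
    $findings = [];
    if (preg_match('/^\s*\$table_prefix\s*=\s*[\'"]wp_[\'"]\s*;/m', $contents)) {
        $findings[] = 'default table prefix wp_';
    }
    if (stripos($contents, 'put your unique phrase here') !== false) {
        $findings[] = 'placeholder keys/salts';
    }
    if (!preg_match('/define\(\s*[\'"]DISALLOW_FILE_EDIT[\'"]\s*,\s*true\s*\)/i', $contents)) {
        $findings[] = 'DISALLOW_FILE_EDIT not set';
    }
    return $findings;
}

$fragment = wp_config_fragment();
echo $fragment;

// Self-check on a constructed stock-install snippet versus the generated fragment
// (diagnostics go to stderr so stdout stays a clean fragment for redirection).
$stock = "\$table_prefix = 'wp_';\ndefine('AUTH_KEY', 'put your unique phrase here');\n";
fwrite(STDERR, 'stock install findings: ' . implode('; ', audit_wp_config($stock)) . "\n");
fwrite(STDERR, 'generated fragment findings: '
    . (audit_wp_config($fragment) === [] ? 'none' : implode('; ', audit_wp_config($fragment))) . "\n");
```

Running audit_wp_config() over a copy of the live wp-config.php is a quick post-deployment check; the generator should be run once per site and its output kept out of source control.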
Azure provides functionality to back up your web sites automatically. Read more about it here.
Use web.config to disable access to wp-config.php and limit access to wp-login.php
Restrict web access to wp-config.php
Element names in web.config are case-sensitive, so the section must be spelled system.webServer (the lowercase spelling is rejected as an unrecognized section). The rule goes inside the configuration element of the site's web.config:

```xml
<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <add sequence="wp-config.php" />
      </denyUrlSequences>
    </requestFiltering>
  </security>
</system.webServer>
```
Restrict access to wp-login.php by IP addresses
```xml
<location path="wp-login.php">
  <system.webServer>
    <security>
      <!-- this line blocks all IP addresses, except those listed below -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="xxx.xxx.xxx.xxx" allowed="true" />
        <add ipAddress="xxx.xxx.xxx.xxx" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```
Consider renaming this file (e.g. login.php or secure_xyz_login.php).
In addition to the WordPress login/password, use PHP HTTP Authentication.
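One way to put an HTTP Basic authentication gate in front of wp-login.php, so that an attacker who guesses a WordPress password still cannot reach the login form, is shown below. This is an added example written for this page, not code from the original post or from WordPress; it assumes the file is included at the top of wp-login.php (or prepended to every request with the php.ini auto_prepend_file directive) and that the expected credentials come from the environment variables WP_LOGIN_GATE_USER and WP_LOGIN_GATE_HASH, both hypothetical names. Because whether PHP populates PHP_AUTH_USER depends on the server SAPI, the Authorization header is parsed as a fallback.

```php
<?php
// Added example, not part of the original post: a Basic-auth gate in front of
// wp-login.php, independent of the WordPress username and password.
// Assumed deployment: included at the very top of wp-login.php, or loaded for every
// request via auto_prepend_file. WP_LOGIN_GATE_HASH holds the output of
// password_hash('<gate password>', PASSWORD_DEFAULT). All names are hypothetical.
declare(strict_types=1);

/** Extract [user, password] from the request, or [null, null] when absent.
 *  Falls back to parsing the raw Authorization header because not every SAPI
 *  fills PHP_AUTH_USER / PHP_AUTH_PW. */
function basic_credentials(array $server): array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    $header = (string) ($server['HTTP_AUTHORIZATION'] ?? '');
    if (stripos($header, 'Basic ') === 0) {
        $decoded = base64_decode(substr($header, 6), true); // strict decoding
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return [null, null];
}

/** True only when both the username and the password match.
 *  hash_equals() and password_verify() run in constant time, and both checks are
 *  always evaluated, so response timing does not reveal which part was wrong. */
function login_gate_check(?string $user, ?string $pass, string $expectedUser, string $expectedHash): bool
{
    $userOk = hash_equals($expectedUser, (string) $user);
    $passOk = password_verify((string) $pass, $expectedHash);
    return $userOk && $passOk;
}

/** Enforce the gate for wp-login.php only; other pages are untouched. */
function login_gate_enforce(): void
{
    if (basename($_SERVER['SCRIPT_NAME'] ?? '') !== 'wp-login.php') {
        return;
    }
    $expectedUser = getenv('WP_LOGIN_GATE_USER') ?: '';
    $expectedHash = getenv('WP_LOGIN_GATE_HASH') ?: '';
    if ($expectedUser === '' || $expectedHash === '') {
        // Fail closed: a missing configuration must not silently disable the gate.
        http_response_code(500);
        exit('login gate is not configured');
    }
    [$user, $pass] = basic_credentials($_SERVER);
    if (login_gate_check($user, $pass, $expectedUser, $expectedHash)) {
        return; // credentials accepted; WordPress continues with its own login
    }
    header('WWW-Authenticate: Basic realm="WordPress login"');
    http_response_code(401);
    exit('Authentication required');
}

login_gate_enforce();
```

Basic authentication sends the credentials base64-encoded on every request, so this gate only adds protection when the site is served over HTTPS; the gate password should differ from every WordPress account password.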
This file is the WordPress API; if you don't have any plugins that require it, you should disallow access by renaming it.
If you find that unauthorized IP addresses are requesting access to the site, consider implementing Static IP Restrictions. Alternatively, you can also restrict Dynamic IP Addresses.
In i, use the following setting to reduce XSS attacks:
To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:
This article was put together by Mangesh Sangapu and Yi Wang. Shout-out to Cory Fowler and Sunitha Muthukrishna for additional tips.
Here are some more resources: