Prelaunch WordPress checklist – Performance and Security

Before launching any website, it's always good to have a proper checklist. This post is the checklist I use before the launch of any web application, fine-tuned for WordPress-based websites, so let's call it the WordPress checklist. The focus, as usual, is performance and security.

WordPress checklist – Performance Factors

The above scores are only a guideline. Every website is different and has different needs, and it is very difficult to achieve a high score on all of them. This journal scored well in almost all the above factors, except Pingdom. That said, detailed tuning of nginx and PHP-FPM is for another post.

WordPress checklist – Security factors

  • WPScan vulnerability scan report – online tool
  • Qualys SSL Labs SSL Test – must get A+ (there is no reason why you should not)
  • HSTS preload
  • nmap report – an online tool is here
  • Wordfence or Sucuri plugin installed – I don't have a preference; I use Wordfence
  • All plugins and the server updated
  • Naxsi or ModSecurity WAF installed – I prefer Naxsi
  • Disable XML-RPC – this is optional
  • Server tokens off (server_tokens in Nginx, ServerTokens in Apache)
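Three of the items above (server tokens, HSTS preload, XML-RPC disabled) can be verified from response headers alone. The script below is an added example, not part of the original post; it runs offline over constructed header blocks, and the live input would come from curl -sI against your own site and its /xmlrpc.php path (example.com is an assumed placeholder).

```shell
# Added example, not from the original post: offline checks for three checklist items
# (server tokens, HSTS preload, XML-RPC disabled) over captured response headers.
# Live input for $1/$2: curl -sI https://example.com and https://example.com/xmlrpc.php (assumed host).
# First header line named $2, lower-cased with CRs stripped.
header() { printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' | grep "^$2:" | head -n 1; }
# 0 if the Server header carries no version (server_tokens off / ServerTokens Prod).
check_server_tokens() {
  case "$(header "$1" server)" in
    *[0-9].[0-9]*) return 1 ;;  # e.g. "server: nginx/1.18.0" leaks a version
    *) return 0 ;;
  esac
}

# 0 if Strict-Transport-Security meets the hstspreload.org rules:
# max-age >= 31536000 (one year), includeSubDomains and preload present.
check_hsts_preload() {
  hsts=$(header "$1" strict-transport-security)
  [ -n "$hsts" ] || return 1
  age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ] || return 1
  case "$hsts" in *includesubdomains*) ;; *) return 1 ;; esac
  case "$hsts" in *preload*) return 0 ;; *) return 1 ;; esac
}

# 0 if GET /xmlrpc.php is blocked (403 or 404). WordPress with XML-RPC enabled
# answers GET with 405, so 405 means the endpoint is still reachable.
check_xmlrpc_disabled() {
  status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | cut -d ' ' -f 2)
  case "$status" in 403|404) return 0 ;; *) return 1 ;; esac
}

# $1 = site headers, $2 = /xmlrpc.php headers; prints one line per item, returns failure count.
run_checklist() {
  fails=0
  if check_server_tokens "$1"; then echo "PASS Server header hides version"
  else echo "FAIL Server header leaks version"; fails=$((fails + 1)); fi
  if check_hsts_preload "$1"; then echo "PASS HSTS is preload-ready"
  else echo "FAIL HSTS missing or too weak for preload"; fails=$((fails + 1)); fi
  if check_xmlrpc_disabled "$2"; then echo "PASS xmlrpc.php blocked"
  else echo "FAIL xmlrpc.php reachable"; fails=$((fails + 1)); fi
  return "$fails"
}
# Constructed sample header blocks (no real server was queried).
SAMPLE_GOOD=$(printf 'HTTP/2 200\nserver: nginx\nstrict-transport-security: max-age=63072000; includeSubDomains; preload')
SAMPLE_BAD=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nStrict-Transport-Security: max-age=300')
XMLRPC_BLOCKED='HTTP/2 403'
XMLRPC_OPEN='HTTP/1.1 405 Method Not Allowed'

run_checklist "$SAMPLE_GOOD" "$XMLRPC_BLOCKED" || true  # three PASS lines
run_checklist "$SAMPLE_BAD" "$XMLRPC_OPEN" || true      # three FAIL lines
```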

Basic Nginx hardening is for another journal.

A word on Wpscan

WPScan is a godsend tool. If you can't use an online tool for some reason, please use an offline version. Things to note on the WPScan report:

  • Not all positives are true positives.
  • Your server should provide minimal information to an attacker. Any version number is an issue for me.
  • The fewer plugins exposed in the listing, the better.

As usual, I keep updating my GitHub with updated files, like the Naxsi or nginx config. Feel free to download and use them.

I am not perfect by any means, so if there is any improvement you want to add, please feel free to ping me. I will add it as appropriate.
