Channel: W3 Total Cache critical Vulnerability disclosed | WordPress.org

sLa NGjI's on "W3 Total Cache critical Vulnerability disclosed"


alexwoolfson wrote:

Is it better to leave minify turned off?

@alexwoolfson

Turn Minify to manual and take advantage of HTML minification. Minify CSS and JS manually ... this works better ;)

MediaInk wrote:

Disk cache is not working for me at all. Also reloaded 0.9.2.4; still have the same problem on the site where I tried the upgrade.

@MediaInk

The 0.9.2.5 release is only a simple security fix: all problems discovered in version 0.9.2.4 are the same and unfixed, and 0.9.2.5 also has some negative unfixed problems ... Nothing, for now, was fixed!

@DigiP

Default password on WordPress since version 3.1 is 12 characters (alphanumeric+symbols)

In my personal opinion the best number is 15 characters! (alphanumeric+symbols) Strong Password Generator

For general security reasons the recommended chmod is:

/.htaccess 404
/favicon.ico 404
/robots.txt 404
/index.php 400
/wp-blog-header.php 400
/wp-config.php 400
/xmlrpc.xml 400 if CMS 404 if BLOG
All other files 604

/ 705
/wp-admin/ 701 (dir and subdir)
/wp-content/ 705 (dir and subdir)
/wp-includes/ 701 (dir and subdir)

This WP trick described takes advantage of the 404 Not Found header error reply (same as the default /wp-includes/) ;)

delete /wp-content/index.php
delete /wp-content/plugins/index.php
delete /wp-content/themes/index.php
delete /wp-content/upload/index.php

Change the default wp_ table prefix to wp_????????_ (? = alphanumeric character)

wp-config.php:

define('FS_CHMOD_FILE',0604); // mode WordPress uses for files it writes
define('FS_CHMOD_DIR',0705); // mode WordPress uses for directories it creates
define('DISALLOW_FILE_EDIT',true); // remove the theme/plugin file editor from the dashboard
define('DISALLOW_FILE_MODS',true); // disable dashboard update link

.htaccess rules:

IndexIgnore *
Options -Indexes
#
# WP Upgrade Protection
#
<Files upgrade.php>
Order Allow,Deny
Deny From All
</Files>
#
<Files upgrade-functions.php>
Order Allow,Deny
Deny From All
</Files>
#
# WP Install Prevention
#
<Files install.php>
Order Allow,Deny
Deny From All
</Files>
#
<Files install-helper.php>
Order Allow,Deny
Deny From All
</Files>
#
<Files setup-config.php>
Order Allow,Deny
Deny From All
</Files>
#
<Files wp-config-sample.php>
Order Allow,Deny
Deny From All
</Files>
#
# WP Default Protection
#
<Files .htaccess>
Order Allow,Deny
Deny From All
</Files>
#
<Files wp-config.php>
Order Allow,Deny
Deny From All
</Files>
#
<Files readme.txt>
Order Allow,Deny
Deny From All
</Files>
#
<Files readme.html>
Order Allow,Deny
Deny From All
</Files>
#
<Files license.txt>
Order Allow,Deny
Deny From All
</Files>
#
<Files gpl-2.0.txt>
Order Allow,Deny
Deny From All
</Files>
#
RewriteEngine On
RewriteBase /
#
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule .* - [L]
#
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
#
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]
#
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]
#
# Block the include-only files
#
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
#
# Skip WordPress 404 Error for Static Files
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} \.(php|css|js|htc|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
RewriteRule .* - [L]
#
# BEGIN WordPress

Hardening WordPress and Changing File Permissions
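To check that a site actually matches the chmod scheme listed in the post (404/400 for the special files, 604 for other files, 705 for directories, 701 for wp-admin and wp-includes), here is an added audit script; it is not part of the original post, assumes GNU coreutils `stat -c %a`, and the `wp_perm_demo_tree` function only builds a constructed sample tree with two deliberate mistakes so the audit has something to report.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against the
# permission scheme described above and print one line per mismatch.

# Expected octal mode for a path relative to the WP root; kind is f (file) or d (dir).
wp_expected_mode() {
  rel=$1; kind=$2
  case "$kind:$rel" in
    f:.htaccess|f:favicon.ico|f:robots.txt) echo 404 ;;
    f:index.php|f:wp-blog-header.php|f:wp-config.php) echo 400 ;;
    f:*) echo 604 ;;
    d:wp-admin|d:wp-admin/*|d:wp-includes|d:wp-includes/*) echo 701 ;;
    d:*) echo 705 ;;   # the root itself ("." ) and everything else, e.g. wp-content
  esac
}

# Walk ROOT and print "<actual> <expected> <relative path>" for every mismatch.
# Assumption: GNU stat (Linux); on BSD/macOS use stat -f %Lp instead.
wp_perm_audit() {
  root=$1
  ( cd "$root" && find . \( -type f -o -type d \) -print | sort ) |
  while IFS= read -r p; do
    rel=${p#./}
    if [ -d "$root/$p" ]; then kind=d; else kind=f; fi
    actual=$(stat -c %a "$root/$p")
    want=$(wp_expected_mode "$rel" "$kind")
    [ "$actual" = "$want" ] || printf '%s %s %s\n' "$actual" "$want" "$rel"
  done
}

# Constructed sample tree (not a real site) with two deliberate mistakes:
# a world-writable wp-config.php and a world-readable wp-admin. Prints its path.
wp_perm_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin/includes" "$d/wp-content/uploads" "$d/wp-includes"
  for f in index.php wp-config.php robots.txt wp-content/uploads/a.jpg wp-includes/x.php; do
    : > "$d/$f"
  done
  chmod 705 "$d" "$d/wp-content" "$d/wp-content/uploads"
  chmod 701 "$d/wp-admin" "$d/wp-admin/includes" "$d/wp-includes"
  chmod 400 "$d/index.php"; chmod 404 "$d/robots.txt"
  chmod 604 "$d/wp-content/uploads/a.jpg" "$d/wp-includes/x.php"
  chmod 666 "$d/wp-config.php"   # mistake 1: should be 400
  chmod 755 "$d/wp-admin"        # mistake 2: should be 701
  echo "$d"
}
```

Run `wp_perm_audit /path/to/wordpress` against a real install; an empty output means every file and directory matches the scheme.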
