
7. Security

alex_prokopenko edited this page Dec 4, 2017 · 4 revisions

WordPress Starter includes several security improvements, which work on the major LAMP servers.

Search bots

We extended the standard robots.txt file with rules that hide the WordPress backend, and other files that should not be indexed, from search bots.

Folders access

The .htaccess files:

  • Deny access to the main project configuration files (.env, environments/*)
  • Block execution of PHP scripts inside the uploads folder (main media file storage)
  • Block all files whose names start with a dot (usually these are system files)

WordPress Salts

By default, the installer generates the WordPress salts automatically. To replace them, change these .env variables:

  • AUTH_KEY
  • SECURE_AUTH_KEY
  • LOGGED_IN_KEY
  • NONCE_KEY
  • AUTH_SALT
  • SECURE_AUTH_SALT
  • LOGGED_IN_SALT
  • NONCE_SALT

Salts can be generated with:
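
One way to generate and rotate these eight values locally, as an added example that is not WordPress Starter's own tooling. The function names, the restricted alphabet and the double-quoted KEY="value" line format are assumptions made for this example.

```python
import re
import secrets

# The eight .env variables listed above.
SALT_KEYS = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Assumption: restrict values to characters that need no escaping inside a
# double-quoted dotenv value (no quotes, backslash, $, # or whitespace).
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!%&()*+,-./:;<=>?@[]^_{|}~"
)
SALT_LENGTH = 64  # 64 characters per value


def generate_salts():
    """Return a fresh random value for every salt variable (OS CSPRNG)."""
    return {
        key: "".join(secrets.choice(ALPHABET) for _ in range(SALT_LENGTH))
        for key in SALT_KEYS
    }


def rotate_env(env_text, salts):
    """Replace existing salt lines in .env text, append missing ones,
    and leave every other line (including comments) untouched."""
    seen, out = set(), []
    for line in env_text.splitlines():
        m = re.match(r"\s*(?:export\s+)?([A-Z_]+)\s*=", line)
        if m and m.group(1) in salts:
            key = m.group(1)
            seen.add(key)
            out.append(f'{key}="{salts[key]}"')
        else:
            out.append(line)
    out.extend(f'{k}="{salts[k]}"' for k in SALT_KEYS if k not in seen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample .env content; DB_NAME is a made-up unrelated setting.
    sample = 'DB_NAME=wordpress\nAUTH_KEY="old-value"\n# comment\n'
    print(rotate_env(sample, generate_salts()), end="")
```

Replacing the salts invalidates existing login cookies, so all users have to sign in again after a rotation.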

WP Admin HTTP Authentication

We recommend adding one more level of security: additional HTTP password protection. You can set it up with our composer script:

composer wp:secure -u "login" -p "password"


Next: mu-plugins autoloader
