Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter lbon

    (@lbon)

    I have got the power since 2001 (-;

    In the above case, I have to be authenticated as lars on the WordPress server. I do not use basicauth on the server, but I limit “dangerous” files only to be accessed through VPN or a certain RFC1918 net.

    Maybe I can put authenticate just when doing the updates…

    Will think of it…

    Thanks!

    Regards, Lars.

    Thread Starter lbon

    (@lbon)

    Yup, secconsult sent that link to me too.

    Even before reading this, I have done my own hardening. For instance… instead of accessing /wp-admin directly on port 80, you will have to access it through VPN and similar things.

    The only point where I am a bit unclear is how to optimally set chown and chmod for the WP files. Even after reading the document both of you provided.

    Regards, Lars.

    Thread Starter lbon

    (@lbon)

    It is running on my own OpenBSD box and will still be running on this when it goes live.

    www is owner on all files and as it is now, chmod is 777 everywhere… I would like to correct this before going “live” (-;

    Therefore I would like to have some knowledge about minimum required permissions for WP to run correctly.

    Regards, Lars.

    Thread Starter lbon

    (@lbon)

    Yup – fs-direct was one of the things I found out by googling, but it was not enough.

    Great link about security and your plugin! I will give it a go.

    Reg. the link. It says:

    “The WordPress administration area: all files should be writable only by your user account.”

    What is “your user account” here? The account that the webserver is running under or the account that I use to log on to the console?

    Regards, Lars.
