Gauntlet Security
by Cornelius Bergen, Matchbox Creative
Description
Gauntlet Security can find opportunities for improving the security of your site. It checks many aspects of the site’s configuration including file permissions, server software, PHP, database, plugins, themes, and user accounts. The plugin will give each check a pass, warning, or fail and explain in clear language how you can fix the issue.
How you ultimately choose to patch these issues is up to you, but whatever method you use, this plugin should always provide an accurate report. It does not make changes to your database or to any of your files, and it should be compatible with all other security plugins.
Checks and recommendations include:
Set correct file and directory permissions
Turn off directory indexing
Prevent code execution in the uploads directory
Block files in the includes directory
Prevent access to stray files which could be useful to attackers
Keep PHP up-to-date
Disable dangerous PHP functions
Disable allow_url_include and allow_url_fopen PHP flags
Turn off the display of PHP errors
Don’t advertise the PHP version you are running
Use a strong database password
Change the default database table prefix
Keep WordPress up-to-date
Turn off file editing in the control panel
Set security keys in WP-Config file
Don’t advertise the WordPress version you are running
Turn off self-registration
Force SSL when accessing the admin area
Review the development activity and reputation of all plugins
Remove unused themes from the server
Rename the plugin directory
Move the active theme to an alternate location
Do not use TimThumb
Do not use common user names (such as “admin”)
Do not use weak passwords
Do not have a user with an ID = 1
Minimize the number of admin users
Users should not display their login usernames publicly
Prevent username enumeration through standard author URLs
…more tests planned
Check the screenshots for more detail on some of the above features.
Many of these security checks are based on recommendations from the WordPress codex: https://codex.wordpress.org/Hardening_WordPress.
Disclaimer
Some of the tips included in this plugin only require making small changes to configuration files (.htaccess, php.ini, wp-config.php, functions.php). Others require more in-depth changes to the filesystem or database. Before attempting any of these fixes, you should be comfortable experimenting and know how to undo any change you make. That includes making backups and knowing how to restore your site from those backups. I can’t guarantee that the recommendations or sample code provided in this plugin will not break your site or that they will prevent it from being hacked.
Requirements
Apache web server
WordPress 3.4 minimum
PHP 5.2.7 minimum