Just upgrading WordPress because of yet another security scare …
Here are 4 things you can do to improve the security of your WordPress blog:
1) For some reason, the WordPress documentation recommends that the WordPress MySQL user be given GRANT ALL PRIVILEGES, but that's a bad idea: a MySQL user with global privileges can not only drop databases, but also (through the FILE privilege) read and write files on the server's disk.
After running the WordPress post-installation upgrade.php script and installing your plugins, this drastically more limited GRANT works fine, assuming your database name and user name are both 'wordpress' and your WordPress MySQL password is 'newpassword':
mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wordpress'@'localhost';
mysql> GRANT SELECT, INSERT, UPDATE ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'newpassword';
mysql> FLUSH PRIVILEGES;
Then update wordpress/wp-config.php with the userid and newpassword.
(Generally speaking, only the MySQL user 'root' needs any 'Y's in the mysql.user table, which holds global privileges. All other accounts can usually run with 3 or 4 'Y's in the per-database mysql.db table. So SELECT * FROM mysql.user WHERE user != 'root' should be a sea of 'N's only.)
Use the SHOW GRANTS command to see the current settings:
mysql> SHOW GRANTS FOR 'wordpress'@'localhost';
+---------------------------------------------------------------------------------+
| Grants for wordpress@localhost                                                  |
+---------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'wordpress'@'localhost' IDENTIFIED BY PASSWORD '*hashed*' |
| GRANT SELECT, INSERT, UPDATE ON `wordpress`.* TO 'wordpress'@'localhost'        |
+---------------------------------------------------------------------------------+
2 rows in set (0.02 sec)
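As an added example (not from the original post), the following queries turn the "sea of 'N's" rule into something you can run as root after the REVOKE/GRANT above: the first lists every non-root account that still holds a global privilege beyond USAGE, the second lists who can reach the filesystem through FILE, and the third shows exactly which schema-level privileges the 'wordpress' account ended up with. The account and database names are the post's assumed values.

```sql
-- Added check: run as the MySQL root user after applying the REVOKE/GRANT above.

-- 1. Non-root accounts holding ANY global privilege (expected result: no rows).
--    Global privileges live in mysql.user; USAGE alone means "can log in, nothing else".
SELECT GRANTEE,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS global_privileges
FROM   information_schema.USER_PRIVILEGES
WHERE  PRIVILEGE_TYPE <> 'USAGE'
  AND  GRANTEE NOT LIKE '''root''@%'
GROUP  BY GRANTEE;

-- 2. Accounts that can read/write server files via LOAD DATA INFILE and
--    SELECT ... INTO OUTFILE (expected result: only root).
SELECT User, Host
FROM   mysql.user
WHERE  File_priv = 'Y';

-- 3. What the WordPress account actually holds on its own database
--    (expected result: one row, INSERT,SELECT,UPDATE on 'wordpress').
SELECT GRANTEE, TABLE_SCHEMA,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS schema_privileges
FROM   information_schema.SCHEMA_PRIVILEGES
WHERE  GRANTEE = '''wordpress''@''localhost'''
GROUP  BY GRANTEE, TABLE_SCHEMA;
```

If an admin action later fails with a database error, compare the privilege named in the error against the output of query 3 before widening the grant, and re-run query 1 whenever a plugin installer asks for a privileged database account.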
2) You can disable the WordPress banner in content headers by setting $gen=''; in
3) The WordPress PHP files should not be owned by the web server process. Fix that with:
chown -R root:root wordpress/
4) Update your WordPress installation as frequently as necessary.