Moving plugin and themes directory? Other recommendations for hardening?

I am about to launch a WooCommerce store and wanted to know if there are any ways to harden my WordPress installation further. I currently have it proxied behind Cloudflare with some rules set up to protect wp-login.php.

I saw that I can move the plugin and themes folder. I’m wondering if there is any benefit to that at all or if it may cause more trouble with third-party plugins and such than it’s worth?

3 Comments
  1. >*I saw that I can move the plugin and themes folder. I’m wondering if there is any benefit to that at all or if it may cause more trouble with third-party plugins and such than it’s worth?*

    That won’t help – it doesn’t actually do anything, from a security POV. Just follow standard best practice – keep everything up to date at all times, and use strong passwords. If you want a bit of added protection, install Wordfence. CF Country blocking WAF rules also filter out a massive amount of malicious traffic.

  2. Because WP does not utilize urlrewrite to force all requests to a single file and route directing based on URL GET params, every file is exposed to the internet as an accessible file. There is no way to change this without breaking your site. The best you can do is only install highly trusted plug-ins and stay up to date.

  3. You want to block xmlrpc in CF, Nginx and WP. You want to block the methods of enumerating users via the user API and the author=2 method. Block Russia and China plus. Fail2ban for abusers. Never run your endpoint un-proxied with the orange cloud off; it will reveal your IP. Never reveal your IP, lol. Block server farms.

    That’s just off the top of my head too.
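
The probes named in comment 3 (xmlrpc, the user API and `author=2`), as an added example that is not part of the thread: a Python script that scans combined-format access log lines and reports the client IPs hitting those endpoints, which is the list a Fail2ban jail or a Cloudflare rule would act on. The log format, the threshold, the `rest_route` variant of the user API and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# nginx/Apache "combined" access log: client IP, request line, status (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

def classify(target):
    """Return the probe kind a request target matches, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc"
    # REST user listing: /wp-json/wp/v2/users or ?rest_route=/wp/v2/users
    rest = path + "".join(query.get("rest_route", [])).lower()
    if "/wp/v2/users" in rest:
        return "rest-users"
    # Author archive enumeration: /?author=2 (numeric IDs only)
    if any(v.isdigit() for v in query.get("author", [])):
        return "author-enum"
    return None

def offenders(lines, threshold=3):
    """Map IP -> Counter of probe kinds, for IPs with >= threshold probe hits."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        kind = classify(m.group("target"))
        if kind:
            hits.setdefault(m.group("ip"), Counter())[kind] += 1
    return {ip: c for ip, c in hits.items() if sum(c.values()) >= threshold}

# Constructed sample lines using documentation IP ranges, not real traffic.
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "x"',
    f'203.0.113.7 - - {TS} "GET /?author=2 HTTP/1.1" 301 0 "-" "x"',
    f'203.0.113.7 - - {TS} "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "x"',
    f'198.51.100.9 - - {TS} "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 512 "-" "x"',
    f'198.51.100.9 - - {TS} "GET /shop/?author=jane HTTP/1.1" 200 900 "-" "x"',
    f'192.0.2.50 - - {TS} "GET /product/blue-shirt/ HTTP/1.1" 200 4096 "-" "x"',
]

if __name__ == "__main__":
    for ip, kinds in offenders(SAMPLE).items():
        print(ip, dict(kinds))
```
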
