Thursday, June 9, 2016

WHM and WordPress security settings: suggested changes

Hide login password from CGI scripts: currently Off, set to On.
This setting allows you to hide the REMOTE_PASSWORD environment variable from scripts that the cpsrvd daemon's CGI handler executes.

Referrer safety check: currently Off, set to On.
Only permit cPanel/WHM/Webmail to execute functions when the browser-provided referrer (domain/IP and port) exactly matches the destination URL. This helps prevent XSRF attacks but may break integration with other systems, login applications, and billing software. Cookies are required when this option is enabled.

Verify signatures of 3rd-party cPaddons: currently Off, set to On.
When this option is enabled, cPanel verifies the GPG signatures of all 3rd-party cPaddons. This setting is only available if Signature Validation is enabled.

Prevent “nobody” from sending mail: currently Off, set to On.
Prevent the user “nobody” from sending out mail to remote addresses (PHP and CGI scripts generally run as “nobody” if you are using mod_php or have suEXEC disabled).

Enable SPF on domains for newly created accounts: currently Off, set to On.
Enable this option to deny spammers the ability to send email when they forge your domain’s name as the sender (spoofing).

Proxy subdomains: currently On, set to Off.
Adds proxy VirtualHosts to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains to the correct port (requires mod_rewrite and mod_proxy).

Proxy subdomain creation: currently On, set to Off.
Automatically creates cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm proxy subdomain DNS entries for new accounts. When this is first enabled it adds the appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually.)

Password Strength Configuration: currently 0, set to 8.
This feature allows you to specify a minimum password strength for accounts hosted by your server.

Compiler Access: currently Enabled, set to Disabled.
This option disables compiler access for unspecified users in order to help prevent attacks on your server.

Shell Fork Bomb Protection: currently Disabled, set to Enabled.
This option limits the amount of server resources that users with terminal access may use.

FTP Server Configuration, Allow Anonymous Uploads: currently Yes, set to No.
Allowing anonymous FTP uploads is generally considered to weaken the security of the server. Setting this option to "No" is recommended.

Manage Shell Access: currently enabled for all users; disable it for every user except root.
This interface allows you to select which users have shell access on your server and whether that shell access is Normal or Jailed.

FileETag: currently All, set to None.
This directive configures the file attributes that are used to create the ETag response header field when the request is file-based.
Note: “None” means that if a document is file-based, no ETag field is included in the response.

expose_php (php.ini directive): currently On, set to Off.

From the developer's end

Keep the WordPress core version and every plugin version up to date.

Two-factor authentication is required for the website admin panel, or access to the wp-login.php admin panel should be limited to a small set of IP addresses.

Change the database table prefix; do not use the default table prefix for a new website.

Use the WordPress secret-key generator to produce the authentication keys and salts in wp-config.php.

Reduce exposure of the admin section by blocking search-engine spiders from indexing it (robots.txt). Note that robots.txt only instructs well-behaved crawlers and is itself publicly readable, so it keeps these paths out of search results rather than out of reach; the .htaccess rules further down are what actually restrict access.
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

1. Secure wp-config.php
# protect wp-config.php (in the site root .htaccess)
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

2. Limit Access to the wp-content Directory
# place in wp-content/.htaccess: deny everything, then allow only static asset types
# (the <Files> container was lost in extraction; the extension list below is the common form of this rule, adjust it to the assets your theme serves)
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>


3. Prevent script injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
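To see what the three RewriteCond patterns above actually match, here is an added Python re-implementation of the same query-string checks (example code written for this post, not part of it); the sample query strings are constructed. It also shows the rule's main limitation as a defence: it is a plain pattern filter, so harmless markup such as `<b>script</b>` in a search query is refused with the same 403 as a real injection attempt, and the case-sensitive GLOBALS/_REQUEST patterns only fire on that exact spelling.

```python
"""Re-implementation of the three RewriteCond query-string patterns above
(added example, not from the original post). Apache tests %{QUERY_STRING}
before URL-decoding, which is why the patterns themselves allow for %3C / %3E."""
import re

# Pattern 1 carries [NC] in the .htaccess rule, so it is case-insensitive;
# patterns 2 and 3 do not, so they are case-sensitive, exactly as in Apache.
RULES = (
    ("script tag in query string", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS overwrite attempt",  re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST overwrite attempt", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
)


def matched_rule(query_string):
    """Return the name of the first pattern that matches, or None.
    The conditions are OR-ed in the .htaccess, so one match is enough for the 403."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


def is_blocked(query_string):
    """True when the RewriteRule would answer 403 Forbidden ([F])."""
    return matched_rule(query_string) is not None


# Constructed sample query strings: what the filter stops, what it lets through,
# and a harmless request it stops anyway (a false positive).
SAMPLES = {
    "q=<script>alert(1)</script>":           True,   # raw tag
    "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E": True,   # URL-encoded tag
    "GLOBALS[admin]=1":                      True,
    "_REQUEST=1":                            True,
    "s=wordpress+security&page=2":           False,  # ordinary search
    "globals=1":                             False,  # lower case: pattern 2 is case-sensitive
    "q=<b>script</b>":                       True,   # harmless markup, still blocked
}

if __name__ == "__main__":
    for qs, expected in SAMPLES.items():
        print(f"{qs:45} blocked={is_blocked(qs)} rule={matched_rule(qs)}")
        assert is_blocked(qs) == expected
```

Because the filter runs before any decoding, a request that a browser would send with the tag percent-encoded is caught by the `%3C`/`%3E` alternatives; the trade-off is that any page whose legitimate query strings contain angle brackets around the word "script" will be blocked too, so test the rule against the site's real URLs before relying on it.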

Protect your .htaccess file
# STRONG HTACCESS PROTECTION
# (the match expression of the container was lost in extraction; "^\.ht" is the
#  pattern Apache's own default configuration uses for .htaccess and .htpasswd files)
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>
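As an added check (example code written for this post, not part of it), the following Python script audits a site against several of the items above at once: expose_php (an X-Powered-By header means it is still on), FileETag (any ETag header means it is not None), and the two Deny rules (wp-config.php and .htaccess should answer 403). The BEFORE and AFTER response sets are constructed samples; fetch() only shows how to gather the same data from a server you administer and is not exercised offline.

```python
"""Offline audit of the hardening items from this post: expose_php off,
FileETag None, and .htaccess denials for wp-config.php and .ht* files.
Added example, not from the original post; sample responses are constructed."""
import urllib.error
import urllib.request

# Paths that should be denied (HTTP 403) once the .htaccess rules are in place.
PROTECTED_PATHS = ("/wp-config.php", "/.htaccess")


def audit(responses):
    """responses maps a request path to (status_code, headers_dict).
    Returns a list of finding strings; an empty list means every check passed."""
    findings = []
    for path, (status, headers) in responses.items():
        # Header names are case-insensitive; normalise before lookup.
        lower = {k.lower(): v for k, v in headers.items()}
        if "x-powered-by" in lower:
            findings.append(f"{path}: X-Powered-By present ({lower['x-powered-by']}); set expose_php = Off")
        if "etag" in lower:
            findings.append(f"{path}: ETag header present; set FileETag None")
        if path in PROTECTED_PATHS and status != 403:
            findings.append(f"{path}: returned {status}, expected 403 from the .htaccess Deny rule")
    return findings


def fetch(base_url, paths=("/", *PROTECTED_PATHS)):
    """Collect (status, headers) for each path from a live site you administer.
    Shown so the audit can be run against a real host; not called offline."""
    responses = {}
    for path in paths:
        req = urllib.request.Request(base_url + path, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                responses[path] = (resp.status, dict(resp.headers))
        except urllib.error.HTTPError as err:
            # A 403 arrives as an HTTPError; its headers are still available.
            responses[path] = (err.code, dict(err.headers))
    return responses


# Constructed sample: a server before the settings in this post are applied.
BEFORE = {
    "/": (200, {"Server": "Apache", "X-Powered-By": "PHP/5.6.40",
                "ETag": '"1a2b3c-4d5e-5f6a7b8c9d0e1"'}),
    "/wp-config.php": (200, {"Server": "Apache", "X-Powered-By": "PHP/5.6.40"}),
    "/.htaccess": (200, {"Server": "Apache", "ETag": '"1a2b3d-12f-5f6a7b8c9d0e1"'}),
}

# Constructed sample: the same server after expose_php Off, FileETag None and the Deny rules.
AFTER = {
    "/": (200, {"Server": "Apache"}),
    "/wp-config.php": (403, {"Server": "Apache"}),
    "/.htaccess": (403, {"Server": "Apache"}),
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "no findings")
```

Run it against a real host with `audit(fetch("https://example.invalid"))` (hostname is a placeholder). A 200 on wp-config.php is the finding to fix first: it means the file is being served, whether or not PHP happens to execute it, and the Deny rule above is not in effect.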


Nicole said...

Get 100% Anonymous offshore hosting from webcare360.com who standout amongst the most experienced dmca ignored hosting providers in the industry.

entabiz said...

Hi Dear,
I really prefer your blog! This blog is very useful for me and others, so I see it every day.

Watch free latest Hindi and English movies online at pikflix. Best source to watch and download dubbed Hindi & English movies in HD Quality.

Visit Now - https://www.pikflix.in/en/movies'

Thanks
