I was reading the WordPress Whitepaper v1.2 at BlogSecurity.net and read some useful tips on making WordPress more secure. My question is: could/would any of these recommendations make IPB more secure? I have also included what I know about already :D

For example:

- They mention, when creating the database user, to only give GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP permissions. Is this the same for IPB?

- With regards to the SQL table prefix:

  $INFO['sql_tbl_prefix'] = '';

  Is this safe to have blank, or just something like ibf_, ipb_ etc., or would it be better, as they suggest, to have something more random, i.e. 95MkN8, to prevent database injection threats?

- They also have the ability to generate secret keys, which creates something like this for WordPress:

  https://api.wordpress.org/secret-key/1.1/

  define('AUTH_KEY', 'l4Zyc=XP3D4C1b`#k~Zj1TYh,dT/C/:9+{wx,ZhVXI]8!O7VIXDjs]iPhpPx[zmp');
  define('SECURE_AUTH_KEY', ')EU[Nf`FRl9mYvh4Xzc.h:2DI`Jv-v!5l27d=]Ks1K$f{}3z/|a:o-d2pedu.Dyq');
  define('LOGGED_IN_KEY', 'Z/=ujR`e^1fuGnb[4} 4FP!ASkozQ~>(!~Xbd@4coz-Kp ,07%|O;_xSWw`p13&m');
  define('NONCE_KEY', ' g-y+$I&WBL?nD4.;Xw<f:x|*36FDEn9<)D<6EFO~vE_BlN6Uta?F2Y_`(]dQD-L');

  I think IPB has something like this from what I remember, but wasn't too sure, so thought I would mention it.

- Creating a very secure password for the Admin CP, FTP, MySQL etc. goes without saying, but how many people actually do? I generate a 16-character alphanumeric password with special characters included.

- Restrict access to the Admin CP by:

  - Renaming the folder and changing the new name in the initdata.php file, i.e.

    define( 'CP_DIRECTORY', 'XP3D4C1b' );

  - CHMODing the directory to 501 as suggested.
  - Restricting access by requesting a password using .htpasswd and .htaccess.
  - Restricting access to it by entering static IP addresses of those admins who have permission to it.

What do you think of these ideas? Please give your feedback as I am sure it will benefit many IPB owners and administrators :D
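The steps in the post (random table prefix, random Admin CP folder name, WordPress-style secret keys, a least-privilege database user, and an .htaccess that combines a password prompt with an IP allow-list) can be generated from one small script. The block below is an added example written for this page; it is not IPB's or WordPress's own code. It uses Python's `secrets` module for the random values, the exact privilege list quoted from the whitepaper for the GRANT statement, and Apache 2.4 `Require` syntax for the .htaccess fragment; the database name, user, htpasswd path and IP addresses in `main()` are made-up placeholders.

```python
"""Generate the hardening values discussed in the post. Example code written for
this page (not IPB's or WordPress's own code); file paths, names and IPs are
assumptions, adjust them for your host."""
import ipaddress
import secrets
import string

# MySQL unquoted identifiers may use letters, digits and underscore; starting
# with a letter keeps the prefix usable without backtick quoting.
_IDENT_ALPHABET = string.ascii_lowercase + string.digits

# Printable characters for secret keys, deliberately without ' and \ so the
# value can be dropped into a single-quoted PHP string literal unchanged.
_KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,./:;"


def random_table_prefix(length: int = 6) -> str:
    """Random prefix such as 'k8m2qz_' (assumed format, not an IPB default)."""
    if length < 4:
        raise ValueError("prefix too short to be worth the trouble")
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(_IDENT_ALPHABET) for _ in range(length - 1))
    return f"{first}{rest}_"


def random_cp_directory(length: int = 12) -> str:
    """Random Admin CP folder name, letters and digits only so it is URL-safe."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secret_key(length: int = 64) -> str:
    """64 characters from an 88-symbol alphabet: well over 256 bits of entropy."""
    return "".join(secrets.choice(_KEY_ALPHABET) for _ in range(length))


def php_defines(names=("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")) -> str:
    """PHP define() lines in the same shape as the WordPress generator output."""
    return "\n".join(f"define('{name}', '{secret_key()}');" for name in names)


def grant_statement(db: str, user: str, host: str = "localhost") -> str:
    """Least-privilege GRANT with exactly the privilege list the post quotes:
    scoped to one database, no GRANT OPTION and no server-wide privileges."""
    safe = set(string.ascii_letters + string.digits + "_")
    for ident in (db, user):
        if not ident or not set(ident) <= safe:
            raise ValueError(f"unsafe identifier: {ident!r}")
    return (
        "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP "
        f"ON `{db}`.* TO '{user}'@'{host}';"
    )


def htaccess_for_admin_cp(htpasswd_path: str, allowed_ips) -> str:
    """Apache 2.4 fragment for the Admin CP folder. RequireAll means a request
    must present BOTH a valid htpasswd login AND come from an allow-listed
    address; either one alone is refused."""
    nets = [str(ipaddress.ip_network(ip, strict=False)) for ip in allowed_ips]
    if not nets:
        raise ValueError("allow-list is empty; the IP restriction would do nothing")
    return "\n".join([
        "AuthType Basic",
        'AuthName "Admin CP"',
        f"AuthUserFile {htpasswd_path}",
        "<RequireAll>",
        "    Require valid-user",
        f"    Require ip {' '.join(nets)}",
        "</RequireAll>",
    ])


def main() -> None:
    print("$INFO['sql_tbl_prefix'] = '%s';" % random_table_prefix())
    print("define( 'CP_DIRECTORY', '%s' );" % random_cp_directory())
    print(php_defines())
    print(grant_statement("ipb_example_db", "ipb_example_user"))  # placeholder names
    # Placeholder path and documentation-range addresses (RFC 5737).
    print(htaccess_for_admin_cp("/home/example/.htpasswd", ["203.0.113.5", "198.51.100.0/24"]))


if __name__ == "__main__":
    main()
```

Keep the `.htpasswd` file outside the web root, and note that `Require ip` only helps while the admins really do have static addresses; if one of them connects from a changing address, the password prompt is the part that still holds.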