Atlantian WordPress Guidelines

Accessibility

Security

Web Application Firewall

All Atlantian WordPress sites should have the DreamHost web filter enabled by default; it is managed by the kingdom webminister through the DreamHost site panel. Each WordPress site should also run a local firewall plugin configured to actively block detected threats rather than only log them. Wordfence is the currently recommended plugin; once its firewall has finished learning mode, switch it to "Enabled and Protecting".

History Auditing

Install the Simple History plugin, or another plugin that keeps a comparable event log, so that account logins and account changes, page and post updates, and plugin and theme installations or updates can be reviewed after the fact.

Simple History example image showing changes made to posts.
Simple History example image showing login attempts.

User Accounts

Policy requires that an account with administrator privileges on every site remain under the control of the kingdom webminister. New accounts on any WordPress site in Atlantia may only be issued to members who hold a warrant from the office of the Webminister; a warrant can be requested for any member.

HTTPS Only

Every WordPress site should be issued a TLS (SSL) certificate and be served only over HTTPS, with plain HTTP requests redirected. The kingdom webminister can issue free Let's Encrypt certificates to any site from the DreamHost panel, and newly created sites normally have a certificate generated automatically. Once a site sends an HSTS policy, browsers that have seen it refuse to load the site over plain HTTP and do not let visitors click through a certificate error, so an expired or missing certificate makes the site unreachable rather than merely showing a warning.

HTTP Security Headers (Advanced)

The web server can send a range of response headers that tell visiting browsers to refuse behaviour attackers rely on: loading the site over plain HTTP, embedding it in a frame on another site (clickjacking), guessing a different content type for a response than the one declared, or leaking the full page URL to third-party sites.

It is strongly recommended to add the standard security headers that WordPress itself does not send. The values below are the header name and value as given to the Apache Header directive in .htaccess:

  • Strict-Transport-Security "max-age=63072000" "expr=%{HTTPS} == 'on'" (the expr condition sends HSTS only on HTTPS responses, as the specification requires)
  • X-XSS-Protection "1; mode=block" (legacy: current browsers have removed the XSS auditor this header controlled, and the modern recommendation is to send 0 or omit it and rely on Content-Security-Policy instead)
  • X-Content-Type-Options "nosniff"
  • Referrer-Policy "strict-origin-when-cross-origin"
  • Expect-CT "max-age=7776000, enforce" (obsolete: browsers now require Certificate Transparency unconditionally, so this header can be dropped)
  • Access-Control-Allow-Origin "null"
  • Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
  • Access-Control-Allow-Headers "Content-Type, Authorization"
  • X-Frame-Options "SAMEORIGIN"
  • X-Permitted-Cross-Domain-Policies "none"

Caveat on the three Access-Control-* headers: a literal null origin does not lock CORS down, because null is exactly the Origin value browsers send from sandboxed iframes and data: pages, and browsers treat it as a match. If the site does not serve cross-origin API clients, omit these three headers entirely; the WordPress REST API already sends its own CORS headers for the site's own origin.

These headers can be added to the site's .htaccess file if you have SSH/SFTP access, or most of them can be added with the single plugin "Headers Security Advanced & HSTS WP". Note that the values the plugin sends cannot be customized, so if any of them conflict with what the site needs (for example a different CORS policy), set the headers in .htaccess instead.

A Content-Security-Policy header is also recommended, but it must be designed around the site's own content (theme and plugin scripts, embedded media, fonts), so consult the kingdom webminister for assistance. Deploy a new policy as Content-Security-Policy-Report-Only first and only switch to the enforcing header once the reports show nothing legitimate is blocked.
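To confirm that a site actually sends the headers above (and that the plugin or .htaccess change took effect), here is an added audit script. It is my example for this page, not code from the Atlantian guidelines, DreamHost or any plugin. It assumes only the Python 3 standard library; the file name header_audit.py and the URL https://example.org are placeholders, and the embedded response is constructed rather than captured. It reports missing headers, weak values (including the null origin problem noted above) and the two deprecated headers in the list.

```python
"""Audit a site's response headers against the set recommended above.

Added example for this page (not code from the Atlantian guidelines, DreamHost
or any plugin); standard library only. `python header_audit.py https://example.org`
fetches live headers; audit_headers() also takes a block captured with curl -sI.
"""
import re
import sys
import urllib.request

HSTS_MIN_AGE = 63072000  # two years, the max-age recommended above

# Canonical name -> accepted values (lower-cased): recommended value first, then stricter ones.
EXPECTED_VALUES = {
    "X-Content-Type-Options": ("nosniff",),
    "X-Frame-Options": ("sameorigin", "deny"),
    "Referrer-Policy": ("strict-origin-when-cross-origin", "strict-origin", "no-referrer"),
    "X-Permitted-Cross-Domain-Policies": ("none",),
}
# Headers current browsers ignore: harmless to send, but they protect nothing now.
DEPRECATED = {
    "X-XSS-Protection": "browsers removed the XSS auditor; use Content-Security-Policy",
    "Expect-CT": "Certificate Transparency is now enforced unconditionally",
}


def parse_headers(raw):
    """Raw header block (status line optional) -> lower-cased dict. Repeated
    headers are joined with ", " so a duplicate is not silently dropped."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def audit_headers(headers):
    """Return {"missing": [...], "weak": [...], "deprecated": [...]} for a parsed dict."""
    missing, weak, deprecated = [], [], []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        missing.append("Strict-Transport-Security")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < HSTS_MIN_AGE:
            weak.append("Strict-Transport-Security: max-age below %d" % HSTS_MIN_AGE)
    for name, accepted in EXPECTED_VALUES.items():
        value = headers.get(name.lower())
        if value is None:
            missing.append(name)
        elif value.lower() not in accepted:
            weak.append("%s: %s" % (name, value))
    if "content-security-policy" not in headers:
        missing.append("Content-Security-Policy")
    # A literal "null" origin restricts nothing: sandboxed iframes and data: pages
    # send Origin: null and browsers match it. "*" opens every response to any site.
    acao = headers.get("access-control-allow-origin", "").strip().lower()
    if acao in ("null", "*"):
        weak.append("Access-Control-Allow-Origin: %s does not restrict cross-origin "
                    "reads; omit the Access-Control-* headers unless CORS is needed" % acao)
    for name, why in DEPRECATED.items():
        value = headers.get(name.lower())
        # X-XSS-Protection: 0 is still worth sending (it disables the buggy auditor
        # in old browsers), so that one value is not flagged.
        if value is not None and not (name == "X-XSS-Protection" and value.strip() == "0"):
            deprecated.append("%s: %s" % (name, why))
    return {"missing": missing, "weak": weak, "deprecated": deprecated}


def fetch_headers(url):
    """HEAD the URL (redirects are followed) and parse the final response's headers."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_headers("".join("%s: %s\n" % kv for kv in resp.headers.items()))


# Constructed sample, not captured from a real site: the list above applied as
# written, with no Content-Security-Policy yet.
SAMPLE_LISTED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: max-age=7776000, enforce
Access-Control-Allow-Origin: null
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_headers(SAMPLE_LISTED)
    for category, findings in audit_headers(headers).items():
        for finding in findings:
            print("%-10s %s" % (category, finding))
```

Run without arguments to audit the constructed sample: it reports Content-Security-Policy as missing, the null origin as weak, and X-XSS-Protection and Expect-CT as deprecated. Run it against the live site after each change to the plugin or .htaccess; the HEAD request follows the HTTP-to-HTTPS redirect, so the headers checked are the ones on the final HTTPS response.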

Performance

Content Enhancement