WAF Tuning SOP A WAF in blocking mode on day one breaks your own admin. Tune it. — Step 1: Deploy in detection/log-only mode for 7 days. Capture the false positives first. — Step 2: Build rules for th…
Login Lockout Policy SOP Rate-limit by behavior, not just IP — attackers rotate IPs. — Step 1: Lock after 5 failed attempts per username, 20 minutes. Track the username, not only the IP. — Step 2: Add…
File Permission Audit SOP Wrong permissions are the quietest backdoor. Audit, don't assume. — Step 1: Directories to 755, files to 644: find . -type d -exec chmod 755 {} \; then -type f to 644. — Step…
XML-RPC Disable + Verify SOP Disabling the toggle isn't enough — confirm the endpoint is actually dead. — Step 1: Block /xmlrpc.php at the web server, not just via plugin. Plugins load too late to sto…
WordPress Salt Rotation SOP Rotating auth keys invalidates every active session and forces re-login. Run after any suspected compromise. — Step 1: Pull fresh keys from api.wordpress.org/secret-key/1.1…
New-Site Hardening SOP The master pre-launch pass. Don't go live until every box is checked. — Step 1: HTTPS enforced site-wide, HSTS set, mixed content cleared. — Step 2: Admin account is not named "…