wp-config Hardening SOP One file holds the keys to everything. Harden it line by line. — Step 1: Move wp-config.php one directory above the web root where the host allows it. — Step 2: Set DISALLOW_FI…
Post-Compromise Triage SOP When a site is hit, panic-restoring overwrites the evidence. Work the order. — Step 1: Take the site offline or behind maintenance — stop ongoing damage first. — Step 2: Sna…
Backup Restore Drill SOP A backup you've never restored is a guess. Test the recovery, not the backup. — Step 1: Confirm backups cover files AND database, stored off the production host. — Step 2: Ver…
TLS Configuration SOP A padlock isn't a config audit. Verify the actual handshake. — Step 1: Disable TLS 1.0 and 1.1 at the server; allow 1.2 and 1.3 only. — Step 2: Remove weak ciphers — no RC4, no 3…
WP-Cron Control SOP The default wp-cron.php fires on visitor traffic and is a public DoS handle. Take it server-side. — Step 1: Set DISABLE_WP_CRON to true in wp-config.php. — Step 2: Add a real syste…
Plugin Vetting SOP Every plugin is code you didn't write running as your site. Vet before install. — Step 1: Check last-updated date. Older than 12 months or untested with current core: reject. — Step…