Website Security Hardening
We have created a comprehensive step-by-step guide to harden the website infrastructure, eliminate all identified attack pathways, and deploy multiple layers of defense.
1️⃣ Front-end traffic forced through Azure Front Door
All direct traffic to the server is blocked — only AFD can reach nginx.
✔ No direct attacks to nginx
✔ No direct attacks to PHP-FPM
✔ WAF protections now apply to every request
2️⃣ SSH access restricted to VPN + MFA only
✔ No external SSH exposure
✔ Impossible to brute force
✔ Impossible to scan or enumerate SSH
✔ Zero Trust access enforced
3️⃣ PHP execution disabled in /uploads
The attacker previously used this vector to drop a PHP backdoor.
✔ Uploads are now non-executable
✔ Backdoor method fully removed
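The two nginx rules behind steps 1 and 3, as an added illustration (not the site's actual configuration): it refuses requests that do not carry the Front Door profile's `X-Azure-FDID` header and refuses to hand anything under `/wp-content/uploads/` to PHP-FPM. The Front Door ID, certificate paths, document root and FPM socket are placeholders; the header check complements, and does not replace, the network-level block that only lets AFD reach the origin.

```nginx
# Added example, not the author's config. Placeholders: <YOUR-FRONT-DOOR-ID>,
# /etc/ssl/example.com.pem, /etc/ssl/example.com.key, /var/www/html, php-fpm.sock.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/html;
    ssl_certificate     /etc/ssl/example.com.pem;
    ssl_certificate_key /etc/ssl/example.com.key;

    # Step 1: Azure Front Door stamps every relayed request with the
    # X-Azure-FDID header holding the profile's ID. A request without the
    # expected value never reached AFD (or its WAF), so it is refused here.
    # Anyone who can reach the origin directly can forge this header, which
    # is why the origin must also be network-restricted to AFD's address
    # ranges; this check is defense in depth, not the primary block.
    if ($http_x_azure_fdid != "<YOUR-FRONT-DOOR-ID>") {
        return 403;
    }

    # Step 3: nothing under /uploads is ever executed as PHP, whatever the
    # extension variant. This block must sit ABOVE the generic \.php$ handler:
    # nginx uses the first matching regex location, so if the generic handler
    # came first it would win and the deny would never fire.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|php[3-7]|phar|phps)$ {
        return 403;
    }

    # Generic PHP handler. try_files sends requests for scripts that do not
    # exist on disk to 404 instead of letting PHP-FPM resolve them.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Verify the ordering with `nginx -t` followed by a request for a harmless test file such as `/wp-content/uploads/test.php`, which should return 403 rather than being executed.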
4️⃣ Malicious MU plug-ins & uploader shells removed
✔ Attacker persistence removed
✔ All unauthorized modifications deleted
5️⃣ WordPress core validated with official checksums
✔ Confirmed clean
✔ No modified or injected files
6️⃣ Database password rotated
✔ Any stolen credentials invalidated
✔ DB auth fully refreshed
7️⃣ Unknown WordPress admin accounts removed
✔ No unauthorized dashboard access
✔ All accounts verified
8️⃣ WordPress & plugins updated and cleaned
✔ Vulnerabilities patched
✔ Legacy or unsafe plugins removed
9️⃣ Nginx hardened + FPM configuration sanitized
✔ Secure rule set
✔ Safe, minimal surface area
✔ Logs reviewed and clean
🔟 Backdoor “probe” PHP files quarantined
✔ No shadow access points remain
✔ No passive scanners
✔ No secondary payloads
🛡️ Result: Complete Security Lockdown
The environment is now aligned with hardened WordPress, nginx, and cloud security best practices — with additional monitoring in place for early threat detection.