Transcript

HARDENING WORDPRESS

Few steps to a more secure installation

marcin at chwedziak.pl

WORDUP WROCŁAW #2 — 27.06.2013

Update: 28.01.2015

@Kraeth

Marcin Chwedziak

twitter.com/Kraeth
github.com/Kraeth

chwedziak.pl software development

June 11, 2013 (securitytracker.com): WordPress Bug in 'class-phpass.php' Lets Remote Users Deny Service

April 15, 2013 (webmonkey.com): WordPress Hackers Exploit Username "Admin"

April 14, 2013 (phys.org): Admin Password Spells Trouble In Recent WordPress Attacks

April 12, 2013 (krebsonsecurity.com): Brute Force Attacks Build WordPress Botnet

April 11, 2013 (blog.hostgator.com): Global WordPress Brute Force Flood

Only 60% of all WordPress websites are up to date with the latest version.

Almost 40% of WordPress installations use old and potentially insecure versions.

based on pingomatic.com data

At the same time…

There are around 670 million websites on the web.

June 2013 Web Server Survey, Netcraft Ltd.

More than 67 million (10%) use WordPress!

wordpress.com/stats

Every minute, hundreds of thousands of IPs are being attacked.

Including the one that runs your server.

How to deal with it?

CONTROL / LIMIT / HAVE A PLAN

CONTROL

The number of possible system entry points should be reduced to a minimum.

Access to file system.

Use SFTP or FTPS instead of FTP.

SFTP (SSH File Transfer Protocol) allows key-based authentication.

Google: SSH with public key

FTPS encrypts the password while connecting.

A regular FTP connection lets anyone on the path sniff the password.

Access to file system.

Wisely manage file permissions.

Root directory: only you (.htaccess is an exception, but…)
/wp-admin/: only you
/wp-includes/: only you
/wp-content/: you and Apache
/wp-content/themes/: you
/wp-content/plugins/: you

File edit within WordPress should be disabled too:

define('DISALLOW_FILE_EDIT', true);
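The permission split above, as an added shell example that is not part of the slides. It assumes the web server runs as a different user than the site owner and only needs to read outside wp-content, so "only you" is implemented as owner-writable (0755 directories, 0644 files) and "you and Apache" as group-writable for the web server's group (0775 / 0664); the web-server group name (www-data) and the install path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. Applies the per-directory permission
# split to a WordPress tree. Assumptions: the web server runs as a separate
# user and only reads outside wp-content, so "only you" = owner-writable
# (0755/0644) and "you and Apache" = group-writable for the web server's group
# (0775/0664). wp-config.php holds the database password, so it gets 0600.
# The deck notes .htaccess as an exception (WordPress rewrites permalink rules
# into it); it is left owner-only here and can be relaxed deliberately.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_wp_perms <wordpress-root> <web-server-group>
harden_wp_perms() {
    root="$1"
    webgroup="$2"

    # Baseline: owner-writable only, world-readable so Apache can still serve files.
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +

    # Database credentials: owner only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 0600 "$root/wp-config.php"
    fi

    # wp-content (uploads, cache) is the only tree the web server must write to.
    # themes/ and plugins/ are pruned so they stay owner-writable, as the deck lists them.
    if [ -d "$root/wp-content" ]; then
        # Only hand the tree to the web server's group if that group exists here.
        if getent group "$webgroup" >/dev/null 2>&1; then
            chgrp -R "$webgroup" "$root/wp-content"
        fi
        find "$root/wp-content" \
            \( -path "$root/wp-content/themes" -o -path "$root/wp-content/plugins" \) -prune \
            -o -type d -exec chmod 0775 {} + \
            -o -type f -exec chmod 0664 {} +
    fi
}

# Usage: sh harden.sh /var/www/wordpress www-data   (path and group are examples)
if [ -n "$1" ]; then
    harden_wp_perms "$1" "${2:-www-data}"
fi
```

On hosts where PHP runs as the file owner (suexec, a per-site PHP-FPM pool) the group step is unnecessary and wp-content can stay 0755/0644 as well; the script only widens what the deck says Apache needs.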

Access to file system.

Move wp-config.php one level up…

… or block access to it using .htaccess:

<Files wp-config.php>
    Order allow,deny
    Deny from All
</Files>

Access to file system.

Block direct access to PHP files.

Put this in .htaccess, above the block WordPress generates itself:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Remember this won't work with MultiSite!
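Reading a mod_rewrite chain with a `[S=3]` skip is error-prone, so here is an added shell oracle (not from the slides) that mirrors the five rules above and reports "deny" or "allow" for a request path, which lets the policy be reviewed against sample paths before it goes live. Paths are taken relative to the site root, as mod_rewrite sees them with `RewriteBase /`.

```shell
#!/bin/sh
# Added example, not from the slides: a small oracle that mirrors the five
# RewriteRules in the deck so the policy can be checked against sample request
# paths. Paths are relative to the site root ("RewriteBase /"). Prints
# "deny" for a path the rules answer with 403 and "allow" for everything else.
wp_php_access() {
    p="$1"
    # RewriteRule ^wp-admin/includes/ - [F,L]
    if printf '%s\n' "$p" | grep -Eq '^wp-admin/includes/'; then echo deny; return 0; fi
    # RewriteRule !^wp-includes/ - [S=3]: anything outside wp-includes/ skips the
    # next three rules and falls through to the normal WordPress rules (allowed here).
    if ! printf '%s\n' "$p" | grep -Eq '^wp-includes/'; then echo allow; return 0; fi
    # RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]: PHP files directly in wp-includes/ only
    if printf '%s\n' "$p" | grep -Eq '^wp-includes/[^/]+\.php$'; then echo deny; return 0; fi
    # RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    if printf '%s\n' "$p" | grep -Eq '^wp-includes/js/tinymce/langs/.+\.php'; then echo deny; return 0; fi
    # RewriteRule ^wp-includes/theme-compat/ - [F,L]
    if printf '%s\n' "$p" | grep -Eq '^wp-includes/theme-compat/'; then echo deny; return 0; fi
    echo allow
}

# Print the verdict for each sample path given on the command line.
review_rules() {
    for p in "$@"; do
        printf '%-45s %s\n' "$p" "$(wp_php_access "$p")"
    done
}

# Usage: sh review.sh wp-includes/load.php wp-includes/js/jquery/jquery.js wp-content/plugins/x/y.php
if [ -n "$1" ]; then
    review_rules "$@"
fi
```

Running it over a few paths makes the scope visible: `wp-includes/load.php` is denied, static assets such as `wp-includes/js/jquery/jquery.js` are served, and PHP below wp-content or in subdirectories of wp-includes is not covered by this chain at all, so the permission and update advice elsewhere in the deck still has to carry that load.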

Access to database.

Use a separate database for WordPress.

Change the default table prefix from wp_ to e.g. kraken_.

Modify the $table_prefix setting inside wp-config.php.

Don't forget to alter the tables in MySQL!
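"Alter the tables" is more than a rename, so here is an added shell example (not from the slides) that emits the MySQL statements belonging to a prefix change. Besides renaming every table, two places carry the prefix inside column values and must be rewritten or every user loses their role after the change: `option_name = 'wp_user_roles'` in the options table and usermeta keys such as `wp_capabilities` and `wp_user_level`. The table list passed in the usage line is constructed; in practice it comes from `SHOW TABLES`.

```shell
#!/bin/sh
# Added example, not from the slides: generate the MySQL statements that go
# with a table-prefix change in wp-config.php. Renames every table carrying
# the old prefix and rewrites the two kinds of rows whose VALUES also embed the
# prefix (options.option_name 'wp_user_roles', usermeta meta_key
# 'wp_capabilities' / 'wp_user_level' and friends). Table names come in as
# arguments; those in the usage line are constructed for illustration.
#
# gen_prefix_sql <old-prefix> <new-prefix> <table>...
gen_prefix_sql() {
    old="$1"
    new="$2"
    shift 2
    # LIKE treats '_' as a single-character wildcard, so escape it in the pattern.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    # 1-based position right after the old prefix, as SUBSTRING() expects.
    pos=$(( ${#old} + 1 ))

    for t in "$@"; do
        case "$t" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
            *)       printf -- '-- skipped (no prefix %s): %s\n' "$old" "$t" ;;
        esac
    done
    # Rows whose values embed the prefix: keep the remainder, swap the prefix.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %s)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$pos" "$esc"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$pos" "$esc"
}

# Usage (table list constructed): sh prefix.sh wp_ kraken_ wp_posts wp_options wp_usermeta
if [ -n "$3" ]; then
    gen_prefix_sql "$@"
fi
```

Review the generated SQL and run it inside a transaction together with the wp-config.php edit; the site is in an inconsistent state between the two steps.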

Access to admin panel.

If you use the admin account, change its name!

Add BasicAuth for /wp-admin/.

Create .htaccess and .htpasswd files…

…and don't forget to exclude admin-ajax.php, which the front end calls without credentials:

<Files admin-ajax.php>
    Order allow,deny
    Allow from All
    Satisfy any
</Files>

Use extra plugins to block unsuccessful sign-ins.

LIMIT

System configuration should minimize the number of actions that can be performed after access has been granted.

Always run a recent WordPress version.

Same for all your plugins! And if you stop using any — remove them.

Disable file edit from the WordPress panel.

Limit the MySQL user to the WordPress database only.

Disallow unfiltered HTML for every role, administrators included, so stored HTML and scripts in posts get filtered:

define('DISALLOW_UNFILTERED_HTML', true);

HAVE A PLAN

We should always be ready to act if there is a security incident.

Be prepared to replay the installation at any time.

Back up your website regularly.

Both the database and the WordPress files.

The more you publish, the more often you should back up.

Hide all PHP errors from being displayed.

define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);

But remember to collect them for analysis.

https://github.com/ryanbagwell/wordpress-sentry

Review the event log.

ModSecurity, OSSEC

File monitor

Log monitor
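The brute-force wave the deck opens with is the case a log monitor (and the sign-in blocking plugins mentioned under the admin panel) exists for. As an added shell example that is not part of the slides, this counts POST requests to wp-login.php per client address in an Apache combined-format access log and reports addresses at or above a threshold. The log lines it builds are constructed (RFC 5737 documentation addresses); a real log would be read from a path such as /var/log/apache2/access.log, which is an assumption about the host.

```shell
#!/bin/sh
# Added example, not from the slides: the kind of check a log monitor runs for
# the login brute-force wave. Counts POST requests to wp-login.php per client
# address in an Apache combined-format access log and reports addresses at or
# above a threshold. Sample log lines are constructed below; a real log would
# be e.g. /var/log/apache2/access.log (an assumption about the host).
#
# login_flood_report <access-log> [threshold]   -> lines of "<ip> <count>"
login_flood_report() {
    logfile="$1"
    threshold="${2:-20}"
    # Combined format fields: $1 client IP, $6 "METHOD (with opening quote), $7 path.
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$logfile" | sort
}

# Write a constructed sample log (RFC 5737 documentation addresses) to a file:
# five login POSTs and one GET from one address, one POST and a page view from another.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 5 ]; do
        printf '%s\n' '203.0.113.7 - - [27/Jun/2013:10:00:0'"$i"' +0200] "POST /wp-login.php HTTP/1.1" 200 3621 "-" "Mozilla/5.0"' >> "$out"
        i=$((i + 1))
    done
    printf '%s\n' '203.0.113.7 - - [27/Jun/2013:10:00:09 +0200] "GET /wp-login.php HTTP/1.1" 200 3621 "-" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '198.51.100.9 - - [27/Jun/2013:10:01:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '198.51.100.9 - - [27/Jun/2013:10:01:05 +0200] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"' >> "$out"
}

# Usage: sh flood.sh /var/log/apache2/access.log 20
if [ -n "$1" ]; then
    login_flood_report "$1" "${2:-20}"
fi
```

A 200 on a login POST is the failed attempt (WordPress redirects with 302 on success), so a stricter version counts only status 200 rows; the threshold should be tuned to the site's real traffic before the output feeds a blocklist.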

The most effective way of being secure is prevention.

However, to sleep well, monitor your website regularly.

Questions?

THANK YOU FOR YOUR ATTENTION