HARDENING WORDPRESS
Few steps to a more secure installation
marcin at chwedziak.pl
WORDUP WROCŁAW #2 — 27.06.2013
Update: 28.01.2015
@Kraeth
Marcin Chwedziak
twitter.com/Kraeth github.com/Kraeth
chwedziak.pl software development
June 11, 2013 (securitytracker.com): WordPress Bug in 'class-phpass.php' Lets Remote Users Deny Service
April 15, 2013 (webmonkey.com): WordPress Hackers Exploit Username "Admin"
April 14, 2013 (phys.org): Admin Password Spells Trouble In Recent WordPress Attacks
April 12, 2013 (krebsonsecurity.com): Brute Force Attacks Build WordPress Botnet
April 11, 2013 (blog.hostgator.com): Global WordPress Brute Force Flood
Only 60% of all WordPress websites are up to date with the latest version.
Almost 40% of WordPress installations use old and potentially insecure versions.
(based on pingomatic.com data)
At the same time…
There are around 670 million websites on the web.
(June 2013 Web Server Survey, Netcraft Ltd.)
More than 67 million (10%) use WordPress!
(wordpress.com/stats)
Every minute hundreds of thousands of IPs are being attacked.
Including the one that runs your server.
How to deal with it?
CONTROL, LIMIT, HAVE A PLAN
CONTROL
The number of possible system entry points should be reduced to a minimum.
Access to file system.
Use SFTP or FTPS instead of FTP.
SFTP (SSH File Transfer Protocol) allows using key-based authentication.
Google: SSH with public key
FTPS encrypts our password while connecting.
A regular FTP connection allows the password to be sniffed.
Wisely manage file permissions.
Root directory: only you
(.htaccess is an exception, but…)
/wp-admin/: only you
/wp-includes/: only you
/wp-content/: you and Apache
/wp-content/themes/: you
/wp-content/plugins/: you
File edit within WordPress should be disabled too:
define('DISALLOW_FILE_EDIT', true);
Move wp-config.php one level up…
… or block access to it using .htaccess:
<Files wp-config.php>
Order allow,deny
Deny from All
</Files>
Block direct access to PHP files.
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress
Remember this won’t work with MultiSite!
Access to database.
Use a separate database for WordPress.
Change the default table prefix from wp_ to e.g. kraken_.
Modify the $table_prefix setting inside wp-config.php.
Don’t forget to alter the tables in MySQL!
Access to admin panel.
If you use the admin account, change its name!
Add BasicAuth for /wp-admin/.
Create .htaccess and .htpasswd files…
…and don’t forget to exclude admin-ajax.php!
<Files admin-ajax.php>
Order allow,deny
Allow from All
Satisfy any
</Files>
Use extra plugins to block unsuccessful sign-ins.
LIMIT
The system configuration should minimize the number of actions that can be performed after access is granted.
Always have a recent WordPress version.
Same for all your plugins! And if you stop using any, remove them.
Disable file edit from the WordPress panel.
Limit the MySQL user to have access only to the WordPress database.
Don’t allow unfiltered HTML, even for administrators:
define('DISALLOW_UNFILTERED_HTML', true);
HAVE A PLAN
We should always be ready to act if there is a security incident.
Be prepared to replay the installation at any time.
Back up your website regularly.
Both the database and the WordPress files.
The more you publish, the more often you should back up.
Hide all PHP errors from being displayed.
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);
But remember to collect them for analysis.
https://github.com/ryanbagwell/wordpress-sentry
Review the event log.
ModSecurity, OSSEC (file monitor, log monitor)
The most effective way of being secured is prevention.
However, to sleep well, monitor your website regularly.
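As an added example (not from the talk), a POSIX shell audit that checks a WordPress tree for the controls above: where wp-config.php lives and whether .htaccess blocks it, the DISALLOW_FILE_EDIT / WP_DEBUG_DISPLAY / table prefix settings, the "only you" directory permissions, and the admin-ajax.php exception to BasicAuth on /wp-admin/. audit_wp, make_tree and the constructed sample tree are assumptions, not anything from the slides.

```shell
#!/bin/sh
# Added example, not from the talk: audit_wp, make_tree and the sample tree are assumptions.
# audit_wp DIR -> prints one line per finding; returns the number of findings
audit_wp() {
  dir=$1; n=0; cfg="$dir/wp-config.php"
  if [ -f "$cfg" ]; then
    # config still in the web root: the .htaccess deny block is required
    grep -q '<Files wp-config.php>' "$dir/.htaccess" 2>/dev/null \
      || { echo "wp-config.php in web root and not blocked by .htaccess"; n=$((n+1)); }
  else  # "move wp-config.php one level up"
    cfg="$dir/../wp-config.php"; [ -f "$cfg" ] || { echo "no wp-config.php found"; return 1; }
  fi
  # settings named on the CONTROL / LIMIT / HAVE A PLAN slides
  grep -Eq "define\('DISALLOW_FILE_EDIT',[[:space:]]*true\)" "$cfg" \
    || { echo "DISALLOW_FILE_EDIT is not true"; n=$((n+1)); }
  grep -Eq "define\('WP_DEBUG_DISPLAY',[[:space:]]*false\)" "$cfg" \
    || { echo "WP_DEBUG_DISPLAY is not false"; n=$((n+1)); }
  grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg" \
    && { echo "default table prefix wp_ still in use"; n=$((n+1)); }
  # "only you" directories: no group/other write bit (ls -ld output is portable, stat -c is not)
  for d in "$dir" "$dir/wp-admin" "$dir/wp-includes"; do
    mode=$(ls -ld "$d" | cut -c1-10)   # e.g. drwxr-xr-x; char 6 = group w, char 9 = other w
    case $mode in ?????w*|????????w*) echo "$d is group/world writable ($mode)"; n=$((n+1));; esac
  done
  # BasicAuth on /wp-admin/ must keep admin-ajax.php reachable
  adm="$dir/wp-admin/.htaccess"
  if [ -f "$adm" ] && grep -q 'AuthType Basic' "$adm" && ! grep -q '<Files admin-ajax.php>' "$adm"; then
    echo "BasicAuth on wp-admin without an admin-ajax.php exception"; n=$((n+1))
  fi
  return $n
}
# make_tree DIR weak|hardened -> constructed sample install (not a real site)
make_tree() {
  mkdir -p "$1/wp-admin" "$1/wp-includes"
  if [ "$2" = weak ]; then
    printf "\$table_prefix = 'wp_';\ndefine('WP_DEBUG_DISPLAY', true);\n" > "$1/wp-config.php"
    printf "AuthType Basic\nRequire valid-user\n" > "$1/wp-admin/.htaccess"
    chmod 777 "$1" "$1/wp-admin"; chmod 755 "$1/wp-includes"
  else
    printf "\$table_prefix = 'kraken_';\ndefine('DISALLOW_FILE_EDIT', true);\ndefine('WP_DEBUG_DISPLAY', false);\n" > "$1/../wp-config.php"
    printf "AuthType Basic\nRequire valid-user\n<Files admin-ajax.php>\nSatisfy any\n</Files>\n" > "$1/wp-admin/.htaccess"
    chmod 755 "$1" "$1/wp-admin" "$1/wp-includes"
  fi
}
tmp=$(mktemp -d); make_tree "$tmp/weak/public" weak; make_tree "$tmp/good/public" hardened
audit_wp "$tmp/weak/public" || echo "weak site: $? finding(s)"   # 7 findings
audit_wp "$tmp/good/public" && echo "hardened site: 0 findings"
```

Point audit_wp at a real document root to get the same report for your own install; a finding count of 0 means every check above passed.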
THANK YOU FOR YOUR ATTENTION