Download pptx - Hardening WordPress Security

Hardening WordPress Security

WordPress Day 2015 - Pordenone, Italy

What is security?(http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)

Risk reduction

SECURITYBecause sometimes a Rottweiler is not enough

Why we need more security?

WordPress Popularity, Market Share and Responsibility

No CMS

WordPress

Joomla

Drupal

0 10 20 30 40 50 60 70

Usage of content management systems for websites

Market Share Usage

http://w3techs.com/technologies/overview/content_management/all

What are the dangers?

- Social Engineering- Human Mistakes- Brute Force Attacks- WordPress Vulnerabilities- Web Server Vulnerabilities- Network Vulnerabilities- FTP- File Permissions- And other beautiful things…

Solutions

Backup!Modern Task Runner for PHP

Use strong passwords

Insecure examples

adminmysite123mysitenamemyname4321password

Secure examples

-yCpHuHJ68fRtB805i"kaN4Y]99Z)[/ylaJN&3388wu1530Cx;73kRz\N1/K>9'51]9~495°1'N434g&h51I78x3?M

Stay updated!

Update WordPress CoreUpdate ThemesUpdate Plugins

Remove Version Reference

Deny access / delete readme.html

Deny access / delete readme.html

# .htaccess<files readme.html>Order allow,denyDeny from all</files>

Remove WordPress Version

// ** functions.phpfunction wp_remove_version() { return '';}add_filter('the_generator', 'wp_remove_version');

Secure your login

Secure your login- .htaccess Authentication- Limit attempts- Restrict to certain IPs- Hide- Capcha- Two Factor Authentication- HTTPS

.htaccess Authentication(example with http://www.htaccesstools.com/)

.htaccess Authentication(example with http://www.htaccesstools.com/)

Limit attempts

Restrict to certain IPs

# .htaccessorder deny,allowdeny from allallow from 1.2.3.4

Restrict to certain IPs

Hide your login# BEGIN Hidden loginRewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword

RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-adminRewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login\.phpRewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-areaRewriteCond %{QUERY_STRING} !âction=logoutRewriteCond %{QUERY_STRING} !âction=lostpasswordRewriteCond %{REQUEST_METHOD} !POSTRewriteRule ^wp-login\.php http://%{SERVER_NAME}/secured-area? [R,L]

RewriteCond %{QUERY_STRING} ^loggedout=trueRewriteRule . http://%{SERVER_NAME}/? [L]# END Hidden login

Hide your login

Captcha on login

Two-Factor Authentication

Is there anything more?

Admin user

Admin user- Don’t use «admin» as username- Or change «admin» role

Change WordPress Structure


From this..


..to this

Change WordPress Structure# BEGIN WordPress<IfModule mod_rewrite.c>

RewriteEngine OnRewriteBase /RewriteRule îndex\.php$ - [L]

# RedirectRewriteRule ^wp-admin$ wp-admin/ [R,L]RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]

RewriteCond %{REQUEST_FILENAME} !-f [OR]RewriteCond %{REQUEST_FILENAME} !-dRewriteRule ^ - [L]RewriteRule ^(.*\.php)$ /$1 [L]RewriteRule . /index.php [L]

</IfModule># END WordPress


// ** index.phpdefine( 'WP_USE_THEMES', true );require( __DIR__ . '/application/wp-blog-header.php‘ );

// ** wp-config.phpdefine('WP_CONTENT_DIR', dirname(__FILE__) . '/public' );define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' );define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' );define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );

Htaccess Tips and Tricks

Disable Directory Browsing

# .htaccessOptions All -Indexes

Protect your .htaccess

# .htaccess<files .htaccess>Order allow,denyDeny from all</files>

Protect your configuration

# .htaccess<files wp-config.php>Order allow,denyDeny from all</files>

Deny access to xmlrpc.php

# .htaccess<files xmlrpc.php>Order allow,denyDeny from all</files>

Prevent WordPress users listing

http://www.yourbeautifulsite.org/?author=1http://www.yourbeautifulsite.org/?author=2http://www.yourbeautifulsite.org/?author=3http://www.yourbeautifulsite.org/?author=4[…]

# .htaccessRewriteCond %{QUERY_STRING} (^|&)author=RewriteRule . http://%{SERVER_NAME}/? [L]

Deny php execution from upload directory

# /path/to/upload-folder/.htaccess<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">Allow from all</Files>

Rewrite assets permalinks

# .htaccessRewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]RewriteRule îmg/(.*) /public/themes/mytheme/images/$1 [QSA,L]

WP-config Tricks

WP-config Tricks

- Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/)

- Override File Permissions- Change WP Db Prefix

Disable Plugins install/updates

// ** wp-config.phpdefine( DISALLOW_FILE_EDIT', true );define( DISALLOW_FILE_MODS', true );

Check installed Themes/Plugins

- Remove inactive themes/plugins- Remove useless themes/plugins- Evaluate code integration

Blackhole

Blackhole(http://perishablepress.com/blackhole-bad-bots/)

# END Blackholde

<ifModule mod_rewrite.c>RewriteEngine OnRewriteBase /RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]</ifModule>

# END Blackhole

Tools

Tools

Sucury Security Plugin

Help us to check our WordPress Project Vulnerabilities

Monitoring time series database for monitoring your application

https://influxdb.com/

Web Server Infrastructure

Codex References

http://codex.wordpress.org/Hardening_WordPresshttp://codex.wordpress.org/Administration_Over_SSLhttp://codex.wordpress.org/Editing_wp-config.php

Questions?

NO

Thanks

Mattia Piovano@shadow_droid

https://joind.in/15557