Hardening WordPress. Few steps to more secure installation



    Few steps to more secure installation

    marcin at chwedziak.pl

    WORDUP WROCŁAW #2 27.06.2013

    Update: 28.01.2015

  • Marcin Chwedziak, @tiraeth

  • chwedziak.pl software development

  • June 11, 2013: WordPress Bug in 'class-phpass.php' Lets Remote Users Deny Service

  • April 15, 2013: WordPress Hackers Exploit Username "Admin"

  • April 14, 2013: Admin Password Spells Trouble In Recent WordPress Attacks

  • April 12, 2013: Brute Force Attacks Build WordPress Botnet

  • April 11, 2013: Global WordPress Brute Force Flood

  • Only 60% of all WordPress websites are up to date with the latest version.

  • At the same time, almost 40% of WordPress installations use old and potentially insecure versions.

    based on pingomatic.com data

  • There are around 670 million websites on the web.

    June 2013 Web Server Survey, Netcraft Ltd.

  • More than 67 million (10%) use WordPress!


  • Every minute hundreds of thousands of IPs are being attacked.

  • Including the one that runs your server.

  • How to deal with it?



    The number of possible system entry points should be reduced to a minimum.

  • Access to file system.

    Use SFTP or FTPS instead of FTP.

  • SFTP (SSH File Transfer Protocol) allows using key-based authentication.

    Google: SSH with public key

  • FTPS encrypts our password while connecting.

    A regular FTP connection allows sniffing the password.

  • Access to file system.

    Wisely manage file permissions.

  • Root directory: only you
    .htaccess is an exception, but

  • /wp-admin/: only you

  • /wp-includes/: only you

  • /wp-content/: you and Apache

  • /wp-content/themes/: you

  • /wp-content/plugins/: you

    File edit within WordPress should be disabled too:

    define('DISALLOW_FILE_EDIT', true);

  • Access to file system.

    Move wp-config.php one level up, or block access to it using .htaccess:

    # Apache 2.2 access-control syntax (Apache 2.4 uses "Require all denied")
    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>

  • Access to file system.

    Block direct access to PHP files. Put these rules before the block WordPress generates itself (the one starting with "# BEGIN WordPress"):

    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # BEGIN WordPress

    Remember this won't work with MultiSite!

  • Access to database.

    Use a separate database for WordPress.

  • Access to database.

    Change the default table prefix from wp_ to e.g. kraken_.

  • Modify the table prefix setting inside wp-config.php.

    Don't forget to alter the tables in MySQL too!

  • Access to admin panel.

    If you use the admin account, change its name!

  • Access to admin panel.

    Add BasicAuth for /wp-admin/.

  • Create .htaccess and .htpasswd files.

  • And don't forget to exclude admin-ajax.php, which must stay reachable without the extra login:

    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

  • Access to admin panel.

    Use extra plugins to block unsuccessful sign-ins.


    The system configuration should minimize the number of actions an attacker can perform after gaining access.

  • Always have a recent WordPress version.

  • Same for all your plugins! And if you stop using any, remove them.

  • Disable file edit from the WordPress panel.

  • Limit the MySQL user to have access only to the WordPress database.

  • define('DISALLOW_UNFILTERED_HTML', true);
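    The following audit function is an added example, not code from the talk: it checks a WordPress tree against the points made above (wp-config.php moved out of the web root, wp-admin/ and wp-includes/ writable only by the owner, DISALLOW_FILE_EDIT and DISALLOW_UNFILTERED_HTML set, a non-default table prefix). It assumes the web root path is passed as its argument, that wp-config.php lives there or one level above it, and that GNU find (the -perm /mode form) is available.

```shell
#!/bin/sh
# Added audit helper (not part of the talk). Assumption: $1 is the WordPress
# web root; wp-config.php is looked for in that root or one level above it.
# Prints one "FINDING:" line per problem and returns the number of findings.
wp_audit() {
    root="$1"
    findings=0
    cfg=""
    # wp-config.php inside the web root is a finding; one level up is the goal.
    if [ -f "$root/wp-config.php" ]; then
        echo "FINDING: wp-config.php is inside the web root, move it one level up"
        findings=$((findings + 1))
        cfg="$root/wp-config.php"
    elif [ -f "$root/../wp-config.php" ]; then
        cfg="$root/../wp-config.php"
    fi
    # Core directories must not be writable by group or others ("only you").
    for d in wp-admin wp-includes; do
        [ -d "$root/$d" ] || continue
        n=$(find "$root/$d" -perm /022 | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "FINDING: $n entries under $d/ are writable by group or others"
            findings=$((findings + 1))
        fi
    done
    if [ -n "$cfg" ]; then
        # Each hardening constant must be defined as true.
        for k in DISALLOW_FILE_EDIT DISALLOW_UNFILTERED_HTML; do
            if ! grep -Eq "define\([[:space:]]*'$k'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
                echo "FINDING: $k is not set to true in $cfg"
                findings=$((findings + 1))
            fi
        done
        # The talk recommends replacing the default wp_ table prefix.
        if grep -Eq '[$]table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg"; then
            echo "FINDING: default table prefix wp_ is still in use"
            findings=$((findings + 1))
        fi
    else
        echo "FINDING: wp-config.php not found in $root or its parent"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

    Run it as wp_audit /var/www/html; a non-zero exit status means at least one of the points above still needs attention.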


    We should always be ready to act if there is a security incident.

  • Be prepared to replay the installation at any time.

  • Back up your website regularly.

  • Both the database and the WordPress files.

  • The more you publish, the more often you should back up.

  • Hide all PHP errors from being displayed.

    define('WP_DEBUG', false);
    define('WP_DEBUG_LOG', false);
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('display_errors', 0);

  • But remember to collect them for analysis.

    https://github.com/ryanbagwell/wordpress-sentry

  • Review the event log.

  • ModSecurity

  • OSSEC

    File monitor

    Log monitor

  • The most effective way of being secure is prevention.

  • However, to sleep well, regularly monitor your website.

  • Questions?

