Hardening WordPress. Few steps to a more secure installation


  • HARDENING WORDPRESS

    Few steps to a more secure installation

    marcin at chwedziak.pl

    WORDUP WROCŁAW #2 27.06.2013

    Update: 28.01.2015

  • @Kraeth

    Marcin Chwedziak

    twitter.com/Kraeth, github.com/Kraeth

  • chwedziak.pl software development

  • June 11, 2013

    securitytracker.com

    WordPress Bug in 'class-phpass.php' Lets Remote Users Deny Service

  • April 15, 2013

    webmonkey.com

    WordPress Hackers Exploit Username "Admin"

  • April 14, 2013

    phys.org

    Admin Password Spells Trouble In Recent WordPress Attacks

  • April 12, 2013

    krebsonsecurity.com

    Brute Force Attacks Build WordPress Botnet

  • April 11, 2013

    blog.hostgator.com

    Global WordPress Brute Force Flood

  • Only 60% of all WordPress websites are up to date with the latest version.

    based on pingomatic.com data

  • At the same time, almost 40% of WordPress installations use old and potentially insecure versions.

    based on pingomatic.com data

  • There are around 670 million websites on the web.

    June 2013 Web Server Survey, Netcraft Ltd.

  • More than 67 million (10%) use WordPress!

    wordpress.com/stats

  • Every minute hundreds of thousands of IPs are being attacked.

  • Including the one that runs your server.

  • How to deal with it?

  • CONTROL / LIMIT / HAVE A PLAN

  • CONTROL

    The number of possible system entry points should be reduced to a minimum.

  • Access to file system.

  • Access to file system.

    Use SFTP or FTPS instead of FTP.

  • SFTP (SSH File Transfer Protocol) allows key-based authentication.

    Google: SSH with public key

  • FTPS encrypts our password while connecting.

    A regular FTP connection lets anyone on the path sniff the password.

  • Access to file system.

    Wisely manage file permissions.

  • Root directory: only you

    .htaccess is an exception, but

  • /wp-admin/: only you

  • /wp-includes/: only you

  • /wp-content/: you and Apache

  • /wp-content/themes/: you

  • /wp-content/plugins/: you

    File edit within WordPress should be disabled too:

    define('DISALLOW_FILE_EDIT', true);
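    The permission scheme above as one shell function. This is an added example, not a script from the talk; it assumes Linux, that you deploy as the user given as the second argument, that Apache runs under the group given as the third (e.g. www-data, which the slides do not name), and that wp-config.php sits either in the document root or one level above it. "Only you" is implemented as owner-write-only (755/644), so Apache can read and serve the files but not modify them; "you and Apache" as group-writable with the setgid bit, so files Apache creates in uploads and caches keep the web group.

```shell
#!/bin/sh
# Added example: apply the ownership layout from the slides to a WordPress tree.
# wp_apply_perms DOCROOT OWNER WEBGROUP   (names are placeholders, not from the deck)
wp_apply_perms() {
  docroot=$1
  owner=$2
  webgroup=$3

  # Baseline for the whole tree (root, wp-admin, wp-includes): only you may write.
  chown -R "$owner" "$docroot"
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +

  # wp-content: you and Apache. setgid on directories keeps new files in the web group.
  chgrp -R "$webgroup" "$docroot/wp-content"
  find "$docroot/wp-content" -type d -exec chmod 2775 {} +
  find "$docroot/wp-content" -type f -exec chmod 664 {} +

  # ...except themes and plugins, which go back to "only you": PHP files the web
  # server itself can write are exactly what a compromised plugin wants.
  for d in themes plugins; do
    [ -d "$docroot/wp-content/$d" ] || continue
    find "$docroot/wp-content/$d" -type d -exec chmod 755 {} +
    find "$docroot/wp-content/$d" -type f -exec chmod 644 {} +
  done

  # wp-config.php holds the database password: readable by you and the web
  # server group, by nobody else. Checked in both places the slides allow.
  for f in "$docroot/wp-config.php" "$docroot/../wp-config.php"; do
    if [ -f "$f" ]; then
      chown "$owner:$webgroup" "$f"
      chmod 640 "$f"
    fi
  done
  return 0
}

# Example call (placeholder paths and names):
# wp_apply_perms /var/www/example.com/htdocs marcin www-data
```

    Run it again after every deployment or plugin install; a plugin that "needs" write access to its own directory is asking for the permission that makes backdoors persistent.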

  • Access to file system.

    Move wp-config.php one level up (WordPress also looks for it in the parent directory of the install, which keeps it outside the web root)

  • or block access to it using .htaccess:

    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>

  • Access to file system.

    Block direct access to PHP files.

  • Put this in .htaccess, above the # BEGIN WordPress marker (the [S=3] rule skips the three wp-includes rules for every path outside wp-includes):

    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # BEGIN WordPress

    Remember this won't work with Multisite!

  • Access to database.

  • Access to database.

    Separate WordPress database.

  • Access to database.

    Change the default table prefix from wp_ to e.g. kraken_.

  • Modify the $table_prefix variable inside wp-config.php.

    Don't forget to rename the tables in MySQL, and the prefixed keys stored inside wp_options and wp_usermeta!

  • Access to admin panel.

  • Access to admin panel.

    If you use the admin account, change its name!

  • Access to admin panel.

    Add BasicAuth for /wp-admin/.

  • Create a .htaccess in /wp-admin/ (AuthType Basic, AuthUserFile pointing at the .htpasswd) and the .htpasswd file itself, preferably outside the document root

  • and don't forget to exclude admin-ajax.php, which themes and plugins call from the front end without credentials:

    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

    (Apache 2.4 syntax: Require all granted)

  • Access to admin panel.

    Use extra plugins to block repeated unsuccessful sign-ins.

  • LIMIT

    System configuration should minimize the number of actions that can be performed after access has been granted.

  • Always have a recent WordPress version.

  • Same for all your plugins! And if you stop using any, remove them.

  • Disable file edit from the WordPress panel.

  • Limit MySQL user to have access only to WordPress database.

  • define('DISALLOW_UNFILTERED_HTML', true);

    Removes the unfiltered_html capability from every user, so even administrators and editors cannot post raw script tags.
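    The three database steps from the slides (a separate database with a user limited to it, the table prefix change, renaming the admin account) as SQL, generated by shell functions so you can read the statements before piping them into mysql. This is an added example, not part of the talk; the database name, user and password are placeholders, kraken_ is the prefix the slides use, and the privilege list is what WordPress needs for its own updates and plugin tables (DDL on its own schema, nothing ON *.*). The prefix change assumes the site is offline while you run it.

```shell
#!/bin/sh
# Added example (not from the slides): SQL for the database hardening steps.

# 1. Separate database + a user that can touch nothing else.
#    wp_db_user_sql DB USER HOST PASSWORD   (all placeholders)
wp_db_user_sql() {
  db=$1; user=$2; host=$3; password=$4
  printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
  printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$password"
  # WordPress needs DDL rights for core/plugin updates, but only on its own schema.
  printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
  printf 'FLUSH PRIVILEGES;\n'
}

# 2. Table prefix change: RENAME every table, then fix the two places where
#    WordPress stores the prefix inside rows: wp_options.wp_user_roles and the
#    wp_usermeta keys (wp_capabilities, wp_user_level, ...). Skip step two and
#    every account loses its role ("You do not have sufficient permissions").
#    wp_prefix_sql OLD NEW table...   (table names without prefix)
wp_prefix_sql() {
  old=$1; new=$2; shift 2
  for t in "$@"; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" "$new" "$new" "$old"
  # LEFT()/SUBSTRING() instead of LIKE 'wp_%': the '_' in a LIKE pattern is a wildcard.
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
    "$new" "$new" "$((${#old} + 1))" "${#old}" "$old"
}

# 3. Rename the default "admin" login. user_nicename feeds author URLs, so it
#    changes too; posts reference the author by ID and are unaffected.
#    wp_rename_admin_sql PREFIX NEWLOGIN
wp_rename_admin_sql() {
  prefix=$1; newlogin=$2
  printf "UPDATE \`%susers\` SET user_login = '%s', user_nicename = '%s', display_name = '%s' WHERE user_login = 'admin';\n" \
    "$prefix" "$newlogin" "$newlogin" "$newlogin"
}

# Core tables of a single-site install (plugins add their own; list them too).
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# Example (placeholders):
# { wp_db_user_sql wp_site wp_site_user localhost 's3cret'; wp_prefix_sql wp_ kraken_ $WP_CORE_TABLES; wp_rename_admin_sql kraken_ marcin; } | mysql -u root -p
```

    Take a backup first, and grep the generated output for any plugin tables you forgot to list: a table left with the old prefix silently disappears from WordPress's point of view.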

  • HAVE A PLAN

    We should always be ready to act if there is a security incident.

  • Be prepared to rebuild the installation from scratch at any time.

  • Backup your website regularly.

  • Both database and WordPress les.

  • The more you publish, the more often you should back up.

  • Hide all PHP errors from being displayed.

  • define('WP_DEBUG', false);
    define('WP_DEBUG_LOG', false);
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('display_errors', 0);

  • But remember to collect them for analysis.

  • https://github.com/ryanbagwell/wordpress-sentry

  • Review event log.

  • ModSecurity OSSEC

    File monitor

    Log monitor
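    What a log monitor actually looks for, on the brute-force traffic from the news slides at the start: an added example, not from the talk or from OSSEC/ModSecurity. It assumes Apache's "combined" log format (client IP in field 1, method in field 6 with its opening quote, path in field 7, status in field 9) and a threshold you choose; the log lines are constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# Added example: flag client IPs hammering wp-login.php / xmlrpc.php.

# Constructed sample lines (documentation-range IPs), not a real access log.
SAMPLE_LOG='203.0.113.7 - - [27/Jun/2013:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2013:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2013:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2013:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2013:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Jun/2013:10:00:05 +0200] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Jun/2013:10:00:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jun/2013:10:00:10 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [27/Jun/2013:10:00:10 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [27/Jun/2013:10:00:11 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [27/Jun/2013:10:00:12 +0200] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

# Reads a log on stdin; prints "IP count" for every client that POSTed to a
# login endpoint at least $1 times. xmlrpc.php counts because its
# wp.getUsersBlogs method is the other password-guessing channel.
wp_bruteforce_ips() {
  awk -v limit="$1" '
    $6 == "\"POST" && (index($7, "/wp-login.php") == 1 || index($7, "/xmlrpc.php") == 1) { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) printf "%s %d\n", ip, hits[ip] }
  ' | sort
}

# Failed logins only. On a stock install a successful wp-login.php POST
# answers 302 (redirect to wp-admin); a 200 is the form shown again.
wp_failed_login_ips() {
  awk -v limit="$1" '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 != 302 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) printf "%s %d\n", ip, fails[ip] }
  ' | sort
}

# Example: the two noisy clients in the sample, threshold 3.
printf '%s\n' "$SAMPLE_LOG" | wp_bruteforce_ips 3
```

    Run over the real access log (`wp_bruteforce_ips 20 < /var/log/apache2/access.log`) this is a one-off review; OSSEC's log rules or fail2ban do the same continuously and hand the offending IP to the firewall, which is what the "block unsuccessful sign-ins" plugins do in PHP, one request too late.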

  • The most effective way of being secure is prevention.

  • However, to sleep well, monitor your website regularly.

  • Questions?

  • THANK YOU FOR YOUR ATTENTION
