Hardening WordPress Security


WordPress Day 2015 - Pordenone, Italy

What is security? (http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)

Risk reduction

SECURITY
Because sometimes a Rottweiler is not enough

Why do we need more security?

WordPress Popularity, Market Share and Responsibility

http://w3techs.com/technologies/overview/content_management/all

What are the dangers?

- Social Engineering
- Human Mistakes
- Brute Force Attacks
- WordPress Vulnerabilities
- Web Server Vulnerabilities
- Network Vulnerabilities
- FTP
- File Permissions
- And other beautiful things

Solutions

Backup!

Modern Task Runner for PHP

Use strong passwords

Insecure examples

- admin
- mysite123
- mysitename
- myname4321
- password

Secure examples

-yCpHuHJ68fRtB805i"kaN4Y]99Z)[/ylaJN&3388wu1530Cx;73kRz\N1/K>9'51]9~4951'N434g&h51I78x3?M
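The slide contrasts guessable passwords with generated ones but does not say what makes the first group weak. The added checker below (example code written for this page, not part of the original deck) scores a password on length, character classes, estimated entropy, predictable words and digit runs, and reports every rule it fails. It assumes the insecure list from the slide and, as the "secure" sample, the first 18 characters of the run-together string shown above; the common-word list and the site tokens ("mysite", "myname") are constructed stand-ins for a real breached-password list and the site's own name and user names.

```python
import math
import re

# Constructed sample values: the insecure list from the slide and an 18-character
# prefix of the slide's generated string (assumption: both are illustrative
# values, not anyone's real credentials)
INSECURE_EXAMPLES = ["admin", "mysite123", "mysitename", "myname4321", "password"]
SECURE_EXAMPLE = "-yCpHuHJ68fRtB805i"

# Words a password must not be built from. COMMON_WORDS is a tiny stand-in for a
# real breached-password list; site_tokens (site name, user name, company) are
# supplied per site by whoever runs the check.
COMMON_WORDS = {"admin", "password", "passw0rd", "123456", "qwerty", "letmein", "welcome"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
CLASS_SIZES = (26, 26, 10, 33)

MIN_LENGTH = 12
MIN_CLASSES = 3
MIN_ENTROPY_BITS = 60.0


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: length * log2(size of the smallest charset that covers pw)."""
    size = sum(n for pat, n in zip(CLASS_PATTERNS, CLASS_SIZES) if re.search(pat, pw))
    return len(pw) * math.log2(size) if size else 0.0


def has_sequential_digits(pw: str, length: int = 4) -> bool:
    """True if pw contains an ascending or descending digit run such as 1234 or 4321."""
    for run in re.findall(r"\d{%d,}" % length, pw):
        for i in range(len(run) - length + 1):
            window = run[i:i + length]
            steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def check_password(pw: str, site_tokens=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(pat, pw)) for pat in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character class(es), need {MIN_CLASSES}")
    if entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {entropy_bits(pw):.0f} bits < {MIN_ENTROPY_BITS:.0f}")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS | {t.lower() for t in site_tokens if t}):
        if word in lowered:
            problems.append(f"contains predictable word '{word}'")
    if has_sequential_digits(pw):
        problems.append("contains a sequential digit run")
    return problems


if __name__ == "__main__":
    for pw in INSECURE_EXAMPLES + [SECURE_EXAMPLE]:
        verdict = check_password(pw, site_tokens=("mysite", "myname"))
        print(f"{pw!r:24} {'OK' if not verdict else '; '.join(verdict)}")
```

Every password on the insecure list fails at least two rules, and the site-token check is the one a generic meter misses: "mysite123" and "myname4321" are weak mainly because they are built from names an attacker can read off the site itself.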

Stay updated!

- Update WordPress Core
- Update Themes
- Update Plugins

Remove Version Reference

Deny access / delete readme.html

# .htaccess
<Files readme.html>
    Order allow,deny
    Deny from all
</Files>

Remove WordPress Version

// ** functions.php
function wp_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_remove_version');
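The the_generator filter above removes the generator meta tag, but that is only one of the places a WordPress version shows up. The added scanner below (example code written for this page, not from the deck) parses a constructed page head and lists every version string a visitor can read: the generator tag and the ?ver= query strings WordPress appends to enqueued scripts and styles. The second sample is the same page with the meta tag removed, which is what the filter achieves; the asset versions are still there. The host example.test and the version numbers are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a WordPress page head before any hardening
# (example host and versions; not captured from a real site)
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<link rel='stylesheet' id='theme-css' href='http://example.test/wp-content/themes/mytheme/style.css?ver=4.2.2' type='text/css' media='all' />
<script type='text/javascript' src='http://example.test/wp-includes/js/jquery/jquery.js?ver=1.11.2'></script>
</head><body><p>Hello</p></body></html>"""

# The same page after add_filter('the_generator', ...) returns '': the meta tag
# is gone, but the ?ver= query strings on enqueued assets are untouched
SAMPLE_HTML_AFTER_FILTER = SAMPLE_HTML.replace(
    '<meta name="generator" content="WordPress 4.2.2" />\n', "")

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
VER_PARAM_RE = re.compile(r"[?&]ver=([^&#]+)")


class VersionLeakScanner(HTMLParser):
    """Collect (kind, value) pairs for every place a version string shows up."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.leaks.append(("meta-generator", a.get("content", "")))
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if url:
            m = VER_PARAM_RE.search(url)
            if m:
                self.leaks.append(("asset-ver", m.group(1)))


def find_version_leaks(html: str) -> list:
    """Every generator tag and ?ver= parameter found in the page, in document order."""
    scanner = VersionLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.leaks


def leaked_versions(html: str) -> set:
    """Distinct version numbers a visitor can read off the page."""
    found = set()
    for _, value in find_version_leaks(html):
        m = VERSION_RE.search(value)
        if m:
            found.add(m.group(0))
    return found


if __name__ == "__main__":
    print("before filter:", leaked_versions(SAMPLE_HTML))
    print("after filter: ", leaked_versions(SAMPLE_HTML_AFTER_FILTER))
```

The core version 4.2.2 survives the filter because the theme stylesheet is enqueued without its own version and WordPress falls back to the core version for the ?ver= parameter. To strip those, add filters on script_loader_src and style_loader_src that return remove_query_arg('ver', $src); readme.html, covered by the previous slide, is the third place the same number is published.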

Secure your login

- .htaccess Authentication
- Limit attempts
- Restrict to certain IPs
- Hide
- Captcha
- Two Factor Authentication
- HTTPS

.htaccess Authentication (example with http://www.htaccesstools.com/)


Limit attempts

Restrict to certain IPs

# .htaccess (placed in wp-admin/ it restricts the whole admin area;
# wrap it in <Files wp-login.php> to restrict the login page alone)
order deny,allow
deny from all
allow from 1.2.3.4


Hide your login

# BEGIN Hidden login
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword

RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login\.php http://%{SERVER_NAME}/secured-area? [R,L]

RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login


Captcha on login

Two-Factor Authentication

Is there anything more?

Admin user

- Don't use admin as username
- Or change the admin role

Change WordPress Structure

Change WordPress Structure

From this..
..to this

Change WordPress Structure

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]

# Serve existing files and directories as they are (these two conditions
# must not be negated, or every request stops here and never reaches index.php)
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.*\.php)$ /$1 [L]
RewriteRule . /index.php [L]
# END WordPress

Change WordPress Structure

// ** index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php' );

// ** wp-config.php
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/application' );
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );

Htaccess Tips and Tricks

Disable Directory Browsing

# .htaccess
Options All -Indexes

Protect your .htaccess

# .htaccess
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

Protect your configuration

# .htaccess
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

Deny access to xmlrpc.php

# .htaccess
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>

Prevent WordPress users listing

http://www.yourbeautifulsite.org/?author=1
http://www.yourbeautifulsite.org/?author=2
http://www.yourbeautifulsite.org/?author=3
http://www.yourbeautifulsite.org/?author=4

# .htaccess
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]

Deny php execution from upload directory

# /path/to/upload-folder/.htaccess
# Deny everything, then re-allow static media only (the extension list is an
# assumption: extend it to the file types your site legitimately uploads)
Order deny,allow
Deny from all
<FilesMatch "\.(jpe?g|png|gif|webp|svg|pdf|css|js|mp4|mp3|zip)$">
    Allow from all
</FilesMatch>
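Blocking execution is the mitigation; a practitioner also wants to know whether script files are already sitting in the uploads tree and whether the .htaccess is actually in place. The added audit below (example code written for this page, not from the deck) walks a constructed uploads directory, flags any file whose name carries a PHP-style extension anywhere in it (so image.php.jpg is caught, not only x.php), and reports whether the folder's .htaccess contains a "Deny from all". The hardened .htaccess it drops in is the deny-all / allow-media reconstruction from the slide; the file-type list is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Anything a PHP handler might execute, including double extensions such as
# image.php.jpg, which some misconfigured handlers still run
SCRIPT_NAME_RE = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
DENY_RE = re.compile(r"^\s*deny\s+from\s+all\b", re.IGNORECASE | re.MULTILINE)

# The .htaccess the slide describes, reconstructed (assumption: deny everything,
# then allow back only the static media types an uploads folder should serve)
HARDENED_HTACCESS = """Order deny,allow
Deny from all
<FilesMatch "\\.(jpe?g|png|gif|webp|svg|pdf|css|js|mp4|mp3|zip)$">
    Allow from all
</FilesMatch>
"""


def audit_uploads(root) -> tuple:
    """Return (sorted script-like files under root, whether root/.htaccess denies access)."""
    root = Path(root)
    findings = [
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and SCRIPT_NAME_RE.search(p.name)
    ]
    htaccess = root / ".htaccess"
    protected = htaccess.is_file() and DENY_RE.search(htaccess.read_text()) is not None
    return sorted(findings), protected


def build_sample_tree(base) -> Path:
    """Constructed uploads tree: two images plus two files that should never be there."""
    base = Path(base)
    (base / "2015" / "05").mkdir(parents=True)
    (base / "2015" / "05" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "2015" / "05" / "logo.png").write_bytes(b"\x89PNG")
    (base / "2015" / "05" / "image.php.jpg").write_text("placeholder, not a real script\n")
    (base / "cache").mkdir()
    (base / "cache" / "x.phtml").write_text("placeholder, not a real script\n")
    return base


def run_demo() -> tuple:
    """Audit the constructed tree before and after dropping the hardened .htaccess in."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = audit_uploads(tmp)
        (Path(tmp) / ".htaccess").write_text(HARDENED_HTACCESS)
        after = audit_uploads(tmp)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

The .htaccess only stops Apache from serving the files; the two flagged names are still on disk after hardening, so the audit should run on a schedule and anything it reports should be investigated and removed. A whitelist of media types also means a new upload type (a .docx, say) needs to be added to the FilesMatch list before it will be served.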

Rewrite assets permalinks

# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]

WP-config Tricks

WP-config Tricks

- Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Override File Permissions
- Change WP Db Prefix

Disable Plugins install/updates

// ** wp-config.php
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );

Check installed Themes/Plugins

- Remove inactive themes/plugins
- Remove useless themes/plugins
- Evaluate code integration
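The wp-config slides list three settings to get right (salts, table prefix, DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS) but give no way to verify them across many installs. The added audit below (example code written for this page, not part of the deck) parses the define() calls and $table_prefix out of a wp-config.php and reports placeholder or duplicated salts, the default wp_ prefix, and missing file-modification constants. Both configs are constructed: the weak one uses the stock placeholder phrase, and the hardened one uses deterministic filler strings standing in for the values api.wordpress.org would generate.

```python
import re
import string

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what a fresh wp-config-sample.php ships with
MIN_SALT_LENGTH = 32

# Constructed wp-config.php fragment with the weak settings the slides warn about
WEAK_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "".join(
    f"define('{key}', '{PLACEHOLDER}');\n" for key in SALT_KEYS
) + "$table_prefix  = 'wp_';\ndefine('WP_DEBUG', false);\n"

# Printable characters minus quote and backslash, so the filler is a valid PHP string
_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def _filler(n: int) -> str:
    """Deterministic 64-character filler standing in for a real random salt (constructed)."""
    return "".join(_ALPHABET[(i * 7 + n * 11) % len(_ALPHABET)] for i in range(64))


# The same file after applying the slides' advice
HARDENED_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "".join(
    f"define('{key}', '{_filler(i)}');\n" for i, key in enumerate(SALT_KEYS)
) + "$table_prefix  = 'pdn15_';\ndefine('DISALLOW_FILE_EDIT', true);\ndefine('DISALLOW_FILE_MODS', true);\n"

DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_0-9]+)'\s*,\s*(?:'((?:[^'\\]|\\.)*)'|(true|false))\s*\)", re.IGNORECASE)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_wp_config(text: str) -> dict:
    """Extract string/bool define() constants and the table prefix from wp-config.php source."""
    consts = {}
    for m in DEFINE_RE.finditer(text):
        name, strval, boolval = m.group(1), m.group(2), m.group(3)
        consts[name] = strval if strval is not None else (boolval.lower() == "true")
    pm = PREFIX_RE.search(text)
    return {"constants": consts, "table_prefix": pm.group(1) if pm else None}


def audit_wp_config(text: str) -> list:
    """Return findings for the three wp-config hardening items; empty list means all good."""
    cfg = parse_wp_config(text)
    consts, prefix = cfg["constants"], cfg["table_prefix"]
    findings = []
    salts = [consts.get(k) for k in SALT_KEYS]
    for key, val in zip(SALT_KEYS, salts):
        if val is None:
            findings.append(f"{key} missing")
        elif val == PLACEHOLDER or len(val) < MIN_SALT_LENGTH:
            findings.append(f"{key} is a placeholder or too short")
    present = [s for s in salts if s]
    if len(set(present)) != len(present):
        findings.append("salt values are not all distinct")
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is the default 'wp_'")
    for key in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        if consts.get(key) is not True:
            findings.append(f"{key} not set to true")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(f"{label}: {audit_wp_config(cfg) or 'no findings'}")
```

Run it over each site's wp-config.php from a deployment pipeline rather than by hand; salts left at the placeholder are a common leftover from copying wp-config-sample.php and are worth catching before the site goes live.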

Blackhole

Blackhole (http://perishablepress.com/blackhole-bad-bots/)

# BEGIN Blackhole
RewriteEngine On
RewriteBase /
RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]
# END Blackhole

Tools


Sucuri Security Plugin

Helps us check our WordPress project for vulnerabilities

Monitoring: a time series database for monitoring your application
https://influxdb.com/

Web Server Infrastructure

Codex References

http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Administration_Over_SSL
http://codex.wordpress.org/Editing_wp-config.php

Questions?
NO

Thanks

Mattia Piovano
@shadow_droid
https://joind.in/15557