WordPress Hardening

Ideas for making a WordPress site harder to exploit, without relying on plugins.
(last update: November 2012)

  1. WordCamp Bologna 2012
  2. WordPress Hardening (v3)
  3. About me: 37 years old, born in Turin (Italy), co-founder of mavida.com, WordPress lover.
     http://maurizio.mavida.com
     https://twitter.com/miziomon
     http://www.linkedin.com/in/mauriziopelizzone
  4. Why do we need "hardening"?
  5. (no transcribed text)
  6. Dangers
  7. Dangers:
     1. Info collection
     2. Password brute-force attack
     3. Exploit
     4. Human mistakes
     5. Server vulnerabilities
     6. Network vulnerabilities
     7. File permissions
  8. Dangers (same list as slide 7)
  9. Dangers (same list as slide 7)
  10. (no transcribed text)
  11. Some solutions
  12. Delete readme.html
  13. Prevent user enumeration (?author=n), in .htaccess:
        RewriteCond %{QUERY_STRING} (^|&)author=
        RewriteRule . http://%{SERVER_NAME}/? [L]
      The trailing "?" drops the query string, so any request carrying author= is sent to the home page. Exclude /wp-admin from the condition if editors still need the author filter in the post list.
  14. Hide wp-login / wp-admin / registration:
      1. Block access to login / admin
      2. Prepare a custom login URL
      3. Check key presence
  15. Rewrite rules (cut off on the slide):
        RewriteRule ^login /wp-login.php?key=12345g&
        RewriteCond %{HTTP_REFERER} !^wp-admin …
        RewriteCond %{QUERY_STRING} !^key=12345
        RewriteRule ^app/wp-login.php http://%{SERV
      Full code here: https://gist.github.com/3003290
  16. Deny PHP execution (.htaccess):
        Options All -Indexes
        Order Allow,Deny
        Deny from all
        <Files ~ "\.(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
            Allow from all
        </Files>
        <Files permitted-filename.php>
            Allow from all
        </Files>
      Everything is denied by default and only the listed static extensions, plus one named PHP file, are allowed back, so a PHP file dropped into that directory is never served. Order/Allow/Deny is Apache 2.2 syntax; on 2.4 it needs mod_access_compat or the equivalent Require directives.
  17. Shrink the number of plugins:
      1. Remove inactive plugins
      2. Remove useless plugins
      3. Remove dangerous plugins
      4. (Evaluate integrating the code instead)
  18. Disallow plugin install / update (edit your wp-config.php):
        /** edit your wp-config.php */
        define( 'DISALLOW_FILE_EDIT', true );
        define( 'DISALLOW_FILE_MODS', true );
      DISALLOW_FILE_EDIT removes the theme and plugin file editor from the dashboard; DISALLOW_FILE_MODS also blocks installing and updating plugins, themes and core from the dashboard, so updates must then be deployed another way.
  19. Use STRONG passwords:
        Insecure password   Secure password
        giulia76            D7u8hI928FJYusx
        password            Z5BLl20T8by1524
        123456              TLv7p64P63V5Hr1
        qwerty              6b83668I15qRP2I
        matrix              Um2d4Ejd9T1ExPr
      http://strongpasswordgenerator.com/
  20. Change directory structure
  21. Rename wp-content (edit your wp-config.php):
        /** edit your wp-config.php */
        define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
        define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
  22. Change upload directory
  23. Move WordPress core (edit your wp-config.php):
        /** edit your wp-config.php */
        define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core/' );
        define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );
      and your index.php:
        /** edit your index.php */
        define( 'WP_USE_THEMES', true );
        require( './wordpress-core/wp-blog-header.php' );
      HTTP_HOST comes straight from the client's Host header, and SERVER_NAME may too depending on UseCanonicalName; hard-coding the site's domain in these constants avoids building URLs from client-controlled input.
  24. Structure example
  25. Custom structure example #1
  26. Custom structure example #2
  27. Codex references:
      • http://codex.wordpress.org/Hardening_WordPress
      • http://codex.wordpress.org/Administration_Over_SSL
      • http://codex.wordpress.org/Editing_wp-config.php
  28. Blackhole
  29. Blackhole: http://perishablepress.com/blackhole-bad-bots/
  30. Rules for blackhole (.htaccess):
        RewriteEngine On
        RewriteBase /
        RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
        RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]
      Once wp-content and the core have been moved (slides 21 and 23), requests for the default paths and for phpinfo / phpmyadmin can only come from probes, so they are routed into the blackhole.
  31. Blackhole plugin:
        <?php
        /*
        Plugin Name: blackhole
        Plugin URI: http://maurizio.mavida.com/
        Description: blackhole
        License: GPL
        Version: 0.1
        Author: Maurizio Pelizzone
        Author URI: http://maurizio.mavida.com
        */
        // Front-end requests only: the admin side must never be trapped.
        if ( ! is_admin() ) {
            include( $_SERVER['DOCUMENT_ROOT'] . '/blackhole/blackhole.php' );
        }
  32. File monitor
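Slide 32 only names a file monitor. The script below is an added example, not code from the talk or from the speaker, of the simplest form of one: it records a SHA-256 baseline of every regular file in a WordPress tree and later reports files that were added, modified or removed, which is how a dropped web shell or an edited core file shows up. It assumes sha256sum (coreutils) or shasum is installed; the paths in the usage comment are constructed for illustration. Keep the baseline outside the web root and ideally off the server, because anyone who can write to the tree could otherwise rewrite the baseline too.

```shell
#!/bin/sh
# wp-fim.sh: minimal file-integrity monitor for a WordPress install.
# Added example for the "File monitor" slide; not code from the talk.
# Assumes GNU coreutils sha256sum or perl shasum is available.

# Print "sha256  path" for each file argument, with whichever tool exists.
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# fim_baseline DIR OUT
# Hash every regular file below DIR (paths relative to DIR, so the baseline
# stays valid if the site is moved) and write the sorted list to OUT.
# OUT must live outside DIR, or the baseline would end up monitoring itself.
fim_baseline() {
    dir=$1
    out=$2
    (
        cd "$dir" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            hash_files "$f"
        done
    ) > "$out"
}

# fim_compare DIR BASELINE
# Re-hash DIR and print one line per difference:
#   ADDED    ./path    file not present in the baseline
#   MODIFIED ./path    hash differs from the baseline
#   REMOVED  ./path    file listed in the baseline is gone
# Returns 0 when the tree matches the baseline, 1 when anything changed.
fim_compare() {
    dir=$1
    base=$2
    cur=$(mktemp) || return 2
    fim_baseline "$dir" "$cur"
    # A SHA-256 digest is 64 hex chars followed by two spaces, so the path
    # always starts at column 67; substr keeps paths containing spaces intact.
    changes=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64)
            if (!(p in base))       print "ADDED    " p
            else if (base[p] != h)  print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Command-line use (constructed paths, for illustration):
#   sh wp-fim.sh baseline /var/www/site /root/fim/site.sha256
#   sh wp-fim.sh check    /var/www/site /root/fim/site.sha256
case ${1:-} in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_compare  "$2" "$3" ;;
esac
```

Run the check from cron and alert on a non-zero exit; after a legitimate update, regenerate the baseline so the new hashes become the reference. Directories that change on every request (caches, upload folders) can be excluded from the find in fim_baseline rather than tolerated as constant noise.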
  33. (no transcribed text)
  34. Avoid FTP (credentials and files travel in clear text; use SFTP or SCP instead)
  35. ?
  36. Other. Thank you! Maurizio Pelizzone, @miziomon, maurizio@mavida.com, http://maurizio.mavida.com
