Wordpress Security & Hardening Steps


Steps to make a WordPress installation more secure

Published in: Technology, Business
  • NOTE: on slide 26 I have .htaccess code to block access to the wp-content folder … now that google has changed their algorithm and wants to see a site’s responsive behavior this is probably not a good idea since that may lead google to assume that the site is not “mobile ready”
  • A quick FYI to those who use Backup Buddy. The .htaccess controls I use here will get in the way of the final step of migrating a site using backup buddy ... to rectify remove the .htaccess protections and then re-instate after your migration is complete


  1. HARDENING A WORDPRESS SITE
     Jeff McNear, Plasterdog Web Design, 847/849-7060, jeff@plasterdog.com
     FOR MORE WORDPRESS INFO: http://jeffmcnear.com
  2. WHILE A HACKING INCIDENT DOES SEEM APOCALYPTIC, IT IS SURVIVABLE, AND EVEN AVOIDABLE IF:
     • You anticipate the destruction with backups
     • You have some sort of early alert system
     • You make your site more difficult to compromise than a default install is
  3. RESOURCES:
     CODEX: http://codex.wordpress.org/Hardening_WordPress
     CODE POET: “LOCKING DOWN WORDPRESS” http://build.codepoet.com/2012/07/10/locking-down-wordpress/ - Rachel Baker | Brad Williams | John Ford
     DIGGING INTO WORDPRESS: http://digwp.com/book/ - Chris Coyier & Jeff Starr
     THE TAO OF WORDPRESS: http://wp-tao.com/ - Jeff Starr
     .htaccess made easy: http://htaccessbook.com/ - Jeff Starr
  4. TYPICAL PATHS OF INFECTION:
     The overwhelmingly vast majority of all attacks are automated
     • Entry via login to the site or database
     • Entry via vulnerable files or folders
     TYPICAL POINTS OF ENTRY
     • Insecure server configuration
     • Poor password security practices
     • Outdated code (WordPress core, plugins & themes, PHP version)
  5. TYPICAL TYPES OF INFECTION:
     Roughly 85% of website attacks are Cross-Site Scripting (aka XSS)*
     • Purpose is to inject links into the site itself
     • May be simply spam links intended to fool search engines
     • Can be malicious code that is used to embed coding into the visitor’s machine
     • Intent is to steal information like passwords
     • The more malicious infections are designed to breed and spread from machine to machine
     *Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source.
  6. WHAT ARE THE RISKS OF INFECTION?
     • Unwelcome links inserted into your header or footer (very common: the WordPress Pharma hack … only visible in search results!)
     • Your site can become a source of infection for those who visit it
     • Visitors will be automatically re-directed to another website
     • Search engines will detect insertions and will first publish warnings, and eventually de-list the site
     • Individual ISPs will also detect insertions and will deny access to the site
  7. FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO:
     Many hardening techniques do not require any special tools, knowledge or expertise … just some common sense
  8. KEEP A CLEAN MACHINE
     Eventually we are all going to visit a virused website – have a regular scanning & anti-virus routine
     Remember that you too are vulnerable to inserted code that will monitor & record your keystrokes
  9. TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
     Ideally we should all be using SFTP rather than regular old FTP
     Some would even say that having an SSL certificate for any website is a good idea
     At the very least, use a secure connection when uploading files
  10. KEEP YOUR CODE CURRENT
     A significant portion of core update work has to do with security issues
     The WordPress project has made it dead easy to keep your code current. There is no excuse!
     ALSO: Inactive themes and plugins can be vulnerable to infection … if you aren’t using them, there is no reason to keep them!
  11. AVOID ALLOWING ACCESS WHEN NOT NECESSARY
     • Shut down open registration
     • If you’re not using comments and pingbacks, deactivate them
     • Eliminate inactive users
     • Be selective about permission levels
     • Do not allow shared logins
     • Never use “admin” as a login name – most “brute-force” attacks on WordPress will focus on the “admin” login name
     • If you display author information, DO NOT show the login name!
     • Use complex and secure passwords!
  12. PREPARE FOR THE WORST:
     Backup: the database, the active theme, .htaccess, wp-config.php, robots.txt, index.php
     Record the list of active plugins
     Register your site with webmaster tools:
     GOOGLE: http://www.google.com/webmasters/tools
     BING: http://www.bing.com/toolbox
     SITE SCANNING TOOLS:
     http://sitecheck.sucuri.net/scanner/
     https://www.stopbadware.org/clearinghouse/search
     http://www.unmaskparasites.com/
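The backup list on slide 12 can be turned into a repeatable script. The following is an added example, not code from the slides or from any plugin named here; it assumes a standard WordPress layout under the root you pass in, takes the active theme's directory name as an argument (reading it from the database is out of scope), and records the installed plugin directories as a stand-in for the "active plugins" list. The database dump helper parses the DB_* constants out of wp-config.php and hands the password to mysqldump via MYSQL_PWD rather than the command line, so it does not show up in the process list; it assumes DB_HOST is a plain host name.

```shell
#!/bin/sh
# Added example: archive the files slide 12 says to back up.
# Usage: wp_backup_files /var/www/site twentyfourteen /backups/site-files.tar
#        wp_backup_db    /var/www/site /backups/site-db.sql

# Read a define('NAME', 'value') constant out of wp-config.php (hypothetical helper).
wp_config_value() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

wp_backup_files() {
  root=$1; theme=$2; out=$3
  [ -d "$root" ] || { echo "no such WordPress root: $root" >&2; return 1; }
  list=$(mktemp)   # absolute path, so tar -C does not affect where it is read from
  # Slide 12's file list: .htaccess, wp-config.php, robots.txt, index.php, active theme.
  for f in .htaccess wp-config.php robots.txt index.php "wp-content/themes/$theme"; do
    if [ -e "$root/$f" ]; then
      echo "$f" >> "$list"
    else
      echo "warning: $f not found, skipping" >&2
    fi
  done
  # "Record the list of active plugins": without database access we record the
  # installed plugin directories next to the archive, which still guides a rebuild.
  ls -1 "$root/wp-content/plugins" > "$out.plugins.txt" 2>/dev/null || :
  # -C stores site-relative paths; -T reads the list of files to include.
  tar -cf "$out" -C "$root" -T "$list"
  n=$(wc -l < "$list")
  rm -f "$list"
  echo "archived $n items to $out (plugin list in $out.plugins.txt)"
}

wp_backup_db() {
  cfg="$1/wp-config.php"; out=$2
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
    mysqldump --host="$(wp_config_value "$cfg" DB_HOST)" \
              --user="$(wp_config_value "$cfg" DB_USER)" \
              "$(wp_config_value "$cfg" DB_NAME)" > "$out"
}
```

Run both from cron and copy the results off the server; a backup that lives next to the site is lost with it.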
  13. THE REASONS A WEBMASTER TOOLS CONNECTION IS IMPERATIVE:
     • You cannot communicate directly with Google or Bing without establishing the connection
     • Diagnostic tools are made available
     • Automatic alerts can be requested
     • You can appeal for review and redemption
  14. SECOND LEVEL SECURITY: Configuring the site correctly at the point of original install
     There are small adjustments that can:
     • Make it more difficult for an attacker to edit your files
     • Obscure the structure of your WordPress deployment
     • Lock down access to crucial files and directories
  16. ELIMINATE A COUPLE OF FILES:
     (root)/readme.html
     ISSUE: reveals the version of WordPress at the point of install
     (root)/wp-admin/install.php
     ISSUE: if for some reason the connection between WordPress and the database is broken, this file will activate and display the installation setup page
  17. DISABLE THE FILE EDITOR
     As long as this is still enabled, anyone with admin access to your site will be able to modify files at will
     ADD TO THE wp-config.php FILE:
        // DISABLES FILE EDITING
        define('DISALLOW_FILE_EDIT', true);
  18. DENY INFORMATION TO POTENTIAL ATTACKERS:
     IN THE ACTIVE THEME’S functions.php FILE:
        // REMOVES VERSION INFO
        remove_action('wp_head', 'wp_generator');
        // OBSCURES LOGIN FAILURE MESSAGE
        // (__return_null is a WordPress helper; create_function() was removed in PHP 8)
        add_filter('login_errors', '__return_null');
  19. GIVE WORDPRESS A SEPARATE DIRECTORY: IF ALL OF THE CORE FILES ARE IN AN UNEXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND:
     • Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root of your site
     • In your root directory's index.php, change the line that says:
        require('./wp-blog-header.php');
       to
        require('./newdirectoryname/wp-blog-header.php');
     • Go to the General settings panel. In the box for Site address (URL), change the address to the root directory's URL
  20. MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO THE WP-CONFIG FILE
     These security keys help encrypt the data that is stored in the cookies, which is data that helps WordPress identify your computer as one that is logged into your WordPress website as a certain user. If your WordPress cookies are ever obtained by someone with bad intentions, the encrypted cookie will make it much more difficult, if not impossible, for that individual to compromise your website using your cookies.
  22. THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES
     “The ability to include .htaccess files in specific directories gives you more control of your site’s configuration, optimization, and security.” -Jeff Starr
     While hosting in an environment optimized for WordPress is ideal … it is not always available….
  23. BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE AN .htaccess FILE. ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT WITH THIS CODE ONLY (site-folder-name is the sub-directory WordPress is installed in; for a root install both paths are just /):
        # BEGIN WordPress
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /site-folder-name/
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /site-folder-name/index.php [L]
        </IfModule>
        # END WordPress
  24. NEXT: INCLUDE THE FOLLOWING (outside the WP generated code, since WordPress rewrites everything between its BEGIN and END markers):
        # PROTECT HTACCESS FILE
        <Files .htaccess>
        Order Allow,Deny
        Deny from all
        </Files>
        # SECURE WP-CONFIG.PHP
        <Files wp-config.php>
        Order Deny,Allow
        Deny from all
        </Files>
        # BLOCK THE INCLUDE-ONLY FILES
        RewriteEngine On
        RewriteBase /
        RewriteRule ^wp-admin/includes/ - [F,L]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
        RewriteRule ^wp-includes/theme-compat/ - [F,L]
     (On a multisite install the Codex warns that the ^wp-includes/[^/]+\.php$ rule blocks ms-files.php, which serves uploaded images; omit that one line there.)
  25. AN ADDITIONAL RULE WORTH ADDING:
        # CANONICAL FAVICONS - A COMMON POINT OF ATTACK
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
        RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
        RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
        </IfModule>
  26. SPECIFIC .HTACCESS TO PROTECT WP-CONTENT
     Protects PHP files: allows access to images, CSS, JavaScript and XML files, but denies any other type (note that the pattern omits font and SVG files that many themes serve from wp-content; extend it before relying on it):
        # PREVENT ACCESS TO WP-CONTENT
        Order Deny,Allow
        Deny from all
        <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
        Allow from all
        </Files>
     AND FOR EXTRA CREDIT… KILL PHP EXECUTION IN THESE 2 LOCATIONS:
     /wp-content/uploads/.htaccess
     /wp-includes/.htaccess
        <Files *.php>
        deny from all
        </Files>
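The "kill PHP execution" block on slide 26 is the kind of rule that is easy to forget after a migration or a plugin that regenerates .htaccess, so it is worth installing from a script and pairing with a check for PHP files that have landed in uploads, since that directory should contain media only. The script below is an added example (not from the slides): it appends the slide's block to wp-content/uploads/.htaccess and wp-includes/.htaccess between marker comments so that re-running it does not duplicate the rule, and lists any .php, .phtml or .php[0-9] file under uploads for an alert. The marker comments and the Usage paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: install slide 26's PHP-deny block and look for stray PHP in uploads.
# Usage: wp_deny_php_exec /var/www/site ; wp_find_php_in_uploads /var/www/site

DENY_PHP_BLOCK='# BEGIN deny-php (slide 26)
<Files *.php>
deny from all
</Files>
# END deny-php'

wp_deny_php_exec() {
  root=$1
  for dir in wp-content/uploads wp-includes; do
    ht="$root/$dir/.htaccess"
    mkdir -p "$root/$dir"
    # Idempotent: leave the file alone if our marker is already present,
    # and never overwrite rules someone else put there.
    if [ -f "$ht" ] && grep -q '^# BEGIN deny-php' "$ht"; then
      continue
    fi
    printf '%s\n' "$DENY_PHP_BLOCK" >> "$ht"
  done
}

# Prints the path of every PHP-like file under uploads; returns 1 if any exist.
# Apache's <Files *.php> only matches names ending in .php, so the scan deliberately
# also looks for the .phtml and .php5-style names that Apache may still execute.
wp_find_php_in_uploads() {
  found=$(find "$1/wp-content/uploads" -type f \
          \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}
```

One caveat on the wp-includes half: the Codex rules on slide 24 deliberately leave wp-includes/js/tinymce/ reachable, because older WordPress releases loaded the editor through wp-tinymce.php in that directory; after denying all PHP in wp-includes, open the post editor and confirm it still works.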
  27. SOME ADDITIONAL .htaccess RULES: LOCATION: UPLOADS DIRECTORY
        # secure uploads directory
        <Files ~ ".*\..*">
        Order Allow,Deny
        Deny from all
        </Files>
        <FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
        Order Deny,Allow
        Allow from all
        </FilesMatch>
     => issue: blocks the ability to reach PDF-related URLs by link
  28. LOCATION: WP-ADMIN DIRECTORY
        # SECURE WP-ADMIN FILES
        <FilesMatch ".*">
        Order Deny,Allow
        Deny from all
        Allow from 192.0.2.10   <= the allowed address (example value; use your own)
        </FilesMatch>
     => issue: restricting by IP address is not practical in many cases
  29. LOCATION: ROOT DIRECTORY
        # Denies “hotlinking” of images
        <IfModule mod_rewrite.c>
        RewriteEngine On
        # ultimate hotlink protection
        RewriteCond %{HTTP_REFERER} !^$
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
        RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu\.org|taffys\.org|halfelf\.org|poohnau\.us|elfshot\.org) [NC]
        RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
        </IfModule>
     => issue: this disables the theme screenshot display, so I don’t use it
  30. LOCATION: ROOT DIRECTORY
        # MAKES EXPLICIT LOCATION OF ROBOTS.TXT
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
        RewriteCond %{REQUEST_URI} robots\.txt [NC]
        RewriteRule .* http://example.com/robots.txt [R=301,L]
        </IfModule>
     => issue: seems like overkill
        # MAKES EXPLICIT LOCATION OF SITEMAP
        <IfModule mod_alias.c>
        RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
        RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
        </IfModule>
     => seems like overkill
  31. WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE, IT WILL PREVENT FILES YOU WANT SECURED FROM BEING INDEXED
        User-agent: *
        Disallow: /cgi-bin/
        Disallow: /wp-admin/
        Disallow: /wp-includes/
        Disallow: /wp-content/plugins/
        Disallow: /wp-content/cache/
        Disallow: /wp-content/themes/
        Disallow: /tag/
        Disallow: /trackback/
        Disallow: */trackback/
        Disallow: /index.php  # separate directive for the main script file of WP
        Disallow: /*.php$
        Disallow: /*.js$
        Disallow: /*.inc$
        Disallow: /*.css$
        Allow: /wp-content/uploads/
        Sitemap: http://SITEURL/sitemap_index.xml *
     *(SEO by Yoast generates a reliable sitemap)
  32. PLUGINS OF NOTE: SITE SCANNERS
     wp security scan http://wordpress.org/plugins/wp-security-scan
     Sucuri Security - SiteCheck Malware Scanner http://wordpress.org/plugins/sucuri-scanner
     WordPress File Monitor Plus http://wordpress.org/plugins/wordpress-file-monitor-plus
       Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
     wordpress exploit scanner http://wordpress.org/plugins/exploit-scanner
       This plugin searches the files on your website, and the posts and comments tables of your database, for anything suspicious.
     secure wordpress http://wordpress.org/plugins/secure-wordpress
  33. PLUGINS OF NOTE: MORE SCANNERS
     Wordfence http://wordpress.org/plugins/wordfence/
     Better WP Security http://wordpress.org/plugins/better-wp-security/
     BulletProof Security http://wordpress.org/plugins/bulletproof-security/
  34. PLUGINS OF NOTE: BACKUP
     vaultpress http://wordpress.org/plugins/vaultpress/ (subscription)
     backup buddy http://ithemes.com/purchase/backupbuddy/ (paid)
     WP Migrate DB Pro https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
     backwpup http://wordpress.org/plugins/backwpup/
     backup to dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
     Online Backup for WordPress http://wordpress.org/plugins/wponlinebackup/
     WP-DB-Backup http://wordpress.org/plugins/wp-db-backup/
     WP-DBManager http://wordpress.org/plugins/wp-dbmanager/
     BackUpWordPress http://wordpress.org/plugins/backupwordpress/
  35. PLUGINS OF NOTE: LOGIN LIMITATION
     limit login attempts http://wordpress.org/plugins/limit-login-attempts/
     Login Security Solution http://wordpress.org/plugins/login-security-solution/
     Stealth Login Page http://wordpress.org/plugins/stealth-login-page/
     PLUGINS OF NOTE: CHANGE LOGIN LOCATION
     lockdown wp-admin http://wordpress.org/plugins/lockdown-wp-admin/
     Simple Login Lockdown http://wordpress.org/plugins/simple-login-lockdown/
     Login Security Solution http://wordpress.org/plugins/login-security-solution/
  36. PLUGINS OF NOTE: MIXED BAG
     theme authenticity checker http://wordpress.org/plugins/tac/
     Theme-Check http://wordpress.org/plugins/theme-check/
     Theme Test Drive http://wordpress.org/plugins/theme-test-drive/
     block bad queries http://wordpress.org/plugins/block-bad-queries/ (** Jeff Starr plugin)
     antivirus http://wordpress.org/plugins/antivirus/
  37. NOTHING IS 100% HACK-PROOF, BUT YOU CAN MAKE IT MORE DIFFICULT
     • Keep your code current and work in a clean environment
     • Restrict access to WordPress admin
     • Block access to crucial files
     • Back up crucial files on a regular basis
     • Have a strategy to re-build if the easy solutions elude you