Hardening WordPress Security
WordPress Day 2015 - Pordenone, Italy

What is security?
(http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)

Risk reduction

SECURITYBecause sometimes a Rottweiler is not enough

Why we need more security?

WordPress Popularity, Market Share and
Responsibility

0 10 20 30 40 50 60 70
No CMS
WordPress
Joomla
Drupal
Usage of content management systems for websites
Market Share Usage
http://w3techs.com/technologies/overview/content_management/all

What are the dangers?

- Social Engineering
- Human Mistakes
- Brute Force Attacks
- WordPress Vulnerabilities
- Web Server Vulnerabilities
- Network Vulnerabilities
- FTP
- File Permissions
- And other beautiful things…

Solutions

Backup!
Modern Task Runner for PHP

Use strong passwords
Insecure examples
admin
mysite123
mysitename
myname4321
password
Secure examples
-yCpHuHJ68fRtB805i
"kaN4Y]99Z)[/ylaJN
&3388wu1530Cx;73kR
zN1/K>9'51]9~495°
1'N434g&h51I78x3?M

Stay updated!
Update WordPress Core
Update Themes
Update Plugins

Remove Version Reference

Deny access / delete readme.html

Deny access / delete readme.html
# .htaccess
<files readme.html>
Order allow,deny
Deny from all
</files>

Remove WordPress Version
// ** functions.php
function wp_remove_version() {
return '';
}
add_filter('the_generator', 'wp_remove_version');

Secure your login

Secure your login
- .htaccess Authentication
- Limit attempts
- Restrict to certain IPs
- Hide
- Capcha
- Two Factor Authentication
- HTTPS

.htaccess Authentication
(example with http://www.htaccesstools.com/)

.htaccess Authentication
(example with http://www.htaccesstools.com/)

Limit attempts

Restrict to certain IPs
# .htaccess
order deny,allow
deny from all
allow from 1.2.3.4

Restrict to certain IPs

Hide your login
# BEGIN Hidden login
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login

Hide your login

Captcha on login

Two-Factor Authentication

Is there anything more?

Admin user

Admin user
- Don’t use «admin» as username
- Or change «admin» role

Change WordPress Structure

Change WordPress Structure
From this..

Change WordPress Structure
..to this

Change WordPress Structure
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [L]
RewriteRule ^(.*.php)$ /$1 [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Change WordPress Structure
// ** index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php‘ );
// ** wp-config.php
define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' );
define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' );
define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' );
define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );

Htaccess Tips and Tricks

Disable Directory Browsing
# .htaccess
Options All -Indexes

Protect your .htaccess
# .htaccess
<files .htaccess>
Order allow,deny
Deny from all
</files>

Protect your configuration
# .htaccess
<files wp-config.php>
Order allow,deny
Deny from all
</files>

Deny access to xmlrpc.php
# .htaccess
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

Prevent WordPress users listing
http://www.yourbeautifulsite.org/?author=1
http://www.yourbeautifulsite.org/?author=2
http://www.yourbeautifulsite.org/?author=3
http://www.yourbeautifulsite.org/?author=4
[…]
# .htaccess
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]

Deny php execution from upload directory
# /path/to/upload-folder/.htaccess
<Files
~
".(xls|doc|rtf|pdf|zip|mp3|flv|swf|pn
g|gif|jpg|ico|js|css|kmz|ttf|woff|woff
2)$">
Allow from all
</Files>

Rewrite assets permalinks
# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]

WP-config Tricks

WP-config Tricks
- Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Override File Permissions
- Change WP Db Prefix

Disable Plugins install/updates
// ** wp-config.php
define( DISALLOW_FILE_EDIT', true );
define( DISALLOW_FILE_MODS', true );

Check installed Themes/Plugins
- Remove inactive themes/plugins
- Remove useless themes/plugins
- Evaluate code integration

Blackhole

Blackhole
(http://perishablepress.com/blackhole-bad-bots/)
# END Blackholde
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule
^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|reg
ister|timthumb|function|system|test|t|jsp|asp|aspx)$
error/403.html [L]
</ifModule>
# END Blackhole

Tools

Tools
Sucury Security Plugin

Help us to check our WordPress Project Vulnerabilities

Monitoring time series database for monitoring your application
https://influxdb.com/

Web Server Infrastructure

Codex References
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Administration_Over_SSL
http://codex.wordpress.org/Editing_wp-config.php

Questions?

Thanks
Mattia Piovano
@shadow_droid
https://joind.in/15557