Post on 22-Oct-2014
WordPress Security
Tim Elliott
http://codex.wordpress.org/Hardening_WordPress
WordPress Vulnerabilities
• It’s Open Source
• Link Injection
• TimThumb
• Social Engineering
The Easy Stuff
• Stay updated!
• Don’t use ‘admin’ user
• Don’t display usernames in post meta
• Change database table prefix from ‘wp_’
• Use strong passwords
• Verify file permissions (files=644 / dir.=755)
• Use secret keys in wp-config.php
• Remove the WordPress version number from the theme header
• Run backups often (like every day)
• Secure wp-includes & wp-config.php
.htaccess

# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# Protect .htaccess
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /directory_goes_here/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /directory_goes_here/index.php [L]
</IfModule>
# END WordPress

# Block the include-only files
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Disable directory browsing
Options All -Indexes
Helpful Plugins
• WP Security Scan
• BulletProof Security
• TimThumb Vulnerability Scanner
• WordPress File Monitor
• Login Lock
• ManageWP Worker
http://sitecheck.sucuri.net/scanner/
http://www.google.com/webmasters/tools/
The Harder Stuff
• Lock down wp-admin to specific IP’s
• Add to .htaccess in the wp-admin root (snippet below):
• Force SSL on login (requires certificate)
• Add to wp-config.php: define('FORCE_SSL_ADMIN', true);
• Move wp-content directory
• http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content
# Lockdown wp-admin
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
Allow from YOUR_IP_HERE
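As an added example (not part of the original slides), a small POSIX shell audit that checks an install against the "Easy Stuff" items (644/755 permissions, non-default table prefix, real secret keys) and the "Harder Stuff" FORCE_SSL_ADMIN setting. It assumes a standard layout with wp-config.php in the given root directory; the function and file names are my own.

```shell
#!/bin/sh
# Added audit script, not from the slides: read-only checks of a WordPress
# tree. Assumes wp-config.php sits directly in the root passed as $1.

# Number of files not at mode 644 plus directories not at mode 755.
count_bad_perms() {
    bad_files=$(find "$1" -type f ! -perm 644 | wc -l)
    bad_dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    echo $((bad_files + bad_dirs))
}

# 0 if $table_prefix is no longer the default 'wp_'.
prefix_changed() {
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*[\"']wp_[\"']" "$1/wp-config.php"; then
        return 1
    fi
    return 0
}

# 0 if none of the secret keys still carry WordPress's placeholder text.
keys_set() {
    ! grep -q 'put your unique phrase here' "$1/wp-config.php"
}

# 0 if wp-config.php defines FORCE_SSL_ADMIN as true.
ssl_admin_forced() {
    grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# Run every check; print one WARN line per failed item and return their count.
wp_audit() {
    findings=0
    n=$(count_bad_perms "$1")
    [ "$n" -eq 0 ] || { echo "WARN: $n paths deviate from files=644 / dirs=755"; findings=$((findings + 1)); }
    prefix_changed "$1"   || { echo "WARN: table prefix is still wp_"; findings=$((findings + 1)); }
    keys_set "$1"         || { echo "WARN: secret keys in wp-config.php are placeholders"; findings=$((findings + 1)); }
    ssl_admin_forced "$1" || { echo "WARN: FORCE_SSL_ADMIN is not set to true"; findings=$((findings + 1)); }
    echo "$findings finding(s) in $1"
    return "$findings"
}
```

Run it as `wp_audit /path/to/wordpress`; the exit status is the number of failed items, so it drops straight into a cron job or CI step.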