Hardening WordPress Security

Posted on 15-Apr-2017


WordPress Day 2015 - Pordenone, Italy

What is security? (http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)

Risk reduction

SECURITY: because sometimes a Rottweiler is not enough

Why do we need more security?

WordPress Popularity, Market Share and Responsibility

[Chart: usage of content management systems for websites, market share and usage in percent, for No CMS, WordPress, Joomla and Drupal; source: http://w3techs.com/technologies/overview/content_management/all]

What are the dangers?

- Social engineering
- Human mistakes
- Brute force attacks
- WordPress vulnerabilities
- Web server vulnerabilities
- Network vulnerabilities
- FTP
- File permissions
- And other beautiful things…

Solutions

Backup! (the slide shows a task runner for automating it, tagline "Modern Task Runner for PHP")

Use strong passwords

Insecure examples

- admin
- mysite123
- mysitename
- myname4321
- password

Secure examples

-yCpHuHJ68fRtB805i"kaN4Y]99Z)[/ylaJN&3388wu1530Cx;73kRz\N1/K>9'51]9~495°1'N434g&h51I78x3?M

Stay updated!

- Update WordPress core
- Update themes
- Update plugins

Remove Version Reference

Deny access to / delete readme.html

# .htaccess (Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied)
<files readme.html>
Order allow,deny
Deny from all
</files>

readme.html prints the installed WordPress version to anyone who requests it; deleting it is simplest, but it comes back with every core update, so the deny rule is the durable fix.

Remove WordPress Version

// ** functions.php
// Empties the <meta name="generator"> tag and the <generator> element in feeds.
// (Prefer your own prefix over wp_ for function names; wp_ is reserved for core.)
function wp_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_remove_version');

This hides the version from casual scanners only: readme.html and the ?ver= query string on core scripts and styles still carry it unless they are handled too.
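The generator tag is only one of the places WordPress prints its version: core scripts and styles are enqueued with ?ver=<version>, and the RSD, Windows Live Writer and shortlink tags in <head> identify the platform even without a version. The functions.php snippet below is an added example for this page, not code from the slides; the hw_ prefix and the priority 9999 are its own assumptions.

```php
<?php
/**
 * Added example, not from the slides: remove the other places WordPress
 * announces its version, beyond the the_generator filter shown above.
 * Goes in the active theme's functions.php or a mu-plugin. The hw_ prefix
 * and the filter priorities are this example's own choices.
 */

// 1. Empty <meta name="generator"> and the <generator> element in every feed
//    type; the_generator filter is applied for all of them.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Strip ?ver=<version> from enqueued scripts and styles. Core assets are
//    enqueued with the WordPress version, so the meta tag alone is not enough.
//    Side effect: theme assets lose their cache-busting parameter too.
function hw_strip_asset_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hw_strip_asset_version', 9999 );
add_filter( 'style_loader_src', 'hw_strip_asset_version', 9999 );

// 3. Drop the <head> links that identify the site as WordPress even when
//    the version is gone (RSD, Windows Live Writer manifest, shortlink).
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
```

Treat this as a complement to updating, not a substitute: a scanner that hashes files under /wp-includes/ can still fingerprint the exact version, and the readme.html rule above is still needed.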

Secure your login

Secure your login

- .htaccess authentication
- Limit attempts
- Restrict to certain IPs
- Hide the login page
- Captcha
- Two-factor authentication
- HTTPS

.htaccess Authentication (example with http://www.htaccesstools.com/)

Limit attempts
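The slide lists limiting attempts without showing how. The mu-plugin below is an added example, not code from the slides: it counts failures per client address in a transient via wp_login_failed, refuses authentication through the authenticate filter once the threshold is reached, and resets the counter on wp_login. The thresholds and the hw_ names are its own assumptions.

```php
<?php
/**
 * Added example, not from the slides: a minimal per-IP login rate limit
 * built on WordPress transients and the core login hooks. Thresholds,
 * the hw_ prefix and the transient key format are this example's own
 * assumptions; put it in wp-content/mu-plugins so it cannot be switched
 * off from wp-admin.
 */

define( 'HW_LOGIN_MAX_ATTEMPTS', 5 );      // failures allowed per window
define( 'HW_LOGIN_LOCKOUT_SECONDS', 900 ); // window and lockout length (15 min)

// Key the counter on the TCP peer address. Only read X-Forwarded-For here
// if a reverse proxy you control overwrites it; otherwise it is attacker-chosen.
function hw_login_counter_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'hw_login_fail_' . md5( $ip );
}

// Count every failure. wp_login_failed fires for an unknown username as well
// as a wrong password, and also for logins that arrive through xmlrpc.php.
function hw_login_record_failure( $username ) {
    $key      = hw_login_counter_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, HW_LOGIN_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'hw_login_record_failure' );

// Refuse authentication while locked out, even with the right password.
// Priority 30 runs after core's username/password check (priority 20).
function hw_login_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( hw_login_counter_key() ) >= HW_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'hw_login_block_if_locked', 30, 3 );

// A successful login clears the counter for that address.
function hw_login_clear_failures( $user_login, $user ) {
    delete_transient( hw_login_counter_key() );
}
add_action( 'wp_login', 'hw_login_clear_failures', 10, 2 );
```

Because the lockout error itself goes through wp_login_failed, every attempt during a lockout renews the window. A per-IP counter stops a single-source brute force but not one spread over many addresses, and it locks out everyone behind a shared NAT, so pair it with strong passwords and two-factor authentication rather than relying on it alone. Without a persistent object cache the transients live in the options table.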

Restrict to certain IPs

# .htaccess (for example in wp-admin/.htaccess, or inside a <Files wp-login.php> block)
order deny,allow
deny from all
allow from 1.2.3.4

If the rule lives in wp-admin/, it also blocks anonymous requests to wp-admin/admin-ajax.php, which some themes and plugins call from the public front end; add an exception for that file if you need it.

Hide your login

# BEGIN Hidden login
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword

RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login\.php http://%{SERVER_NAME}/secured-area? [R,L]

RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login

The application/ path assumes the relocated directory layout shown later in this deck. This is obscurity, not access control: the rules only redirect GET requests to wp-login.php, so a tool that POSTs credentials straight to /wp-login.php is still served, and the Referer conditions trust a header the client chooses. Use it to cut noise, with limits and two-factor authentication doing the real work.

Captcha on login

Two-Factor Authentication

Is there anything more?

Admin user

- Don't use «admin» as the username
- Or, if an «admin» account must exist, change its role to one without privileges and administer the site from an account with a different username

Change WordPress Structure

From this.. (the default layout, with WordPress core and wp-content in the web root)

..to this (core moved into application/ and content into public/)

Change WordPress Structure

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]

# Pass existing files and directories through untouched. The slide had both
# conditions negated (!-f [OR] !-d), which is true for every request and
# stops the front controller rule below from ever running; corrected here.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.*\.php)$ /$1 [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Change WordPress Structure

// ** index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php' );

// ** wp-config.php
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/application' );
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );

Building these URLs from $_SERVER['HTTP_HOST'] means the site's own URLs follow whatever Host header the client sends; in production hard-code the hostname (and use https://) instead of reading it from the request.

Htaccess Tips and Tricks

Disable Directory Browsing

# .htaccess
Options All -Indexes

Protect your .htaccess

# .htaccess
<files .htaccess>
Order allow,deny
Deny from all
</files>

Protect your configuration

# .htaccess
<files wp-config.php>
Order allow,deny
Deny from all
</files>

Deny access to xmlrpc.php

# .htaccess
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

XML-RPC is a second login endpoint (its system.multicall method allows many password guesses in one request) that protections on wp-login.php do not cover, and its pingback method is abused for amplification. Blocking it also disables the WordPress mobile apps, Jetpack and remote publishing clients, so check nothing depends on it first.

Prevent WordPress users listing

http://www.yourbeautifulsite.org/?author=1
http://www.yourbeautifulsite.org/?author=2
http://www.yourbeautifulsite.org/?author=3
http://www.yourbeautifulsite.org/?author=4
[…]

WordPress redirects each of these to /author/<username>/, so an attacker collects valid login names by counting upwards.

# .htaccess
# Leave wp-admin alone: the post list filters by ?author=N too and the
# rule would otherwise redirect those screens (condition added here).
RewriteCond %{REQUEST_URI} !^/wp-admin/
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]

This catches only the ?author=N form; with pretty permalinks the /author/<username>/ archives still exist, and the login form still says whether a username exists.
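The Apache rule above only sees the ?author=N query string. The mu-plugin below, an added example that is not from the slides, does the same check in PHP, also covers the /author/<username>/ permalinks WordPress redirects to, and makes login errors generic so the form stops confirming which usernames exist. The hw_ names are its own assumptions.

```php
<?php
/**
 * Added example, not from the slides: the PHP-side counterpart to the
 * .htaccess author= rule above. Put it in wp-content/mu-plugins.
 * The hw_ prefix is this example's own.
 */

// 1. Refuse front-end ?author=N before redirect_canonical() turns it into
//    /author/<username>/, which is the actual leak. is_admin() keeps the
//    "filter by author" screens in wp-admin working.
function hw_block_author_query() {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    if ( preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'init', 'hw_block_author_query' );

// 2. Send author archives home as well; drop this if the theme needs them
//    (a multi-author blog usually does).
function hw_disable_author_archives() {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'hw_disable_author_archives' );

// 3. One generic message for every login failure, so "unknown username"
//    and "wrong password" are indistinguishable to an attacker. This also
//    replaces the lost-password form's "invalid username or email" text.
function hw_generic_login_error( $error ) {
    return __( 'Invalid username or password.' );
}
add_filter( 'login_errors', 'hw_generic_login_error' );
```

None of this hides usernames that appear as post authors in the theme or in feeds, and WordPress 4.7 and later also list users through the REST API at /wp-json/wp/v2/users, which these rules do not touch; usernames are best treated as public and the password and second factor as the secret.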

Deny PHP execution from the upload directory

# /path/to/upload-folder/.htaccess
# Default-deny, then allow only the listed static extensions back. The slide
# showed only the <Files> allow block, which on its own permits everything,
# PHP included; the two default-deny lines are added here.
Order deny,allow
Deny from all
<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
Allow from all
</Files>

The web server must honour .htaccess in that directory (AllowOverride must include Limit), and the file itself must not be writable by the PHP process, or an attacker who can upload can simply overwrite it. Consider whether swf and js belong in uploads at all: both are executable in the browser and a stored one runs in your site's origin.

Rewrite assets permalinks

# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]

WP-config Tricks

- Set up the salt keys (https://api.wordpress.org/secret-key/1.1/salt/); rotating them invalidates every existing login cookie
- Override the default file permissions (FS_CHMOD_DIR and FS_CHMOD_FILE)
- Change the WP database prefix ($table_prefix)

Disable plugin/theme installs and updates and the file editor

// ** wp-config.php
define( 'DISALLOW_FILE_EDIT', true ); // removes the theme and plugin code editor from wp-admin
define( 'DISALLOW_FILE_MODS', true ); // blocks installing and updating plugins, themes and core from wp-admin

Both limit what a compromised administrator account can do with the web server's write access. DISALLOW_FILE_MODS also switches off background automatic updates, so it only makes sense when updates are applied another way (deployment pipeline or WP-CLI); otherwise it works against the "Stay updated!" advice above.

Check installed Themes/Plugins

- Remove inactive themes and plugins (their code is still reachable on disk)
- Remove useless themes and plugins
- Review the code you integrate before installing it

Blackhole (http://perishablepress.com/blackhole-bad-bots/)

# BEGIN Blackhole
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]
</IfModule>
# END Blackhole

The rule answers common scanner probe paths with the site's own error/403.html, which has to exist. Note that admin is in the list, so the /admin shortcut WordPress normally redirects to /wp-admin/ is blocked too.

Tools

Sucuri Security plugin

Helps us check our WordPress project for vulnerabilities

Monitoring: a time series database for monitoring your application

https://influxdb.com/

Web Server Infrastructure

Codex References

http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Administration_Over_SSL
http://codex.wordpress.org/Editing_wp-config.php

Questions?

NO

Thanks

Mattia Piovano (@shadow_droid)

https://joind.in/15557