WordPress Security & Hardening Steps


Upload: plasterdog-productions

Post on 08-May-2015


DESCRIPTION

Steps to make a WordPress installation more secure

TRANSCRIPT

1. HARDENING A WORDPRESS SITE
Jeff McNear, Plasterdog Web Design
847/849-7060
[email protected]
FOR MORE WORDPRESS INFO: http://jeffmcnear.com

2. WHILE A HACKING INCIDENT DOES SEEM APOCALYPTIC, IT IS SURVIVABLE, AND EVEN AVOIDABLE IF:
- You anticipate the destruction with backups
- You have some sort of early alert system
- You make your site more difficult to compromise than a default install provides for

3. RESOURCES:
- CODEX: http://codex.wordpress.org/Hardening_WordPress
- CODE POET: LOCKING DOWN WORDPRESS http://build.codepoet.com/2012/07/10/locking-down-wordpress/ - Rachel Baker | Brad Williams | John Ford
- DIGGING INTO WORDPRESS: http://digwp.com/book/ - Chris Coyier & Jeff Starr
- THE TAO OF WORDPRESS: http://wp-tao.com/ - Jeff Starr
- .htaccess made easy: http://htaccessbook.com/ - Jeff Starr

4. TYPICAL PATHS OF INFECTION:
- The overwhelmingly vast majority of all attacks are automated
- Entry via login to the site or database
- Entry via vulnerable files or folders
TYPICAL POINTS OF ENTRY:
- Insecure server configuration
- Poor password security practices
- Outdated code (WordPress core, plugins & themes, PHP version)

5. TYPICAL TYPES OF INFECTION:
- Roughly 85% of website attacks are cross-site scripting (aka XSS)*
- Purpose is to inject links into the site itself
- May be simply spam links intended to fool search engines
- Can be malicious code that is used to embed code on the visitor's machine
- Intent is to steal information like passwords
- The more malicious infections are designed to breed and spread from machine to machine
*Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source.

6. WHAT ARE THE RISKS OF INFECTION?
- Unwelcome links inserted into your header or footer (very common: the WordPress Pharma hack is only visible in search results!)
- Your site can become a cause of infection for those who visit it
- Visitors will be automatically redirected to another website
- Search engines will detect insertions and will first publish warnings, and eventually de-list the site
- Individual ISPs will also detect insertions and will deny access to the site

7. FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO
Many hardening techniques do not require any special tools, knowledge or expertise, just some common sense.

8. KEEP A CLEAN MACHINE
- Eventually we are all going to visit a virus-infected website: have a regular scanning & anti-virus routine
- Remember that you too are vulnerable to inserted code that will monitor & record your keystrokes

9. TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
- Ideally we should all be using SFTP rather than regular old FTP
- Some would even say that having an SSL certificate for any website is a good idea
- At the very least, use a secure connection when uploading files

10. KEEP YOUR CODE CURRENT
- A significant portion of core update work has to do with security issues
- The WordPress project has made it dead easy to keep your code current: there is no excuse!
- ALSO: inactive themes and plugins can be vulnerable to infection; if you aren't using them, there is no reason to keep them!

11. AVOID ALLOWING ACCESS WHEN NOT NECESSARY
- Shut down open registration
- If you're not using comments and pingbacks, deactivate them
- Eliminate inactive users
- Be selective about permission levels
- Do not allow shared logins
- Never use "admin" as a login name: most brute-force attacks on WordPress will focus on the admin login name
- If you display author information, DO NOT show the login name!
- Use complex and secure passwords!
12. PREPARE FOR THE WORST:
Backup:
- Database
- The active theme
- .htaccess file
- wp-config.php
- robots.txt
- index.php
- Record the list of active plugins
Register your site with webmaster tools:
- GOOGLE: http://www.google.com/webmasters/tools
- BING: http://www.bing.com/toolbox
SITE SCANNING TOOLS:
- http://sitecheck.sucuri.net/scanner/
- https://www.stopbadware.org/clearinghouse/search
- http://www.unmaskparasites.com/

13. THE REASONS A WEBMASTER TOOLS CONNECTION IS IMPERATIVE:
- You cannot communicate directly with Google or Bing without establishing the connection
- Diagnostic tools are made available
- Automatic alerts can be requested
- You can appeal for review and redemption

14. SECOND LEVEL SECURITY: CONFIGURING THE SITE CORRECTLY AT THE POINT OF ORIGINAL INSTALL
There are small adjustments that can:
- Make it more difficult for an attacker to edit your files
- Obscure the structure of your WordPress deployment
- Lock down access to crucial files and directories

15. CHANGE THE DATABASE PREFIX

16. ELIMINATE A COUPLE OF FILES:
- (root)/readme.html
  ISSUE: relates information about the version of WordPress at point of install
- (root)/wp-admin/install.php
  ISSUE: if for some reason the connection between WordPress and the database is broken, then this file will activate and display the installation setup page

17. DISABLE THE FILE EDITOR
As long as this is still enabled, anyone with admin access to your site will be able to modify files at will.
ADD TO THE wp-config.php FILE:

    // DISABLES FILE EDITING
    define('DISALLOW_FILE_EDIT', true);

18. DENY INFORMATION TO POTENTIAL ATTACKERS:
IN THE ACTIVE THEME'S functions.php FILE:

    // REMOVES VERSION INFO
    remove_action('wp_head', 'wp_generator');
    // OBSCURES LOGIN FAILURE MESSAGE
    // (an anonymous function replaces the original create_function() call,
    // which was deprecated in PHP 7.2 and removed in PHP 8.0)
    add_filter('login_errors', function () {
        return null;
    });

19. GIVE WORDPRESS A SEPARATE DIRECTORY:
IF ALL OF THE CORE FILES ARE IN AN UNEXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND:
- Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root of your site
- In your root directory's index.php, change the line that says:
      require('./wp-blog-header.php');
  to
      require('./newdirectoryname/wp-blog-header.php');
- Go to the General panel. In the box for Site address (URL), change the address to the root directory's URL

20. MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO THE WP-CONFIG FILE
These security keys help encrypt the data that is stored in the cookies, which is data that helps WordPress identify your computer as one that is logged into your WordPress website as a certain user. If your WordPress cookies are ever obtained by someone with bad intentions, the encrypted cookie will make it much more difficult, if not impossible, for this individual to compromise your website using your cookies.

21. MAKE SURE FOLDER & FILE PERMISSIONS ARE SET CORRECTLY
TYPICALLY THEY ARE GIVEN THE PROPER SETTINGS UPON DEPLOYMENT, BUT IT DOESN'T HURT TO CHECK:
- FILE PERMISSION = 644
- FOLDER PERMISSION = 755

22. THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES
"The ability to include .htaccess files in specific directories gives you more control of your site's configuration, optimization, and security." - Jeff Starr
While hosting in an environment optimized for WordPress is ideal, it is not always available.

23. BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE AN .htaccess FILE
ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT WITH THIS CODE ONLY:

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /site-folder-name/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /SITE-DIRECTORY-NAME/index.php [L]
    # END WordPress

24. NEXT: INCLUDE THE FOLLOWING (outside the WP generated code)

    # PROTECT HTACCESS FILE
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    # SECURE WP-CONFIG.PHP
    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>

    # BLOCK THE INCLUDE-ONLY FILES
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

25. AN ADDITIONAL RULE WORTH ADDING:

    # CANONICAL FAVICONS - A COMMON POINT OF ATTACK
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
    RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
    RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]

26. SPECIFIC .HTACCESS TO PROTECT WP-CONTENT
Protects PHP files; allows access to images, CSS, JavaScript and XML files, but denies any other type:

    # PREVENT ACCESS TO WP-CONTENT
    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

AND FOR EXTRA CREDIT, KILL PHP EXECUTION IN THESE 2 LOCATIONS:
/wp-content/uploads/.htaccess
/wp-includes/.htaccess

    <Files *.php>
    deny from all
    </Files>

27. SOME ADDITIONAL .htaccess RULES:
LOCATION: UPLOADS DIRECTORY

    # secure uploads directory
    # (the two container blocks are reconstructed; the allowed-extension list is an assumption)
    <Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
    </Files>
    <FilesMatch "\.(jpe?g|gif|png)$">
    Order Deny,Allow
    Allow from all
    </FilesMatch>

=> issue: blocks the ability to access PDF-related URLs by link

28. LOCATION: WP-ADMIN DIRECTORY

    # SECURE WP-ADMIN FILES
    Order Deny,Allow
    Deny from all
    Allow from 123.456.789

=> issue: restricting by IP address is not practical in many cases

29. LOCATION: ROOT DIRECTORY

    # Denies hotlinking of images
    RewriteEngine on
    # ultimate hotlink protection
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu.org|taffys.org|halfelf.org|poohnau.us|elfshot.org) [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]

=> issue: this disables the theme screenshot display, so I don't use it
30. LOCATION: ROOT DIRECTORY

    # MAKES EXPLICIT LOCATION OF ROBOTS.TXT
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
    RewriteCond %{REQUEST_URI} robots\.txt [NC]
    RewriteRule .* http://example.com/robots.txt [R=301,L]

=> issue: seems like overkill

    # MAKES EXPLICIT LOCATION OF SITEMAP
    RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
    RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz

=> seems like overkill

31. WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE, IT WILL PREVENT FILES YOU WANT SECURED FROM BEING INDEXED

    User-agent: *
    Disallow: /cgi-bin/
    Disallow: /wp-admin/
    Disallow: /wp-includes/
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: /tag/
    Disallow: /trackback/
    Disallow: */trackback/
    Disallow: /index.php # separate directive for the main script file of WP
    Disallow: /*.php$
    Disallow: /*.js$
    Disallow: /*.inc$
    Disallow: /*.css$
    Allow: /wp-content/uploads/
    Sitemap: http://SITEURL/sitemap_index.xml *

* SEO by Yoast generates a reliable sitemap

32. PLUGINS OF NOTE: SITE SCANNERS
- wp security scan: http://wordpress.org/plugins/wp-security-scan
- Sucuri Security - SiteCheck Malware Scanner: http://wordpress.org/plugins/sucuri-scanner
- WordPress File Monitor Plus: http://wordpress.org/plugins/wordpress-file-monitor-plus
  Monitors your WordPress installation for added/deleted/changed files. When a change is detected, an email alert can be sent to a specified address.
- wordpress exploit scanner: http://wordpress.org/plugins/exploit-scanner
  This plugin searches the files on your website, and the posts and comments tables of your database, for anything suspicious.
- secure wordpress: http://wordpress.org/plugins/secure-wordpress

33. PLUGINS OF NOTE: MORE SCANNERS
- Wordfence: http://wordpress.org/plugins/wordfence/
- Better WP Security: http://wordpress.org/plugins/better-wp-security/
- BulletProof Security: http://wordpress.org/plugins/bulletproof-security/
34. PLUGINS OF NOTE: BACKUP
- vaultpress: http://wordpress.org/plugins/vaultpress/ (subscription)
- backup buddy: http://ithemes.com/purchase/backupbuddy/ (paid)
- WP Migrate DB Pro: https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
- backwpup: http://wordpress.org/plugins/backwpup/
- backup to dropbox: http://wordpress.org/plugins/wordpress-backup-to-dropbox/
- Online Backup for WordPress: http://wordpress.org/plugins/wponlinebackup/
- WP-DB-Backup: http://wordpress.org/plugins/wp-db-backup/
- WP-DBManager: http://wordpress.org/plugins/wp-dbmanager/
- BackUpWordPress: http://wordpress.org/plugins/backupwordpress/

35. PLUGINS OF NOTE: LOGIN LIMITATION
- limit login attempts: http://wordpress.org/plugins/limit-login-attempts/
- Login Security Solution: http://wordpress.org/plugins/login-security-solution/
- Stealth Login Page: http://wordpress.org/plugins/stealth-login-page/
PLUGINS OF NOTE: CHANGE LOGIN LOCATION
- lockdown wp-admin: http://wordpress.org/plugins/lockdown-wp-admin/
- Simple Login Lockdown: http://wordpress.org/plugins/simple-login-lockdown/
- Login Security Solution: http://wordpress.org/plugins/login-security-solution/

36. PLUGINS OF NOTE: MIXED BAG
- theme authenticity checker: http://wordpress.org/plugins/tac/
- Theme-Check: http://wordpress.org/plugins/theme-check/
- Theme Test Drive: http://wordpress.org/plugins/theme-test-drive/
- block bad queries: http://wordpress.org/plugins/block-bad-queries/ **
- antivirus: http://wordpress.org/plugins/antivirus/
** Jeff Starr plugin

37. NOTHING IS 100% HACK-PROOF, BUT YOU CAN MAKE IT MORE DIFFICULT
- Keep your code current and work in a clean environment
- Restrict access to WordPress admin
- Block access to crucial files
- Back up crucial files on a regular basis
- Have a strategy to rebuild if the easy solutions elude you
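The second-level checks in slides 16, 17, 20 and 21 (leftover readme.html and wp-admin/install.php, DISALLOW_FILE_EDIT, security keys left at the sample value, 644/755 permissions) are easy to forget after the first deploy, so here is an added example, written for this page and not part of the deck, that turns them into a read-only audit you can run over a WordPress tree. It is POSIX shell; the function names are mine, it assumes wp-config.php uses the stock define('NAME', 'value'); layout, and it treats the stock wp-config-sample.php placeholder text 'put your unique phrase here' as "key not set". Each check writes its findings to stderr and the number of findings to stdout; nothing is modified.

```shell
#!/bin/sh
# Added example (not from the deck): audit a WordPress tree against slides 16, 17, 20 and 21.
# Usage: sh wp_audit.sh /path/to/wordpress   (exit status is non-zero when findings exist)

# Slide 16: readme.html reveals the installed version; wp-admin/install.php shows the
# installer whenever the database connection is broken. Both should be deleted.
check_leftover_files() {
    n=0
    for f in "$1/readme.html" "$1/wp-admin/install.php"; do
        if [ -e "$f" ]; then
            echo "FINDING: $f is present; delete it" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Slide 17: without DISALLOW_FILE_EDIT every administrator can edit PHP from the dashboard,
# so a stolen admin login becomes arbitrary code execution on the server.
check_file_editor() {
    cfg="$1/wp-config.php"
    if grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" 2>/dev/null; then
        echo 0
    else
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true in $cfg" >&2
        echo 1
    fi
}

# Slide 20: all eight keys/salts must be defined and must not be the sample placeholder,
# otherwise the auth cookies are signed with values anyone can look up.
check_security_keys() {
    cfg="$1/wp-config.php"
    n=0
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! grep -q "'$k'" "$cfg" 2>/dev/null; then
            echo "FINDING: $k is not defined in $cfg" >&2
            n=$((n + 1))
        elif grep "'$k'" "$cfg" | grep -q 'put your unique phrase here'; then
            echo "FINDING: $k still has the sample placeholder value" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Slide 21: files 644, directories 755. Anything else is listed (paths are assumed to have no newlines).
check_permissions() {
    bad=$(find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \))
    n=0
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/FINDING: not 644 (file) or 755 (directory): /' >&2
        n=$(( $(printf '%s\n' "$bad" | wc -l) ))
    fi
    echo "$n"
}

# Run every check and report the total number of findings.
wp_audit() {
    total=0
    for check in check_leftover_files check_file_editor check_security_keys check_permissions; do
        total=$((total + $("$check" "$1")))
    done
    echo "$total finding(s) in $1" >&2
    echo "$total"
}

# Only run when a path is given, so the functions can also be sourced from another script.
if [ -n "${1:-}" ]; then
    [ "$(wp_audit "$1")" -eq 0 ]
fi
```

Run it from cron and mail yourself the stderr, or keep the exit status as a gate in a deploy script; the point is that the checks are repeated, not done once at install time.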
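Slide 2 asks for backups and "some sort of early alert system", slide 12 lists what to back up, and the file-monitor plugin in slide 32 exists because the first sign of the infections described in slides 5 and 6 is usually a PHP file that changed when nobody deployed anything. The following added example, written for this page and not part of the deck or of any plugin, does both jobs from a shell: it records a SHA-256 manifest of every file under the WordPress root, reports added, removed and changed files against that manifest later, and bundles the slide-12 file list into a tarball. It assumes sha256sum (or shasum) and a tree whose paths contain no whitespace; the function names are mine. The database and the active-plugin list are not files on disk, so the block only notes in a comment how they are captured beside the tarball (mysqldump, and WP-CLI's wp plugin list if it is installed).

```shell
#!/bin/sh
# Added example (not from the deck): file-integrity baseline plus the slide-12 backup bundle.
# Usage: sh wp_watch.sh baseline ROOT MANIFEST
#        sh wp_watch.sh check    ROOT MANIFEST        (prints one line per difference)
#        sh wp_watch.sh bundle   ROOT OUT.tar [ACTIVE_THEME_DIR relative to ROOT]

# Pick a SHA-256 tool: GNU coreutils has sha256sum, BSD/macOS ship shasum.
if command -v sha256sum >/dev/null 2>&1; then HASHER=sha256sum; else HASHER="shasum -a 256"; fi

# Print "<sha256>  ./relative/path" for every regular file, sorted by path so manifests are comparable.
hash_tree() {
    (cd "$1" && find . -type f -exec $HASHER {} + | LC_ALL=C sort -k 2)
}

# Record the known-good state (run right after a clean install or update, and store the
# manifest somewhere the web server cannot write to, e.g. with the backups).
wp_baseline() {
    hash_tree "$1" > "$2"
}

# Compare the tree with the manifest: ADDED files are the classic sign of a dropped backdoor,
# CHANGED core/theme files of injected links or redirects, REMOVED files of a failed update.
wp_changes() {
    now=$(mktemp)
    hash_tree "$1" > "$now"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in new) if (!(p in old))                     print "ADDED   " p
             for (p in old) if (!(p in new))                     print "REMOVED " p
             for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
         }' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Slide 12's list: wp-config.php, .htaccess, robots.txt, index.php and the active theme.
# Members that do not exist are skipped; prints how many were archived.
wp_backup_bundle() {
    root=$1; out=$2; theme=${3:-}
    set --
    for m in wp-config.php .htaccess robots.txt index.php $theme; do
        if [ -e "$root/$m" ]; then set -- "$@" "$m"; fi
    done
    if [ $# -eq 0 ]; then echo "nothing to back up in $root" >&2; return 1; fi
    tar -cf "$out" -C "$root" "$@"
    # Not on disk, so capture them next to the tarball (assumes mysqldump and WP-CLI are available):
    #   mysqldump --single-transaction DB_NAME > site.sql
    #   wp plugin list --status=active > active-plugins.txt
    echo "$#"
}

case "${1:-}" in
    baseline) wp_baseline "$2" "$3" ;;
    check)    wp_changes "$2" "$3" ;;
    bundle)   wp_backup_bundle "$2" "$3" "${4:-}" ;;
esac
```

A nightly `check` whose output is mailed to you is the cheapest "early alert system" slide 2 asks for; re-run `baseline` only after you have applied an update yourself, so that every other diff is a question worth answering.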