Wordpress Security & Hardening Steps
1. HARDENING A WORDPRESS SITE
Jeff McNear
Plasterdog Web Design
847/849-7060
jeff@plasterdog.com
FOR MORE WORDPRESS INFO:
http://jeffmcnear.com
2. WHILE A HACKING INCIDENT DOES SEEM APOCALYPTIC, IT IS SURVIVABLE, AND EVEN AVOIDABLE IF:
You anticipate the destruction with backups
You have some sort of early alert system
You make your site more difficult to compromise than provided for by a default install
3. RESOURCES:
CODEX: http://codex.wordpress.org/Hardening_WordPress
CODE POET: “LOCKING DOWN WORDPRESS”
http://build.codepoet.com/2012/07/10/locking-down-wordpress/
- Rachel Baker | Brad Williams | John Ford
DIGGING INTO WORDPRESS: http://digwp.com/book/
- Chris Coyier & Jeff Starr
THE TAO OF WORDPRESS: http://wp-tao.com/
- Jeff Starr
.htaccess made easy: http://htaccessbook.com/
- Jeff Starr
4. TYPICAL PATHS OF INFECTION:
The overwhelmingly vast majority of all attacks are automated
Entry via login to the site or database
Entry via vulnerable files or folders
TYPICAL POINTS OF ENTRY
Insecure server configuration
Poor password security practices
Outdated code (WordPress core, plugins & themes, PHP version)
5. TYPICAL TYPES OF INFECTION:
Roughly 85% of website attacks are Cross-Site Scripting (aka XSS)*
Purpose is to inject links into the site itself
May be simply spam links intended to fool search engines
Can be malicious code that is used to embed coding into the visitor's machine
Intent is to steal information like passwords
*Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source.
The more malicious infections are designed to breed and spread from machine to machine
6. WHAT ARE THE RISKS OF INFECTION?
Unwelcome links inserted into your header or footer (very common: the WordPress Pharma hack … only visible in search results!)
Your site can become a cause for infection of those who visit it
Visitors will be automatically re-directed to another website
Search engines will detect insertions and will first publish warnings, and eventually de-list the site
Individual ISPs will also detect insertions and will deny access to the site
7. FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO:
Many hardening techniques do not require any special tools, knowledge or expertise … just some common sense
8. KEEP A CLEAN MACHINE
Eventually we are all going to visit a virused website – have a regular scanning & anti-virus routine
Remember that you too are vulnerable to inserted code that will monitor & record your keystrokes
9. TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
Ideally we should all be using SFTP rather than regular old FTP
Some would even say that having an SSL certificate for any website is a good idea
At the very least, use a secure connection when uploading files
10. KEEP YOUR CODE CURRENT
A significant portion of core update work has to do with security issues
The WordPress project has made it dead easy to keep your code current
There is no excuse!
ALSO:
Inactive themes and plugins can be vulnerable to infection … if you aren't using them, there is no reason to keep them!
11. AVOID ALLOWING ACCESS WHEN NOT NECESSARY
Shut down open registration
If you're not using comments and pingbacks, deactivate them
Eliminate inactive users
Be selective about permission levels
Do not allow shared logins
Never use "admin" as a login name – most "brute-force" attacks on WordPress will focus on the "admin" login name
If you display author information DO NOT show the login name!
Use complex and secure passwords!
12. PREPARE FOR THE WORST:
Backup:
Database
The active theme
.htaccess file
wp-config.php
robots.txt
index.php
Record the list of active plugins
Register your site with WebMaster tools:
GOOGLE:
http://www.google.com/webmasters/tools
BING:
http://www.bing.com/toolbox
SITE SCANNING TOOLS:
http://sitecheck.sucuri.net/scanner/
https://www.stopbadware.org/clearinghouse/search
http://www.unmaskparasites.com/
13. THE REASONS A WEBMASTER TOOLS CONNECTION IS IMPERATIVE:
You cannot communicate directly with Google or Bing without establishing the connection
Diagnostic tools are made available
Automatic alerts can be requested
You can appeal for review and redemption
14. SECOND LEVEL SECURITY: Configuring the site correctly at the point of original install
There are small adjustments that can:
• Make it more difficult for an attacker to edit your files
• Obscure the structure of your WordPress deployment
• Lock down access to crucial files and directories
16. ELIMINATE A COUPLE OF FILES:
(root)/readme.html
ISSUE: reveals information about the version of WordPress at the point of install
(root)/wp-admin/install.php
ISSUE: if for some reason the connection between WordPress and the database is broken, this file will activate and display the installation setup page
17. DISABLE THE FILE EDITOR
As long as this is still enabled, anyone with admin access to your site will be able to modify files at will.
ADD TO THE wp-config.php FILE:
// DISABLES FILE EDITING
define('DISALLOW_FILE_EDIT', true);
18. DENY INFORMATION TO POTENTIAL ATTACKERS:
IN THE ACTIVE THEME'S functions.php FILE:
// REMOVES VERSION INFO
remove_action('wp_head', 'wp_generator');
// OBSCURES LOGIN FAILURE MESSAGE
// (the original used create_function(), which was removed in PHP 8;
// WordPress's built-in __return_null callback does the same job)
add_filter('login_errors', '__return_null');
19. GIVE WORDPRESS A SEPARATE DIRECTORY:
IF ALL OF THE CORE FILES ARE IN AN UN-EXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND:
• Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root of your site
• In your root directory's index.php, change the line that says:
require('./wp-blog-header.php');
to
require('./newdirectoryname/wp-blog-header.php');
• Go to the General panel. In the box for Site address (URL): change the address to the root directory's URL
20. MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO
THE WP-CONFIG FILE
These security keys help encrypt the data that is stored in the cookies, which is data
that helps WordPress identify your computer as one that is logged into your
WordPress website as a certain user.
If your WordPress cookies are ever obtained by someone with bad intentions, the
encrypted cookie will make it much more difficult if not impossible for this individual to
compromise your website using your cookies.
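A check for the two wp-config.php items above (the eight security keys from slide 20 and DISALLOW_FILE_EDIT from slide 17), added here as an example and not part of the original slides. It parses the define() lines of a wp-config.php, reports keys that are missing or still carry the sample-file placeholder, and can generate replacement keys from a CSPRNG. SAMPLE_CONFIG is a constructed stand-in, not a real site's file.

```python
import re
import secrets
import string

# The eight key/salt names WordPress reads from wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

# Constructed sample resembling an unfinished wp-config.php (not a real site's file).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('DISALLOW_FILE_EDIT', false);
"""

def parse_defines(config_text):
    """Map every define('NAME', value) in the file to its raw value expression."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}

def audit_wp_config(config_text):
    """Return a list of findings; an empty list means the checks passed."""
    defines = parse_defines(config_text)
    findings = []
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif PLACEHOLDER in value or len(value.strip("'\"")) < 32:
            findings.append(f"{name} is the sample placeholder or too short")
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the file editor is enabled")
    return findings

def generate_keys(length=64):
    """Build replacement define() lines from a CSPRNG (no quotes or backslashes used)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)
```

Run audit_wp_config() on the text of your own wp-config.php; paste the output of generate_keys() in place of the placeholder lines to rotate the keys (which logs every user out).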
21. MAKE SURE FOLDER & FILE PERMISSIONS ARE SET CORRECTLY
TYPICALLY THEY ARE GIVEN THE PROPER SETTINGS UPON DEPLOYMENT, BUT IT DOESN'T HURT TO CHECK
FILE PERMISSION = 644
FOLDER PERMISSION = 755
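A script that performs the check the slide recommends, added here as an example (not from the original slides): it walks a WordPress tree, reports every file that is not 644 and every folder that is not 755, and additionally flags PHP files sitting under wp-content/uploads, where PHP should never execute. build_sample_tree() creates a constructed throw-away tree so the check can be run without a real site; run audit_permissions() against your document root instead.

```python
import os
import stat
import tempfile

EXPECTED_FILE_MODE = 0o644  # slide: FILE PERMISSION = 644
EXPECTED_DIR_MODE = 0o755   # slide: FOLDER PERMISSION = 755
UPLOADS = os.path.join("wp-content", "uploads")

def audit_permissions(root):
    """Walk a WordPress tree; return (relative path, actual, expected) for every
    entry off the 644/755 baseline, plus any .php file sitting under uploads."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, EXPECTED_DIR_MODE) for d in dirnames]
        entries += [(f, EXPECTED_FILE_MODE) for f in filenames]
        for name, expected in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):  # symlink modes are meaningless; skip
                continue
            rel = os.path.relpath(full, root)
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((rel, oct(actual), oct(expected)))
            if name.endswith(".php") and rel.startswith(UPLOADS):
                findings.append((rel, "php-in-uploads", "remove or block execution"))
    return findings

def build_sample_tree():
    """Constructed sample site (not a real one): one world-writable file, one
    over-permissive folder and one PHP file inside the uploads directory."""
    root = tempfile.mkdtemp()
    layout = {
        "wp-config.php": 0o644,
        "wp-content/uploads/photo.jpg": 0o644,
        "wp-content/uploads/doc.php": 0o644,
        "wp-content/plugins/readme.txt": 0o666,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    for sub in ("wp-content", "wp-content/plugins", "wp-content/uploads"):
        os.chmod(os.path.join(root, sub), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root

if __name__ == "__main__":
    for finding in audit_permissions(build_sample_tree()):
        print(*finding)
```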
22. THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES
"The ability to include .htaccess files in specific directories gives you more control of your site's configuration, optimization, and security."
- Jeff Starr
While hosting in an environment optimized for WordPress is ideal … it is not always available….
23. BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE AN .htaccess FILE
ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT WITH THIS CODE ONLY (site-folder-name stands for your own site directory):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /site-folder-name/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /site-folder-name/index.php [L]
</IfModule>
# END WordPress
24. NEXT: INCLUDE THE FOLLOWING (outside the WP generated code)
# PROTECT HTACCESS FILE
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# SECURE WP-CONFIG.PHP
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
# BLOCK THE INCLUDE-ONLY FILES.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
25. AN ADDITIONAL RULE WORTH ADDING:
# CANONICAL FAVICONS - A COMMON POINT OF ATTACK
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
</IfModule>
26. SPECIFIC .HTACCESS TO PROTECT WP-CONTENT
Protects PHP files; allows access to image, CSS, JavaScript and XML files, but denies any other type:
# PREVENT ACCESS TO WP-CONTENT
Order Deny,Allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
AND FOR EXTRA CREDIT… KILL PHP EXECUTION IN THESE 2 LOCATIONS:
/wp-content/uploads/.htaccess
/wp-includes/.htaccess
<Files *.php>
Deny from all
</Files>
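Once the rules from slides 16, 24 and 26 are in place, a quick way to confirm they took effect is to request the protected paths and check that none of them is still served. This script is an added example (not from the original slides); it assumes WordPress at the site root and uses a constructed uploads file name, and accepts an injected fetch function so the logic can be exercised without a live server.

```python
import urllib.error
import urllib.request

# Paths the slides' rules should make unreachable, mapped to the statuses a hardened
# server answers: 403 from "Deny from all" / [F], or 404 once the file is removed.
# Assumed layout: WordPress in the site root; "test.php" is a constructed name.
EXPECTED_BLOCKED = {
    "/.htaccess": (403, 404),
    "/wp-config.php": (403, 404),
    "/readme.html": (403, 404),
    "/wp-admin/install.php": (403, 404),
    "/wp-admin/includes/file.php": (403, 404),
    "/wp-includes/functions.php": (403, 404),
    "/wp-includes/theme-compat/comments.php": (403, 404),
    "/wp-content/uploads/test.php": (403, 404),
}

def default_fetch(url):
    """GET `url` and return the HTTP status, treating error responses as statuses."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verify_hardening(base_url, fetch=default_fetch):
    """Return (path, status) for every protected path the server still serves."""
    problems = []
    for path, acceptable in EXPECTED_BLOCKED.items():
        status = fetch(base_url.rstrip("/") + path)
        if status not in acceptable:
            problems.append((path, status))
    return problems

if __name__ == "__main__":
    # Replace with your own site; every line printed is a rule that is not working.
    for path, status in verify_hardening("http://example.com"):
        print(f"{path} still answers {status}")
```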
27. SOME ADDITIONAL .htaccess RULES:
LOCATION: UPLOADS DIRECTORY
# secure uploads directory
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
=> issue: blocks ability to access PDF-related URLs by link
28. LOCATION: WP-ADMIN DIRECTORY
# SECURE WP-ADMIN FILES
<FilesMatch ".*">
Order Deny,Allow
Deny from all
# 203.0.113.10 is a placeholder: replace it with the allowed address
Allow from 203.0.113.10
</FilesMatch>
=> issue: restricting by IP address is not practical in many cases
29. LOCATION: ROOT DIRECTORY
# Denies "hotlinking" of images
<IfModule mod_rewrite.c>
RewriteEngine On
# ultimate hotlink protection
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu\.org|taffys\.org|halfelf\.org|poohnau\.us|elfshot\.org) [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
=> issue: this disables the theme screenshot display so I don't use it
30. LOCATION: ROOT DIRECTORY
# MAKES EXPLICIT LOCATION OF ROBOTS.TXT
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{REQUEST_URI} robots\.txt [NC]
RewriteRule .* http://example.com/robots.txt [R=301,L]
</IfModule>
=> issue: seems like overkill
# MAKES EXPLICIT LOCATION OF SITEMAP
<IfModule mod_alias.c>
RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
</IfModule>
=> issue: seems like overkill
31. WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE, IT WILL PREVENT FILES YOU WANT SECURED FROM BEING INDEXED
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /tag/
Disallow: /trackback/
Disallow: */trackback/
Disallow: /index.php # separate directive for the main script file of WP
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Allow: /wp-content/uploads/
Sitemap: http://SITEURL/sitemap_index.xml *
* SEO by Yoast generates a reliable sitemap
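The rules above mix prefixes, `*` wildcards, `$` anchors and an Allow that overlaps a Disallow, and it is not obvious from reading them which paths end up crawlable. The evaluator below, an added example and not part of the slides, parses a robots.txt and decides a path the way Google documents it: the longest matching pattern wins, and Allow wins a tie. ROBOTS_TXT is a constructed excerpt of the slide's file with example.com standing in for SITEURL.

```python
import re

# Constructed excerpt of the slide's robots.txt (example.com stands in for SITEURL).
ROBOTS_TXT = """User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: */trackback/
Disallow: /index.php # separate directive for the main script file of WP
Disallow: /*.php$
Disallow: /*.css$
Allow: /wp-content/uploads/
Sitemap: http://example.com/sitemap_index.xml
"""

def parse_rules(text, agent="*"):
    """Return [(kind, pattern)] from the group whose User-agent lines cover `agent`."""
    rules, agents, in_rules = [], set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules opens a new group
                agents, in_rules = set(), False
            agents.add(value.lower())
        elif field in ("allow", "disallow"):
            in_rules = True
            if value and agent.lower() in agents:
                rules.append((field, value))
    return rules

def _to_regex(pattern):
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + ("$" if anchored else ""))

def is_allowed(path, rules):
    """Longest matching pattern wins; on a tie Allow beats Disallow."""
    best = None  # (pattern length, is_allow)
    for kind, pattern in rules:
        if _to_regex(pattern).match(path):
            candidate = (len(pattern), kind == "allow")
            if best is None or candidate > best:
                best = candidate
    return True if best is None else best[1]
```

Note that the Allow for /wp-content/uploads/ is longer than /*.php$, so a PHP file in uploads stays crawlable under these rules; that is one more reason to block PHP execution there at the server level.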
32. PLUGINS OF NOTE: SITE SCANNERS
wp security scan
http://wordpress.org/plugins/wp-security-scan
Sucuri Security - SiteCheck Malware Scanner
http://wordpress.org/plugins/sucuri-scanner
WordPress File Monitor Plus
http://wordpress.org/plugins/wordpress-file-monitor-plus
Monitors your WordPress installation for added/deleted/changed files.
When a change is detected an email alert can be sent to a specified
address.
wordpress exploit scanner
http://wordpress.org/plugins/exploit-scanner
This plugin searches the files on your website, and the posts and
comments tables of your database for anything suspicious.
secure wordpress
http://wordpress.org/plugins/secure-wordpress
33. PLUGINS OF NOTE: MORE SCANNERS
Wordfence
http://wordpress.org/plugins/wordfence/
Better WP Security
http://wordpress.org/plugins/better-wp-security/
BulletProof Security
http://wordpress.org/plugins/bulletproof-security/
34. PLUGINS OF NOTE: BACKUP
vaultpress http://wordpress.org/plugins/vaultpress/ (subscription)
backup buddy http://ithemes.com/purchase/backupbuddy/ (paid)
WP Migrate DB Pro https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
backwpup http://wordpress.org/plugins/backwpup/
backup to dropbox
http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Online Backup for WordPress http://wordpress.org/plugins/wponlinebackup/
WP-DB-Backup http://wordpress.org/plugins/wp-db-backup/
WP-DBManager http://wordpress.org/plugins/wp-dbmanager/
BackUpWordPress http://wordpress.org/plugins/backupwordpress/
36. PLUGINS OF NOTE: MIXED BAG
theme authenticity checker http://wordpress.org/plugins/tac/
Theme-Check http://wordpress.org/plugins/theme-check/
Theme Test Drive http://wordpress.org/plugins/theme-test-drive/
block bad queries http://wordpress.org/plugins/block-bad-queries/
**jeff starr plugin
antivirus http://wordpress.org/plugins/antivirus/
37. NOTHING IS 100% HACK-PROOF, BUT YOU CAN MAKE IT MORE DIFFICULT
Keep your code current and work in a clean environment
Restrict access to WordPress admin
Block access to crucial files
Backup crucial files on a regular basis
Have a strategy to re-build if the easy solutions elude you