wordpress hardening

WORDCAMP BOLOGNA 2012

Upload: maurizio-pelizzone

Post on 18-Jan-2017


TRANSCRIPT

WORDCAMP BOLOGNA 2012

WORDPRESS HARDENING (V3)


About me

37 years old
Born in Turin (Italy)
Co-Founder mavida.com
WordPress Lover

http://maurizio.mavida.com
https://twitter.com/miziomon
http://www.linkedin.com/in/mauriziopelizzone


Why do we need «hardening»?


Dangers


1. Info collection
2. Password brute force attack
3. Exploit
4. Human mistakes
5. Server vulnerabilities
6. Network vulnerabilities
7. File permissions


Some solutions


Delete readme.html

Prevent user enumeration (?author=n)

RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]


1. Block access to login / admin
2. Prepare a custom login URL
3. Check key presence

Hide wp_(login|admin|registrazion)


Full code here: https://gist.github.com/3003290

RewriteRule ^login /wp-login.php?key=12345g&redirect_to=… [L]

RewriteCond %{HTTP_REFERER} !^wp-admin…
RewriteCond %{QUERY_STRING} !^key=12345
RewriteRule ^app/wp-login\.php http://%{SERVER_NAME}/? [R,L]


Deny php execution

Options All -Indexes
Order Allow,Deny
Deny from all

<Files ~ "\.(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
    Allow from all
</Files>

<Files permitted-filename.php>
    Allow from all
</Files>


Shrink plugins number

1. Remove inactive plugins
2. Remove useless plugins
3. Remove dangerous plugins
4. (Evaluate code integration)


DISALLOW PLUGIN INSTALL / UPDATE

/**
 * edit your wp-config.php
 */
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);


Use STRONG password

Insecure Password
• giulia76
• password
• 123456
• qwerty
• matrix

Secure Password
• D7u8hI928FJYusx
• Z5BLl20T8by1524
• TLv7p64P63V5Hr1
• 6b83668I15qRP2I
• Um2d4Ejd9T1ExPr

http://strongpasswordgenerator.com/

CHANGE DIRECTORY STRUCTURE


Rename wp-content

/**
 * edit your wp-config.php
 */
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
// no trailing space or slash in the path segment, or generated URLs break
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );


Change Upload Directory


Move WordPress Core

/**
 * edit your wp-config.php
 */
// WP_SITEURL takes no trailing slash: WordPress appends '/wp-login.php' etc. to it
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core' );
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );

/**
 * edit your index.php
 */
define( 'WP_USE_THEMES', true );
require( './wordpress-core/wp-blog-header.php' );


Structure Example


CUSTOM STRUCTURE EXAMPLE #1

CUSTOM STRUCTURE EXAMPLE #2


Codex References

• http://codex.wordpress.org/Hardening_WordPress

• http://codex.wordpress.org/Administration_Over_SSL

• http://codex.wordpress.org/Editing_wp-config.php

BLACKHOLE


http://perishablepress.com/blackhole-bad-bots/


RULES FOR BLACKHOLE

RewriteEngine On
RewriteBase /
RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]


BLACKHOLE PLUGIN

<?php
/*
Plugin Name: blackhole
Plugin URI: http://maurizio.mavida.com/
Description: blackhole
License: GPL
Version: 0.1
Author: Maurizio Pelizzone
Author URI: http://maurizio.mavida.com
*/

// Only trap front-end requests; never run the blackhole inside the admin area
if ( ! is_admin() ) {
    include( $_SERVER['DOCUMENT_ROOT'] . "/blackhole/blackhole.php" );
}


FILE MONITOR
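The slide gives no code for the file monitor, so here is an added example (not from the talk or from any WordPress project) of the idea: hash every file under the install, keep that as a baseline, and later report what was added, removed or modified, while ignoring directories that legitimately change such as uploads. The directory layout and file contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, skip_dirs=("uploads", "cache")) -> dict:
    """Map each relative file path under root to its digest, pruning noisy dirs."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the relative paths that were added, removed or modified since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed mini WordPress tree: take a baseline, then simulate changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DISALLOW_FILE_MODS', true);")
        (root / "wp-includes" / "functions.php").write_text("<?php // core file")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
        baseline = build_baseline(root)
        # Simulated changes (constructed): a core file edited, an unexpected PHP file
        # dropped in wp-content, and a legitimate upload change that must be ignored.
        (root / "wp-includes" / "functions.php").write_text("<?php // core file, edited")
        (root / "wp-content" / "unexpected.php").write_text("<?php // not part of the install")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd9")
        return compare(baseline, build_baseline(root))
```

In practice the baseline is written to disk outside the web root right after a clean install or update, and compare() runs from cron against a fresh build_baseline() of the live tree.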


AVOID FTP


?


Other

Thank you

Maurizio Pelizzone
[email protected]
http://maurizio.mavida.com
