WordPress/Hardening

From r00tedvw.com wiki

Hardening WordPress security should be taken seriously. Because it is one of the most popular platforms out there, it is also the most targeted.

Secure Updates/Installations

Performed on an Ubuntu 14.04 LTS VM.

Creating a new user

Create a new user without a password; it will not be needed since we'll be using SSH keys. It should also be noted that without a password it appears that this user account cannot SSH in when trying to use a password or leaving the password blank when asked.
Type in the following command and then hit ENTER through all the prompts.

~$ sudo adduser wp-user

It will prompt you multiple times for the password; just keep hitting ENTER to bypass them until you get to the "Try again?" prompt, then hit N for No.

Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] n

Create ssh keys

~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096

When it prompts for where to save the key, use this:

 /home/wp-user/wp_rsa

Hit ENTER through the passphrase prompts.
It should then confirm it has created the keys:

Your identification has been saved in /home/wp-user/wp_rsa.
Your public key has been saved in /home/wp-user/wp_rsa.pub

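setting wp user file/folder permissions

The key files are group-owned by www-data with mode 640 so that the web server can read the private key. Anything else running as www-data can read it as well; the key is restricted to local use further down.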

~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa*
~$ sudo chmod 640 /home/wp-user/wp_rsa*

create .ssh folder and allow webserver to log in

~$ sudo mkdir /home/wp-user/.ssh
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/
~$ sudo chmod 700 /home/wp-user/.ssh/

copy the public key created earlier so the user can log in, and set up permissions

~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
~$ sudo chmod 644 /home/wp-user/.ssh/authorized_keys

restrict the ssh key so it can only be used from the local machine

~$ sudo vi /home/wp-user/.ssh/authorized_keys

Add from="127.0.0.1" at the beginning of the key line, so that it reads:

from="127.0.0.1" ssh-rsa...

installing needed wp packages

~$ sudo apt-get update && sudo apt-get -y install php5-dev libssh2-1-dev libssh2-php

add the following lines to wp-config.php

~$ sudo vi /var/www/yoursite.com/wp-config.php

At the end of the file add:
/* settings for ftp access using ssh keys */
 define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');
 define('FTP_PRIKEY','/home/wp-user/wp_rsa');
 define('FTP_USER','wp-user');
 define('FTP_PASS','');
 define('FTP_HOST','127.0.0.1:22');

setting up file/folder permissions

Per this article, these are the only permissions that should be needed by WordPress and the web service.

Path                              Owner    Group     Permissions
/ (parent)                        wp-user  www-data  644
/wp-admin (directory)             wp-user  wp-user   755
/wp-admin/                        wp-user  wp-user   644
/wp-includes (directory)          wp-user  wp-user   755
/wp-includes/                     wp-user  wp-user   644
/wp-content (directory)           wp-user  www-data  775
/wp-content/                      wp-user  www-data  664
/wp-content/themes (directory)    wp-user  www-data  775
/wp-content/themes/               wp-user  www-data  664
/wp-content/plugins (directory)   wp-user  wp-user   755
/wp-content/plugins/              wp-user  wp-user   644
/wp-content/uploads (directory)   wp-user  www-data  775

Command Reference

~$ pwd
/var/www/mysite.com
~$ sudo chown wp-user:www-data ./*
~$ sudo chmod 644 ./*
~$ sudo chown wp-user:wp-user ./wp-admin/
~$ sudo chmod 755 ./wp-admin/
~$ cd ./wp-admin
~$ sudo chown wp-user:wp-user ./*
# 644 permissions already set, no need to change anything in the ./wp-admin/ directory
~$ cd ..
~$ sudo chown wp-user:wp-user ./wp-includes/
~$ sudo chmod 755 ./wp-includes/
~$ cd ./wp-includes
~$ sudo chown wp-user:wp-user ./*
# 644 permissions already set, no need to change anything in the ./wp-includes/ directory
~$ cd ..
# wp-user:www-data already set for ./wp-content
~$ sudo chmod 755 ./wp-content/
~$ cd ./wp-content
~$ sudo chown wp-user:www-data ./*
~$ sudo chmod 664 ./index.php
~$ sudo chmod 775 ./themes/
~$ sudo chmod 755 ./plugins/
~$ sudo chown wp-user:wp-user ./plugins/
~$ sudo chmod 775 ./uploads/
~$ cd ./themes
~$ sudo chown wp-user:www-data ./*
~$ sudo chmod 664 ./index.php
~$ cd ..
~$ cd ./plugins
~$ sudo chown wp-user:wp-user ./*
~$ sudo chmod 644 ./index.php
~$ sudo chmod 644 ./hello.php
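
As an added example (not part of the original page), the script below audits a site against the permissions table above, so a missed chown/chmod from the command reference shows up as a reported deviation. The function names, the DEVIATION output format and the reading of the "/dir/" rows as the regular files directly inside that directory are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the owner/group/mode table.
# Assumes GNU stat and find (as on Ubuntu). Names and output format are
# this example's own, not something WordPress or the page defines.

# report PATH OWNER GROUP MODE: print a line when PATH differs from the triple.
report() {
    local have
    have=$(stat -c '%U %G %a' "$1" 2>/dev/null) || have="missing"
    [ "$have" = "$2 $3 $4" ] || echo "DEVIATION $1: have [$have] want [$2 $3 $4]"
}

# audit_wp ROOT USER USERGROUP WEBGROUP: check every table row under ROOT.
audit_wp() {
    local root="$1" user="$2" ugrp="$3" web="$4"
    local rel owner group dmode fmode f
    # Columns: path owner group dir-mode file-mode ("-" = not stated in the table)
    while read -r rel owner group dmode fmode; do
        [ "$dmode" = "-" ] || report "$root/$rel" "$owner" "$group" "$dmode"
        [ "$fmode" = "-" ] && continue
        # Only files directly inside the directory (assumed meaning of "/dir/").
        # xmlrpc.php is skipped: the page locks it down separately (000, root:root).
        find "$root/$rel" -maxdepth 1 -type f ! -name xmlrpc.php 2>/dev/null |
        while read -r f; do
            report "$f" "$owner" "$group" "$fmode"
        done
    done <<EOF
. $user $web - 644
wp-admin $user $ugrp 755 644
wp-includes $user $ugrp 755 644
wp-content $user $web 775 664
wp-content/themes $user $web 775 664
wp-content/plugins $user $ugrp 755 644
wp-content/uploads $user $web 775 -
EOF
}

# Run as: bash audit_wp.sh /var/www/mysite.com wp-user wp-user www-data
if [ "$#" -eq 4 ]; then audit_wp "$@"; fi
```

No output means every checked path matches the table; each DEVIATION line names the path, what it has and what the table expects.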

disable xmlrpc

Not generally needed; however, disabling it could affect some add-on functionality, such as Jetpack.

~$ sudo chmod 000 xmlrpc.php
~$ sudo chown root:root xmlrpc.php

wordpress connecting ips

If you have access to the site limited, like for a dev variant, these IP ranges may be helpful to you. This is not a complete list by any means, but these are the IP ranges I found my site was calling whenever I tried to do an update/upgrade.

add access to wordpress for wordpress.com
192.0.78.9
192.0.78.17
209.15.21.93
209.15.21.85
209.15.21.87
209.15.21.96
209.15.21.80
209.15.21.129

The following were found using Whois and encompass everything above. These ranges are leased to Automattic, founders of WordPress.

192.0.64.0/18
209.15.21.0/24