WordPress/Hardening

From r00tedvw.com wiki
(Difference between revisions)
Line 84: Line 84:
 
  |}
 
  |}
  
===disable xmlrpc===
+
==disable xmlrpc==
 
not needed generally, however could affect some add-on functionality like in jetpack.
 
not needed generally, however could affect some add-on functionality like in jetpack.
 
  ~$ sudo chmod 000 xmlrpc.php
 
  ~$ sudo chmod 000 xmlrpc.php
 
  ~$ sudo chown root:root xmlrpc.php
 
  ~$ sudo chown root:root xmlrpc.php

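Review bot: promoting "disable xmlrpc" from a level-3 heading (`===`) to a level-2 heading (`==`) is the right fix, since the context line `|}` just above shows the heading previously sat inside the "setting up file/folder permissions" section directly after the permission table, while the xmlrpc.php commands in the unchanged context (`chmod 000` / `chown root:root`) have nothing to do with that table; the change makes it a top-level section alongside "Secure Updates/Installations", consistent with the rest of the page.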
Revision as of 22:23, 13 October 2014

Hardening WordPress should be taken seriously: because it is one of the most popular platforms out there, it is also one of the most targeted.


Secure Updates/Installations

performed on an Ubuntu 14.04 LTS VM

Creating a new user

Create a new user without a password. A password will not be needed, since we'll be using SSH keys. It should also be noted that without a password, it appears this user account cannot SSH in using password authentication, whether a password is typed or left blank when asked.
Type the following command and then hit ENTER through all the prompts:

~$ sudo adduser wp-user

It will prompt you multiple times for the password; keep hitting ENTER to bypass them until you get to the "Try again?" prompt, then hit N for No:

Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] n

Create ssh keys

~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096

When it prompts for where to save the key, use this:

 /home/wp-user/wp_rsa

Hit ENTER through the passphrase prompts.
It should then confirm that it has created the keys:

Your identification has been saved in /home/wp-user/wp_rsa.
Your public key has been saved in /home/wp-user/wp_rsa.pub

setting wp user file/folder permissions

~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa*
~$ sudo chmod 640 /home/wp-user/wp_rsa*

Create the .ssh folder so the web server can log in as this user

~$ sudo mkdir /home/wp-user/.ssh
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/
~$ sudo chmod 700 /home/wp-user/.ssh/

Copy the public key created earlier so the user can log in, and set up its permissions

~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
~$ sudo chmod 644 /home/wp-user/.ssh/authorized_keys

Restrict the SSH key so it can only be used from the local machine

~$ sudo vi /home/wp-user/.ssh/authorized_keys
Add the following at the beginning of the key line in the file:
from="127.0.0.1" ssh-rsa...

Installing the needed WordPress packages

~$ sudo apt-get update && sudo apt-get -y install php5-dev libssh2-1-dev libssh2-php

Add the following lines to wp-config.php

~$ sudo vi /var/www/yoursite.com/wp-config.php
At the end of the file, add the following (FTP_PASS is left as an empty string, since the key pair is used instead of a password):
define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/wp_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','127.0.0.1:22');

setting up file/folder permissions

Per this article, these are the only permissions that should be needed by WordPress and the web service.

Path                            Owner     Group      Permissions
/ (parent)                      wp-user   www-data   644
/wp-admin (directory)           wp-user   wp-user    755
/wp-admin/                      wp-user   wp-user    644
/wp-includes (directory)        wp-user   wp-user    755
/wp-includes/                   wp-user   wp-user    644
/wp-content (directory)         wp-user   www-data   775
/wp-content/                    wp-user   www-data   664
/wp-content/themes (directory)  wp-user   www-data   775
/wp-content/themes/             wp-user   www-data   664
/wp-content/plugins (directory) wp-user   wp-user    755
/wp-content/plugins/            wp-user   wp-user    644
/wp-content/uploads (directory) wp-user   www-data   775
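As an added check that is not part of the original wiki page, the following POSIX shell script audits a site tree against the table above. It assumes the "(directory)" rows describe the directory itself and the other rows the regular files directly inside that directory, and it takes the owner and web server group names from the WP_OWNER and WP_GROUP variables (defaulting to the page's wp-user and www-data).

```shell
#!/bin/sh
# Audit a WordPress tree against the ownership/permission table above.
# Assumed names (as on the page): WP_OWNER owns the site files, WP_GROUP is
# the web server's group; override them via the environment when needed.
WP_OWNER="${WP_OWNER:-wp-user}"
WP_GROUP="${WP_GROUP:-www-data}"

# Expected table, one entry per line: kind path owner group mode.
# "dir" checks the directory itself; "files" checks the regular files
# directly inside it (how the rows without "(directory)" are read here).
wp_expected() {
  printf '%s\n' \
    "files . $WP_OWNER $WP_GROUP 644" \
    "dir wp-admin $WP_OWNER $WP_OWNER 755" \
    "files wp-admin $WP_OWNER $WP_OWNER 644" \
    "dir wp-includes $WP_OWNER $WP_OWNER 755" \
    "files wp-includes $WP_OWNER $WP_OWNER 644" \
    "dir wp-content $WP_OWNER $WP_GROUP 775" \
    "files wp-content $WP_OWNER $WP_GROUP 664" \
    "dir wp-content/themes $WP_OWNER $WP_GROUP 775" \
    "files wp-content/themes $WP_OWNER $WP_GROUP 664" \
    "dir wp-content/plugins $WP_OWNER $WP_OWNER 755" \
    "files wp-content/plugins $WP_OWNER $WP_OWNER 644" \
    "dir wp-content/uploads $WP_OWNER $WP_GROUP 775"
}

# wp_audit_perms <site root>: report each deviation on stderr and print
# the number of deviations on stdout (0 means the tree matches the table).
wp_audit_perms() {
  root=$1; bad=0
  while read -r kind rel owner group mode; do
    want="$mode $owner $group"
    if [ ! -d "$root/$rel" ]; then
      echo "$root/$rel: missing" >&2; bad=$((bad + 1)); continue
    fi
    if [ "$kind" = dir ]; then
      targets="$root/$rel"
    else
      targets=$(find "$root/$rel" -maxdepth 1 -type f)
    fi
    for path in $targets; do
      actual=$(stat -c '%a %U %G' "$path")   # GNU stat: mode owner group
      if [ "$actual" != "$want" ]; then
        echo "$path: $actual (expected $want)" >&2
        bad=$((bad + 1))
      fi
    done
  done <<EOF
$(wp_expected)
EOF
  echo "$bad"
}
```

Run it as `wp_audit_perms /var/www/yoursite.com`; a non-zero count lists on stderr every file or directory whose mode, owner or group drifted from the table, which is worth re-checking after every plugin or core update.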

disable xmlrpc

xmlrpc.php is generally not needed, but disabling it could affect some add-on functionality, such as in Jetpack.

~$ sudo chmod 000 xmlrpc.php
~$ sudo chown root:root xmlrpc.php