WordPress/Hardening
Hardening the security of WordPress should be taken seriously. As one of the most popular platforms out there, it is also the most targeted.
Secure Updates/Installations
performed on an Ubuntu 14.04 LTS VM
Creating a new user
Create a new user without a password; one is not needed since we'll be using SSH keys. It should also be noted that without a password, it appears this user account cannot log in over SSH by password, even when leaving the password blank when asked.
Type the following command and then hit ENTER through all the prompts:
~$ sudo adduser wp-user
It will prompt you multiple times for the password; keep hitting ENTER to bypass them until you get to the "Try again?" prompt, then hit N for No.
Enter new UNIX password:
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
No password supplied
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] n
Create ssh keys
~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096
When it asks where to save the key, use this:
/home/wp-user/wp_rsa
Hit ENTER through the passphrase prompts.
It should then confirm that it has created the keys:
Your identification has been saved in /home/wp-user/wp_rsa.
Your public key has been saved in /home/wp-user/wp_rsa.pub
setting wp user file/folder permissions
~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa*
~$ sudo chmod 640 /home/wp-user/wp_rsa*
create .ssh folder and allow webserver to log in
~$ sudo mkdir /home/wp-user/.ssh
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/
~$ sudo chmod 700 /home/wp-user/.ssh/
copy the public key created earlier so the user can log in, and set its permissions
~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
~$ sudo chmod 644 /home/wp-user/.ssh/authorized_keys
restrict the ssh key so it can only be used from the local machine
~$ sudo vi /home/wp-user/.ssh/authorized_keys
Add the following at the beginning of the key line in the file:
from="127.0.0.1" ssh-rsa...
installing needed wp packages
~$ sudo apt-get update && sudo apt-get -y install php5-dev libssh2-1-dev libssh2-php
add the following lines to wp-config.php
~$ sudo vi /var/www/yoursite.com/wp-config.php
At the end of the file add (FTP_PASS is left empty because the key pair is used instead of a password):
define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/wp_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','127.0.0.1:22');
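A quick way to confirm that the steps above produced what they should is to audit the result rather than trust the typing. The script below is an added example, not part of the original page or of WordPress: it checks that `~/.ssh` is 0700, that `authorized_keys` exists, is 0644 and carries the `from="127.0.0.1"` restriction on every key, that the private key `wp_rsa` is 0640, and that the `FTP_*` defines in wp-config.php point at the loopback address and at key files that exist. The function names, the `HOME_DIR` and `WP_CONFIG` arguments, and the FAIL messages are this example's own; it uses only POSIX sh, ls, grep and sed.

```shell
# Audit of the wp-user SSH setup described above.
# Added example, not part of the original page.
# wp_audit_ssh HOME_DIR   and   wp_audit_config WP_CONFIG
# both return 0 when every check passes, otherwise report each
# failing check on stderr and return 1.

# Print the 10-character mode string of a path, e.g. "drwx------".
wp_mode_string() {
    ls -ld "$1" | cut -c1-10
}

wp_audit_ssh() {
    home=$1
    ssh_dir="$home/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    priv_key="$home/wp_rsa"
    rc=0

    [ -d "$ssh_dir" ] && [ "$(wp_mode_string "$ssh_dir")" = "drwx------" ] \
        || { echo "FAIL: $ssh_dir must exist with mode 0700" >&2; rc=1; }
    [ -f "$auth_keys" ] && [ "$(wp_mode_string "$auth_keys")" = "-rw-r--r--" ] \
        || { echo "FAIL: $auth_keys must exist with mode 0644" >&2; rc=1; }
    # 0640: owner read/write, group (www-data) read only, nothing for others
    [ -f "$priv_key" ] && [ "$(wp_mode_string "$priv_key")" = "-rw-r-----" ] \
        || { echo "FAIL: $priv_key must exist with mode 0640" >&2; rc=1; }

    # Every non-blank, non-comment key line must start with the loopback
    # restriction; "grep -vq" succeeds if any line lacks it.
    if [ -f "$auth_keys" ] && grep -v '^[[:space:]]*$' "$auth_keys" | grep -v '^#' \
            | grep -vq '^from="127\.0\.0\.1"[ ,]'; then
        echo "FAIL: a key in $auth_keys lacks from=\"127.0.0.1\"" >&2
        rc=1
    fi
    return $rc
}

wp_audit_config() {
    cfg=$1
    rc=0
    grep -q "^define('FTP_HOST','127\.0\.0\.1:22');" "$cfg" \
        || { echo "FAIL: FTP_HOST in $cfg must be 127.0.0.1:22" >&2; rc=1; }
    for key in FTP_PUBKEY FTP_PRIKEY; do
        # pull the quoted path out of define('KEY','path');
        path=$(sed -n "s/^define('$key','\([^']*\)');.*/\1/p" "$cfg")
        [ -n "$path" ] && [ -f "$path" ] \
            || { echo "FAIL: $key in $cfg does not point at an existing file" >&2; rc=1; }
    done
    return $rc
}

# Usage on the host set up above:
#   wp_audit_ssh /home/wp-user && wp_audit_config /var/www/yoursite.com/wp-config.php
```

Run it after any change to the wp-user account; a key line without the `from=` option or an `FTP_HOST` that is not 127.0.0.1:22 means the update channel is no longer pinned to the local machine.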
setting up file/folder permissions
per this article, these are the only permissions that should be needed by wordpress and the web service.
Path | Owner | Group | Permissions |
---|---|---|---|
/ (parent) | wp-user | www-data | 644 |
/wp-admin (directory) | wp-user | wp-user | 755 |
/wp-admin/ | wp-user | wp-user | 644 |
/wp-includes (directory) | wp-user | wp-user | 755 |
/wp-includes/ | wp-user | wp-user | 644 |
/wp-content (directory) | wp-user | www-data | 775 |
/wp-content/ | wp-user | www-data | 664 |
/wp-content/themes (directory) | wp-user | www-data | 775 |
/wp-content/themes/ | wp-user | www-data | 664 |
/wp-content/plugins (directory) | wp-user | wp-user | 755 |
/wp-content/plugins/ | wp-user | wp-user | 644 |
/wp-content/uploads (directory) | wp-user | www-data | 775 |
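Applying that table by hand to a whole site is error-prone, so here is an added example script (not from the original page or from WordPress) that applies it with find(1). `wp_set_modes` does only the chmod part and can be run by the owning user; `wp_set_owners` does the chown part and needs root. Two things the table does not state are assumed here: the parent directory itself gets 755, and files under `/wp-content/uploads` get 664 like the rest of `/wp-content`. Both functions skip `xmlrpc.php` so the mode set for it in the next section survives a re-run. The function names are this example's own.

```shell
# Apply the permission table above to a WordPress tree.
# Added example, not part of the original page or of WordPress itself.

# Print the 10-character mode string of a path, e.g. "drwxrwxr-x".
wp_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# wp_set_modes WP_ROOT   (chmod only; can run as the owning user)
wp_set_modes() {
    root=$1
    chmod 755 "$root"    # assumption: the table gives no mode for the parent dir itself
    # "/ (parent)" files: 644. xmlrpc.php is skipped so its 000 mode is kept.
    find "$root" -maxdepth 1 -type f ! -name xmlrpc.php -exec chmod 644 {} +
    # wp-content, themes and uploads: group-writable so www-data can write
    if [ -d "$root/wp-content" ]; then
        find "$root/wp-content" -type d -exec chmod 775 {} +
        find "$root/wp-content" -type f -exec chmod 664 {} +
    fi
    # wp-admin, wp-includes and plugins: no write bit for the web server.
    # plugins is handled after the wp-content pass so this setting wins.
    for d in wp-admin wp-includes wp-content/plugins; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 755 {} +
        find "$root/$d" -type f -exec chmod 644 {} +
    done
}

# wp_set_owners WP_ROOT OWNER WEBGROUP   (chown; needs root)
wp_set_owners() {
    root=$1; owner=$2; web=$3
    chown -R "$owner:$owner" "$root"                         # table default
    # parent files are owner:www-data; xmlrpc.php keeps root:root
    find "$root" -maxdepth 1 -type f ! -name xmlrpc.php -exec chown "$owner:$web" {} +
    [ -d "$root/wp-content" ] && chown -R "$owner:$web" "$root/wp-content"
    # plugins goes back to owner:owner, overriding the wp-content pass
    [ -d "$root/wp-content/plugins" ] && chown -R "$owner:$owner" "$root/wp-content/plugins"
    return 0
}

# Usage on the host described above (the second command as root):
#   wp_set_modes  /var/www/yoursite.com
#   wp_set_owners /var/www/yoursite.com wp-user www-data
```

Order matters inside each function: the recursive pass over `/wp-content` would otherwise also make `/wp-content/plugins` group-writable, so plugins is reset afterwards. Re-running both functions is safe and is a cheap way to undo permission drift after a plugin or theme install.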
disable xmlrpc
Generally not needed; disabling it can, however, affect some add-on functionality, such as Jetpack. Run this in the WordPress root directory:
~$ sudo chmod 000 xmlrpc.php
~$ sudo chown root:root xmlrpc.php
wordpress connecting ips
If access to the site is limited, as for a dev variant, these IP ranges may be helpful to you. This is not a complete list by any means, but these are the IP ranges I found my site was calling whenever I tried to do an update/upgrade.
Add access from WordPress to wordpress.com:
192.0.78.9
192.0.78.17
209.15.21.93
209.15.21.85
209.15.21.87
209.15.21.96
209.15.21.80
209.15.21.129