WordPress/Hardening
Hardening the security on WordPress should be taken seriously. With it being one of the most popular platforms out there, it becomes the most targeted.
Contents |
Secure Updates/Installations
performed on a Ubuntu 14.04LTS VM
Creating a new user
create a new user without a password. it will not be needed since we'll be using SSH keys. It should also be noted that without a password is appears that this user account cannot ssh if trying to use a password or leaving the password blank when asked.
type in the following command below and then hit ENTER through all the prompts
~$ sudo adduser wp-user
It will prompt you multiple times for the password, just keep hitting ENTER to bypass them until you get to the "Try Again" prompt and hit N for No
Enter new UNIX password: Retype new UNIX password: No password supplied Enter new UNIX password: Retype new UNIX password: No password supplied Enter new UNIX password: Retype new UNIX password: No password supplied passwd: Authentication token manipulation error passwd: password unchanged Try again? [y/N] n
Create ssh keys
~$ sudo su - wp-user ~$ ssh-keygen -t rsa -b 4096
when it prompts to ask where to save the key, use this:
/home/wp-user/wp_rsa
hit enter through the passphrase prompts
It should then confirm it has created the keys
Your identification has been saved in /home/wp-user/wp_rsa. Your public key has been saved in /home/wp-user/wp_rsa.pub
setting wp user file/folder permissions
~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa* ~$ sudo chmod 640 /home/wp-user/wp_rsa*
create .ssh folder and allow webserver to log in
~$ sudo mkdir /home/wp-user/.ssh ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/ ~$ sudo chmod 700 /home/wp-user/.ssh/
copy public key created earlier so the user can log in and setup permissions
~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys ~$ sudo chmod 644 /home/wp-user/.ssh/authorized_keys
restrict the ssh key to only be able to used from the local machine
~$ sudo vi /home/wp-user/.ssh/authorized_keys Add the following at the beginning of the file from="127.0.0.1" ssh-rsa...
installing needed wp packages
~$ sudo apt-get update && sudo apt-get -y install php5-dev libssh2-1-dev libssh2-php
add the following files to wp-config.php
~$ sudo vi /var/www/yoursite.com/wp-config.php
@ the end of the file add
/* settings for ftp access using ssh keys */
define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/wp_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','127.0.0.1:22');
setting up file/folder permissions
per this article, these are the only permissions that should be needed by wordpress and the web service.
| Path | Owner | Group | Permissions |
|---|---|---|---|
| / (parent) | wp-user | www-data | 644 |
| /wp-admin (directory) | wp-user | wp-user | 755 |
| /wp-admin/ | wp-user | wp-user | 644 |
| /wp-includes (directory) | wp-user | wp-user | 755 |
| /wp-includes/ | wp-user | wp-user | 644 |
| /wp-content (directory) | wp-user | www-data | 775 |
| /wp-content/ | wp-user | www-data | 664 |
| /wp-content/themes (directory) | wp-user | www-data | 775 |
| /wp-content/themes/ | wp-user | www-data | 664 |
| /wp-content/plugins (directory) | wp-user | wp-user | 755 |
| /wp-content/plugins/ | wp-user | wp-user | 644 |
| /wp-content/uploads (directory) | wp-user | www-data | 775 |
Command Reference
~$ pwd ~$ /var/www/mysite.com ~$ sudo chown wp-user:www-data ./* ~$ sudo chmod 644 ./* ~$ sudo chown wp-user:wp-user ./wp-admin/ ~$ sudo chmod 755 ./wp-admin/ ~$ cd ./wp-admin ~$ sudo chown wp-user:wp-user ./* ~$ 644 permissions already set, no need to change anything in the ./wp-admin/ directory ~$ cd .. ~$ sudo chown wp-user:wp-user ./wp-includes/ ~$ sudo chmod 755 ./wp-includes/ ~$ cd ./wp-includes ~$ sudo chown wp-user:wp-user ./* ~$ 644 permissions already set, no need to change anything in the ./wp-includes/ directroy ~$ cd .. ~$ wp-user:www:data already set for ./wp-content ~$ sudo chmod 755 ./wp-content/ ~$ cd ./wp-content ~$ sudo chown wp-user:www-data ./* ~$ sudo chmod 664 ./index.php ~$ sudo chmod 775 ./themes/ ~$ sudo chmod 755 ./plugins/ ~$ sudo chown wp-user:wp-user ~$ sudo chmod 775 ./uploads/ ~$ cd ./themes ~$ sudo chown wp-user:www-data ./* ~$ sudo chmod 664 ./index.php ~$ cd .. ~$ cd ./plugins ~$ sudo chown wp-user:wp-user ./* ~$ sudo chmod 644 ./index.php ~$ sudo chmod 644 ./hello.php
disable xmlrpc
not needed generally, however could affect some add-on functionality like in jetpack.
~$ sudo chmod 000 xmlrpc.php ~$ sudo chown root:root xmlrpc.php
wordpress connecting ips
If you have access to the site limited, like for a dev variant, these ip ranges may be helpful to you. This is not a complete list by any means, but these are the ip ranges I found my site was calling whenever i tried to do an update/upgrade.
add access to wordpress for wordpress.com 192.0.78.9 192.0.78.17 209.15.21.93 209.15.21.85 209.15.21.87 209.15.21.96 209.15.21.80 209.15.21.129
The following were found using Whois and encompass everything above. These ranges are leased to Automattic, founders of Wordpress
192.0.64.0/18 209.15.21.0/24
