Jump to content

Wordpress 101 - Initial Security Guide


Recommended Posts

This is not meant to be an all-encompasing guide to security WP, this is just to get you started


Why is it WordPress has a bad name when it comes to security?

 Primarily because the attack surface (files available to exploit) is MASSIVE.  Take a look at your installation, see all the 100s of php files and folders? Well every single one of them could be another spot to exploit.  To start, remove all files that say README, or INSTALL.txt etc.  Next of the very most core steps to secure your new WP install, lock down the /wp-admin (also renaming it would be better in addition) by IP Address.  Even if you allow your home ISP cablemodem /24 like, your blocking millions of ips, and only allowing 255 to actaully get at your login page.  
Change username to not equal – admin
There is many scripts out there to enumerate wordpress usernames from from linux command link (google: git wpscan3)
If this script cant get AT your login page, its going to have a hell of a time enumerating usernames, and dictionary attack is out of the question.  
Set proper permissions on ALL files and folders.  I cannot speak for WP indefinately, however, all the scripts, css/html on my website are  chmod 644, all the folders (directories) are chmod 755   .  I have had no problems with those. The only time a file on your webserver should be chmod 777 (read write execute for the world), is temp files, and specific files that need to be modified on the fly, like cache, temp, etc.  Take a look (with filezilla for instance) at your files right click them / properties look at the chmod values for various files. if you see 777, you need to take a step back and re-examine if this file/dir needs rwx world permissions (very very few files need this).  
My last suggestion other then the very basic obvious thing (UPDATE daily, and MINIMIZE themes and plugins, if you arent actively using a theme or plugin, it is another attack vector surface to exploit.  Disable anything not being used. WP will tell you if its needed.  
Last suggestion(s):
Setup a custom 404 (error not found) page .. take a look at mine https://tranceattic.com if you goto ANY page off my domain that doesnt exist, or try to hack it (ie: https://tranceattic.com/youareowned) .. Youll see my custom 404 page, custom picture and your IP, and user agent, time date and what you tried to view/modify.  This gets logged into a mysql DB and after 3, it trips an alarm and blocks your ip for an hour)
Verify your robots.txt file is allowing OR disallowing the proper directories.  For instance I would nearly garuntee you do NOT want /wp-admin/* to be crawled by any search engines .. Add:
Disallow: /wp-admin/*
Disallow: /wp-admin?*
You get the idea.
Hopefully this helps if you want more suggestions or want your site checked out, id be happy to give you a quick rundown of how it looks from hacker perspective.
DJ Substabce
#9x / efnet  :: @tranceattic twitter

Link to comment
Share on other sites

A couple of comments on this...

Don't disable things you aren't using, remove them. If they are disabled the files are still on disk and vulnerabilities still potentially exposed.

Rather than setting temp directories at 777, make them owned by the web server user and keep them at 755. This prevents them from being written to by other users, for example the mysql user.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...