Security is a huge deal. Sometimes you're at the mercy of the open source solution or content management system that you choose. There are occasions when, even after ensuring your CMS and its plugins are consistently up to date, you still fall victim to a zero-day exploit that circumvents the security of your site and allows an attacker to upload a file or modify your backend database.
That’s not good! Especially if you are diligent to the best of your abilities.
We’ve decided to put together a quick security guide specifically to help people ensure their WordPress implementation is as secure as possible.
Web Hosting environment
This is obviously a big one. Your hosting environment may or may not provide additional layers of security as requests to your website are processed and served. At a minimum, most web hosting companies should be able to provide regular backups and a working way to restore them.
Mod Security
ModSecurity acts as an intrusion detection (IDS) layer between the web server that serves your website and the outside world. It inspects incoming requests (query strings, HTTP POST bodies and similar submissions) and checks them against pre-defined rules. The rules are essentially a set of regular expressions; if a request matches one, the request is refused.
So, for example, if the following query string is passed to WordPress' index.php file:
GET http://yoursite.com/index.php?../../etc/passwd
ModSecurity will treat this as a malicious attempt to read the password file on a Linux/Unix system and will interrupt the request by returning an error, never letting Apache or PHP process it. In this example the request would fail anyway, but there are thousands and thousands of rules that ModSecurity checks against to protect you from many of the most commonly used attack vectors.
Password protect wp-login
This is an easy one that anyone with minimal experience should be able to implement. Adding a second layer of protection in front of WordPress' logged-in area is something you can do in most shared hosting environments.
The following, at least if you are using Apache as your web server, takes any request for wp-login.php (the file that processes all login requests) and puts a second layer of HTTP authentication in front of it:
# Protect wp-login
# Only wp-login.php is wrapped, so the rest of the site stays public.
<Files wp-login.php>
    # Apache does not expand ~; use the absolute path, kept outside the web root
    AuthUserFile /path/to/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require user mysecretuser
</Files>
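As an added example (not from the original post), the POSIX shell helpers below create the .htpasswd entry the stanza above points at, verify a password against it, and write the wp-login.php protection block; they assume OpenSSL is installed, and the file paths and user name are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL is installed;
# the paths and the user name passed in are placeholders.

# Create or replace a user's entry in an htpasswd-style file using the
# Apache MD5 ("$apr1$") format that mod_auth_basic accepts.
# usage: htpasswd_set <htpasswd-file> <user> <password>
htpasswd_set() {
    file=$1; user=$2; pass=$3
    hash=$(openssl passwd -apr1 "$pass") || return 1
    # keep every other user's line, drop any old line for this user
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$file.tmp" || true
    else
        : > "$file.tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"   # not world-readable; keep it outside the web root
}

# Verify a clear-text password against the stored hash for a user by
# re-hashing it with the stored salt. Returns 0 on match, 1 otherwise.
# usage: htpasswd_check <htpasswd-file> <user> <password>
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" | cut -d: -f2)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Write the .htaccess stanza that applies Basic auth to wp-login.php only.
# usage: write_wp_login_htaccess <htaccess-file> <absolute-htpasswd-path> <user>
write_wp_login_htaccess() {
    cat > "$1" <<EOF
# Protect wp-login
<Files wp-login.php>
    AuthUserFile $2
    AuthName "Private access"
    AuthType Basic
    Require user $3
</Files>
EOF
}
```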
Use strong passwords
This is an easy one. For all administrative and "power user" accounts, which includes the FTP/SFTP/SSH accounts that access the site, be sure to use strong passwords of 12-15 characters. There are many ways to safely generate random passwords; I prefer the open source command line utility pwgen.
# pwgen -cny 15 10
Ii9ahVigh>ae1yi aed7xo=gh8Dahng ohvohB[eethoo6O Eik9Ile6somohr" Oogah}f0eeg1eev
Axah5noodiz{ei2 haiboo+F3iehe7n HieM&iethee2gag Gabohj2shoo
File permissions
This is another straightforward, yet potentially tedious, exercise. Most out-of-the-box WordPress installations, for example, have directory indexing (listing) enabled on the wp-content/uploads folder, meaning anyone can browse the folder in a web browser. What's the downside? It depends: do you want someone poking around all of your uploaded files and media, whether published or not?
You could write a script that runs at regular intervals and "fixes" the permissions. The advantage of a scheduled script is that even if permissions are mistakenly set to world-writable, the script corrects them at the next interval. A second advantage is that a malicious user who manages to upload their own scripts and files may at least be hindered when the scheduled script alters things so that those files and folders are no longer writable.
#!/bin/sh
# Point at the WordPress document root; cron runs this at the chosen interval
cd /path/to/wordpress || exit 1
sudo find . -type f -exec chmod 644 {} +   # files: rw-r--r--
sudo find . -type d -exec chmod 755 {} +   # directories: rwxr-xr-x
The snippet above simply sets permissions for files and directories separately. You may need to adjust the scope of the script so that media/file uploads still work within WordPress, including plugin and core updates performed through the CMS.
Regular Security Audits
There are many scanning tools that can at least run surface scans against your website for basic penetration and vulnerability testing. One of the best WordPress security tools to come out recently is aptly called WPScan.
The tool has an updatable database that it uses to scan your WordPress site for all known or publicly disclosed vulnerabilities. It can enumerate thousands of plugins and themes to detect whether you are running a vulnerable version. It is a great starting "benchmark" that gives your entire site an external once-over to see whether any red flags or problems exist. Just be sure to let your web host know beforehand if you plan on running this against your site!
[+] WordPress version 4.0.1 identified from rss generator
[+] WordPress theme in use: testsite
[+] Name: buzzpr
| Location: http://www.testsite.ca/wp-content/themes/buzzpr/
| Style URL: http://www.testsite.ca/wp-content/themes/buzzpr/style.css
| Description:
[+] Enumerating plugins from passive detection ...
| 3 plugins found:
[+] Name: contact-form-7
| Location: http://www.testsite.ca/wp-content/plugins/contact-form-7/
[!] Directory listing is enabled: http://www.testsite.ca/wp-content/plugins/contact-form-7/
[+] We could not determine a version so all vulnerabilities are printed out
[!] Title: Contact Form 7 <= 3.7.1 - Security Bypass Vulnerability
    Reference: https://wpvulndb.com/vulnerabilities/7020
    Reference: http://www.securityfocus.com/bid/66381/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2265
[i] Fixed in: 3.7.2
Security Notifications from WordPress itself
Finally, as far as security goes, what better source of vulnerability notifications than the WordPress security team themselves? If you are notified as soon as something is discovered, you can take mitigating action immediately and shorten the time you spend running a vulnerable WordPress installation while these flaws are floating around in the wild.
There is a WordPress security category straight off the site, but there are also CVE and US-CERT alert notification feeds you can subscribe to, which is always a good general best practice:
WordPress Security Archive
WordPress Vulnerability Database
US CERT Security Notification Feeds
CVE Details
These suggestions are just a starting point and should never be treated as a be-all and end-all approach to security. Awareness is the first step, followed by prudence and methodical best practices. Remember, no one is ever 100% secure!