
Securing your WordPress site

Brecht Ryckaert edited this page Jun 9, 2016 · 30 revisions

After you've installed a new WordPress site, you'll want to secure it. This guide walks you through the necessary steps of securing that site.

First and foremost, you should implement every single measure listed in the official information at http://codex.wordpress.org/Hardening_WordPress. The information below extends those measures to secure your WordPress site even further.

Things to do in WordPress

Tweaking your security via .htaccess files

Hiding the .htaccess file

Add the following snippet to your .htaccess to ensure your .htaccess can't be accessed by anyone but the server itself.

# Apache 2.2 access-control syntax. On Apache 2.4 this only works when
# mod_access_compat is loaded; the native 2.4 equivalent is "Require all denied".
<Files .htaccess>
order allow,deny
deny from all
</Files>

Blocking XML-RPC Requests

Since WordPress 3.5 there is no longer an option to disable the XML-RPC protocol from within the backend. XML-RPC is often used as a means to attack WordPress sites: a single request to xmlrpc.php can test a number of username and password combinations, which makes it an easy vehicle for brute-force attacks. It is therefore best to disable it by default, unless you or your client use applications that require this functionality.

Applications that require XML-RPC to be active:
Windows Live Writer
WordPress mobile app (for iOS, Android, ...)

How to block XML-RPC:
Add this to your .htaccess to block requests to XML-RPC:

# Requires "RewriteEngine On" (already present in the default WordPress .htaccess).
# Any request for xmlrpc.php is permanently redirected to a non-routable address.
RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]

_Added note:_ I chose to use this tweak over (for example) the Disable XML-RPC plugin, as WPscan was still able to see XML-RPC as active with this plugin active during a penetration test. This was resolved by adding the RewriteRule above to my .htaccess.

Author Pages

By default, author pages are enabled in WordPress. Unfortunately, this functionality can be abused for user enumeration, allowing anyone with malicious intent to acquire the usernames.

How this works:
If you append "?author=1" to your domain in the address bar, WordPress responds with a redirect to an address like "domain/author/username".

Example:
http://yourdomain.com/?author=1 will redirect to http://yourdomain.com/author/administrator.
This example shows the output if the username linked to user ID 1 is administrator.

How to block this:
We can prevent this by stopping user enumeration. Add the following rewrite rule to your .htaccess file:

# Do not interfere with the admin backend, where ?author= is used legitimately
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Match any query string containing author=<digit>
RewriteCond %{QUERY_STRING} author=\d
# Redirect such requests to the site root instead of the author page
RewriteRule ^ /? [L,R=301]

Blocking PHP-Uploads to /wp-content/uploads/

By default there are no PHP files within /wp-content/uploads. To avoid malicious code being served from the upload directory, we block every request for a file with a PHP-like extension:

# Return 403 Forbidden for .php, .php1 to .php6, .pht, .phtm and .phtml files
# under wp-content/uploads (NC = case-insensitive match, F = forbidden)
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]

Prevent PHP-execution in wp-content/uploads

When attackers succeed in gaining access, they often upload malicious scripts to the wp-content/uploads folder. They then send a request to that file (either a GET or a POST request) to perform further abuse (for example via spamming scripts) or to regain access after a prior compromise has been cleaned up (i.e. the script acts as a backdoor).

We can prevent the execution of these PHP files by adding a separate .htaccess file in the wp-content/uploads folder. This .htaccess should contain the following rules:

# Deny direct requests to any PHP file in this directory and its subdirectories
<Files *.php>
deny from all
</Files>
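The three rewrite rules above (XML-RPC, author enumeration and PHP in uploads) can be sanity-checked before they go live. The following Python script is an added example and not part of this wiki page: it re-implements the match logic of those rules and runs it over constructed Apache access-log lines, so you can confirm which requests each rule would catch and which it would let through. The log lines, IP addresses and file names are made up for the example.

```python
import re
from typing import Optional

# Patterns taken from the page's .htaccess rules. In a per-directory (.htaccess)
# context Apache matches RewriteRule against the path relative to the directory,
# i.e. without the leading "/", which is why the originals start with
# "^xmlrpc.php$" and "^wp\-content/...". The page's xmlrpc rule has no [NC].
XMLRPC_RE = re.compile(r"^xmlrpc\.php$")
UPLOADS_PHP_RE = re.compile(r"^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$", re.I)
AUTHOR_QS_RE = re.compile(r"author=\d")          # RewriteCond on %{QUERY_STRING}
WP_ADMIN_RE = re.compile(r"^/wp-admin", re.I)    # RewriteCond on %{REQUEST_URI}

# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify(target: str) -> Optional[str]:
    """Return the name of the page rule that would act on this request target, or None."""
    path, _, query = target.partition("?")
    rel = path.lstrip("/")  # per-directory RewriteRule sees the path without "/"
    if XMLRPC_RE.match(rel):
        return "xmlrpc-redirect"
    if UPLOADS_PHP_RE.match(rel):
        return "uploads-php-forbidden"
    if AUTHOR_QS_RE.search(query) and not WP_ADMIN_RE.match(path):
        return "author-enum-redirect"
    return None


def scan_log(text: str) -> list:
    """Return (ip, target, rule) for every log line one of the rules would catch."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        rule = classify(m["target"])
        if rule:
            hits.append((m["ip"], m["target"], rule))
    return hits


# Constructed sample traffic (documentation IP ranges, invented file names).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.5 - - [09/Jun/2016:10:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.7 - - [09/Jun/2016:10:00:03 +0000] "GET /wp-content/uploads/2016/06/x.php5 HTTP/1.1" 403 0
198.51.100.7 - - [09/Jun/2016:10:00:04 +0000] "GET /wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 8812
192.0.2.9 - - [09/Jun/2016:10:00:05 +0000] "GET /wp-admin/users.php?author=1 HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, target, rule in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {rule:<24} {target}")
```

Only the first three sample lines are reported: the JPEG in uploads and the backend request carrying author=1 are left alone, exactly as the RewriteCond exclusions intend.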

Tweaking your server configuration