Vulnerability Management

Securing WordPress: Hardening Basics

WordPress has become one of the leading blog platforms, and many small to medium sized businesses even utilize it as their content management system.

WordPress is available as a one-click install with most hosting providers making deployment simple. However this popularity and ease of use has come at a price, as the public moves to WordPress as their platform of choice, hackers have also been attracted to the platform en masse.


WordPress Jenga: Layers of Risk

At an abstract level the entire WordPress vulnerability stack can be thought of like a game of Jenga. At the base you have the server hardware which is usually managed and secured in a data center, which vulnerabilities, such as malicious employees, hardware failures and firmware issues.

Built on top of that you have the operating system of the server be it Windows or Linux, each having their own vulnerabilities.

Next you have the application layer with the web server software, PHP and MySQL with you guessed it, more vulnerabilities.

Then at the pinnacle we have WordPress with a long history of vulnerabilities. To make things ever more complex you have client side vulnerabilities with browsers, cross scripting attacks and of course the end user themselves.

When one of these components is breached, everything above comes crashing down.

The good news is you usually won’t have to deal with the hardware, operating system and software ( web server, PHP, MySQL), if you are using a decent hosting provider these items should be patched and secured, but it wouldn’t hurt to ask and verify.

Faults In Defaults

Once you have installed your WordPress installation make sure you remove all default blog posts and links, many bots scan sites looking for these indicators of a fresh Word Press install.

You will want to change the default “admin” username to something unique as well as select a strong password.

It only takes a few hours to crack a six character password, especially if it consists of words that appear in the dictionary. It is best to make sure your password is at least 12 characters long and consists of letters, numbers and special characters such as “#&*#!%”.

I highly recommend using a password management application such as Keepass which helps generate secure passwords, as well as stores them securely for you in one encrypted file.

Back Up & Update

The most important thing a user can do to ensure that their WordPress installation is safe is to ensure that WordPress is up to date.

As security hole are discovered the WordPress team is quick to deploy fixes, so make sure you keep your install up to date. Some hosting providers provide automatic updates as a free service to help their customers keep their installation secure, but even then don’t rely on it.

There is also a plugin called “Hotfix” that you can automatically  install patches, however keep in mind not all fixes will be available and you should still keep an eye on the latest versions of WordPress available.

If by some chance your blog is hacked, you will want to make sure you have a fresh backup, so back up your blog content and installation often. Usually if your WordPress instance is exploited, it is nearly impossible to clean up and the usual course of action is to wipe it clean and start from a fresh install, you can make this process less painful if your content, database and files are backed up regularly.

.htaccess Denied! 

httpauthOne quick trick to help mitigate the risk of swarms of  bots that scan the web for vulnerable targets is to add a second level of authentication to the “wp-admin” directory.

A popular way to do this is to add basic HTTP Authentication to the mix, usually by the addition of a .htacces file in the “wp-admin” directory.

Many hosting providers will have an easy way to set this up in the control panel, as simple as adding password protection to directories.

Additionally you can utilize the .htaccess file to limit access to the wp-admin directory by IP address for an added layer of protection.

Note that this approach is used to keep out most automated scanners that spider the web for WordPress sites with known vulnerabilities as well as plugins, but is not an adequate defense for the determined hacker and not replacement for setting a good password.

Cloud Based Security Services

There are a number of cloud based security solutions, the biggest one being CloudFlare which essentially functions as a shield in front of your website, blocking bad agents from hitting your website, minimal protection against SQL injection attacks and great DDOS mitigation. These services also speed up general site performance as CDNs (Content Deliver Networks) by caching images and other files on servers distributed around the world so your site doesn’t have to load them for every request. CloudFlare offers a free service that provides decent protection, Akamai provides a similar service more geared towards the enterprise.

Plugins a Blessing and Curse

Plugins have been consistently one key source of many a WordPress compromise, due to many developers not following security best practices, the WordPress framework not providing security restrictions to these developers and WordPress admins not updating plugins when security updates are made available.

It is a best practice to go in and delete all plugins that you know you will not be using, as many automated WordPress installs will include a number of plugins in the “wp-content/plugins” directory. While you are at it, you should also delete any themes you are not going to be using as well in “wp-content/themes” they are yet another source of vulnerabilities.

There are some plugins that will help you with securing your WordPress instance, however again don’t rely on them solely and always make sure that any plugin you install that you keep it up to date. One well known plugin is WP Security providing some basic security measures to protect your WordPress instance.

A more advanced tool is Blockscript, which comes as a stand alone service that also has a WordPress plugin, however will require a bit more work to get installed correctly.

BlockScript detects and blocks unwanted traffic including requests from all types of proxy servers and anonymity networks, hosting networks, undesirable robots and spiders, and even entire countries.

BlockScript also allows you to write the blocked traffic to a log file for analysis fun later. Below is data pulled from a website I have running BlockScript and the traffic it blocks based on type.

Blocking anonymous proxies

 Related News:

Previous post

Game of Pwns: Syrian Electronic Army and Information Warfare

Next post

NSA and FBI Access to Verizon Phone Records

Ken Westin

Ken Westin

Your Pundit of Paranoia