

Smarter Security Designed For You

10 STEPS TO HARDENING WORDPRESS

By: Phil Grimes, Security Analyst

2330 Briggs Road, Columbus, Ohio 43223   telephone: 614.351.1237   fax: 614.351.9015   www.microsolved.com

WordPress and Security


Since its launch in January of 2006, WordPress has logged more than 18 million users of the popular blogging software. Gaining roughly 2.5 million of these in its first 26 months, WordPress saw a spike in interest at the beginning of the second quarter of 2008. As with any other popular software, framework, or technology, this fame makes WordPress a prime target for hackers in the wild.

This paper is the result of hours of research installing, configuring, and hardening the WordPress application with security at the forefront. My hope is to help those who have deployed a default WordPress configuration to harden their environment and prevent a breach or any disruption to their blog. Granted, most blogs won't give an attacker access to any truly sensitive data; but in our continued efforts to fight the good fight, the MSI Team feels any breach prevented is a battle won in an endless war. Why risk having your blog disturbed by malice if it can be prevented?

So you've installed Apache and WordPress on your computer and started running your own blog. But is it secure? The following are suggested changes to make in order to enable secure operation of the software in a hostile internet environment.

1. Install all updates for your operating system.

2. Ensure you're using the most up-to-date versions of Apache and WordPress.

3. Install Apache's mod_security and the packages necessary to run it.

4. Ensure Apache is running as its own user:

       ps auwwfx | grep apache

   This should output something like this:

       www-data 2880 0.0 0.4 45168 5028 ? 15:18 0:00 \_ /usr/sbin/apache2 -k start

5. Configure mod_security (/etc/apache2/conf.d/security):

       <Directory />
           Order Deny,Allow
           Deny from all
           Options None
           AllowOverride None
       </Directory>
       <Directory /web>
           Order Allow,Deny
           Allow from all
       </Directory>
       ServerSignature Off
       ServerTokens Prod
       TraceEnable Off

6. Disable PHP globally (to be enabled on a per-site basis). Edit /etc/apache2/mods-enabled/php5.conf:

       <IfModule mod_php5.c>
           #AddType application/x-httpd-php .php .phtml .php3
           #AddType application/x-httpd-php-source .phps
       </IfModule>

7. Enable PHP for WordPress. Edit /etc/apache2/sites-enabled/000-default, comment out the cgi and doc lines, and add the following:

       <IfModule mod_php5.c>
           AddType application/x-httpd-php .php .phtml .php3
           AddType application/x-httpd-php-source .phps
       </IfModule>

8. Change your login name. In your WordPress dashboard, go to Users and set up a new user account. Give this new user the administrator role. Log out and log in again with the new user account. Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select "Attribute all posts and links to:" and select your new username from the drop-down bar. This will transfer all the posts to your new user account. Press Confirm Deletion.

9. Protect your wp-admin directory. Your wp-admin folder contains all the important information and it is the last place that you want to give others access to. Use AskApache Password Protect to password-protect the directory and grant access only to authorized personnel.

10. Encrypt your login. Whenever you try to log in to your website, your password is sent unencrypted. If you are on a public network, a hacker can easily sniff out your login credentials using a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
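The following audit script is an added example, not part of the MicroSolved paper: it checks the host against steps 4, 5 and 6 above (Apache children not running as root, the three server-disclosure directives present, no live PHP AddType left in a global module file). The ps lines and config file it runs against are constructed sample input, and the function names are this example's own.

```shell
#!/bin/sh
# Added audit helper for steps 4-6; not from the MicroSolved paper.

# (a) Step 4: read "ps auwwfx"-style lines on stdin, print the users that own
# apache child processes (lines marked "\_"), and fail if any of them is root.
# The parent listener legitimately runs as root; only children are checked.
apache_children_nonroot() {
  awk '/apache2|httpd/ && /\\_/ { users[$1] = 1 }
       END { bad = 0
             for (u in users) { print u; if (u == "root") bad = 1 }
             exit bad }'
}

# (b) Step 5: print each hardening directive missing from the config file $1
# (commented-out lines do not count); exit status 1 if anything is missing.
missing_hardening_directives() {
  rc=0
  for want in "ServerSignature Off" "ServerTokens Prod" "TraceEnable Off"; do
    if ! grep -Eiq "^[[:space:]]*${want}[[:space:]]*$" "$1"; then
      echo "$want"; rc=1
    fi
  done
  return $rc
}

# (c) Step 6: succeed only if $1 has no uncommented AddType for PHP.
php_globally_disabled() {
  ! grep -Eq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php' "$1"
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='root     2879  0.0  0.4 45168 5028 ?  Ss  15:18 0:00 /usr/sbin/apache2 -k start
www-data 2880  0.0  0.4 45168 5028 ?  S   15:18 0:00  \_ /usr/sbin/apache2 -k start'
demo_conf=$(mktemp)
printf 'ServerSignature On\nServerTokens Full\n# TraceEnable Off\n' > "$demo_conf"

if printf '%s\n' "$SAMPLE_PS" | apache_children_nonroot >/dev/null; then
  echo "OK: apache child processes run unprivileged"
fi
if ! missing_hardening_directives "$demo_conf"; then
  echo "FIX: add the directives listed above to the Apache config"
fi
rm -f "$demo_conf"
```

Run it as root on the web host after replacing the constructed SAMPLE_PS with real `ps auwwfx` output and pointing the checks at the files named in steps 5 and 6.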

Protecting our digital assets is an endless job. While this is by no means a complete solution to make your site hackproof, it's a good foundation for layered security. The MSI Team always looks for innovative approaches to practical issues such as this one. In addition to this research, we are always prepared to help secure your environment by conducting assessments of critical internet applications, vulnerability and risk assessments to help identify and measure your risk tolerance, and penetration testing to evaluate your network against the threat of a real malicious attack. We are also proud to offer a plethora of consulting services which can be custom tailored to fit the needs of any organization. Working your business is your business. Securing your data is ours. Give us a call today at 614-351-1237 ext. 206 and talk with our account representative, Constance Matthews, to learn more.

Copyright 2010, MicroSolved, Inc., Columbus, OH, all rights reserved

