
WordPress Security

Tim Elliott Hardening_WordPress

WordPress Vulnerabilities

• It’s Open Source
• Link Injection
• TimThumb
• Social Engineering

The Easy Stuff
• Stay updated!
• Don’t use the ‘admin’ user
• Don’t display usernames in post meta
• Change the database table prefix from ‘wp_’
• Use strong passwords

The Easy Stuff
• Verify file permissions (files=644 / dir.=755)
• Use secret keys in wp-config.php
• Remove the WordPress version number from the theme header
• Run backups often (like every day)
• Secure wp-includes & wp-config.php

# Protect wp-config.php
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

# Protect .htaccess
<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>


# BEGIN WordPress
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /directory_goes_here/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /directory_goes_here/index.php [L]
</IfModule>
# END WordPress

# Block the include-only files
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Disable directory browsing
Options All -Indexes

Helpful Plugins
• WP Security Scan
• BulletProof Security
• TimThumb Vulnerability Scanner
• WordPress File Monitor
• Login Lock
• ManageWP Worker

The Harder Stuff
• Lock down wp-admin to specific IPs
  Add to the .htaccess in the wp-admin root:

# Lockdown wp-admin
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order Deny,Allow
Deny from all
Allow from YOUR_IP_HERE

• Force SSL on login (requires certificate)

Add to wp-config.php: define('FORCE_SSL_ADMIN', true);
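As an added example (not from these slides), a small Python audit that checks a wp-config.php and a site tree against several of the items above: the default ‘wp_’ table prefix, placeholder secret keys, FORCE_SSL_ADMIN, and the 644/755 permission rule. The wp-config.php content and the directory tree it builds are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Constructed sample wp-config.php: default prefix, placeholder keys,
# and no FORCE_SSL_ADMIN, so every check below should fire.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

def audit_wp_config(text):
    """Return a list of findings for the wp-config.php checks on the slides."""
    findings = []
    if re.search(r"\$table_prefix\s*=\s*['\"]wp_['\"]", text):
        findings.append("table prefix is the default 'wp_'")
    if "put your unique phrase here" in text:
        findings.append("secret keys still contain the placeholder phrase")
    if not re.search(r"define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*true\s*\)", text):
        findings.append("FORCE_SSL_ADMIN is not enabled")
    return findings

def audit_permissions(root, file_mode=0o644, dir_mode=0o755):
    """Return (path, mode) for files not 644 and directories not 755 under root."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode != dir_mode:
                bad.append((path, mode))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode != file_mode:
                bad.append((path, mode))
    return bad

def build_sample_site():
    """Create a throwaway tree with one deliberately world-writable file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    os.chmod(cfg, 0o666)  # too permissive; the audit should flag it
    return root
```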

• Move wp-content directory

@timelliott 612.804.0090