By: Sebastián Vargas
August 18, 2018

Hardening WordPress Like a Boss

There is a need to start protecting WordPress platforms better. Given the huge number of indicators of compromise (IOCs) involving attacked WordPress platforms, which I have seen up close, I created this guide for free use. If you want to collaborate with me on any endeavor, you can contact me at sebastian.vargas@protonmail.com.

If you do not believe me about the number of vulnerable websites, you can research it for educational purposes with the following Google dork:

Rule #1: Do not buy websites from anyone. If you have a low budget, use WordPress.com and cut the risks.

Hardening WordPress Method

The proposed structure consists of the following main points, which should be emphasized in their correct deployment to guarantee lower exposure to technological risks.
  • Access Control: risk of data loss through access to accounts with weak configuration.
  • Directories: risk of cybercrime through the insertion of webshells and command-and-control centers for malware distribution, with banking phishing as a consequence.
  • Components: risk to service availability through DDoS attacks or exploit use.
  • Searches: reputational risk through bad configuration, with data leakage and exposure of private folders and administration routes as consequences.
  • Backup: risk of data loss.
  • Absence of Security: the sum of all the risks mentioned.

Main Safety Recommendations:
  • Keep the WordPress version updated, always on the latest stable release.
  • Keep the plugins updated.
  • Do not use the default account named admin.
  • Have only one user with administrator privileges.
  • Do not use weak passwords.
  • Give users the minimum privileges they need.
  • Do not use pirated templates.
  • Do not use unnecessary plugins.
Change Database Prefix
Do not use wp_. Replace it with something random, for example vs31uaq3_.

Recommended Permissions
  • wp-config.php: desirable 400
  • uploads folder: desirable 755
  • .htaccess files: desirable 400

Recommended Security Plugins

Cache Plugins
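Returning to the recommended permissions: as an added example (not code from the original post), the following POSIX shell script audits an installation against those three modes and additionally reports two findings tied to the Directories risk above, world-writable files and PHP files inside the uploads folder. It assumes GNU coreutils `stat` and the standard WordPress layout; the install path in the usage line is an assumption.

```shell
#!/bin/sh
# Audit a WordPress install against the permissions recommended above.
# Added example, not code from the original post. Assumes GNU coreutils `stat`
# and the standard WordPress directory layout.

# mode_of PATH -> prints the octal mode, e.g. 400 or 755
mode_of() {
    stat -c '%a' "$1"
}

# check_mode PATH WANTED -> prints OK/FIX/MISSING; returns 0 only when the mode matches
check_mode() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 2
    fi
    have=$(mode_of "$path")
    if [ "$have" = "$want" ]; then
        printf 'OK      %s (%s)\n' "$path" "$have"
        return 0
    fi
    printf 'FIX     %s is %s, want %s\n' "$path" "$have" "$want"
    return 1
}

# audit_modes ROOT -> one report line for wp-config.php, uploads/ and every .htaccess
audit_modes() {
    root=$1
    check_mode "$root/wp-config.php" 400 || true
    check_mode "$root/wp-content/uploads" 755 || true
    while IFS= read -r f; do
        [ -n "$f" ] && { check_mode "$f" 400 || true; }
    done <<EOF
$(find "$root" -name .htaccess -type f)
EOF
}

# mode_problems ROOT -> number of checked paths whose mode is not the recommended one
mode_problems() {
    audit_modes "$1" | grep -v '^OK' | wc -l | tr -d ' '
}

# world_writable ROOT -> files or directories anyone can write to; a web root should have none
world_writable() {
    find "$1" -perm -0002 ! -type l
}

# php_in_uploads ROOT -> PHP files inside uploads/, where only media belongs. This is the
# classic webshell location; the post's .php deny rule stops them executing, but they
# should not exist at all and each one deserves an incident investigation.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# Usage: sh wp_audit.sh /var/www/html   (the path is an assumption; adjust to your install)
if [ $# -gt 0 ]; then
    audit_modes "$1"
    echo "world-writable:"; world_writable "$1"
    echo "php in uploads:"; php_in_uploads "$1"
    exit "$(mode_problems "$1")"
fi
```

The exit status equals the number of permission mismatches, so the script can run from cron or a deployment pipeline and fail the job when a mode drifts.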
 
Disable Page Code Editing
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);

Protect Against Browsing of Open Directories
Add to .htaccess:
Options -Indexes

Protect Against Direct Calls to .php Files
Place this in the .htaccess of the uploads folder (not the site root, where it would block PHP for the whole site):
<Files *.php>
deny from all
</Files>

Protect File Uploads
Also in the uploads folder's .htaccess, a stricter variant that serves only image files:
Order Allow,Deny
Deny from all
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>

Remove the WordPress Version From the Header
Add to the theme's functions.php:
remove_action('wp_head', 'wp_generator');

Robots.txt rules
Robots.txt only asks well-behaved crawlers to stay away; it does not restrict access, so the .htaccess rules further down are what actually enforce the restriction.
User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /search/*/feed
Disallow: /search/*/*
Disallow: /readme.html
Disallow: /license.txt
Disallow: /*?*
Disallow: /*?
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.wmv$
Disallow: /*.cgi$
Disallow: /*.xhtml$
Allow: /wp-content/uploads/
Allow: /*?page=*

User-agent: Mediapartners-Google
Allow: /

User-agent: Adsbot-Google
Allow: /

User-agent: Googlebot-Image
Allow: /

User-agent: Googlebot-Mobile
Allow: /

User-agent: ia_archiver*
Disallow: /

User-agent: duggmirror
Disallow: /

Sitemap: http://domain.com/sitemap.xml
BadBot Protection
RewriteEngine On
# Return 403 to the listed crawlers via mod_rewrite
RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]
RewriteRule .* - [F,L]
# Same idea with SetEnvIf: each match sets the bad_bot variable that the Deny line checks
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "^Yandex" bad_bot
SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Bad Request Protection
# Return 403 for any HTTP method other than the ones a WordPress site needs
RewriteCond %{REQUEST_METHOD} !^(HEAD|GET|POST|OPTIONS)$ [NC]
RewriteRule ^(.*)$ - [F,L]
# Return 403 for known scanners and generic HTTP libraries, and for user agents
# carrying injection characters. This also blocks legitimate curl/wget/python
# clients, so allow your own monitoring tools before enabling it.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|whatweb|acunetix|uniscan|scan|java|winhttp|clshttp|netsparker|wappalyzer|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
RewriteRule ^(.*)$ - [F,L]
Block TimThumb (WordPress)
# Return 403 for requests to the TimThumb image-resizing scripts, a frequent
# remote-file-inclusion target in old themes
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [F,L]
Block readme.html
<files readme.html>
order allow,deny
deny from all
</files>
Block xml-rpc
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Audit WordPress Security
  1. https://securityheaders.com/
  2. https://www.wpdoctor.es
  3. https://wpscans.com/
Add a CDN
https://www.cloudflare.com

Get an A+ on securityheaders.io
Send these headers from PHP before any output (for example from a function hooked to WordPress's send_headers action):
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
// FF 23+ Chrome 25+ Safari 7+ Opera 19+ (the standard, non-prefixed header is Content-Security-Policy)
header("X-Content-Security-Policy: default-src 'self'; script-src https://apis.google.com https://platform.twitter.com; child-src https://plusone.google.com https://facebook.com https://platform.twitter.com");
header('Referrer-Policy: no-referrer-when-downgrade');
header("Feature-Policy: vibrate 'self'");
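To verify the result without relying on a third-party scanner, here is an added example (not from the original post) that checks a captured response against the header list above, using the standard Content-Security-Policy name rather than the X- prefixed one, and also flags headers that disclose the server stack. Feed it the output of `curl -sI` against your own site (the hostname in the comment is a placeholder); the response embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Check captured HTTP response headers against the hardening list above.
# Added example, not code from the original post. Input is a raw header block,
# e.g. saved with `curl -sI https://example.com > headers.txt` (hostname is a placeholder).

# Constructed sample: HSTS and Referrer-Policy present, the rest missing,
# plus two headers that disclose the server stack.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.29
X-Powered-By: PHP/7.2.8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
Content-Type: text/html; charset=UTF-8'

# Headers a hardened site should send. Content-Security-Policy is the standard
# name; modern browsers ignore the old X-Content-Security-Policy.
WANTED='Strict-Transport-Security
X-Frame-Options
X-Content-Type-Options
Content-Security-Policy
Referrer-Policy'

# Headers that reveal software versions to anyone who asks and should be removed.
UNWANTED='Server
X-Powered-By'

# has_header HEADERS NAME -> exit 0 when NAME is present (case-insensitive)
has_header() {
    printf '%s\n' "$1" | grep -qi "^$2:"
}

# missing_headers HEADERS -> one line per wanted header that is absent
missing_headers() {
    printf '%s\n' "$WANTED" | while IFS= read -r name; do
        has_header "$1" "$name" || printf '%s\n' "$name"
    done
}

# leaky_headers HEADERS -> the disclosure headers actually present, with their values
leaky_headers() {
    printf '%s\n' "$UNWANTED" | while IFS= read -r name; do
        printf '%s\n' "$1" | grep -i "^$name:" || true
    done
}

# header_score HEADERS -> "present/total" for the wanted list
header_score() {
    total=$(printf '%s\n' "$WANTED" | wc -l | tr -d ' ')
    missing=$(missing_headers "$1" | wc -l | tr -d ' ')
    echo "$((total - missing))/$total"
}

# Usage: sh check_headers.sh headers.txt   (no argument runs the constructed sample)
if [ $# -gt 0 ]; then
    HEADERS=$(cat "$1")
else
    HEADERS=$SAMPLE_HEADERS
fi
echo "score: $(header_score "$HEADERS")"
echo "missing:"; missing_headers "$HEADERS"
echo "disclosing:"; leaky_headers "$HEADERS"
```

The check only confirms presence, not policy quality: a `Content-Security-Policy` of `default-src *` would pass, so read the values too once the headers are in place.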
 
Making WordPress safe is not so complex; do it today and avoid becoming a malware control center.
