
Wordpress Security

Just some things about security. Not comprehensive…

See also http://codex.wordpress.org/Hardening_WordPress

Password Hashes

WordPress only hashes its passwords as salted MD5 hashes. These are weak.

There are plugins like WpCrypt that can change this, but the issue is that they do not add a salt, and without a salt it is just not good enough.

This was a piece of code I found, but you need to add a salt function:

// do NOT use. Just for info: no salt, a single fast sha256 round,
// and a loose == comparison (hash_equals() is the right tool for hashes)
if(!function_exists('wp_hash_password')):
    function wp_hash_password($password){
        return hash('sha256', $password);
    }
endif;

if(!function_exists('wp_check_password')):
    function wp_check_password($password, $hash, $user_id = '') {
        // You might want to apply the check_password filter here
        return wp_hash_password($password) == $hash;
    }
endif;

http://stackoverflow.com/questions/23949502/wordpress-sha-256-login
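What the missing "salt function" has to provide, as an added Python example (not code from this page, from WpCrypt or from WordPress core; the work factor and the stored-string format are assumptions): a fresh random salt per user, a slow iterated hash instead of one sha256 round, and a constant-time comparison in place of `==`. In WordPress the same logic would be wired into the pluggable wp_hash_password() and wp_check_password() functions shown above, in PHP.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the page's or WordPress's own code.
ITERATIONS = 100_000   # assumed work factor; tune for your hardware
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A random salt per user means two users with the same password
    get different stored hashes, so one precomputed table cannot
    crack both at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])

def check_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored alongside the hash."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest: no early-exit timing leak, no PHP-style loose comparison
    return hmac.compare_digest(candidate.hex(), digest_hex)

def unsalted_sha256(password: str) -> str:
    """The scheme from the snippet above, kept only for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def same_password_same_hash(password: str, salted: bool) -> bool:
    """True when two accounts sharing a password end up with identical stored hashes."""
    if salted:
        return hash_password(password) == hash_password(password)
    return unsalted_sha256(password) == unsalted_sha256(password)

if __name__ == "__main__":
    stored = hash_password("correct horse")      # constructed sample password
    print(stored)
    print("verify ok:", check_password("correct horse", stored))
    print("verify wrong:", check_password("wrong", stored))
    print("unsalted collides:", same_password_same_hash("hunter2", salted=False))
    print("salted collides:", same_password_same_hash("hunter2", salted=True))
```

The stored string carries its own salt and iteration count, so the work factor can be raised later without invalidating existing hashes; a verifier simply reads the parameters back out of the record.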

Login Limit

Use a login limiter to cap the number of login attempts.

Review Plugins

Review your plugins installed. If you don't need it, get rid of it.

Block Direct Access to Plugin Files

Most plugins allow their files to be requested directly, even when there is no need for it, and worse, even when they were not built for it. Use this in your .htaccess to block direct access to everything under wp-content except the files you allow. Anything that is not a static asset such as js, jpeg or css will be refused, whether it is requested with GET or, even better, with POST.

# block access to plugins and theme files

# Little complex, but selects themes, plugins, and anything ending in .php for blocking
RewriteCond %{REQUEST_URI}  ^(/?|/+)wp-content/+(plugins|themes)/+.*  [NC,OR]
RewriteCond %{REQUEST_URI}  ^(/?|/+)wp-content/+.*\.php$  [NC]

# The same as above, just simpler, but could be circumvented
#RewriteCond %{REQUEST_URI}  ^/?wp-content/(plugins|themes)/.*  [NC,OR]
#RewriteCond %{REQUEST_URI}  ^/?wp-content/.*\.php$  [NC]

# Allow these file types
RewriteCond %{REQUEST_URI}  !.*\.(js|css|woff|jpe?g|gif|png|bmp|svg|swf|ttf|eot|otf)$ [NC]

# Allow these files to be directly accessed. Even if they are php or whatever.
#RewriteCond %{REQUEST_URI}  !^.*/wp-content/plugins/needs-direct-access/needs-direct-access\.php$  [NC]

# Allow access to db-error.php. if you are using it
#RewriteCond %{REQUEST_URI}  !^.*/wp-content/db-error\.php$  [NC]

# Decide how you will block it. Note how we block regardless
# of whether the file actually exists or not
RewriteRule ^(.*)$ - [F]
#RewriteRule ^(.*)$ - [R=404,L]
#RewriteRule ^(.*)$ - [R=410,L]
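To see which request paths the two RewriteCond variants above actually refuse, here is an added Python simulator (not part of the page; Apache is not involved, the regexes are copied from the .htaccess and evaluated with Python's re module, with [NC] mapped to re.IGNORECASE). The sample paths are constructed. It also shows why the page calls the shorter variant circumventable: the longer one tolerates extra slashes in the path, the shorter one does not.

```python
import re

# Added example: offline evaluation of the RewriteCond chain from the
# .htaccess above. Rule text copied verbatim; nothing here is Apache code.
STRICT_RULES = [
    r"^(/?|/+)wp-content/+(plugins|themes)/+.*",   # plugin and theme files
    r"^(/?|/+)wp-content/+.*\.php$",               # any .php under wp-content
]
SIMPLE_RULES = [
    r"^/?wp-content/(plugins|themes)/.*",
    r"^/?wp-content/.*\.php$",
]
# The negated RewriteCond: static asset types that stay reachable
ALLOWED_ASSETS = r".*\.(js|css|woff|jpe?g|gif|png|bmp|svg|swf|ttf|eot|otf)$"

def is_blocked(request_uri: str, strict: bool = True) -> bool:
    """Return True when the final RewriteRule would answer 403 for request_uri.

    Consecutive RewriteConds are ANDed, [OR] joins the two path conditions:
        (path_cond_1 OR path_cond_2) AND NOT allowed_asset
    """
    rules = STRICT_RULES if strict else SIMPLE_RULES
    hits_path = any(re.search(r, request_uri, re.IGNORECASE) for r in rules)
    is_asset = re.search(ALLOWED_ASSETS, request_uri, re.IGNORECASE) is not None
    return hits_path and not is_asset

def compare(uris):
    """Map each URI to (blocked by strict rules, blocked by simple rules)."""
    return {u: (is_blocked(u, strict=True), is_blocked(u, strict=False)) for u in uris}

if __name__ == "__main__":
    # Constructed sample paths; none refers to a real site.
    samples = [
        "/wp-content/plugins/akismet/akismet.php",
        "/wp-content/plugins/akismet/style.css",
        "/wp-content/themes/twentyfifteen/screenshot.png",
        "/wp-content/uploads/upload.php",
        "/wp-content/uploads/photo.jpg",
        "//wp-content/plugins/akismet/akismet.php",
    ]
    for uri, (strict, simple) in compare(samples).items():
        print(f"{uri:48} strict={'403' if strict else 'pass':4} simple={'403' if simple else 'pass'}")
```

Run it and the last sample is the interesting one: the strict rules still refuse it, the simple rules let it through, which is the difference the comment in the .htaccess is pointing at. Paths are matched against REQUEST_URI as sent, so the check does not depend on the file existing.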

Password Protect wp-admin

This may break things. It can cause random password prompts for users, even when they are not accessing the login or wp-admin pages.

First make your htpasswd file and, if you can, put it outside the website directory, just to be safe.

Make a .htaccess file in your wp-admin folder:

# If you don't like these or have others, comment them out
# (or if you have problems)
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
# without this, random users will get login prompts while reading the home page
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

# put htpasswd outside of website dir if possible
AuthUserFile /path/to/htpasswd
AuthGroupFile /dev/null
AuthName "Go away stupid bots"
AuthType Basic
require valid-user
# these two are optional
# may be needed in some cases
#allow from 127.0.0.1
#allow from <server ip>
Satisfy Any

You can also put this in your root .htaccess to block wp-login.php.

# If you don't like these or have others, comment them out
# (or if you have problems)
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/path/to/htpasswd"
order deny,allow
deny from all
require valid-user
Satisfy Any
</FilesMatch>

For more info see here

Spam Ham

This can help relieve comment and login spam, but can break things…

<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests are considered...
RewriteCond %{REQUEST_METHOD} POST
# ...to these WordPress entry points ([OR] joins the four lines)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-content/(.*)$
# ...that either do not come from this site (adjust the scheme if you serve https)
# or carry an empty user agent
RewriteCond %{HTTP_REFERER} !^http://www.YourSiteName.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
# The "-" substitution (leave the URL alone) is mandatory; without it the
# flags are read as the substitution and nothing is blocked
RewriteRule .* - [F,L]
</IfModule>

You can then test it out by using the SimulateUserAgent tool here and:

  • Entering the site
    • http://www.Your Website Name.com/wp-login.php
    • http://www.Your Website Name.com/Blog-Post-URL/wp-comments-post.php
  • Selecting POST
  • Hitting “Send Request”
  • Filling out the CAPTCHA.

Or you could always just telnet…

Either way you should get a 403 error. If you get a 200, it is not working.
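The same pass/fail expectation, checked offline: an added Python example (not from the page or the referenced article) that evaluates the POST rules above against constructed requests, so you know which combinations of method, path, Referer and User-Agent should come back 403 before you point a real client at the site. The site name is the page's placeholder; the fourth path pattern is taken as the wp-content/ directory.

```python
import re

# Added example: offline evaluation of the anti-spam RewriteCond chain.
SITE = "http://www.YourSiteName.com"   # placeholder, as in the .htaccess above

TARGET_PATHS = [
    r"^(.*)?wp-login\.php(.*)$",
    r"^(.*)?wp-admin(.*)$",
    r"^(.*)?wp-comments-post\.php(.*)$",
    r"^(.*)?wp-content/(.*)$",     # the page's rule reads wp-contents/; wp-content/ is the directory
]

def status_for(method: str, uri: str, referer: str = "", user_agent: str = "") -> int:
    """Return 403 if the rules would reject the request, else 200.

    Rule logic (implicit AND between lines, [OR] where flagged):
        POST AND (login OR admin OR comments OR content)
             AND (referer not from SITE OR user-agent empty / '-')
    """
    if method.upper() != "POST":
        return 200
    if not any(re.search(p, uri) for p in TARGET_PATHS):
        return 200
    # [NC] on the referer line -> case-insensitive prefix match
    bad_referer = re.match(re.escape(SITE), referer, re.IGNORECASE) is None
    empty_agent = re.fullmatch(r"-?", user_agent) is not None
    return 403 if (bad_referer or empty_agent) else 200

def run_samples():
    """Constructed requests mirroring the manual test described above."""
    samples = [
        ("GET",  "/wp-login.php", "", ""),                                   # first page load
        ("POST", "/wp-login.php", "", "curl/7.0"),                           # no Referer at all
        ("POST", "/wp-comments-post.php", SITE + "/2015/post/", "Mozilla/5.0"),  # a real comment
        ("POST", "/wp-comments-post.php", SITE + "/2015/post/", ""),         # blank User-Agent
        ("POST", "/wp-admin/admin-ajax.php", "https://www.YourSiteName.com/", "Mozilla/5.0"),  # https Referer
        ("POST", "/contact-form", "", ""),                                   # not a protected path
    ]
    return [(m, u, status_for(m, u, r, a)) for m, u, r, a in samples]

if __name__ == "__main__":
    for method, uri, code in run_samples():
        print(f"{method:4} {uri:28} -> {code}")
```

Two things the samples make visible: the Referer line only accepts plain http, so a site served over https blocks its own admin-ajax and comment POSTs until the scheme in the pattern is updated; and the whole check rests on headers the client chooses to send, which is why the page files it under spam relief rather than access control.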

Why WordPress Authentication Unique Keys and Salts Are Important …or how to forge authentication cookies in WordPress: http://codeseekah.com/2012/04/09/why-wordpress-authentication-unique-keys-and-salts-are-important/

References:

http://www.gauraw.com/secure-your-wordpress-website-block-spammers/

computers/websites/wordpress/security.txt · Last modified: Apr 5, 2015 (3 years ago) by Matt Bagley