June 3, 2021

Hardening WordPress

Hardening Recommendations

Caution: The following recommendations are for server administrators with knowledge of how these files work. If you do not feel comfortable with these suggestions, we recommend using a website firewall that includes virtual hardening instead.

4.1 - Basic .htaccess Configurations

The .htaccess file is what most vendors will modify when they say they are hardening your environment.

This critical configuration file is specific for web servers running on Apache. If you’re running your WordPress instance on a LAMP stack using Apache, then we recommend hardening your site by updating your .htaccess file with the following rules.

Note

Some of the rules below depend on the version of Apache you are running. In those cases, we have included instructions for both versions 2.2 and 2.4 of Apache HTTP Server.

Rules for /.htaccess, each followed by its explanation

    # BEGIN WordPress
    # Rewrite rule
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

Rewrite Rule:

WordPress generates this rule itself when it has write access to the file, most notably to fix issues with pretty permalinks.

If it isn’t already at the top of your .htaccess file, place it there. Any other rules should go outside the # BEGIN WordPress and # END WordPress markers, after the block, because WordPress rewrites everything between them.

    # Block IPs for login (Apache 2.2)
    # Replace MYIP / MYIP2 with your addresses or CIDR ranges.
    # Order keywords must not be separated by whitespace.
    <Files wp-login.php>
    Order deny,allow
    Allow from MYIP
    Allow from MYIP2
    Deny from all
    </Files>

    # Block IPs for login (Apache 2.4)
    # Several Require lines are OR'ed: listed addresses get in,
    # everyone else receives 403.
    <Files "wp-login.php">
    Require ip MYIP
    Require ip MYIP2
    </Files>

Restrict Logins to IP Range

This rule restricts access to wp-login.php to the listed IP addresses, protecting you from unauthorized login attempts from other locations. Even if you do not have a static IP, you can still restrict logins to the address range your ISP commonly assigns you.

Use this same entry on other authenticated URLs that you’d like to restrict, including /wp-admin. If you are using a dynamic IP, you can refer to our instructions: How to lock down WordPress Admin Panel with a dynamic IP
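To see exactly which clients the two versions of this rule let through (and why the Order keyword matters), here is a small model of Apache's access logic. It is an added example, not code from the original page; the addresses are constructed RFC 5737 documentation addresses standing in for MYIP and an ISP range.

```python
import ipaddress

# Constructed sample allowlist: one fixed address plus an ISP range
# (RFC 5737 documentation addresses, not real hosts).
ALLOW_LIST = ["203.0.113.10", "198.51.100.0/24"]


def _matches(rules, ip):
    # "all" matches everyone; anything else is a single IP or a CIDR range.
    return any(r == "all" or ip in ipaddress.ip_network(r, strict=False)
               for r in rules)


def apache22_access(order, allow, deny, client_ip):
    """Model Apache 2.2 Order / Allow from / Deny from for one client.
    Returns True when the client is granted access."""
    ip = ipaddress.ip_address(client_ip)
    allowed, denied = _matches(allow, ip), _matches(deny, ip)
    if order == "deny,allow":
        # Deny lines are checked first, then Allow; the default is allow.
        # A matching Allow overrides a matching Deny.
        return allowed or not denied
    if order == "allow,deny":
        # Allow lines are checked first, then Deny; the default is deny.
        # A matching Deny overrides a matching Allow, so "Deny from all"
        # here locks everyone out, including the allowlisted addresses.
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def apache24_require_ip(ranges, client_ip):
    """Model Apache 2.4 'Require ip ...' lines inside a <Files> block:
    the lines are OR'ed, so any match grants access and everyone else
    is refused."""
    return _matches(ranges, ipaddress.ip_address(client_ip))


def login_allowed(client_ip):
    """The Apache 2.2 rule from the page (Order deny,allow, Allow from
    each address, Deny from all) applied to the sample allowlist."""
    return apache22_access("deny,allow", ALLOW_LIST, ["all"], client_ip)
```

Swapping the order to allow,deny while keeping "Deny from all" is the classic mistake: it returns False for every client, including your own address.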

    # Protect wp-config (Apache 2.2)
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

    # Protect wp-config (Apache 2.4)
    # Do not add a "Require ip" line here: it would be OR'ed with the
    # deny and open the file to that address.
    <Files "wp-config.php">
    Require all denied
    </Files>

Protect wp-config.php

This rule restricts visitors from accessing your wp-config.php file, which contains sensitive information about the database, including name, host, username and password. This file is also used to define advanced settings, security keys and developer options.

    # Prevent directory browsing
    # Use only the "-" form: mixing "All" with +/- options is rejected
    # by Apache 2.4 and would produce a 500 error for the whole site.
    Options -Indexes

Prevent Directory Browsing

This rule prevents attackers from viewing the folder contents of your website, restricting the information they have to exploit your website.

    # Prevent image hotlinking
    # An empty referer (direct visits, privacy settings) is still allowed.
    # The "?" after (www\.) accepts both example.com and www.example.com,
    # and https?: covers both schemes. Change example.com to your site.
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(gif|jpg|jpeg|bmp|png)$ - [NC,F,L]

Prevent Image Hotlinking

This rule prevents other websites from embedding images hosted on your website. While hotlinking won’t get your site hacked, it lets other sites consume your bandwidth and server resources. Change example.com to your own domain.

    # Protect htaccess (Apache 2.2)
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    Order allow,deny
    Deny from all
    Satisfy all
    </Files>

    # Protect htaccess (Apache 2.4)
    <FilesMatch "^.*\.([Hh][Tt][Aa])">
    Require all denied
    </FilesMatch>

Protect .htaccess

This rule blocks web access to any file whose extension begins with “hta” (for example .htaccess and .htpasswd), which ensures that the .htaccess files in every directory of your site are protected.

    # Block Includes
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

Block Includes

This rule blocks direct web requests to the four primary include folders, so a malicious file that an attacker manages to drop there cannot be reached through the browser:

  • /wp-admin/includes/
  • /wp-includes/ (PHP files directly in this folder)
  • /wp-includes/js/tinymce/langs/
  • /wp-includes/theme-compat/
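The [S=3] flag makes this block easy to misread: it skips the three wp-includes rules whenever the request is outside wp-includes/. The following walk-through of the rule set is an added example (not code from the original page) that reproduces mod_rewrite's ordering for a site-root .htaccess so you can check which paths end up forbidden.

```python
import re

# The RewriteRule lines of the "Block Includes" block, in order, as
# (pattern, negated, action). action is "F" (403 Forbidden) or "S=3"
# (skip the next three rules when this rule matches).
BLOCK_INCLUDES_RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, "S=3"),  # written as !^wp-includes/ in .htaccess
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]


def block_includes(request_path):
    """Return "forbidden" or "allowed" for a request path, walking the
    rules the way mod_rewrite does for a per-directory .htaccess at the
    site root (the leading "/" is stripped before patterns are tested)."""
    uri = request_path.lstrip("/")
    i = 0
    while i < len(BLOCK_INCLUDES_RULES):
        pattern, negated, action = BLOCK_INCLUDES_RULES[i]
        matched = bool(re.search(pattern, uri)) != negated
        if matched:
            if action == "F":
                return "forbidden"
            if action.startswith("S="):
                # Request is outside wp-includes/: jump over the three
                # wp-includes rules instead of testing them.
                i += int(action[2:])
        i += 1
    return "allowed"
```

Note that PHP files in other wp-includes subdirectories (for example /wp-includes/SimplePie/) are not matched by these patterns, which is why the separate /wp-includes/.htaccess below is still needed.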

Rules for /wp-includes/.htaccess and /wp-content/uploads/.htaccess, each followeded by its explanation
    # Backdoor Protection (Apache 2.2)
    <Files *.php>
    Deny from all
    </Files>

    # Backdoor Protection (Apache 2.4)
    <FilesMatch ".+\.php$">
    Require all denied
    </FilesMatch>

Prevent PHP Backdoors

This rule prevents hackers from executing PHP backdoors placed in the /wp-includes/ and /wp-content/uploads/ folders, two popular locations for malicious file uploads.

4.2 - Application Configurations

WP-Config

The wp-config.php file is a very important configuration file containing sensitive information about your WordPress site, including the database connection details.

If wp-config.php does not exist in the web root, WordPress automatically looks for it one directory above the web root. Moving the file there keeps wp-config.php from being served over the Internet at all.

Salts & Keys

The wp-config file includes a section dedicated to authentication salts and keys. These salts and keys improve the security of cookies and passwords that are in transit between your browser and the web server.

You can set up your keys by including or editing these lines after the other define statements in your wp-config.php file:

define('AUTH_KEY',         'include salt here');
define('SECURE_AUTH_KEY',  'include salt here');
define('LOGGED_IN_KEY',    'include salt here');
define('NONCE_KEY',        'include salt here');
define('AUTH_SALT',        'include salt here');
define('SECURE_AUTH_SALT', 'include salt here');
define('LOGGED_IN_SALT',   'include salt here');
define('NONCE_SALT',       'include salt here');

You can easily generate your salts by navigating to the wordpress.org salt generator or using the reset salts + keys option in our WordPress Plugin.

Important

  • If you suspect that the secret keys have been compromised, regenerate them as soon as possible. All users will need to re-authenticate.
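A quick way to audit an existing wp-config.php for the mistakes this section warns about (placeholder text left in place, short or reused values, missing constants) and to produce fresh values offline. This is an added example, not the page's or WordPress's own code; the wp-config.php fragment is constructed, and the character set mirrors the one the wordpress.org generator uses.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDERS = ("include salt here", "put your unique phrase here")
# No quote or backslash, so a value can sit inside PHP single quotes as-is.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# Constructed wp-config.php fragment showing typical mistakes.
SAMPLE_WP_CONFIG = """
define('DB_NAME', 'wordpress');
define('AUTH_KEY', 'include salt here');
define('SECURE_AUTH_KEY', 'include salt here');
define('LOGGED_IN_KEY', 'abc');
define('NONCE_KEY', '0123456789012345678901234567890123456789');
define('AUTH_SALT', '0123456789012345678901234567890123456789');
"""


def generate_key(length=64):
    """One cryptographically random key of the given length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_keys(wp_config_text):
    """Map each of the eight constants that should be regenerated to the
    reason: missing, placeholder, short (under 32 chars) or duplicate.
    An empty dict means the file passes."""
    found = {m.group(1): m.group(2) for m in re.finditer(
        r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)", wp_config_text)}
    values = [found.get(n) for n in KEY_NAMES]
    problems = {}
    for name in KEY_NAMES:
        v = found.get(name)
        if v is None:
            problems[name] = "missing"
        elif v.strip().lower() in PLACEHOLDERS:
            problems[name] = "placeholder"
        elif len(v) < 32:
            problems[name] = "short"
        elif values.count(v) > 1:
            problems[name] = "duplicate"
    return problems


def render_defines():
    """Fresh define() lines for all eight constants, ready to paste."""
    return "\n".join(f"define('{n}', '{generate_key()}');" for n in KEY_NAMES)
```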

Disable File Editing

By default, file changes can be made through Appearance > Editor from the WordPress dashboard.

You can increase your WordPress security by disabling file editing from the dashboard. This prevents an attacker from changing your files through the backend or wp-admin. You will still be able to make changes via SFTP/SSH.

To disable file editing from the dashboard, include the following two lines of code at the end of your wp-config.php file:

    ## Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);


http://httpd.apache.org/docs/2.2/howto/htaccess.html
