How To: Stop The Hacker By Hardening WordPress

Every day we service 100’s of clients and the question is always asked:

How do you stop these hackers!!!”

Unfortunately, it’s perhaps the hardest to explain and understand for most. That being said, this post will be one of a series that talks to what end-users can do to help reduce their threat landscape. A great place to start, however, is to take some time to understand the symptoms of malware. As well, always remember that if you can’t figure it out, we can help with any CMS platform, whether it’s WordPress, Joomla, Drupal, or you made it yourself, we can help.

This post will augment our previous post, Ask Sucuri: “How to Stop The Hacker and ensure Your Site Is Locked!!”, but hopefully provide you more tangible take-away’s. It will also leverage guidance recently shared at a conference for WordPress enthusiats – WordCamp Orange County 2012.

The Presentation


Here is the presentation in its entirety. Very appropriately, it’s titled WordPress Security – Knowledge is Power, mainly because of the emphasis we put around empowering the end-user with as many tools as possible to make them more effective at protecting themselves.

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him a lifetime. – Chinese proverb

In Summary


If you don’t have the time to go through the 60+ slides its ok, just check out the highlights below. Before we begin though, let’s touch on a few much needed qualifiers:

The Qualifiers

Silver Bullet There is no such thing in the InfoSec domain. If there were then there would not be a need for the latest resurgence of companies offering their patent-pending artificial intelligence.

Web based malware has only become prevalent in the last 5 years making it a very young industry, its truly amazing the number of experts coming online with their decades of experience.

Cross-Site Contamination This is by far one of the leading problems right now contributing to most of the reinfections we see. It’s the concept of Soup Kitchen servers.

It’s like taking your road cruiser off road, you’re bound to hit a rock that is going to send you flying, bending your fork and possibly putting your cruiser out of commission.

Re-infections No one can guarantee you beyond a shadow of a doubt that you will not be reinfected, to do so would mean there is a crystal ball into what is coming and that I can assure you does not exist.

It’s like saying you will never be in a car accident. Really?

Make .HTACCESS Your Friend

This is perhaps the most underused file in the website configurations we see on a daily basis. It is also what most vendors will modify when they say they are hardening your environment. The good news here is that although this post will talk to WordPress specifically the directives are platform agnostic and can be leveraged in other CMS’s (i.e., Joomla, Drupal, etc..) that leverage a Apache HTTP Server.

If you’re wondering what it is, its a configuration file specific for web servers running Apache. Here is the good news, most of you running WordPress are running your site on a LAMP stack that means its using the Apache HTTP Server with PHP and MySQL. There are distributions for Windows Servers and these recommendations are not exactly something that can be applied in those environments.

Still wondering why its so important? No problem, let’s take a peek at some of the features it offers us:

  • Error Documents
  • Redirects
  • Password Protection
  • Deny Visitors by IP
  • Hot Link Prevention
  • Access Prevention
  • More…

It is important to note however that this file is extremely powerful and can easily blow up your site. So, be sure to use it carefully..:)

Recommendation If you’re not too sure what the various directives do you can always leverage their Directive Quick Reference.

5 Hardening Tips

As you might imagine there are many different hardening tips out there and many simply regurgitate what the last post said. Here I want to keep it focused on 5 key tips that we think can really make a difference to a majority of users.

1. Communicate Securely

As simple as a concept as this is it’s still something end-users struggle with. What is FTP? What is SSH?

Take a minute to familiarize yourself with the different communication mechanisms available to you:

  • File Transfer Protocol (FTP) – Transmits in the clear
  • File Transfer Protocol Secure (FTPs) – Supports Transport Layer Security / Secure Socket Layer cryptographic protocols – in short encrypts your communication
  • Secure FTP (SFTP) – Allows you to tunnel to the server via a SSH connection
  • Secure Shell (SSH) – Established a secure connection with the server allowing you to communicate securely
  • If in doubt, contact your host directly.

    Recommendation: For most users reading this you will have the option to enable FTP or SFTP. When presented with the option, enable SFTP. The ideal connection is a combination of SFTP and SSH. SFTP will allow you to transfer your files securely and SSH will allow you to work on the server securely. There is a fundamental difference there.

    2. Protect HTACCESS

    As mentioned before, this is a very critical file. Its the one most often modified when dealing with redirects and is often used to change file types to make them executable. On the flip side, its also the one you will be using to harden your environment.

    To protect it you apply a few simple rules:

    1. Set Low Permissions
    2. Deny Access

    Apply Low Permissions

    The basic guidance for permissions is simple, the lower the number the harder access becomes. Good rule of thumb is keep the number as low as possible where the performance or functionality is not impacted. For most users, setting it to 640 will do the trick.

    Add .HTACCESS Directives

    What’s important to note here is that this only works if the attack is external. This won’t protect you from internal attacks, by internal I mean the attack occurring from compromised server credentials or something similar.

    This is the .htaccess directive you can use:

    #PROTECT HTACCESS
    <Files HTACCESS>
    Order Deny,Allow
    Deny from All
    </Files>

    Note: This only protects the file from external access.

    3. Disable Plugin / Theme Editor

    When you look at the top reasons why a website gets compromised one of them, second only to out-of-date software, is compromised credentials. We often beat this horse to death and yes, its covered in the presentation. But this isn’t about the actual credential compromise, no, its about what happens when compromised.

    The idea now becomes, what can you do to help mitigate the impact if say someone figured out your password was P@ssw0rd. The focus has to be, how do you minimize the impact of the compromise.

    There are two specific constants that help you reduce the impact:

    define(‘DISALLOW_FILE_EDIT’,true);

    – or –

    define(‘DISALLOW_FILE_MODS’,true);

    Recommendation: If you use one, you don’t need the other, they are both almost one for one with exception to the “MODS” version which disables the users ability to update their themes or plugins. For obvious reasons we wouldn’t want you disabling the most user friendly update process, what kind of security professionals would be. I mean, let’s be serious, half the folks don’t update using the provided method, what’s to make us think that making it harder would make it more fruitful.

    Note: These constants get added to your wp-config.php file and more information can be found here: http://codex.wordpress.org/Editing_wp-config.php

    4. Lock Down Important Files via IP or Subdomain

    You often hear people talk about the importance of blocking access to specific files or directories by IP and often its followed up with the, “well if you have a dynamic IP you can’t really apply this.” We’re here to say that’s not entirely true; its why we put out the How To: Lock Down WordPress Admin Panel with a Dynamic IP post.

    There is a lot of value in locking down access and its highly recommended.

    Note that there does appear to be a few issues with using subdomains in the place of IP’s with a few hosts, still dissecting the problem.

    The two directives you will most likely use as you get started will be:

    <Files [File Name]>
    Order Deny,Allow
    Deny from All
    Allow from [IP] or [Domain]
    </Files>

    Note: Find more on the Files Directive here: http://httpd.apache.org/docs/2.0/mod/core.html#files

    – or –

    <FilesMatch [File Type]>
    Order Deny,Allow
    Deny from All
    Allow from [IP] or [Domain]
    </FilesMatch>

    Note: Find more on the FilesMatch Directive here: http://httpd.apache.org/docs/2.0/mod/core.html#filesmatch

    5. Harden WP-CONTENT

    This is one that isn’t always discussed and should. More often than not your Uploads directory is your weakest link, acting as the point of entry. It makes sense as its often the one directory that needs to be writable. So what can you do?

    Well, the best approach is to disable remote execution of any PHP files. Naturally we turn to .HTACCESS to help us. Using the following you are able to easily block the execution of any PHP files that reside within the WP-CONTENT directories.

    Please use at your own risk, depending on how your theme or plugins were developed it could break your site.

    <FilesMatch .php>
    Order Deny,Allow
    Deny from All
    </Files>

    Recommendation: If you happen to break something, don’t fret, simply disable the file and move it into your Uploads directory.


    We hope this was helpful. If you have any questions or concerns regarding any of the tips in this post please don’t hesitate to contact us at
    info@sucuri.net
    .

Scan your website for free:
About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response as well as offensive counter measures. Catch my personal rants on tonyonsecurity.com and follow on twitter at perezbox.