Blog

Friday, July 11, 2014

WordPress Hardening Guide

WordPress is a great blog platform, but like anything popular it is often targeted by hackers, so hardening your WordPress deployment is mandatory. Getting your WordPress site hacked can be very stressful and a potentially expensive problem. It’s akin to getting your *insert something important here* stolen. This is especially true if your WordPress site is critical to your online presence, as downtime can destroy the traffic you’ve garnered, not to mention hurt your website’s reputation.

NOTE: This WordPress hardening Guide is an intermediate to expert task.

This guide assumes you or your web host have already secured the server itself. If this has not yet been done, or you aren’t sure, then do it first or ask your web host to do it for you, as your WordPress site can still be hacked if the server is insecure. Search Google for guides like “hardening linux” and “securing /tmp”. Also check out SELinux, CSF and LFD. wordpress.org also publishes an extensive WordPress hardening guide.

Step 1: Changing the WordPress Database Table Names

This one can be difficult to do, but it is the most critical step. By default, WordPress prefixes all its database tables with “wp_”. Changing the table prefix to a random string makes it difficult, if not impossible, for a hacker to execute remote SQL injection attacks.

Go to random.org to generate a random database table prefix. If you haven’t installed WordPress yet, you can enter the random string you generated as the table prefix during installation. Make sure you add an underscore ( _ ) after the string so your tables are easier to read.

If you have already installed WordPress, edit wp-config.php and enter the new database prefix. Then export the entire database and, using a text editor, replace the prefix of every table with the random string you generated above. Again, make sure you add an underscore ( _ ) after the string so your tables are easier to read.

Table names appear in the CREATE TABLE `NAMEHERE` or CREATE TABLE IF NOT EXISTS `NAMEHERE` lines. After editing the exported database, drop the WordPress database on your web host and import your edited database.
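The edit to the exported dump can be scripted instead of done by hand in a text editor. The script below is an added example, not part of the original guide: it renames every backtick-quoted identifier that starts with the old prefix, which covers both CREATE TABLE forms above as well as the INSERT INTO lines, and it goes one step further than the guide by also renaming the three option/usermeta key values (user_roles, capabilities, user_level) that WordPress stores with the prefix baked in, since leaving those untouched locks every user out after the import. The sample dump is constructed for the demonstration and the new prefix k7x2q_ is just a placeholder; it assumes a POSIX shell with sed -E.

```shell
#!/bin/sh
# Rename the WordPress table prefix inside a mysqldump export.
# Added example; assumes POSIX sh with sed -E (GNU or BSD).

# rename_wp_prefix OLD NEW   (reads the dump on stdin, writes the edited dump on stdout)
rename_wp_prefix() {
    old="$1"; new="$2"
    # 1) backtick-quoted identifiers: `wp_posts` -> `k7x2q_posts` (CREATE TABLE, INSERT INTO, KEY ...)
    # 2) option_name / meta_key values that WordPress derives from the prefix at runtime
    sed -E \
        -e "s/\`${old}([A-Za-z0-9_]+)\`/\`${new}\1\`/g" \
        -e "s/'${old}(user_roles|capabilities|user_level)'/'${new}\1'/g"
}

# list_wp_tables: print the table name of every CREATE TABLE [IF NOT EXISTS] statement on stdin,
# handy for a before/after comparison of the dump
list_wp_tables() {
    sed -nE 's/^CREATE TABLE (IF NOT EXISTS )?`([^`]+)`.*/\2/p'
}

# Constructed sample of what an export looks like; not a real site's data.
sample_dump() {
    cat <<'EOF'
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL, `option_name` varchar(191));
INSERT INTO `wp_options` VALUES (2,'wp_user_roles','a:5:{...}');
CREATE TABLE IF NOT EXISTS `wp_usermeta` (`umeta_id` bigint(20) NOT NULL, `meta_key` varchar(255));
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{...}'),(2,1,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (1,'a post that mentions wp_ in its text is left alone');
EOF
}

# Usage against a real export:  rename_wp_prefix wp_ k7x2q_ < site.sql > site-renamed.sql
# Demo on the constructed sample:
sample_dump | rename_wp_prefix wp_ k7x2q_
```

Only identifiers and the three known key strings are touched, so post content that happens to contain "wp_" survives unchanged; a blanket search-and-replace of "wp_" in an editor would not give that guarantee.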

Step 2: Update Your WordPress, Plugins and Themes

Keeping WordPress, your plugins and your themes up to date is the single most critical thing you can do. Exploits are discovered daily, and if you leave WordPress running an older version you risk getting hacked. To update WordPress, log in to the Dashboard and look for "Updates" on the right-hand side.

Step 3: Secure Your Plugins

Since plugins add new functionality, they can also add functionality you don’t want such as backdoors.  Before installing ANY plugin, do the following:

  1. Search exploit databases such as Secunia and Exploit-DB to see if there are any security advisories for the plugin. If there are, make sure they aren't for the current version.
  2. Check if the plugin is compatible with the current version of WordPress.
  3. Check how many support requests have been solved in the past few months. If it’s a low number (less than 50%), then look in the support forum to see what questions people were asking.  Plugins with poor or no support tend to not get updated often so avoid them if you can.
  4. Only if 1, 2 and 3 are OK can the plugin be installed.

Here are a few plugins that should be avoided, as they increase the attack surface of WordPress or are just generally malicious:

Additionally, if you have any plugins that are disabled and you don't intend to use them then delete them.

Step 4: Choosing a complex password

It is critical that you choose a complex, hard-to-guess password. Choosing an easy-to-guess password makes as much sense as leaving your front door unlocked in a neighbourhood with a lot of crime. If you insist on using an easy-to-remember password, then add a few symbols to it. For example, replace the letter S with a dollar ($) symbol, the letter O with a zero (0) and the letter I with an exclamation point (!). You should have at least 2 symbols and 1 number in your password, and it should be at least 12 characters long (to increase entropy and make it even harder to guess or brute-force). If you still aren’t able to remember your password, get a password manager application like KeePass or Any Password. Try to avoid browser-based or browser-integrated password managers, as browser hijacking is common. When using a password manager, use the random password feature with symbols. The password will be impossible for you to remember, but it will also be very difficult for hackers to guess.

Step 5: Folder and File Permissions

Using your FTP program or the command line (if you have access to it), chmod all folders and files. This is critical for security, and while it is a long and boring process, you need to do it.

All directories should be 750 or, if they require write access, 755. All files should be 644. Exception: wp-config.php should be 600 to prevent other users on the server from reading it. File and group ownership (UID and GID) should ideally be set to what the web server itself requires (e.g. apache.apache).

Most FTP applications allow you to change the permissions of a folder or file simply by right-clicking the object and selecting CHMOD, Attributes, Permissions or something similar. Read the help file that came with your FTP application for more information. If you’re using the command line, use the following command: chmod ### <folder or file name>

So, for example, if you were chmod’ing the wp-admin directory located in /home/yoursite/wordpress/public_html, the commands would look like:

cd /home/yoursite/wordpress/public_html
chmod 750 wp-admin

Every time you install a new plugin or theme, you will need to set the folder and file permissions for those new folders and files accordingly.
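Doing this one directory at a time is exactly the "long and boring process" the step describes, and it has to be repeated after every plugin or theme install. The script below is an added example (not from the original guide) that applies the scheme from this step to a whole tree in one go and then audits it, so the re-check after an install is a single command. It sets every directory to 750; directories that genuinely need 755 per the note above must be adjusted afterwards. It assumes a Unix host with POSIX find and chmod and that you run it as the owner of the files.

```shell
#!/bin/sh
# Apply the Step 5 permission scheme to a WordPress tree and audit the result.
# Added example; assumes POSIX find/chmod and that you own the files.

# harden_wp_perms ROOT: directories 750, files 644, wp-config.php 600
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 750 {} +        # rwxr-x---
    find "$root" -type f -exec chmod 644 {} +        # rw-r--r--
    # wp-config.php carries the DB password and the auth keys: owner only
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# audit_wp_perms ROOT: print every path that deviates from the scheme (prints nothing when clean).
# Re-run this after installing a plugin or theme: new files arrive with the FTP/umask defaults.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 750
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 600
}

# count_wp_perm_violations ROOT: number of offending paths, 0 when the tree is clean
count_wp_perm_violations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Usage:
#   harden_wp_perms /home/yoursite/wordpress/public_html
#   audit_wp_perms  /home/yoursite/wordpress/public_html    # should print nothing
```

The audit is the part worth keeping around: a cron job that runs audit_wp_perms and mails any output catches the permissions drift that a freshly uploaded plugin introduces.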

Step 6: Securing wp-config.php

Move wp-config.php outside of the web directory (e.g. one directory up). WordPress knows to look for the file one directory up if it can't find it in the web directory.

For extra security, add the following to wp-config.php:

define('DISALLOW_FILE_EDIT',true);

Choose new authentication keys and salts and replace the old ones in wp-config.php with the new values you generated.
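The following is an added example, not part of the original guide, showing how to generate the new keys locally and how to spot a wp-config.php that is still carrying the install-time placeholders. The eight constant names (AUTH_KEY through NONCE_SALT) and the "put your unique phrase here" placeholder are WordPress's own; the generator draws from /dev/urandom instead of the wordpress.org secret-key service, and the character set deliberately excludes the single quote and backslash so each value sits safely inside a PHP single-quoted string.

```shell
#!/bin/sh
# Generate fresh authentication keys/salts for wp-config.php and detect stale ones.
# Added example; assumes /dev/urandom, POSIX sh, grep -E and head -c.

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# random_phrase: 64 printable characters; no ' or \ so the value is safe in a PHP single-quoted string
random_phrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=.,;:<>?~-' </dev/urandom | head -c 64
}

# gen_wp_keys: print the eight define() lines, ready to paste over the old block in wp-config.php
gen_wp_keys() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_phrase)"
    done
}

# wp_config_key_problems FILE: print how many of the eight keys are missing or still the
# "put your unique phrase here" placeholder (0 means every key is defined and customised)
wp_config_key_problems() {
    file="$1"; bad=0
    for name in $WP_KEY_NAMES; do
        line="$(grep -E "define\([[:space:]]*'$name'" "$file" || true)"
        if [ -z "$line" ]; then
            bad=$((bad + 1))
        elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Usage:
#   gen_wp_keys                                   # paste the output into wp-config.php
#   wp_config_key_problems /path/to/wp-config.php # 0 when all eight keys are set
```

Rotating the keys invalidates every existing login cookie, which is also why regenerating them is the right move after any suspected compromise: sessions established with the old keys stop working immediately.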

Step 7: Securing Themes

Put the following in your theme’s functions.php file:

// Hide the reason a login failed, which otherwise reveals whether the username exists
add_filter('login_errors', function ($error) { return null; });
// Stop WordPress advertising its version in the <head> generator tag
remove_action('wp_head', 'wp_generator');

Search your theme's header file for the following and delete it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

If you have any themes that are not being used or are disabled, then delete them.

Step 8: Recommended Security Enhancing Plugins

The following plugins will enhance security and should be installed and configured:

For more information on securing and hardening WordPress please consult the extensive and comprehensive WordPress hardening guide over at wordpress.org.


Monday, September 30, 2013

Installing Perl and the VMXNET3 driver retrospectively on a minimalist vSphere CentOS 6 virtual machine

When installing a minimal CentOS 6.4 VM on vSphere 5.1 or later, Perl is not automatically installed. This means you can't install VMware Tools and thus the VMXNET3 driver to enable networking. You could change the initial setup of your VM (e.g. add the Perl packages during the install of CentOS, or install an E1000 adapter in addition to the VMXNET3 adapter), but you might be in a situation that requires a nice clean install. The steps below allow you to retrospectively install Perl and VMware Tools.

Assumptions

  1. The VM was created with a single VMXNET3 adapter
  2. An x64 instance of CentOS 6.4 was installed using the "Minimal" default installation of CentOS
  3. The CentOS 6.4 ISO is still connected to the VM
  4. You can login as root via the Virtual Machine Console in the vSphere Client
  5. You have a DHCP server on your network

Step 1: Mount the CentOS 6.4 ISO

Ensure the ISO is connected to the VM. Then at the root prompt type:

mount /dev/cdrom /mnt
cd /mnt/Packages

Step 2: Install the necessary Perl packages

Now type the following, using tab completion for the file names (the command is split across lines with backslashes for readability):

yum --disablerepo='*' localinstall \
    perl-5.10.1-129.el6.x86_64.rpm \
    perl-libs-5.10.1-129.el6.x86_64.rpm \
    perl-version-0.77-129.el6.x86_64.rpm \
    perl-Module-Pluggable-3.90-129.el6.x86_64.rpm \
    perl-Pod-Simple-3.13-129.el6.x86_64.rpm \
    perl-Pod-Escapes-1.04-129.el6.x86_64.rpm

6 packages should be installed.

Step 3: Unmount the ISO

Now type at the command prompt:

cd
umount /mnt

Step 4: Install VMware Tools

In the Virtual Machine Console go to the VM menu and choose Guest -> Install/Upgrade VMware Tools. Then at the command prompt:

mount /dev/cdrom /mnt
cd /tmp
tar xvzf /mnt/VMwareTools-9.0.5-1137270.tar.gz
cd vmware-tools-distrib
./vmware-install.pl
cd
umount /mnt

Follow the prompts to install VMware Tools. The defaults usually suffice. Remember this only installs VMware Tools for the currently running kernel; if you do a yum update you will need to reinstall VMware Tools. Additionally, note that the exact VMwareTools tgz depends on the version of the ESXi hypervisor you are running, so you might have to adjust the file name to suit.

Step 5: Check the VMXNET3 driver is loaded

At the command prompt:

lsmod | grep vmxnet

You should see output similar to the following; this means the driver is loaded and currently unused.

vmxnet3        42862   0

Step 6: Edit the network settings

Now edit the network settings:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Change your network settings as you see fit but minimally change the following line in ifcfg-eth0 in order to get a DHCP lease:

ONBOOT=yes

Step 7: Restart the network and get a lease

At the command prompt type:

service network restart

The network will restart and you should have an IP address assigned via DHCP. Type:

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:87:51:A9
          inet addr:10.0.0.163  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe87:51a9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:338 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40438 (39.4 KiB)  TX bytes:7155 (6.9 KiB)

That's it! All done.
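Steps 5 to 7 are the checks you repeat after every kernel update (when VMware Tools has to be reinstalled), so they are worth wrapping in a script. The one below is an added example, not part of the original post: its parsers read the lsmod and ifconfig output on stdin, in the CentOS 6 formats shown above, so they can be tested against captured text, and check_vmxnet3_network runs them live and tells you which of the three outcomes you are in (driver missing, driver loaded but no lease, all good). The interface name defaults to eth0 as in the post.

```shell
#!/bin/sh
# Post-install checks for Steps 5-7: is vmxnet3 loaded, and did eth0 get a DHCP lease?
# Added example; the parsers take command output on stdin so they work on captured text.

# vmxnet3_refcount: from `lsmod` output, print the "Used by" count of the vmxnet3 module;
# print nothing if the module is not loaded at all
vmxnet3_refcount() {
    awk '$1 == "vmxnet3" { print $3 }'
}

# iface_ipv4 IFACE: from CentOS 6 `ifconfig` output, print the IPv4 address of IFACE
# (interface header lines start in column 1, their detail lines are indented)
iface_ipv4() {
    awk -v want="$1" '
        /^[^ ]/ { inblock = ($1 == want); next }
        inblock && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }
    '
}

# check_vmxnet3_network [IFACE]: run the live checks on this host; exit status tells which step to revisit
check_vmxnet3_network() {
    iface="${1:-eth0}"
    used="$(lsmod | vmxnet3_refcount)"
    if [ -z "$used" ]; then
        echo "vmxnet3 is NOT loaded: re-run the VMware Tools installer for this kernel" >&2
        return 1
    fi
    ip="$(ifconfig | iface_ipv4 "$iface")"
    if [ -z "$ip" ]; then
        echo "vmxnet3 loaded (used by $used) but $iface has no IPv4 address: check ONBOOT=yes and the DHCP server" >&2
        return 2
    fi
    echo "vmxnet3 loaded (used by $used); $iface has $ip"
}

# Run the live check only when asked, so sourcing this file for its functions has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_vmxnet3_network "${2:-eth0}"
fi
```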

Addendum from Tristan at Aptira:

A simpler way, as the VMXNET3 driver is included with CentOS minimal for all 6.x versions:

  1. Install OS
  2. vi ifcfg-eth0 and set ONBOOT=yes
  3. Reboot and the network should come up.
  4. yum -y install wget
  5. Grab the latest VMware repo from here http://packages.vmware.com/tools/esx/latest/repos/index.html. For example wget http://packages.vmware.com/tools/esx/latest/repos/vmware-tools-repo-RHEL6-9.10.1-1.el6.x86_64.rpm
  6. rpm -ivh vmware-tools-repo-RHEL6-9.4.5-1.el6.x86_64.rpm
  7. yum install -y vmware-tools-esx-nox
  8. Profit!


Saturday, June 01, 2013

Setting up DHCP on an Enslaved VLAN Bridge on CentOS Linux

I had to set up a single interface on a server with dual DHCP IP addresses, obtained on the native untagged interface and on a tagged interface enslaved to a VLAN bridge, in order to roll out Enomaly SpotCloud. Thus the primary interface obtains its IP address via DHCP, along with the bridged interface on a VLAN. To set this up:

1. cd /etc/sysconfig/network-scripts

2. vi ifcfg-eth0 so it looks like (change your MAC address accordingly):

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
HWADDR=f4:ce:46:82:55:f4 

3. Then create your VLAN interface configuration. So vi ifcfg-eth0.1051:

DEVICE=eth0.1051
BOOTPROTO=dhcp
VLAN=yes
BRIDGE=virbr0
ONBOOT=yes

4. Then create your bridge interface configuration: So vi ifcfg-virbr0:

DEVICE=virbr0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=dhcp

Note that TYPE must be Bridge with a capital B, otherwise it won't work. And there you have it: when the box boots it gets a DHCP lease on eth0 and on virbr0, which is on VLAN 1051.
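Because the capital-B trap above fails silently at boot, it helps to generate the three files from one set of parameters and to check them before restarting the network. The script below is an added example, not from the original post: write_vlan_bridge_config writes the same three ifcfg files as steps 2 to 4 into a directory you choose (a scratch directory to preview, /etc/sysconfig/network-scripts for real), and check_vlan_bridge_config flags the mistakes that would stop the bridge coming up, including TYPE=bridge in lowercase. Interface name, VLAN id, bridge name and MAC address are parameters; the values in the usage line are the ones from the post.

```shell
#!/bin/sh
# Generate and sanity-check the ifcfg files for a DHCP bridge on a tagged VLAN.
# Added example; writes into the directory given as the first argument.

# write_vlan_bridge_config DIR IFACE VLANID BRIDGE MAC
write_vlan_bridge_config() {
    dir="$1"; iface="$2"; vlan="$3"; bridge="$4"; mac="$5"
    # untagged parent interface, DHCP on the native VLAN (step 2)
    cat >"$dir/ifcfg-$iface" <<EOF
DEVICE=$iface
BOOTPROTO=dhcp
ONBOOT=yes
HWADDR=$mac
EOF
    # tagged sub-interface, enslaved to the bridge (step 3)
    cat >"$dir/ifcfg-$iface.$vlan" <<EOF
DEVICE=$iface.$vlan
BOOTPROTO=dhcp
VLAN=yes
BRIDGE=$bridge
ONBOOT=yes
EOF
    # the bridge itself, which asks for the second DHCP lease (step 4)
    cat >"$dir/ifcfg-$bridge" <<EOF
DEVICE=$bridge
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=dhcp
EOF
}

# check_vlan_bridge_config DIR IFACE VLANID BRIDGE: print one line per problem, nothing when clean
check_vlan_bridge_config() {
    dir="$1"; iface="$2"; vlan="$3"; bridge="$4"
    sub="$dir/ifcfg-$iface.$vlan"; br="$dir/ifcfg-$bridge"
    for f in "$dir/ifcfg-$iface" "$sub" "$br"; do
        [ -f "$f" ] || echo "missing: $f"
    done
    [ -f "$sub" ] && [ -f "$br" ] || return 0
    # the trap from the note above: the value must be exactly "Bridge"
    grep -qxF 'TYPE=Bridge' "$br"           || echo "$br: TYPE must be Bridge (capital B)"
    grep -qxF 'VLAN=yes' "$sub"             || echo "$sub: missing VLAN=yes"
    grep -qxF "BRIDGE=$bridge" "$sub"       || echo "$sub: BRIDGE= does not name $bridge"
    grep -qxF "DEVICE=$iface.$vlan" "$sub"  || echo "$sub: DEVICE= does not match the file name"
    return 0
}

# Usage (values from the post; preview into a scratch directory first):
#   write_vlan_bridge_config /tmp/preview eth0 1051 virbr0 f4:ce:46:82:55:f4
#   check_vlan_bridge_config /tmp/preview eth0 1051 virbr0   # prints nothing when the files are consistent
```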

