
Hardening guide for WordPress 2.9.2

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.

Pre-installation notes

The guide below is based on the previous guides:

Installation and configuration phase

  1. Log in to the server using the root account.
  2. Create a new account for uploading files using SSH:
     groupadd sshaccount
     useradd -g sshaccount -d /home/sshaccount -m sshaccount
  3. Run the command below to switch to the SSH account:
     su sshaccount
  4. Run the command below to generate SSH keys:
     ssh-keygen
     Note: Leave the default values for ssh-keygen.
  5. Copy the SSH public key into the authorized keys file:
     cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
  6. Change permissions for the SSH keys:
     chmod 755 /home/sshaccount/.ssh
     chmod 644 /home/sshaccount/.ssh/*
  7. Exit the SSH account shell and return to the root account:
     exit
  8. Run the command below to log in to MySQL:
     /usr/bin/mysql -uroot -pnew-password
     Note: Replace the string “new-password” with the actual password for the MySQL root account.
  9. Run the following commands from the MySQL prompt:
     CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
     SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
     CREATE DATABASE m6gf42s;
     GRANT ALL PRIVILEGES ON m6gf42s.* TO 'blgusr'@'localhost' IDENTIFIED BY 'password2';
     FLUSH PRIVILEGES;
     quit
     Note 1: Replace “blgusr” with your own MySQL account used to access the database.
     Note 2: Replace “password2” with a complex password (at least 14 characters).
     Note 3: Replace “m6gf42s” with your own WordPress database name.
  10. Download WordPress 2.9.2 from: http://wordpress.org/download
  11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
  12. Move to /www:
      cd /www
  13. Extract the wordpress-2.9.2.tar.gz file:
      tar -zxvf wordpress-2.9.2.tar.gz
  14. Remove the WordPress source archive:
      rm -f /www/wordpress-2.9.2.tar.gz
  15. Create using VI the file /www/config.php with the following content:
      <?php
      define('DB_NAME', 'm6gf42s');
      define('DB_USER', 'blgusr');
      define('DB_PASSWORD', 'password2');
      define('DB_HOST', '127.0.0.1');
      $table_prefix = 'm6gf42s_';
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('FS_METHOD', 'direct');
      define('FS_CHMOD_DIR', 0777);
      define('FS_CHMOD_FILE', 0777);
      define('FTP_BASE', '/www/wordpress/');
      define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
      define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/');
      define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
      define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
      define('FTP_USER', 'sshaccount');
      define('FTP_HOST', '127.0.0.1:22');
      ?>
      Note 1: Make sure there are no spaces, newlines, or other characters before the opening ‘<?php’ tag or after the closing ‘?>’ tag.
      Note 2: Replace “blgusr” with your own MySQL account used to access the database.
      Note 3: Replace “password2” with a complex password (at least 14 characters).
      Note 4: Replace “m6gf42s” with your own WordPress database name.
      Note 5: In order to generate random values for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/
  16. Copy the wp-config.php file:
      cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
  17. Edit using VI the file /www/wordpress/wp-config.php. Add the following line:
      include('/www/config.php');
      Remove the following sections:
      define('DB_NAME', 'putyourdbnamehere');
      define('DB_USER', 'usernamehere');
      define('DB_PASSWORD', 'yourpasswordhere');
      define('DB_HOST', 'localhost');
      $table_prefix = 'wp_';
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
  18. Remove default content:
      rm -f /www/wordpress/license.txt
      rm -f /www/wordpress/readme.html
      rm -f /www/wordpress/wp-config-sample.php
      rm -f /www/wordpress/wp-content/plugins/hello.php
  19. Edit using VI the file /usr/local/apache2/conf/httpd.conf and replace the values of the following strings:
      from: DocumentRoot "/www"
      to:   DocumentRoot "/www/wordpress"
      from: LimitRequestBody 10000
      to:   LimitRequestBody 200000
  20. Restart the Apache service.
  21. Open a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-admin/install.php
  22. Specify the following information:
    • Blog Title
    • E-Mail
  23. Click on “Install WordPress” button, and close the web browser.
  24. Run the command below to log in to MySQL:
      /usr/bin/mysql -uroot -pnew-password
      Note: Replace the string “new-password” with the actual password for the MySQL root account.
  25. Run the following commands from the MySQL prompt:
      use m6gf42s;
      UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
      UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
      FLUSH PRIVILEGES;
      quit
      Note 1: Replace “m6gf42s” with your own WordPress database name.
      Note 2: Replace “johnd” with your own new WordPress admin user name.
      Note 3: Replace “password3” with a complex password (at least 14 characters).
  26. Edit using VI the file /www/wordpress/wp-includes/http.php and replace the following line, from:
      'timeout' => apply_filters( 'http_request_timeout', 5),
      to:
      'timeout' => apply_filters( 'http_request_timeout', 30),
  27. Create using VI the file /www/wordpress/.htaccess with the following content:
      # Block direct web access to the configuration file
      <Files wp-config.php>
      Order deny,allow
      Deny from all
      </Files>
      # Allow the login page only from the internal network
      <Files wp-login.php>
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      Order deny,allow
      Deny from all
      Allow from 1.1.1.0
      </Files>
      # Redirect comment POSTs that carry no referer from this site, or no user agent
      # (typical of comment spam bots), back to the client's own address
      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
      RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
      RewriteCond %{HTTP_USER_AGENT} ^$
      RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
      Note 1: Replace 1.1.1.0 with the internal network IP address (Allow from also accepts a range in CIDR notation, for example 1.1.1.0/24).
      Note 2: Replace Server_FQDN with the server FQDN (DNS name).
  28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      # <Limit> restricts only the listed methods (HEAD is treated as GET)
      <Limit GET POST>
      Order deny,allow
      Deny from all
      Allow from 1.1.1.0
      </Limit>
      <IfModule mod_security.c>
      SecFilterInheritance Off
      </IfModule>
      Note: Replace 1.1.1.0 with the internal network IP address.
  29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      Order deny,allow
      Deny from all
      Allow from 1.1.1.0
      Note: Replace 1.1.1.0 with the internal network IP address.
  30. Create the following folders:
      mkdir -p /www/wordpress/wp-content/cache
      mkdir -p /www/wordpress/wp-content/uploads
      mkdir -p /www/wordpress/wp-content/upgrade
  31. Change the file ownership and permissions:
      chown -R root:root /www/wordpress
      chown daemon:root /www/wordpress/wp-content/plugins
      chmod 644 /www/config.php
      chmod 644 /www/wordpress/wp-config.php
      chmod 644 /www/wordpress/.htaccess
      chmod 644 /www/wordpress/wp-admin/.htaccess
      chmod 644 /www/wordpress/wp-content/plugins/.htaccess
      chmod -R 777 /www/wordpress/wp-content/cache
      chmod -R 777 /www/wordpress/wp-content/uploads
      chmod -R 777 /www/wordpress/wp-content/upgrade
  32. Download “Login Lockdown” plugin from: http://www.bad-neighborhood.com/login-lockdown.html
  33. Download “WP-Secure Remove Wordpress Version” plugin from: http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
  34. Download “WP Security Scan” plugin from: http://wordpress.org/extend/plugins/wp-security-scan/
  35. Download “KB Robots.txt” plugin from: http://wordpress.org/extend/plugins/kb-robotstxt/
  36. Download “WordPress Database Backup” plugin from: http://austinmatzko.com/wordpress-plugins/wp-db-backup/
  37. Download “WordPress Firewall” plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo
  38. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
  39. Create a folder for the “WordPress Database Backup” plugin:
      mkdir -p /www/wordpress/wp-content/backup-ed602
  40. Set permissions for the “WordPress Database Backup” plugin folder:
      chmod 777 /www/wordpress/wp-content/backup-ed602
  41. Open a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-login.php
  42. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
  43. From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify: wp-content/uploads
  44. Click on “Save changes”.
  45. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”. Note: Install and activate all the above downloaded plugins.
  46. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
      Disallow: /wp-*
      Disallow: /wp-admin
      Disallow: /wp-includes
      Disallow: /wp-content/plugins
      Disallow: /wp-content/cache
      Disallow: /wp-content/themes
      Disallow: /wp-login.php
      Disallow: /wp-register.php
  47. Click “Submit”.
  48. From the upper pane, click on “Log Out”.
  49. In case the server was configured with an SSL certificate, add the following line to the /www/config.php file: define('FORCE_SSL_LOGIN', true);
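The file layout that steps 15, 30, 31, 39 and 40 establish under /www tends to drift (a plugin upgrade or a careless chmod -R), so it is worth re-checking. The audit script below is an added example and not part of the original guide; it assumes the /www paths used above and POSIX sh with find, grep and wc, and it checks modes and the secret-key placeholders only, not ownership:

```shell
# Added example (not from the guide): audit the /www layout that steps 15,
# 30-31 and 39-40 leave behind. POSIX sh using only find(1), grep(1), wc(1).
# Ownership (root:root, daemon) is not checked. Returns the finding count.
# Directories the guide intentionally makes world-writable (chmod 777).
WRITABLE_DIRS="wordpress/wp-content/cache
wordpress/wp-content/uploads
wordpress/wp-content/upgrade
wordpress/wp-content/backup-ed602"
# Files the guide sets to mode 644.
MODE_644_FILES="config.php
wordpress/wp-config.php
wordpress/.htaccess
wordpress/wp-admin/.htaccess
wordpress/wp-content/plugins/.htaccess"

audit_wp_perms() {
    root=$1
    findings=0
    # 1. Every protected file must exist with exactly mode 644.
    for f in $MODE_644_FILES; do
        p="$root/$f"
        if [ ! -f "$p" ]; then
            echo "MISSING        $p"; findings=$((findings + 1))
        elif [ -z "$(find "$p" -perm 644 -print)" ]; then
            echo "BAD-MODE       $p (expected 644)"; findings=$((findings + 1))
        fi
    done
    # 2. Outside the four intentional 777 directories nothing may be
    #    world-writable (-perm -002, i.e. o+w): a stray writable plugin
    #    file lets any local process replace PHP that Apache executes.
    set --
    for d in $WRITABLE_DIRS; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    stray=$(find "$root" "$@" -perm -002 -print)
    if [ -n "$stray" ]; then
        printf 'WORLD-WRITABLE %s\n' $stray
        findings=$((findings + $(printf '%s\n' "$stray" | wc -l)))
    fi
    # 3. The secret keys in config.php must not still be the step 15
    #    sample placeholders; grep -c prints 0 (and exits 1) when none.
    n=$(grep -c 'put your unique phrase here' "$root/config.php" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "PLACEHOLDER    $root/config.php ($n default key phrases)"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it as `audit_wp_perms /www` from a root shell after step 49; a non-zero exit status equals the number of deviations printed.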