
Hardening guide for WordPress 3.0 for hosted web sites

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.

Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

  1. Request SSH access from your hosting provider.

  2. Log in to the hosted server using SSH.

  3. Open the file ~/html/wp-config.php in vi and note the current values of the following settings:

    • DB_NAME
    • DB_USER
    • DB_PASSWORD
  4. Create using vi the file ~/config.php with the following content:

        <?php
        define('DB_NAME', 'm6gf42s');
        define('DB_USER', 'blgusr');
        define('DB_PASSWORD', 'password2');
        define('AUTH_KEY', 'put your unique phrase here');
        define('SECURE_AUTH_KEY', 'put your unique phrase here');
        define('LOGGED_IN_KEY', 'put your unique phrase here');
        define('NONCE_KEY', 'put your unique phrase here');
        define('AUTH_SALT', 'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT', 'put your unique phrase here');
        define('NONCE_SALT', 'put your unique phrase here');
        ?>

     Note 1: Make sure there are no spaces, newlines, or other characters before the opening ‘<?php’ tag or after the closing ‘?>’ tag.
     Note 2: Replace “blgusr” with the MySQL account used to access the database.
     Note 3: Replace “password2” with that MySQL account's password.
     Note 4: Replace “m6gf42s” with the WordPress database name.
     Note 5: To generate random values for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/

  5. Edit the file ~/html/wp-config.php in vi and add the following line:

        include('/path/config.php');

     Note: Replace /path/ with the full path to the config.php file.

     Remove the following sections:

        define('DB_NAME', 'putyourdbnamehere');
        define('DB_USER', 'usernamehere');
        define('DB_PASSWORD', 'yourpasswordhere');
        define('AUTH_KEY', 'put your unique phrase here');
        define('SECURE_AUTH_KEY', 'put your unique phrase here');
        define('LOGGED_IN_KEY', 'put your unique phrase here');
        define('NONCE_KEY', 'put your unique phrase here');
        define('AUTH_SALT', 'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT', 'put your unique phrase here');
        define('NONCE_SALT', 'put your unique phrase here');

  6. Remove default content:

        rm -f ~/html/license.txt
        rm -f ~/html/readme.html
        rm -f ~/html/wp-config-sample.php
        rm -f ~/html/wp-content/plugins/hello.php

  7. Create using vi the file ~/html/.htaccess with the following content:

        <files wp-config.php>
        Order deny,allow
        deny from all
        </files>

        <Files wp-login.php>
        AuthUserFile /dev/null
        AuthGroupFile /dev/null
        AuthName "Access Control"
        AuthType Basic
        </Files>

  8. Create using vi the file ~/html/wp-content/plugins/.htaccess with the following content:

        AuthUserFile /dev/null
        AuthGroupFile /dev/null
        AuthName "Access Control"
        AuthType Basic

  9. Create the following folders:

        mkdir -p ~/html/wp-content/cache
        mkdir -p ~/html/wp-content/uploads
        mkdir -p ~/html/wp-content/upgrade

  10. Change the file permissions:

        chmod -R 777 ~/html/wp-content/cache
        chmod -R 777 ~/html/wp-content/uploads
        chmod -R 777 ~/html/wp-content/upgrade

  11. Download “Login Lockdown” plugin from: http://www.bad-neighborhood.com/login-lockdown.html

  12. Download “Limit Login” plugin from: http://wordpress.org/extend/plugins/limit-login-attempts/

  13. Download “WP-Secure Remove Wordpress Version” plugin from: http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/

  14. Download “WP Security Scan” plugin from: http://wordpress.org/extend/plugins/wp-security-scan/

  15. Download “KB Robots.txt” plugin from: http://wordpress.org/extend/plugins/kb-robotstxt/

  16. Download “WordPress Firewall” plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo

  17. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins.

  18. Open a web browser on a client machine and enter the URL below: http://Server_FQDN/wp-login.php

  19. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.

  20. Click on “Save changes”.

  21. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”. Note: Install and activate all the above downloaded plugins.

  22. From the WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:

        Disallow: /wp-*
        Disallow: /wp-admin
        Disallow: /wp-includes
        Disallow: /wp-content/plugins
        Disallow: /wp-content/cache
        Disallow: /wp-content/themes
        Disallow: /wp-login.php
        Disallow: /wp-register.php

  23. Click “Submit”.

  24. From the upper pane, click on “Log Out”.

  25. Delete the file /wp-admin/install.php

  26. If the server is configured with an SSL certificate, add the following line to the config.php file:

        define('FORCE_SSL_LOGIN', true);
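As an added example that is not part of the original guide, the POSIX shell audit below checks a web root against the file-level steps above (secrets moved out of wp-config.php, default files and install.php removed, both .htaccess files in place). It assumes the guide's layout, with the web root passed as the argument and config.php one directory above it; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a WordPress web root
# against the hardening steps above. $1 mirrors the guide's ~/html directory
# and config.php is assumed to sit one level above it (~/config.php).
# Prints one line per check and returns the number of failed checks.
audit_wp() {
  root=$1; fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  pass() { echo "ok:   $1"; }
  # Step 5: credentials and keys must no longer be defined in the web root,
  # and wp-config.php must pull them in from the external file.
  for key in DB_NAME DB_USER DB_PASSWORD AUTH_KEY NONCE_SALT; do
    grep -q "define('$key'" "$root/wp-config.php" 2>/dev/null \
      && fail "$key still defined in wp-config.php" || pass "$key moved out"
  done
  grep -q "include(" "$root/wp-config.php" 2>/dev/null \
    && pass "wp-config.php includes external config" || fail "no include() in wp-config.php"
  # Step 4: config.php exists outside the web root and holds real keys/salts.
  if [ -f "$root/../config.php" ]; then
    grep -q 'put your unique phrase here' "$root/../config.php" \
      && fail "config.php still has placeholder keys/salts" || pass "config.php keys set"
  else
    fail "config.php missing above web root"
  fi
  # Steps 6 and 25: default files that must be gone.
  for f in license.txt readme.html wp-config-sample.php \
           wp-content/plugins/hello.php wp-admin/install.php; do
    [ -e "$root/$f" ] && fail "$f still present" || pass "$f removed"
  done
  # Steps 7 and 8: both .htaccess files exist.
  for h in .htaccess wp-content/plugins/.htaccess; do
    [ -f "$root/$h" ] && pass "$h present" || fail "$h missing"
  done
  return $fails
}

# Constructed, partially hardened sample tree so the audit runs offline.
make_sample_tree() {
  d=$(mktemp -d) && mkdir -p "$d/html/wp-content/plugins" "$d/html/wp-admin"
  printf "<?php\ninclude('%s/config.php');\ndefine('DB_PASSWORD', 'password2');\n" "$d" \
    > "$d/html/wp-config.php"
  printf "<?php define('AUTH_KEY', 'put your unique phrase here'); ?>\n" > "$d/config.php"
  touch "$d/html/readme.html" "$d/html/wp-content/plugins/hello.php" "$d/html/.htaccess"
  echo "$d/html"
}

root=$(make_sample_tree)
rc=0; audit_wp "$root" || rc=$?   # one line per check
echo "failed checks: $rc"         # 5 for the constructed tree
```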