Hardening guide for WordPress 3.0

Pre-installation notes The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.

2. Create a new account for uploading files using SSH: groupadd sshaccount useradd -g sshaccount -d /home/sshaccount -m sshaccount

3. Run the commands bellow to switch to the SSH account: su sshaccount

4. Run the command bellow to generate SSH keys: ssh-keygen Note: Leave deafult values for the ssh-keygen.

5. Copy the SSH keys: cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys

6. Change permissions for the SSH keys: chmod 755 /home/sshaccount/.ssh chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account: exit

8. Run the command bellow to login to the MySQL: /usr/bin/mysql -uroot -pnew-password Note: Replace the string “new-password” with the actual password for the root account.

9. Run the following commands from the MySQL prompt: CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2'); CREATE DATABASE m6gf42s; GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2"; FLUSH PRIVILEGES; quit Note 1: Replace “blgusr” with your own MySQL account to access the database. Note 2: Replace “password2” with complex password (at least 14 characters). Note 3: Replace “m6gf42s” with your own WordPress database name.

10. Download WordPress 3.0 from: http://wordpress.org/download

11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www

12. Move to /www cd /www

13. Extract the wordpress-3.0.zip file: unzip wordpress-3.0.zip

14. Remove WordPress source file: rm -f /www/wordpress-3.0.zip

15. Create using VI the file /www/config.php with the following content: <?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'password2'); define('DB_HOST', '127.0.0.1'); $table_prefix = 'm6gf42s_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); define('FS_METHOD', 'direct'); define('FS_CHMOD_DIR', 0777); define('FS_CHMOD_FILE', 0777); define('FTP_BASE', '/www/wordpress/'); define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/'); define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/'); define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub'); define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa'); define('FTP_USER', 'sshaccount'); define('FTP_HOST', '127.0.0.1:22'); ?> Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters). Note 4: Replace “m6gf42s” with your own WordPress database name. Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow: http://api.wordpress.org/secret-key/1.1/

16. Copy the wp-config.php file: cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php

17. Edit using VI, the file /www/wordpress/wp-config.php Add the following line: include('/www/config.php');

    Remove the following sections: define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('DB_HOST', 'localhost'); $table_prefix = 'wp_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');

18. Remove default content: rm -f /www/wordpress/license.txt rm -f /www/wordpress/readme.html rm -f /www/wordpress/wp-config-sample.php rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf Replace the value of the string, from: DocumentRoot "/www"To: DocumentRoot "/www/wordpress"

    Replace the value of the string, from: LimitRequestBody 10000To: LimitRequestBody 200000

20. Restart the Apache service.

21. Open a web browser from a client machine, and enter the URL bellow: http://Server_FQDN/wp-admin/install.php

22. Specify the following information:

    • Site Title
    • Username - replace the default “admin”
    • Password
    • E-mail

23. Click on “Install WordPress” button, and close the web browser.

24. Create using VI the file /www/wordpress/.htaccess with the following content: <files wp-config.php> Order deny,allow deny from all </files> <Files wp-login.php> AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 </Files> RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\.php* RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address. Note 2: Replace Server_FQDN with the server FQDN (DNS name).

25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName “Access Control” AuthType Basic <LIMIT GET POST> order deny,allow deny from all Allow from 1.1.1.0 </LIMIT> <IfModule mod_security.c> SecFilterInheritance Off </IfModule> Note: Replace 1.1.1.0 with the internal network IP address.

26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 Note: Replace 1.1.1.0 with the internal network IP address.

27. Create the following folders: mkdir -p /www/wordpress/wp-content/cache mkdir -p /www/wordpress/wp-content/uploads mkdir -p /www/wordpress/wp-content/upgrade

28. Change the file permissions: chown -R root:root /www/wordpress chown daemon:root /www/wordpress/wp-content/plugins chmod 644 /www/config.php chmod 644 /www/wordpress/wp-config.php chmod 644 /www/wordpress/.htaccess chmod 644 /www/wordpress/wp-admin/.htaccess chmod 644 /www/wordpress/wp-content/plugins/.htaccess chmod -R 777 /www/wordpress/wp-content/cache chmod -R 777 /www/wordpress/wp-content/uploads chmod -R 777 /www/wordpress/wp-content/upgrade

29. Download “Login Lockdown” plugin from: http://www.bad-neighborhood.com/login-lockdown.html

30. Download “Limit Login” plugin from: http://wordpress.org/extend/plugins/limit-login-attempts/

31. Download “WP-Secure Remove Wordpress Version” plugin from: http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/

32. Download “WP Security Scan” plugin from: http://wordpress.org/extend/plugins/wp-security-scan/

33. Download “KB Robots.txt” plugin from: http://wordpress.org/extend/plugins/kb-robotstxt/

34. Download “WordPress Database Backup” plugin from: http://austinmatzko.com/wordpress-plugins/wp-db-backup/

35. Download “WordPress Firewall” plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo

36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins

37. Create a folder for the “WordPress Database Backup” plugin: mkdir -p /www/wordpress/wp-content/backup-ed602

38. Set permissions for the “WordPress Database Backup” plugin: chmod 777 /www/wordpress/wp-content/backup-ed602

39. Open a web browser from a client machine, and enter the URL bellow: http://Server_FQDN/wp-login.php

40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.

41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify: wp-content/uploads

42. Click on “Save changes”.

43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”. Note: Install and activate all the above downloaded plugins.

44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field: Disallow: /wp-* Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /wp-login.php Disallow: /wp-register.php

45. Click “Submit”.

46. From the upper pane, click on “Log Out”.

47. Delete the file /wp-admin/install.php

48. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file: define('FORCE_SSL_LOGIN', true);