Friday, May 28, 2010

Hardening guide for WordPress 2.9.2

Blog Has Moved

Link to the same post in the new blog: Hardening guide for WordPress 2.9.2

Pre-installation notes
The guide below builds on the following previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase
1. Log in to the server using the root account.
2. Create a new account for uploading files over SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the command below to switch to the SSH account:
su sshaccount
4. Run the command below to generate SSH keys:
ssh-keygen
Note: Leave the default values for ssh-keygen.
5. Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
7. Exit the SSH account shell and return to the Root account:
exit
8. Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password of the MySQL root account.
9. Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account for accessing the database.
Note 2: Replace “password2” with a complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 2.9.2 from:
http://wordpress.org/download
11. Copy the WordPress 2.9.2 source archive into /www using PSCP (or SCP).
12. Move to /www
cd /www
13. Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
14. Remove the WordPress source archive:
rm -f /www/wordpress-2.9.2.tar.gz
15. Using vi, create the file /www/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines or other characters before the opening '<?php' tag or after the closing '?>' tag.
Note 2: Replace “blgusr” with your own MySQL account for accessing the database.
Note 3: Replace “password2” with a complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: To generate random values for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below:
http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Using vi, edit the file /www/wordpress/wp-config.php.
Add the following line:
include('/www/config.php');
Remove the following lines:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
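
The notes on steps 15 to 17 describe mistakes that are easy to make in a hand-edited configuration file: bytes outside the PHP tags, secret keys left at the sample phrase, and database values copied unchanged from wp-config-sample.php. The following shell function is an added example, not part of the original guide, that checks a config file for exactly those problems. The sample files it builds are constructed for the demonstration and are not real deployment files.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a WordPress config
# file (/www/config.php or wp-config.php) for the mistakes the notes on
# steps 15-17 warn about. Prints one FAIL line per finding and returns 0
# when the file is clean, 1 otherwise.

check_wp_config() {
    cfg="$1"
    rc=0

    # Nothing may precede the opening tag: a space, blank line or BOM here is
    # sent to the browser before WordPress can set its cookies and headers.
    if [ "$(head -c 5 "$cfg")" != "<?php" ]; then
        echo "FAIL: $cfg does not begin with <?php"
        rc=1
    fi

    # If a closing tag exists it must be the last thing in the file
    # (a single trailing newline is tolerated, anything more is not).
    if grep -qF '?>' "$cfg"; then
        case "$(tail -c 3 "$cfg" | tr -d '\n')" in
            *'?>') ;;
            *) echo "FAIL: $cfg has content after the closing ?> tag"; rc=1 ;;
        esac
    fi

    # The four secret keys must not be left at the sample phrase.
    if grep -qF 'put your unique phrase here' "$cfg"; then
        echo "FAIL: $cfg still contains placeholder AUTH/NONCE keys"
        rc=1
    fi

    # Database settings copied unchanged from wp-config-sample.php.
    if grep -qE 'putyourdbnamehere|usernamehere|yourpasswordhere' "$cfg"; then
        echo "FAIL: $cfg still contains wp-config-sample.php database values"
        rc=1
    fi

    return "$rc"
}

# Demo on two constructed files (not real deployment files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.php" <<'EOF'
<?php
define('DB_NAME', 'm6gf42s');
define('AUTH_KEY', 'constructed-demo-phrase-replace-me');
EOF
# Leading space, placeholder key and two newlines after the closing tag.
printf ' \n<?php\ndefine(%s, %s);\n?>\n\n' \
    "'AUTH_KEY'" "'put your unique phrase here'" > "$demo_dir/bad.php"

for f in "$demo_dir/good.php" "$demo_dir/bad.php"; do
    if check_wp_config "$f"; then echo "OK:   $f"; fi
done
rm -rf "$demo_dir"
```

Run it against /www/config.php and /www/wordpress/wp-config.php after step 17; the split layout the guide uses means both files need to pass, since the include in wp-config.php executes config.php in the same request.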

18. Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
19. Using vi, edit the file /usr/local/apache2/conf/httpd.conf
Replace the value of the following directive, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the following directive, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL below:
http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
• Blog Title
• E-Mail
23. Click on “Install WordPress” button, and close the web browser.
24. Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password of the MySQL root account.
25. Run the following commands from the MySQL prompt:
use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
Note 2: Replace “johnd” with your own new WordPress admin user name.
Note 3: Replace “password3” with a complex password (at least 14 characters).
26. Using vi, edit the file /www/wordpress/wp-includes/http.php and change the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
27. Using vi, create the file /www/wordpress/.htaccess with the following content:
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
28. Using vi, create the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
<Limit GET POST>
Order deny,allow
Deny from all
Allow from 1.1.1.0
</Limit>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>

Note: Replace 1.1.1.0 with the internal network IP address.
29. Using vi, create the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0

Note: Replace 1.1.1.0 with the internal network IP address.
30. Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
31. Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
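
Steps 30, 31 and 40 leave exactly four trees world-writable (cache, uploads, upgrade and backup-ed602) and everything else owned by root with 644 files. The following shell function is an added example, not part of the original guide, that audits an installation against that layout: it reports any world-writable path outside the allow-listed trees, and any PHP file that has ended up in the upload tree. The directory it builds for the demonstration is constructed on the spot, not a real installation.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the permission layout
# from steps 30, 31 and 40. Findings are printed one per line; the return
# value is the number of findings (0 means the layout matches the guide).

# True when the path is one of the trees the guide intentionally opens up.
allowed_writable() {
    case "$1" in
        wp-content/cache|wp-content/cache/*) return 0 ;;
        wp-content/uploads|wp-content/uploads/*) return 0 ;;
        wp-content/upgrade|wp-content/upgrade/*) return 0 ;;
        wp-content/backup-ed602|wp-content/backup-ed602/*) return 0 ;;
    esac
    return 1
}

audit_wp_perms() {
    root="$1"
    report=$(
        # World-writable paths (other-write bit set) outside the allow-list.
        find "$root" -perm -002 | while read -r p; do
            rel="${p#"$root"/}"
            allowed_writable "$rel" || echo "world-writable: $rel"
        done
        # PHP in the upload tree would be executed under the web server's account.
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null |
            while read -r p; do echo "php-in-uploads: ${p#"$root"/}"; done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    n=$(printf '%s\n' "$report" | grep -c . || true)
    return "$n"
}

# Demo on a constructed directory tree (not a real installation).
umask 022
demo=$(mktemp -d)
for d in wp-admin wp-content/plugins wp-content/cache wp-content/uploads wp-content/upgrade; do
    mkdir -p "$demo/$d"
done
: > "$demo/wp-config.php"
chmod 644 "$demo/wp-config.php"
: > "$demo/wp-content/uploads/photo.jpg"
chmod -R 777 "$demo/wp-content/cache" "$demo/wp-content/uploads" "$demo/wp-content/upgrade"

echo "clean layout:"
audit_wp_perms "$demo"
echo "findings: $?"

# Introduce the two mistakes the audit is meant to catch.
chmod 666 "$demo/wp-config.php"
: > "$demo/wp-content/uploads/stray.php"
echo "after mistakes:"
audit_wp_perms "$demo"
echo "findings: $?"
rm -rf "$demo"
```

Run it as `audit_wp_perms /www/wordpress` after step 31, and again after step 40 once the backup directory exists; a non-zero return value means something outside the four intended trees is writable by the web server's account, or that uploads contains executable code.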

32. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
33. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
34. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
35. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
36. Download "WordPress Database Backup" plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
37. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
38. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /www/wordpress/wp-content/plugins
39. Create a folder for the "WordPress Database Backup" plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
40. Set permissions for the "WordPress Database Backup" plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
41. Open a web browser from a client machine, and enter the URL below:
http://Server_FQDN/wp-login.php
42. From the WordPress dashboard, click on "Settings" -> make sure that "Anyone can register" is left unchecked -> click on "Save changes".
43. From the WordPress dashboard, click on "Settings" -> click on "Miscellaneous" -> "Store uploads in this folder" -> specify:
wp-content/uploads
44. Click on "Save changes".
45. From the WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all of the plugins downloaded above.
46. From the WordPress dashboard, click on "Settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
47. Click "Submit".
48. From the upper pane, click on "Log Out".
49. If the server was configured with an SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
