Friday, June 18, 2010

Hardening guide for WordPress 3.0

Blog Has Moved

Link to the same post in the new blog: Hardening guide for WordPress 3.0

Pre-installation notes
The guide bellow is based on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase
1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
su sshaccount
4. Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
7. Exit the SSH account shell and return to the Root account:
exit
8. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 3.0 from:
http://wordpress.org/download
11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
12. Move to /www
cd /www
13. Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip
14. Remove WordPress source file:
rm -f /www/wordpress-3.0.zip
15. Create using VI the file /www/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '< ?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

18. Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
• Site Title
• Username - replace the default "admin"
• Password
• E-mail
23. Click on “Install WordPress” button, and close the web browser.
24. Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>

Note: Replace 1.1.1.0 with the internal network IP address.
26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0

Note: Replace 1.1.1.0 with the internal network IP address.
27. Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
28. Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade

29. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
30. Download "Limit Login" plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
31. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
32. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
33. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
34. Download "WordPress Database Backup" plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
35. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
36. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /www/wordpress/wp-content/plugins
37. Create a folder for the "WordPress Database Backup" plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
38. Set permissions for the "WordPress Database Backup" plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
39. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
40. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> put a new value inside the "Tagline" field -> click on "Save changes".
41. From WordPress dashboard, click on "settings" -> click on "Media" -> "Store uploads in this folder" -> specify:
wp-content/uploads
42. Click on "Save changes".
43. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
44. From WordPress dashboard, click on "settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
45. Click "Submit".
46. From the upper pane, click on "Log Out".
47. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);

Labels: , , , , ,

1 Comments:

At July 9, 2010 at 8:45 PM , Anonymous Anonymous said...

This is spot on! I have been looking for a way to set up a WordPress install using SSH. This post is defiantly going to be my guide for every install.

 

Post a Comment

Subscribe to Post Comments [Atom]

<< Home