Hardening guide for WordPress 3.0 for hosted web sites
Blog Has Moved
Link to the same post in the new blog: Hardening guide for WordPress 3.0 for hosted web sites
Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.
1. Request from your hosting provider access through SSH.
2. Login to the hosted server using SSH.
3. Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
• DB_NAME
• DB_USER
• DB_PASSWORD
4. Create using VI the file ~/config.php with the following content:
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
?
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '< ?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with the MySQL account to access the database.
Note 3: Replace “password2” with the MySQL account password.
Note 4: Replace “m6gf42s” with the WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
5. Edit using VI, the file ~/html/wp-config.php
• Add the following line:
include('/path/config.php');
Note: Replace /path/ with the full path to the config.php file.
• Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
6. Remove default content:
rm -f ~/html/license.txt
rm -f ~/html/readme.html
rm -f ~/html/wp-config-sample.php
rm -f ~/html/wp-content/plugins/hello.php
7. Create using VI the file ~/html/.htaccess with the following content:
Order deny,allow
deny from all
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
8. Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
9. Create the following folders:
mkdir -p ~/html/wp-content/cache
mkdir -p ~/html/wp-content/uploads
mkdir -p ~/html/wp-content/upgrade
10. Change the file permissions:
chmod -R 777 ~/html/wp-content/cache
chmod -R 777 ~/html/wp-content/uploads
chmod -R 777 ~/html/wp-content/upgrade
11. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
12. Download "Limit Login" plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
13. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
14. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
15. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
16. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
17. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /html/wp-content/plugins
18. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
19. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> put a new value inside the "Tagline" field -> click on "Save changes".
20. Click on "Save changes".
21. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
22. From WordPress dashboard, click on "settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
23. Click "Submit".
24. From the upper pane, click on "Log Out".
25. In-case the server was configured with SSL certificate, add the following line to the config.php file:
define('FORCE_SSL_LOGIN', true);
posted by Eyal Estrin @ 11:29 AM
0 Comments
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home