Hardening WordPress

Everybody knows that the WordPress CMS is a common choice of blog platform, but what we see is that it is most often deployed with no security countermeasures (in the OWASP Top Ten 2013 – The Ten Most Critical Web Application Security Risks, the category Security Misconfiguration is in fifth position), even when the website has already been compromised before. To avoid some of these threats and raise the security level, we list below some best practices for hardening WordPress:

  • Update your WordPress Core.
  • Use strong passwords: with letters, numbers and special characters, and longer than 12 characters. It is important to avoid common information about yourself, such as your birthday or anything related, and also words found in a conventional dictionary, even in another language.
  • Avoid out-of-date and/or unknown (unrecommended) plugins and themes, or ones obtained through piracy (commonly used to spread web malware). Also check whether each one has a well-known vulnerability; if you find any of your plugins or themes in this list and have not applied a patch/update after the date shown, deactivate it as soon as possible. It is also possible to configure automatic updates in the WordPress configuration file; for more details, see here.
  • Keep automatic daily or weekly (or at an interval of your choice) backup routines that store the files on another (remote) server, and try to use SFTP or SSH for the transfer – wordpress backup.
  • Put your website behind a WAF (Web Application Firewall), which will analyse all HTTP requests (often GET and POST) and block the bad ones (those that match a malicious network signature). A well-known open source WAF is Apache ModSecurity.
  • Put script verification/detection mechanisms on all comment text boxes and on newsletter subscription or contact forms to avoid spam incidents through the website. One option is Google reCaptcha.
  • Add a blank index.php to the directories, because websites are commonly hosted on shared servers where it isn't possible to customize the web service configuration and the directory listing option is often enabled. This file is normally created in the directories “wp-includes”, “wp-content”, “wp-content/plugins”, “wp-content/themes” and “wp-content/uploads”.
  • Use a digital certificate on all pages of your website (HTTPS; prefer TLS over SSL v3.0 (CVE-2014-3566)), both publicly accessible and restricted. More details here.
  • Avoid hosting more than one website within a single account (common in Plesk or cPanel systems), because if just one is compromised the intrusion will spread to the others and the security incident will have a huge impact on your whole business.
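
The blank index.php practice from the list above can be scripted. The following is an added example, not code from the original article: the function name ensure_index_guards and the variables WP_GUARD_DIRS and GUARDS_CREATED are illustrative, and it assumes shell access to the WordPress root (the directory containing wp-load.php).

```shell
#!/bin/sh
# Added example: place blank index.php guards in the directories the article
# lists, so a server with directory listing enabled shows an empty page there.
# Paths are relative to the WordPress root. All names below are illustrative.
WP_GUARD_DIRS="wp-includes wp-content wp-content/plugins wp-content/themes wp-content/uploads"

# ensure_index_guards ROOT
# Writes index.php into each listed directory that exists and lacks one.
# Never overwrites an existing index.php. Prints one status line per
# directory and leaves the number of files written in GUARDS_CREATED.
ensure_index_guards() {
    root=$1
    GUARDS_CREATED=0
    # wp-load.php ships in the WordPress root; refuse to touch other trees.
    if [ ! -f "$root/wp-load.php" ]; then
        echo "error: $root does not look like a WordPress root" >&2
        return 2
    fi
    for d in $WP_GUARD_DIRS; do
        dir="$root/$d"
        if [ ! -d "$dir" ]; then
            echo "skip    $d (directory not present)"
            continue
        fi
        if [ -e "$dir/index.php" ]; then
            echo "ok      $d"
            continue
        fi
        # Same placeholder content WordPress uses for its own blank index files.
        printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
        chmod 644 "$dir/index.php"
        GUARDS_CREATED=$((GUARDS_CREATED + 1))
        echo "created $d/index.php"
    done
    return 0
}

# Stand-alone use: sh guard-index.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    ensure_index_guards "$1"
fi
```

Running it a second time reports every directory as "ok" and writes nothing, so it is safe to schedule after plugin or theme updates.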
About Icaro Torres
Icaro Torres is a computer network technologist with a postgraduate degree in information security who works on vulnerability analysis and security research at iBLISS. Before that, he worked for about 2.7 years in website hosting, in technical support and in audit/security of the systems hosted in the company's datacenters. He contributes to OWASP through translation projects and through the chapter in his city. He continuously studies web application security, pentesting and malware analysis.