WordPress or WP as I call it went viral long ago, with 54% or all CMS systems using WP\u00c2\u00a0it’s obvious it’s not a fad. \u00c2\u00a0But with that many people using the code, you also have lots of people now vulnerable to a whole slew of attacks. \u00c2\u00a0Because WordPress is so easy to use, many people create quick blogs without putting very much time into thinking about security.<\/p>\n
This is true not only of the people setting up the WP sites but also the people creating plugins and themes. \u00c2\u00a0As I look through WP plugins I see more than 50% of the code had no security accounted for. \u00c2\u00a0 I hope to point out several of those security issues as well as better prepare you for deploying your own WP site.<\/p>\n
First off before you can even think about setting up a secure WP Site, you have to have a secure webserver. Believe it or not it really doesn’t matter all that much if you use Apache or IIS7.0. \u00c2\u00a0I hate to say it, but don’t\u00c2\u00a0congratulate\u00c2\u00a0Microsoft on this\u00c2\u00a0accomplishment. \u00c2\u00a0It’s really the PHP dev team who made PHP a solid product on IIS. \u00c2\u00a0For this article though we will be focusing on Apache + PHP.<\/p>\n
If you are going to be running multiple WP instances controlled by different people then you really want to look into using something like suExec or suPHP. \u00c2\u00a0These modules allow you to run the php script as the user who owns the file. \u00c2\u00a0This is a big security feature as typically any script that is run is run as the webserver. \u00c2\u00a0This means any script could in theory hurt any other script that is running since their is no seperation (aside from processes). \u00c2\u00a0Also in order to make it accessible by Apache and your customers the script would have to have more relaxed file permissions.<\/p>\n
suExec<\/a> and suPHP<\/a> fix this by running your script as the person who owns the script. \u00c2\u00a0Think of this as a little sandbox to separate your various WordPress Instances. \u00c2\u00a0When a user ftp\/sftp into your server to upload files to your server, those files will run as the user who uploads them. \u00c2\u00a0It also makes it perfectly acceptable to tell your ssh & sftp server to lock the users into their home directories to prevent them from playing dangerous on your server.<\/p>\n Note though, this doesn’t really work for you if you are using WordPress Multiuser<\/a>. \u00c2\u00a0This is because WordPress Multi-User all runs as a single WP instance (everything as one user). \u00c2\u00a0When deciding if you want to run WP Multiuser or multiple instances of WP you should think about the logical separation of who it’s for. \u00c2\u00a0If you need multiple sites for the same company, then use WP Multiuser. \u00c2\u00a0If you are looking to go more of a shared hosting route then you should really use multiple instances of WP as this is safer for your customers.<\/p>\n The php.ini holds a lot of power in PHP. \u00c2\u00a0It also hold the most power when it comes to security. \u00c2\u00a0This is the place where you should make the big changes. \u00c2\u00a0 Such as….<\/p>\n .htaccess is an amazing little feature of apache that allows you to control several apache runtime configurations. \u00c2\u00a0This is a great way to restrict access to certain folders in your site. \u00c2\u00a0For example you can lock your wp-admin directory to only be accessed by specific ip address with something like the following.<\/p>\n You can also use the .htaccess to disable register_globals if you dont have control over the php.ini file by placing\u00c2\u00a0php_flag register_globals off<\/em>\u00c2\u00a0 in your .htaccess file<\/p>\n Many people have asked me what the file permissions are supposed to be for WP. \u00c2\u00a0Before I give my recommendation I want to explain some things you need to consider. \u00c2\u00a0Unless you are using suExec or suPHP \u00c2\u00a0your WP is running as the webserver user. \u00c2\u00a0This means that if you have a script that uploads files for edits files (like WP) then the webserver needs to have access to write to your files. \u00c2\u00a0Now most of the items in WP that get modified exists under the wp-content<\/strong>\u00c2\u00a0directory. \u00c2\u00a0So in my opinion I would make all the files owned by either root or the user who manages the WP files. \u00c2\u00a0Then set the wordpress permissions with the following command.<\/p>\n chmod -R 655 wordpress<\/strong><\/p>\n After this we must modify the wp-content<\/strong>\u00c2\u00a0subdirectory permissions. (Note: If you are using suExec or suPHP the previous permissions are enough, skip the rest.)<\/p>\n If you have root access set the group permissions of the files to the webserver group.<\/p>\n If you don’t have the ability to set the permissions to the webserver group then do the following with extreme caution.<\/p>\n I must point out that setting any directory in your web path to 777 is a security risk. \u00c2\u00a0At those permissions any files within are a free for all. \u00c2\u00a0If you don’t find giving your ftp password everytime you make a change you could also leave those permissions at 777 and just put in your ftp username and password each time you need to upload plugins for themes.<\/p>\n By far one of the most successful web security tools no matter what application you are running is mod_security<\/a>. \u00c2\u00a0I can’t stress how amazing this Apache module is (I believe it has an IOIS version also) \u00c2\u00a0This module basically works as a firewall for your webserver. \u00c2\u00a0It actually inspects every request that comes into your server and searches for potential attacks in the request. \u00c2\u00a0It has a very high detection rate (sometimes to high). \u00c2\u00a0I can say for sure that this tool has saved some of the larger web sites I’ve run.<\/p>\n It has several version including an opensource community edition. \u00c2\u00a0USE THIS!<\/p>\n Always stay up to date on your system patches. \u00c2\u00a0This is critical, don’t let your WP get compromised from your operating system or it’s applications (IE. apache, mysql, ssh etc)<\/p>\n Also make sure to keep your WordPress install current. \u00c2\u00a0When you see the update notice, follow it and run the update.<\/p>\n The one thing I’ve seen was looked over by every site I’ve been called into repair, is they didn’t do proper backups. \u00c2\u00a0This can and will save you SO much money. \u00c2\u00a0It will also help you get your site back online faster. \u00c2\u00a0Make sure that you backup both your database and your actual files.<\/p>\n Once you have a secure server setup, then you need to really take the time to lock down Wp from the inside. \u00c2\u00a0The following are the tips I follow.<\/p>\n Security in WP can also be increased by certain plugins. \u00c2\u00a0Here is a great list of plugins to help.<\/p>\n The biggest problem with the Security of WP is not the core code, but the plugins and themes. \u00c2\u00a0As a plugin or theme author you should know about these api functions by heart https:\/\/codex.wordpress.org\/Data_Validation<\/a>\u00c2\u00a0\u00c2\u00a0These functions are the data validation functions. \u00c2\u00a0They are how you test to make sure that the data coming from the user is safe to use. \u00c2\u00a0Lack of input validation is responsible for most security bugs like cross site scripting (XSS) or SQL Injections.<\/p>\n Below are my personal coding tips for making secure plugins and themes.<\/p>\n This serves many purposes, first it makes sure that you will never receive those pesky notices in your php log about PHP Notice: Undefined index: name in<\/strong>. It also makes sure you didn’t make a typo in variable name. Finally notice the use of the esc_html<\/strong>\u00c2\u00a0function. \u00c2\u00a0This is one of those input validation functions discussed above. \u00c2\u00a0It makes sure that what ever they send doesn’t contain malicious code the could cause a XSS attack.<\/li>\n In this example only javascript, css and images are allowed. This will prevent people from directly calling any php scripts.<\/li>\n<\/ul>\n If you have a security recommendation. Place it in the comments below. If you are confused about one of the recommendations, let me know and I’ll break it down more for you.<\/p>\n See Also<\/p>\n http:\/\/aymanh.com\/checklist-for-securing-php-configuration<\/a><\/p>\nphp.ini<\/h2>\n
\n
.htaccess<\/h2>\n
order deny,allow\r\ndeny from all\r\nallow from xxx.xx.xx.xxx<\/pre>\n
File Permissions<\/h2>\n
chgrp -R apache wp-content\r\nchmod -R 775 wp-content<\/pre>\n
chmod -R 777 wp-content<\/pre>\n
mod_security<\/h2>\n
Patching<\/h2>\n
Backups<\/h2>\n
WordPress Changes<\/h2>\n
\n
WordPress Security Plugins (That Work with current!)<\/h2>\n
\n
Coding Tips for Plugins & Themes<\/h1>\n
\n
function printWelcom($name = false){\r\n\r\n if(isset($name) && !empty($name)){\r\n print \"Hello \".esc_html($name).\" welcome back!\";\r\n }\r\n}<\/pre>\nOrder Allow,Deny\r\nDeny from all\r\n<Files ~ \"\\.(css|jpe?g|png|gif|js)$\">\r\n Allow from all\r\n<\/Files><\/pre>\n