Secure Your WordPress Site



Logging into your WordPress site is all fun and games… until you wind up on an unprotected wireless access point which is being sniffed by nefarious noses. Then you might have a problem. You see, on your home LAN you are protected (or should be) by your router. Hopefully you have a strong passphrase protecting you from the outside world. If not, well, you should apply one soon.

Once you step outside of your network you are trusting that any wireless access points beyond your control are secure. This is where SSL comes in handy. Normally, connecting to your website on port 80 (http://) is perfectly fine. An issue arises, though, when you want to log in to your site. Once you enter your username and password all that information is transmitted in clear text to your server or web hosting company. Any malicious user sitting on the same network can sniff that traffic and acquire your URL and subsequently your IP address, your username and your password. If that account has admin permissions on your WordPress server, you can practically say goodbye to it because now the aforementioned malicious user has everything they need to log in to your account and indiscriminately destroy all your hard work.

SSL encrypts all traffic to and from a website. Applying an SSL certificate to your site and logging in via HTTPS is all you need to feel warm and fuzzy that if there is someone out there watching your traffic, they cannot see your credentials when you log in. Although normal traffic to your site may not need encryption, logging in certainly does.

Begin by acquiring a free SSL certificate from StartSSL.com

StartSSL has guides for requesting a cert and applying it to your server as do other sites on the interwebs. I might write a guide in the future.

Apply your SSL cert to your Apache/HTTPd webserver

I am on CentOS, so your directory and file locations may differ on other Linux flavors.

Copy your private key file to:

/etc/pki/tls/private

Copy your SSL certificate, the CA root and the CA chain to:

/etc/pki/tls/certs

Open your /etc/httpd/conf.d/ssl.conf file and edit the following sections to enable SSL on your server.

ServerName yourdomain.com:443

Enforce high encryption in Apache and ace the Qualys SSL Test

Disable SSLv2 and SSLv3. These protocols are now considered weak, vulnerable, pathetic.

SSLProtocol All -SSLv2 -SSLv3

Add the 'SSLHonorCipherOrder On' directive so the server's cipher preference order, not the client's, decides which cipher is used:

SSLHonorCipherOrder On

Enable a strong cipher suite:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:!MD5:!aNULL:!EDH

Set the path to your SSL certificate:

SSLCertificateFile /etc/pki/tls/certs/yourdomain.com-cert.txt

Set the path to your SSL private key file:

SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.com-prikey.txt

Set the path to the CA chain and root certs:

SSLCertificateChainFile /etc/pki/tls/certs/CA-chain.pem
SSLCACertificateFile /etc/pki/tls/certs/CA-bundle.crt

Restart the webserver:

service httpd restart

or

systemctl restart httpd

Enable SSL through your Linux server firewall

I edited my iptables file with the below 443 rule:

-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT

Force SSL on the admin wp-login page

You can also force SSL via the wp-config.php file. Doing so redirects any plain HTTP (port 80) requests to the admin login page over to HTTPS on port 443. Add the line below to the very top of your wp-config.php file. Make sure you have applied a valid SSL cert before doing this, or you will lock yourself out of the admin area.

define( 'FORCE_SSL_ADMIN', true );

Change your MySQL database root username

Another hardening step is to change your MySQL root username to something else. This will protect against brute force attacks where all standard usernames are tried, especially root.

UPDATE mysql.user SET user='newusername' WHERE user='root';
FLUSH PRIVILEGES;  -- reload the grant tables so the renamed account takes effect

Disable wrong username/password messages on login page

When you enter a wrong username or password on the login page, WordPress tells you so. Suppressing that message is not a strong security measure on its own, but it is part of the security-through-obscurity approach that can form one piece of an overall policy to protect your site.

Add this line to your wp-content/themes/themename/functions.php file for your selected theme:

// Return an empty string so WordPress prints no hint about what went wrong on a failed login.
// (create_function() was removed in PHP 8; an anonymous function does the same job.)
add_filter( 'login_errors', function ( $error ) {
    return '';
} );

Secure Apache

  1. Edit your /etc/httpd/conf/httpd.conf
  2. Disable directory browsing by deleting 'Indexes' from the 'Options Indexes FollowSymLinks' line.
  3. Remove access to xmlrpc.php by adding the following to the Alias directive section:
    1. Redirect 404 /xmlrpc.php
  4. Hide the Apache version by adding the following at the very end:
    1. ServerTokens ProductOnly
    2. ServerSignature Off
  5. Restart Apache:
    1. systemctl restart httpd
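As an added example (not from the original post), the script below audits an Apache configuration file for the settings applied in the two Apache sections above: SSLv2/SSLv3 disabled, SSLHonorCipherOrder on, no RC4/MD5/NULL/export suites left enabled, ServerTokens and ServerSignature set, and no Options line with Indexes. The two sample configs it writes are constructed for the demo; point audit_apache_tls at your own ssl.conf or httpd.conf instead.

```shell
#!/bin/sh
# Added example, not from the post: audit an Apache config for this guide's hardening directives. One OK/FAIL line per check; return status = number of failed checks.
live_directives() { sed 's/#.*//' "$1"; }   # drop comments so "#SSLProtocol all" is not counted
value_of() {  # value_of FILE DIRECTIVE(lower-case): its arguments, lower-cased, or "" if unset
    live_directives "$1" | awk -v d="$2" '
        tolower($1)==d { v=""; for (i=2;i<=NF;i++) v = v (i>2 ? " " : "") $i }
        END { print tolower(v) }'
}
proto_disables() {  # proto_disables VALUE NAME: true when protocol NAME cannot be negotiated
    case "$1" in
        *-"$2"*) return 0 ;;          # explicitly removed, e.g. "all -SSLv3"
        ""|*all*|*"$2"*) return 1 ;;  # unset (Apache default), "all", or listed positively
        *) return 0 ;;                # an explicit TLS-only list
    esac
}
weak_ciphers() {  # count enabled (not "!"-negated) suites from the RC4/MD5/NULL/EXPORT families
    value_of "$1" sslciphersuite | tr ':' '\n' | awk '!/^!/ && /rc4|md5|null|exp/ {n++} END {print n+0}'
}
no_indexes() { ! live_directives "$1" | awk 'tolower($1)=="options"' | grep -qiE '(^|[ +])indexes'; }
in_set() { v="$1"; shift; for x in "$@"; do [ "$v" = "$x" ] && return 0; done; return 1; }
check() {  # check DESCRIPTION COMMAND...: run the test, report it, count failures
    desc="$1"; shift
    if "$@"; then echo "OK   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}
audit_apache_tls() {
    f="$1"; fails=0; p=$(value_of "$f" sslprotocol)
    check "SSLProtocol disables SSLv2"           proto_disables "$p" sslv2
    check "SSLProtocol disables SSLv3"           proto_disables "$p" sslv3
    check "SSLHonorCipherOrder is on"            in_set "$(value_of "$f" sslhonorcipherorder)" on
    check "No RC4/MD5/NULL/EXPORT suite enabled" [ "$(weak_ciphers "$f")" -eq 0 ]
    check "ServerTokens is Prod/ProductOnly"     in_set "$(value_of "$f" servertokens)" prod productonly
    check "ServerSignature is Off"               in_set "$(value_of "$f" serversignature)" off
    check "No Options line enables Indexes"      no_indexes "$f"
    return $fails
}
write_weak_conf() {  # constructed sample: typical settings before hardening
    printf '%s\n' 'ServerTokens OS' 'ServerSignature On' 'Options Indexes FollowSymLinks' \
        'SSLProtocol all' '#SSLHonorCipherOrder on' 'SSLCipherSuite HIGH:MEDIUM:RC4-SHA:!aNULL' > "$1"
}
write_hardened_conf() {  # constructed sample: the settings this guide applies
    printf '%s\n' 'ServerTokens ProductOnly' 'ServerSignature Off' 'Options FollowSymLinks' \
        'SSLProtocol All -SSLv2 -SSLv3' 'SSLHonorCipherOrder On' \
        'SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!RC4-SHA:!MD5:!aNULL:!EDH' > "$1"
}
demo() {  # audit both constructed configs
    f=$(mktemp)
    write_weak_conf "$f";     echo "== before =="; audit_apache_tls "$f"
    write_hardened_conf "$f"; echo "== after ==";  audit_apache_tls "$f"
    rm -f "$f"
}
demo
```

On CentOS these directives are split between ssl.conf and httpd.conf, so run the audit against each file (or against the two concatenated); a directive that lives in the other file will otherwise show as FAIL.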

Hide PHP versioning

Edit your php.ini file, located at /etc/php.ini, and change the expose_php = On line to Off so PHP no longer advertises its version in the X-Powered-By response header.

expose_php = off