Securing WordPress
butcher a colander!
28 January 2015
Who has hosted WordPress blogs and never been p0wned?
Liar!
Since WordPress 3.7, minor (security and maintenance) releases are pushed automatically. Great!
But what about major updates, and plugin and theme updates? Here are the few lines I add to the theme's functions.php file (rather than to wp-config.php as suggested here, because it did not work). Two caveats: add_filter() is not defined yet when wp-config.php is parsed, so it cannot be called there (the constant WP_AUTO_UPDATE_CORE is the wp-config.php way to control core updates), and a theme's functions.php is overwritten by the very theme update it enables, so a must-use plugin in wp-content/mu-plugins is a safer home for these lines.
// enable automatic plugins update
add_filter( 'auto_update_plugin', '__return_true' );
// enable automatic themes update
add_filter( 'auto_update_theme', '__return_true' );
// enable automatic translations update
add_filter( 'auto_update_translation', '__return_true' );
// enable automatic minor core update
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
// enable automatic major core update
add_filter( 'allow_major_auto_core_updates', '__return_true' );
// uncomment to update even when WordPress detects a VCS checkout (.git, .svn, ...) in or above the web root
//add_filter( 'automatic_updates_is_vcs_checkout', '__return_false', 1 );
To avoid problems, keep your themes clean (no local modifications, since an update replaces the files) and take regular backups. Automatic updates also rely on WP-Cron, so a site with little traffic needs a real cron job to trigger it.
N.B.: it will not work with child themes.
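As an added example (not code from the original post), here is the same policy packaged as a must-use plugin: WordPress loads every PHP file in wp-content/mu-plugins/ regardless of the active theme, and no theme or plugin update overwrites it. It goes beyond the __return_true one-liners above and uses the two arguments the auto_update_* filters receive to allow-list plugins and to skip the active child theme. The plugin slugs in the allow-list and the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 * Description: Drop this file into wp-content/mu-plugins/ so the policy survives theme updates.
 *
 * Added example, not the blog post's own code. Assumes WordPress >= 3.7 with WP-Cron running.
 * The allow-list below is a hypothetical policy, not a recommendation for specific plugins.
 */

defined( 'ABSPATH' ) || exit;

// Core: minor (security/maintenance) releases and major releases.
// Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

/**
 * Plugins: auto-update only those we have chosen to trust.
 * $item is the update object from the plugin update check:
 * $item->slug is the wordpress.org slug, $item->plugin the "dir/file.php" path.
 */
function example_policy_auto_update_plugin( $update, $item ) {
    // Hypothetical allow-list of wordpress.org plugin slugs.
    $allowed = array( 'akismet', 'cookies-for-comments' );

    $decision = isset( $item->slug ) && in_array( $item->slug, $allowed, true );

    // Leave a trace in the PHP error log so an admin can audit what was applied.
    error_log( sprintf(
        '[auto-update policy] plugin %s -> %s',
        isset( $item->plugin ) ? $item->plugin : '(unknown)',
        $decision ? 'update' : 'skip'
    ) );

    return $decision;
}
add_filter( 'auto_update_plugin', 'example_policy_auto_update_plugin', 10, 2 );

/**
 * Themes: update everything that ships an update, except the active child theme.
 * The child theme is local code with no upstream; if its directory name happened
 * to collide with a wordpress.org theme it would otherwise be overwritten.
 */
function example_policy_auto_update_theme( $update, $item ) {
    $child  = get_stylesheet(); // active theme directory name
    $parent = get_template();   // its parent, or the same value when no child theme is in use
    if ( $child !== $parent && isset( $item->theme ) && $item->theme === $child ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'example_policy_auto_update_theme', 10, 2 );

add_filter( 'auto_update_translation', '__return_true' );

// Updates are skipped when WordPress detects a VCS checkout (.git, .svn, .hg, .bzr)
// in the web root or above. Return false to update anyway; keep this commented
// unless the checkout is deliberately managed that way.
// add_filter( 'automatic_updates_is_vcs_checkout', '__return_false', 1 );

// Get the result e-mail for every automatic update run, not only for failures.
add_filter( 'automatic_updates_send_debug_email', '__return_true' );
```

The filters run inside the WP-Cron update job, so the decisions only show up in the error log (and the debug e-mail) after the next scheduled run; the file must sit directly in wp-content/mu-plugins/, not in a subdirectory, to be loaded.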
To harden things a little more, I check that wp-config.php contains:
// admin and login pages are served over HTTPS only (needs a valid certificate on the site)
define('FORCE_SSL_ADMIN', true);
// the theme and plugin file editor in the dashboard is disabled
define('DISALLOW_FILE_EDIT', true);
Do not add DISALLOW_FILE_MODS as well: it blocks every file modification, including the automatic updates enabled above.
Finally I add the following lines to the .htaccess file, outside the # BEGIN WordPress / # END WordPress block (WordPress regenerates that block, so anything written inside it is lost). They need mod_rewrite with RewriteEngine On in effect, and conditions are evaluated in order, so the exceptions must stay between the blocking condition and the RewriteRule.
# Protect wp-content directory -- php modules should not be directly accessed
# (extend the extension list if your PHP handler also executes other extensions, e.g. .phtml)
RewriteCond %{REQUEST_FILENAME} wp-content/.+\.(php|txt|pl)$ [NC]
# Cookies for Comments uses a PHP formatted CSS file
RewriteCond %{REQUEST_FILENAME} !cookies-for-comments/css\.php$ [NC]
RewriteRule .* - [F,NS,L]
# Protect wp-includes directory - don't allow access to php files
RewriteCond %{REQUEST_FILENAME} wp-includes/.+\.php$ [NC]
# Allow the multi-site uploaded files handling
RewriteCond %{REQUEST_FILENAME} !wp-includes/ms-files\.php$ [NC]
# js/tinymce has some php modules, following rule allows them
RewriteCond %{REQUEST_FILENAME} !wp-includes/js/tinymce/.+ [NC]
RewriteRule .* - [F,NS,L]
Still in .htaccess, I block direct access to wp-config.php as suggested here: if the PHP handler ever stops working, the file would otherwise be served as plain text, database credentials included. The snippet uses the Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace the two inner lines with Require all denied.
<files wp-config.php>
order allow,deny
deny from all
</files>
It is also better to:
- remove all unused plugins
- not use any plugin that executes PHP code or requires access to configuration files
- take frequent backups
These are the few suggestions I applied; you should read the entire document here.
Three ways to explore:
- http://www.ossec.net/ a host-based intrusion detection system
- https://www.modsecurity.org/ detects and blocks malicious requests (be careful: until its rules are tuned it also blocks legitimate ones)
- <troll>stop using WordPress</troll>