web analytics

Hardening guide for WordPress 3.0 for hosted web sites

Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

  1. Request from your hosting provider access through SSH.
  2. Login to the hosted server using SSH.
  3. Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
    • DB_NAME
    • DB_USER
    • DB_PASSWORD
  4. Create using VI the file ~/config.php with the following content:
    <?php
    define('DB_NAME', 'm6gf42s');
    define('DB_USER', 'blgusr');
    define('DB_PASSWORD', 'password2');
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');
    ?>
    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with the MySQL account to access the database.
    Note 3: Replace “password2” with the MySQL account password.
    Note 4: Replace “m6gf42s” with the WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
  5. Edit using VI, the file ~/html/wp-config.php
    Add the following line:
    include('/path/config.php');Note: Replace /path/ with the full path to the config.php file.

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
    define('DB_USER', 'usernamehere');
    define('DB_PASSWORD', 'yourpasswordhere');
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');

  6. Remove default content:
    rm -f ~/html/license.txt
    rm -f ~/html/readme.html
    rm -f ~/html/wp-config-sample.php
    rm -f ~/html/wp-content/plugins/hello.php
  7. Create using VI the file ~/html/.htaccess with the following content:
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
    <Files wp-login.php>
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    </Files>
  8. Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
  9. Create the following folders:
    mkdir -p ~/html/wp-content/cache
    mkdir -p ~/html/wp-content/uploads
    mkdir -p ~/html/wp-content/upgrade
  10. Change the file permissions:
    chmod -R 777 ~/html/wp-content/cache
    chmod -R 777 ~/html/wp-content/uploads
    chmod -R 777 ~/html/wp-content/upgrade
  11. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
  12. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
  13. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
  14. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
  15. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
  16. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
  17. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
  18. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
  19. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
  20. Click on “Save changes”.
  21. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
  22. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /wp-login.php
    Disallow: /wp-register.php
  23. Click “Submit”.
  24. From the upper pane, click on “Log Out”.
  25. Delete the file /wp-admin/install.php
  26. In-case the server was configured with SSL certificate, add the following line to the config.php file:
    define('FORCE_SSL_LOGIN', true);

2 Responses to “Hardening guide for WordPress 3.0 for hosted web sites”

  • Daniel says:

    Me again

    “Login Lockdown” plugin seems to have the same settings as “Limit Login” plugin. So why have both?

    Kb-robots.txt plugin does not create the actual robots.txt in WordPress 3.1 so I replaced with PC-robots.txt

  • Hi Eyal,

    Nice post with solid information.

    To reduce the number of plugins you can just use Login Lockdown, which has the option to specify the number of login attempts and the time period for those attempts.

    No need for the Limit Logins plugin.

    Cheers,

    Tambra

Leave a Reply