Archive for the ‘WordPress’ Category
Data and Web Security in Business
Not all businesses are aware of just how much of their data is potentially at risk within their own systems and even their website; there simply isn’t the education in place to identify the flaws in one’s system before it’s too late in most cases, which results in compromised data, stolen data, loss of trust from customers and potentially a loss of funds or profits for the business in question; usually because of issues that could have easily been avoided.
First of all you need to secure the internal workings of your business; which means users and data storage. One of the biggest threats to your computer and data security systems is actually the people that you give access to those systems; the human element is less predictable so be sure to take the necessary precautions that will prevent or limit damages should an employee choose to act maliciously. Start by ensuring logins are required and are unique to each user, this allows you to control exactly what each person has access to, and means that it is easier to trace who is responsible if damage is caused. You should also be very careful about providing permissions to these users; consider what they absolutely must have access to, and why, and consider whether or not they really need access to everything they can access. Limitations are the first step towards protection.
Once you have this much protected you can start to think about how to avoid unauthorised access; password protecting everything is a good start, and encrypting sensitive information can be a fantastic way to avoid giving away data that is particularly valuable to your company. These are generally very easy systems to implement, and most security organisations you may choose to work with will help you to set up systems for encryption, data recovery, remote destruction (allowing you to delete data on a stolen device), as well as other aspects of data protections that can be very important to your business. These are important if your business handles a great deal of sensitive information, and of course if that is the case and security is of particularly importance you will want to get a security firm to help you protect it, however in a lot of cases your own IT department can set up the encryption, passwords, firewalls and defences needed to protect basic levels of data against reasonably tough attacks.
Of course your online systems can require something a little different in order to keep them safe, and this is true of your website as well as any online content management, project management or other systems you might be using in the day to day running of your business. Again it is important that everything is password protected to keep things safe and secure as far as your users and their access levels are concerned, but you should also ensure that the development of the websites and tools are done with a certain level of security in mind. There are some rules to this, but in general it isn’t too difficult if you can already develop a website.
No WordPress. If you want a secure website to handle lots of valuable data then WordPress isn’t for you, no matter how easy you think it makes your life. The problem with WordPress is that literally anyone can get it, and they all get the same version. Within a short time the vulnerabilities of that version will have been discovered and likely shared among hackers and other such people, meaning that you can either update or remain vulnerable – your only hope is that WordPress and you update often enough to stay one step ahead of the hackers. This is an issue that exists with a variety of similar platforms and would be difficult to keep yourself secure using these platforms – the best option is to use a secure platform and your own web development team or company.
The variations in the programming that come from using your own team help to create diversity online, which means that it is much harder for hackers and malicious users to find the ways into your system; thus keeping you protected for longer. Of course even with your own website you are likely to be working with systems like Magento for database integration and content management, which will need to be updated every so often but are considerably more secure than systems like WordPress, and you will have to keep certificates up to date, particularly your SSL certificates.
Kate Critchlow is a freelance writer with a passionate interest for technology covering everything from web development to IT security services.
Hardening guide for WordPress 3.0 for hosted web sites
Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.
- Request from your hosting provider access through SSH.
- Login to the hosted server using SSH.
- Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
- DB_NAME
- DB_USER
- DB_PASSWORD
- Create using VI the file ~/config.php with the following content:
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.< ?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
?>
Note 2: Replace “blgusr” with the MySQL account to access the database.
Note 3: Replace “password2” with the MySQL account password.
Note 4: Replace “m6gf42s” with the WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Edit using VI, the file ~/html/wp-config.php
Add the following line:
include('/path/config.php');
Note: Replace /path/ with the full path to the config.php file.Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here'); - Remove default content:
rm -f ~/html/license.txt
rm -f ~/html/readme.html
rm -f ~/html/wp-config-sample.php
rm -f ~/html/wp-content/plugins/hello.php - Create using VI the file ~/html/.htaccess with the following content:
< files wp-config.php>
Order deny,allow
deny from all
< /files>
< Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
< /Files> - Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic - Create the following folders:
mkdir -p ~/html/wp-content/cache
mkdir -p ~/html/wp-content/uploads
mkdir -p ~/html/wp-content/upgrade
- Change the file permissions:
chmod -R 777 ~/html/wp-content/cache
chmod -R 777 ~/html/wp-content/uploads
chmod -R 777 ~/html/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/ - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php - From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php - Click “Submit”.
- From the upper pane, click on “Log Out”.
- Delete the file /wp-admin/install.php
- In-case the server was configured with SSL certificate, add the following line to the config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for WordPress 3.0
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
- Run the commands bellow to switch to the SSH account:
su sshaccount
- Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
Note 1: Replace “blgusr” with your own MySQL account to access the database.
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 3.0 from:
http://wordpress.org/download - Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip
- Remove WordPress source file:
rm -f /www/wordpress-3.0.zip
- Create using VI the file /www/config.php with the following content:
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
< ?php‘ tag or after a closing ‘?> ‘ tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
- Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
- Specify the following information:
- Site Title
- Username – replace the default “admin“
- Password
- Click on “Install WordPress” button, and close the web browser.
- Create using VI the file /www/wordpress/.htaccess with the following content:
Note 1: Replace 1.1.1.0 with the internal network IP address.< files wp-config.php>
Order deny,allow
deny from all
< /files>
< Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
< /Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
< LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
< /LIMIT>
< IfModule mod_security.c>
SecFilterInheritance Off
< /IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/ - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- Delete the file /wp-admin/install.php
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for WordPress 2.9.2
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount - Run the commands bellow to switch to the SSH account:
su sshaccount
- Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 2.9.2 from:
http://wordpress.org/download - Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
- Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz
- Create using VI the file /www/config.php with the following content:
<?php
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
- Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
- Specify the following information:
- Blog Title
- Click on “Install WordPress” button, and close the web browser.
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use m6gf42s;
Note 1: Replace “m6gf42s” with your own WordPress database name.
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “johnd” with your own new WordPress admin.
Note 2: Replace “password3” with complex password (at least 14 characters). - Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
- Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Note 1: Replace 1.1.1.0 with the internal network IP address.
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);