Apply basic security to your WordPress site

As you probably know, the Linux Mint website was compromised. From what has been said, the attacker found a WordPress vulnerability just “poking around” and scored. It is sad, but these things happen. So, let’s talk a bit about WordPress and how to apply some basic security to it; hopefully it will reduce the risk of your site becoming the next victim. Join me, contribute and share your tips if you feel this is a helpful topic.

Let me start by pointing out that I’m by no means an expert; I also love kittens! :)

If you’re hosting your own site you surely want to take good care of it, but when was the last time you thought about ensuring your visitors are not sent in harm’s way when visiting your site? Drive-by downloads through cross-site scripting and the commonly exploited SQL injection vulnerabilities are well known out there, to the tune of 300,000 WordPress sites hacked a day as mentioned by Forbes a couple of years ago. Although WordPress isn’t perfect, its security problems are usually self-inflicted: lousy permissions, poorly coded plugins, outdated installations that never see an update in their lifetime, you name it. So, if you haven’t already, promise yourself that today you’ll be thinking not about how dynamic and cool your WordPress site looks, but about how safe you are making it for your readers.

Folders Permissions

Let me get this off my chest; I really need to: please STOP chmod’ing folders to 777 now. It doesn’t matter if you’re a developer. For one, you shouldn’t be developing on your production box, and even if you are, there is absolutely no feasible reason to let the entire world read, write and execute anything in one of your public folders. – I’m relieved now, thanks!

644 file permissions and 755 folder permissions are almost always all you need.

No shell for WWW-DATA user

Did you notice how the hacker was able to get a www-data shell when the Linux Mint website got hacked? I was really saddened to read about it… anyway, make sure no shell is ever available to the www-data user:

grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Webserver and PHP process user

Do you run sites on your own VPS or Dedi box? AWESOME! – (I’m a BuyVM VPS customer myself.) You’re in control! But you need to start isolating those websites and stop being lazy.

Again, did you notice how the hacker compromised the Linux Mint main site (WordPress) and then also got a full forum database dump? The chances of this happening would have been greatly reduced if those sites had been running under separate processes!

If you’re hosting your own sites (at least a few of them) on a single server, please make sure to look at suexec, an Apache web server feature that allows users to run CGI and SSI applications as a different user (normally, all web server processes run as the default web server user), and isolate your sites on a per-user basis.

For Nginx, PHP is executed through FastCGI, and the FastCGI process itself must run under its own user account, which is what gives you the per-site isolation.

This is how I do it in Nginx + PHP-FPM (keep in mind I’m lazy too):

# Add a new user (user1) to run domain.com website
sudo useradd -d /var/www/domain.com -s /bin/false user1
# create the site directory
cd /var/www
sudo mkdir -p domain.com
# assign owner permissions to the domain.com folder
sudo chown -R user1 domain.com
sudo chgrp -R www-data domain.com
# and if you already have 'domain.com' folder created:
cd /var/www/domain.com
sudo find . -type d -exec chmod 750 {} \;
sudo find . -type f -exec chmod 640 {} \;
cd /var/www
sudo chmod g+s domain.com
sudo chmod o-wrx /var/www/domain.com -R

Make sure Nginx is running under the www-data user:

grep user /etc/nginx/nginx.conf
user www-data;

In PHP-FPM it is rather easy to create pools to isolate processes. Create a new pool file under /etc/php5/fpm/pool.d/ and configure it accordingly (one pool per site, each running as that site’s user).

; pool file: /etc/php5/fpm/pool.d/domain.com.conf (you need to create a pool for each site)
[domain.com]
; PHP process user and group (the default pool runs as www-data; run this site as its own user instead)
user = user1
group = www-data
...
; keep PHP scripts from reading anything outside the site tree (and /tmp for sessions/uploads)
php_value[open_basedir] = /var/www/domain.com:/tmp
...
; the rest of the configuration (listen, pm.* settings, etc.) goes here
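To re-check a site after going through the steps above (no login shell for the web user, the 640/750 ownership layout, and a pool that runs as its own user with open_basedir), here is a small audit script. It is an added example, not part of the original post; it assumes GNU find and an ini-style pool file, and the file names passed to it are whatever you choose.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes GNU find/awk/sed.

# no_login_shell PASSWD_FILE USER -> 0 when USER's shell is nologin or false
no_login_shell() {
    _sh=$(awk -F: -v u="$2" '$1 == u { print $NF }' "$1")
    case "$_sh" in
        */nologin|*/false) return 0 ;;
        *) echo "$2 has login shell '${_sh:-<none>}'"; return 1 ;;
    esac
}

# audit_tree DIR OWNER GROUP -> prints offenders; 0 if clean, 1 otherwise
# Any bit in the "other" class means the whole world can read, write or
# traverse that path, which is exactly what chmod 777 hands out.
audit_tree() {
    _bad=$(find "$1" -perm /o+rwx -printf 'world-accessible: %p\n' \
                  -o ! -user "$2"  -printf 'wrong owner: %p\n' \
                  -o ! -group "$3" -printf 'wrong group: %p\n')
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad"
    return 1
}

# audit_pool POOL_FILE WEB_USER -> prints findings and returns their count
# Flags a pool that still runs PHP as the web server user (no isolation),
# as root, with a malformed "user =" line, or without open_basedir.
audit_pool() {
    _user=$(sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1)
    _n=0
    case "$_user" in
        *[[:space:]]*) echo "$1: malformed user line '$_user'"; _n=$((_n+1)) ;;
        ""|"$2"|root)  echo "$1: PHP runs as '${_user:-<unset>}', no isolation"; _n=$((_n+1)) ;;
    esac
    # accept php_value or php_admin_value (the latter cannot be overridden by scripts)
    grep -q '^[[:space:]]*php_\(admin_\)\{0,1\}value\[open_basedir]' "$1" \
        || { echo "$1: open_basedir not set"; _n=$((_n+1)); }
    return $_n
}
```

Run it as, for example, `no_login_shell /etc/passwd www-data && audit_tree /var/www/domain.com user1 www-data && audit_pool /etc/php5/fpm/pool.d/domain.com.conf www-data`; a silent run with exit status 0 means the layout still matches the recipe.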

Webserver security

There is an array of things to discuss here and honestly, opinions are like butts – we all have one. I honestly believe there is a misconception when it comes to Web Application Firewalls versus server firewalls. Case in point: read online about setting up a webserver on your new cool VPS; you’ll find a million guides mentioning how important it is to deploy a server firewall and open only the service ports – usually 22 (default SSH port) and ports 80 and 443 for your webserver traffic… and this is “fine”! But a Web Application Firewall for your webserver is a topic that many times is not even mentioned. When was the last time a website was compromised through a port other than 80 or 443, the default ports the web services run on? Basically, if you go through the trouble of hardening a server and limiting service ports only to leave the webserver completely open to fend for itself, you’re doing it wrong! Let’s see… what is needed to conduct, for example, an SQL probing and injection attack?… ermm… Surprise, surprise!… a web browser with an internet connection to the target site! Make no mistake, while a server firewall is really important and helps to mitigate some attacks, you should seriously consider a Web Application Firewall, whether it is mod_security, Naxsi or a third-party cloud service.

Encryption

Do your visitors a HUGE favor and start using all those terrific tools open-source software puts at your disposal! What’s preventing you from encrypting your WordPress site’s communications? Just do it! Start using secure cookies and limiting their scope to reduce the risk of session hijacking. How about CSP (Content Security Policy) to prevent cross-site scripting (XSS), clickjacking and other code injection attacks? These are all things that take literally minutes to implement, and your visitors will be a lot safer when visiting your site.
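To see whether your site actually sends the protections just mentioned, here is a small header check you can feed with `curl -sI https://your.site/ | audit_headers`. It is an added example, not part of the original post; it looks for HSTS (so browsers stop accepting plain HTTP), a Content-Security-Policy header, and the Secure and HttpOnly flags on every cookie, and the sample response it ships with is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audits response headers read
# from stdin for HSTS, CSP and cookie flags. Returns the number of findings.
audit_headers() {
    # drop CR line endings and lowercase everything so matching is simple
    _h=$(tr -d '\r' | tr 'A-Z' 'a-z')
    _f=$(
        printf '%s\n' "$_h" | grep -q '^strict-transport-security:' \
            || echo 'missing Strict-Transport-Security (browsers will still accept plain HTTP)'
        printf '%s\n' "$_h" | grep -q '^content-security-policy:' \
            || echo 'missing Content-Security-Policy (no XSS/clickjacking containment)'
        # every Set-Cookie must carry both attributes; they appear as "; secure" / "; httponly"
        printf '%s\n' "$_h" | grep '^set-cookie:' | while IFS= read -r c; do
            _name=${c#set-cookie:}; _name=${_name# }; _name=${_name%%=*}
            printf '%s' "$c" | grep -qE ';[[:space:]]*secure[[:space:]]*(;|$)' \
                || echo "cookie '$_name' lacks Secure (would also be sent over plain HTTP)"
            printf '%s' "$c" | grep -qE ';[[:space:]]*httponly[[:space:]]*(;|$)' \
                || echo "cookie '$_name' lacks HttpOnly (readable by injected script)"
        done
    )
    [ -z "$_f" ] && return 0
    printf '%s\n' "$_f"
    return $(( $(printf '%s\n' "$_f" | wc -l) ))
}

# Constructed sample response: HSTS present, CSP missing, one cookie fully
# flagged and one session cookie with neither flag (3 findings expected).
sample_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Strict-Transport-Security: max-age=31536000\r\n'
    printf 'Set-Cookie: wordpress_logged_in_deadbeef=alice; Path=/; Secure; HttpOnly\r\n'
    printf 'Set-Cookie: PHPSESSID=abc123; Path=/\r\n'
    printf '\r\n'
}
```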

WordPress Security Plugins

There is a vast collection of plugins available for WordPress. While assuming that a plugin will take care of your WordPress site’s security is “short-sighted” at best, it will definitely make a difference for those limited to shared hosting services or for users who do not have the skills required to get on a terminal and harden a site. Please take a look at All In One WP Security & Firewall and use it; it is especially useful if you’re running an Apache webserver.

Ok, I’ll leave it there for now. I think I’ve ranted quite a bit already. Do you think that sharing a few installation tips, starting all the way from the webserver stack on a VPS up to deploying and securing a WordPress install, will help you? If so, please leave your comment below.
