Harden WordPress

Overview
If your WordPress site's been hacked, see this wiki. The process of hardening WordPress is not hard or complex; it just requires that you be somewhat versed in being a webmaster or webmistress, understand what your exposures are, and know how to minimize the risks of running WordPress on your own website. Generally the risk is hackers entering your blog by one of two routes: cracking a login, or inserting code through a WordPress bug, usually in a theme or plugin. The latter, code insertion, can come from installed but unused WordPress themes or plugins. WordPress is written in a programming language called PHP, which runs on your server and creates the HTML pages your users see in their browsers. WordPress itself is free, and its source code is readily available: this is both good and bad, since hackers can study the open source and look for vulnerabilities. The older the code, the more vulnerable it is, hence the need to keep WordPress up to date. One of the greatest parts of WordPress is the ability to pick themes; however, you’ll generally only use one theme, and any unused theme can be targeted by hackers to invade your website. This is how many DreamHost customers were invaded: through a file called ‘timthumb’ in an unused theme, which was not updated (since you only update the general themes, not necessarily each component). So, you’ll need some basic tools for understanding your own website, updating files, and checking on your website; then we’ll have a checklist of things to install on your site to make WordPress much more secure than before.

Tools
You’ll need two major tools: an FTP tool (with support for SFTP) to upload and download files to and from your website, and a terminal tool which allows you to ‘login’ to your website and check it out. This ‘login’ is different from logging into your WordPress site as a WordPress user. Familiarize yourself with creating an SSH session to your actual website and look around. If you don’t have an FTP tool, search for FileZilla, download it and install it. If you’re a Mac user, you already have a terminal application: go to the Applications folder, open the Utilities folder, and you can launch the application ‘Terminal’.

Working with Panel on your DreamHost Account
DreamHost allows account holders to create as many free users as you want. By enabling Enhanced Security on these users, we create space for an application that cannot, by default, be accessed by anyone else on the shared host. If you have 5 domains and one user for all 5 domains, then any breach in one domain will cascade to your other domains. The way to keep these separate is to create one user for each application on each website. So if I want to create "www.mygreatnovel.com" and I want BOTH a WordPress site and a phpBB bulletin board, I would create three users:
 * user: mygreatnovelroot   web directory: mygreatnovel.com
 * user: mygreatnovelwp     web directory: mygreatnovel.com/blog
 * user: mygreatnovelbb     web directory: mygreatnovel.com/bb
This segments the applications, and a breach in phpBB will not affect the WordPress install, assuming that all three users have Enhanced Security enabled.

Log in to the panel at panel.dreamhost.com and go to the ‘manage users’ tab, and if you haven’t done so already, add a new user:

You’ll see this screen:



So create a unique username and, MOST importantly, pick a strong password. Make sure Enhanced Security is enabled, and add the user.

When you add a user, it will take 10 minutes for this user to become active. One of the security challenges with these user accounts is FTP. FTP is an old file transfer protocol which sends passwords in the clear. Most FTP programs support SFTP, which is a secure upgrade. To force administrators of your website to use SFTP, you should turn off vanilla FTP. Go back to manage users and edit the user:



Notice the checkbox ‘Disallow FTP’; this will force all FTP users to use SFTP.

If you want to create different users for your mygreatnovel site, go to the tab ‘manage my domains’. Using the example before, have the domain mygreatnovel.com linked to the user mygreatnovelroot, then create two subdomains, blog.mygreatnovel.com and bb.mygreatnovel.com, and have them point to the other two users.

We’ve covered the panel issues of multiple users, Enhanced Security and disallowing FTP; next you need to familiarize yourself with WordPress on your website.

Tour of Your Wordpress Website on Dreamhost
Understanding how your website is constructed from files and directories on DreamHost is a critical factor in your success in creating a robust, hardened website. This assumes you’ve already installed WordPress through the panel. Log in to your DreamHost user using a terminal application, like the Mac OS X Terminal. After you bring up your terminal application, type ‘ssh user@website.com’, where user is the user you created in the panel and website.com is your website. You'll be asked for a password.

After you login type the unix ‘ls’ command and you’ll see at least two directories:

1. website.com – this is where users go when they type 'www.website.com'. By default the web server looks for a file called index.something, where something is .html for HTML, .php for a PHP file, or .pl for Perl. If you have WordPress installed in the root of the website, you will see a file called index.php for WordPress.
2. logs – this is where DreamHost keeps its log files. Any request made to your website will be logged, and if a system error occurs it will be logged.

Log Directories
Let’s start by looking at the logs subdirectory. On Unix the way to change directories is with the cd command, so type ‘cd logs’ to change to the logs subdirectory. Now look around by typing ‘ls’. You’ll see one or more website directories, depending on how many websites this user is associated with. Now look in each website directory by changing into it: type ‘cd mygreatnovel.com’, or whatever your website is called, then get a list of files by typing ‘ls’. You should see a directory called ‘http’, so type ‘cd http’ and get a list of files by typing ‘ls’. You should see something like this:



What you’ll have is a list of access logs and error logs. access.log and error.log are always TODAY, from about midnight. access.log.0 and error.log.0 are YESTERDAY, a 24 hour period. DreamHost keeps about a week of log files. Let’s look at an access log: type ‘more access.log’. The more command gives you one screen’s worth of entries at a time; to quit the more command type either q or c. What you’ll see on each line is:
 * IP address of the person who is accessing your website
 * Two dashes (- -)
 * An elaborate time and date entry
 * The request, starting with GET, POST, or HEAD. For WordPress, you’ll see that someone typing "mygreatnovel.com" can cause 10-50 entries in the access log, as the working parts of WordPress get loaded in a series of requests. To play with this, use the tail command together with a browser. Google 'find my ip address' and look at a website that lists your own IP address (write it down). Now go to your website and look at it. From the terminal type ‘tail -40 access.log’ and you can see yourself looking at your own website.
 * After the request comes the HTTP status: 200 is normal, 403 is denied
 * Next comes the size of the transfer
 * Then who referred the user here
 * Finally the user’s agent, either a bot or a browser

Now, let’s look at an error log. It may not have anything in it, but type ‘more error.log’ and take a look. You’ll see the elaborate date and time followed by some error. The error log is sometimes your first indication of bad behavior. DreamHost has a set of security constraints that, if users violate them, show up in the error log. Oftentimes my first indication of a bad user is in the error log.

Most logs are thousands of lines long, so to summarise the log requests, see an example here.
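The kind of summary that sentence refers to, as an added example rather than anything from the DreamHost wiki: a few shell functions that boil an access log down to requests per IP, POSTs to wp-login.php per IP (a burst there is a password-guessing run), and a count of each HTTP status. The log lines are constructed for the example (80.165.154.119 is the address the page uses; the others are documentation addresses), and the combined log format is the one described in the list above.

```shell
#!/bin/sh
# Added example (not from the DreamHost wiki): summarise an Apache-style
# access.log so that password-guessing runs against wp-login.php stand out.
# Assumes the combined log format described above: client IP, "- -",
# [date], "METHOD path HTTP/x", status, bytes, "referer", "user agent".

# Constructed sample log for a stand-alone run; on the server you would
# point the functions at ~/logs/mygreatnovel.com/http/access.log instead.
SAMPLE_LOG='80.165.154.119 - - [12/Mar/2013:01:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
80.165.154.119 - - [12/Mar/2013:01:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
80.165.154.119 - - [12/Mar/2013:01:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:01:10:00 +0000] "GET / HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:01:10:01 +0000] "GET /wp-content/themes/twentyten/style.css HTTP/1.1" 200 2311 "http://mygreatnovel.com/" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2013:02:00:00 +0000] "GET /?s=http://example.net/ HTTP/1.1" 403 219 "-" "libwww-perl/6.03"
198.51.100.9 - - [12/Mar/2013:02:00:01 +0000] "GET /wp-content/ HTTP/1.1" 403 219 "-" "libwww-perl/6.03"'

# Write the constructed sample to FILE so the functions below can be tried.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Requests per client IP, busiest first ("count ip" on each line).
requests_per_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# POSTs to wp-login.php per IP: field 6 is the quoted method, field 7 the path.
login_posts_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Responses by HTTP status (field 9); 403s are .htaccess rules doing their job.
status_counts() {
    awk '{ n[$9]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# The single IP with the most wp-login.php POSTs (empty if there were none).
top_login_attacker() {
    login_posts_per_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone use: sh wplog.sh ~/logs/mygreatnovel.com/http/access.log
if [ -n "$1" ] && [ -f "$1" ]; then
    echo "== requests per IP";       requests_per_ip "$1" | head -n 10
    echo "== wp-login.php POSTs";    login_posts_per_ip "$1" | head -n 10
    echo "== status codes";          status_counts "$1"
fi
```

Run it against yesterday's file (access.log.0) as well: a troll that hammered wp-login.php overnight shows up at the top of the second list.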

Now let’s look at WordPress. To start we can issue a series of directory changes up one level (the command is ‘cd ..’, where .. means the directory above), or we can return to the home directory (the user root directory) by typing ‘cd $HOME’ (or just ‘cd’).

Website and Wordpress Root Directories
From the user root directory, type ‘ls’ and you’ll see the two entries again, the website directory and the logs directory; let’s look at the website directory. Use the change directory command to go down into it: type ‘cd mygreatnovel.com’, or whatever the website name is.

Now, some files in this directory are ‘hidden’ and most are ‘displayable’; to see all the files in the directory type ‘ls -a’. Files that begin with a period ‘.’ are hidden; you should see a file called .htaccess. This file controls who has access to your website and what they can see and do on your site. Next we are going to look at a full list of files: type ‘ls -al’. Here is an example:

The first column is the type and permissions (the drwxrwxr-x gobbledygook), then the user (the actual DreamHost account owner), then size, date, time and name. Directories have ‘d’ at the front; you’ll find a pile of WordPress files in each directory that begins with ‘wp-’. So here we see a number of PHP programs in the website root like wp-login, wp-rss, wp-register, etc. These programs can call other PHP programs; wp-includes is full of other ‘helper’ programs. Let’s look in wp-content: type ‘cd wp-content’ and then ‘ls -l’. You’ll see three important directories: ‘plugins’, where each plugin is kept; ‘themes’, where each theme is kept; and ‘uploads’, where media files are uploaded. Look around: type ‘cd directoryname’, ‘ls -l’, and ‘cd ..’ to return to this level.

Now you have a feeling for how things are actually stored on your website and the structure of your website.

Hardening Wordpress itself
Start by logging in. If you don’t have the link on your webpage (which you probably should not), go to mygreatnovel.com/wp-login.php and you’ll initiate the login sequence. Log in as your admin user.

Use a Strong Password
Utilities exist that allow hackers to load a password file and check your password against 1000's of existing passwords. Using a dictionary word or a common first name is not secure. Replacing an 'E' with a '3' or an 'O' with a '0' is also known to the hacker community. You want a special character, at least 1 uppercase letter and no dictionary words; it would take an automated program days to crack a 15 character password. A strong password combined with plugins like 'Limit Login Attempts' will keep most trouble at bay.

Adding a Named Admin user and Deleting the user named 'admin'
If your admin user is named ‘admin’, please create a new user with some other name, presumably your own, and give it admin privileges. After you have confirmed that this account works, log in as this account, return to the left hand Users tab and delete the account ‘admin’. A few times a month a password cracking troll will come by and take 1500 attempts at your username and password; the user ‘admin’ is the most commonly attacked, so get rid of it. Speaking of that, make sure you use a ‘strong’ password in WordPress. Easy passwords are usable, but you might find yourself cleaning up a mess created by a simple password and the hacker's ability to find it. Because WordPress transmits its passwords in the clear, you should create a second account as an author and use that one for the bulk of your submissions; this leaves the admin account only for when you have admin work to do.

Removing old themes
Now go to the left hand tab that says 'Appearance' and click on the sub-bullet ‘Themes’. You should have a current theme. Write down which theme you're using in a safe place in case you need to totally rebuild your website. Under the heading on this page ‘Available Themes’ you should also see your theme. See any other themes? DELETE THEM! Each of the many PHP files in each theme is a gun being held to your head; any one of these files could be the next PHP program to be tampered with, EVEN IF YOU'RE NOT USING IT!!!

Removing unused plugins
After cleaning up themes, let’s clean up plugins. Go to the ‘Plugins’ tab and click on 'Installed Plugins'. Are there plugins that are not active? Do you not use them? DELETE THEM! Again, this is more PHP code lying around that can be exploited even if you're not using the plugin.

Installing Secure Plugins
There are four generic security issues to solve with plugins; let's look at each issue:
 * Comment and trackback spam
 * Slowing down password crackers
 * Reliably backing up your database
 * Being notified of file changes on your website

Comment and Trackback Spam
One of the quickest ways to destroy your credibility as a WordPress blog is to have tons of spam in the comment areas. The easy way to solve this is with the Akismet plugin. It costs money for a commercial website. Install and enable it; you'll need to get a key to enable the plugin.

Slowing down password crackers
About 10% to 25% of the trolls playing with WordPress are tampering with wp-login in some form or another. You're looking to install something that hinders password cracking, the automated attack on wp-login with 1500 attempts in 30 seconds. Limit Login Attempts and Login Lockdown are two plugins which limit the number of automated attempts to log in to your site. Login Lockdown hasn't been updated for a while, and Limit Login Attempts gives you more tools to do the same job; however, Limit Login Attempts seems to use more memory. You should have some form of password cracker protection, so experiment with both.

Backing up your database
You should be the master of your database backup, not DreamHost: they keep a few days of backups, but you might have been hacked last month, so all you would have is a compromised backup. The Wp-backup plugin will email you a database backup every week, or however often you want one. If you get hacked, having a non-compromised backup to recover to is easier than having to rebuild the broken database.

File Change Notification
When a hack occurs, usually a PHP program is modified, then a series of files are changed. What you'd like is a plugin which emails you when files change. WordPress has a plugin called File Monitor Plus. It will record ANY change to ANY file under your website root.

Deleting Compromised Plugins
Any time you put a plugin or a theme in your WordPress, spend a few minutes and do a little research. Secunia puts out WordPress advisories (see Secunia for more info); just search for your plugin or theme and see if it is in danger. Also assess whether the plugin is being actively updated. When you go to the plugin site, are forum questions being answered? The problems with ‘timthumb’ were found 8 months before many DreamHost customers were compromised. Customers were attacked for over a month, and are probably being attacked today with the same hole in timthumb. Even plugins that you think you know, like the ones just recommended, should be re-confirmed. Once every few months, check your plugins and your theme for ones that are no longer supported, find new ones that are supported, and delete the old ones!

Securing your Site from general badness
The internet is a superhighway with some bad exit ramps. You will have trolls probing your site for WordPress weaknesses. You can gain knowledge of tools and techniques for dealing with trolls.

Editing .htaccess File
Your .htaccess file at the base of your website root can solve lots of problems; it is the filter between what users can do and see and your website. Inserting a few commands will go a long way toward making the hacker either do way more work or be unsuccessful altogether.

Best Wordpress Overall Addition
Perishable Press has created a set of .htaccess commands specifically for WordPress users that filter out many trolls with bad behavior: the Perishable Press blacklist. This is Perishable Press's 2013 5th Generation blacklist; check their site for newer editions. It will catch many common trolls who are stealing bandwidth and trying to find exploits.

Index Browsing
By default your website allows users to see an index of the files you have on your site: type http://mygreatnovel.com/? in a browser and see if you get a list. If you do, you're making it really easy for a troll. Let’s turn that off. With your FTP tool, download the file .htaccess to your local computer and edit it (you may have to set a checkbox that says ‘see hidden files’).

You may find it already has commands (WordPress pretty urls places commands into .htaccess). Add to the end of the file:



So the # is a comment and the command is ‘Options All -Indexes’. Your trolls are now blind (they can't find a file list) and have to stumble around in the dark looking for things.

Eliminating access to critical files
This file should NEVER be accessed from the web: wp-config.php is where your database password is stored.



Eliminating HTTP insertions
This comes from wpsnipp and it eliminates the ability to inject an =http into a command on your website:



Banning individual users
To eliminate a specific IP address from using your website you could add the following code, which bans, say, IP address 1.2.3.4:



Generally this process is probably a fool's errand, in that most bad IP addresses are being controlled by someone else, and there is an almost infinite supply of these addresses that trolls use at will. So stopping one is like a finger in a dike with a 10 foot breach. The best approach is to protect against the kind of exploit, with clever command sequences like the one above from wpsnipp. That way the intention is foiled.
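The four .htaccess additions above (no index browsing, no web access to wp-config.php, refusing =http in a query string, and banning one address), gathered into a script you can run from your SSH session. This is an added example, not the wiki's or wpsnipp's own snippet: the =http rule is my reconstruction of the idea described above, the access-control lines assume Apache 2.2 syntax (Order/Allow/Deny, which DreamHost used at the time; Apache 2.4 would use Require instead), and 1.2.3.4 stands in for whatever address you actually traced.

```shell
#!/bin/sh
# Added example (not from the DreamHost wiki): append the hardening rules
# discussed above to a site's .htaccess, keeping a timestamped backup and
# refusing to add them twice. Assumes Apache 2.2-style access control.
MARKER='# --- WordPress hardening rules ---'

# Print the rules block. $1 is the single IP to ban (1.2.3.4 placeholder).
hardening_rules() {
    ban_ip=${1:-1.2.3.4}
    printf '%s\n' "$MARKER"
    cat <<'EOF'
# No directory listings: visitors cannot browse for stray files
Options All -Indexes

# wp-config.php holds the database password; never serve it from the web
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Refuse any request whose query string carries "=http" (remote-file injection)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} =http [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Ban one abusive address (trace it with nslookup/whois first)
EOF
    printf 'Order allow,deny\nAllow from all\nDeny from %s\n' "$ban_ip"
}

# Return 0 if FILE already carries the rules (marker present), 1 otherwise.
already_hardened() {
    [ -f "$1" ] && grep -qF "$MARKER" "$1"
}

# harden_htaccess FILE [IP]: back up FILE if it exists, then append the rules
# unless they are already there. Prints "added" or "skipped".
harden_htaccess() {
    file=$1
    if already_hardened "$file"; then
        echo skipped
        return 0
    fi
    [ -f "$file" ] && cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    hardening_rules "$2" >> "$file"
    echo added
}

# Stand-alone use: sh harden-htaccess.sh ~/mygreatnovel.com/.htaccess 1.2.3.4
if [ -n "$1" ]; then
    harden_htaccess "$1" "$2"
fi
```

Existing WordPress pretty-permalink rules are left untouched because the block is appended after them; reload the site afterwards and confirm you still get pages rather than a 500 error.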

Permission Check on Directories
When you look at a full ‘ls’ listing (i.e. ‘ls -al’) the permissions are the 10 characters at the beginning of the line: ‘d’ or ‘-’ followed by 9 characters. ‘d’ is for directory and ‘-’ means regular file. The next nine characters are actually 3 sets of 3. The first three are rwx for the person who owns the file, so r is read, w is write and x is execute (a program); the next three are the same rwx for the group, and finally the world rwx. The ‘w’ at the end is CRITICAL. It should never be set on ANY directory in WordPress, because it means a troll can add a program and run it. BLAH! This should not happen, but understand that if you’ve been hacked you may need to fix your directory permissions. Google the ‘chmod’ command. To check whether any directories in your user root directory (or below) let anyone add files to your website, log in to your user with SSH and type 'find . -type d -perm -o=w'. If no output is returned you are OK: you have no directories that can be written by anyone. If you see a directory listed, you need to change its permissions. You should also check to see if you've been hacked. For more information about file permissions see the DreamHost wiki page File Permissions.
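The check above, widened to cover world-writable files as well as directories and paired with the chmod step the text tells you to look up. This is an added example, not from the wiki; it assumes the standard find and chmod on a DreamHost shell and takes the website root as its first argument.

```shell
#!/bin/sh
# Added example (not from the DreamHost wiki): audit a WordPress tree for
# anything the whole world may write to, and optionally strip that bit.
# Usage: sh perms.sh ~/mygreatnovel.com        (report only)
#        sh perms.sh ~/mygreatnovel.com fix    (report, then chmod o-w)

# Every directory or regular file under ROOT that anyone may write to.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -o=w -print | sort
}

# Number of world-writable entries; 0 means the tree is clean.
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Remove the world-write bit from everything world_writable reports and
# print how many entries were changed. Owner/group bits are left alone so
# WordPress (running as your user) can still write to uploads/.
fix_world_writable() {
    changed=$(world_writable_count "$1")
    find "$1" \( -type d -o -type f \) -perm -o=w -exec chmod o-w {} +
    echo "$changed"
}

if [ -n "$1" ]; then
    world_writable "$1"
    if [ "$2" = fix ]; then
        echo "fixed $(fix_world_writable "$1") entries"
    fi
fi
```

If the report lists wp-content/uploads or a theme directory, treat that as a sign to check the site for tampering as well, not just to fix the bits.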

Looking at log files
From time to time it’s useful to look at your log files. This gives you a real understanding of how your website is operating and who is doing weird things to it.

The Error log often has good things to say about bad things happening. This should be checked maybe every day, or at least once a week.

Tracking Down IP Addresses
So you found someone at 80.165.154.119 who tried to log in 340 times. Who is this person? Back in a terminal session, you can use the nslookup command to see what its DNS name is: type ‘nslookup 80.165.154.119’. See here:



What we find is that there is no domain name associated with this address. That’s not in itself unusual; many internet connections do not have DNS entries for every IP address. Let’s go to the next level and look at whois: type ‘whois 80.165.154.119’. Here’s what we find:



So we know it’s from Denmark. Do we know anything else? No. If you're banning individual IP addresses, MAKE SURE you trace them like this. Google and MSN wander into places on your website that may look strange. Don’t ban Google unless you don’t want to be seen by others! Facebook referrals currently have no DNS name when you use nslookup; you need to look at whois to find out it's Facebook!

Combining User Lookup with Log Lookup
If you suspect something weird with a specific IP address, you can change to the log directory and search for that address. So starting from the user’s home directory (type ‘cd $HOME’, or just ‘cd’), go to the log directory by typing ‘cd ./logs/mygreatnovel.com/http/’, then type “grep ‘1.2.3.4’ access.log”; this will give you all occurrences of IP address 1.2.3.4 in today’s log.

Eliminating Old Website Cruft
Did you test-install an old payment system? Add a bulletin board or an old photo gallery that's no longer in use? Each open source package grows in risk over time. If it's not being used, delete it, or add an .htaccess that allows only you to see the files.

Conclusion
Dreamhost is a secure place for cruft free WordPress websites that are up to date and hardened against common forms of attack.