How to Secure WordPress Installation – Hardening Best Practices on Linux
How to Secure WordPress Installation – Hardening Best Practices on Linux. Learn how to secure WordPress with these WordPress hardening tips for sites hosted on Linux servers. This tutorial uses Ubuntu 21.04.
Table of Contents
The days of WordPress as just a blogging tool are long gone. It has since evolved into a full blown CMS and a full blown enterprise website. It’s popularity is largely due to the fact that it’s free and easy to use and a massive ecosystem. Not only it provides support to all skill levels, but also the means to extend the CMS with custom functionality by way of plugins.
While WordPress is secure out of the box any modifications, plugins, themes and custom code increases the CMS’s attack surface. To this end, the WordPress Performance Team has proposed a new tool that will check plugin/custom code against best practice guidelines.
But even with such a tool in hand, if you’re running WordPress on a Linux machine (dedicated or virtual), it’s good practice to harden your WordPress installation. This is to protect your information and to avoid crippling fines and to maintain visitor trust. Let’s get started with how to secure WordPress installation- hardening Best Practices on Linux.
How to Secure WordPress Installation - Hardening Best Practices on Linux.
Disable XML-RPC
XML-RPC was created to facilitate connection to your WordPress blog, typically via mobile phone. Useful back in the day when internet connections were slow, it has since become more of a nuisance used by threat actors for brute force attacks. Follow these steps to block access to XML-RPC:
Step 1: Open .htaccess in your website’s root directory:
sudo nano /var/www/html/.htaccess
Note: Replace ‘html’ with your site’s directory name
Step 2: Add the following code to the top of your .htaccess file:
# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
If you’ve done a bit of research already, you’ll have seen many websites suggesting adding the following line of code to a plugin file, or optionally to functions.php in your /wp-content/themes directory:
add_filter('xmlrpc_enabled', '__return_false');
However, as security consultant Scott Brown notes, this method is ineffective since it only blocks “authenticated XML-RPC methods, not all XML-RPC methods”.
Disable the file editor
With WordPress it is easy to edit your theme’s files from within the admin dashboard. You can see it in action at Appearance > Theme file editor. While convenient for quick changes or when you don’t have access to a terminal, it’s also a major security risk since it allows anyone with the necessary privileges to make changes to theme files and gain access to all your information.
Step 1: Open wp-config.php file in your site’s root directory:
sudo nano /var/www/html/wp-config.php
Step 2: Add the following code to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true );
Disable file and plugin management
We can take the previous step a bit further by disabling file and plugin management in the WordPress dashboard. This is useful when, for example, a threat actor has somehow gained admin access to your WordPress dashboard, since it prevents the modification of theme files or malicious plugins from being uploaded. At the same time, it also prevents users from uploading themes and plugins which could either harm the site or introduce vulnerabilities.
DISALLOW_FILE_MODS constant is set to true in wp-config.php, theme installation and updates, plugin installation and updates, as well as the file editor functions are removed from the dashboard. Note: When theme, plugin, and file functions are removed from the dashboard, you’ll have to use the WordPress CLI as a substitute to accomplish these tasks. Learn more about the WP CLI at wp-cli.org.
Step 1: Open wp-config.php file in your site’s root directory:
sudo nano /var/www/html/wp-config.php
Step 2: Add the following code to your wp-config.php file:
define('DISALLOW_FILE_MODS', true );
Prevent user enumeration
User enumeration refers to a process by which threat actors can determine valid WordPress users. With a valid username, attackers can attempt to brute force their way into your WordPress site.
You can easily test user enumeration on your site: add /?author=1 to your website address. For example https://yourdomain.com/?author=1
If users can be enumerated on your site, you’ll see the username corresponding with the user ID, along with all posts by that user. With the use of a script, the user ID can be incremented automatically to get a list of all users on the WordPress site.
Step 1: To prevent user enumeration, open the .htaccess file in your site’s root directory:
sudo nano /var/www/html/.htaccess
Step 2: Add the following code to .htaccess
# Prevent user enumeration
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule (.*) $1? [L,R=301]
Disable expose_php
Reducing the amount of sensitive information freely available about the software powering a WordPress site can help reduce the potential for an attack.
Type the following in a terminal window:
curl –head https://www.yourdomain.com
Here’s the output of a server with expose_php enabled:
HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:09:39 GMT
Server: Apache/2.4.46 (Ubuntu)
X-Powered-By: PHP/7.4.16
Link: ; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
sudo nano /etc/php/7.4/apache2/php.ini
expose_php (around line 379 on my system) and set it to off:
expose_php = Off
Then, restart Apache:
sudo systemctl restart apache2
Now when we run the curl command again, we get:
HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:17:11 GMT
Server: Apache/2.4.46 (Ubuntu)
Link: ; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
Disable the Apache server signature
When you look at the output of the curl command above, you’ll notice that it still reveals the Apache2 version, as well as our server’s operating system. Just like the PHP version number, that’s information we’d like to hide from attackers. We can achieve this by making a small change to the Apache2 security configuration file.
Step 1: Open the security.conf file:
sudo nano /etc/apache2/conf-enabled/security.conf
ServerTokens to Prod
ServerTokens Prod
Step 3: Find and change ServerSignature to Off
ServerSignature Off
Step 4: Save and close the file, then restart Apache2:
sudo systemctl restart apache2
Now when we run our curl command, we get the following output:
curl --head https://www.yourdomain.com
HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:31:29 GMT
Server: Apache
Link: ; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
Remove WordPress version information
Above we’ve hidden information about our PHP version, Apache2 version, and our operating system. But what about our WordPress version? Removing WordPress version information can help protect against version targeted attacks. A possible use case is being unable to perform a WordPress upgrade due to potential compatibility issues. Or, you just haven’t gotten round to it yet.
We can find the WordPress version of a site by opening the site and then viewing the source of the site (CTRL+U). Press CTRL+F and search for ‘WordPress’. Alternatively, download your site’s feed file by appending /feed to your site’s URL, e.g. https://www.yourdomain.com/feed. Open the downloaded file in a text editor, where you’ll see this line:
https://wordpress.org/?v=6.0.1
functions.php. functions.php in your theme directory:
sudo nano /var/www/esque/wp-content/themes//functions.php
Step 2: Add the following code:
/** Remove WP Version Info **/
function remove_wp_version() {
return '';
}
add_filter('the_generator', 'remove_version_info');
Now when you check your site’s source or feed file, you’ll see that the WordPress version number has been removed.
WP Cloud SSO plugin for WordPress
Take the security of your WordPress site to the next level with our WPCloud SSO plugin.
- Secure your WordPress logins with WP Cloud SSO. It is a WordPress SSO Single Sign On.
- Login to WordPress (WP) using Azure AD, Azure B2C, Okta, ADFS, Keycloak, OneLogin, Salesforce, Google Apps (G Suite), Shibboleth, Ping, Auth0 and other IdPs.
- SAML SP (Service Provider) that establishes a trust between our WordPress SSO plugin and IDP to securely authenticate and enable SSO.
- WordPress Single Sign On.
- Protect Your Website with auto redirect to IdP.
- Apply it in WordPress multiple Environments Support and Migration (Dev, Staging, Prod).
Thank you for reading How to Secure WordPress Installation – Hardening Best Practices on Linux. Time to conclude.
How to Secure WordPress with WordPress Hardening Best Practices Conclusion
Implementing these hardening best practices on Linux will help shrink the attack surface of your WordPress website. Installing an intrusion prevention package like fail2ban and a WordPress security plugin like Wordfence will go a long way to complement your CLI efforts, and help keep your WordPress installation safe.
Please take a look at our WordPress content here.
