How to Secure WordPress Installation – Hardening Best Practices on Linux. Learn how to secure WordPress with these WordPress hardening tips for sites hosted on Linux servers. This tutorial uses Ubuntu 21.04.
The days of WordPress as just a blogging tool are long gone. It has since evolved into a full-blown CMS that powers enterprise websites. Its popularity is largely due to the fact that it is free, easy to use and backed by a massive ecosystem: it caters to all skill levels and lets you extend the CMS with custom functionality by way of plugins.
The plugin vulnerabilities of WordPress are coming hard and fast.
While WordPress is reasonably secure out of the box, every modification, plugin, theme and piece of custom code increases the CMS's attack surface. To this end, the WordPress Performance Team has proposed a new tool that checks plugin and custom code against best-practice guidelines.
But even with such a tool in hand, if you run WordPress on a Linux machine (dedicated or virtual), it is good practice to harden the installation itself: to protect your data, to avoid the fines that follow a breach and to maintain visitor trust. Let's get started with how to secure a WordPress installation with hardening best practices on Linux.
How to Secure WordPress Installation - Hardening Best Practices on Linux.
Disable XML-RPC
XML-RPC was created to let remote clients, typically mobile apps, connect to your WordPress blog. Useful back in the day when internet connections were slow, it has since become more of a liability: its system.multicall method lets an attacker try hundreds of passwords in a single request, and the unauthenticated pingback.ping method can be abused to make your server send requests to other sites. Follow these steps to block access to xmlrpc.php at the web server:
Step 1: Open .htaccess in your website's root directory (the directives below are only honoured if the site's Apache virtual host has AllowOverride All):
sudo nano /var/www/html/.htaccess
Note: Replace ‘html’ with your site’s directory name
Step 2: Add the following code to the top of your .htaccess file. The Files container is what scopes the deny to xmlrpc.php; without it, the two directives inside would deny access to the entire site:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Note: Order/Deny directives are provided by mod_access_compat, which Ubuntu's Apache 2.4 enables by default. The native Apache 2.4 form is a single Require all denied line inside the same Files container.
If you've done a bit of research already, you'll have seen many websites suggesting adding the following line to a plugin file, or to functions.php in your theme directory under /wp-content/themes:
add_filter('xmlrpc_enabled', '__return_false');
However, as security consultant Scott Brown notes, this method is ineffective on its own since it only blocks "authenticated XML-RPC methods, not all XML-RPC methods". Unauthenticated methods such as pingback.ping stay callable, which is why the block belongs at the web server, as above.
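To confirm the block actually took, probe the endpoint the way a brute-force tool would. The script below is an added example, not code from the article: probe_xmlrpc needs network access, while classify_xmlrpc and xmlrpc_methods are the pure decision logic and are exercised on a constructed sample response. The address www.yourdomain.com is the article's placeholder.

```shell
#!/bin/sh
# Added example: is xmlrpc.php still reachable after the .htaccess block?

# system.listMethods needs no credentials. A reachable endpoint answers with
# a methodResponse listing every method, including the unauthenticated
# pingback.ping that the xmlrpc_enabled filter leaves switched on.
XMLRPC_REQUEST='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>'

# classify_xmlrpc STATUS BODY -> blocked | exposed | unclear
classify_xmlrpc() {
  status="$1"
  body="$2"
  case "$status" in
    403|404|410) echo blocked ;;
    200)
      if printf '%s' "$body" | grep -q '<methodResponse>'; then
        echo exposed          # WordPress answered the RPC call
      else
        echo unclear          # 200 but not XML-RPC: probably served a page
      fi ;;
    *) echo unclear ;;
  esac
}

# xmlrpc_methods BODY -> one method name per line from a listMethods response
xmlrpc_methods() {
  printf '%s' "$1" | grep -o '<string>[^<]*</string>' | sed 's/<[^>]*>//g'
}

# probe_xmlrpc BASE_URL -> classify the live response (needs network access)
probe_xmlrpc() {
  base="${1%/}"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' -H 'Content-Type: text/xml' \
           --data "$XMLRPC_REQUEST" "$base/xmlrpc.php")
  classify_xmlrpc "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

# Constructed (abridged) body of what an exposed endpoint returns.
SAMPLE_EXPOSED='<?xml version="1.0" encoding="UTF-8"?><methodResponse><params><param><value><array><data><value><string>system.multicall</string></value><value><string>system.listMethods</string></value><value><string>pingback.ping</string></value></data></array></value></param></params></methodResponse>'

# Usage on a live site: probe_xmlrpc https://www.yourdomain.com
```

A result of exposed after the .htaccess change usually means AllowOverride is not enabled for the site or a CDN/cache in front of Apache is answering the request itself.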
Disable the Theme File Editor
With WordPress it is easy to edit your theme's files from within the admin dashboard; you can see it in action at Appearance > Theme File Editor. While convenient for quick changes or when you don't have terminal access, it is also a major security risk: anyone who holds, or hijacks, an account with the necessary privileges can write arbitrary PHP into the theme and run it on the server, which exposes everything the web server can reach, including the database credentials in wp-config.php.
Step 1: Open wp-config.php file in your site’s root directory:
sudo nano /var/www/html/wp-config.php
Step 2: Add the following code to your wp-config.php file:
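The define() line this step refers to did not survive on the page. The constant WordPress uses to remove the file editors is DISALLOW_FILE_EDIT; the fragment below is added here, not copied from the article, and assumes the standard wp-config.php layout in which custom constants go above the "That's all, stop editing!" comment:

```php
/* Added example, not the article's own text: the constant behind this step.
 * Put it above the "That's all, stop editing!" comment in wp-config.php. */
define( 'DISALLOW_FILE_EDIT', true );
```

Once set, Appearance > Theme File Editor and Plugins > Plugin File Editor vanish, and WordPress denies the edit_themes and edit_plugins capabilities even to administrators, so the restriction cannot be lifted from the dashboard.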
Disable File Modifications
We can take the previous step further by disabling theme and plugin management in the dashboard altogether. This helps when, for example, a threat actor has somehow gained admin access: it prevents theme files from being modified and malicious plugins from being uploaded. It also stops legitimate users from installing themes and plugins that could harm the site or introduce vulnerabilities.
When the DISALLOW_FILE_MODS constant is set to true in wp-config.php, theme installation and updates, plugin installation and updates, and the file editors are all removed from the dashboard, so it implies the previous step. It also switches off WordPress core automatic updates, which is why the note below matters.
Note: With theme, plugin and file management removed from the dashboard, you'll have to use WP-CLI as a substitute (for example wp plugin update --all and wp core update). Learn more at wp-cli.org.
Step 1: Open wp-config.php file in your site’s root directory:
sudo nano /var/www/html/wp-config.php
Step 2: Add the following code to your wp-config.php file:
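The define() line this step refers to did not survive on the page; it sets the DISALLOW_FILE_MODS constant named above. The fragment below is added here, not copied from the article, and assumes the standard wp-config.php layout:

```php
/* Added example, not the article's own text: the constant named above.
 * Put it above the "That's all, stop editing!" comment in wp-config.php;
 * it implies DISALLOW_FILE_EDIT, so the earlier line can stay or go. */
define( 'DISALLOW_FILE_MODS', true );
```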
Prevent User Enumeration
User enumeration is the process by which threat actors determine valid WordPress usernames. With a valid username in hand an attacker only has to guess the password, so enumeration is the first step of a brute-force or credential-stuffing attack.
You can easily test user enumeration on your site: add /?author=1 to your website address. For example https://yourdomain.com/?author=1
If users can be enumerated, WordPress redirects to the author archive at /author/<nicename>/, and the nicename defaults to the login name, so the username of user ID 1 (usually the administrator created at install time) appears in the address bar together with all posts by that user. With a script, the user ID can be incremented automatically to list every user on the site.
Step 1: To prevent user enumeration, open the .htaccess file in your site’s root directory:
sudo nano /var/www/html/.htaccess
Step 2: Add the following code to .htaccess, above the # BEGIN WordPress block so that it is evaluated before the WordPress rewrite rules:
# Prevent user enumeration
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule (.*) $1? [L,R=301]
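The rule above covers the ?author= query, but it is worth confirming the fix and remembering that WordPress exposes the same list elsewhere: the REST API at /wp-json/wp/v2/users returns every user who has published a post, and the rewrite rule does not touch it. The script below is an added example, not part of the article; probe_author and probe_rest_users need network access, the classify_* functions are pure and are run on constructed responses, and example.com and www.yourdomain.com are placeholders.

```shell
#!/bin/sh
# Added example: does ?author=N still hand out usernames, and does the REST
# API hand out the same list?

# classify_author_probe STATUS LOCATION -> exposed:<name> | exposed | blocked | unclear
classify_author_probe() {
  status="$1"
  location=$(printf '%s' "$2" | tr -d '\r')
  case "$status" in
    301|302|307|308)
      case "$location" in
        */author/*)
          # /author/<nicename>/ leaks the login name (nicename defaults to it)
          echo "exposed:$(printf '%s' "$location" | sed -n 's#.*/author/\([^/?]*\).*#\1#p')" ;;
        *\?author=*) echo unclear ;;   # bounced elsewhere with the query intact
        *) echo blocked ;;             # query stripped: the rewrite rule fired
      esac ;;
    200) echo exposed ;;    # archive rendered in place (plain permalinks)
    403|404) echo blocked ;;
    *) echo unclear ;;
  esac
}

# classify_rest_users BODY -> exposed:<comma-separated slugs> | blocked
classify_rest_users() {
  slugs=$(printf '%s' "$1" | grep -o '"slug":"[^"]*"' | sed 's/"slug":"\(.*\)"/\1/' | paste -sd, -)
  if [ -n "$slugs" ]; then
    echo "exposed:$slugs"
  else
    echo blocked
  fi
}

# probe_author BASE_URL [ID] -> classify the live response for /?author=ID
probe_author() {
  base="${1%/}"
  hdrs=$(curl -s -o /dev/null -D - "$base/?author=${2:-1}")
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP[^ ]* \([0-9]*\).*/\1/p')
  location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
  classify_author_probe "$status" "$location"
}

# probe_rest_users BASE_URL -> classify the live REST API response
probe_rest_users() {
  classify_rest_users "$(curl -s "${1%/}/wp-json/wp/v2/users")"
}

# Constructed samples of the two response shapes a scanner sees.
SAMPLE_LEAK_LOCATION='https://example.com/author/alice/'
SAMPLE_REST_USERS='[{"id":1,"name":"Alice Admin","slug":"alice"},{"id":2,"name":"Bob","slug":"bob"}]'

# Usage on a live site:
#   probe_author https://www.yourdomain.com 1
#   probe_rest_users https://www.yourdomain.com
```

If probe_rest_users reports exposed, the fix is outside .htaccess: restrict the users route with a rest_authentication_errors or rest_endpoints filter in WordPress, or block /wp-json/wp/v2/users for unauthenticated requests at the web server.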
Hide the PHP Version
Reducing the amount of information freely available about the software powering a WordPress site gives an attacker less to aim at: a scanner that cannot see your PHP, Apache and WordPress versions cannot pick the exploit that matches them. Start by looking at what your server currently announces.
Type the following in a terminal window:
curl --head https://www.yourdomain.com
On a server with expose_php enabled, the response carries an X-Powered-By header. It reveals not only that we're running PHP (which is obvious, since we're running WordPress) but also the exact PHP version behind our WordPress installation. Set expose_php to Off in the php.ini that Apache uses:
sudo nano /etc/php/7.4/apache2/php.ini
Then find expose_php (around line 379 on my system) and change it to expose_php = Off. Save the file and restart Apache2 with sudo systemctl restart apache2, since mod_php only reads php.ini at startup. If PHP runs under php-fpm instead, the file to edit is /etc/php/7.4/fpm/php.ini and the service to restart is php7.4-fpm.
Hide the Apache Version and Operating System
When you look at the output of the curl command above, you'll notice that the Server header still reveals the Apache2 version as well as the server's operating system. Just like the PHP version, that is information we'd rather not hand to attackers. We can hide it with a small change to the Apache2 security configuration file.
Step 1: Open the security.conf file:
sudo nano /etc/apache2/conf-enabled/security.conf
Step 2: Find and change ServerTokens to Prod
ServerTokens Prod
Step 3: Find and change ServerSignature to Off
ServerSignature Off
Step 4: Save and close the file, then restart Apache2:
sudo systemctl restart apache2
Now when we run our curl command, the X-Powered-By header is gone and the Server header reads just Server: Apache.
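To check both changes in one go, pipe the response headers through a small audit. The script below is an added example, not from the article: fetch_headers needs network access, audit_headers and count_leaks are pure and are run on two constructed header blocks (the version numbers in them are made up for the demonstration), and www.yourdomain.com is the article's placeholder.

```shell
#!/bin/sh
# Added example: flag response headers that still disclose software versions.

# audit_headers HEADER_BLOCK -> one "leak: ..." line per disclosure, nothing when clean
audit_headers() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  # expose_php still on: X-Powered-By: PHP/x.y.z
  printf '%s\n' "$hdrs" | grep -i '^x-powered-by:' | sed 's/^/leak: /'
  # ServerTokens not Prod: Server carries a version number and/or "(OS)"
  printf '%s\n' "$hdrs" | grep -i '^server:' | grep -E '[0-9]+\.[0-9]+|\(' | sed 's/^/leak: /'
  return 0
}

# count_leaks HEADER_BLOCK -> number of disclosures found
count_leaks() {
  audit_headers "$1" | grep -c . || true
}

# fetch_headers URL -> response headers of a live site (needs network access)
fetch_headers() {
  curl -sI "$1"
}

# Constructed header blocks: before and after the php.ini and security.conf changes.
HEADERS_BEFORE='HTTP/1.1 200 OK
Date: Mon, 04 Jul 2022 10:00:00 GMT
Server: Apache/2.4.46 (Ubuntu)
X-Powered-By: PHP/7.4.16
Content-Type: text/html; charset=UTF-8'

HEADERS_AFTER='HTTP/1.1 200 OK
Date: Mon, 04 Jul 2022 10:05:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Usage on a live site: audit_headers "$(fetch_headers https://www.yourdomain.com)"
```

Run it against a page that goes through PHP (the home page does; a static image would not carry X-Powered-By even before the change).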
Hide the WordPress Version
Above we've hidden the PHP version, the Apache2 version and the operating system. But what about the WordPress version? Removing it makes version-targeted attacks harder to aim, which buys a little time when an upgrade is held back by compatibility concerns, or when you simply haven't got round to it yet. It is cover, not a fix: the vulnerable code is still there, so update as soon as you can.
We can find the WordPress version of a site by opening it and viewing the page source (CTRL+U), then pressing CTRL+F and searching for 'WordPress': the generator meta tag carries the version. Alternatively, download the site's feed by appending /feed to its URL, e.g. https://www.yourdomain.com/feed, and open the file in a text editor, where you'll see this line:
<generator>https://wordpress.org/?v=6.0.1</generator>
We can remove WordPress version information by adding a few lines of code in functions.php.
Step 1: Open functions.php in your theme directory:
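The functions.php code this step leads to did not survive on the page. The snippet below is an added example, not the article's own code: it removes the generator tag from the HTML head and from feeds, and goes one step beyond the article by also stripping the ?ver= query string that core scripts and styles carry, which neither hook alone removes. The function name hide_version_strip_ver is made up for this example. Append it after the opening <?php tag of functions.php, or better, save it as wp-content/mu-plugins/hide-version.php (with its own <?php tag) so a theme update cannot overwrite it:

```php
/* Added example (not the article's own code): strip the WordPress version
 * from the places a scanner looks. */

// 1. <meta name="generator" content="WordPress x.y.z"> in the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// 2. <generator>https://wordpress.org/?v=x.y.z</generator> in RSS/Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. ?ver=x.y.z on core scripts and styles, which the two hooks above leave alone.
//    hide_version_strip_ver is a name chosen for this example.
function hide_version_strip_ver( $src ) {
    // Only assets whose version equals the WordPress version are touched; a
    // theme or plugin that sets its own version keeps it.
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hide_version_strip_ver' );
add_filter( 'style_loader_src', 'hide_version_strip_ver' );
```

After saving, repeat the source-view and /feed checks above; the version should be gone from both. Note that readme.html in the site root also states the version, so delete it or deny access to it in .htaccess as well.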
Conclusion
Implementing these hardening best practices on Linux will help shrink the attack surface of your WordPress website. Installing an intrusion prevention package like fail2ban and a WordPress security plugin like Wordfence will go a long way to complement your CLI efforts and help keep your installation safe, as will keeping WordPress, its plugins and PHP up to date, which none of the steps above replace.
I'm a freelance writer in the tech industry. When I'm not writing about hosting-related topics, I spend my time doing calisthenics or in the ocean doing my level best to stand on a surfboard.