I was recently listening to Paul’s Security Weekly episode 366: How Security Weekly got defaced, and started thinking about my own security posture around my WordPress sites. When I first created The Rats and Rogues Podcast site, I read everything I could find on WordPress security. There wasn’t much. Later, when I created this site, I still wasn’t impressed.
Most of what I did was classic Linux hardening: iptables, changing file ownership, and so on. The problem is that changing ownership of the WordPress directory, while helpful and suggested by WordPress, breaks things. It disables the ability to update the site easily from within the site, and it breaks some plugins.
Two plugins I highly recommend are Duo Security’s two-factor authentication for WordPress and Attack Scanner.
Through trial and error, here is the script I use, called wp_maintenance. It will need some minor cleanup to work on other systems. When it comes to the plugins, you’ll have to trial and error your own to see what needs what ownership; I found that while some have to be owned by the web server user, not all of their files need to be.
```sh
#!/bin/sh
# wp_maintenance: hand the WordPress tree to the web server user so updates
# can be run from the dashboard, then hand it back to the regular (non-web)
# owner, leaving only the plugin files that need web-server ownership.
# Replace the placeholders below for your own system.
WEB_USER="APACHE-OWNER_GROUP"          # user/group the web server runs as
SITE_OWNER="NON-APACHE-OWNER"          # regular, non-web-server account
WP_ROOT="/your/website/path/public_html"
PLUGINS="$WP_ROOT/wp-content/plugins"

printf '\nEntering WordPress Maintenance mode:\n\n'
chown -R "$WEB_USER:$WEB_USER" "$WP_ROOT"
printf '\nsite is now insecure, owned by %s\n\n' "$WEB_USER"

# pause the script until the upgrades have been run from the dashboard
# (printf + read instead of read -p, which /bin/sh on dash-based systems lacks)
printf 'Press [Enter] key to re-secure after upgrades...'
read wait_for_user

printf '\nstarting to resecure wordpress directories:\n\n'

# set main directory to be owned by regular user
chown -R "$SITE_OWNER:$SITE_OWNER" "$WP_ROOT"

# set plugins to be owned by the web server user - they fail otherwise
#
# Attack Scanner: the plugin directory (not recursive) plus the individual
# files it needs, found by trial and error
AS="$PLUGINS/wp-attack-scanner-free"
chown "$WEB_USER:$WEB_USER" "$AS"
for f in wordpress-attack-scanner.png data.txt chevron-up.png screenshot1.png \
         sincerely.png screenshot2.png .htaccess wp-attack-scanner.css \
         chevron-down.png Cryptography.inc.php Attacks.inc.php archive.txt \
         wp-attack-scanner-free.php Logging.inc.php screenshot3.png; do
    chown "$WEB_USER:$WEB_USER" "$AS/$f"
done

# DuoSecurity 2 factor
chown -R "$WEB_USER:$WEB_USER" "$PLUGINS/duo-wordpress"

# others
chown "$WEB_USER:$WEB_USER" "$PLUGINS/disable-xml-rpc/disable-xml-rpc.php"
chown -R "$WEB_USER:$WEB_USER" "$PLUGINS/spam-free-wordpress"
chown -R "$WEB_USER:$WEB_USER" "$PLUGINS/akismet"

# notify completion
printf '\nYOUR-SITE is now re-secured with things owned by %s\n\n' "$SITE_OWNER"
```
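The re-secure step above only works if nothing else is left owned by the web server user afterwards. The following audit is an added example (my own code, not part of the wp_maintenance script or either plugin) that walks a WordPress tree and reports every path owned by the web server user that is not on an allow-list; the allow-list here mirrors the plugin paths the script hands to the web server, and the `**` suffix, the sample listing, and the uids 33 and 1000 are all constructed for the example.

```python
"""Report files owned by the web server user that the maintenance script did
not intend to leave that way (added example; hypothetical helper names)."""
import os
import pwd
import sys

# Allow-list of paths (relative to the WordPress root) that are expected to be
# owned by the web server user after re-securing. A trailing "/**" covers the
# whole subtree; anything else must match exactly. Mirrors the script above.
AS_DIR = "wp-content/plugins/wp-attack-scanner-free"
AS_FILES = (
    "wordpress-attack-scanner.png", "data.txt", "chevron-up.png",
    "screenshot1.png", "sincerely.png", "screenshot2.png", ".htaccess",
    "wp-attack-scanner.css", "chevron-down.png", "Cryptography.inc.php",
    "Attacks.inc.php", "archive.txt", "wp-attack-scanner-free.php",
    "Logging.inc.php", "screenshot3.png",
)
DEFAULT_ALLOWLIST = (
    (AS_DIR,)
    + tuple(AS_DIR + "/" + f for f in AS_FILES)
    + (
        "wp-content/plugins/duo-wordpress/**",
        "wp-content/plugins/disable-xml-rpc/disable-xml-rpc.php",
        "wp-content/plugins/spam-free-wordpress/**",
        "wp-content/plugins/akismet/**",
    )
)


def is_allowed(relpath, allowlist=DEFAULT_ALLOWLIST):
    """True if relpath is expected to be web-server owned."""
    for pattern in allowlist:
        if pattern.endswith("/**"):
            base = pattern[:-3]
            if relpath == base or relpath.startswith(base + "/"):
                return True
        elif relpath == pattern:
            return True
    return False


def audit(entries, web_uid, allowlist=DEFAULT_ALLOWLIST):
    """entries: iterable of (relative_path, owner_uid).
    Returns the sorted list of paths owned by web_uid but not allow-listed."""
    return sorted(
        path for path, uid in entries
        if uid == web_uid and not is_allowed(path, allowlist)
    )


def walk_tree(root):
    """Yield (relative_path, owner_uid) for every entry under a real tree."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.lstat(full).st_uid


# Constructed sample listing (not a real site): web server uid 33, owner 1000.
SAMPLE = [
    ("wp-config.php", 33),                                   # unexpected
    ("wp-includes/version.php", 1000),                       # fine
    ("wp-content/plugins/akismet/akismet.php", 33),          # allow-listed
    ("wp-content/plugins/wp-attack-scanner-free/data.txt", 33),   # allow-listed
    ("wp-content/plugins/wp-attack-scanner-free/readme.txt", 1000),
    ("wp-content/themes/twentythirteen/functions.php", 33),  # unexpected
]

if __name__ == "__main__":
    # Usage: audit_wp.py /path/to/public_html www-data
    if len(sys.argv) == 3:
        uid = pwd.getpwnam(sys.argv[2]).pw_uid
        findings = audit(walk_tree(sys.argv[1]), uid)
    else:
        findings = audit(SAMPLE, 33)
    for path in findings:
        print("unexpected web-server-owned path:", path)
    sys.exit(1 if findings else 0)
```

Run it after the script finishes (or from cron) and treat any output as a sign that the re-secure step missed something or that a file has since changed hands. The check only looks at ownership, matching what the script manages; mode bits and group-writable files would need a second pass.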