My WordPress Security Posture: A Work In Progress
Hello everyone, I am back with my second blog post, and I have been absolutely humbled by the great response to my first post; thank you all! As you all know, my learning in this field is a work in progress, and I am open to all security suggestions. I have started this blog to share my developing experiences in this industry and to learn a thing or two along the way about securing my own website.
My (Current) Security Posture:
Recently I have been meticulously researching WP best practices and will share what I have configured so far. There is always more to be done with security, and I encourage any readers to give me suggestions!
The first step I have taken towards securing my website is to install the Wordfence security plugin. I am currently running the free edition of the plugin and I have been pleasantly surprised at the capabilities of the plugin.
Here are the configuration steps I have taken:
- Firstly, I have enabled both the WAF (Web Application Firewall) and Scan options.
- I have put the WAF into “Enabled and Protecting” mode.
- Under ‘Advanced Firewall Options’ I have enabled every rule in order to help block attempts at common vulnerabilities (e.g. XSS, LFI, SQLi).
- Under Brute Force Protection I have an IP block set for 12 hours after 3 incorrect attempts.
- I have also set up an auto-block for anyone who tries the common default usernames like admin, administrator, etc.
- Under ‘Additional Options’ I have enabled every option including “Don’t let WordPress reveal valid users in login errors” and “Prevent users registering ‘admin’ username if it doesn’t exist.”
- Within ‘Rate Limiting’ I have set the auto-block rule for fake Google crawlers. Additionally, I set it to block any user for 6 hours if they hit 3 or more 404s within a minute. Thanks to reddit user c0llision41 for pointing out the reasons against this; please see the bottom of this post for more details.
WP Hide Plugin:
I am also a fan of adding obscurity as one layer of security, and this plugin does just the trick. It has allowed me to easily shift many of my default paths to custom locations. Here are the locations I have moved:
- Firstly, I have changed my theme path to a custom location.
- Also, I have moved wp-content, comments, XML-RPC, JSON etc. to a new location.
- I have moved my plugins to a new location, and custom named every one.
- Lastly, I have changed my default wp-login.php and wp-admin.php locations.
Note: I understand that it is quite easy to re-find many of these paths manually, but it's just another measure to wear an attacker down! Also, security through obscurity should be just one of many countermeasures, and should definitely not be the leading defense!
I have configured Cloudflare mostly for their amazing speed boost and their great ability to cut down on server load, but they also have exceptional DDoS protection, so I figured I would toss it in here! Also, they are my Certificate Authority; HTTPS is important too!
- I have done my best to strip out all WP version number leaks, though WPScan still reports my version through “advanced fingerprinting” (pretty vague, I know).
- I have configured DNSSEC (I know it’s not super applicable, but it is a security measure nonetheless!)
- Every plugin and theme is up-to-date as well as the WordPress core.
- Also, I have deleted every theme and plugin that is not currently in use.
- Lastly, I have disabled the ability to edit directly from the WP admin panel.
Note: I understand that the WP version number isn't a big deal, and it is pretty easy for anyone with real knowledge of WP to identify the nuances from version to version, but I am trying to do everything I possibly can! Also, I know there are code editor plugins that can circumvent that last control.
I have tried to pen test my own website a bit and have come up empty. WPScan actually thinks that my website is not even a WordPress site, though if you add the --force argument it will still grab the version number, theme, and plugins. I have had WPScan try to enumerate users, vulnerable plugins, etc., and it has come back empty-handed. I have run a level 5 sqlmap scan against my 404 search page, and once again it has come back with nothing. Lastly, I have run searchsploit against all of my plugins and my theme, and I have tried every previous exploit it listed.
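To check which of the version disclosures mentioned above actually survive a cleanup, here is an added self-check script (my own example for this post, not code from Wordfence, WP Hide or WPScan). It scans a saved copy of a page's HTML for the two disclosure points that are easy to miss: the generator meta tag and the `?ver=` query strings WordPress appends to core and plugin assets. The sample HTML, the `example.test` host and the plugin name are constructed, and `DEFAULT_CORE_PATHS` assumes wp-includes and wp-admin have not been relocated; pass the custom prefixes if they have.

```python
"""Scan saved page HTML for WordPress version disclosures a cleanup tends to miss.

Added self-check, not code from the original post or from any plugin. It only
inspects the HTML it is given; fingerprinting by hashing static files (which
WPScan also does) is out of scope for an HTML-only check.
"""
import re
from urllib.parse import parse_qs, urlsplit

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress(?:\s+([\d.]+))?["\']',
    re.IGNORECASE,
)
ASSET_URL_RE = re.compile(r'(?:src|href)=["\']([^"\']+)["\']', re.IGNORECASE)

# Assumption: default core paths. If a plugin such as WP Hide relocated them,
# pass the new prefixes, otherwise core assets are reported as plugin assets.
DEFAULT_CORE_PATHS = ("/wp-includes/", "/wp-admin/")


def find_version_leaks(html, core_paths=DEFAULT_CORE_PATHS):
    """Return a list of (kind, detail) disclosures found in the HTML, in page order."""
    leaks = []
    m = GENERATOR_RE.search(html)
    if m:
        leaks.append(("generator-meta", m.group(1) or "present, no number"))
    for url in ASSET_URL_RE.findall(html):
        parts = urlsplit(url)
        ver = parse_qs(parts.query).get("ver")
        if not ver:
            continue
        if any(prefix in parts.path for prefix in core_paths):
            # Core scripts and styles carry the WordPress version by default.
            leaks.append(("core-asset-ver", ver[0]))
        else:
            # Plugin/theme assets reveal that component's version, which is
            # exactly what a searchsploit-style lookup keys on.
            leaks.append(("plugin-or-theme-asset-ver", f"{parts.path}: {ver[0]}"))
    return leaks


# Constructed sample: a default install (leaky) and the same page after cleanup.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.test/wp-content/plugins/some-plugin/js/front.js?ver=1.8.0"></script>
</head><body></body></html>"""

HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://example.test/wp-content/plugins/some-plugin/js/front.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for label, html in (("before cleanup", LEAKY_HTML), ("after cleanup", HARDENED_HTML)):
        print(label, find_version_leaks(html) or "no disclosures found")
```

Run it against `curl -o page.html https://your-site/` output to see what a reader of your HTML can still learn; a clean result here does not mean WPScan's hash-based fingerprinting is defeated, only that the obvious disclosures are gone.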
Now I open it up to you, the reader. If you have any other suggestions to add, please let me know; I would love to implement your ideas. I am completely open to ideas and know that true security is incredibly hard to accomplish. Thank you for taking the time to read my post.
- Major thanks to reddit user “c0llision41” for pointing out the reasons against having this aggressive IP block policy, here is his comment:
“That seems a bit aggressive. If you accidentally posted an incorrect URL on your blog you could end up blocking a huge number of legitimate users. You also risk blocking many benevolent bots. In fact it could be argued that extremely easy to trigger IP blocks like this are in fact a security issue because they can be used as a DoS attack to prevent legitimate traffic from accessing your website. For example, someone could easily write a script that connects to each Tor exit node and requests a few invalid URLs on your website in order to get every Tor exit node IP banned, making it impossible for Tor users to access your site.”
I have now amended this policy within my website to a higher number. Also, I have ensured that bots have even more headway than human users for hitting 404s. Thanks c0llision!
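To make c0llision41's point concrete for the rate-limiting rule above and the amended policy, here is an added example (my own illustration, not code from the post, from Wordfence or from the commenter). It replays a constructed access log through a sliding-window 404 counter with separate thresholds for ordinary visitors and verified crawlers, and compares the original "3 in a minute" rule with a looser one. The IP addresses, log lines, the `VERIFIED_CRAWLERS` set (a stand-in for the reverse-DNS check Wordfence performs live, which an offline script cannot) and the relaxed thresholds of 20 and 50 are all assumptions; the post does not state the amended numbers.

```python
"""Replay a constructed access log through a 404 rate-limit rule.

Added illustration, not code from the original post. It shows why
"3 or more 404s within a minute" trips on ordinary readers and crawlers,
while a higher threshold still catches a path-guessing scanner.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def ips_to_block(lines, window_seconds, visitor_threshold, crawler_threshold, verified_crawlers):
    """Return the set of IPs a 404-rate block with these settings would trip on.

    A per-IP deque holds the timestamps of recent 404s; entries older than the
    window are dropped before the count is compared with the class threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    blocked = set()
    events = [e for e in map(parse_line, lines) if e is not None and e[3] == 404]
    events.sort(key=lambda e: e[1])  # logs are usually time-ordered; be explicit
    for ip, ts, _path, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        limit = crawler_threshold if ip in verified_crawlers else visitor_threshold
        if len(q) >= limit:
            blocked.add(ip)
    return blocked


# --- constructed sample data (documentation address ranges, not real hosts) ---
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
READER, CRAWLER, SCANNER = "203.0.113.10", "192.0.2.5", "198.51.100.7"
# Assumption: stand-in for crawler IPs that passed reverse-DNS verification.
VERIFIED_CRAWLERS = {CRAWLER}


def log_line(ip, offset_s, path, status, ua):
    ts = (T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = [
    # A reader follows a mistyped link in a post: the page and its two
    # relative asset references all 404 within a second.
    log_line(READER, 0, "/2023/my-frist-post/", 404, "Mozilla/5.0"),
    log_line(READER, 1, "/2023/my-frist-post/style.css", 404, "Mozilla/5.0"),
    log_line(READER, 1, "/2023/my-frist-post/app.js", 404, "Mozilla/5.0"),
    log_line(READER, 5, "/", 200, "Mozilla/5.0"),
    # A verified crawler re-checks four stale sitemap entries over 30 seconds.
    *[log_line(CRAWLER, 10 * i, f"/old-post-{i}/", 404, "Googlebot/2.1") for i in range(4)],
    # A scanner guesses 30 paths in 15 seconds.
    *[log_line(SCANNER, i // 2, f"/guess-{i}", 404, "curl/8.0") for i in range(30)],
]

AGGRESSIVE = dict(window_seconds=60, visitor_threshold=3, crawler_threshold=3)
RELAXED = dict(window_seconds=60, visitor_threshold=20, crawler_threshold=50)  # assumed values


def compare_policies(lines=SAMPLE_LOG):
    """Return (IPs blocked under the original rule, IPs blocked under the relaxed rule)."""
    return (
        ips_to_block(lines, verified_crawlers=VERIFIED_CRAWLERS, **AGGRESSIVE),
        ips_to_block(lines, verified_crawlers=VERIFIED_CRAWLERS, **RELAXED),
    )


if __name__ == "__main__":
    before, after = compare_policies()
    print("3-in-60s rule blocks:", sorted(before))
    print("relaxed rule blocks:", sorted(after))
```

Under the original rule all three addresses are blocked, including the reader who hit one broken link and the crawler cleaning up stale URLs; under the looser thresholds only the scanner is. Feeding your own access log into `ips_to_block` before changing a Wordfence threshold is a cheap way to see how many legitimate visitors a given setting would have caught last week.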