WordPress ~ Security
Security plugins are in a separate file.
Really complete guide on WordPress Security.
WordPress Vulnerabilities Statistics
WordPress Security Tips · wpscanteam/wpscan Wiki
WordPress Optimization Guide - Things To Do After Installing Wordpress
WordPress Security Tips - The Best Plugins to Protect WordPress
10 Steps to Securing Your WordPress Installation - Tuts+ Code Article
Turn off Post Revisions on WordPress (on by default)
Post Revisions in WordPress (on by default). We will also change the post auto-save interval from
WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Hide the non-essential WordPress RSS Feeds WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Disable directory listing. In nginx, autoindex is off by default.
-
Disable WordPress Login Hints WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Add Favicon and Touch Icons WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Better robots.txt - disallow Indexing of WordPress scripts WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Hide XML Sitemaps from Search Engine Results XML Sitemaps will help search engines better crawl your site but you don’t want search engines to actually show your sitemap in search results pages. WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Log 404 Errors in Google Analytics WordPress Optimization Guide - Things To Do After Installing Wordpress
-
Rename the administrative account (see: Codex)
-
Nicknames must be different from usernames. WordPress Security with WPScan: Username. Test with:
wpscan --url http://www.etaktiker.rs --enumerate u
No help for this - only the Wordfence Security plugin stops user enumeration. Sucuri Security does not do anything. We can also do it in nginx: Better Way to Defeat WordPress Brute Force Attack
-
DISALLOW_FILE_EDIT (see: Codex)
-
Protect: wp-config.php (see: Codex)
-
Disable theme and plugin editing. This can be done in wp-config.php.
-
Remove all unneeded files WordPress Security Tip: Delete ReadMe Files
-
Hide WordPress Version Number How to Remove WordPress Version Number
-
Check WordPress Security Keys WordPress Security Keys | Digging Into WordPress
-
Disable Theme and Plugin Editors in Admin Panel WordPress Disable Theme and Plugin Editors in Admin Panel
Hardening WordPress « WordPress Codex Security Tips: What Should Be Done after WordPress Installation
Idea: With cookie on one and same subdirectory: systools
After that - it will not exist*
Woow: Web Application and Server Security Testing on Ubuntu 14.04 with Lynis, Nmap, Nikto, Wapiti, w3af, Arachni and Skipfish | Lisenet.com :: Linux | Security | Networking
crylium/security-scripts-for-linux: Various scripts to check for web applications, Linux OS etc vulnerabilities.
Nikto2 scanning
apt-get install nikto
# update databases
nikto -update
# check host with
nikto -h https://www.koviljaca.rs
Metasploit
Metasploit Unleashed
Using Exploits - Metasploit Unleashed
Protecting with a cookie
Protecting Wordpress with a cookie
Directory Protection With A Cookie
Exactly what I want: Hide and protect WordPress wp-admin folder on Nginx server | Motekar
Protect your Wordpress blog’s administration from prying eyes • has_many :codes
Nginx: Block URL Access (wp-admin/wp-login.php) To All Except One IP Address
And, cookie can be hashed: HttpSetMiscModule
What is the best way to password protect folder/page using php without a db or username
Track login activity on server:
This one-liner will list all the IP addresses from which we had successful logins, from least to most logins. So, the dangerous ones will probably be at the top of the list.
(last -if /var/log/wtmp; last -if /var/log/wtmp.1) | grep . | grep -v wtmp | grep -v boot | awk '{print $3}' | sort | uniq -c | sort -n | awk '{print $2}' | xargs -l sh -c 'printf "%15s / %s, %s, %s (%s)\n" $0 "$(curl -s "ipinfo.io/$0/country")" "$(curl -s "ipinfo.io/$0/city")" "$(curl -s "ipinfo.io/$0/org")" "$(curl -s "ipinfo.io/$0/hostname")"'
Explanation:
- concat results for both the current and last month
- remove empty lines and ones containing wtmp or boot
- get only IP numbers (awk)
- sort and count unique
- sort again by number of occurrences
- we only need IP number (awk)
- xargs will print that nicely using ipinfo.io service
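The same pipeline packaged as shell functions, added here as an example and not part of the original notes. It runs over a constructed `last -i` sample (not real wtmp data), so it works offline; on a live host feed it `(last -if /var/log/wtmp; last -if /var/log/wtmp.1)` instead. `describe_ip` reproduces the ipinfo.io lookup from the one-liner and needs network access; the sample addresses are from documentation ranges.

```shell
#!/bin/sh
# Constructed sample of `last -i` output (documentation addresses, not real logins).
SAMPLE_LAST='root     pts/0        203.0.113.5      Mon Jan  8 10:00 - 10:30  (00:30)
deploy   pts/1        198.51.100.7     Mon Jan  8 11:00 - 11:05  (00:05)
root     pts/0        203.0.113.5      Tue Jan  9 08:12 - 08:40  (00:28)
reboot   system boot  0.0.0.0          Tue Jan  9 07:55 - 12:00  (04:05)
root     pts/2        192.0.2.44       Tue Jan  9 09:00 - 09:01  (00:01)
root     pts/0        203.0.113.5      Wed Jan 10 10:00 - 10:30  (00:30)

wtmp begins Mon Jan  1 00:00:00 2024'

# Read `last -i` output on stdin and print "count ip", least frequent first.
# Same steps as the one-liner: drop blank lines and the wtmp/boot entries,
# keep the third column (the source address), count unique values, sort by count.
login_counts() {
    grep . | grep -v wtmp | grep -v boot | awk '{print $3}' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Print only the addresses seen at most $1 times (default 1): the rare
# sources at the top of the list are the ones worth a closer look.
rare_sources() {
    login_counts | awk -v max="${1:-1}" '$1 <= max { print $2 }'
}

# Annotate one address with ipinfo.io, exactly like the one-liner does
# (network required; the service is limited to 1000 requests per day).
describe_ip() {
    printf '%15s / %s, %s, %s (%s)\n' "$1" \
        "$(curl -s "ipinfo.io/$1/country")" "$(curl -s "ipinfo.io/$1/city")" \
        "$(curl -s "ipinfo.io/$1/org")" "$(curl -s "ipinfo.io/$1/hostname")"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LAST" | login_counts
echo "seen once:"
printf '%s\n' "$SAMPLE_LAST" | rare_sources 1
```

To repeat the original behaviour on a real host, pipe `rare_sources` into `xargs -l` and call `describe_ip` on each address; keeping the lookup in its own function means the counting step can be run without touching the network.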
When you find a suspicious IP, do a little research:
(last -wf /var/log/wtmp; last -wf /var/log/wtmp.1) | grep "122.173.247.248\|31.129.182.183\|37.139.47.83\|122.173.2.10"
Geolocation
I will be using services to get easy geolocation: ipinfo.io (limited to 1000 requests per day) and ifconfig.me.
curl ipinfo.io/178.148.86.40
will give you a detailed report.
Or you can use local-only:
apt-get -y install geoip-bin
geoiplookup 178.148.73.195 | sed -re 's/(.*): (.*)/\2/g'
Or even more detailed local database:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
gunzip Geo*.dat.gz
sudo cp GeoIP.dat GeoIPASNum.dat GeoLiteCity.dat /usr/share/GeoIP/
And now, try again: geoiplookup 178.148.73.195
How to look up the geographic location of an IP address from the command line - Xmodulo
There is also:
curl freegeoip.net/xml/8.8.8.8
SeeIP - A Simple Public IP Address API
The GeoIP Databases and the PHP based automatic updater from that site can be found on Gist, specifically the Maxmind GeoIP Updater (Based PHP).
The latest one, which is and will always be really free: reallyfreegeoip.org, just not perfectly accurate.
There are known security vulnerabilities for each WordPress version. For this reason, displaying the version of your WordPress installation makes it an easier target for hackers. The version of an unprotected WordPress installation can be seen in the pages' meta data and readme.html files. The security check should verify that all readme.html files are empty and that every theme has a functions.php file, which contains the line: remove_action('wp_head', 'wp_generator');. If the security check failed and you choose to secure the WordPress installation, the content of the readme.html files will be cleared, and the above line will be added to the functions.php file of every theme. If there is no such file in a theme, it will be created.
The wp-content directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-content directory. The security check should verify that the execution of PHP files in the wp-content directory is forbidden. If the security check failed and you choose to secure the WordPress installation, execution of PHP files in the wp-content directory will be forbidden in the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.
The wp-includes directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-content directory. The security check should verify that the execution of PHP files in the wp-includes directory is forbidden. If the security check failed and you choose to secure the WordPress installation, execution of PHP files in the wp-includes directory will be forbidden in the server
Woow. I really like this plugin!
define('DISALLOW_FILE_EDIT', true);
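A filesystem-level version of the checks described above (empty readme.html files, the wp_generator remove_action line in every theme's functions.php, and the DISALLOW_FILE_EDIT define), with a "secure" step that applies the same fixes. This is an added example, not the plugin's or WordPress's own code; it builds a constructed WordPress tree in a temporary directory so it runs offline. The web-server rule that forbids PHP execution under wp-content and wp-includes is nginx/Apache configuration and is not covered here.

```shell
#!/bin/sh
# Added example: filesystem hardening check and fix for a WordPress root.
GEN_LINE="remove_action('wp_head', 'wp_generator');"
EDIT_LINE="define('DISALLOW_FILE_EDIT', true);"

# Print one line per failed check for the WordPress root given as $1.
check_wp() {
    site=$1
    # 1. every readme.html must be empty (they disclose the version)
    find "$site" -name readme.html -size +0c | while read -r f; do
        echo "readme not empty: $f"
    done
    # 2. every theme needs a functions.php that strips the generator meta tag
    for theme in "$site"/wp-content/themes/*/; do
        [ -d "$theme" ] || continue
        fp="${theme}functions.php"
        grep -qF "$GEN_LINE" "$fp" 2>/dev/null || echo "wp_generator still emitted: $fp"
    done
    # 3. the built-in theme/plugin editor must be disabled in wp-config.php
    grep -qF "$EDIT_LINE" "$site/wp-config.php" 2>/dev/null \
        || echo "DISALLOW_FILE_EDIT missing: $site/wp-config.php"
}

# Number of failed checks (0 means all three checks pass).
issue_count() {
    check_wp "$1" | wc -l | tr -d ' '
}

# Apply the fixes: truncate readme files, add the remove_action line to each
# theme (creating functions.php if missing), and insert the define above the
# "stop editing" marker so it is set before wp-settings.php is loaded.
secure_wp() {
    site=$1
    find "$site" -name readme.html -size +0c -exec sh -c ': > "$1"' _ {} \;
    for theme in "$site"/wp-content/themes/*/; do
        [ -d "$theme" ] || continue
        fp="${theme}functions.php"
        [ -f "$fp" ] || printf '<?php\n' > "$fp"
        grep -qF "$GEN_LINE" "$fp" || printf '\n%s\n' "$GEN_LINE" >> "$fp"
    done
    cfg="$site/wp-config.php"
    if ! grep -qF "$EDIT_LINE" "$cfg"; then
        awk -v line="$EDIT_LINE" \
            '/stop editing/ && !inserted { print line; inserted = 1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        grep -qF "$EDIT_LINE" "$cfg" \
            || echo "warning: no 'stop editing' marker in $cfg, add $EDIT_LINE by hand" >&2
    fi
}

# Constructed sample site (not a real installation) so the script runs offline.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/alpha" "$dir/wp-content/themes/beta" \
             "$dir/wp-content/plugins/akismet"
    printf '<html>Welcome to WordPress x.y</html>\n' > "$dir/readme.html"
    printf 'plugin readme\n' > "$dir/wp-content/plugins/akismet/readme.html"
    printf '<?php\n// theme alpha: no hardening yet\n' > "$dir/wp-content/themes/alpha/functions.php"
    # theme beta deliberately has no functions.php at all
    printf "<?php\ndefine('DB_NAME', 'wp');\n/* That's all, stop editing! Happy publishing. */\nrequire_once ABSPATH . 'wp-settings.php';\n" \
        > "$dir/wp-config.php"
    echo "$dir"
}

site=$(make_sample_site)
echo "before: $(issue_count "$site") issue(s)"
check_wp "$site"
secure_wp "$site"
echo "after: $(issue_count "$site") issue(s)"
rm -rf "$site"
```

The remove_action line is appended to functions.php, which is fine for themes that omit a closing `?>` tag (the usual WordPress style); a theme that ends with `?>` needs the line placed before it. Run `check_wp /var/www/site` on a real installation to get the report without changing anything; `secure_wp` is the destructive step.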