WordPress ~ Security

Security plugins are in a separate file.

Really complete guide on WordPress Security.

WordPress Vulnerabilities Statistics

Block login attacks

Using fail2ban to block WordPress login attacks

Protecting the WordPress login in nginx | erick t. hitter

WordPress vulnerability scanners / Malware Scanner

WPScan by the WPScan Team

Nikto2

Sucuri SiteCheck

Gravityscan

Website Security Check - Unmask Parasites

Free Tools to Scan Your WordPress Website for Vulnerabilities

Website Security | Recurring, Affordable, and Usable

Sources:


Hiding headers:

nginx/site.nginxconf at master · danielmiessler/nginx


PHP Shell Scripts

When an attacker finds an exploit in WordPress, one of their first goals is to escalate their access.

An attacker could upload a PHP Shell Script. Functionally, these PHP shells are nearly the same as an SSH shell. You can change permissions, read files, upload files and more. The tools are very robust.

C99Shell is a popular PHP tool designed to escalate access on your server. This is basically a full shell account in PHP.

Important: Local exploits become remote exploits when your WordPress site is insecure.

You can download these shells on multiple sites.


HACKED!

How to manually cleanup malware from WordPress Site


WordPress Security Tips · wpscanteam/wpscan Wiki

WordPress Optimization Guide - Things To Do After Installing Wordpress

WordPress Security Tips - The Best Plugins to Protect WordPress

10 Steps to Securing Your WordPress Installation - Tuts+ Code Article

How to Hide that You Use Wordpress

  • rename wp-content (safe to do; the alternative is to move it one level down)

    plugins: dodaci; uploads: otprema, otpremnina. Not sure if automatic updates of WordPress will work?

    // define('WP_CONTENT_FOLDERNAME', 'assets');  // WP_CONTENT_FOLDERNAME is not a core WordPress constant; WordPress reads WP_CONTENT_DIR and WP_CONTENT_URL
    // define('WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/extensions');

Rename-move wp-content

Translations (candidate names for wp-content): assets, sastav, sadrzina, sadrzaj, smisao; German: ressourcen

Move wp-content as per Codex. Not sure if it will improve security.

Set constants WP_CONTENT_DIR and WP_CONTENT_URL and replace /wp-content/ with /assets/ in all the tables.

Sources & Articles

Move the wp-config.php file one directory up, outside of the web root directory?

WordPress looks for wp-config.php in the web root directory and, if it is not there, in the directory one level above it. Keeping the file above the web root reduces the risk of it being exposed to the Internet.

Great reasons for doing that. 10 wp-config Tweaks To Improve Your WordPress Site

Set perfect file permissions
  • perfect file permissions (see: Codex)

    • wp-admin/ (admin area), wp-includes/ (application logic) - writable only by ftp
    • wp-content/ (user-supplied content) - writable by user account and web server process
      • wp-content/themes/ - as I don't want to use the built-in theme editor, files writable only by your user account
      • wp-content/plugins/ - all files should be writable only by your user account. That's why you set up an FTP account.
      • wp-content/* - other directories may be present, and should be documented by whichever plugin or theme requires them
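The permission scheme listed above as an added POSIX shell function (my own example, not from the Codex or this page): it takes the WordPress root, the shell/FTP user and the web server's group as arguments; the path and names in the usage comment are placeholders, and the wp-config.php treatment (owner-writable, group-readable for the web server) is my own choice rather than part of the list.

```shell
#!/bin/sh
# Apply the Codex-style permission scheme to a WordPress tree.
# usage: harden_wp_perms /var/www/example wpuser www-data   (placeholder values)
harden_wp_perms() {
  root=$1; owner=$2; webgroup=$3
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

  # Baseline: everything owned by the shell/FTP user, dirs 755, files 644.
  # The web server can read but not write wp-admin/ and wp-includes/.
  chown -R "$owner" "$root"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  if [ -d "$root/wp-content" ]; then
    # wp-content/: the web server process may write (uploads, cache) via its group.
    chgrp -R "$webgroup" "$root/wp-content"
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +

    # themes/ and plugins/: back to user-only writable, so a compromised web
    # process cannot modify code; updates go through the FTP/user account.
    for d in themes plugins; do
      [ -d "$root/wp-content/$d" ] || continue
      find "$root/wp-content/$d" -type d -exec chmod 755 {} +
      find "$root/wp-content/$d" -type f -exec chmod 644 {} +
    done
  fi

  # wp-config.php: readable by owner and web server group only (my choice,
  # not part of the list above).
  if [ -f "$root/wp-config.php" ]; then
    chgrp "$webgroup" "$root/wp-config.php"
    chmod 640 "$root/wp-config.php"
  fi
}
```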

Move out the media upload folder

WordPress Optimization Guide - Things To Do After Installing Wordpress

There is a plugin to help out: Custom Upload Dir

Turn off Post Revisions in WordPress (on by default)

Post Revisions in WordPress (on by default) We will also change the post auto-save interval from

WordPress Optimization Guide - Things To Do After Installing Wordpress

Hardening WordPress « WordPress Codex

Security Tips: What Should Be Done after WordPress Installation

Stealth login?

WordPress › Stealth Login Page « WordPress Plugins


WordPress › Support » How to change the admin url or wp-admin to secure login

security - Can I rename the wp-admin folder? - WordPress Development Stack Exchange

Idea: With cookie on one and same subdirectory: systools

After that it will not exist*


WPScan and WPScan database

Tool to use as WordPress vulnerability scanner: wpscanteam/wpscan

How To Use WPScan to Test for Vulnerable Plugins and Themes in Wordpress | DigitalOcean

GPL fork is delvelabs/vane

Vulnerability database for WPScan: WordPress Plugin Vulnerabilities

https://wpvulndb.com/plugins

Or use preinstalled environment: wpscanteam/docker-wpscan

Test in docker:

sudo docker run -t -i --name wpscan wpscanteam/wpscan bash

sudo docker start wpscan
sudo docker exec -it wpscan bash

Update wpscan:

ruby wpscan.rb --update

Also, great tutorials: Online Vulnerability Scanners and Port Scans


How To Scan And Check A WordPress Website Security Using WPScan, Nmap, And Nikto

Woow: Web Application and Server Security Testing on Ubuntu 14.04 with Lynis, Nmap, Nikto, Wapiti, w3af, Arachni and Skipfish | Lisenet.com :: Linux | Security | Networking

crylium/security-scripts-for-linux: Various scripts to check for web applications, Linux OS etc vulnerabilities.

Nikto2 scanning

apt-get install nikto

# update databases
nikto -update

# check host with
nikto -h https://www.koviljaca.rs

Metasploit

Metasploit Unleashed Using Exploits - Metasploit Unleashed

Encripto AS - Tools


Protecting with a cookie

Protecting Wordpress with a cookie

Directory Protection With A Cookie

Exactly what I want: Hide and protect WordPress wp-admin folder on Nginx server | Motekar

Protect your Wordpress blog's administration from prying eyes • has_many :codes

Nginx: Block URL Access (wp-admin/wp-login.php) To All Except One IP Address

Setting cookies in nginx

And the cookie value can be hashed: HttpSetMiscModule

What is the best way to password protect folder/page using php without a db or username


Track login activity on server:

This one-liner lists all the IP addresses from which there was a successful login, from least to most logins, so the dangerous ones will probably be near the top of the list.

(last -if /var/log/wtmp; last -if /var/log/wtmp.1) | grep . | grep -v wtmp | grep -v boot | awk '{print $3}' | sort | uniq -c | sort -n | awk '{print $2}' | xargs -l sh -c 'printf "%15s / %s, %s, %s (%s)\n" $0 "$(curl -s "ipinfo.io/$0/country")" "$(curl -s "ipinfo.io/$0/city")" "$(curl -s "ipinfo.io/$0/org")" "$(curl -s "ipinfo.io/$0/hostname")"'

Explanation:

  • concatenate results from both the current and last month's wtmp files
  • remove empty lines and those containing wtmp or boot
  • keep only the IP address column (awk)
  • sort and count unique addresses
  • sort again by number of occurrences
  • keep only the IP address (awk)
  • xargs prints each address nicely, looking up country, city, org and hostname via the ipinfo.io service

When you find a suspicious IP, do a little research:

(last -wf /var/log/wtmp; last -wf /var/log/wtmp.1) | grep "122.173.247.248\|31.129.182.183\|37.139.47.83\|122.173.2.10"

Geolocation

I will be using online services for easy geolocation: ipinfo.io (limited to 1000 requests per day) and ifconfig.me.

curl ipinfo.io/178.148.86.40

will give you a detailed report.

Or you can use a local-only lookup:

apt-get -y install geoip-bin
geoiplookup 178.148.73.195 | sed -re 's/(.*): (.*)/\2/g'

Or even more detailed local database:

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz

gunzip Geo*.dat.gz
sudo cp GeoIP.dat GeoIPASNum.dat GeoLiteCity.dat /usr/share/GeoIP/

And now, try again: geoiplookup 178.148.73.195

How to look up the geographic location of an IP address from the command line - Xmodulo

There is also:

freegeoip.net

curl freegeoip.net/xml/8.8.8.8

SeeIP - A Simple Public IP Address API


GeoIP Databases

Maxmind GeoIP Updater (PHP based)



There are known security vulnerabilities for each WordPress version. For this reason, displaying the version of your WordPress installation makes it an easier target for hackers. The version of an unprotected WordPress installation can be seen in the page meta data and in readme.html files. The security check should verify that all readme.html files are empty and that every theme has a functions.php file which contains the line: remove_action('wp_head', 'wp_generator');. If the security check failed and you choose to secure the WordPress installation, the content of the readme.html files will be cleared, and the above line will be added to the functions.php file of every theme. If there is no such file in a theme, it will be created.

The wp-content directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-content directory. The security check should verify that the execution of PHP files in the wp-content directory is forbidden. If the security check failed and you choose to secure the WordPress installation, execution of PHP files in the wp-content directory will be forbidden in the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.

The wp-includes directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-includes directory. The security check should verify that the execution of PHP files in the wp-includes directory is forbidden. If the security check failed and you choose to secure the WordPress installation, execution of PHP files in the wp-includes directory will be forbidden in the server

Woow. I really like this plugin!

define('DISALLOW_FILE_EDIT', true);

Detection of Malware: VirusTotal


Interesting for detecting exploits: Web Shell Detector

A collection of PHP backdoors: bartblaze/PHP-backdoors


Hacked:

How to Find a Backdoor in a Hacked WordPress Site and Fix It

Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked | Elegant Themes Blog

Getting Hacked Constantly? Stopping Backdoor Exploits for Good

Great explanation: Principles of Secure WordPress Code

date 01. Jan 0001 | modified 28. May 2021
filename: WordPress » Security