Securing your WordPress Site – Aaditya Purani

Hello,

I am Aaditya Purani, an 18-year-old ethical hacker / security researcher from India, currently studying ICT Engineering, and CEO of @IndianHacking. I have been in the security research field for a long time and love making people aware of security. Today I would like to present my first post on LinkedIn: Securing a WordPress Website. (https://www.linkedin.com/pulse/securing-your-wordpress-site-right-way-aaditya-purani)

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Its features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015.

23.3% of the top 10 million websites: yes, you read that right. People use the WordPress CMS for personal blogs, business sites and much more. But you may be shocked to hear that around 18,000 sites running WordPress get hacked in a single day. That is not a problem with WordPress itself; it is usually the owner's fault. So we will look at the ways a site running WordPress can be compromised. I have worked with WordPress for some time, and I have also written WordPress exploits that could be dangerous to a site's security and helped vendors patch them.

There are basically two flavours of WordPress: WordPress.com and WordPress.org. WordPress.org is the self-hosted version, while WordPress.com is a ready-made, hosted site whose features are limited by the package you choose. People use WordPress.org more than WordPress.com, since WordPress.org is like starting a website from scratch: you buy hosting with cPanel, download themes and register a domain name to bring the site live.

WordPress.com sites are hosted by WordPress itself. Most of them are blogs, either at xyz.wordpress.com or on a custom domain bought for $18 per year, and you get fewer features unless you upgrade your plan for things like CSS editing, custom themes and plugins.

Such WordPress-hosted sites are hacked less often, and the main reason they do get hacked is a weak password. With a strong password, breaking into a WordPress.com site is considerably harder, as most of them are free blogs without a Business plan (https://store.wordpress.com/plans/). With a strong password and two-factor authentication it is difficult to break in at all. As a safety measure, I always recommend not storing any credit card details in your WordPress.com profile.

Now let's move to the main part, which is what most of you are interested in: the WordPress sites an admin builds from scratch. Here the web developer or admin plays the major part. So, suppose you have a .com domain, you have bought hosting from a reliable provider, and you decide to use the WordPress CMS for your site.

You install WordPress through Softaculous directly from cPanel, or by extracting the zip file of the version you downloaded from wordpress.org. Then you go to your admin panel, change your passwords, install some plugins, and you are ready with your own site. You sit back and relax, thinking your site is secure, and one fine day it gets hacked.

Nobody wants their site hacked, but it is true that sites running WordPress are not secure if you are not vigilant. So let's dive into how you can make your WordPress site secure, and how hackers break into it: learning the hacker's way.

The first thing to do after making your site live is to add this to your .htaccess:
<Files wp-config.php>
order allow,deny
deny from all
</Files>

wp-config.php is the WordPress configuration file: it holds the database credentials (and the secret keys and salts), and nobody wants it readable by any visitor. Note that the Order/Deny directives above are Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied, so check which version your host runs. In addition, make sure that only you (and the web server) can read this file, which usually means 400 or 440 permissions. WordPress's own hardening guide suggests 600; the write bit matters less than who can read the file. On shared hosting where PHP for every customer runs as the same web-server user, any file that user can read can also be read from another customer's account (the classic symlink trick), and the result is a massacre. So also check with your host that PHP runs under your own account (suPHP, or a PHP-FPM pool per user) rather than as a shared user.

Second, add Options -Indexes to your .htaccess. This turns off directory listings, so anyone who browses to a directory without an index file gets a 403 Forbidden instead of a list of its contents.

Third, many people have told me their site has a Full Path Disclosure (FPD), which reveals the server-side path of the site (your public_html or wwwroot directory). That is useful to an attacker in several ways, for example in attacks that need to know an absolute path on disk. To check whether your own site is affected, browse to www.yoursite.com/wp-includes/rss-functions.php

If you see a PHP error containing the full path, you are affected; otherwise you are fine. Many people ask how to patch it, rarely get a good answer, and usually end up with a 500 Internal Server Error. This is one of my favourite things to answer. Create a .htaccess inside the /wp-includes/ directory and add the following line:

php_flag display_errors 0

It stops PHP from displaying errors to visitors, and the FPD bug is gone. One caveat: php_flag only works when PHP runs as an Apache module (mod_php). If your host runs PHP as CGI or PHP-FPM, that line is an unknown directive to Apache, which is exactly what produces the 500 error; in that case put display_errors = Off in a .user.ini file in the same directory, or ask your host to turn display_errors off in php.ini. Either way, keep logging errors to a file that is not web-accessible. I recommend newbies try this.
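The three steps above (locking down wp-config.php, turning off directory listings, and hiding PHP errors in wp-includes) can be checked from the shell before you rely on them. The script below is an added example and is not from the original post or from WordPress: it audits a WordPress root for the wp-config.php permissions, for a <Files> block that denies access (accepting both the Apache 2.2 syntax shown above and the Apache 2.4 Require all denied form), for Options -Indexes, and for display_errors being turned off in wp-includes either with php_flag or with a .user.ini. The function names, the set of permissions it accepts (400/440/600/640) and the 2.2/2.4-compatible block it prints are this example's own choices.

```shell
#!/bin/sh
# wp_audit.sh - offline checks for the three .htaccess / permission steps above.
# Added example, not from the original post. Assumes an Apache host that honours
# .htaccess files; the WordPress root directory is passed as the first argument.

# Print the permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# wp-config.php may be readable by the owner only (400/600) or owner+group
# (440/640): no bits at all for "others", and no group write bit.
wp_config_mode_ok() {
  mode=$(file_mode "$1" 2>/dev/null) || return 1
  mode=$(printf '%s' "$mode" | tail -c 3)       # drop any setuid/setgid/sticky digit
  case "$mode" in
    [0-7][04]0) return 0 ;;
    *)          return 1 ;;
  esac
}

# Does the .htaccess ($1) contain a <Files NAME> block ($2) that denies all access?
# Accepts both the 2.2 form (Deny from all) and the 2.4 form (Require all denied).
htaccess_denies_file() {
  awk -v name="$2" '
    BEGIN { name = tolower(name) }
    tolower($0) ~ ("<files[ \t]+\"?" name "\"?[ \t]*>") { inblock = 1; next }
    tolower($0) ~ "</files>"                            { inblock = 0 }
    inblock && tolower($0) ~ /(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1" 2>/dev/null
}

# Directory listings off: an Options line that removes Indexes.
htaccess_disables_indexes() {
  grep -iqE '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" 2>/dev/null
}

# display_errors off for a directory ($1): via php_flag in .htaccess (mod_php) or via
# a .user.ini (PHP-FPM/CGI, where php_flag in .htaccess gives a 500 instead).
display_errors_off() {
  grep -iqE '^[[:space:]]*php_flag[[:space:]]+display_errors[[:space:]]+(0|off)' "$1/.htaccess" 2>/dev/null \
    || grep -iqE '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(0|off)' "$1/.user.ini" 2>/dev/null
}

# The wp-config.php block, written so that it works on both Apache 2.2 and 2.4.
recommended_wpconfig_block() {
  cat <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Run every check against a WordPress root; prints PASS/FAIL per check and
# returns the number of failed checks (0 means everything is in place).
audit_wp() {
  root=$1; fails=0
  report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fails=$((fails + 1)); fi; }
  report wp_config_mode_ok         "$root/wp-config.php"
  report htaccess_denies_file      "$root/.htaccess" wp-config.php
  report htaccess_disables_indexes "$root/.htaccess"
  report display_errors_off        "$root/wp-includes"
  return "$fails"
}

if [ "$#" -gt 0 ]; then audit_wp "$1"; fi
```

Run it as sh wp_audit.sh /path/to/public_html; a non-zero exit code is the number of checks that failed, and recommended_wpconfig_block prints the block to paste into .htaccess.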

Now I'll suggest some plugins to install first. Also, always put the site behind Cloudflare, which acts as a reverse proxy for the website and helps absorb distributed denial of service (DDoS) attacks. Keep in mind that it only helps if your origin server accepts traffic from Cloudflare alone: if the origin IP address is exposed, attackers simply go around the proxy.

404 error monitor: logs every request that hits a page that does not exist and shows you the exact path requested. Useful when someone is trying exploits against your site, since scanners generate long runs of 404s for plugin and theme paths.
Add logo to admin: a show-off feature for the admin panel, nothing security-related.
Better WP Security: the best plugin in my opinion. It lets you change the location of your admin panel, rate-limit login attempts, block malicious comments, block and whitelist IPs, and much more.
Bots visitor counter: tracks the bots that scanned your site.

Captcha on login: a simple rate-limit / brute-force protection for the login form.

Remove xmlrpc pingback: XML-RPC is the remote-publishing interface available at www.yoursite.com/xmlrpc.php and implemented in wp-includes/class-wp-xmlrpc-server.php. If you do not need it (the mobile apps, Jetpack and remote publishing do), it is extra attack surface that can:

  • be used to hijack your website without your knowledge (the system.multicall method lets an attacker try hundreds of passwords in a single request, bypassing login rate limits)
  • make your site take part in a DDoS attack against someone else (the pingback method fetches whatever URL it is told to)
  • potentially get your domain labelled as a spammer

iThemes Security: this is the new name of Better WP Security (above), not a separate plugin; if you see both names in the plugin directory, they refer to the same thing.

Wordfence: another great security plugin, top-rated for quite some time. It scans your files, e-mails you when a backdoor or a modified core file is found, and lets you repair or delete the file.

WP-DBManager: lets you optimise, repair, back up and restore the database, delete old backups, drop or empty tables and run selected queries. It also supports scheduled backups, optimisation and repair.

Sucuri Security: features include security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, security notifications and much more (the firewall is a separate paid service). I also use Sucuri for my web clients.

And there are many more good ones (the post would be too long if I included them all; message me if you want the list).
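What the 404 monitor, the login captcha and the XML-RPC plugins above protect against also shows up in the web server's access log, with or without a plugin. The script below is an added example, not from the original post or from any of those plugins: it reads a combined-format access log and flags clients that exceed a threshold of 404s on wp- paths (scanning), POSTs to wp-login.php (password guessing) or POSTs to xmlrpc.php (pingback or multicall abuse). The log lines are constructed for the example, and the default threshold of five requests is an arbitrary assumption to tune for your own traffic.

```shell
#!/bin/sh
# wp_log_triage.sh - flag noisy clients in a combined-format access log.
# Added example, not from the original post. Field positions assume the
# Apache/Nginx "combined" format; threshold and sample lines are assumed.

# Print one line per offending client:  IP  reason  count
#   scan   - 404s on /wp-* paths (a scanner probing for plugins, themes, backups)
#   login  - POSTs to wp-login.php (password guessing)
#   xmlrpc - POSTs to xmlrpc.php (pingback abuse or system.multicall brute force)
triage_log() {  # $1 = log file, $2 = threshold (default 5)
  awk -v limit="${2:-5}" '
    {
      ip = $1
      # combined format: $6 is the opening quote plus method, $7 the path, $9 the status
      method = substr($6, 2); path = $7; status = $9
      sub(/\?.*/, "", path)                               # ignore query strings
      if (status == 404 && path ~ /^\/wp-/)               scan[ip]++
      if (method == "POST" && path ~ /\/wp-login\.php$/)  login[ip]++
      if (method == "POST" && path ~ /\/xmlrpc\.php$/)    xmlrpc[ip]++
    }
    END {
      for (ip in scan)   if (scan[ip]   >= limit) print ip, "scan",   scan[ip]
      for (ip in login)  if (login[ip]  >= limit) print ip, "login",  login[ip]
      for (ip in xmlrpc) if (xmlrpc[ip] >= limit) print ip, "xmlrpc", xmlrpc[ip]
    }
  ' "$1" | LC_ALL=C sort
}

# Constructed log lines (RFC 5737 documentation addresses) for trying it offline.
emit() {  # emit COUNT IP "METHOD PATH" STATUS
  n=$1
  while [ "$n" -gt 0 ]; do
    printf '%s - - [01/Mar/2015:10:00:00 +0000] "%s HTTP/1.1" %s 512 "-" "Mozilla/5.0"\n' "$2" "$3" "$4"
    n=$((n - 1))
  done
}
sample_log() {
  emit 3  192.0.2.10    "GET /"                                       200  # ordinary visitor
  emit 2  192.0.2.10    "GET /wp-content/uploads/missing.png"         404  # a few 404s are normal
  emit 3  198.51.100.23 "GET /wp-content/plugins/plugin-a/readme.txt" 404  # plugin enumeration
  emit 3  198.51.100.23 "GET /wp-content/plugins/plugin-b/readme.txt" 404
  emit 2  198.51.100.23 "GET /wp-admin/"                              302
  emit 8  192.0.2.99    "POST /wp-login.php"                          200  # password guessing
  emit 12 203.0.113.7   "POST /xmlrpc.php"                            200  # pingback / multicall abuse
}

if [ "$#" -gt 0 ]; then triage_log "$1" "$2"; fi
```

Try it with sample_log > /tmp/access.log; sh wp_log_triage.sh /tmp/access.log, or point it at your real log; the flagged addresses are candidates for the IP block list of the security plugin you use.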

These are small ways to strengthen your site's security. Nobody can guarantee complete security of your website: if a single other site hosted on your shared server is vulnerable, an attacker can reach yours from it, either by symlinking across accounts or by rooting the server. I'll talk more about symlinking in the near future; this post is dedicated to making your WordPress safer and better.

So the question is:

Now that you have the plugins, is your site secure?

A tough question, but plugins do not guarantee 100% security: a zero-day vulnerability in one of the plugins or themes you use can be exploited before even the vendor knows about it, and a bad guy who keeps himself one step ahead destroys as many sites as he can. A recent example is Revolution Slider (RevSlider), where a very large number of sites were hacked or affected because so many of them bundled that plugin; the vendor has since released a fix. The moral of the story is that you cannot be completely safe from zero-days. I have reported many zero-days, from shell upload to cross-site scripting, to vendors and helped them patch before the bad guys attacked.

So here are a few tips you must apply:

1) Make sure your website was built following secure coding principles.

2) Don't use admin as the username, as it is the first one tried in brute-force attacks, and use a strong password.

3) Keep your web server and kernel up to date.

4) Don't install themes or plugins from untrusted sources; nulled or unverified copies often carry malicious code. Stick to the official WordPress.org directory or a reputable vendor.

5) Check your site regularly, harden WordPress as much as you can, and install the latest WordPress updates.

6) Back up your data so nothing is lost when your site gets hacked, and keep the backups somewhere other than the web server itself.

7) Use SSL/TLS to encrypt the traffic, especially if you run a business site that sends transactions, credit card numbers or private information to the server.

8) Two-step authentication, so that even if an attacker has your password, he won't be able to log in.

9) THE MAIN POINT: hire a security researcher like us 🙂
Because I believe "only a hacker can counter a hacker".
You always need someone who thinks like an attacker 😉.

That's where many big companies lag behind: responsible disclosure and bug bounty programs are the need of the hour. We are the hackers you can trust.

I would like to thank those who read my article. I welcome suggestions, constructive criticism and responses, as they motivate me to work harder so that I can help millions of people get their security right. You can share, like and post this on your wall, but please don't forget to credit me 😉.

You can always contact me here, or at

https://twitter.com/aaditya_purani

https://www.facebook.com/aadityapuraniofficial

http://aadityapurani.com

http://www.facebook.com/aaditya.purani.1

I would be back with other interesting Post soon. Till then “Be Secure”

Regards,

Aaditya Purani
