Categories
WordPress

Improving WordPress security with the .htaccess

In this article I’ll share some of the security tweaks I tend to add to the .htaccess to improve the security of a WordPress installation.

Hide the wp-config.php file

Since the wp-config.php file contains our database credentials, we do not want this file to be accessible, PERIOD. By adding this snippet to our .htaccess file we stop Apache from serving it:

# Hide wp-config file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

This rule stops Apache from serving wp-config.php to any visitor. Note that the order/deny syntax is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, so on 2.4 use Require all denied inside the Files block instead.

Hide the .htaccess file itself

Rules in our .htaccess are only useful if the .htaccess file itself can’t be read by visitors. To make sure of that we add this to the .htaccess file (Apache’s default configuration already denies access to every file whose name starts with .ht, so this is a safety net in case that default was changed):

#hide htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

Block requests towards the wp-includes folder and files

This is in fact a no-brainer. No legitimate request will ever execute a PHP file in the wp-includes folder directly: the scripts in there are loaded by WordPress itself, never called from the browser. On the other hand it’s a popular spot to hide malicious files, such as backdoors and shells.

So let’s make sure the PHP files in this folder can’t be requested directly. Stylesheets and JavaScript in wp-includes are still served, since themes and the admin screens load them. On a Multisite install check the WordPress hardening guide first, as older Multisite setups serve uploads through wp-includes/ms-files.php, which this would block. We can do this by adding this little snippet to our .htaccess:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing in wp-admin/includes is meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Forbid any PHP file directly under wp-includes
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# TinyMCE language files are PHP, but are loaded by WordPress, not the browser
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# Legacy theme fallbacks, not needed over HTTP
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Blocking the TRACE method

Blocking the TRACE method will help to counteract XSS (Cross Site Scripting) attacks, specifically the Cross-Site Tracing (XST) variant: a TRACE response echoes the request headers, cookies included, back to whoever sent it.

# Block TRACE method
RewriteEngine On
# Match the request method, then answer any such request with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

If you control the server configuration, TraceEnable off in httpd.conf is the cleaner fix; that directive is not allowed in .htaccess, which is why this uses mod_rewrite.

Prevent username enumeration

Within the URL structure of WordPress, it’s (in some situations) easy to ascertain the usernames of the authors. This can be done with the following URLs:

https://domain.com/?author=1
https://domain.com/?author=2
...

WordPress then redirects each of these to the author archive, a URL similar to this:

https://domain.com/author/mysupersecretusername/

You immediately understand this can be used to ascertain a list of usernames, which can then be used for a brute forcing attack.

We can stop this by adding this snippet to our .htaccess file:

# Stop username enumeration
RewriteEngine On
# Leave the admin screens alone, they use author= legitimately
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Any request carrying author=<number> in the query string ...
RewriteCond %{QUERY_STRING} author=\d
# ... is sent to the home page instead of the author archive
RewriteRule ^ /? [L,R=301]

Keep in mind that this only covers the ?author=N redirect. WordPress also lists users who have published posts through the REST API at /wp-json/wp/v2/users, and the /author/username/ archives themselves stay reachable; this rule touches neither.
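Once these rules are in place it is worth knowing how often they actually fire. The script below is an added example, not part of this post: it reads an Apache combined-format access log and counts, per client IP, the requests the rules above are meant to block (wp-config.php, .htaccess, PHP under wp-includes, TRACE, and ?author=N probes outside /wp-admin). The log lines are constructed for the example, the classification is a deliberate approximation of the rewrite rules (it flags any .php under wp-includes), and the function names are my own.

```shell
#!/bin/sh
# Added example: count blocked-pattern requests per client IP in an Apache
# combined access log. Sample lines are constructed (documentation-range IPs).

sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0200] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0200] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0200] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0200] "TRACE / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0200] "GET /wp-includes/version.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0200] "GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 200 89476 "https://example.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:01 +0200] "GET /author/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# classify_request METHOD PATH: print a label if the request matches one of
# the blocked patterns, nothing otherwise. Approximates the .htaccess rules:
# every .php under wp-includes is flagged, and author=N is ignored under
# /wp-admin just like the enumeration rule does.
classify_request() {
    method=$1
    path=$2
    if [ "$method" = "TRACE" ]; then
        echo "trace-method"
        return 0
    fi
    file=${path%%\?*}                    # path without the query string
    case "$path" in
        *\?*) query=${path#*\?} ;;
        *)    query="" ;;
    esac
    label=""
    case "$file" in
        */wp-config.php)    label="wp-config" ;;
        */.htaccess)        label="htaccess" ;;
        /wp-includes/*.php) label="wp-includes-php" ;;
    esac
    if [ -z "$label" ]; then
        case "$path" in
            /wp-admin*) ;;               # admin screens use author= legitimately
            *) case "&$query" in         # leading & lets author= match in any position
                   *"&author="[0-9]*) label="author-enum" ;;
               esac ;;
        esac
    fi
    if [ -n "$label" ]; then
        echo "$label"
    fi
    return 0
}

# summarise_log: read log lines on stdin, print "IP LABEL COUNT" per pair, sorted
summarise_log() {
    while IFS= read -r line; do
        ip=${line%% *}
        req=${line#*\"}                  # text after the first double quote ...
        req=${req%%\"*}                  # ... up to the closing one: METHOD PATH PROTO
        method=${req%% *}
        rest=${req#* }
        path=${rest%% *}
        label=$(classify_request "$method" "$path")
        if [ -n "$label" ]; then
            echo "$ip $label"
        fi
    done | LC_ALL=C sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# run_sample: summarise the constructed log above
run_sample() {
    sample_log | summarise_log
}

run_sample
```

To use it on a real server, replace sample_log with the access log, for example cat /path/to/access.log | summarise_log, and feed the IPs with the highest counts into whatever blocking or alerting you already have.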

A small bash backup script for WordPress

As most of you know I work as an Escalation Engineer at Combell.com. Recently I crafted a tiny backup script that makes backups of my own site. While this script is optimized for use on shared servers at Combell.com, it can easily be adapted to be used anywhere.

#!/bin/bash

#### Settings ####
NOW=$(date +"%Y-%m-%d-%H%M")
# Resolve the folder the script lives in, so the paths below do not depend on
# the working directory cron happens to start us in
FULL_PATH=$(cd "$(dirname "$0")" && pwd)
cd "$FULL_PATH" || exit 1
BACKUP_FOLDER="$FULL_PATH/data"
mkdir -p "$BACKUP_FOLDER"

#### Site-specific Info ####
SITE_PATH="www" # Could also be subsites/subsitename

# Read one define('KEY', 'value') line from wp-config.php and return the value
# (the fourth single-quote-separated field)
wp_config_value() {
    grep "define.*'$1'" "$SITE_PATH/wp-config.php" | cut -d \' -f 4
}
DB_NAME=$(wp_config_value DB_NAME)
DB_USER=$(wp_config_value DB_USER)
DB_PASS=$(wp_config_value DB_PASSWORD)
DB_HOST=$(wp_config_value DB_HOST)

#### Files backup ####
files_backup() {
    # -q keeps zip quiet so cron does not mail a full file listing every run
    zip -qr "$BACKUP_FOLDER/$SITE_PATH.$NOW.zip" "$SITE_PATH"
}

#### Database Backup ####
database_backup() {
    # Hand the credentials to mysqldump through a temporary options file
    # (mktemp creates it with mode 0600) instead of -p on the command line,
    # where the password would be visible to every other user in ps
    CNF=$(mktemp)
    printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' "$DB_HOST" "$DB_USER" "$DB_PASS" > "$CNF"
    mysqldump --defaults-extra-file="$CNF" "$DB_NAME" > "$BACKUP_FOLDER/$DB_NAME.$NOW.sql"
    rm -f "$CNF"
}

#### Runner ####
files_backup
database_backup

This script can be run automatically on a Combell server by adding a cron entry for it. You can do this in /etc/crontab by adding, for example, this line:

0 */6 * * * /bin/sh /data/sites/web/youraccountname/backup.sh

The cron above will create a backup every six hours. Do not forget to put this backup.sh script in the root of your account.
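A backup that runs every six hours fills the data folder quickly and nobody notices a broken dump until it is needed. The helpers below are an added example, not part of the post’s script; they assume the file naming used above (SITE_PATH.NOW.zip and DB_NAME.NOW.sql in the data folder, with NOW formatted as year-month-day-hourminute, so sorting by name sorts by date) and the "-- Dump completed" trailer that mysqldump writes at the end of a successful dump. The function names and the sample files are my own.

```shell
#!/bin/sh
# Added example: retention and a sanity check for the backup script above.
# Assumes backups are named <site>.<YYYY-mm-dd-HHMM>.zip / <db>.<YYYY-mm-dd-HHMM>.sql.

# count_backups DIR EXT: number of *.EXT files in DIR
count_backups() {
    n=0
    for f in "$1"/*."$2"; do
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# prune_backups DIR KEEP: delete all but the KEEP newest .zip and .sql backups.
# Because the timestamp is part of the name, a reverse name sort lists the
# newest file first; everything after the first KEEP lines goes.
prune_backups() {
    dir=$1
    keep=$2
    for ext in zip sql; do
        printf '%s\n' "$dir"/*."$ext" | LC_ALL=C sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r f; do
            if [ -e "$f" ]; then         # skips the literal pattern when the glob matched nothing
                rm -f -- "$f"
            fi
        done
    done
}

# verify_backup FILE: succeeds if FILE exists, is non-empty and, for a .sql
# dump, ends with the "-- Dump completed" trailer mysqldump writes on success
# (an interrupted dump is a truncated file without it).
verify_backup() {
    f=$1
    [ -s "$f" ] || return 1
    case "$f" in
        *.sql) tail -n 5 "$f" | grep -q '^-- Dump completed' || return 1 ;;
    esac
    return 0
}

# Usage: sh retention.sh DATA_DIR KEEP, e.g. the data folder above and 7.
# With no arguments nothing is touched.
if [ $# -eq 2 ]; then
    prune_backups "$1" "$2"
    for f in "$1"/*.sql; do
        [ -e "$f" ] || continue
        if verify_backup "$f"; then echo "ok   $f"; else echo "BAD  $f"; fi
    done
fi
```

Calling it from the end of backup.sh, after database_backup, turns a silent failure into a BAD line in the cron mail, and keeps the data folder at a known size.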

Hope this helps you guys.

PS: the FULL_PATH variable is already included since I’m planning to iterate on this script and add more features, even though it’s currently only used to declare the backup directory path.


Using WordPress as a static site generator

This weekend I spoke at WordCamp Nijmegen in The Netherlands. Below you can find my slides for that presentation.

Using WordPress as a Static Site Generator from Brecht Ryckaert