WordPress – a convenient platform for the publication of articles and management, which is based on a huge number of different sites. Because of its prevalence, this CMS has long been a tasty morsel for hackers.

Unfortunately, the basic settings do not provide an adequate level of protection, leaving many holes uncovered credit default. In this article we will go through a typical “model” hacking site on WordPress, and show how to fix identified vulnerabilities.

Today WordPress content management system is the most popular. Its share is 60.4% of the total number of sites using CMS-engines. Of these, according to the statistics, 67.3% of the sites based on the latest version of the software. Meanwhile, in the twelve years of the web engine it was found 242 vulnerabilities of various kinds (excluding vulnerabilities found in third-party plug-ins and themes). A third-party add-ons statistic is even sadder. Thus, the company conducted an analysis in 2350 Revisium Russified templates for WordPress, taken from different sources. As a result, they found that more than half (54%) were infected Web Shell, backdoors, blackhat seo (“spam”) links and scripts contained critical vulnerabilities. So sit back, now we are going to understand how to carry out an audit on the WordPress site and eliminate the shortcomings found. Use will be version 4.

Indexing site

The first step in any test is usually to collect information about the target. And then very often it helps misconfiguration Indexing site which allows unauthorized users to view the contents of certain sections of the site and, for example, to get information about installed plug-ins and themes, as well as access to confidential data or backups of databases. To check which directories are visible from the outside, the easiest way to take advantage of Google. It is enough to run a query Google Dorks type site: example.com intitle: «index of» inurl: / wp-content /. The operator inurl: You can specify the following directories:

/wp-content/
/wp-content/languages/plugins
/wp-content/languages/themes
/wp-content/plugins/
/wp-content/themes/
/wp-content/uploads/

If you can view the / wp-content / plugins /, the next step is to collect information about installed plug-ins and their versions is greatly simplified. Naturally, you can prevent the indexing using the file robots.txt. So by default it is not included in the installation package WordPress, it is necessary to create and throw yourself to the root directory of the site. Manuals for creating and working with the robots.txt file is quite a lot, so leave this subject for self. To give just one of the possible options:

User-Agent: *
Disallow: /cgi-bin
Disallow: /wp-login.php
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /?author=*
Allow: /

If the files stored in a folder uploads, are confidential information, add to this list line: Disallow: / wp-content / uploads /. On the other hand, the robots.txt file is not recommended to place links to directories that have been created specifically for the storage of sensitive information. Otherwise, you thereby facilitate the task of the attacker, because this is the first place where usually all look in search of “yammy”.

Security-plugins for WordPress

• Login LockDown – limits the number of failed login attempts;
• Revisium WordPress Theme Checker – looks for typical malware pieces in the themes WordPress;
• Sucuri Security – carries out monitoring and detection of malicious code;
• IThemes Security (formerly Better WP Security) – to protect the multi plug WordPress;
• BackUpWordPress – makes a backup of files and databases;
• Google Captcha (reCAPTCHA) – establishes a captcha in the registration, login, password recovery, and in the form of comments.

Connect .htaccess

To restrict access to sensitive information is better to use the file .htaccess – it is a configuration file used by Apache Web Server. Consider the possibility of the file from the standpoint of safety. With it you can: deny access to directories and files, lock various SQL-injection and malicious scripts. For this standard .htaccess file for CMS WordPress 4.1 you need to expand a little. To close the list of files and folders, add:

Options +FollowSymLinks -Indexes

RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]

Block references containing the encoding Base64. Get rid of links containing the tag <script>:

RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

To counteract scripts trying to set global variables or change _REQUEST variable via URL:

RewriteCond %{QUERY_STRING} GLOBALS (=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST (=|\[|\%[0-9A-Z]{0,2})

To counter SQL-injection blocking requests to the URL, containing certain key words:

RewriteCond %{query_string} concat.*\( [NC,OR]
RewriteCond %{query_string} union.*select.*\( [NC,OR]
RewriteCond %{query_string} union.*all.*select [NC]
RewriteRule ^(.*)$ index.php [F,L]

To spoil the life common hacking tools, filters certain user-agents:

SetEnvIf user-agent «Indy Library» stayout=1
SetEnvIf user-agent «libwww-perl» stayout=1
SetEnvIf user-agent «Wget» stayout=1
deny from env=stayout

Protects files

It would be nice to limit and access to critical files that store configuration or just can give an attacker some information. You can select the following candidates:

• Wp-config.php, includes a database name, user name, password and table prefix;
• .htaccess;
• Readme.html and ru_RU.po, which contain a version of WordPress;
• Install.php.

This is done as follows:

<Files file_name>
Order Allow,Deny
Deny from all
</Files>

The file .htaccess, containing these lines should be in the same directory as the file is protected. Then do not allow listing of users (remember, a little higher, we talked about how easy it is to get a list of users?):

RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

So, what else? You can allow the entrance only from specified IP-addresses. To do this, create a .htaccess file in your wp-admin with the following rules:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from 178.178.178.178  # IP Home computer
allow from 248.248.248.248  # IP Work computer

The method is not very flexible and is applicable only if you are working with a limited number of fixed IP-addresses. Otherwise it is recommended to set a password to the folder wp-admin panel through hosting (if this functionality).

WWW

A set of rules 5G Blacklist and 6G Blacklist beta from Perishable Press, which allows you to deal with prevalent malicious URL-requests for WordPress.

Additional measures

Besides what has been said above, the following recommendations can be added. First, use only the latest versions of WordPress and its components – this will eliminate known vulnerabilities. Second, remove the plugins and themes, which can also be proekspluatirovat. Third, download the WordPress themes and plugins from reliable sources, such as the sites of developers and the official site of WordPress. As well as home PC, you need to periodically check your web resource Web Antivirus, for example AI-Bolit. If you have access to the web server, the mood of access rights to files and directories. Typically, WordPress sets full rights in the installation phase, but if necessary can be set manually chmod. For directory – chmod 755 for files – chmod 644. Make sure that the rights of 777 assigned only to those facilities that need it (sometimes it is necessary for the normal operation of some plug-ins). If WordPress ceased to function normally, experiment with access rights: First try 755, then 766 and finally 777. For all the htaccess-file to expose chmod 444 (read only). If the site no longer work, try experimenting with values of 400, 440, 444, 600, 640, 644.

Move the file wp-config.php. This file contains information about the settings, MySQL, the table prefix, secret keys, and more. Therefore, it is necessary to transfer to the file was not available from the Internet. If the site is not located in the folder public_html, then drag the file wp-config.php in the folder level above, and WordPress will automatically find it in the root directory (applies if there is only one hosting site this CMS).

To complicate the casting shell, disable the ability to edit threads console WordPress. To do this, insert the following line in the file wp-config.php:

define ('DISALLOW_FILE_EDIT', true) ;

Another weak spot – the file install.php (in the folder wp-admin). Therefore, it is better to remove, block or change. Perform one of the following:

1. Simply delete this file – after installation it is no longer necessary.
2. Deny access to the file via .htaccess.
3. Rename the original file install.php (eg, install.php.old) and create a new file install.php with the following contents:

<?php header("HTTP/1.1 503 Service Temporarily Unavailable"); ?>
<?php header("Status 503 Service Temporarily Unavailable"); ?>
<?php header("Retry-After 3600"); // 60 minutes ?>
<?php mail("your@email.com", "Database Error", "There is a problem with teh database!"); ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en"xmlns="http://www.w3.org/1999/xhtml"lang="en">
<head>
<meta http-equiv="Content-Type"content="text/html; charset=utf-8" />
<title>Error Establishing Database Connection</title>
</head>
<body>
<h1>Error Establishing Database Connection</h1>
<p>We are currently experiencing database issues. Please check back shortly. Thank you.</p>
</body>
</html>

In addition to notifying visitors of the site, this script does the following:

• Sends the customer and the search engines the status code 503 (“Service unavailable”);
• Specifies the time interval through which customers and the search engines can return to the site (adjustable parameter);
• Notify by e-mail about a problem with the database for appropriate action.

The fact that in earlier versions of WordPress (< = 2.7.1) with faults MySQL (for example, DDoS-attack) CMS makes it possible to reinstall. In addition, it can happen and fault / damage to one of the tables WordPress. In particular, the attack is possible when the damaged table ks29so_options (in WordPress 2.6.2) or ks29so_users (in WordPress 2.0.3 and 2.0.11). That is, in different versions of WP different tables at the main check in the installer - it can be either table ks29so_options, or ks29so_users.

Finally, disconnect the registration of new users, if this is not necessary. If, however, provides online registration, take care of that new users after registration received minimal privileges.

Useful links

• Hardening WordPress
• Ten steps to protect your WordPress-blog
• Every second Russified template for WordPress infected or vulnerable
• Presentation on hacking WordPress

Closing

WordPress – a fairly large and complex product, with its pluses and minuses. Unfortunately, in the default configuration, its safety is questionable, since even in the presence of normal skriptkidis straight hand and the Internet will be able to break through the protection. Therefore, we strongly recommend checking out the resource in the same way as we did in the article. And if you find flaws – fixed them to reduce the chances of an attacker to compromise a resource to a minimum.