{"id":2538,"date":"2020-04-17T22:08:05","date_gmt":"2020-04-18T02:08:05","guid":{"rendered":"https:\/\/blog.jonesling.us\/?p=2538"},"modified":"2020-04-28T17:18:55","modified_gmt":"2020-04-28T21:18:55","slug":"securing-wordpress-the-basics","status":"publish","type":"post","link":"https:\/\/blog.jonesling.us\/?p=2538","title":{"rendered":"Securing WordPress: The Basics"},"content":{"rendered":"

This is the first in an occasional series of documents on WordPress<\/a>.<\/p>\n

\n

WordPress<\/a> is ubiquitous but fragile.\u00a0 There are few alternatives that provide the easy posting, wealth of plugins, and integration of themes, while also being (basically) free to use.<\/p>\n

It’s also a nerve-wracking exercise in keeping bots and bad actors out.\u00a0 Some of the historical security holes are legendary.\u00a0 It doesn’t take long to find someone who experienced a site where the comments section was bombed by a spammer, or even outright defacement.\u00a0 (I will reluctantly raise my own hand, having experienced both in years past.)<\/p>\n

Most people that use WordPress nowadays rely on 3rd parties to host it.\u00a0 This document isn’t for them; hosted security is mostly outside of your control.\u00a0 That’s generally a good thing: professionals are keeping you up to date and covered by best practices.<\/p>\n

The rest of us muddle through security and updates in piece-meal fashion, occasionally stumbling over documents like this one.<\/p>\n

Things To Look Out For<\/h1>\n

As a rule, good server hygiene demands that you keep an eye on your logs.\u00a0 Tools like goaccess<\/a> help you analyze usage, but nothing beats a peek at the raw logs for noticing issues cropping up.<\/p>\n

The Good Bots<\/h2>\n

Sleepy websites like mine show a high proportion of “good” bots like Googlebot, compared to human traffic.\u00a0 They’re doing good things like crawling (indexing) your site.<\/p>\n

In my case they are the primary visitor base to my site, generating hundreds or even thousands of individual requests per day.\u00a0 Hopefully your own WordPress site has a better visitor-to-bot ratio than mine.<\/p>\n

We don’t want to block these guys from their work, they’re actually helpful.<\/p>\n

The Bad Bots<\/h2>\n

You’ll also see bad bots, possibly lots of them.\u00a0 Most are attempting to guess user credentials so they can post things on your WordPress site.<\/p>\n

Some are fairly up-front about it:<\/p>\n

\n
...\n132.232.47.138 [07:51:14] \"POST \/xmlrpc.php HTTP\/1.1\"\n132.232.47.138 [07:51:14] \"POST \/xmlrpc.php HTTP\/1.1\"\n132.232.47.138 [07:51:15] \"POST \/xmlrpc.php HTTP\/1.1\"\n132.232.47.138 [07:51:16] \"POST \/xmlrpc.php HTTP\/1.1\"\n132.232.47.138 [07:51:16] \"POST \/xmlrpc.php HTTP\/1.1\"\n132.232.47.138 [07:51:18] \"POST \/xmlrpc.php HTTP\/1.1\"\n...<\/pre>\n<\/blockquote>\n
They’ll hammer your server like that for hours.<\/p>\n
Blocking their individual IP addresses at the firewall is devastatingly effective… for about five minutes.\u00a0 Another bot from another IP will pop up soon.\u00a0 Blocking individual IPs is a game of whack-a-mole.<\/p>\n
Some are part of a “slow” botnet, hitting the same page from unique a IP address each time.\u00a0 These are part of the large botnets you read about.<\/p>\n
\n
83.149.124.238 [05:01:06] \"GET \/wp-login.php HTTP\/1.1\" 200\n83.149.124.238 [05:01:06] \"POST \/wp-login.php HTTP\/1.1\" 200\n188.163.45.140 [05:03:38] \"GET \/wp-login.php HTTP\/1.1\" 200\n188.163.45.140 [05:03:39] \"POST \/wp-login.php HTTP\/1.1\" 200\n90.150.96.222 [05:04:30] \"GET \/wp-login.php HTTP\/1.1\" 200\n90.150.96.222 [05:04:32] \"POST \/wp-login.php HTTP\/1.1\" 200\n178.89.251.56 [05:04:42] \"GET \/wp-login.php HTTP\/1.1\" 200\n178.89.251.56 [05:04:43] \"POST \/wp-login.php HTTP\/1.1\" 200<\/pre>\n<\/blockquote>\n
These are more insidious: patient and hard to spot on a heavily-trafficked blog.<\/p>\n
Keeping WordPress Secure<\/h1>\n
You (hopefully) installed WordPress to a location outside of your “htdocs” document tree.\u00a0 If not, you should fix that right away!\u00a0 (Consider this “security tip #0” because without this you’re basically screwed.)<\/p>\n
Security tip #1 is to make sure auto updates are enabled.\u00a0 The slight risk of a botched release being automatically applied is much lower than that of having an critical security patch that is applied too late.<\/p>\n
Like medieval door locks on your front door, there is little security advantage to running old software.<\/p>\n
Once an exploit is patched, the prior releases are vulnerable as people deconstruct the patch and reverse-engineer the exploit(s) – assuming a exploit wasn’t published before the patch was released.<\/p>\n
Locking WordPress Down<\/h2>\n
Your Apache configuration probably contains a section similar to this:<\/p>\n
<Directory \"\/path\/to\/wordpress\">\n    ...\n    Require all granted\n    ...\n<\/Directory><\/pre>\n
We’re going to add some items between <Directory><\/Directory> tags to restrict access to the most vulnerable pieces.<\/p>\n
You Can’t Attack Things You Can’t Reach<\/h3>\n
We’ll start by invoking the Principle of Least Privilege<\/a>: people should only be able to do the things they must do, and nothing more.<\/p>\n
xmlrpc.php is an API for applications to talk to WordPress.\u00a0 Unfortunately it doesn’t carry extra security, so if you’re a bot it’s great to hammer with your password guesses – you won’t be blocked, and no one will be alerted.<\/p>\n
Most people don’t need it.\u00a0 Unless you know you need it, you should disable it completely.<\/p>\n
<Directory \"\/path\/to\/wordpress\">\n    ...\n    <Files xmlrpc.php>\n        <RequireAll>\n            Require all denied\n        <\/RequireAll>\n    <\/Files>\n<\/Directory><\/pre>\n
There are WordPress plugins that purport to “disable” xmlrpc.php, but they deny access from within WordPress.\u00a0 That means that you’ve still paid a computational price for executing xmlrpc.php, which can be steeper than you expect, and you’re still at risk of exploitable bugs within it.\u00a0 Denying access to it at the server level is much safer.<\/p>\n
You Can’t Log In If You Can’t Reach the Login Page<\/h3>\n
This next change will block anyone from outside your LAN from logging in.\u00a0 That means that if you’re away from home you won’t be able to log in, either, without tunneling back home.<\/p>\n
<Directory \"\/path\/to\/wordpress\">\n    ...\n    <Files wp-login.php>\n        <RequireAll>\n            Require all granted\n            # remember that X-Forwarded-For may contain multiple\n            # addresses, don't just search for ^192...\n            Require expr %{HTTP:X-Forwarded-For} =~ \/\\b192\\.168\\.1\\.\/\n        <\/RequireAll>\n    <\/Files>\n<\/Directory><\/pre>\n
If you’re not using a public-facing proxy, and don’t need to look at X-Forwarded-For, you can simplify this a little:<\/p>\n
<Directory \"\/path\/to\/wordpress\">\n    ...\n    <Files wp-login.php>\n        <RequireAll>\n            Require all granted\n            Require ip 192.168.1\n        <\/RequireAll>\n    <\/Files>\n<\/Directory><\/pre>\n
This will prevent 3rd parties from signing up on your blog and submitting comments.\u00a0 This may be important to you.<\/p>\n
Restart Apache<\/h2>\n
After inserting these blocks, you should execute Apache’s ‘configtest’ followed by reload:<\/p>\n
$ sudo apache2ctl configtest\napache2      | * Checking apache2 configuration ...\u00a0\u00a0\u00a0\u00a0 [ ok ]\n<\/pre>\n
$ sudo apache2ctl reload\napache2      | * Gracefully restarting apache2 ...      [ ok ]<\/pre>\n
Now test your changes from outside your network:<\/p>\n
\"xmlrpc.php<\/p>\n
Apache’s access log should show a ‘403’ (Forbidden) status:<\/p>\n
... \"GET \/xmlrpc.php HTTP\/1.1\" 403 ...<\/strong><\/pre>\n
And just like that, you’ve made your WordPress blog a lot<\/strong> more secure.<\/p>\n
Interestingly, by making just these changes on my own site the attacks immediately dropped off by 90%.\u00a0 I guess that the better-written bots realized that I’m not a good target anymore and stopped wasting their time, preferring lower-hanging fruit.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is the first in an occasional series of documents on WordPress. WordPress is ubiquitous but fragile.\u00a0 There are few alternatives that provide the easy posting, wealth of plugins, and integration of themes, while also being (basically) free to use. It’s also a nerve-wracking exercise in keeping bots and bad actors out.\u00a0 Some of the … Continue reading “Securing WordPress: The Basics”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wprm-recipe-roundup-name":"","wprm-recipe-roundup-description":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[9],"tags":[355,151,555,83,556,354],"class_list":["post-2538","post","type-post","status-publish","format-standard","hentry","category-linux","tag-apache","tag-dad-needs-to-stop-bringing-work-home","tag-how-to","tag-linux","tag-netsec","tag-wordpress"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4o3FW-EW","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2538"}],"version-history":[{"count":11,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2538\/revisions"}],"predecessor-version":[{"id":2558,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2538\/revisions\/2558"}],"wp:attachment":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}