Wednesday, September 26, 2012

Tightening WordPress Security

I have developed a method to tighten WordPress security for a scenario in which there is only one admin and another admin will never be added. Since my WordPress blog has only one admin, there is no legitimate reason for any human being to ever access wp-signup.php. Anyone who does is hacking, so they should be banned forever.
#Ban WP attackers
Redirect 301 /wp-signup.php /kick/
This code in .htaccess redirects anyone who attempts to sign up to a bot-trap located in /kick/. An alternative for those who do not have a bot-trap installed is Redirect 403 /wp-signup.php, which simply returns a 403 Forbidden. I recommend installing a bot-trap so that your site can respond dynamically to attackers by banning their IP addresses. This slows down hackers who are probing your site for vulnerabilities.

Additional code, below, scans for common hack attacks against WordPress installations that I have observed firsthand in my server log. Again, because I do not permit registration, I ban it. Why permit something that no human being will ever use?
RewriteEngine On
# Probes observed in the server log; NC makes each condition case-insensitive
RewriteCond %{QUERY_STRING} action=register [NC,OR]
RewriteCond %{REQUEST_URI} ^/timthumb [NC,OR]
RewriteCond %{REQUEST_URI} ^/uploadify [NC,OR]
RewriteCond %{REQUEST_URI} ^/marketplace [NC]
RewriteRule .* http://techlorebyigor.blogspot.com/kick/? [R=301,L]
The question mark at the end of the above RewriteRule discards any query string the request carried, avoiding potential complications when the bot-trap is triggered. Bots that attempt to find exploits in the WordPress plug-ins timthumb, uploadify, or marketplace will be banned. I do not use those plug-ins; if you do, you had better not use the above code, because legitimate requests to them would be banned as well.
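As an added example (not the post's own code), the same matching rules applied to Apache combined-format access log lines, so you can audit past traffic for the probes the rewrite block bans before turning it on; the log lines and IPs are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Mirrors the .htaccess rules above: Redirect and ^/... anchor at the start of the
# request path, NC makes them case-insensitive, and the QUERY_STRING test is a substring match.
URI_PREFIXES = ("/wp-signup.php", "/timthumb", "/uploadify", "/marketplace")
QUERY_NEEDLE = "action=register"

def matched_rule(target):
    """Return the rule a request target would trip, or None if it is clean."""
    parts = urlsplit(target)
    path = parts.path.lower()
    for prefix in URI_PREFIXES:
        if path.startswith(prefix):
            return prefix
    if QUERY_NEEDLE in parts.query.lower():
        return QUERY_NEEDLE
    return None

def scan_log(lines):
    """Count rule hits per client IP; also return (ip, rule) pairs in log order."""
    hits = Counter()
    details = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        rule = matched_rule(m.group("target"))
        if rule is not None:
            hits[m.group("ip")] += 1
            details.append((m.group("ip"), rule))
    return hits, details

# Constructed sample log (documentation IP ranges, not real clients)
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2012:04:20:01 +0000] "GET /wp-signup.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2012:04:20:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2012:04:21:10 +0000] "GET /timthumb.php HTTP/1.1" 301 0 "-" "-"
192.0.2.9 - - [26/Sep/2012:04:22:00 +0000] "GET /2012/09/wordpress-security.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Sep/2012:04:22:05 +0000] "GET /wp-content/uploads/Marketplace-logo.png HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG.splitlines())[0].most_common():
        print(f"{ip:15} {n} probe(s) -> candidate for the bot-trap ban list")
```

The last sample line shows why the ^ anchor matters: a file that merely contains "marketplace" deeper in its path is not flagged.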

Other useful snippets, ubiquitous on the web and not original, follow:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
Although my wp-config.php is already locked down tight with file permissions of 400 (owner read-only), I decided to add an additional layer of security in .htaccess. Why? Just because. Perhaps it is unnecessary, but I like it. There is no such thing as redundant security.
<FilesMatch "\.(htaccess|htpasswd|fla|psd|log|sh|gz|zip|tar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
There is no legitimate reason for any human or bot to be reading any file with the above extensions. Although I won't ban those who do, I will show them my special 403 page, which has many links to harvester-killers on other web sites.