Wordpress is broadly used CMS (Content Management System) on the internet with maximum user base. Wordpress is easier to understand for everyone and the plus point is that one can right away get on with creating a new blog article or a website in easy steps without having to know about coding. This makes Wordpress attractive to most of bloggers, content developers and even small businesses.
Initially, Wordpress began as a platform for people who wanted to create blogs and publish it on the internet. Eventually, it became famous and as it is an open source project, the community contributed to its development and rest is history.
As of now, Wordpress has evolved to one of the most flexible platform out and a user can control virtually all the aspect of this CMS. There are tons of plugins, themes and other goodies that suits the needs of almost all users. The popularity of Wordpress is growing due to the ease of use and manageability. The Wordpress based sites can take a form of a simple blog to a full-featured business marketplace, depending on the customisation applied. More information on Wordpress can be found here on the official Wordpress site and on this page of dreamhost
Wordpress Security
With this huge popularity on Wordpress there has been a steady rise of attacks - simplest to complex ones, which can be attributed to various factors. Let's just put this in the following sections, roughly
Obsolete Wordpress components. (Plugins / Themes / etc)
Wordpress misconfigurations.
Inappropriate file permissions.
Weak authentication mechanisms.
Security at the administrator's Desktop / Laptop.
The above listed categories are broad in nature and can be drilled down deeper as per the security scope of the Wordpress site under question.
Our Recent Wordpress security analysis
Here, at Evolution Info Secure, we were tasked with a security analysis of a Wordpress site. The site was a blog that author maintained as single owner / administrator and updated with the contents.
The client noticed some anomaly in the past days and acted proactively for his website security and visited us. We understood the issue pertaining to the client, and acted quickly to find any vulnerabilities that can be exploited by hackers. Keeping this in the scope for the work, we initiated the security testing for the wordpress site.
Security Strategy employed & findings.
The initial strategy which we used was to map out the functionality of the website under scope and then get an understanding of the threats that the site can face - both technical as well as logical flaws.
After this step, we were able to understand the flow of the application and perform a threat analysis as per the famous OWASP top 10 standard. During this course, we came across a lot of technical vulnerabilities for the site. Issues such as old wordpress themes, plugins, unwanted wordpress services, weak credentials, missing 2 Factor Authentication, Missing of necessary security headers & CSRF tokens as well as missing audit trails and partial/insufficient event logging were found out.
As the application was a bit small in scope, the chance of other logical bugs were close to none.
So, after the initial assessment, the roadmap was clear and it was time to get cracking to resolve the issues.
Resolving security issues
As we always know that security consists of a layered approach, securing each layer and considering the threat actors at each layer. With that philosophy, we began with
The administrator Laptop / Desktop.
The site owner managed his blogging site from a single laptop, so it became mandatory to secure the laptop from any sort of malware attack. Standard security procedures were suggested to secure operating system. Points related to:-
Keep the base OS on automatic updates.
Remove any unwanted programs / unused components.
Update browsers and other necessary packages.
Setup and configure antivirus and antispyware solution.
were followed.
Security tips related to social engineering and phishing and similar risks that can arise due to unauthorised or pirated softwares were passed on to client for security of the Laptop.
After this, we moved on to solve other technical issues discovered.
Obsolete Wordpress components
Most of the Wordpress authors / administrators frown upon having to update their wordpress installation, themes, plugins, etc.on time. This is ignorance is the number 1 cause for most of the wordpress hacking incidents globally.
Vulnerabilities such as SQL injection, Cross Site Scripting, Remote Code Execution, Command Execution, etc. have been widely reported for various wordpress themes, plugins, etc. but still these components are very rarely updated.
Our client in this case was too on the same boat. Most of the necessary and recommended updates were missing and we immediately updated the required components and then we set to auto-update, so next time the client did not have to bother much in this area.
So, with this area covered, we moved on to the next area of concern.
XMLRPC.php enabled
What is xmlrpc.php?
Lets simplify things. Suppose, you want to post an article from your mobile device, then this feature enables us this functionality. It was a pretty friendly feature back then, but this feature is widely abused by attackers to launch a DDoS attack or to bruteforce authentication to gain access to the site administrator panel.
This was evident in the incomplete logs that we saw. There were several bruteforcing instances via the xmlrpc.php endpoint and thankfully, the firewall of the web hosting provider acted and dropped the connections after a certain threshold.
We have 2 options to either to stop xmlrpc.php using a plugin or by making changes in the .htaccess file of the public_html path.
We preferred to make changes to the .htaccess file that was in the public_html folder and made some changes as follows:
#Block XMLRPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>after making the backup of the file and then adding the above lines of code, to the .htaccess file, we verified the same and on this XMLPRC validator and it was finally stopped.
wp-cron.php
From our previous experience on dealing with the issues caused by keeping the wp-cron.php enabled. We were pretty sure that wp-cron has to be disabled so that this doesnt cause any issue later in future. You can find the article related to our web security analysis. We disabled the wp-cron.php from the wp-config.php file by adding this small line
define(‘DISABLE_WP_CRON’, ‘true’);NOTE - While it has been observed that the wp-cron can also be associated with unattended automatic upgrades for the whole wordpress installation, this feature is provided with many hosting providers. We highly recommend that you confirm this with your hosting provider and also test the same by disabling this feature and monitor for any unwanted behaviour.
Missing Security headers
Security headers are often and vastly neglected components for a web application. Actually, the missing security headers do not pose any direct threat to an application, but when chained with other medium and high rating vulnerabilities, the missing security headers can have a very damaging effect on a web application. For instance, missing security headers can lead to attacks such as Click jacking, Cross Site Scripting or XSS as we know it, Cross Site Request Forgery or CSRF, etc.
A typical wordpress installation will have the minimum or negligible security headers deployed. Security headers such as - strict-transport-security, x-content-type, and x-frame-options, CSRF nonce/token, content security policy, x-frame-options, X-XSS-Protection, etc. will be missing
For implementation, thankfully there were plugins available and the plugins were installed. Plugins such as - Comment form CSRF protection & GD Security Headers were installed and tested on the free security headers tool by Scott Helme
White listing HTTP Request methods
During the phase of assessment, it was observed that the application was accepting random HTTP methods and even methods that were not existing. From our experience we have seen that the HTTP request methods are mostly ignored while deploying a web application and this ignorance can lead to authentication and authorization bypasses. Hence, It becomes very important to filter out and white list HTTP request methods.
To accomplish that, first we understood the common ways the site was being managed and administered and then it was decided that we need only the GET, POST, OPTIONS Methods in the site. The following directives were added to the .htaccess file to whitelist the HTTP methods.
# ALLOW ONLY NECESSARY REQUEST METHODS
RewriteCond %{REQUEST_METHOD} !^(GET|OPTIONS|POST) [NC]
RewriteRule .* - [F,L]The above rule was tested and was successful in giving back the error code 405 - Method not allowed for any HTTP method except GET / POST / OPTIONS
Visible Wordpress version
This issue comes under low or informational, we still prefer to close this too, as recent wordpress verison have been reported to have Remote code execution vulnerabilities and if in case the client misses out to update wordpress installation, then they may be at risk from the exploitation, so to reduce the attack surface, we followed the principle of Security through obscurity.
For hiding the wordpress version, In the wordpress root folder of the public_html folder, the file functions.php we added the following lines of php code
function wp_remove_version() {
return '';
}
add_filter('the_generator', 'wp_remove_version');save the file and then reloaded the site and we are good to go.
Apart from the discovered vulnerabilities, the following additional steps were taken so as to add more security layers and make the client site more robust against any sort of malicious attempts to damage the wordpress installation.
Controlling access to the 'wp-admin' folder.
From the error logs we saw, along with the bruteforcing on the xmlrpc.php endpoint, we also saw lots of login attempts to access the wordpress administrator area. To deal with that issue, we moved ahead to protect and limit access to the wp-admin folder and the associated files, especially the administrator login. First, we considered to implement IP based white listing to the administrator area, but the client did not have static IP to lock to. so, the next obvious step was to implement 2 Factor Authentication and set a rate limit for login to the wordpress panel.
To simplify things, we suggested and configured wordpress plugin for adding 2 Factor Authentication to the admin panel and linked the plugin to the Google Authenticator app.
Next up, we added another security layer for administrator login by limiting the login attempts again, we considered use of the wordpress plugin for login lockdown and set the threshold for 5 incorrect logins, the account will be locked down. This plugin also has the facility to block an IP range.
This implemented feature was successfully tested and deployed for the client site.
Protecting wp-config.php
Anyone using the wordpress CMS knows it nicely that the file wp-config.php is the key file and any changes or any sort of compromise can lead to a catastrophic situation.
To protect this sensitive file, we recommended a 2 fold approach.
Restrict access to the wp-config.php file.
Move the wp-config.php to another location in the server's file system.
To accomplish this, we first put to test and then after verification, we proceeded with these steps. So, any readers who want to try this out should first test this procedure and then proceed.
1. To Restrict access to wp-config.php file, we added some directives in the .htaccess file located in the wordpress root directory as follows:
#restrict access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>after the completion of above step, we then proceeded to next step.
2. Move the wp-config.php file contents to another location in server's file system
First, we made a backup of the wp-config.php file as wp-config.php.bak next, we copied all the contents of the wp-config.php to a new file called config.php the location of this file config.php was in server's filesystem (non-www directory) path - /home/user1/config.php
Then in the file wp-config.php which is located at /home/user1/public_html/ we remove all the content and add this single line to the wp-config.php
<?php include('/home/user1/config.php'); ?>So, whenever, there is a need to refer to the contents of wp-config.php, the file will refer to the original contents that are located elsewhere in the server filesystem.
Also, as the wp-config.php is protected with directive in the .htaccess, the actual path of the file will not be disclosed easily.
So, these 2 steps have helped us protect the critical wp-config.php file from any unauthorised access or modification.
Protecting the .htaccess file
Till now we added many rules to the .htaccess file for protecting sensitive files of wordpress, however, there could be chances that the file .htaccess can still be accessed by an intruder, so to protect the .htaccess file, we can add the following directive to the file.
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>The above directive in the .htaccess file will restrict any access to the file that starts with '.hta', we can add this directive in other folders where the .htaccess file has been implemented.
This was tested and we got an error 403 - Forbidden so, it was confirmed that the directive and rules were working fine.
Now for the last part, on hardening wordpress site, we helped the client setup another plugin that generated audit trails for the site, this would help the client monitor the site activity and take any necessary steps in case needed.
In addition to the above steps, there were some real good plugins available on the wordpress store that we put to the site. There are a lot of security plugins but for initial try we installed ithemes security and wordfence
We enabled the required features in both these plugins some of which includes - Attack detection, audit trails, disable PHP execution in upload folders, bruteforce detection, etc.
Final Thoughts on Wordpress Security
Wordpress offers an excellent platform for anyone who wishes to write and create his/her own blog or a website - personal or business, Wordpress has all the required components that can be useful for anyone who can put a little time and effort to create a blog or a website. However, this simplicity too has side-effects. As most of the plugins and components are available ready-made, this becomes a single point of failure for security. For example, if a theme or plugin is exploited and re-packaged with backdoor and that plugin or theme then can affect users who have installed the backdoored component. Also, misconfiguration of wordpress site is one of the major root cause for wordpress sites to be under attack and exploitation.
Moreover, there are very few developers or wordpress owners who take account of security and most of the cases that we have seen till date come to light when the data breach has caused a significant loss to the organization or business owner / blogger. Just because, an initial web security assessment was not taken into account. Here in this case, the approach from the client was proactive and that is what goes a long way.