@amolvishwakarma
Last active March 30, 2023 07:37
WordPress Security
1.) Changing File & Directory Permissions
Note: Run the commands below from the shell, and change the path to the directory where your WordPress installation lives.
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
2.) Securing wp-admin
Note: To add a second layer of protection to wp-admin, create a .htaccess file inside the wp-admin directory and add the code below.
Replace /path/to/.htpasswd with the actual path of your .htpasswd file.
# Password Protected wp-admin
AuthType Basic
AuthName "Only Admins Are Allowed"
AuthUserFile /path/to/.htpasswd
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
3.) Securing wp-includes
Note: A second layer of protection can be added for the wp-includes directory, whose scripts are generally not intended to be accessed directly by any user.
To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
4.) Securing wp-config.php
Note: Also make sure that only you (and the web server) can read this file (which generally means a 400 or 440 permission). Place the code below outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file; it denies access to wp-config.php to anyone who requests it directly.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
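A check that goes with sections 1 and 4: an added Python audit (written for this note, not part of the gist or of WordPress) that walks an install and reports every directory not at 755, every file not at 644, and a wp-config.php that is not 400 or 440. demo() builds a constructed throwaway tree with two deliberate deviations to show the output.

```python
import os
import shutil
import stat
import tempfile

# Expected modes from the note: 755 for directories, 644 for files, and
# wp-config.php readable only by the owner (400) or owner and group (440).
DIR_MODE = 0o755
FILE_MODE = 0o644
WP_CONFIG_MODES = {0o400, 0o440}


def audit_permissions(root):
    """Walk a WordPress install and return (path, actual, expected) for every
    entry whose permission bits differ from the recommendation."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode != DIR_MODE:
            findings.append((dirpath, oct(mode), oct(DIR_MODE)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if name == "wp-config.php":
                if mode not in WP_CONFIG_MODES:
                    findings.append((path, oct(mode), "0o400 or 0o440"))
            elif mode != FILE_MODE:
                findings.append((path, oct(mode), oct(FILE_MODE)))
    return findings


def demo():
    """Constructed sample tree (not a real install) with two deliberate
    deviations: a world-writable uploads directory and a 644 wp-config.php."""
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, DIR_MODE)
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
        os.chmod(uploads, 0o777)  # too open
        for name, mode in (("index.php", FILE_MODE), ("wp-config.php", 0o644)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), a, e) for p, a, e in audit_permissions(root)]
    finally:
        shutil.rmtree(root)
```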
5.) Disable File Editing
Note: By default the WordPress Dashboard allows administrators to edit PHP files such as plugin and theme files.
This is often the first tool an attacker will use after logging in, since it allows code execution.
WordPress has a constant that disables editing from the Dashboard. Placing the line below in wp-config.php is equivalent
to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users. Whenever you need
to make changes from the Dashboard, comment the line out, and uncomment it once the changes are done.
define('DISALLOW_FILE_EDIT', true);
6.) Plugins
Note: Always keep plugins up to date so that security patches are applied, and delete any plugin that is not required.
7.) Avoid the defaults that WordPress offers.
a.) Don't use an account named admin or webmaster; it is easy to guess.
Note: When creating an administrative account, avoid easily guessed usernames such as admin or webmaster.
On an existing WordPress install you can rename the account from the MySQL command-line client with the command below.
command: UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';
b.) Change the table_prefix.
Note: By default a WordPress installation uses the wp_ table prefix. Changing it can block at least some SQL injection attacks.
8.) Backing up database.
Note: You can use wp-db-backup to create a backup manually, or schedule it with an option to download the backup or email it to a database admin.
9.) Use secure passwords.
Note: Don't use easily guessable passwords, for example the company name, the username or your real name.
10.) Hide the WordPress version.
Note: Hide the WordPress version from both the page head and the RSS feeds.
Add the code below at the bottom of wp-includes/functions.php. Keep in mind that wp-includes/functions.php is a core file that WordPress overwrites on every update, so the snippet has to be re-applied after updating.
Snippet:
// Return an empty string so the generator tag carries no version information.
function hide_remove_version() {
return '';
}
add_filter('the_generator', 'hide_remove_version');
11.) Block access to the xmlrpc file.
Note: An attacker will try to access your site through xmlrpc.php using various username and password combinations, since XML-RPC accepts POST calls. Place the code below outside the # BEGIN WordPress and # END WordPress tags.
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
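To see exactly which request paths the rules in sections 3, 4 and 11 forbid, here is an added Python model of that ruleset (written for this note, not part of the gist or of WordPress). It assumes Apache's per-directory matching, where mod_rewrite sees the path relative to the WordPress root, and that the <Files> blocks in the root .htaccess apply to the same file name in any subdirectory.

```python
import re
from posixpath import basename

# Rewrite rules copied from the "Block the include-only files" snippet,
# as (pattern, negated, action): "F" = respond 403, ("S", n) = skip n rules.
REWRITE_RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, ("S", 3)),
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]

# Files denied outright by the <Files ...> deny-from-all blocks (sections 4 and 11).
DENIED_FILES = {"wp-config.php", "xmlrpc.php"}


def decide(path):
    """Return 'forbidden' or 'allowed' for a request path relative to the
    WordPress root (the form mod_rewrite sees in a per-directory .htaccess)."""
    path = path.lstrip("/")
    # <Files> matches the final path component regardless of directory.
    if basename(path) in DENIED_FILES:
        return "forbidden"
    i = 0
    while i < len(REWRITE_RULES):
        pattern, negated, action = REWRITE_RULES[i]
        matched = re.search(pattern, path) is not None
        if negated:
            matched = not matched
        if matched:
            if action == "F":
                return "forbidden"
            # [S=n] skips the next n rules; here it is only an optimisation,
            # since the three skipped rules match wp-includes/ paths anyway.
            i += action[1]
        i += 1
    return "allowed"
```

Note that the ruleset also forbids wp-includes/ms-files.php, which some Multisite installs rely on to serve uploaded files, so check that path before deploying it on Multisite.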
13.) Block account on x number of failed login attempts.
Note: There are multiple plugins that perform this task, for example Login LockDown, Limit Login Attempts, etc.
14.) Simultaneous logins.
Note: By default WordPress doesn't restrict simultaneous logins with the same username and password on multiple devices.
You can use the LoggedIn plugin, Prevent Simultaneous SignIns, etc., and limit the number of sessions allowed for the same user. For security, don't share the same credentials with anyone; otherwise auditing becomes difficult. For example, if user1 and user2 both log in with user3's credentials and edit multiple posts, it is impossible to tell who made the changes.
15.) Two Factor Authentication.
Note: Two-factor authentication adds a second layer of protection on wp-admin to prevent brute-force attacks and secures user accounts that have weak passwords (WP 2FA plugin, miniOrange, etc.).
WP 2FA is free for all users and supports multiple 2FA methods, while miniOrange is free for up to 3 users for lifetime.
16.) .git ownership
Note: Don't give ownership of the .git directory to the apache user.