Many WordPress owners do not take WordPress security hardening seriously. In our practice we regularly see incidents that trace back to a poorly secured server: attackers break in and upload web shells, malicious code and injected iframes, and sometimes the WordPress installation itself ends up serving malware or a virus, which can cost an online business dearly. ITsyndicate’s experience has let us work out an efficient strategy for WordPress security hardening and for getting rid of such vulnerabilities.
One of the oldest security measures on the Internet is encryption of HTTP traffic. By running an encrypted HTTPS connection end to end, all the way to the client browser, you protect your business from man-in-the-middle attackers. To keep that protection healthy you need to pay careful attention to the encryption certificates and to the protocol configuration. A certificate is only as trustworthy as the weakest link in its signature chain. You may also need to take specific measures so that end users cannot be tricked into clicking through a certificate warning.
Any modern web application exposed to the public Internet needs protection against the Wild West out there. A modern application architecture puts a protective outer edge in front of the application, designed to absorb even a distributed denial of service attack, something traditional firewall-based solutions cannot defend against on their own. You achieve this by placing a proxy between the public Internet and the application servers, which also hides the servers’ network addresses in the same way a NAT router does.
Note! An application-level vulnerability may still reveal the real server IP address, so depending on the business requirements additional measures may be needed to prevent that.
Firewall for WordPress security hardening
At the outer edge facing the public network, the firewall blocks every irrelevant protocol and port; only the relevant ones, such as HTTP and HTTPS, are allowed through. An advanced firewall configuration additionally locks potential attackers and botnets out, for example during a brute-force attack or a port scan. Together with the next layer, CloudFlare or any other proxy solution, the architecture is able to withstand most of today’s cyber-security challenges.
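An added example of such an edge policy, not taken from the article or from ITsyndicate’s own setups: a shell script that writes a minimal nftables ruleset with a default-drop policy, HTTP/HTTPS open to the world, SSH reachable only from an administrative network, and a ceiling on new web connections per second, plus a small self-check that confirms which TCP ports the file actually accepts before it is loaded. The management network 203.0.113.0/24 is a documentation range used as a placeholder; the rate limit value is an assumption to tune per site.

```shell
#!/bin/sh
# Write an nftables ruleset for a WordPress host behind a proxy layer.
# Load it with:  nft -f edge.nft   (after checking syntax with  nft -c -f edge.nft)
write_edge_ruleset() {   # write_edge_ruleset <output-file>
  cat > "$1" <<'EOF'
flush ruleset
table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMP is needed for path MTU discovery and basic diagnostics
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # administration only from the management network (placeholder range)
        ip saddr 203.0.113.0/24 tcp dport 22 accept
        # new web connections above this rate are dropped; blunts scans and brute force
        tcp dport { 80, 443 } ct state new limit rate over 200/second drop
        tcp dport { 80, 443 } accept
        # everything else (database, FTP, PHP-FPM socket ...) falls to the default drop
    }
}
EOF
}

# ruleset_accepts_tcp <file> <port>
# Returns 0 when the file contains an accept rule for that TCP port, either as
# a single port ("tcp dport 22 accept") or inside a set ("{ 80, 443 }").
ruleset_accepts_tcp() {
  grep -E "tcp dport (\{[^}]*[ ,{]$2[ ,}][^}]*\}|$2 ).*accept" "$1" >/dev/null
}

# Syntax check with the real tool when it is installed; skipped otherwise.
ruleset_syntax_ok() {   # ruleset_syntax_ok <file>
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "nft not installed, syntax check skipped" >&2
  fi
}

# Stand-alone demo: ./edge.sh demo
if [ "${1:-}" = demo ]; then
  write_edge_ruleset edge.nft
  for p in 22 80 443 3306 21; do
    if ruleset_accepts_tcp edge.nft "$p"; then echo "tcp/$p: accepted"; else echo "tcp/$p: dropped"; fi
  done
fi
```

The self-check is deliberately dumb: it only reads the text you are about to load, so it catches the classic mistake of leaving a database or FTP port open to the world before the policy ever reaches the kernel.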
At the web server level the most common vulnerabilities relate to unprotected directories that are exposed to the outside world. In an architecture designed for WordPress security hardening, specific measures are taken in the web server configuration (Nginx) to ensure that only the relevant directories are served to the Internet. This includes blocking irrelevant folders in the application directory tree. Additionally, you can ban the execution of scripts at the web server level, which adds a further layer on top of hardening the PHP executor so that it runs only authorised PHP code.
There are various ways to build a proper PHP execution environment. We use the PHP-FPM process manager, which provides PHP execution to the web server through Unix sockets. It is a very good choice for high-volume applications, and its process management features help to build a secure PHP processing environment.
This setup defines a set of forbidden PHP functions. Your application logic may use only a handful of PHP functions, yet some of the functions PHP offers are inherently insecure. To reduce the risk of a PHP-level vulnerability you harden the setup and exclude those specific functions. The best way to rule out an attacker calling a forbidden function is to confine the PHP execution environment within secure boundaries.
One of the most advanced exploits is to embed shell code in ordinary files such as images, PDFs or other attachments. The victim system then does not need to perform any unusual action to trigger the payload; in a server environment the application merely has to parse the image. To deal with this vulnerability the architecture must forbid the execution of code inside images.
Furthermore, you take specific measures to ensure that the PHP process, and therefore any potential attacker who compromises it, cannot write to disk. Running PHP under a dedicated, restricted user is an additional manoeuvre that incapacitates an attacker who exploits an application-level vulnerability.
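An added example for the uploads problem, not code from the article: a small shell audit that walks an upload tree and flags files that carry a PHP open tag in their content (the image parser does not care what follows the header) or hide a script extension inside the name, together with the Nginx location that refuses to hand anything under the upload tree to PHP. The sample tree is constructed inline; the appended `<?php echo "marker"; ?>` text is an inert stand-in for a polyglot file, and the `/wp-content/uploads` path is the standard WordPress layout assumed here.

```shell
#!/bin/sh
# Constructed sample upload tree: one clean image, one image with an inert PHP
# tag appended (stand-in for a polyglot), one script behind a double
# extension, one ordinary PDF.
make_sample_uploads() {   # make_sample_uploads <dir>
  mkdir -p "$1/2024/05"
  printf 'GIF89a\001\200\377\376\001\200 plain pixels' > "$1/2024/05/logo.gif"
  printf 'GIF89a\001\200<?php echo "marker"; ?>' > "$1/2024/05/avatar.gif"
  printf '<?php echo 1; ?>' > "$1/2024/05/photo.php.jpg"
  printf '%%PDF-1.4 just a document' > "$1/2024/05/invoice.pdf"
}

# Print "relative-path: reason" for every upload that must never reach the PHP
# interpreter: a script extension anywhere in the name, or a PHP open tag in
# the content. Output is sorted so it can be diffed between runs.
find_suspicious_uploads() {   # find_suspicious_uploads <dir>
  dir=$1
  find "$dir" -type f | while read -r f; do
    rel=${f#"$dir"/}
    reason=""
    case "$f" in
      *.php|*.php.*|*.phtml|*.phtml.*|*.phar|*.phar.*) reason="script extension" ;;
    esac
    if grep -qF -e '<?php' -e '<?=' "$f"; then
      reason="${reason:+$reason, }php tag in content"
    fi
    [ -n "$reason" ] && echo "$rel: $reason"
  done | sort
  return 0
}

# The web-server side of the same rule. Nginx uses the first matching regex
# location, so this block must appear before the generic "\.php$" location
# that passes requests to PHP-FPM.
print_nginx_upload_rule() {
  cat <<'EOF'
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}
EOF
}

# Stand-alone demo: ./uploads-audit.sh demo
if [ "${1:-}" = demo ]; then
  w=$(mktemp -d)
  make_sample_uploads "$w/uploads"
  find_suspicious_uploads "$w/uploads"
  print_nginx_upload_rule
fi
```

Run the audit from cron against the real upload directory and treat any output as an incident: a legitimate image never contains a PHP open tag, and the Nginx rule guarantees that even a file the audit missed is served as a static download, not executed.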
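An added example that puts the PHP-FPM measures from the last few paragraphs into one pool configuration, not a configuration from the article or from ITsyndicate: a dedicated user, a Unix socket with restricted permissions, the interpreter limited to `.php` files, a list of disabled functions and an `open_basedir` fence, followed by a small audit that reports which dangerous functions a given php.ini or pool file still allows. All directives are standard PHP/PHP-FPM settings; the user name, socket path and `/var/www/site` path are placeholders, and the list of functions to disable is an assumption to adjust per application.

```shell
#!/bin/sh
# Hardened PHP-FPM pool fragment. Paths and user name are placeholders.
write_hardened_pool() {   # write_hardened_pool <output-file>
  cat > "$1" <<'EOF'
[www]
; PHP runs as its own restricted account, not as the web server or a deploy user
user = www-data
group = www-data
; Unix socket instead of a TCP port; only the socket owner/group may connect
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; only files ending in .php are ever handed to the interpreter, so a renamed
; image such as shell.jpg is never executed even if a request reaches PHP
security.limit_extensions = .php
; functions that spawn processes are not needed by WordPress and are removed
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
; the interpreter may only open files below these paths
php_admin_value[open_basedir] = /var/www/site:/tmp
php_admin_flag[allow_url_include] = off
php_admin_flag[expose_php] = off
EOF
}

# missing_disabled_functions <ini-or-pool-file>
# Prints one line per function from the baseline list that the file does NOT
# disable. Understands both "disable_functions = ..." (php.ini) and
# "php_admin_value[disable_functions] = ..." (pool file); the last
# occurrence wins, as it does in PHP.
missing_disabled_functions() {
  required="exec passthru shell_exec system proc_open popen"
  disabled=$(grep -E '^[[:space:]]*(php_admin_value\[)?disable_functions\]?[[:space:]]*=' "$1" \
             | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]' | tr ',' ' ')
  for fn in $required; do
    found=0
    for d in $disabled; do
      [ "$d" = "$fn" ] && found=1
    done
    [ "$found" -eq 0 ] && echo "$fn"
  done
  return 0
}

# Stand-alone demo: ./pool-audit.sh demo
if [ "${1:-}" = demo ]; then
  w=$(mktemp -d)
  write_hardened_pool "$w/www.conf"
  printf 'disable_functions = exec,system\n' > "$w/php.ini"
  echo "hardened pool still allows: $(missing_disabled_functions "$w/www.conf")"
  echo "sample php.ini still allows: $(missing_disabled_functions "$w/php.ini" | tr '\n' ' ')"
fi
```

The `php_admin_value` form matters: unlike `php_value`, it cannot be overridden by `ini_set()` or a `.user.ini` dropped into a writable directory, so a compromised plugin cannot quietly switch the functions back on.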
Secure web directories
The fundamental, classic and indeed one of the first vulnerabilities exploited in web applications is a writable web directory. In effect it means an intruder can place executable files on the server, and even a single script can compromise much of the server. Yet many web applications need such write permission in order to function.
The best way to solve this is to define the specific directories in which the web application may write, and to ensure that those directories will not execute any forbidden file. The web server has read-only access to all other files and may perform WRITE operations only in the /uploads directory. Administrators access the web root over a dedicated encrypted connection (sFTP).
A WordPress instance needs write access to some directories in order to update its plugins and components. This WordPress security option specifies that you update plugins only through a dedicated FTP connection method. A local FTP server provides that access, and it should listen on the local interface only, so that no attacker can reach it from the public Internet even with the credentials in hand.
Restricting the application’s privileges on the web directory provides an effective defence against a number of application-level vulnerabilities. This is one of the most important steps on the WordPress security hardening path 🙂
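An added example for the writable-directory rule, not code from the article: a shell audit that lists every directory under a web root the PHP user could write to, except the ones you explicitly allow (by default the upload tree, matching the layout described above), plus the remediation commands that produce a read-only tree owned by a separate deploy user. The web-root path, user and group names are placeholders; the audit only inspects permission bits, so it can run as any user, while the remediation needs root.

```shell
#!/bin/sh
# audit_writable_dirs <webroot> <web-user> ["<allowed relative dirs>"]
# Prints, one per line and sorted, each directory the web user could write to
# that is not under an allowed path. A directory counts as writable when it is
# owned by the web user with the owner write bit set, or is world-writable.
# <webroot> must be given without a trailing slash.
audit_writable_dirs() {
  root=$1; web_user=$2; allowed=${3:-wp-content/uploads}
  find "$root" -type d \( -user "$web_user" -perm -200 -o -perm -002 \) -print |
  while read -r d; do
    if [ "$d" = "$root" ]; then rel=.; else rel=${d#"$root"/}; fi
    skip=0
    for a in $allowed; do
      case "$rel" in "$a"|"$a"/*) skip=1 ;; esac
    done
    [ "$skip" -eq 0 ] && echo "$rel"
  done | sort
  return 0
}

# apply_readonly_layout <webroot> <deploy-user> <web-user> <web-group>
# Remediation (needs root): code is owned by the deploy account and readable
# but not writable by the web user; only the upload tree belongs to the web
# user. Administrators change code through their own sFTP account, never
# through the PHP process.
apply_readonly_layout() {
  chown -R "$2:$4" "$1"
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chown -R "$3:$4" "$1/wp-content/uploads"
}

# Stand-alone demo against a constructed tree: ./perm-audit.sh demo
if [ "${1:-}" = demo ]; then
  w=$(mktemp -d)
  mkdir -p "$w/wp-content/uploads" "$w/wp-content/plugins" "$w/wp-includes"
  echo "writable by $(id -un) outside the upload tree:"
  audit_writable_dirs "$w" "$(id -un)"
fi
```

Run the audit with the real PHP-FPM user (for example `www-data`) after every deployment; anything it prints besides the upload tree is a place where a compromised plugin could drop a script. Note that WordPress honours the `FS_METHOD` and `FTP_HOST` constants in `wp-config.php` for the FTP-based update path mentioned above, so the code tree can stay read-only for PHP.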
You can read more about our security approaches and about ways to improve your e-business security in our recent article.