Many WordPress owners don't really worry about WordPress security hardening. In our practice, we often face issues that are connected to a low level of server security. As a result, hackers penetrate servers and upload shell scripts, bad code, and various iFrames. Sometimes they even hack WordPress with malware or a virus and that’s why many online businesses may suffer. ITsyndicate’s experience lets us elaborate on the most efficient strategy for WordPress security hardening and getting rid of vulnerabilities.
One of the oldest security measures on the Internet is the encryption of HTTP traffic. By implementing an encrypted HTTPS connection all the way end-to-end to the client browser you're protecting your business from any rogue men in the middle. In order to ensure the health of the protection level, you need to take careful attention to the encryption certificates and protocol configuration. The certificate is as good and secure as the final part of the signature chain. You might need to take specific and effective measures to ensure that end-users could not trick to ignore certificate exceptions.
To face the jungle of the public Internet any modern web application requires protection against the Wild West of the Internet. The modern application architecture implements a protective outer edge into the architecture, which is designed to block even a distributed denial of service attack, which some of the traditional firewall-based solutions are not able to defend from. You can do it by integrating a proxy in the traffic between the public Internet and application servers, thus effectively also hiding the server network address like NAT routers would do.
Note! The application vulnerability level might still reveal the real server IP address, so depending on the business requirements, additional measures might be required to avoid this.
Firewall for WordPress security hardening
Approaching the outer edge of the public network, the firewall will block any irrelevant protocols and ports, and only relevant protocols such as HTTP and HTTPS are allowed. Furthermore, advanced firewall configures to lock potential attackers and bot-nets out, e.g. in the case of brute-force attack or scanning. Together with the next layer, CloudFlare or any other proxy solution, the architecture is able to face most of the modern world cyber-security challenges.
On the web server level, the most common vulnerabilities are related to unprotected directories that are open to the outside world. In the architecture designed for WordPress security hardening, specific measures are taken in the web server's configuration (Nginx) to ensure that only relevant directories are served to the Internet. This includes blocking irrelevant folders in the application directory tree layout. Additionally, you can ban executable scripts on the web server level. This brings additional measures to harden the PHP-executor level to ensure that it can execute only authorized PHP code.
There are various means to implement the proper PHP execution environment. We use a PHP-FPM processor, which serves the PHP execution capabilities for the web server through Unix sockets. It is a really good choice for high-volume applications. It provides specific process management capabilities to facilitate a secure PHP processing environment.
This solution will define a set of forbidden PHP functions. Sometimes you may even use not so many PHP functions in the application logic, but still, some of them can be inherently insecure. To reduce the risk of any PHP-level vulnerability you need to harden the setup and exclude some specific functions. The best way to exclude the case when an attacker uses forbidden functions is to put PHP execution environment in secure borders.
One of the most advanced exploits is when someone implements shell code in common files such as images, PDF’s or any other attachments. Thus, the victim system would not need to perform any unusual actions in order to activate the payload. In the server environment, this would mean the application is just parsing the image. In order to deal with vulnerability, this architecture needs to forbid the execution of the code in the images.
Furthermore, you take specific measures to ensure the PHP process, and thus any potential attacker, would not be able to write to the disk surface. Running PHP under a dedicated and restricted user is an additional maneuver to incapacitate a potential attacker by looking after that any application-level vulnerability.
Secure web directories
The fundamental, classic, and indeed one of the first vulnerabilities exploited in web applications is the writable web directory. This meant in effect, that an intruder could place executable files on the server. Even a script could compromise much of the server. However, many web applications need to have such permission in order to function as required.
The best way to solve this issue is to define specific directories, where the web application can perform writing. This action will also ensure that those directories would not exeсute any of the forbidden files. The web server has read-only access to all of the other files and may perform WRITE operations only to the
/uploads directory. Administrator users may access the web root by a dedicated encrypted connection sFTP.
WordPress instance needs to have write-enabled access to some directories to update its plugins and components. This WordPress security option defines, that you update plugins only by using a dedicated FTP connection method. The local FTP server will provide that access, and it should listen to the local interface only. That means, that no attacker can access it from the public Internet, even if they have the credentials at hand.
Restricting application privileges to the web directory will provide an effective defence against some of the application-level vulnerabilities. This is one of the most important steps on WordPress security hardening path :)
Furthermore, you can read more about our security approaches and ways to improve your e-business security in our recent article.