In our practice we often encounter insufficient server security; as a result, servers are penetrated, web shells are uploaded, or WordPress is infected with malware, and the client's business suffers.
ITsyndicate's experience has allowed us to work out the most efficient strategy for hardening WordPress and eliminating these vulnerabilities.
One of the oldest security measures on the Internet is encrypting HTTP traffic. An encrypted HTTPS connection carried end-to-end to the client's browser defends against any rogue man in the middle on the network path. To keep that protection effective, the certificates and the protocol configuration need careful attention: a certificate is only as trustworthy as the weakest link in its signature chain, and specific measures may be required so that end users cannot be tricked into ignoring a certificate warning should they encounter one.
Any modern web application needs protection from the wild west of the public Internet. The modern application architecture adds a protective outer edge designed to withstand even a distributed denial-of-service attack, which some traditional firewall-based solutions cannot defend against. This is done by placing a proxy between the public Internet and the application servers, which also hides the servers' network addresses much as a NAT router would. Note: an application-level vulnerability may still reveal the real server IP address, so, depending on business requirements, additional measures may be needed to prevent this.
At the outer edge facing the public network, the firewall blocks all irrelevant protocols and ports; only relevant protocols such as HTTP and HTTPS are allowed. An advanced firewall is further configured to lock out potential attackers and botnets, e.g. in the case of a brute-force attack or scanning. Together with the next layer, the CloudFlare proxy, the architecture can face most modern cyber security challenges.
On the web server, the most common vulnerabilities relate to unprotected directories being exposed to the world and to the server-wide execution policy. In this hardened WordPress architecture, specific measures are taken in the web server configuration (Nginx) to ensure that only relevant directories are served to the Internet, which includes blocking irrelevant folders in the application directory tree.
In addition, the upload directory is configured at the web server level to disallow any executable scripts. This web-server-level protection complements the hardening of the PHP executor, which ensures that only authorised PHP code can be executed.
There are various ways to attach a PHP execution environment to the web server. We use the PHP-FPM process manager, which provides PHP execution to the web server through Unix sockets. PHP-FPM is reported to be a good choice for high-volume applications, and its process management capabilities help build a secure PHP processing environment.
The solution defines a set of forbidden PHP functions. Many PHP functions are not used in the application logic, and some are inherently insecure. To further reduce the risk of a PHP-level vulnerability being exploited, the hardened setup categorically disables such functions; should the PHP execution environment be compromised, the attacker cannot use them.
One of the more advanced exploits embeds code in a common file such as an image, PDF or other attachment, so the victim system does not need to perform any unusual action to trigger the payload; on a server this can mean the application merely parsing the image. To counter this, the architecture specifically disallows the execution of code in images.
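As an added example (not ITsyndicate's own configuration), the Nginx server block below applies the measures described in the HTTPS, proxy and web server sections above: TLS with HSTS, the real client address restored behind the CloudFlare proxy, closed directories, no script execution from the upload tree, and only existing PHP files handed to PHP-FPM over a Unix socket. The web root, socket and certificate paths, the hostname and the 203.0.113.0/24 range are assumptions or placeholders.

```nginx
# Added example, not ITsyndicate's own configuration. Assumed: web root
# /var/www/example.com, PHP-FPM socket /run/php/php-fpm.sock, certificates
# under /etc/ssl/example.com/, 203.0.113.0/24 as a placeholder proxy range.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # HSTS: browsers that have seen it refuse plain HTTP for this host and
    # will not let the user click through a certificate error.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Behind the CloudFlare proxy the real client address arrives in a header;
    # restore it so logs and brute-force lockouts see the true source.
    set_real_ip_from 203.0.113.0/24;   # PLACEHOLDER: CloudFlare's published ranges
    real_ip_header CF-Connecting-IP;

    # Regex locations match in order of appearance, so every deny rule must
    # precede the PHP handler at the bottom.
    # Dotfiles and dot-directories (.git, .env, .htaccess) are never served.
    location ~ /\. { deny all; }

    # Config copies (wp-config.php.bak) and version-revealing files.
    location ~* "/(wp-config\.php|readme\.html|license\.txt)" { deny all; }

    # Upload tree: static files only. A script dropped here through an
    # upload bug is refused outright instead of reaching PHP-FPM.
    location ~* "^/wp-content/uploads/.*\.(php|phtml|phar|pl|py|cgi|sh)$" {
        deny all;
    }

    # Only PHP files that exist reach PHP-FPM. try_files defeats the
    # "/photo.jpg/x.php" PATH_INFO trick that would otherwise make PHP run
    # code embedded in an image (pair with security.limit_extensions=.php
    # in the PHP-FPM pool).
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # PHP-FPM honours PHP_ADMIN_VALUE: confine file access to the web root.
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/";
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location / { try_files $uri $uri/ /index.php?$args; }
}
```

The dotfile rule also blocks /.well-known/, so add an exception if certificates are issued over ACME, and extend open_basedir with the PHP session save path if the site relies on PHP sessions.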
Furthermore, specific measures ensure that the PHP process, and thus any potential attacker, cannot write to disk. Running PHP under a dedicated, restricted user is an additional manoeuvre to contain an attacker: an exploited application-level vulnerability cannot escalate within the execution environment.
The fundamental and classic vulnerability, indeed one of the first exploited in web applications, was the world-writable web directory. It meant that an intruder could place a file on the server, and if that file was executable, even a script could compromise much of the server. Yet many web applications by design need such permissions in order to function.
The industry-standard response to this challenge has been to define specific directories to which the web application is allowed to write and to ensure that no file in those directories can be executed. The web server has read-only access to all other files and may write only to the upload directory. Administrator users access the web root over a dedicated encrypted connection (SFTP).
For a WordPress instance to update its plugins and components, it needs write access to defined directories. This WordPress security option specifies that plugins are updated only via a dedicated FTP connection method. A locally run FTP server provides that access and listens only on a local interface, so no attacker could reach it from the public Internet even with the credentials in hand.
Restricting the web server application's privileges within the web directory provides an effective defence against some application-level vulnerabilities.