WordPress homepage security application summary..

WordPress

I made a homepage with wordpress 5 years ago, but from a certain moment, the homepage moves to a strange site. At first, I simply restored the homepage, but the same symptoms were repeated even after I recovered. So the WordPress version was low, so I uploaded php to 7.3 and updated WordPress to the latest. But the same symptoms are repeated. Eventually, the existing infected file was found, deleted, and the homepage was restored in a form that enhanced security. As I run this month, security seems to be no problem, so I will summarize it here.

We recommend that you back up the site and DB at each step before starting the work below.

Install Security Plugin

If you search for’security’ in the WordPress plugin, more than 100 plugins will be searched. Among them, I have installed and used it as a plugin mainly installed by users with high ratings. And I am using 3 plugins.

iThemes Security

Link: iThemes Security

This is the most helpful plugin. If you open’Settings’ in the administrator menu, you can see various settings. You can set it step by step. Most security settings can be done.

And the most recommended setting is File Change Detection. The site tracks and records changes to files, and also notifies you by email. It helps a lot to make sure that there are no problems with the site after setting it up early.

Wordfence Security

Link: Wordfence Security

Monitors attacks on the site. When an attack comes into the site, it blocks it and blocks the attack. Among the administrator menus, there is a menu called Live Traffic, where you can view the log of login attempts or hacking attempts. If you grasp it well, you will see “Oh~ you’re trying to hack this way.”

And, if you connect OTP with the two-factor authentication function, it is much safer from attacks related to login attempts.

Sucuri Security

Link: Sucuri Security

Although it overlaps a lot of the two plug-in functions in the front, it was installed as a supplementary role. It functions as security activity monitoring and malware inspection.

Although there are some overlapping functions in the above 3 plugins, 3 are installed for stability.

In personal opinion, it would be sufficient to install only [iThemes Security] (https://wordpress.org/plugins/better-wp-security) and [Wordfence Security] (https://wordpress.org/plugins/wordfence/) I see it.

Catching bugs by hand

By installing the above plugin, you can detect malware or various types of hacking attempts. However, there are cases where plugins alone are not caught. In this case, you have to hold one by one.

Find suspect files

find. -type f -name'*.php' | xargs grep -l "eval *("
find. -type f -name'*.php' | xargs grep -l "base64_decode *("
find. -type f -name'*.php' | xargs grep -l "gzinflate *("

eval is a function that allows you to use variable variables in php. Are used. The functions base64_decode and gzinflate obfuscate the string, making it difficult for the user to decrypt the php file immediately.

It is recommended to search for these 3 words and correct or delete files that are unlikely to be used or suspicious files.

find. -type f -name'*.php' | grep -i'<iframe'

Check if the iframe is included in the php file.

find wp-content/uploads -type f -iname'*.jpg' | xargs grep -i php

It scans for malware attacks that contain php inside a jpg file.

Upload folder check

Find the php executable file in the upload folder and delete the suspicious files.

find wp-content/uploads -type f -name'*.php'

Find recently changed files

find. -type f -name'*.php' -mtime -7

The list of files that have been changed in the php file for the last 7 days is displayed.

Editing .htaccess

Editing .htaccess can restrict access to the site. The security plugin also edits the .htaccess file.

However, some of them can be modified and set as desired.

Turn off directory browsing

Most of them create an empty index.php file to prevent browsing of the empty directory, but you can also turn this off in the .htaccess file.

Options -Indexes

protect wp-config.php file

The wp-config.php file contains important information of the site. It prevents direct access from the web. Add the following to the .htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

Turn off XML-RPC file access

The xmlrpc.php file allows the WordPress third-part app to access the site. If you are not using a third-party app, we recommend turning this feature off. Add the following to the .htaccess file.

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

You can also set it in [iThemes Security] (https://wordpress.org/plugins/better-wp-security/).

Turn off script injection

Do not allow scripts to be inserted to prevent hackers from inserting malicious code into existing php documents. Add the following to the mode_rewrite part of the .htaccess file.

<IfModule mod_rewrite.c>
...
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
</IfModule>

Allow access to wp-admin folder from specific ip

wp-admin is the admin folder. Restrict wp-admin access from specific ip.

Create .htaccess file in wp-admin folder and add the following contents.

<Limit GET POST>
order deny,allow
deny from all
allow from 1.2.3.4
allow from 1.2.3.5
</Limit>

Basically, access is restricted, and only ip that needs to access the administrator menu is registered as above.

Prevent php execution in specific wordpress folder

Some hackers attempt to hack a backdoor installation using the upload function of the WordPress site. You can treat php not to run in /wp-include/, /wp-content/uploads/ folder, etc. so that the installed files are not executed directly.

Create .htaccess file in /wp-include/ folder and /wp-content/uploads folder and put it as below.

<Files *.php>
deny from all
</Files>

Setting access rights for files and folders

Set stricter access rights to files and folders to prevent files from being changed.

The recommended permissions for each folder are as follows.

Path Authority
/ 755
.htaccess
Send feedback
History
Saved
Community