<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GrenadePod &#187; security</title>
	<atom:link href="http://www.grenadepod.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.grenadepod.com</link>
	<description>Dispersing the Seeds</description>
	<lastBuildDate>Mon, 22 Feb 2010 20:30:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Basic Apache security</title>
		<link>http://www.grenadepod.com/2009/11/25/basic-apache-security/</link>
		<comments>http://www.grenadepod.com/2009/11/25/basic-apache-security/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 13:44:38 +0000</pubDate>
		<dc:creator>pulegium</dc:creator>
				<category><![CDATA[IT Technology]]></category>
		<category><![CDATA[System administration]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[system administration]]></category>

		<guid isPermaLink="false">http://www.grenadepod.com/?p=520</guid>
		<description><![CDATA[Below are just a few things to consider if you want to make your Apache installation more secure: Hide your identity Well, first of all you need to hide details about who you are, or rather what your webserver is. It is a good practice to always run on the latest security patch, but not [...]


Related posts:<ol><li><a href='http://www.grenadepod.com/2009/11/21/securing-wordpress/' rel='bookmark' title='Permanent Link: Securing WordPress'>Securing WordPress</a></li>
<li><a href='http://www.grenadepod.com/2009/11/23/use-ssh-to-upgrade-wordpress-plugins-automatically/' rel='bookmark' title='Permanent Link: Use SSH to upgrade WordPress plugins automatically'>Use SSH to upgrade WordPress plugins automatically</a></li>
<li><a href='http://www.grenadepod.com/2009/12/21/sorting-out-yum-repositories-on-centos-5-4/' rel='bookmark' title='Permanent Link: Sorting out YUM repositories on CentOS 5.4'>Sorting out YUM repositories on CentOS 5.4</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p id="top">Below are just a few things to consider if you want to make your Apache installation more secure:</p>
<h3>Hide your identity</h3>
<p>Well, first of all you need to hide details about who you are, or rather what your web server is. It is good practice to always run the latest security patch, but that is not always feasible. So if you can&#8217;t upgrade in time, at least make attackers&#8217; lives harder by hiding details about your server. Keep in mind that this only takes the version out of the Server header and server-generated pages; the version can still be fingerprinted from the server&#8217;s behaviour, so it is no substitute for patching:</p>
<pre>#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off</pre>
<h3>Allow only basic HTTP methods</h3>
<p>HTTP/1.1 defines the GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE and CONNECT methods. Guess how many of those are actually used intensively. Yup, only two. Most web sites would do just fine with only GET and POST. You might however find that you need more (WebDAV needs PUT and DELETE, for instance), so enable them as you see fit. In the example below I only allow the two basic, commonly used methods. Two caveats: Apache treats HEAD as GET here, so HEAD stays allowed, and TRACE cannot be restricted by LimitExcept at all, so switch it off with TraceEnable (it has no legitimate use on a production site and is the basis of cross-site tracing). On Apache 2.4 the Order/Deny pair becomes Require all denied.</p>
<pre>&lt;Location /&gt;
    &lt;LimitExcept GET POST&gt;
        Order allow,deny
        Deny from all
    &lt;/LimitExcept&gt;
&lt;/Location&gt;
TraceEnable off</pre>
<h3>Disable old and insecure SSL</h3>
<p>Use only current protocol versions and only strong ciphers. The setting this post originally carried, SSLProtocol -ALL +SSLv3 +TLSv1 with a cipher list that put RC4 first, was the norm in 2009, but SSLv3 (POODLE) and RC4 have both been broken since. On a current Apache and OpenSSL disable both, make the server&#8217;s cipher order win, and drop TLSv1 and TLSv1.1 as well once your clients allow it:</p>
<pre>SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES</pre>
<h3>Disable modules that you don&#8217;t need</h3>
<p>Again, this depends on your installation and what you&#8217;re actually using, but in most cases many of the modules that Apache loads by default are not needed. List what is currently loaded with httpd -M (apachectl -M), then search the configuration for LoadModule directives and remove anything you don&#8217;t need. A good list to start with:</p>
<ul>
<li>mod_imap (server-side image maps)</li>
<li>mod_include (server-side includes, which can execute commands)</li>
<li>mod_info (dumps your configuration to whoever can reach /server-info)</li>
<li>mod_userdir (exposes ~user home directories)</li>
<li>mod_status (shows requests in flight and client addresses at /server-status)</li>
<li>mod_cgi (unless you actually run CGI scripts)</li>
<li>mod_autoindex (the module behind directory listings)</li>
<li>mod_dav (enables PUT, DELETE and the other WebDAV methods)</li>
</ul>
<h3>Other settings</h3>
<p>Reduce the timeout, which is 300 seconds by default in Apache 2.2 (60 in 2.4). It governs how long the server waits for the next packet from a client before giving up on the request, so a stalled client can hold a worker for up to 5 minutes. Reduce it to something sensible, like 20-30 seconds, to limit that. Be clear about what it buys you: a client that trickles a byte every few seconds (Slowloris) stays under any Timeout, which is what mod_reqtimeout&#8217;s RequestReadTimeout is for, and no timeout setting will save you from a distributed flood. KeepAliveTimeout deserves the same treatment for idle persistent connections.</p>
<pre>Timeout 20</pre>
<p>Disable directory browsing for any directory that has no index file:</p>
<pre>Options -Indexes</pre>
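<p>As an added example (not from the original post), the script below turns the checklist above into something you can run against a configuration file: it flags ServerTokens other than Prod, ServerSignature On, a missing TraceEnable off (LimitExcept cannot restrict TRACE), SSLv2/SSLv3 in SSLProtocol, a Timeout above 30 seconds, LoadModule lines for the modules listed above, and any Options line that turns on Indexes. The two sample configuration files it writes are constructed for the demonstration, not taken from any real server, and the 30-second threshold is this example&#8217;s choice.</p>

```shell
#!/bin/sh
# Added example (not from the original post): audit one Apache config file for the
# weak settings covered above, plus TraceEnable, which <LimitExcept> cannot cover.
# audit_apache_conf prints one line per finding and returns the number of findings.
# Plain POSIX sh; it reads only the file it is given and does not follow Include.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Last value of a directive (Apache is last-one-wins for single-valued directives),
# matched case-insensitively with comments stripped first.
directive_value() {
    sed 's/#.*//' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }'
}

flag() { echo "$1"; findings=$((findings + 1)); }

audit_apache_conf() {
    conf="$1"
    findings=0
    v=$(directive_value "$conf" ServerTokens)
    [ "$(lc "$v")" = prod ] || flag "ServerTokens is '${v:-unset, i.e. Full}'; set 'ServerTokens Prod'"
    v=$(directive_value "$conf" ServerSignature)
    case "$(lc "$v")" in
        on|email) flag "ServerSignature is '$v'; set 'ServerSignature Off'" ;;
    esac
    v=$(directive_value "$conf" TraceEnable)
    [ "$(lc "$v")" = off ] || flag "TraceEnable is '${v:-unset, i.e. on}'; LimitExcept cannot block TRACE, set 'TraceEnable off'"
    v=$(directive_value "$conf" Timeout)
    case "$v" in
        ''|*[!0-9]*) flag "Timeout not set; the compiled-in default is well above 30 seconds" ;;
        *) [ "$v" -le 30 ] || flag "Timeout is ${v}s; reduce it to 20-30 seconds" ;;
    esac
    # SSLv2/SSLv3 enabled explicitly, or 'all' without an explicit -SSLv3.
    v=$(directive_value "$conf" SSLProtocol)
    if printf '%s\n' "$v" | grep -Eiq '(^|[[:space:]])\+?SSLv[23]([[:space:]]|$)'; then
        flag "SSLProtocol '$v' enables SSLv2/SSLv3; use 'SSLProtocol all -SSLv2 -SSLv3'"
    elif printf '%s\n' "$v" | grep -Eiq '(^|[[:space:]])\+?all([[:space:]]|$)' \
         && ! printf '%s\n' "$v" | grep -Eiq -- '-SSLv3'; then
        flag "SSLProtocol '$v' says all without -SSLv3; add '-SSLv3'"
    fi
    # Modules the post recommends dropping; LoadModule's second field is the module name.
    for m in $(sed 's/#.*//' "$conf" | awk 'tolower($1) == "loadmodule" &&
            $2 ~ /^(imagemap|include|info|userdir|status|cgi|autoindex|dav)_module$/ { print $2 }'); do
        flag "LoadModule $m is active; remove it unless you need it"
    done
    # 'Indexes' or '+Indexes' in any Options line turns on directory listings.
    if sed 's/#.*//' "$conf" | grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)'; then
        flag "An Options line enables Indexes (directory listing); use 'Options -Indexes'"
    fi
    return $findings
}

# Constructed sample configs for the demo and test (not taken from any real server).
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
Timeout 300
SSLProtocol -ALL +SSLv3 +TLSv1
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
Timeout 20
SSLProtocol all -SSLv2 -SSLv3
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
}

demo() {
    tmp=$(mktemp)
    for kind in weak hardened; do
        "write_${kind}_conf" "$tmp"
        echo "== $kind config =="
        audit_apache_conf "$tmp" && echo "-> clean" || echo "-> $? finding(s)"
    done
    rm -f "$tmp"
}
demo
```

<p>Run it with sh to see both samples scored. To audit a live server, point audit_apache_conf at your main configuration; since it reads only the one file it is given, concatenate included files first if your directives are spread across them.</p>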


]]></content:encoded>
			<wfw:commentRss>http://www.grenadepod.com/2009/11/25/basic-apache-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing WordPress</title>
		<link>http://www.grenadepod.com/2009/11/21/securing-wordpress/</link>
		<comments>http://www.grenadepod.com/2009/11/21/securing-wordpress/#comments</comments>
		<pubDate>Sat, 21 Nov 2009 10:15:08 +0000</pubDate>
		<dc:creator>pulegium</dc:creator>
				<category><![CDATA[IT Technology]]></category>
		<category><![CDATA[Publishing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[system administration]]></category>
		<category><![CDATA[WordPress]]></category>

		<guid isPermaLink="false">http://www.grenadepod.com/?p=457</guid>
		<description><![CDATA[No matter how good developers are (and I trust WordPress developers are one of the best bunch out there) they are still humans and make mistakes. When it comes to a security, one doesn&#8217;t need to make mistakes or introduce bugs in the code to make software or application vulnerable to external attacks. Software development [...]


Related posts:<ol><li><a href='http://www.grenadepod.com/2009/11/23/use-ssh-to-upgrade-wordpress-plugins-automatically/' rel='bookmark' title='Permanent Link: Use SSH to upgrade WordPress plugins automatically'>Use SSH to upgrade WordPress plugins automatically</a></li>
<li><a href='http://www.grenadepod.com/2009/11/25/basic-apache-security/' rel='bookmark' title='Permanent Link: Basic Apache security'>Basic Apache security</a></li>
<li><a href='http://www.grenadepod.com/2009/11/06/essential-wordpress-plugins/' rel='bookmark' title='Permanent Link: Essential WordPress plugins'>Essential WordPress plugins</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p id="top">No matter how good developers are (and I trust WordPress developers are one of the best bunches out there) they are still human and make mistakes. When it comes to security, one doesn&#8217;t even need to make mistakes or introduce bugs in the code to leave an application vulnerable to external attack.</p>
<p>Software development is a really complex process and although WordPress developers take security very seriously, you should also take extra measures to ensure the safety and security of your blog or web site.</p>
<p>There are a few simple steps that make your WordPress installation a lot harder for an attacker to compromise.</p>
<h3>WordPress software</h3>
<p>Always keep up to date. Security flaws are identified and fixed as soon as they are reported, so it&#8217;s important to always keep your WordPress installation on the current release. It&#8217;s very easy now that WordPress has an automatic update feature: all you have to do is tell it to install the newer version. Keep plugins and themes current too; they are maintained separately from core and are a frequent entry point.</p>
<h3>File permissions</h3>
<p>You need to make sure that the web server can modify only those files that it is allowed to. Do not rely on WordPress to enforce this; use the file system permission model. All files in the WordPress installation need to be owned by, and writable only by, the user that installed the system, not the user the web server runs as. The only exception is the wp-content/ directory, which holds uploaded content and is where automatic plugin updates write. Be aware of the trade-off: group write on wp-content also lets a compromised PHP process write its own PHP into wp-content/plugins or wp-content/themes, so if you update plugins over SSH instead (see the related post on that) you can narrow the writable part to wp-content/uploads.</p>
<blockquote><p>Make sure you perform all actions in whatever your WordPress installation directory is, and not outside of it!</p></blockquote>
<p>Let&#8217;s make all files owned by your user and set the group to the web server group. Use user:group rather than the obsolete user.group form, and target the directory (.) rather than *, which would skip .htaccess and other dotfiles:</p>
<pre>
$ sudo chown -R myuser:www-data .
</pre>
<p>Then change all permissions so that files can be written to by your user only and are read-only for everyone else:</p>
<pre>
$ find . -type d -exec chmod 755 {} \;
$ find . -type f -exec chmod 644 {} \;
</pre>
<p>Finally allow group write for the wp-content/ directory only, not the whole tree (which would undo the previous step), so that the web server can install plugin updates and store uploads:</p>
<pre>
$ chmod -R g+w wp-content
</pre>
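<p>An added example, not part of the original post: the script below wraps the three steps above in one function and pairs it with an audit that checks the result, so you can verify the tree is in the intended state instead of assuming it. The sample WordPress tree it builds is constructed for the demonstration, and the demo passes the current uid and gid as stand-ins for myuser and www-data, which is what you would pass on a real server (as root, since changing a file&#8217;s owner to another user needs it).</p>

```shell
#!/bin/sh
# Added example (not from the original post): apply the ownership/permission scheme
# described above to a WordPress tree, then audit it so the result is verified
# rather than assumed. Plain POSIX sh. The sample tree is constructed here; the
# demo uses the current uid/gid as stand-ins for myuser and www-data.

# Owner writes everywhere; the web server's group may write only under wp-content.
set_wp_perms() {
    root="$1" owner="$2" group="$3"
    chown -R "$owner:$group" "$root"            # the whole tree, dotfiles included
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod -R g+w "$root/wp-content"             # only here, not "chmod -R g+w *"
}

# One audit rule: list the paths matching a find expression under a label and
# add their number to $bad (paths are assumed not to contain newlines).
rule() {
    msg="$1"; shift
    c=$(find "$@" | wc -l | tr -d ' ')
    if [ "$c" -gt 0 ]; then
        echo "$msg ($c):"
        find "$@" | sed 's/^/  /'
    fi
    bad=$((bad + c))
}

# Returns the number of violations (0 = clean; a shell return code caps at 255).
audit_wp_perms() {
    root="$1"
    bad=0
    rule "world-writable (any local user could plant code)" "$root" -perm -002
    rule "setuid/setgid files" "$root" -type f \( -perm -4000 -o -perm -2000 \)
    rule "group-writable outside wp-content (web server could edit core files)" \
        "$root" -path "$root/wp-content" -prune -o -perm -020 -print
    rule "not group-writable inside wp-content (updates and uploads would fail)" \
        "$root/wp-content" ! -perm -020
    return "$bad"
}

# Constructed sample tree, left in the state the original 'chmod -R g+w *' produces,
# plus a world-writable uploads directory (a common "make uploads work" shortcut).
make_sample_wp_tree() {
    root="$1"
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/plugins/some-plugin" "$root/wp-content/uploads"
    for f in index.php wp-config.php .htaccess wp-admin/admin.php \
             wp-includes/version.php wp-content/plugins/some-plugin/plugin.php \
             wp-content/uploads/photo.jpg; do
        : > "$root/$f"
    done
    chmod -R g+w "$root"
    chmod 777 "$root/wp-content/uploads"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_wp_tree "$tmp"
    echo "== before =="
    audit_wp_perms "$tmp" || echo "-> $? violation(s)"
    set_wp_perms "$tmp" "$(id -u)" "$(id -g)"   # on a real server: myuser www-data
    echo "== after =="
    audit_wp_perms "$tmp" && echo "-> clean"
    rm -rf "$tmp"
}
demo
```

<p>The audit is the part worth keeping around: run audit_wp_perms against the live tree after every update, since a plugin installer or a careless chmod can silently reopen what the three commands closed.</p>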
<h3>Secure wp-admin access</h3>
<p>WordPress recommends using additional plugins and HTTP authentication to provide additional security for the administration pages, but I think this is not necessary if you implement the following two security measures: enforce SSL-only traffic to /wp-admin/ and allow access only from certain IP addresses.</p>
<p>Make /wp-admin/ available over SSL only, so that all traffic to and from it (including passwords) is encrypted. This prevents attackers from hijacking traffic and intercepting passwords and other sensitive data. Note that the login form itself lives at /wp-login.php, not under /wp-admin/, so the password is only protected if that URL is forced onto HTTPS as well; the configuration below covers both. Defining FORCE_SSL_ADMIN in wp-config.php, which makes WordPress itself generate https:// links for the admin area, complements this.</p>
<p>This may sound a bit complicated, but bear with me, it&#8217;s not as scary as it looks. You will need two &lt;VirtualHost&gt; definitions: one for normal web traffic and one for SSL.</p>
<p>In the plain HTTP definition you make a special case for the /wp-admin/ and /wp-login.php URLs and redirect them to HTTPS, so whenever you try to reach them over http:// you are sent to https:// instead (the redirect keeps the path you asked for). The HTTPS VirtualHost in its turn denies access to /wp-admin/ from everyone except the IPs listed in the configuration (on Apache 2.4 the Order/Deny/Allow lines become Require ip trusted_ip_1 trusted_ip_2). Two things to check before you rely on this: wp-login.php is still reachable by everyone, so strong passwords remain essential, and wp-admin/admin-ajax.php is used by many themes and plugins for front-end requests from ordinary visitors, so if yours do, exempt that one file from the IP restriction.</p>
<pre>&lt;VirtualHost server_ip:80&gt;
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/virtual/www.example.com
    ErrorLog /var/log/apache2/www.example.com-error.log
    CustomLog /var/log/apache2/www.example.com-access.log combined
    # Everything under /wp-admin and the login form itself go to HTTPS,
    # keeping the path the client requested.
    &lt;Location /wp-admin&gt;
        RewriteEngine on
        RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
    &lt;/Location&gt;
    &lt;Location /wp-login.php&gt;
        RewriteEngine on
        RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
    &lt;/Location&gt;
&lt;/VirtualHost&gt;

&lt;VirtualHost server_ip:443&gt;
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    DocumentRoot /var/www/virtual/www.example.com
    ErrorLog /var/log/apache2/www.example.com-error.log
    CustomLog /var/log/apache2/www.example.com-access.log combined
    # Apache 2.2 access control; on 2.4 replace the four lines below with
    # "Require ip trusted_ip_1 trusted_ip_2".
    &lt;Location /wp-admin&gt;
        Order deny,allow
        Deny from all
        Allow from trusted_ip_1
        Allow from trusted_ip_2
    &lt;/Location&gt;
&lt;/VirtualHost&gt;</pre>
<h3>Other security measures</h3>
<p>Install the <a href="http://wordpress.org/extend/plugins/wp-security-scan/" target="_blank">WP Security Scan plugin</a>, which gives a good overview of how your installation looks from a security point of view.</p>
<p>Also stop advertising the WordPress version you are using. Add the following line to your active theme&#8217;s functions.php. It only removes the generator meta tag from the HTML head; the version still shows up in readme.html at the site root, in the feeds&#8217; generator element and in the ?ver= query strings on core scripts and styles, so treat this as cosmetic rather than a real barrier:</p>
<pre>
remove_action('wp_head', 'wp_generator');
</pre>
<p>And did I mention that you need to make regular backups?&#8230;</p>


]]></content:encoded>
			<wfw:commentRss>http://www.grenadepod.com/2009/11/21/securing-wordpress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
