Allowing WordPress to update itself on CentOS and securing it from spammers

Below is a list of commands to help secure your CentOS WordPress server.

SSH into your machine

sudo chown -R apache:apache /var/www/

If WordPress won't update itself automatically and asks for FTP credentials instead, the files are not writable by the user Apache runs as, so this command is especially important. If you aren't sure that user is apache, create who.php in the web root and open it in a browser; it prints the account the web server runs as (delete the file once you have checked):

<?php echo(exec("whoami")); ?>

Next, lock the root account's password and open the site's .htaccess file (create it if it doesn't exist); its contents should be the blocks below:

passwd --lock root
nano /var/www/html/.htaccess

# BEGIN Protection against DDoS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login.php
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_COOKIE} !paddos_yL3cF=1 [NC]
RewriteRule ^(.*)$ http://127.0.0.1/ [R,L]
</IfModule>
# END Protection against DDoS

<Files wp-login.php>
    order deny,allow
    Deny from all
    # whitelist my IP address (1.1.1.1 is a placeholder; use your own)
    allow from 1.1.1.1
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
To drop all traffic from a given address at the firewall (1.1.1.1 is a placeholder; put the address you want to block there), add a firewalld direct rule:

nano /etc/firewalld/direct.xml

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-s 1.1.1.1/32 -j DROP</rule>
</direct>

Then reload firewalld and confirm the rule is active:

firewall-cmd --reload
firewall-cmd --direct --get-all-rules

Make wp-content readable by everyone but writable only by its owner:

chmod 755 /var/www/html/wp-content/

Install fail2ban

The fail2ban-firewalld package comes from the EPEL repository, so enable EPEL on RHEL/CentOS first (on CentOS 7, yum install epel-release from the extras repository does the same as the wget/rpm pair below):

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-10.noarch.rpm
rpm -ivh epel-release-7-10.noarch.rpm
yum install fail2ban-firewalld -y
systemctl start fail2ban
systemctl enable fail2ban

fail2ban ships with every jail disabled; enable the jails you want in /etc/fail2ban/jail.local before relying on it. Bans and unbans are recorded in its log:

nano /var/log/fail2ban.log

File permissions for WordPress

Suggested modes, relative to the WordPress root:

Relative path           Suggested mode
/                       0755
/wp-admin               0755
/wp-includes            0755
/wp-config.php          0444
/wp-content             0755
/wp-content/themes      0755
/wp-content/plugins     0755
/.htaccess              0444

You can set these with an FTP client such as FileZilla, or with chmod if you have shell access to the server.
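The following script, added here as an example and not part of the original post, audits a document root against the table above and reports any path whose mode differs (or, with a second argument of fix, corrects it). It assumes GNU coreutils (stat -c), which CentOS provides, and takes the WordPress root on the command line.

```shell
#!/bin/sh
# Audit a WordPress document root against the suggested permission table.
# Usage: wp_perm_audit /var/www/html        # report deviations, exit 1 if any
#        wp_perm_audit /var/www/html fix    # chmod each deviation to the suggested mode
# Assumes GNU stat (stat -c '%a'), as shipped on CentOS.

# Relative path and suggested mode, one pair per line, taken from the table.
WP_PERM_TABLE="
. 0755
wp-admin 0755
wp-includes 0755
wp-config.php 0444
wp-content 0755
wp-content/themes 0755
wp-content/plugins 0755
.htaccess 0444
"

wp_perm_audit() {
    local root="$1" action="${2:-check}" rc=0 rel want path have
    while read -r rel want; do
        [ -n "$rel" ] || continue                 # skip blank lines
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING $rel"; rc=1; continue
        fi
        have=$(printf '%04d' "$(stat -c '%a' "$path")")   # e.g. 644 -> 0644
        [ "$have" = "$want" ] && continue
        if [ "$action" = fix ]; then
            chmod "$want" "$path" && echo "FIXED   $rel $have -> $want"
        else
            echo "WRONG   $rel is $have, suggested $want"; rc=1
        fi
    done <<EOF
$WP_PERM_TABLE
EOF
    return $rc
}

# Stand-alone use: pass the WordPress root (and optionally "fix") on the command line.
[ $# -eq 0 ] || wp_perm_audit "$@"
```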

Disable the WordPress pingback exploit

There is currently a known way to abuse the pingback method of WordPress's XML-RPC interface; rather than go into great detail about it, I suggest you simply search for the plugin “Disable XML-RPC” and install it. Note that this turns off all of XML-RPC, so anything that depends on it (the WordPress mobile apps, for example) will stop working.
