Below is a list of commands to help secure your CentOS WordPress server.
First, SSH into your machine.
```
sudo chown -R apache:apache /var/www/
```
This command is especially important if WordPress won't update itself automatically and asks for an FTP password instead: that prompt means the web server user cannot write to the WordPress files.

If apache isn't the user your web server runs as, create who.php containing the line below, open it in a browser to see which user it is (and use that user in the chown command instead), then delete the file again:
```php
<?php echo(exec("whoami")); ?>
```

```
passwd --lock root
```

```
nano /var/www/html/.htaccess
```
If the file doesn't exist, create it.
```apache
# BEGIN Protection against DDoS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login.php
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_COOKIE} !paddos_yL3cF=1 [NC]
RewriteRule ^(.*)$ http://127.0.0.1/ [R,L]
</IfModule>
# END Protection against DDoS

<Files wp-login.php>
order deny,allow
Deny from all
#whitelist My IP Address
allow from 1.1.1.1
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
```
Replace 1.1.1.1 (it appears twice) with the IP address you administer the site from; with these rules in place, every other address gets a 403 for wp-login.php and wp-admin, and POSTs to wp-login.php without the paddos_yL3cF cookie are redirected away.
```
nano /etc/firewalld/direct.xml
```
Add a rule for the address you want to drop (1.1.1.1 is a placeholder here):
```xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-s 1.1.1.1/32 -j DROP</rule>
</direct>
```
Then reload firewalld and confirm the rule is active:
```
firewall-cmd --reload
firewall-cmd --direct --get-all-rules
```
```
chmod 755 /var/www/html/wp-content/
```
Install fail2ban
To enable support for fail2ban in firewalld, you need to enable the EPEL repository on RHEL/CentOS systems first, then install and start the service:
```
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-10.noarch.rpm
rpm -ivh epel-release-7-10.noarch.rpm
yum install fail2ban-firewalld -y
systemctl start fail2ban
systemctl enable fail2ban
nano /var/log/fail2ban.log
```
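To make visible what a fail2ban jail does for wp-login.php, here is an added Python example (not code from this page) that applies a fail2ban-style maxretry/findtime rule to Apache access-log lines and produces a firewalld direct rule of the same shape as the direct.xml above for each offender. The log lines and IP addresses are constructed, and the "failed login returns 200, successful login redirects with 302" rule is a heuristic assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" access-log line; the timestamp is Apache's %t layout.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log: one client hammering wp-login.php, one real login, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" '
    '200 3412 "-" "curl/7.29"' % s for s in range(0, 60, 10)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'not a log line',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    return m and (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                  m["method"], m["path"], int(m["status"]))

def is_failed_login(method, path, status):
    # Assumed heuristic: a failed wp-login.php POST re-renders the form (200), success redirects (302).
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200

def wp_login_offenders(lines, maxretry=5, findtime=600):
    """fail2ban jail in miniature: IPs with >= maxretry failed logins in any findtime-second window."""
    window = timedelta(seconds=findtime)
    fails = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(*rec[2:]):
            fails[rec[0]].append(rec[1])
    offenders = {}
    for ip, stamps in fails.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)  # largest burst seen inside one window
        if best >= maxretry:
            offenders[ip] = best
    return offenders

def firewalld_direct_rule(ip):  # same <rule> shape as the direct.xml above
    return f'<rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-s {ip}/32 -j DROP</rule>'
```

Run it over the lines of /var/log/httpd/access_log and the returned addresses are the ones a real jail would ban; fail2ban-firewalld applies the equivalent drop for you, this just shows the decision it makes.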
File permissions for WordPress
| Relative Path | Suggested |
|---|---|
| / | 0755 |
| /wp-admin | 0755 |
| /wp-includes | 0755 |
| /wp-config.php | 0444 |
| /wp-content | 0755 |
| /wp-content/themes | 0755 |
| /wp-content/plugins | 0755 |
| .htaccess | 0444 |
You can set these using an FTP application such as FileZilla, or with chmod if you have full control over your server.
Disable WordPress Pingback Exploit
There's currently a way to exploit the pingback command of WordPress (part of its XML-RPC interface); rather than go into great detail about it, I suggest you simply search for the plugin "Disable XML-RPC" and install it.
Affiliate information.
Photochirp.com is a participant in the Amazon Services LLC Associates Program and eBay affiliate programme; these are affiliate advertising programmes designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com & eBay.com.
As an Amazon Associate I earn from qualifying purchases. I am also a Capture One Pro affiliate partner. Please read the Privacy Policy page.