WordPress Hardening

Hi,

This is for people with their own server running cPanel/Apache. If you are on shared hosting, your provider will probably enable this for you if asked.

First, make sure mod_security and mod_security2-mlogc are enabled; this can be done via EasyApache 4.

Install and enable the OWASP ModSecurity Core Rule Set V3.0 rules under Select ModSecurity™ Vendors. Then, under ModSecurity™ Configuration, set:

  • Audit Log Level
  • Connections Engine set to Process the rules
  • Rules Engine set to Process the rules

Install CMC (ConfigServer ModSecurity Control):

https://www.configserver.com/cp/cmc.html

Add the following to /etc/apache2/conf.d/modsec/modsec2.user.conf:

# WordPress brute force
# Initialise the per-client collections used below (both ip and user are keyed on the client address).
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login\.php">
# Setup brute force detection.
# React if the block flag has been set.
SecRule user:bf_block "@gt 0" "phase:2,deny,status:401,log,id:5000135,msg:'IP address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup tracking. On a successful login a 302 redirect is performed; a 200 indicates the login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

# Bad bots
# badbotlist.txt is a plain-text file you supply, one User-Agent substring per line; Apache will not start if the file is missing.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/modsec/badbotlist.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"

# Prevent DDoS against xmlrpc.php (WordPress) with ModSecurity
SecAction "phase:1,id:400000,t:none,pass,nolog,initcol:global=global,initcol:ip=%{REMOTE_ADDR}"
# Count xmlrpc.php requests per client IP and drop the connection once the count exceeds 5
# (the counter loses 2 every 60 seconds and is removed after 120 seconds).
SecRule REQUEST_URI "/xmlrpc\.php" "id:400001,phase:1,t:none,nolog,drop,chain,setvar:ip.ddos=+1,deprecatevar:ip.ddos=2/60,expirevar:ip.ddos=120"
SecRule ip:ddos "@gt 5" "t:none,nolog"

Then restart Apache so the new rules are loaded:

systemctl restart httpd
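The bf_counter logic above relies on deprecatevar, which is a decay rate rather than a sliding window, so "more than 10 login attempts in 3 minutes" is only an approximation of what the rules enforce. The Python below is an added example, not part of the original post or of ModSecurity: it replays a list of (seconds, response status) wp-login.php transactions for one client IP through the same arithmetic the rules describe (setvar +1, deprecatevar 1/180, the @gt 10 check, expirevar 300) so the behaviour can be checked offline. The traffic is constructed, and the model simplifies one thing: it refreshes the collection timestamp only when the counter is written, whereas ModSecurity stamps the whole ip collection whenever it is stored.

```python
"""Model of the persistent-collection arithmetic behind the wp-login.php rules.

Added example for this post, not the rules themselves: it replays login
transactions through the same setvar / deprecatevar / expirevar steps the
ModSecurity rules describe so the blocking behaviour can be checked offline.
"""

# Values taken from the rules in modsec2.user.conf above.
COUNTER_DECAY_STEP = 1      # deprecatevar:ip.bf_counter=1/180 -> subtract 1 ...
COUNTER_DECAY_PERIOD = 180  # ... for every full 180 s since the collection was last written
BLOCK_THRESHOLD = 10        # SecRule ip:bf_counter "@gt 10"
BLOCK_SECONDS = 300         # expirevar:user.bf_block=300


class LoginGuard:
    """One client IP's view of the ip.* and user.* collection variables."""

    def __init__(self):
        self.bf_counter = 0       # ip.bf_counter
        self.last_update = None   # collection LAST_UPDATE_TIME (simplification: counter writes only)
        self.block_until = None   # moment at which expirevar removes user.bf_block

    def is_blocked(self, now):
        """Phase-2 rule 5000135: deny while user.bf_block is still alive."""
        return self.block_until is not None and now < self.block_until

    def _deprecate(self, now):
        """deprecatevar: subtract STEP per full PERIOD elapsed, never below zero."""
        if self.last_update is None:
            return
        periods = int((now - self.last_update) // COUNTER_DECAY_PERIOD)
        self.bf_counter = max(self.bf_counter - COUNTER_DECAY_STEP * periods, 0)

    def request(self, now, response_status):
        """One wp-login.php transaction at time `now` (seconds) ending with `response_status`.

        Returns 'denied' (401 from the block flag, WordPress never sees the login),
        'blocked' (this response still goes out, but the flag is now set) or 'ok'.
        """
        if self.is_blocked(now):
            return "denied"
        if response_status == 302:    # rule 5000136: a successful login clears the counter
            self.bf_counter = 0
            self.last_update = now
            return "ok"
        if response_status == 200:    # rule 5000137 chain: a failed login
            self.bf_counter += 1      # setvar:ip.bf_counter=+1 (runs before deprecatevar)
            self._deprecate(now)      # deprecatevar:ip.bf_counter=1/180
            self.last_update = now
            if self.bf_counter > BLOCK_THRESHOLD:        # chained rule: @gt 10
                self.block_until = now + BLOCK_SECONDS   # setvar:user.bf_block=1 + expirevar
                self.bf_counter = 0                      # setvar:ip.bf_counter=0
                return "blocked"
        return "ok"


def replay(events):
    """Replay [(seconds, response_status), ...] for one IP; returns the outcome per request."""
    guard = LoginGuard()
    return [guard.request(t, status) for t, status in events]


if __name__ == "__main__":
    # Constructed traffic, not real log data.
    burst = [(i, 200) for i in range(12)]        # 12 failures in 12 seconds
    slow = [(i * 200, 200) for i in range(12)]   # 12 failures, one every 200 seconds
    print("burst:", replay(burst))
    print("slow: ", replay(slow))
```

Two things the replay makes visible: the flag is set by the eleventh failure, and because rule 5000137 runs in phase 5 that eleventh response still goes out normally, so it is the twelfth request that receives the 401; and a client that spaces its attempts more than 180 seconds apart never accumulates a count at all, because each new failure first adds one and then loses one to deprecatevar.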

In .htaccess (shared hosting users can do this without contacting their hosting provider):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Block WordPress xmlrpc.php requests from everyone except your own address
# (Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
allow from your.public.i.p
</Files>

# Deny access to .htaccess, .htpasswd and similar files
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# Deny direct access to wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Block direct requests to PHP files under wp-includes and wp-admin/includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Disable directory browsing
Options All -Indexes
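The wp-includes rewrite block depends on the [S=3] skip flag, which is easy to misread, and the [^/]+ in the third rule is what keeps files in deeper wp-includes directories reachable. The Python below is an added example, not part of the post and not mod_rewrite itself: it re-implements only the subset of mod_rewrite behaviour those five RewriteRule lines use (unanchored regex match, "!" negation, [F] and [S=n]) and runs a constructed list of request paths through them so you can see which paths would get a 403 before deploying the block. The WordPress front-controller block above it is not modelled, because for a file that exists on disk its RewriteConds fail and it rewrites nothing.

```python
"""Emulator for the wp-includes hardening rules in the .htaccess above.

Added example, not part of the post: it re-implements only the mod_rewrite
behaviour those five RewriteRule lines depend on, so the effect on real
request paths can be checked before the block is deployed.
"""
import re

# (negate, pattern, flags) for each RewriteRule, in file order. Patterns are
# tested against the path relative to RewriteBase /, as mod_rewrite does in
# per-directory (.htaccess) context.
RULES = [
    (False, r"^wp-admin/includes/",                   {"F": True}),
    (True,  r"^wp-includes/",                         {"S": 3}),    # !^wp-includes/ -> skip next 3 rules
    (False, r"^wp-includes/[^/]+\.php$",              {"F": True}),
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", {"F": True}),
    (False, r"^wp-includes/theme-compat/",            {"F": True}),
]


def evaluate(path):
    """Return 'forbidden' (403 via [F]) or 'allowed' for one request path.

    Semantics emulated: unanchored regex match (re.search), '!' negation,
    [F] stops with 403, [S=n] skips the next n rules when its rule matches.
    """
    rel = path.lstrip("/")
    i = 0
    while i < len(RULES):
        negate, pattern, flags = RULES[i]
        matched = bool(re.search(pattern, rel)) != negate
        if matched:
            if flags.get("F"):
                return "forbidden"
            i += flags.get("S", 0)   # skip the following n rules
        i += 1
    return "allowed"


def audit(paths):
    """Map each path to its outcome; useful for checking a theme's or plugin's asset list."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, chosen to exercise each rule.
    sample = [
        "/wp-includes/version.php",
        "/wp-includes/js/tinymce/wp-tinymce.php",
        "/wp-includes/js/tinymce/langs/en.php",
        "/wp-includes/css/dashicons.min.css",
        "/wp-includes/theme-compat/comments.php",
        "/wp-admin/includes/file.php",
        "/wp-content/uploads/2019/photo.jpg",
    ]
    for path, verdict in audit(sample).items():
        print(f"{verdict:9s} {path}")
```

The run shows why the rules are ordered as they are: a request outside wp-includes matches the negated second rule and jumps over the three wp-includes rules, a PHP file directly under wp-includes is forbidden, and a PHP file nested deeper (such as the tinymce loader) stays reachable unless it sits under langs/ or theme-compat/.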

Thanks,
Tom

P.S. Please feel free to comment.

Sources:

https://wpprofix.com/stopped-wordpress-brute-force-attacks-server/
https://www.hostinger.co.uk/tutorials/xmlrpc-wordpress
https://forums.cpanel.net/threads/wp-login-php-and-mod-security.430242/page-2
https://malware.expert/prevent-ddos-xmlrpc-php-wordpress-modsecurity/
https://www.cloudways.com/blog/protect-wordpress-with-htaccess/
