• Hardening WordPress

    Read more
    • replace wp_ db prefix
    • rename folders wp-content, uploads, plugins, wp-admin, wp-include
    define('UPLOADS', 'media' ); // we renamed uploads and moved it level up
    define('WP_CONTENT_DIR', '/path/to/wordpress/dir/content'); // no host name, no trailing slash
    define('WP_CONTENT_URL', 'http://example.com/content');
    define('WP_PLUGIN_DIR', '/path/to/wordpress/dir/content/mod'); // no host name, no trailing slash
    define('WP_PLUGIN_URL', 'http://example.com/content/mod');
    • change cookie’s names
    define('USER_COOKIE', 'my_user_cookie' );
    define('PASS_COOKIE', 'my_pass_cookie' );
    define('AUTH_COOKIE', 'my_auth_cookie' );
    define('SECURE_AUTH_COOKIE', 'my_sec_cookie' );
    define('LOGGED_IN_COOKIE', 'my_logged_cookie' );
    define('TEST_COOKIE', 'my_test_cookie' );

    Sources:

    • https://wpcerber.com/turn-wordpress-into-fort-knox/
    • https://developer.wordpress.org/advanced-administration/security/hardening/
  • file permission

    Read more
    # before setup
    chown www-data:www-data  -R * # Let Apache be owner
    find . -type d -exec chmod 755 {} \;  # rwxr-xr-x
    find . -type f -exec chmod 644 {} \;  # rw-r--r--
    
    # after setup
    chown <username>:<username>  -R * 
    chown www-data:www-data wp-content
    

    Source:

  • Input / output

    Read more

    Never trust user’s inputs, even from admin or database.

    Validation checks an input over a list of requirements.

    in_array( mixed $needle, array $haystack, bool $strict = false ): bool
    ctype_alnum( mixed $text ): bool
    strlen( string $string ): int
    ...

    https://developer.wordpress.org/apis/security/data-validation/

    Sanitizing cleans a input, removing / transforming all unwanted piece of data.

    // For text inputs:
    sanitize_text_field( string $str ): string 
    
    // Use specific sanitazing functions like for e.g.:
    sanitize_email( string $email ): string

    https://developer.wordpress.org/apis/security/sanitizing/

    Escaping ouputs is the process of securing output data by stripping out unwanted data. It is best to do the output escaping as late as possible, ideally as data is being outputted.

    esc_html( string $text ): string // will remove HTML tags
    esc_url( string $url, string[] $protocols = null, string $_context = 'display' ): string
    esc_attr( string $text ): string
    esc_js( string $text ): string
    
    // escaping with localization
    esc_html_e( 'Hello World', 'text_domain' );
    // can become ->
    echo esc_html( __( 'Hello World', 'text_domain' ) );

    https://developer.wordpress.org/apis/security/escaping/

    Source: https://developer.wordpress.org/apis/security/common-vulnerabilities/

  • REST API /users/

    Read more

    To enumerate users :

    curl -L http://$1/wp-json/wp/v2/users

    To prevent this :

    add_filter( 'rest_endpoints', function( $endpoints ) {
    
        if ( isset( $endpoints['/wp/v2/users'] ) ) {
            unset( $endpoints['/wp/v2/users'] );
        }
    
    	if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        }
    
    	return $endpoints;
    
    });