How to Secure WordPress | HackerSploit Linux Security

Captions
Hello everyone, welcome to the Linux server security series. In this video we're going to be taking a look at WordPress security, and we'll be taking a look at it from the ground up: from setting up your server and how to do it securely, then securing the various web server technologies like Apache by default, and finally ending off by taking a look at how to secure WordPress, the web application of course. So we'll be taking a look at all the various configurations that need to be made, the various plugins to install, and some general best practices that are recommended.

So what I'm going to do is just fire up a quick Linode right over here, and of course we can actually set up a WordPress server directly using the Marketplace. So again I'll just click on WordPress here; that's the latest version. Always ensure that your WordPress installation is updated and has the latest version running.

When we talk about the options we can specify immediately right over here, number one is going to be your email address. This is where security actually begins, believe it or not. Now some of you might be wondering why and how exactly that is. Well, number one, when it asks for your email address, of course you want to use an email address that you use regularly. That's very important, primarily because all your WordPress notifications are going to be sent via email, and they'll all be sent to this email that you specify here. Secondly, all security notifications or any other important system-based notifications will all be sent to this particular email, so it's very important that you use an email that you have frequent access to, because you'll be getting a lot of important notifications regarding the users being logged in. You can actually configure what gets sent to you, but that's very important. So in my case, because I'm not going to be using this website (I'm just showing you how to secure it), I'll just specify the email as user@user.com.

As for the admin username, you want to make sure you use something as clandestine as possible. Do not use the username admin. The reason you don't want to do that is because attackers will always target the admin username, because it's usually selected by default on default WordPress installations. So you want to use something as clandestine as possible; in my case I can just use something like hackersploit, and of course that's just for me.

Okay, for the admin password, what I recommend doing is... you can type in a password that you remember or that you recall, but that's not a very good practice when it comes down to security. It's always recommended that you use a password generator to actually generate your passwords. So what you can do is, if I go into google.com here and look for some Mozilla add-ons (that's primarily because I'm using Mozilla Firefox; you can look for Chrome extensions if you're running Chrome), I'll just open up the add-ons page here. What you want to look for is a password generator. Sorry about that, I need to actually click on the search box. So, password generator, there we are, and you want to click on Secure Password Generator. I already have it installed right over here. Your Secure Password Generator will allow you to generate secure passwords based on various variables. Number one, you can specify your password length; I recommend a password length of 12 all the way up to 15 or 18. In my case I'll just stick with 15.
You can then specify both uppercase and lowercase (in my case mixed case), digits, other special characters or symbols, and all I need to do is just hit Generate Password. It generates it right over here and I can then copy it, and there we are. So that's what I actually recommend when generating your new passwords.

The second thing I recommend you do, and this is something I recommend you actually integrate with your workflow, is to use a password manager. So you can search for KeePassXC; this is just one example, and this is the password manager that I use. A password manager stores and encrypts your passwords for you. This is a much better alternative to actually noting down your passwords within a notepad or a Word document, or actually physically writing them down. The great thing about your password manager is it actually encrypts your passwords with one master password, and of course you can then very easily list out all your passwords in one place and have them conveniently and securely stored there.

So I'll just copy that password here and I'll just put it in here: the username we specified was hackersploit and the password is going to be as follows, so I'll just make sure I save that right over here. I'll just copy this password and we'll put it right over here within the admin password. For the MySQL root password I recommend generating a new one. You never want to have the same password used again, especially on your server. Never reuse passwords, because if one account is compromised and the attacker is able to get the password for that particular account, they can then use that same password to get access to the other services. So actually, never reuse your password. For MySQL I'll just note that down over here, root pass, and I'll just paste that in here; of course I'm just doing this so I actually have all of this information in front of me. For the WordPress database I recommend just using the same as the MySQL root password; that's perfectly fine.

For the website title I'll just call it WordPress Security. Now I'm not linking this particular site to any domain. If you are going to be setting it up or linking it to a domain, which I'm guessing you are, I recommend using or changing your DNS provider to Cloudflare. The reason I recommend using Cloudflare is primarily because they provide you with DDoS protection and domain security, and they also proxy your traffic to the website, and what that means is an attacker cannot perform reverse DNS resolution from the domain name and get the server IP address. So if you are setting up your website I recommend using Cloudflare. You can just perform a quick Google search for it; it's absolutely free for your websites right over here. So again, if this is your first time hearing about Cloudflare, it allows you to just set up your DNS much more securely, and one of the key features that is very helpful is it prevents reverse DNS resolution.

Okay, for the image we'll stick with the default Debian 10, for the region we'll just use Atlanta, and for the Linode plan we'll use a Nanode 1 GB, 1 CPU. For the WordPress label I'll just say, we'll just call it wordpress security right over here, and I'll put in my root password for the server and we'll just create and provision this Linode. So I'll just wait for this to complete creating, after which we can actually get started with the necessary steps to securing the server. We'll then take a look at securing Apache, because that is the default configuration that the WordPress Linode actually comes with. If you want to learn more about Nginx security you can check out the YouTube series that was actually a prelude to this particular series, and you can learn more about that there. Then we'll move on to securing WordPress. So I'll just wait for this to complete.

All right, so it looks like the Linode is created, so we can actually just copy the
IP here and we can try and load that up. So if we try and open up the IP on port 80, you can see we have the WordPress website set up. The first thing we want to do is log in to the admin panel, so we just use the WordPress admin page here and that'll take us to the login prompt, and we'll just put in our username and password. So the username was hackersploit and the password right over here, and we'll log in (I don't want to save that) and that's going to take us to the dashboard.

At the same time we want to actually log into the server, so ssh root@... let me just copy the IP, because I'd copied the password. I'll just put that in here and we can then hit Enter, and it looks like I need to get rid of one of my keys, or I can remove it using this command here. So I'll just do that now and we can then try and log in again. I'm just going to hit yes, put in my password, and we can then update my packages, so apt update, and I also want to upgrade all my packages. It's always a good practice to ensure that all your repositories are updated and your packages are upgraded, so I'll just wait for this to complete upgrading.

All right, so the packages have been upgraded. We can now move on to the web server. We'll just head over to WordPress here and go to the admin dashboard, and we can get started with our initial security configurations. Now, in my case I'm not setting this up on a particular domain; however, you can already see we haven't configured HTTPS, and again that's because I haven't linked this IP address to a particular domain. Now if you use Cloudflare you'll actually get an SSL certificate set up for you. It is recommended that you use something like certbot if you don't have an SSL certificate; however, with most domains that you purchase and most domain providers you should actually be provided with an SSL certificate. If that's not the case you can use certbot for Apache, and installing certbot for Apache is really very simple. What this allows you to do is just generate SSL certificates that will expire within three months, and it actually renews them automatically.

Now to install certbot you can just search for it with apt (apt install apache... we're looking for certbot). If you're currently running this on Debian you should actually just find it under the package name certbot, and if I just hit Enter that should install it. I'll just hit Enter, there we are. Once we've installed certbot we then need to install python-certbot-apache, and then I'll show you how to activate an SSL certificate for your domain. Okay, so we then need to run apt install python-certbot-apache. Right, so there we are, hit Enter, and we can then get started.

So if you have linked your WordPress server to your domain, all you need to do is say sudo certbot, and you then specify the web server technology you're using, in my case it's going to be apache, and you then specify the domain that you want to install this SSL certificate for; in my case an example would be something like hackersploit.org. Then all you need to do is hit Enter and that's going to generate your SSL certificate for you. In my case I haven't linked this IP address to this particular domain within my DNS server, so again it'll not actually activate, because what certbot will actually do is perform authentication and see if this particular server IP corresponds to that domain name, and after that is established it'll install an SSL certificate. So that's something that you should ensure you have: all your websites should have an SSL certificate and should have HTTPS set up. In my case of course we're just going to have to improvise, because I'm not setting it up on a domain. So that's the first step: ensure that you have adequate DNS protection and an SSL certificate installed. The second thing you
want to do is enforce a strict, secure password policy for all your users on the system. So again, if your WordPress website has more than one user, or is based on a registration model where you actually allow users to register and log into your website to get access to particular content, then you want to ensure that you actually enable or set up a secure password policy, and of course that's something that you'll need to inform your users of.

Secondly, if we go into Settings and General here, your general settings is where you can set up all valid information regarding the new user default role. So again, this is something that you want to make sure you set by default to Subscriber or Author based on your website. You never want to set up the default user role as Administrator; that's something you want to avoid at all costs. You can configure any other options regarding the website here; in my case there's nothing really interesting from a security perspective apart from the new default user role.

So let's move on to the next step, which is firstly ensuring that you have the latest version of WordPress running. Most domain providers will allow you to set up WordPress automatically; however, those versions are not going to be running the latest version because they use installer scripts, so ensure that you have WordPress updated. On Linode everything comes as the latest version, so you don't have to do that.

Now when we talk about account security, the first thing you want to do is set up two-factor authentication. By default we have these two plugins which we don't need, so delete any plugins you're not using; that's always a security risk. I'm going to add a new plugin here and we're going to search for 2FA; that is the plugin we're looking for. So, 2FA: this will allow us to set up two-factor authentication for our accounts. You can use any of these here; in my case I like using either one of these. Again, you can just take a look at the various options they provide you with. In my case I like using the 2FAS Light Google Authenticator, because I use the Google Authenticator application on my website, so I'll install that.

The second plugin you want to install is Loginizer. Now Loginizer is a brute force protection plugin that allows you to protect your login page against brute force attacks, so you also want to install that plugin. We'll also install the Wordfence Security firewall and malware scan, which allows you to set up a web application firewall to filter common attack forms within the OWASP list or vulnerability list, and it also allows you to perform malware scanning on your server. We'll also install that.

So I'll just take you through all the various plugins we need to install. If you're having issues with SSL, you want to just search for SSL here and install a plugin called Really Simple SSL. There we are, Really Simple SSL. What this will do is actually take you through your SSL configuration and ensure your website is actually set up correctly to use SSL. So again, once we've installed all of these plugins we can just go to Installed Plugins and activate all of them. We'll go into all of them and just hit Activate and apply that; that's going to activate all the plugins, and I'll just take you through the configuration really quickly.

So for Wordfence, you want to specify an email address that you use frequently, and the reason I say this is because Wordfence will actually send you various emails regarding your security configuration and any security events, whether, you know, you're being attacked or your site has been infected with malware. It will also send you various security disclosures; for example, they usually have a newsletter that gives you a list of WordPress security vulnerabilities that have been
discovered, either for themes or plugins. So again, I'll just specify, in my case I'm just going to use user@user.com; make sure you use a legitimate email. I'll just hit Continue and it's going to ask you for a premium key. I don't want to upgrade to premium, that's perfectly fine, and we'll get to Wordfence shortly.

You can see, when I install the Really Simple SSL plugin, it's going to tell me it's failed to validate an SSL certificate. So again we'll just leave that as it is, because we're not running with this issue anyway.

If we go to Wordfence, I'll just open that up. Wordfence will just give you a basic dashboard here that will actually display your current security status. Your web application firewall is currently in learning mode. The reason it's currently in learning mode is because it's analyzing the types of traffic your website receives, what time it receives traffic, and it's sort of just building an understanding of what type of website this is in regards to the users that visit it and the frequency of these visits. So if we click on Manage Firewall (we'll just click on that really quickly; I don't want to spend too much time on this), I'll just hit No Thanks. So, your firewall options: you can configure them right over here. You also have brute force protection enabled, and you have the various options you can specify: the minimum amount of attempts before you want to lock out a user, lockout after how many forgotten password attempts, and of course you have the ability to count failures over what period of time. So again, if the user enters 20 failed attempts in the space of four hours you can then abandon or block them. I recommend changing this to something like 30 minutes, because most brute force attacks happen in very short bursts, so make sure you do that.

As for your malware scanner, it's always recommended that you run this at least probably once a month if your website is very active and involves users registering, submitting content, and so on and so forth. So that is Wordfence.

We then have Loginizer, which again provides you with brute force protection. I'll just get rid of all of these notices here. Within Loginizer it also provides you with other security recommendations that it would recommend you follow. One of them is regarding the file permissions: you can see for wp-config.php here it tells us to change the file permissions to 0444, so that means change it to a readable-only file so that no one can make changes to it. The reason being, the WordPress configuration file is where you actually control your WordPress configuration or set up specific options, and it's recommended that you always lock this file down. We don't have an .htaccess file yet, so it's going to tell us the actual permissions are 0; that's perfectly fine. So again, with Loginizer Security you can take a look at your brute force protection. You also have two-factor authentication with this particular application, and you can use this if you want to. You also have the ability to set up a CAPTCHA on your login page; however, this will require your Google site key from Google, because Google actually controls CAPTCHA, so ensure you get the key and enable it here. That'll also prevent brute force attacks on your site.

Right, okay, so setting up two-factor authentication with 2FAS Light is very, very simple. All you need to do is download an authenticator application on your mobile phone, on Android or the Apple store, and then you scan this particular code here, and then it's going to give you your security code or your token. You enter that token in here and add that device, and what this will do is actually set up two-factor authentication on your
website. So once you log in with your username and password, it's then going to ask you for your authentication token that's on your device alone, and without that token you'll not be able to log in. So that's very, very important, and this is something that many websites or website administrators overlook, but it can really prevent large-scale attacks on your accounts.

Right, okay, so that is a mouthful. We've talked a lot about some of the most important plugins to install; let's talk about, of course, taking backups. Now when we talk about taking backups, you know, there are multiple plugins that you can use to take backups. In my case I recommend not taking content backups alone, but actually cloning your website. So if I look for migrator, if I just search for migrator here, this is one of the plugins I use on my various websites, and I control about five WordPress websites that haven't been attacked yet, or haven't been attacked by malware. So you want to look for Duplicator, which I use quite a bit; I also use another plugin. If we just click on Duplicator here, Duplicator essentially does what it says: it duplicates your WordPress installation, and in the event your WordPress website gets taken down or it gets attacked by malware, you can easily just use your duplicated WordPress installation and clone it onto another server, and it will be exactly the way you left it. So when we talk about backups, it's recommended that you take at least weekly backups and then monthly backups, and so on and so forth. Ensure that you also take backups before you make any changes to your website, because I've seen many people, you know, take backups before they make the changes, or they take them after they've made changes and then those changes actually have issues and they cannot find a way of going back. I also recommend keeping redundant backups up to maybe one or two months. That is very, very important, so again this is the plugin I recommend for that.

As you can see, it handles updates very differently, as would something like Updraft, which actually just backs up your content. I've actually tried multiple times to restore data from Updraft and it hasn't worked at all; I haven't had any success with it, so I recommend using the Duplicator plugin. It really is very useful. In my case I'm not going to install it, but if I were to install it... I'll just show you how to use it really quickly. So I'll just hit Activate here and we can then move on to the next options that I want to configure.

So again, we can take a look at Duplicator here, and you can see all you need to do is just create a new package right over here. You give it a name and specify the storage; well, in my case, with the current plan (you can also subscribe to Duplicator Pro if you want), the current plan will store it on your web server, and then you can download the package or the archive. You can specify the various files you want to exclude or include, and then you specify the database right over here. Okay, so in my case we'll just stick to the default options. I can also specify a password for the installer to password-protect my backups, and then just hit Next. All right, and that is going to start the build process, so it's going to scan the website. There we are, the scan is actually complete, and it's going to give you a highlight or a summary of your current site's status and the backup status, and then all you need to do is click on Build. I'll just wait for this to complete building the package.

All right, so once the package is completed, just ensure you click on One-Click Download. That will download the archive and the installer file, which you put on your web server; it's a PHP file that will automatically allow you to upload the archive and then it'll handle the rest, so you don't need to
worry about any of that. So just click on the one-click download here and you should have your WordPress website in one package that you can then transfer to multiple servers, and this 100% will work.

That being said, let me just take a look at my terminal. We're currently logged in, so we can move on to the next step. Now the next step is going to involve... we'll actually add a new plugin. We need to actually prevent the RPC endpoint on WordPress, so we're looking for XML-RPC. Now XML-RPC is used currently by WordPress and is used by a ton of other plugins, so it's very important that you understand how this works. This is just your remote procedure call endpoint for WordPress, and you can see we have multiple plugins that will actually allow you to block XML-RPC attacks. Now when you talk about the types of vulnerabilities introduced by the XML-RPC endpoint, one of them is the ability to easily brute force your website, so you want to ensure that you disable or stop XML-RPC attacks. Again, if your plugins require it then just keep it enabled. Of course I'll just use Stop XML-RPC Attacks and we'll hit Activate, and we can then just go into Settings, and actually I think it's within Tools, the XML-RPC plugin. Where is the configuration for that? It should actually be somewhere here. All right, so with this particular plugin it will actually just block them completely. The other plugin that I was using before, which actually does not work with WordPress 5.0, allowed you to configure certain options. So again, just taking a look at the brief description of what it does: it will actually secure your site's XML-RPC endpoint by removing some methods instead of disabling XML-RPC totally, which again, as I said, is used by plugins; an example of these plugins is going to be Jetpack and some mobile applications. So again, that's something you want to keep in mind or in consideration. So that's the XML-RPC endpoint.

Let's take a look at one more important plugin that I really recommend you have. This is something that is really very important when you run a WordPress website that has a lot of traffic, one that has a lot of other users on the system, and that is the audit log. Right, now when we talk about security in a general sense, a key component of security is the ability to audit certain actions on a system, and through the audit log you're able to establish a sense of responsibility for these actions. You want to click on WordPress Audit Log; that's the application right over here, and we'll just click on that and activate it as well. All that this plugin will do... you can see it's going to tell you "Thank you for installing WordPress Audit Log, do you want to run the wizard?" I'm going to hit Yes, and it's going to take me through the wizard. This wizard will help you configure the basic plugin settings. I'll hit Start, and it's going to say "please select the level of detail for your WordPress activity log". So if you're an advanced user who understands how to read logs you can specify, sorry, the Geek level; if you're not an advanced user you can just hit Basic, and this will give you a high-level overview of all the activities that are being performed on the server. So if someone deleted an image, if someone added a new post, if someone updated a post, all of these will actually be logged. If you specify the Geek option you'll actually get traffic logs telling you, hey, someone visited this unknown URL on the website, or they tried to access a web page that doesn't exist; it'll give you all of that information. So I'll just click on Next. I'm a geek, so I will click on that. Then it's going to say, "do you want your users to use other pages to log into your WordPress other than the default login page?" I'm going to hit No, because we are only going to be
using the default one; you can change that if you want to. "Do you want to keep a log of non-logged-in visitors' requests to non-existing URLs?" I recommend hitting No if your website gets a lot of activity and you don't have a registration model. So again, that's entirely up to you. "Can visitors register for a user on your website?" I'm going to hit No; if they're allowed to, hit Yes. For log retention I recommend keeping 12 months, or you can keep all data, but do note that the more the traffic, the bigger the logs and the more storage they'll occupy. I'll hit Next there and that should be it, so I'll just click on Finish. If we click on the WordPress Activity Log and click on the Log Viewer, that will actually give you a log of all that is currently going on on this particular WordPress website. You can see it lists it out here in the form of the ID, the severity, the date, the user, the IP address, the object, the event type, and then it gives you a message here; in this case it tells us that we installed the plugin WordPress Security Audit Log. So again, that's a very, very important plugin that I recommend everyone install on their WordPress website.

Right, okay, we can now move on to some more interesting aspects of WordPress security, and that is working with the web server technology, and in our case that's going to be Apache. So let's go back into our terminal, and the first thing we want to do is go into the default directory. So if I list out ls -al /var/www, it looks like we have the wordpress directory. Within the wordpress directory we are looking to first of all change the permissions for the wp-admin... we will actually talk about wp-admin shortly, but the WordPress configuration file, so that's wp-config right over here, and then we'll take a look at wp-admin shortly. But before we do that let's actually go into that directory, so cd /var/www and we'll go into wordpress, like so, and we can then list out all the files within here.

Okay, interesting. Within this particular directory you can actually view the various permissions right over here and the owners. Ensure they are all owned by www-data, or the web server system or web server service account; in our case you can see it's www-data, which is perfectly fine. We don't want these files being owned by a user with administrative privileges.

So the first thing we want to do is disable file editing, and this will prevent any files like the theme files from being edited or configured, and this will typically prevent defacement attacks or attacks that actually involve injection of code into your WordPress website. So we'll just use the vim editor and we'll open wp-config, and I believe, yeah, wp-config.php, and we'll open that up. It already has its own configurations, and in here you can see the important information I was referring to when I was talking about keeping this particular file as secure as possible: it has the database password in here. So again, you can just look for an area where you can insert this particular line of code; in my case I'll just enter it right at the bottom. So to disable file editing, all we need to do is use define. We can set a comment here, so we can say this is going to disable file editing: "disable file editing" right over here, and we can then close the comment. I'll just get rid of that and we can get started by entering the code. So we are going to say define, and we're going to say DISALLOW_FILE_EDIT; make sure that is in uppercase, so DISALLOW and we then specify underscore FILE_EDIT, like so, and we then set the value to true. In my case I'll just use a single quote here and we'll then use a
comma, so end the quote, comma, and we set the value to true; in my case I'll just use lowercase here, so true, and that's going to disable file editing. We then close that up and end it with a semicolon. So that will disable file editing.

The next thing we want to do is change the permissions of the wp-config file to readable. In this case you can see it is actually writable, so we'll actually change this and say chmod 0444 (that was the recommended permission that we were supposed to set) wp-config, but of course we will still be able to edit it because we actually have root access. So if we try and reload the website (I'll just try and open that up in a new link), we can see that everything works out fine. If we go to Loginizer Security and the dashboard we can actually take a look at the file permissions here, so you can now see that everything is set according to the suggested permission levels. We then have the .htaccess file, which we will be creating shortly. So that's the first step.

The next thing we can do is actually secure the wp-admin or the WordPress login page using authentication with Apache. So in addition to having the login or the ability to log into the server, if your website does not have a user registration system, or your website is simply just a blog where users can just view the web page and they don't need to log in or sign up, then it's recommended that you secure your WordPress login page, because you're the only one that's going to be logging into it. To do this, as we covered within the Linux series on YouTube when we were talking about securing Apache, the first thing we need to do is take a look at the Apache configuration file. I'll do that right now, so we take a look at the Apache configuration file under /etc/apache2, and we're looking for apache2.conf, and we hit Enter. If we take a look at it right over here, we can see we have the default... I'll just go to the directories. We have the default directory, which is under /var/www, and we can also create one for the wordpress directory, but what I'll be doing is putting everything within an .htaccess file. So we will actually just stick within this particular directory and we'll just say vim .htaccess and hit Enter, and within this particular file is where we can start specifying our options.

The first thing we want to do is disable file or directory listing, which again should be disabled by default. If I click on this and I go to wp-content and uploads and hit Enter, you can see directory listing is currently enabled. So we want to get rid of directory listing, and the reason we want to get rid of it is because it actually allows users to check out the uploads directory and view any uploads on the server. This was again covered within the Apache security video. So we want to disable that. To disable that we simply say Options and we use the Indexes option, so we are saying Options -Indexes; that will get rid of indexing. We can then save that and we say systemctl restart apache2, and we'll just let that restart the service. Hit Enter, we can then reload that and we'll just see if that gives us access. There we are, we can then say wp-content (sorry, not wp-admin, but wp-content) and uploads right over here, hit Enter, and you can now see it tells us you don't have permission to access this particular resource. So that is set up correctly, fantastic. If you want to learn more about Apache security you can check out the Linux series on YouTube that covers some more advanced options there. Okay, so that was how to set up or disable directory listing and indexing. So we were talking about the actual login
page so if i just log out here and whatever you use it's always going to redirect to wordpresslogin.php if you have a website that does not have users logging in and it's only you that's going to be logging in what you can do then is try and secure this using apache and we already talked about authentication using apache all is very very simple what we'll do is we'll create our we will use hd password and to do this i'll say apt install apache utils and i think it's apache 2 utils i believe so that's already set up and installed so we'll use the hd password command um to actually generate it so hd password uh and we'll save it within the um we'll save this within the apache directory so we'll say etsy apache two and what we'll do is we'll we'll just call it hd password and the user will specify is hacker exploit and just hit enter it's going to ask us to provide a password so i'll provide the password here and that's going to add it to this to the hd hd password file uh right over there within the hc apache 2 directory right okay so now that we've done that we now need to go into the wordpress admin directory which is we will put in our new htaccess file if we list this this is these are just admin files so we'll just create a new hd access file right so so like so so hd access like so and um what i will do now is uh we will put in the following options so number one we are specifying the auth name so the auth name is simply just going to be the name of the authentication we'll just say admin uh login just a simple message we then need to specify the auth user file so auth user file will be equal to the directory so etsy apache two and we then say hd password so we then move on to the um auth group file we don't have an auth group file we can then say auth type is just going to be basic so auth type is going to be that of basic and we then specify the require option so we're going to require a valid user that's very important so valid user and we'll save all of 
this now and we can then restart apache or the apache service so i'll just hit restart there we are and if we now try and access this uh we should actually be prompted to firstly enter authentication for apache and then we'll be able to to actually log in so this is almost like three-factor authentication if you set up your authenticator application with google or you set up two factor authentication so we log into this first so hack exploit and then we put in the password like so and then it's going to ask us to log into wordpress and then it's going to ask us for our security token from our authenticator application on our mobile device so that's something that i really recommend um okay the next thing we need to do is we need to disable a php code execution now the important thing here is or the reason why we need to do this is because if if a user is able to upload a php or a php file that could potentially give them access to the web server through the form of a reverse shell we need to disable php execution within particular folders of interest one of these folders is the uploads folder which you actually saw was able to be accessed uh through the directory listing vulnerability um so if we list out the the actual folders within here you can see we have the wordpress um the wordpress content folder and uh we then have the uploads directory under that so we're going to go into wordpress content right and this directory here is very important because all user data from uploads from themes and plugins will all be stored in here uh right so we want to go into the uploads directory and we want to disable it there the reason i'm saying that is because within the other directories you can see they actually have php files so we we don't want to disable php code execution uh you know for legitimate files or for actual actual files that are required by wordpress so we'll upload it i will just say vim and we'll just say hd access right over here and we'll just put in 
within this and we'll save files we'll just create a tag here so files and we specify the file type which is we'll just use the wildcard denoter so php and we then say deny from all so deny from all that is going to prevent any php file from being uploaded here um so we just say files like so and that is going to again as i said prevent any php files from being uploaded regardless of whether uh you've protected your site or disabled php uploads uh in that case uh that being said that's pretty much all of the options that you need to configure regarding your web server in this case it's apache uh you can also set up authentication for any other wordpress web pages or any other aspects of the website that you need to secure you can do that using the auth settings that we set up so your hd access file is your is your best friend uh however if we go back and we try and log in here so i'll just say accusploit and we always want to take a look at the file permissions and we'll just uh get the password for the login page here or the admin account and i'll just hit login i don't want to save the password uh we want to go to the loginizer plugin so again we'll just wait for this to log in there we are it's taking us to the dashboard we're going to loginizer security and we want to go into uh well we want to actually just check out the dashboard here so we also have the ability to set up file checksums so you can see the htaccess permissions are currently set to o644 you want to make sure they're only readable not writable because attackers can change these configurations so let's start off with this one so chmod zero four four four and we specify htaccess here and we then go back and into the wordpress admin directory because we had actually created one there so wordpress admin and we then change that so chmod zero four hundred actually zero four four four and we set the hd access file here hit enter we're gonna go back in to the uh directory here and into the root 
directory and also change that one more time so zero four four four and we change the permissions for the htaccess file if we reload this we should be able to see that the permissions have been changed and they are all matching the suggested file permissions which is excellent so uh we should we are pretty much we are pretty good from that and all of these plugins that i've shown you uh that i've actually showed you to install are extremely vital in keeping your wordpress site running securely and of course when you talk about up when we talk about backups i recommend duplicating your website as opposed to actually backing up content because uh as you'll see uh there's a lot of aspects to to your wordpress site one of them being the database and it's better to take what i would like to call a snapshot so a just capture all the data from the from the database from your from your wordpress website just completely copy everything including the configurations and you can then clone the this particular website on multiple servers without any issue that being said that's going to be it for this video and i'll be seeing you in the next video [Music] you
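The steps walked through above (DISALLOW_FILE_EDIT, Options -Indexes, Basic auth on the admin area, no PHP under uploads, read-only config and .htaccess files, www-data ownership) collected into one idempotent shell script. This is an added example and not code from the video or from HackerSploit; the docroot /var/www/wordpress, the password file /etc/apache2/.htpasswd and the account www-data are assumptions passed in as arguments. It goes slightly beyond the video in three places, each marked in the comments: the define is inserted above the "stop editing" marker rather than at the end of wp-config.php (WordPress constants must be set before wp-settings.php is loaded), wp-login.php in the docroot gets the same Basic auth as wp-admin/ (the video's wp-admin/.htaccess alone does not cover the login form, which lives one level up), and admin-ajax.php is exempted from the auth so front-end plugin requests from anonymous visitors keep working. The uploads rule uses Apache 2.4's Require all denied and a regex that also catches .php5, .phtml and .phar.

```shell
#!/bin/sh
# Added example (not code from the video): the transcript's hardening steps
# as one idempotent script. Assumed paths/accounts are passed as arguments.
set -eu

# Append a single directive line to a file unless it is already there.
append_once() {
  file="$1"; line="$2"
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# 1. DISALLOW_FILE_EDIT: WordPress reads wp-config.php constants before it
#    loads wp-settings.php, so insert above the "stop editing" marker and
#    only fall back to appending when the marker is missing.
disable_file_edit() {
  cfg="$1/wp-config.php"
  if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then return 0; fi
  def="define( 'DISALLOW_FILE_EDIT', true ); // no theme/plugin editor in wp-admin"
  if grep -q 'stop editing' "$cfg"; then
    awk -v l="$def" '/stop editing/ && !ins { print l; ins=1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$def" >> "$cfg"
  fi
}

# 2. Docroot .htaccess: no directory listing, plus Basic auth on wp-login.php
#    (added here: the login form sits in the docroot, not under wp-admin/).
protect_docroot() {
  ht="$1/.htaccess"; pw="$2"
  append_once "$ht" "Options -Indexes"
  if ! grep -q 'wp-login.php' "$ht"; then
    cat >> "$ht" <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Admin login"
    AuthUserFile $pw
    Require valid-user
</Files>
EOF
  fi
}

# 3. wp-admin/.htaccess: Basic auth on the whole directory. admin-ajax.php is
#    exempted (added caveat): themes and plugins call it for anonymous
#    visitors, and a 401 there breaks the public site.
protect_admin() {
  ht="$1/wp-admin/.htaccess"; pw="$2"
  if ! grep -q 'AuthUserFile' "$ht" 2>/dev/null; then
    cat >> "$ht" <<EOF
AuthType Basic
AuthName "Admin login"
AuthUserFile $pw
Require valid-user
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
  fi
}

# 4. uploads/.htaccess: never serve PHP from the upload tree. The regex also
#    covers .php5/.phtml/.phar, which "*.php" would miss; "Require all denied"
#    is the Apache 2.4 form of the video's "deny from all".
protect_uploads() {
  ht="$1/wp-content/uploads/.htaccess"
  if ! grep -q 'FilesMatch' "$ht" 2>/dev/null; then
    cat >> "$ht" <<'EOF'
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
  fi
}

# 5. Config and every .htaccess read-only (0444), as in the video.
lock_permissions() {
  chmod 0444 "$1/wp-config.php" "$1/.htaccess" \
    "$1/wp-admin/.htaccess" "$1/wp-content/uploads/.htaccess"
}

# Print how many files under the docroot are NOT owned by the web server
# account; anything non-zero deserves a look (root-owned files especially).
check_ownership() {
  root="$1"; owner="$2"
  id "$owner" >/dev/null 2>&1 || { echo "no such user: $owner" >&2; return 1; }
  find "$root" ! -user "$owner" | wc -l | tr -d ' '
}

harden_wordpress() {
  root="$1"; pw="${2:-/etc/apache2/.htpasswd}"; owner="${3:-www-data}"
  disable_file_edit "$root"
  protect_docroot "$root" "$pw"
  protect_admin "$root" "$pw"
  protect_uploads "$root"
  lock_permissions "$root"
  bad=$(check_ownership "$root" "$owner")
  [ "$bad" -eq 0 ] || echo "warning: $bad file(s) under $root not owned by $owner" >&2
}

# Only act when given a docroot, so the file can also be sourced for its functions.
# Usage: sh harden-wp.sh /var/www/wordpress /etc/apache2/.htpasswd www-data
if [ $# -ge 1 ]; then
  harden_wordpress "$@"
fi
```

Create the password file first with `htpasswd -B -c /etc/apache2/.htpasswd hackersploit` (`-B` selects bcrypt instead of the default apr1-MD5), keep it outside the docroot as the video does, and restart apache2 afterwards. Two checks worth doing before trusting the result: the `<Directory>` block for the docroot in apache2.conf must have `AllowOverride All` (Debian's default for /var/www is `AllowOverride None`, under which every .htaccess above is silently ignored), and the site must be served over HTTPS, since Basic auth sends the password base64-encoded on every request. Running the script a second time changes nothing, which is what lets it sit in a provisioning or cron job.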
Info
Channel: Linode
Views: 1,367
Rating: 5 out of 5
Keywords: linode, linux, cloud computing, alternative cloud, linux server, open source, sysadmin, wordpress security, wordpress security 2021, wordpress security without plugins, secure wordpress vps, linux wordpress security, wordpress security tutorial, wordpress security best practices, securing wordpress website, wordpress sysadmin security, wordpress security audit, wordpress security tips, wordpress security plugins, how to secure wordpress website, wordfence security plugin
Id: OlMpaKz0Op8
Length: 44min 4sec (2644 seconds)
Published: Mon Apr 05 2021