How to harden your WordPress install (ssh)

jz — Fri, 23 Oct 2009 08:36:11 +0000

I figured out how to harden wordpress using ssh and some common sense.

I changed ownership (user) of the cache and uploads folder to apache by

chown apache uploads chown apache cache

to enable apache to write to it

chmod was set to more restrictive value of 755 each instead of easily
exploitable (as it happened on solarvps and zone.net) chmod 777

chmod 755 uploads chmod 755 cache

giving me the following structure

ls -l /wp-content/

drwxr-xr-x 2 apache psacln 60416 May 3 05:39 cache -rw-r--r-- 1 comh4x3d psacln 30 Nov 14 03:26 index.php drwxr-xr-x 83 comh4x3d psacln 3072 Apr 17 12:48 plugins drwxr-xr-x 9 comh4x3d psacln 1024 Apr 17 12:37 themes drwxr-xr-x 5 comh4x3d psacln 1024 Mar 25 07:04 upgrade drwxr-xr-x 3 apache psacln 8192 May 3 05:38 uploads

by that wordpress can upload files to the uploads folder and files can
be created in the cache folder.

to restrict the folders even more I added a
.htaccess file with chmod 644 each

vi .htaccess

for uploads:
Deny from all Allow from 72.249.95.104 # server IP address


Options -ExecCGI # disallow execution of below files

AddHandler cgi-scriptscript .php .pl .py .jsp .asp .htm .shtml .sh .cgi

# we dont want any dodgy pearl scripts or php to executed

Order Allow,Deny Deny from all # deny everything but the image and text files Allow from all

# deny opening those files Order Allow,Deny Deny from all

similar file for the cache folder, but instead of the image and doc
files only meta and html are allowed, make sure to remove html from
execcgi line

I hope you appreciate this article,

best,
julian klewes
h4x3d.com

h4x3d.com » harden

How to harden your WordPress install (ssh)