Securing Wordpress using mod_sec ?




Posted by OpenInternet-Vince, 08-22-2013, 01:41 PM
Been searching for a good set of mod_sec rules to harden wordpress installs. Are there any free ones out there?

Posted by p3durungan, 08-22-2013, 03:38 PM
The most basic security is to never install your WordPress with a hosting installer (Softaculous/Fantastico); the most secure installation is a manual one.

Posted by Vernard, 08-22-2013, 03:41 PM
Here is a good one to stop brute force attacks: http://www.frameloss.org/2011/07/29/...nst-wordpress/

Do elaborate please? I don't see how a Softaculous/Fantastico installation would make WordPress insecure. Not unless the host is refusing to update the script version, but even then the installers have an automatic updater.

Posted by serve-you, 08-22-2013, 08:27 PM
This is a ridiculous statement. The autoinstallers install it the same way you would do it manually.

Posted by zacharooni, 08-23-2013, 12:14 AM
+1 for OWASP-CRS

Posted by dragonvps, 08-23-2013, 04:30 AM
Auto-installation will use wp_ as the database prefix, and Fantastico will generate wrdp1, wrdp2, ... for the postfix. If an attacker finds a bug in your website, it will be easier to find your database name and take over your website. Sure, they have an automatic updater, but it never provides the latest WordPress version.

Posted by dragonvps, 08-23-2013, 04:35 AM
You can check Atomicorp. Sign up and you will get many mod_sec rules. Some of the rules are for WordPress hardening.

Posted by serve-you, 08-23-2013, 08:11 AM
I don't know about Fantastico (do people really still use that?), but Softaculous and Installatron are both usually updated within a day or so of a WP upgrade. Besides that, you can always update through wp-admin regardless of how it was installed. And let's be honest here, for those who install it manually, how many are actually deviating from the generic "wordpress" or "blog" DB names? Security by obscurity is great and all, but it's gonna take a lot more than knowing a default DB name to get in. ASL is awesome. OWASP as well.

Posted by monitorscout, 08-23-2013, 11:28 AM
You can check out the following article; I hope it helps you with what you are looking for: http://halfelf.org/2013/wp-login-protection-modsec/
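Both links above (the frameloss.org post in Vernard's reply and the halfelf.org article here) describe the same idea: count failed wp-login.php POSTs per client IP in ModSecurity and start denying once a threshold is hit. The fragment below is an added example of that technique written for this page; it is not the rule set from either linked post. It assumes ModSecurity 2.x running in Apache in front of WordPress, a writable SecDataDir (required for the persistent ip collection), and that rule IDs 10001-10005 are free for local use. The thresholds (10 failures, 3-minute window, 5-minute block) are illustrative.

```apache
# Added example for this thread, not the rules from the linked frameloss.org
# or halfelf.org posts. Assumptions: ModSecurity 2.x, SecDataDir configured,
# rule IDs 10001-10005 unused locally.

<LocationMatch "/wp-login\.php$">

    # Load the per-client collection; every rule below keys on the client IP.
    SecAction "phase:1,id:10001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

    # Client already flagged: refuse the request before PHP runs at all.
    SecRule IP:BF_BLOCK "@eq 1" \
        "phase:1,id:10002,t:none,deny,status:403,log,\
        msg:'wp-login.php brute force: %{REMOTE_ADDR} blocked for 5 minutes'"

    # Successful login: WordPress answers the POST with a 302 redirect.
    # Clear the failure counter so a user who mistyped twice and then got in
    # does not remain one mistake away from a lockout.
    SecRule REQUEST_METHOD "@streq POST" \
        "phase:5,id:10003,t:none,nolog,pass,chain"
        SecRule RESPONSE_STATUS "@streq 302" \
            "setvar:!ip.bf_counter"

    # Failed login: the form is re-rendered with HTTP 200. Count it, and drop
    # the counter 3 minutes after the most recent failure (sliding window).
    SecRule REQUEST_METHOD "@streq POST" \
        "phase:5,id:10004,t:none,nolog,pass,chain"
        SecRule RESPONSE_STATUS "@streq 200" \
            "setvar:ip.bf_counter=+1,expirevar:ip.bf_counter=180"

    # Threshold: more than 10 failures inside the window sets the block flag
    # for 5 minutes and resets the counter.
    SecRule IP:BF_COUNTER "@gt 10" \
        "phase:5,id:10005,t:none,nolog,pass,\
        setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:!ip.bf_counter"

</LocationMatch>
```

Two caveats before relying on this. If Apache sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so one attacker would lock out every visitor; restore the real client address first (mod_remoteip on Apache 2.4) or key the collection on the trusted forwarded header. And the LocationMatch only covers wp-login.php; WordPress also accepts a username and password over xmlrpc.php, which needs its own rule or should be blocked outright if nothing uses it.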

Posted by OpenInternet-Vince, 08-23-2013, 03:03 PM
Thanks for all the inputs. Not sure if brute-force login is the problem, but I am seeing a lot of exploits with malicious scripts being uploaded to the plugins dir.
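For the script-upload problem the OP describes, a WAF rule can do two things: refuse multipart uploads whose file name would be executed as PHP, and refuse web requests for .php files in the one WordPress directory that should never contain any (wp-content/uploads). The fragment below is an added example written for this page, not the Firewall 2 / Simple Wordpress Firewall plugin discussed later and not from any linked post. It assumes ModSecurity 2.x with SecRequestBodyAccess On (without it the FILES collection is empty) and that rule IDs 10010-10011 are free for local use.

```apache
# Added example for this thread, not a rule set from any plugin or linked post.
# Assumptions: ModSecurity 2.x, SecRequestBodyAccess On, IDs 10010-10011 unused.

# Reject any multipart upload whose client-supplied file name carries an
# extension Apache would hand to PHP. The trailing (\.|$) also catches
# double extensions such as shell.php.jpg, which mod_mime may still execute
# when PHP is bound with AddHandler.
SecRule FILES "@rx (?i)\.(php\d?|phtml|phar|pht|phps)(\.|$)" \
    "phase:2,id:10010,t:none,deny,status:403,log,\
    msg:'PHP file upload rejected: %{MATCHED_VAR}'"

# WordPress never serves its own PHP from wp-content/uploads, so a direct
# request for a .php file there is either a dropped web shell or a probe for one.
SecRule REQUEST_FILENAME "@rx (?i)/wp-content/uploads/.*\.(php\d?|phtml|phar|pht|phps)(\.|$)" \
    "phase:1,id:10011,t:none,deny,status:403,log,\
    msg:'Direct request for PHP under wp-content/uploads: %{REQUEST_FILENAME}'"
```

The first rule checks the file name only, so it stops the usual "upload shell.php through a broken plugin" case but not a plugin .zip that contains PHP; that is exactly what a legitimate admin upload looks like, which is why a compromised admin account gets through it. The second rule is deliberately not written for wp-content/plugins: some plugins legitimately serve PHP files directly from there, and a WAF cannot tell those from a dropped shell. For the plugins directory the controls live on the WordPress side: define('DISALLOW_FILE_MODS', true) in wp-config.php so the dashboard cannot install or edit plugins at all, file permissions that keep the web server user from writing to wp-content/plugins, and a file-integrity check that flags any new .php file there.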

Posted by WPCYCLE, 08-23-2013, 03:06 PM
Wow. WordPress done with auto-install is a key to a hack, BUT manually installing the same way as the auto script is the same thing... the whole point of doing it manually is to change the defaults. Auto-installs, as some have mentioned, set up databases as wp_ and sometimes set up the user as "admin"... script kiddie playground. There are many practices out there to make it more secure, but it does come down to the user's/installer's knowledge and willingness to make those changes from day one. And for the OP: firewall plugins, login lockdown, secure .htaccess rules, avoid TimThumb themes, wp-login attack protection (the host could have this in place from the attacks in May, or you could use the botnet attack plugin), etc. Nothing is 100% hack/exploit proof, but doing all the steps will make it much harder to get through, to the point of giving up and moving on.

Posted by WPCYCLE, 08-23-2013, 03:09 PM
Try Firewall 2. It will block those attacks. I see them all the time. Although that plugin is 2-3 years old, it does the job. There is a newer version (Firewall 3, or a fork of 2) that I came across. The name slips me, but it should function the same and is recent. For brute force, the BotNet Attack plugin, or talk to the host. Many hosts have put measures in place to protect from those attacks.

Posted by OpenInternet-Vince, 08-23-2013, 06:55 PM
Thanks, looking into Simple Wordpress Firewall.

Posted by brianoz, 08-24-2013, 05:55 AM
This is, unfortunately, completely wrong. As far as I know, most autoinstallers change the table prefix when they install, which is what I think this poster is trying to get at. I don't think any of the autoinstallers do all the hardening tricks; you're better off using Better WP Security to do them, and Wordfence to keep your site safe. The basic tricks are: change the admin username; change the admin uid from 1; change the DB table prefix; ensure the wp-config.php is mode 600. Most hacks aren't yet sophisticated enough to bypass these, so they currently work really well, but unfortunately it's just a matter of time.

Posted by ChronicMusic, 08-25-2013, 07:09 PM
It's well worth installing as stated above. What do people think of Sucuri's plugin btw, is it worth installing?

Posted by RRWH, 08-25-2013, 11:25 PM
This might be the post of the week! Now, last time I looked, which was a few minutes ago, Softaculous, which is a script auto-installer, gives a user-configurable option for the basics of the install. You might be shocked to know that you can select the DB name (who would have guessed!), the table prefix (the default value is wp_, but nothing stops anyone from changing it), yes, you can even change the admin account username (shock horror! - but it defaults to admin), and guess what, you can even set the password for the admin account! And it looks like there is an option to install a plugin to limit login attempts as well, right at the time it is installed. Yep, it sets up the database username and password (OK, a little weak in setting the DB password, as it is only 10 chars long and there is no option to select the password length/complexity, but at least it is not blank). While not perfect, it is far from the train-wreck of an insecure install out of the box. While it does not go far enough, it is a pretty good start and gets you part way there already on the best practices.


