Friday, 28 October 2016

How to install a secure Wordpress CMS in a FreeNAS Jail

بسم الله الرحمن الرحيم




Abstract 


A tutorial to install a secure Wordpress CMS on a FreeNAS 9.10.1 Jail.


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Database Server Name: db.example.com
  • Database Type and Version: MariaDB v10.1.18
  • Database Server IP: 10.0.0.57
  • Database Username: n7if835 (random generated)
  • Database Password: TunTeR3MPzqHy1KD (should be randomly generated)
  • Database Name: n7if835 (random generated)
  • Database Table Prefix: 24686nj9po7_ (should be randomly generated)
  • Database Server has SSL configured and enabled.
  • Apache has already been installed.
  • php56 and the necessary extensions are already installed.
  • Apache Webroot directory: /usr/local/www/apache24/data/
  • Apache 'AllowOverride' set to 'All'
  • Wordpress Version: 4.6.1


Instructions


Environment Setup

- Create a database 'n7if835' with username 'n7if835' with all privileges (Data, Structure, and Administration) and password 'TunTeR3MPzqHy1KD'

- Enable mod_rewrite module in apache by editing the file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (177)   LoadModule rewrite_module libexec/apache24/mod_rewrite.so

- Install package wget to download wordpress archive
# pkg install wget

Install and Configure Wordpress

- Download wordpress from http://wordpress.org/latest.tar.gz
# cd /tmp
# wget http://wordpress.org/latest.tar.gz
- Unzip archive /tmp/latest.tar.gz
# tar xvf latest.tar.gz

- Copy /tmp/wordpress/ contents to webroot directory /usr/local/www/apache24/data/
# cp -Rfv /tmp/wordpress/* /usr/local/www/apache24/data/

- Goto https://www.example.com/ via web browser and follow the installation instructions.

- Enter the following Database details:
        Database Name: n7if835
        Username: n7if835
        Password: TunTeR3MPzqHy1KD
        Database Host: db.example.com
        Table Prefix: 24686nj9po7_

- Copy the generated code by wordpress installer into the file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php

- Click on the 'Run the Install' button and that will create the necessary database tables.

- Enter the following Site details:
        Site Title: www.exampl.com
        Username: webmin2001 (for security reasons don't use anything like 'admin')
        Password: (Enter strong password)
        Your Email: (your email address for this wordpress admin account)

- Enable Direct File System access by wordpress
# chmod -Rv 775 /usr/local/www/apache24/data/wp-content
- Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (40)    /** If you don't want to use FTP to add/delete/update plugins/themes then define this option. **/
   (41)    define('FS_METHOD','direct');

- Test by deleting and adding a plugin or theme.

Securing Wordpress

- Enable DB SSL Connection by Wordpress
Edit File /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (43)    /** Force Wordpress to use SSL connection to Database **/
   (44)    define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);

- Goto https://www.example.com/phpmyadmin via web browser and change the following details:
           Username: n7if835 SSL setting from 'REQUIRE NONE' to 'REQUIRE SSL'.
           Remove Administration Privileges for user n7if835

- Disable file editing for editing plugins and themes.
Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (46)    /** Disable File Editing **/
   (47)    define('DISALLOW_FILE_EDIT', true);

- Force SSL Logins and SSL Admin Access
# vi /usr/local/www/apache24/data/wp-config.php
   (49)    /** Force SSL Logins **/
   (50)    define('FORCE_SSL_LOGIN', true);
   (51)
   (52)    /** Force SSL Admin Access **/
   (53)    define('FORCE_SSL_ADMIN', true);

- Delete files 'license.txt' and 'readme.html' in the wordpress root directory and also 'install.php' in wp-admin directory because they are possible site security holes.
# rm -v /usr/local/www/apache24/data/license.txt 
# rm -v /usr/local/www/apache24/data/readme.html
# rm -v /usr/local/www/apache24/data/wp-admin/install.php

- Make the file /usr/local/www/apache24/data/wp-config.php only readable by user and group
# chmod 440 /usr/local/www/apache24/data/wp-config.php

- Move the file /usr/local/www/apache24/data/wp-config.php up one directory to prevent web users access.
# mv /usr/local/www/apache24/data/wp-config.php /usr/local/www/apache24/wp-config.php

- Disable php functions that are not needed (good practice if website is on a shared host).
# vi /usr/local/etc/php.ini
    (303)  disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

- Turn off expose_php in php.ini
# vi /usr/local/etc/php.ini
    (363)  expose_php = Off

- Disable opening urls as files
# vi /usr/local/etc/php.ini
    (831)  allow_url_fopen = Off

- Create .htaccess file in the wordpress root directory and write the following to prevent web directory browsing, user enumeration, includes directory access, hotlinking of images, and users from reading the wp-config file.
# vi /usr/local/www/apache24/data/.htaccess
    (1)    Options -Indexes +FollowSymLinks
    (2)  
    (3)    <IfModule mod_rewrite.c>
    (4)    RewriteEngine On
    (5)    RewriteBase /
    (6)
    (7)    # Enable Permalinks to work
    (8)    RewriteRule ^index\.php$ - [L]
    (9)    RewriteCond %{REQUEST_FILENAME} !-f
    (10)   RewriteCond %{REQUEST_FILENAME} !-d
    (11)   RewriteRule . /index.php [L]
    (12)
    (14)   # Prevent user enumeration
    (15)   RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    (16)   RewriteRule .* https://www.example.com/? [L,R=302]
    (17)   RewriteRule ^wp-admin/includes/ - [F,L]
    (18)
    (19)   # Prevent includes directory access
    (20)   RewriteRule !^wp-includes/ - [S=3]
    (21)   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    (22)   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    (23)   RewriteRule ^wp-includes/theme-compat/ - [F,L]
    (24)
    (25)   # Disable hotlinking of images with forbidden or custom image option
    (26)   RewriteCond %{HTTP_REFERER} !^$
    (27)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
    (28)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
    (29)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/example [NC]
    (30)   RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
    (31)
    (32)   # Disable XMLRPC
    (33)   RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]
    (34)
    (35)   # Restrict access to plugins and themes php files from unauthorised users
    (36)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    (37)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    (38)   RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    (39)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    (40)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    (41)   RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
    (42)
    (43)   # Prevent Script injections
    (44)   RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    (45)   RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    (46)   RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    (47)   RewriteRule ^(.*)$ index.php [F,L]
    (48)   </IfModule>
    (49)
    (50)   # Protect wp-config.php from user access
    (51)   <files wp-config.php>
    (52)   Require all denied
    (53)   </files>

- Prevent execution of php scripts in the uploads directory
# vi /usr/local/www/apache24/data/wp-content/uploads/.htaccess
    (1)    # Disable php file execution
    (2)    <files *.php>
    (3)    Require all denied
    (4)    </files>

No comments: