How to sanitize and reset all WordPress user accounts with linux shell scripting and wp-cli

Hello! There are several key best practices for dealing with a security intrusion, including, but not limited to, restoring from backups onto a clean server. In this article I will go over how to create an automated shell script that performs the following actions across multiple WordPress sites on your Linux server:

1. Sanitize user and group ownership and permissions
2. Sanitize the WordPress core admin and include files
3. Update WordPress core
4. Update all installed plugins
5. Iterate through all WordPress user accounts and reset their passwords

These actions can form part of a broader security policy for shared hosting environments where you host multiple WordPress sites. I will touch on each item, including the shell script snippets required to implement it. At the bottom of this article I will share the entirety of the shell […]
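
The five steps above, as an added example built from wp-cli. This is not the article's own script; it assumes wp-cli is on PATH as `wp`, that each site is a directory passed on the command line, that the first two arguments are the web server's user and group, and that the standard wp-cli subcommands (`core verify-checksums`, `core update`, `plugin update --all`, `user list`, `user update`, `user session destroy`) are available.

```shell
#!/bin/sh
# Added example, not the article's own script: sanitize-and-reset routine
# built from wp-cli.  Assumes: `wp` on PATH, one directory per site, and the
# web server's user/group given as the first two arguments (e.g. www-data).
set -eu

WP="${WP:-wp}"      # wp-cli binary; override with WP=/usr/local/bin/wp
PASS_LEN=32

# Random password of PASS_LEN characters drawn from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*_-' </dev/urandom | head -c "$PASS_LEN"
}

# 1. Ownership and permissions: directories 755, files 644, wp-config.php 600.
#    Nothing under the docroot needs the execute bit; php-fpm reads .php files,
#    it does not exec them.
sanitize_perms() {
    dir=$1
    owner=$2
    group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ -f "$dir/wp-config.php" ]; then
        chmod 600 "$dir/wp-config.php"
    fi
}

# 2-4. Compare core files with the WordPress.org checksums for the installed
#      version (lists modified or added core files), then update core and all
#      plugins.  verify-checksums does not cover wp-content/, so themes,
#      plugins and uploads still need a separate review.
refresh_core_and_plugins() {
    dir=$1
    if ! "$WP" --path="$dir" core verify-checksums; then
        echo "WARNING: core files in $dir differ from upstream; review before trusting this install" >&2
    fi
    "$WP" --path="$dir" core update
    "$WP" --path="$dir" plugin update --all
}

# 5. New random password for every account, then destroy its sessions so a
#    cookie the attacker captured stops working.  Prints "ID<TAB>password" so
#    the operator can hand credentials out over a separate channel.
reset_all_passwords() {
    dir=$1
    for id in $("$WP" --path="$dir" user list --field=ID); do
        pw=$(gen_password)
        "$WP" --path="$dir" user update "$id" --user_pass="$pw" --skip-email >/dev/null
        "$WP" --path="$dir" user session destroy "$id" --all >/dev/null
        printf '%s\t%s\n' "$id" "$pw"
    done
}

main() {
    owner=$1
    group=$2
    shift 2
    for site in "$@"; do
        echo "== $site" >&2
        sanitize_perms "$site" "$owner" "$group"
        refresh_core_and_plugins "$site"
        reset_all_passwords "$site"
    done
}

# Runs only when invoked with arguments, e.g.
#   sh wp-sanitize.sh www-data www-data /var/www/site1 /var/www/site2
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Two caveats before running this on a compromised host. wp-cli boots the site's PHP, so any backdoor in wp-config.php or an mu-plugin executes with the privileges of whoever runs the script; run it as an unprivileged user (wp-cli refuses root without `--allow-root`) and preferably after restoring a clean copy. Owning every file by the PHP worker's account, as step 1 does, also lets that worker rewrite core files; a stricter layout owns the tree by a deploy user and grants the worker write access to wp-content/uploads only.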

How to block your WordPress site from being scanned by WPScan with Nginx

Hello! First and foremost, why would you want to block WPScan from probing your site? We all know that security through obscurity is bad practice. That said, the risk of malicious activity against your site is undoubtedly heightened by the many points of information disclosure that are freely available to parse and organize into an accurate security risk assessment of your WordPress site. This information is easily obtained with automated scanners like WPScan. Tools like this check for version tags in readme files, file-size fingerprints and meta tags to determine not only the version of WordPress you are running but also the version of each plugin you have installed. Why is information disclosure bad? Some would argue it is not. Others would point out that a 0-day vulnerability in WordPress core or a plugin could mean that minutes and hours of circumvention or lowered risk […]
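
The fingerprints described above, and what can be done about them in nginx, as an added example that is not the article's own configuration. It is a server-block fragment assuming a stock WordPress layout under the server's root; place it above the generic `location ~ \.php$` block so the regex locations here win.

```nginx
# Added example (not the article's own configuration): remove the cheap
# fingerprints WPScan reads and reject its default User-Agent.

# WPScan's default User-Agent is "WPScan v... (https://wpscan.com/...)".  The
# operator can swap it with --random-user-agent, so this is a speed bump for
# lazy scans, not a control.
if ($http_user_agent ~* "wpscan") {
    return 444;    # close the connection without sending a response
}

# Do not advertise the nginx version in headers and error pages.
server_tokens off;

# Version-disclosing files WPScan requests: core readme/license and every
# plugin's readme.txt (its "Stable tag:" line gives the plugin version).
location ~* ^/(readme\.html|license\.txt|wp-config-sample\.php)$ {
    return 404;
}
location ~* ^/wp-content/plugins/[^/]+/readme\.txt$ {
    return 404;
}

# Username enumeration (wpscan -e u): the REST users route and ?author=N
# redirects.  Caveat: the block editor's author selector also uses this REST
# route, so exempt logged-in users if your editors need it.
location ~* ^/wp-json/wp/v2/users {
    return 403;
}
if ($args ~* "(^|&)author=\d+") {
    return 403;
}

# XML-RPC is WPScan's preferred brute-force channel (system.multicall lets it
# try many passwords per request).  Disable it unless Jetpack or the mobile
# app needs it.
location = /xmlrpc.php {
    return 403;
}
```

What this does not hide: WPScan also fingerprints the core version from hashes of static assets under wp-includes/, and those cannot be suppressed without breaking the site. The fragment raises the cost of a drive-by scan; keeping core and plugins patched is still what closes the 0-day window the post goes on to discuss.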

How to protect WordPress media files and only allow the users who uploaded them to view

Hello! In the past we have written about how to protect your WordPress media files. In those exercises we set a session cookie containing encrypted details that could be read and validated at the HTTP service (i.e. nginx) as well as at the application (PHP/WordPress) level. Since then we have refined this process to be much more secure, flexible and efficient. We have abandoned cookie validation for verifying the request before serving it and replaced it with a slightly more complicated but much more secure method. Before getting into the details, why would we want to protect WordPress media files? The answer obviously depends on what sort of site you have and what you are trying to do. In our scenario, which isn't necessarily unique, we have end users who register for an account in order to check out of a Woocommerce store. We […]

WordPress Woocommerce plugin to disable payment methods based on zip or postal codes

Hello! Woocommerce is a great, easy-to-implement and versatile e-commerce platform. With its robust development community, extending the core functionality is relatively straightforward thanks to the wide assortment of third-party plugins available for Woocommerce. One thing we felt was missing, though a simple requirement, was the ability to manipulate the payment methods available based on the customer's zip or postal code. This means that under certain conditions the end user sees a tailored list of payment methods. The system also needs to "remember" the user, and thus the payment methods available to them, even if they come back later to purchase with a different postal or zip code. Why is this necessary? There could be many justifications for this type of behaviour in Woocommerce. If you are offering products and services to customers on a national […]

Protect and lock down your WordPress media files

Hello! Occasionally it has been necessary for us to lock down some or all of the WordPress media library from public viewing and indexing. The reasons vary from preventing sensitive information leakage to protecting private user information (e.g. custom media files uploaded on a per-user-account basis). Either way, there is a relatively straightforward way to lock down the visibility and permissions of files or folders in your media library so that they are neither indexed (and thereby disclosed more easily to the public) nor accessible by browsing the wp-content/uploads folder. Remember that, depending on your web server's configuration (Apache's Options +Indexes or nginx's autoindex on), this folder often has directory listing enabled. That means you can visit a WordPress site, manually request site.com/wp-content/uploads and browse the files and folders therein to see if any sensitive information is contained within. Sometimes it's not enough to simply edit your robots.txt to disallow […]
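
One nginx fragment covering both media posts on this page (the per-uploader gating described under "How to protect WordPress media files and only allow the users who uploaded them to view" and the lockdown of wp-content/uploads described here), as an added example that is not the articles' own configuration. Assumptions: uploads live at /wp-content/uploads/, per-user files are written under a hypothetical /wp-content/uploads/private/ prefix, and a hypothetical endpoint wp-content/plugins/media-guard/check.php looks up the attachment owner for the requested path, compares it with the logged-in user and answers 200 or 403 with an empty body. As with the WPScan fragment, place it above the generic `location ~ \.php$` block.

```nginx
# Added example (not the articles' own configuration): no directory listings,
# no PHP execution from uploads, and a "private" subtree that is served only
# after the application confirms the requester owns the file.

autoindex off;    # never list directories; explicit in case an include turned it on

# A web shell dropped into uploads must never execute.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    return 403;
}

# Owner-only files.  auth_request issues a subrequest; a 2xx answer lets the
# original request continue, 401/403 is returned to the client as-is.
location ~* ^/wp-content/uploads/private/ {
    auth_request /_media_owner_check;
    add_header X-Robots-Tag "noindex, nofollow" always;  # keep crawlers out
    add_header Cache-Control "private, no-store";        # no shared caches
    try_files $uri =404;
}

# Internal-only subrequest target: hands the original URI and the session
# cookies to PHP, without the request body.
location = /_media_owner_check {
    internal;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root/wp-content/plugins/media-guard/check.php;  # hypothetical endpoint
    fastcgi_param X_ORIGINAL_URI $request_uri;   # PHP reads $_SERVER['X_ORIGINAL_URI']
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    fastcgi_pass unix:/run/php/php-fpm.sock;     # adjust to your PHP-FPM socket
}
```

The application-level half still matters: WordPress exposes attachment URLs through the REST media route (/wp-json/wp/v2/media) and attachment pages, so the same ownership rule has to be enforced there or the file names leak even though nginx refuses to serve the bytes. `auth_request` needs nginx built with the http_auth_request module, which the Debian and Ubuntu packages include.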

Tips to secure your WordPress site

Security is a huge deal. Sometimes you're at the mercy of the open source solution or content management system that you choose. On occasion, even after ensuring your CMS and its plugins are consistently kept up to date, you still fall victim to a zero-day exploit that circumvents the security of your site and allows an attacker to upload a file or modify your backend database. That's not good, especially if you have been diligent to the best of your abilities. We've decided to put together a quick security guide to help people ensure their WordPress implementation is as secure as possible.

Web Hosting environment
This is obviously a big one. Your hosting environment may or may not be able to provide layers of security as requests to your website are processed and served. There are elements that most web hosting companies should be able to provide […]