How to run a secure WordPress installation in an IaaS VM

In the cloud, a secure WordPress installation is important to the safety of enterprises. Expert Dejan Lukan provides detailed advice on this process.

WordPress is one of the more commonly used Web publishing platforms today. Unfortunately, WordPress has also been the recent target of a number of cyberattacks that seek to exploit vulnerabilities in the free and open source platform. This tip looks at how to secure a WordPress installation in an infrastructure as a service (IaaS) virtual machine (VM). With WordPress, it's best to follow a set of defined security measures to secure the environment against potential hackers.

Discovering WordPress version

The first step in analyzing security risks is determining which version of WordPress is in use. The wpscan program can determine the version by requesting the /readme.html file present in every WordPress installation. An attacker can use the version number to look up known vulnerabilities and then attempt to compromise the WordPress website.

The best thing to do is not to disclose the WordPress version in use. This is done by removing the readme.html file and installing the All in One WP Security plug-in, which also hides the WordPress version in other files.

Enumerate WordPress users

The wpscan program can also enumerate users on the WordPress website. This data can then be used to brute-force a user's password and gain access to the website as that user. When the administrative interface is reachable, an attacker can log in with the discovered username and brute-forced password to change the website and potentially add malicious code. This method is the basis for watering-hole attacks.

To stop attackers from enumerating users, add the following rewrite directives to the .htaccess file; they redirect requests that carry an author ID in the query string so that the URI no longer discloses information about users. The directives require the Apache mod_rewrite module to be enabled.

# Requires mod_rewrite. A request for the site root with an author=N query
# string is redirected back to the root with the query string dropped ("/?"),
# so the author-to-username mapping is never resolved.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ /? [L,R=301]

Enumerate WordPress plug-ins

The wpscan tool can also enumerate the plug-ins installed on the WordPress website. Having enumerated them, an attacker can look for a vulnerability in an unpatched plug-in version and gain unauthorized access to, or possibly complete control over, the website.

To make plug-in enumeration harder, find and delete the files that disclose the plug-in version: readme.html, readme.txt and changelog.txt. Each plug-in ships at least one of these files in its directory /var/www/wp-content/plugins/<plugin_name>/, and they can reveal the installed version. Once the files are deleted, wpscan can no longer determine the exact version of the installed plug-in. This is a step in the right direction, but it doesn't guarantee safety: if a vulnerability exists in an unpatched plug-in, the WordPress website can still be compromised. This is why it is imperative that all WordPress plug-ins are kept up to date at all times.

WordPress vulnerabilities

It's important to keep the WordPress framework updated to the latest available version, because vulnerabilities are also present in core files. Keeping the framework up to date patches those vulnerabilities and minimizes the risk of website compromise.

An example of a WordPress vulnerability is CVE-2013-0235, present in WordPress versions prior to 3.5.1. The vulnerability affects the XML-RPC interface, which is enabled by default, and is exploited through the pingback functionality to port scan internal and external targets, thus hiding the attacker's activity behind the WordPress server.

To protect against WordPress vulnerabilities, always keep WordPress updated to the latest available version. Also install the All In One WP Security & Firewall plug-in to help harden WordPress security.

The XML-RPC interface

The xmlrpc.php file provides API access to the WordPress website, but requires authentication to execute most of its methods. An attacker can use the XML-RPC API to brute-force a user's password, then log in via the admin web interface and gain total control over the website.

To protect against an exposed xmlrpc.php file, deny access to it from all IP addresses except the trusted ones that still need the XML-RPC API. This is done in the .htaccess file as part of the Apache web server configuration: the "Order Deny,Allow; Deny from all; Allow from" directives restrict access to xmlrpc.php to the listed IP address. Alternatively, the xmlrpc.php file can be deleted outright, but first make sure the functionality is not needed.

Additionally, disable the X-Pingback HTTP header, which is still sent in HTTP responses to advertise the presence of the XML-RPC API. To remove the response header, use the mod_headers Apache module and unset the header in the .htaccess file.
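The two measures above as one .htaccess fragment, added here as an example rather than taken from the article. 203.0.113.10 is a placeholder for the trusted address, and the Apache 2.4 native form is shown as a comment beside the 2.2-style directives the text uses:

```apache
# Added example, not from the original article. 203.0.113.10 is a placeholder
# for the trusted address; replace it with the real one.

<Files xmlrpc.php>
    # Apache 2.2 syntax (needs mod_access_compat on 2.4): deny everyone,
    # then allow the single trusted host.
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    # Apache 2.4 native equivalent of the three lines above:
    # Require ip 203.0.113.10
</Files>

# WordPress adds an "X-Pingback: .../xmlrpc.php" header to its responses. Strip
# it with mod_headers: "Header unset" acts on successful (2xx) responses and
# "Header always unset" on the separate table used for other status codes, so
# both lines are needed to cover every response.
<IfModule mod_headers.c>
    Header unset X-Pingback
    Header always unset X-Pingback
</IfModule>
```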

Companion article

See Infosec Institute's accompanying article on Protecting WordPress Installations in an IaaS Environment.

Protecting against clickjacking

A clickjacking attack is one in which an attacker uses an iframe element to embed a web page inside another page and tricks the user into clicking a button or link of the embedded page while viewing the contents of the top page.

To protect against clickjacking, additional HTTP headers must be set in every response returned to the client, which reduces the attack surface. Use the mod_headers module to set the following HTTP headers:

  • "X-Frame-Options: SAMEORIGIN" prevents the website from being embedded in a page on a different domain using elements like <iframe>.
  • "X-XSS-Protection: 1" enables the browser's built-in XSS protection, specifically in the Chrome web browser.
  • "X-Content-Type-Options: nosniff" prevents content-type sniffing (content spoofing) in web browsers such as Internet Explorer and Chrome.
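The three headers from the list as mod_headers directives, added here as an example (not from the article):

```apache
# Added example, not from the original article. Requires mod_headers.
<IfModule mod_headers.c>
    # Only pages from the same origin may frame this site (anti-clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Switch on the browser's reflective-XSS filter; the value "1; mode=block"
    # would make the browser block rendering instead of sanitising the page.
    Header always set X-XSS-Protection "1"
    # Browsers must honour the declared Content-Type instead of sniffing it.
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
```

"always" makes the directives apply to error responses as well as 2xx responses, so a 404 page is protected the same way as a normal page.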

Accessible administrative interface

The WordPress administrative web interface is usually enabled and reachable by anyone on the Internet, so it's a good idea to secure it to prevent unauthorized login attempts. If it isn't protected, an attacker can brute-force the password of an enumerated username and log in to the web interface to manage the website.

To protect against this, restrict access to trustworthy IP addresses only, so that access from all other IP addresses is denied. To do this, use the "Order Deny,Allow; Deny from all; Allow from" configuration directives in the .htaccess file to allow only the listed IP address. To further protect the administrative interface, add HTTP basic authentication with the "AuthUserFile /var/.htpasswd; AuthType Basic; Require valid-user" configuration directives.
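Both measures combined, added here as an example (not from the article). 203.0.113.10 is a placeholder trusted address, /var/.htpasswd is the credential file named above, and the wp-admin/ directory gets its own .htaccess because <Directory> blocks are not allowed inside .htaccess files:

```apache
# Added example, not from the original article. Create the credential file once:
#   htpasswd -c /var/.htpasswd adminuser
# 203.0.113.10 is a placeholder for the trusted address.

# ---- /var/www/.htaccess (document root): the login page ----
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10

    AuthType Basic
    AuthName "WordPress administration"
    AuthUserFile /var/.htpasswd
    Require valid-user
    # Satisfy All (the default): the IP check AND the password are both required.
    Satisfy All
</Files>

# ---- /var/www/wp-admin/.htaccess: the whole admin directory ----
Order Deny,Allow
Deny from all
Allow from 203.0.113.10

AuthType Basic
AuthName "WordPress administration"
AuthUserFile /var/.htpasswd
Require valid-user
Satisfy All

# Themes and plug-ins call admin-ajax.php from the public site without
# credentials, so exempt it here or front-end features break.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
    Satisfy Any
</Files>
```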

Protecting a WordPress installation is not an easy task and is not something that should be taken lightly. Thankfully, there are a number of precautions to take to ensure a website is secure. One thing to remember is that security is not a "do it once and forget it" thing, but a dynamic and ongoing process. This is why it's necessary to take the time to properly secure websites running on WordPress. They are constantly bombarded with attacks from various bots on the Internet. Security cannot be taken lightly as new attacks and techniques are constantly evolving and what's secure today might not be secure tomorrow.

About the author
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and constantly writes security-related articles for his own website.
