Last month we released an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1.
I decided to allow WordPress to upgrade itself to the latest version; I only log in to update the plugins.
I have been hardening my Fortinet firewall and WordPress servers. I moved the wp-config.php file and added an include in the one on each web site pointing to the new location. I added the security keys and salts to the moved wp-config.php file for all the web sites. I changed all the SQL passwords for each site. I changed the .htaccess to stop directory browsing. I added some plugins against brute-force login attacks. I removed the webalizer servers, logs, and other etc files from the servers. I removed other directories and files that are no longer needed and could pose an issue to security. I changed all files to chmod 644. Directories are 755. I keep all the LAMP components up to date and check weekly. I keep the WordPress components, like themes and plugins, up to date. The Fortinet firewall has web filter blocks for wp-admin and other private directories.
I have two .htaccess files: one in the web site base folder and one in wp-admin to stop access to it.
Base folder: you can add Options -Indexes to stop directory browsing.
wp-admin folder: I add Require ip xxx.xxx.xxx.xxx for each IP I want to have access to this folder. I add the external IP addresses from work, and I add the server's loopback address so the health check keeps working. You also add these into /etc/hosts or your Windows hosts file.
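The two .htaccess files described above, written out by a small script. This is an added example, not the author's own files: the WordPress root is taken from the first argument, the IP addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders, and the admin-ajax.php exception is an addition the post does not mention (front-end plugins call that file for anonymous visitors, so an IP restriction on the whole wp-admin folder would otherwise break them).

```shell
#!/bin/sh
# Added example (not the author's files). Writes the base-folder and
# wp-admin .htaccess files for an Apache 2.4 server. All paths and
# addresses passed in are placeholders chosen by the caller.

# Base-folder .htaccess: disable directory listings for the whole site.
write_base_htaccess() {
    wp_root="$1"
    cat > "$wp_root/.htaccess" <<'EOF'
# Disable directory browsing (needs AllowOverride Options in the vhost)
Options -Indexes
EOF
}

# wp-admin/.htaccess: only the listed addresses may reach the admin area.
# Remaining arguments are allowed IPs or CIDR ranges. 127.0.0.1 is always
# included so a health check running on the server itself still works.
# Several bare Require lines in one context are OR'ed (implicit RequireAny).
write_admin_htaccess() {
    wp_root="$1"; shift
    out="$wp_root/wp-admin/.htaccess"
    {
        echo "# Admin area restricted to known addresses (Apache 2.4 authz_core)"
        echo "Require ip 127.0.0.1"
        for ip in "$@"; do
            echo "Require ip $ip"
        done
        echo "# admin-ajax.php is called by front-end plugins for anonymous"
        echo "# visitors too, so it must stay reachable from everywhere."
        echo "<Files admin-ajax.php>"
        echo "    Require all granted"
        echo "</Files>"
    } > "$out"
}

# Count the Require ip lines actually written, to confirm what the file allows.
count_allowed_ips() {
    grep -c '^Require ip ' "$1/wp-admin/.htaccess"
}

# Try it in a scratch directory (constructed, removed afterwards).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin"
    write_base_htaccess "$root"
    write_admin_htaccess "$root" 203.0.113.10 198.51.100.0/24
    echo "allowed entries: $(count_allowed_ips "$root")"   # 3: loopback plus two
    cat "$root/wp-admin/.htaccess"
    rm -rf "$root"
}
```

Both files only take effect if the vhost's AllowOverride permits them (Options for the -Indexes line, AuthConfig for the Require lines); with AllowOverride None Apache silently ignores the .htaccess file, so check the directory listing and the wp-admin block from an outside address after deploying.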
How did I repoint www to wp for my web sites?
On GoDaddy DNS, I set up A records for wp and www pointing to my ISP IP address.
In the etc/https/sites-available/ conf files I added
The ServerAlias is the old www address. The redirect points to the new SSL server address. The redirect is much faster now since it happens in the website itself.
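A vhost of the shape described above, as an added example rather than the author's actual configuration: the old www name is the ServerAlias, the permanent redirect sends every request to the HTTPS site on the new wp name. The hostnames www.example.com and wp.example.com are placeholders, and the function only writes the port-80 vhost; the HTTPS vhost for the wp name is assumed to exist separately.

```shell
#!/bin/sh
# Added example (not the author's vhost file). Generates the plain-HTTP
# virtual host that moves the old www name to the new SSL server.
# Arguments: output file, old hostname (ServerAlias), new hostname.

write_redirect_vhost() {
    out="$1"; old_host="$2"; new_host="$3"
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $new_host
    ServerAlias $old_host
    # 301 to the SSL server; the request path is kept, so deep links survive
    Redirect permanent / https://$new_host/
</VirtualHost>
EOF
}

# Read back where the vhost sends visitors, to confirm it is the HTTPS name.
redirect_target() {
    sed -n 's|^ *Redirect permanent / ||p' "$1"
}

# Try it on a scratch file (constructed, removed afterwards).
demo() {
    f=$(mktemp)
    write_redirect_vhost "$f" www.example.com wp.example.com
    echo "redirects to: $(redirect_target "$f")"   # https://wp.example.com/
    cat "$f"
    rm -f "$f"
}
```

One caveat: a visitor who types https://www.example.com/ hits port 443 before this redirect can run, so the certificate on the HTTPS vhost has to cover the old www name as well (or that name gets its own 443 vhost with the same Redirect), otherwise the browser shows a certificate warning before ever reaching the new site.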
Both WordPress servers have been duplicated and moved to Ubuntu 18.04.3 with the latest components. I then upgrade Ubuntu with LTS Enablement for the kernel updates.
I add the repositories for Digital Ocean's MariaDB, PHP 7.3.x and Apache 2.4.x. I install the latest phpMyAdmin after installing the base product in Ubuntu. phpMyAdmin is a quick way to create the WordPress database and user for each web site. I have pages dedicated to each of these. I copy in The Hacker News bug reports on all the components I use. It is best to stay on the latest components for WordPress.
Here is how I set the directory and file rights for WordPress sites. I could use wildcards but chose to use types.
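The 644/755 scheme from the post, applied by file type as an added example (this is not the author's own script): find -type d and find -type f pick directories and files regardless of name, which is what selecting by type rather than by wildcard buys you, and a second pair of find calls reports anything that has drifted from the scheme. The WordPress root is taken from the first argument; the files created in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the author's script). Sets directories to 755 and
# files to 644 below a WordPress root, then audits the tree for drift.

# Apply the scheme. -exec ... {} + batches paths into few chmod calls.
set_wp_permissions() {
    wp_root="$1"
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
}

# List entries that deviate from the scheme (empty output means compliant).
# "! -perm 755" matches the exact mode, so an extra bit (group write,
# setuid, world write on uploads) is reported, not just a missing one.
find_permission_drift() {
    wp_root="$1"
    find "$wp_root" -type d ! -perm 755
    find "$wp_root" -type f ! -perm 644
}

# Number of deviating entries; 0 means the whole tree matches.
count_permission_drift() {
    find_permission_drift "$1" | wc -l | tr -d ' '
}

# Try it on a constructed tree with deliberately loose modes.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf 'x' > "$root/wp-content/uploads/a.jpg"
    printf '<?php\n' > "$root/index.php"
    chmod 777 "$root/wp-content/uploads"   # world-writable upload dir
    chmod 666 "$root/index.php"            # world-writable PHP file
    echo "before: $(count_permission_drift "$root") deviations"
    set_wp_permissions "$root"
    echo "after:  $(count_permission_drift "$root") deviations"   # 0
    rm -rf "$root"
}
```

Run the audit function from cron or a weekly check alongside the LAMP updates: a PHP file that has become group- or world-writable, or an uploads directory at 777, is exactly the kind of change that precedes a webshell drop, and the audit flags it without touching anything. Note that 644 leaves wp-config.php readable by every local account; since that file carries the database credentials, many hardening guides set it tighter (for example 640 with the web server's group as the file's group), which is worth considering even when the file has been moved outside the web root as described above.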