Securing Wordpress 2.7
Status of this, compared to other blog security articles
Fine WordPress security tutorials already exist online (notably, this BlogSecurity article). What they describe is fine overall, though they sometimes drift toward security through obscurity (i.e. hiding your WordPress version doesn't resist any serious attack; this is, however, another debate).
What the problem is
This is a small addition, which is particularly relevant for Wordpress 2.7. We noticed that, since the 2.7 release, Wordpress loves to connect to external websites when it is started or as soon as it receives connections.
This has several consequences:
- Wordpress 2.7 does not work well if you firewall outgoing port 80 to the internet.
- Wordpress 2.7 does not work well if you install it somewhere with no Internet access.
- Wordpress 2.7 does not work well if some "random" servers on the Internet do not answer.
- Wordpress 2.7 is a server application, but it acts as a client, and opens connections to the outside.
Solution
In terms of security, we particularly dislike the fourth statement, so we have been looking for ways to prevent those connections to the outside. The following can be done:
Wordpress internal option
Connect to http://your.blog.host.com/wp-admin/options-discussion.php and unselect the "Attempt to notify any blogs linked to from the article (slows down posting.)" option. We are not sure about the exact consequences of this, and it probably isn't enough, but it should prevent a couple of outbound connections.
Prevent connections at an upper level
We found that some websites are hardcoded (see wp-admin/includes/dashboard.php), and it seems Wordpress loves to connect to them when you start it. To prevent this, we have so far found no better way than editing your /etc/hosts file:
127.0.0.1 api.wordpress.org rpc.pingomatic.com planet.wordpress.org wordpress.org blogsearch.google.com
This makes your server believe that those hostnames are hosted locally, so it will try to connect to itself rather than to the Internet. If you don't want to pollute your server logs, you can add this Apache configuration at the end of the existing configuration:
<VirtualHost *:80>
    ServerName dummy
    ServerAlias *
    DocumentRoot /nonexistent
    ErrorLog /dev/null
    TransferLog /dev/null
</VirtualHost>
Of course, adapt this to your needs, since it means that any request not directed to one of your defined hostnames will not be logged. Maybe that's not something you desire.
Last point
Since 2.7, Wordpress seems to want to open HTTP connections to itself, probably to check that attachments, pictures, etc. are still valid. So if you keep it behind a reverse proxy, and your DNS (logically) points to the reverse proxy, Wordpress will try to open HTTP connections to your reverse proxy. Some firewall settings can block that, since it is not natural to have a backend server connect to a reverse proxy. It is probably better to have it open its connections to itself directly, by editing /etc/hosts to point your blog hostname to the loopback address.
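To check that the /etc/hosts entries still cover every hardcoded hostname after an upgrade, the following shell script (an added example, not from the original article or from WordPress) extracts hostnames from URLs in PHP files and lists those the hosts file does not map to a loopback address. The function names, the sample hosts file and the sample PHP lines are constructed for illustration; is_pinned can equally be used to confirm that your own blog hostname points to loopback, as suggested in the last point.

```shell
#!/bin/sh
# Added example: report hostnames hardcoded in PHP files that the hosts file
# does not map to a loopback address.

# Print the unique, lowercased hostnames of http(s) URLs in the given files.
extract_hosts() {
    grep -ohE 'https?://[A-Za-z0-9.-]+' "$@" 2>/dev/null |
        sed 's#^[a-z]*://##' | tr 'A-Z' 'a-z' | sort -u
}

# Succeed if hostname $2 maps to loopback in hosts file $1.
# The first line naming the host wins, as in a hosts-file lookup.
is_pinned() {
    awk -v h="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 && !seen {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == h) { seen = 1; ok = ($1 ~ /^127\./ || $1 == "::1") }
        }
        END { exit !(seen && ok) }
    ' "$1"
}

# Print every hostname found in the PHP files ($2...) not pinned in $1.
unpinned() {
    hosts_file=$1; shift
    extract_hosts "$@" | while read -r name; do
        is_pinned "$hosts_file" "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample input: neither a real hosts file nor WordPress source.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/hosts" <<'EOF'
127.0.0.1  localhost
127.0.0.1  api.wordpress.org rpc.pingomatic.com
192.0.2.10 planet.wordpress.org   # mapped, but not to loopback
EOF
cat > "$demo/sample.php" <<'EOF'
<?php
$a = 'http://api.wordpress.org/';
$b = 'http://rpc.pingomatic.com/';
$c = 'http://planet.wordpress.org/';
$d = 'http://BlogSearch.google.com/';
EOF

unpinned "$demo/hosts" "$demo/sample.php"
```

Against a real install, call it as unpinned /etc/hosts wp-admin/includes/*.php; hostnames that appear only in comments or documentation links will be listed too, so review the output before adding entries.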
