How to prevent WordPress CSRF attack

How to prevent WordPress CSRF attack

WordPress CSRF attack happens the same way as it happens on other sites. WordPress provides some inbuilt tools to protect against CSRF. We will see how to make use of these tools while creating our own wordpress plugins.

Wordpress CSRF Attack
Photo credit – 2508581015littleblackcamera

What is CSRF ?

CSRF meansCross-Site Request Forgery (CSRF). It is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

How does it happen ?

For e.g. if you have a form on your website and you haven’t protected it for CSRF attacks then a hacker can create a similar form elsewhere and trick one of your users to submit the form. This means the hacker can fill any values in the form. The damage depends on the functioning of the form.

How to prevent CSRF

In short, to prevent CSRF attack all we need to do is to check if the right user is performing the right action on your website.

WordPress CSRF attack and Nonces

WordPress has inbuilt facility called as Nonces to prevent such attacks. Basically nonce is some code (mix of letters and numbers) which is automatically generated and sent as a hidden field in the form. This number is then compared with the number on the submit page and further action allowed only if both the numbers match. This number has limited lifetime and keeps changing after every regular interval i.e. after the lifetime of that particular nonce for that user has reached. Although the hacker could see this number in your source code the number would not be valid as it depends on the user and it keeps changing.

However wordpress nonces are not the only solution to prevent CSRF. We also need to check user permissions before executing a certain action.

CSRF protection on your forms

Some form fields here In the above form the function wp_nonce_field creates a hidden field with some nonce string.

Below code goes on your submit form action/page

On the submit page the nonce value in the hidden field is validated using the function wp_verify_nonce then only the form gets processed.

CSRF protection on your AJAX calls

Prevent wordpress csrf  attack by protecting your Ajax calls too. jQuery calling an unprotected PHP page can have severe security implications.

Here is how we can apply CSRF protection on Ajax calls

Below code goes on your PHP page

check_ajax_referrer verifies the AJAX request to prevent processing external (malicious) requests.

WordPress Custom Login page

Creating a WordPress custom login page has 2 benefits

  1. Login page can be created based on your own theme
  2. The URL for the login page would be different to the WordPress login URL. This is a good security practice provided you block the Wordpress default login page or redirect it to your custom login page.

This does not mean that you need to create your own methods to store and retreive cookies by creating your own login function. WordPress provides easy to use functions using which you can create own own plugin to create a wordpress custom login page.

So here is the sample login form

WordPress custom login page – form

Here the form action submits to a page which does the authentication part. If you have created your own plugin the page would most likely be in your plugin folder.

Here is the page which does the authentication and sets the cookie

WordPress custom login page – authentication

wp_authenticate authenticates the user. If ok wp_set_auth_cookie sets the cookie for the user

 

WordPress XMLRPC attacks – How to prevent

Wordpress XMLRPC

What is wordpress XMLRPC

RPC stands for Remote Procedure Call. WordPress XMLRPC is a protocol which allows remote systems to communicate with WordPress. The language to communicate is XML.

With WordPress XMLRPC support, you can post to your WordPress blog using many popular Weblog Clients.

XML-RPC functionality is turned on by default since WordPress 3.5.

Brute Force Attack through wordpress XMLRPC

Attackers user system.multicall method in XML-RPC to create hundreds of request combined in a single request to attack a system i.e. mostly to guess the username and password to the system. This is called as Brute Force Amplification Attacks  via WordPress XML-RPC

How to prevent XMLRPC attack

  1. The most recommended way is to disable XML-RPC completely. To disable XML-RPC completely add following to your APACHE configuration file.
  1. Some plugins in wordpress e.g. Jetpack is based on XML-RPC. In that case it is not possible to disable XML-RPC entirely. In that case you can disable system.multicall requests through your firewall
  2. Check server logs regularly and find IPs trying to access XML-RPC. Any suspicious IP can be blocked through your Firewall or iptables. Here are some sample logs

     

Clickjacking – How to prevent on wordpress sites

Clickjacking
Photo credit 3294310361cherry scented

What is clickjacking

In simple words Clickjacking means users are tricked into clicking or keystroking on a different site/page making them think they are on their usual site.

How can that be a problem from security point of view. Here is an example

An example of Clickjacking

Lets assume you own a website my_domain.com and you login to it everyday. If this site is not protected from clickjacking a hacker may be able to call this site in an iframe on some page hosted on his domain some_domain_owned_by_hacker.com

Now the hacker also adds some javascript to this page which records users keystrokes.

Through some means the hacker may trick you in clicking and opening this page. If you do not notice the domain name in the URL then you may feel that it is your own website and may even log in.

Due to the keystroke recording script the hacker is then able to get your password.

However you may feel that you always check the domain name before performing any transaction on a website and more so if it is your own website. So would this still be a problem?

Remember that the hacker can even trick other administrators on your site and they may not be as careful as you are and it follows the same about your website users.

Further to this

Let’s assume you are already logged in to your website and the hacker tricks you in clicking some button on his page. Through the above mentioned iframe and button overlapping the hacker may perform a malicious administrative task on your website on your behalf by just tricking you to click on a link.

Solution to prevent clickjacking using X-Frame-Options

Solution to this is very simple. Simple add below code in your .htaccess file

The above code checks if the page called within iframe is from the same origin. If not it does not display the page

 

For more information read Clickjacking – OWASP

 

WordPress Security – Configuration / Installation

Wordpress Security
Photo credit – 2508581015littleblackcamera

1. WordPress security at the Configuration and installation level

This section explains measures to be taken for achieving wordpress security while installing and configuring wordpress.

1.1 Change default table prefix

Many published WordPress-specific SQL-injection attacks make the assumption that the tableprefix is wp, the default. Changing this can block at least some SQL injection attacks.

1.2 Securing wp-config.php

Are you aware that wp-config.php can be stored one directory level above the WordPress installation?

This is quite a simple task. Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission). This file contains quite sensitive information like password, database user etc so it’s very imp to protect this file

1.3 Disable File Editing through WordPress Dashboard

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard.

Add below line in wp-config.php

1.4 Blocking Search Engine Spiders from Indexing the Admin Section

Search engine spiders crawl over your entire blog and index every content. Using robots.txt file we can restrict the content which we would like to be indexed by Search engines. Obviously the admin section is not required to be indexed. Just create a file named robots.txt in your root folder (generally public_html) folder and paste below contents in that file.

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$

1.5 HTTPonly cookie

This prevents the cookie to be accessed by any Javascript

Add below in your htaccess file.

php_flag session.cookie_httponly On

Reference: OWASP XSS Bonus Rule SQL injection

1.6 Subscriber account

Login with a  subscriber account regularly to check of any of your plugins have created any unnecessary administrative links which are not supposed to be accessed by subscribers

1.7 Keep your wordpress and plugins uptodate with latest versions

Latest wordpress version mostly has fixes related to recent security vulnerabilities. It is very important to update your wordpress installation as soon as a new version is released. The same follows for plugins. However plugins security is mostly upto the author so it is very important to select a secure plugin.

1.8 Change the default login URL

WordPress default login URL is http://www.yoursite.com/wp-login.php

A hacker who wants to break in to you site typically uses Brute Force technique on this URL. Brute Force in this case means a script which will automatically try various usename/password combinations on your login URL. You would think that you are safe because your firewall is set to track this particular activity and would just block the IP. Howerver the hackers are one step ahead. They keep trying this script from various IPs. So if one IP is blocked the script automatically runs from a different IP. Also the script is set to run at regular intervals to avoid any DDoS alarlms

To avoid such scripts attacking your login page, just change/redirect your login page to some secret page e.g. http://www.yoursite.com/entermysite. That way you would protect yourself from such automated scripts trying to Brute Force your authentication.

To change your login page just install the plugin Rename wp-login.php and on the settings page on this page provide your new URL.

WordPress – How to disable dashboard access to subscribers

Control Dashboard Access
Photo credit – declanjewell2472470758

For security reasons you may wish to disable dashboard access to subscribers and allow access to only Admins, Editors and Authors.

Below is a simple snippet of code to achieve this. Add below code in your theme’s functions.php file

The above code will redirect the user to your home page when the user tries to visit the Dashboard.

However in some cases you may want a certain subscriber to access Dashboard. In that case I have created a capability called as dashboard_access. This capability can be assigned to the required user.

WordPress how to assign only necessary capabilities to users

Quite often there is a requirement in wordpress to give certain users access to certain Administrative function e.g. manage widgets but you do not want to make them administrator for obvious reasons

Here are some steps to achieve this requirement

  1. Create some role e.g. widgets_manager (based on the Author role i.e. same as Author role)
  2. Assign edit_theme_options capability to this newly created role
  3. Now just add below code to your functions.php