Hardening your Windows Bitnami WampStack WordPress Install:
By default Apache runs under an account with read/write access to your entire machine, so let’s fix that!
CREATING USERS
1. Create two new local users named apache and filezilla.
2. Add filezilla to the group administrators
3. Click Start -> Run
4. Type services.msc & hit enter
5. Find the service running Apache (ex: wampstackApache)
6. Change the service to run as local user apache
7. OK out of everything
8. Give user Apache read/write to C:\Program Files\BitNami WAMPStack
9. Stop & start the wampstackApache service
FYI, how to add a user:
1. Start -> Run -> Type ‘compmgmt.msc’ (no quotes) -> hit enter
2. Expand “local users and groups” -> right click on “users” folder -> (from popup menu) select “Add User”
PATH PERMISSIONS
(Note: when I say “read only” I mean ‘Read & Execute’, ‘List Folder Contents’, and ‘Read’.)
Modify security for the following paths:
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs\wp-content
-Users Administrator and filezilla get read/write; apache gets read only
If you have the WP Super Cache plugin, give apache read/write to the following:
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs\wp-content\cache
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs\wp-content\wp-cache-config.php
FTP SETUP
1. Install FileZilla Server
2. Change the FileZilla service to run under the filezilla local user
3. Restart FileZilla Server
4. Configure the SSL/TLS settings
5. Add a user that WordPress plugins will use to connect to your FTP server
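The account and service steps above (CREATING USERS steps 1 to 7 and 9, and FTP SETUP steps 2 and 3) as one PowerShell script. This is an added example, not code from the original post or from Bitnami; it assumes Windows PowerShell 5.1 or later and an elevated session, takes the Apache service name wampstackApache from the post, and assumes the FileZilla service is registered as 'FileZilla Server' (check both with Get-Service). The NTFS grant in step 8 belongs with the PATH PERMISSIONS steps and is not done here.

```powershell
# Added example (not from the original post): creates the two local service
# accounts and re-points the Apache and FileZilla Server services at them.
# Assumes Windows PowerShell 5.1 or later (LocalAccounts module), an elevated
# session, and the Bitnami Apache service name used in the post. The FileZilla
# service name is an assumption; confirm both with Get-Service before running.

#Requires -RunAsAdministrator

$ApacheService    = 'wampstackApache'     # from the post
$FileZillaService = 'FileZilla Server'    # assumed; check with Get-Service

function New-ServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$IsAdministrator
    )
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description "Service account for $Name" | Out-Null
    }
    # Only filezilla joins Administrators, as in the post; apache stays an
    # ordinary user so a compromised web server gets no admin rights.
    if ($IsAdministrator) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
    }
}

function Set-ServiceLogon {
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][securestring]$Password
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
    if (-not $svc) { throw "Service '$Service' not found; check Get-Service" }
    # Win32_Service.Change takes a plain-text password, so unwrap it only here.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = ".\$Account"; StartPassword = $plain }
    if ($result.ReturnValue -ne 0) {
        throw "Change() on '$Service' returned $($result.ReturnValue)"
    }
    # The Services console grants 'Log on as a service' when you pick an
    # account; Change() does not. If the service fails to start, grant
    # SeServiceLogonRight via secpol.msc -> User Rights Assignment.
    Restart-Service -Name $Service
}

# Prompt for the two passwords rather than embedding them in the script.
$apachePw    = Read-Host -AsSecureString -Prompt 'Password for local user apache'
$filezillaPw = Read-Host -AsSecureString -Prompt 'Password for local user filezilla'

New-ServiceAccount -Name 'apache'    -Password $apachePw
New-ServiceAccount -Name 'filezilla' -Password $filezillaPw -IsAdministrator

Set-ServiceLogon -Service $ApacheService    -Account 'apache'    -Password $apachePw
Set-ServiceLogon -Service $FileZillaService -Account 'filezilla' -Password $filezillaPw

# Confirm the services now run as the intended accounts.
Get-CimInstance Win32_Service -Filter "Name='$ApacheService' OR Name='$FileZillaService'" |
    Select-Object Name, StartName, State
```

Run it once from an elevated prompt; it asks for the two passwords instead of storing them. If a service will not start afterwards, the account is missing the 'Log on as a service' right, which the Services console assigns silently when you pick an account but the WMI Change() method does not.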
If you receive this error:
Protocol error: Invalid data, could not import account settings.
Could not change account settings
1. Delete these files:
FileZilla Server Interface.xml
FileZilla Server.xml
2. Stop the filezilla service
3. Start the filezilla service
4. Create your settings again
If you receive this error:
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs/ is writable. Please make it readonly after your page is generated as this is a security risk.
Change security permissions on that directory for user apache (as created above) to ‘Read & Execute’, ‘List Folder Contents’, and ‘Read’.
-If you find permissions are greyed out:
-1. click the “advanced” button in the Security tab (on properties of the folder)
-2. Uncheck “Allow inheritable permissions…”
-3. Click Apply
-4. When msgbox pops up click the button “Copy”
To fix the “Download failed. Could not create Temporary file” error:
Create the path wp-content/tmp and give apache read/write to it.
Add this line to wp-config.php (replacing ***PREFIX***** with the prefix of your db; this can be found in the Security -> Database tool that comes with the secure-wordpress plugin):
define('***PREFIX*****_TEMP_DIR', ABSPATH . 'wp-content/tmp'); // note: WordPress core's get_temp_dir() reads the constant WP_TEMP_DIR
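The permission steps above (CREATING USERS step 8, PATH PERMISSIONS, the read-only fix for htdocs including the inheritance break, and the wp-content/tmp directory) as one PowerShell script. This is an added example, not code from the original post or from Bitnami; it assumes Windows PowerShell 5.1 or later, an elevated session, the install path from the post, and that the local users apache and filezilla already exist. Paths that only exist with WP Super Cache are skipped when absent.

```powershell
# Added example (not from the original post): applies the NTFS permissions the
# post describes. Assumes Windows PowerShell 5.1 or later, an elevated session,
# the Bitnami paths from the post, and the local users apache and filezilla.

#Requires -RunAsAdministrator

$Root    = 'C:\Program Files\BitNami WAMPStack'
$Htdocs  = Join-Path $Root 'apps\wordpress\htdocs'
$Content = Join-Path $Htdocs 'wp-content'

$Apache    = "$env:COMPUTERNAME\apache"
$FileZilla = "$env:COMPUTERNAME\filezilla"
$Admin     = "$env:COMPUTERNAME\Administrator"

# The post's "read only" (Read & Execute, List Folder Contents, Read) is the
# ReadAndExecute composite right; its "read/write" is Modify.
$ReadOnly  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ReadWrite = [System.Security.AccessControl.FileSystemRights]::Modify

function Grant-NtfsAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$BreakInheritance
    )
    $acl = Get-Acl -LiteralPath $Path
    if ($BreakInheritance) {
        # Same as unticking "Allow inheritable permissions" and clicking "Copy":
        # inherited entries become explicit ones that can be edited here.
        $acl.SetAccessRuleProtection($true, $true)
    }
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # SetAccessRule replaces existing explicit Allow entries for this identity,
    # so a wider grant is downgraded rather than left alongside the new one.
    # It cannot remove an inherited entry; that is what -BreakInheritance is for.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AccessFor {
    # Lists the ACEs on $Path that name $User, with whether each is inherited.
    param([string]$Path, [string]$User)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$User" } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, IsInherited
}

# CREATING USERS step 8: apache can read/write the install tree.
Grant-NtfsAccess -Path $Root -Identity $Apache -Rights $ReadWrite

# "htdocs/ is writable" fix: the Modify entry above would inherit into htdocs,
# so break inheritance there and pin apache to read only.
Grant-NtfsAccess -Path $Htdocs -Identity $Apache -Rights $ReadOnly -BreakInheritance

# PATH PERMISSIONS: Administrator and filezilla edit wp-content; apache reads.
foreach ($id in @($Admin, $FileZilla)) {
    Grant-NtfsAccess -Path $Content -Identity $id -Rights $ReadWrite
}
Grant-NtfsAccess -Path $Content -Identity $Apache -Rights $ReadOnly

# The few places apache must write: WP Super Cache's files and the tmp
# directory used for plugin and theme downloads.
$tmp = Join-Path $Content 'tmp'
if (-not (Test-Path -LiteralPath $tmp)) { New-Item -ItemType Directory -Path $tmp | Out-Null }
$Writable = @((Join-Path $Content 'cache'), (Join-Path $Content 'wp-cache-config.php'), $tmp)
foreach ($p in $Writable) {
    if (Test-Path -LiteralPath $p) {   # cache paths exist only with WP Super Cache
        Grant-NtfsAccess -Path $p -Identity $Apache -Rights $ReadWrite
    }
}

# Check the result: on $Htdocs and $Content apache should show only
# ReadAndExecute, Synchronize; on $Root and the writable paths Modify, Synchronize.
foreach ($p in (@($Root, $Htdocs, $Content) + $Writable)) {
    if (Test-Path -LiteralPath $p) { Get-AccessFor -Path $p -User 'apache' }
}
```

Grant-NtfsAccess uses SetAccessRule, which replaces any explicit Allow entry for the same account, so re-running the script is safe. The final loop prints what apache holds on each path, so you can confirm apache no longer has Modify on htdocs before restarting the Apache service.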
Also, get some WordPress security plugins!
wp-security-scan
Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
- passwords
- file permissions
- database security
- version hiding
- WordPress admin protection/security
download wp-security-scan here
secure-wordpress-plugin
http://www.sitesecuritymonitor.com/secure-wordpress-plugin
- removes error-information on login-page
- adds index.php plugin-directory (virtual)
- removes the wp-version, except in admin-area
- removes Really Simple Discovery
- removes Windows Live Writer
- remove core update information for non-admins
- remove plugin-update information for non-admins
- remove theme-update information for non-admins (only WP 2.8 and higher)
- hide wp-version in backend-dashboard for non-admins
- Add string for use with WP Scanner
- Block bad queries
- Validate your site with a free malware and vulnerabilities scan with SiteSecurityMonitor.com