In the previous article we discussed WordPress hardening from an .htaccess angle. In this article we will make a series of additions to the functions.php file that ships with a WordPress theme. All the directives are appended to the end of that file and none of them touches the theme's own code; they only change what WordPress emits in the front end, especially the things that are commonly used for fingerprinting.
Patching the theme
Below are the things we will do to patch the theme so that it stops announcing what it is running.
Remove WordPress emoji code
Removing the emoji code from the front end stops it being used as a fingerprint (the inline _wpemojiSettings script and the emoji stylesheet are unique to WordPress). To do so we add four lines to functions.php:
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
remove_action( 'admin_print_styles', 'print_emoji_styles' );
Remove junk in the WordPress header
WordPress puts a number of items in the page head that we really don't need, so a little cleanup is to remove the following:
- Remove the previous/next (adjacent post) rel links
- Remove the WordPress meta generator tag
- Remove the weblog client link (RSD) – if you use services like Flickr you might want to keep it, as they need it; otherwise let this baby go.
- Remove the Windows Live Writer manifest link
- Remove post/page shortlinks
- Remove the first-post and index rel links (start_post_rel_link, index_rel_link)
- Remove the REST API (json-api) and oEmbed discovery links and disable JSONP on the API (note that the X-Pingback response header is sent separately by WordPress and is not covered by these directives)
- Remove the feed link
- Remove the comment feed link
The above can be achieved with the directives below:
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'start_post_rel_link' ); // no-op on WordPress 3.3 and later, harmless to keep
remove_action( 'wp_head', 'index_rel_link' );      // same
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head' ); // core hooks the _wp_head variant, not adjacent_posts_rel_link
remove_action( 'wp_head', 'rest_output_link_wp_head' );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'feed_links_extra', 3 );
add_filter( 'rest_jsonp_enabled', '__return_false' );
add_filter( 'rest_enabled', '__return_false' ); // deprecated since WordPress 4.7 and no longer disables the REST API
Two things to keep in mind: the callbacks are '__return_false' with two leading underscores (a single underscore is not a WordPress function and the filter silently does nothing), and calling remove_action at the top level of functions.php only works for hooks that were registered before the theme loaded, which is the case for everything core registers in default-filters.php. Hooks that a plugin adds must be removed from an init or wp callback that runs after that plugin.
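The following is an added example, not code from the original article or its plugin. It covers both the emoji section and the header cleanup above in one place, run from the init hook so that plugin-registered hooks are also caught, and adds the pieces those directives do not reach: the emoji DNS prefetch, the X-Pingback response header, the unauthenticated pingback XML-RPC method, and a working replacement for the deprecated rest_enabled filter. The hook, filter and callback names are WordPress core's; the hardening_* function names are my own.

```php
<?php
// Added example: hook-based cleanup plus response-header and API hardening.
// Hook/filter names are WordPress core's; hardening_* names are assumptions.

add_action( 'init', 'hardening_strip_head_output', 99 );
function hardening_strip_head_output() {
    // Emoji script, styles and the s.w.org DNS prefetch they add.
    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );
    remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
    remove_action( 'admin_print_styles', 'print_emoji_styles' );
    // WordPress 6.4+ enqueues the emoji stylesheet instead; harmless no-op on older versions.
    remove_action( 'wp_enqueue_scripts', 'wp_enqueue_emoji_styles' );
    remove_action( 'admin_enqueue_scripts', 'wp_enqueue_emoji_styles' );
    add_filter( 'emoji_svg_url', '__return_false' );

    // Discovery links in <head>.
    foreach ( array(
        'rsd_link', 'wlwmanifest_link', 'wp_shortlink_wp_head', 'wp_generator',
        'adjacent_posts_rel_link_wp_head', 'rest_output_link_wp_head',
        'wp_oembed_add_discovery_links',
    ) as $callback ) {
        remove_action( 'wp_head', $callback );
    }
    remove_action( 'wp_head', 'feed_links', 2 );
    remove_action( 'wp_head', 'feed_links_extra', 3 );
    remove_action( 'template_redirect', 'rest_output_link_header', 11 );
    add_filter( 'rest_jsonp_enabled', '__return_false' );
}

// X-Pingback is added by WP::send_headers(), not by wp_head, so it can only
// be dropped through the wp_headers filter.
add_filter( 'wp_headers', 'hardening_strip_response_headers' );
function hardening_strip_response_headers( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}

// pingback.ping is served by xmlrpc.php without authentication, so remove the
// method itself; xmlrpc_enabled only governs the methods that require a login.
add_filter( 'xmlrpc_methods', 'hardening_strip_pingback_method' );
function hardening_strip_pingback_method( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_enabled', '__return_false' );

// rest_enabled stopped working in WordPress 4.7. The supported way to close the
// REST API to anonymous visitors is to return a WP_Error from
// rest_authentication_errors; logged-in users (and the block editor) keep working.
add_filter( 'rest_authentication_errors', 'hardening_require_login_for_rest' );
function hardening_require_login_for_rest( $result ) {
    if ( null !== $result ) {
        return $result; // another authentication handler already decided
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}
```

Requiring a login for the REST API also blocks front-end features that call it anonymously (some contact-form and comment plugins, oEmbed of your posts by other sites), so test the public pages after enabling it rather than only the admin screens.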
Strip version information from the front end
A lot of the scripts and stylesheets in the WordPress front end are loaded with a query string of the form ?ver=<WordPress version>, which gives away the exact version on every page. For many reasons you might want this removed. We add the function below to the theme file; it runs on every enqueued script and style URL when the page is rendered and strips the ver argument. Two caveats: the ?ver= string is also what WordPress relies on for cache busting, so clear any CDN or page cache after a core upgrade, and the version still leaks through the readme.html file in the web root and the generator element in the RSS feed, so this closes only one of the tells.
function vc_remove_wp_ver_css_js( $src ) {
    // strpos() can return 0; compare against false rather than relying on truthiness
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'vc_remove_wp_ver_css_js', 9999 );
add_filter( 'script_loader_src', 'vc_remove_wp_ver_css_js', 9999 );
Beating user enumeration
WordPress lets anyone look up users via the author parameter, i.e. /?author=n where n is the author id; the canonical redirect then sends the visitor to /author/<username>/, which exposes the username and leaves an attacker with only one piece of the puzzle to figure out, the password. To stop this you can add the following to the theme's functions.php file:
if ( ! is_admin() ) {
    if ( isset( $_SERVER['QUERY_STRING'] ) && preg_match( '/author=([0-9]*)/i', $_SERVER['QUERY_STRING'] ) ) {
        wp_redirect( home_url() );
        exit; // wp_redirect() only sends the Location header; without exit the author archive still renders
    }
    add_filter( 'redirect_canonical', 'aliens_check_enumeration', 10, 2 );
}
function aliens_check_enumeration( $redirect, $request ) {
    // $request is the URL as requested; catch ?author=n before the canonical
    // redirect turns it into /author/<username>/
    if ( preg_match( '/\?author=([0-9]*)(\/*)/i', $request ) ) {
        wp_redirect( home_url() );
        exit;
    }
    return $redirect;
}
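The ?author= redirect above closes one enumeration path, but usernames also leak through the REST users endpoint, the wording of login errors, and pretty-permalink author archives, which are not query strings and so never reach the preg_match on QUERY_STRING. The following is an added example, not code from the original article or its plugin, that closes those three; the filter and action names are WordPress core's, the hardening_* function names are my own.

```php
<?php
// Added example: the remaining user-enumeration paths.
// Filter/action names are WordPress core's; hardening_* names are assumptions.

// 1. /wp-json/wp/v2/users (and ?rest_route=/wp/v2/users) lists every user who
//    has published a post, by id and slug, to anonymous visitors.
add_filter( 'rest_endpoints', 'hardening_hide_users_endpoints' );
function hardening_hide_users_endpoints( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // the editor needs this route for author selection
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}

// 2. wp-login.php answers differently for a bad username and a bad password,
//    which confirms valid usernames. Replace every error with one message.
//    Note this also replaces lost-password errors shown on the same screen.
add_filter( 'login_errors', 'hardening_generic_login_error' );
function hardening_generic_login_error( $error ) {
    return 'Invalid username or password.';
}

// 3. /author/<slug>/ archives. Priority 1 runs before redirect_canonical
//    (priority 10), so /?author=1 never reaches the redirect that would put
//    the username in the Location header.
add_action( 'template_redirect', 'hardening_block_author_archives', 1 );
function hardening_block_author_archives() {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}
```

The rest_endpoints change hides the route rather than returning a 401, so an anonymous request gets the same "No route was found" 404 as any non-existent endpoint, which is the response you want an enumeration tool to see.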
So far we have covered a number of hardening tactics that are key to hardening a WordPress site.
The good news is that the steps in this particular article have been made into a small plugin you can get on GitHub.
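Whichever way you apply the changes, check the result from the outside rather than trusting that the hooks fired. The following is an added example, not part of the original article or its plugin: a small CLI script that fetches a page and reports which of the tells from the emoji, header-cleanup and version-stripping sections are still present. The marker patterns match what WordPress core emits; the URL on the command line is whatever site you are checking, and wp_fingerprints() is my own function name.

```php
<?php
// Added example: verify the hardening from outside the site.
// Usage: php wp_fingerprint_check.php https://example.com/
// Exit code 0 if nothing was found, 1 if tells remain, 2 on fetch failure.

function wp_fingerprints( string $html, array $response_headers = array() ) : array {
    // Each pattern matches markup WordPress core emits unless the hook is removed.
    $patterns = array(
        'generator meta tag'        => '/<meta name="generator" content="WordPress[^"]*"/i',
        'emoji detection script'    => '/_wpemojiSettings|wp-emoji-release|wp-emoji-styles/i',
        'RSD link (xmlrpc.php?rsd)' => '/<link[^>]+rel=["\']EditURI["\']/i',
        'wlwmanifest link'          => '/wlwmanifest\.xml/i',
        'shortlink'                 => '/<link[^>]+rel=["\']shortlink["\']/i',
        'prev/next rel links'       => '/<link[^>]+rel=["\'](prev|next)["\']/i',
        'REST API discovery link'   => '/<link[^>]+rel=["\']https:\/\/api\.w\.org\/["\']/i',
        'oEmbed discovery link'     => '/application\/json\+oembed/i',
        'feed links'                => '/application\/(rss|atom)\+xml/i',
        'versioned asset (?ver=)'   => '/\/wp-(includes|content)\/[^"\'\s]*\?ver=\d/i',
    );
    $found = array();
    foreach ( $patterns as $label => $re ) {
        if ( preg_match( $re, $html ) ) {
            $found[] = $label;
        }
    }
    // Two tells live in response headers, not in the HTML.
    foreach ( $response_headers as $header ) {
        if ( 0 === stripos( $header, 'X-Pingback:' ) ) {
            $found[] = 'X-Pingback response header';
        }
        if ( 0 === stripos( $header, 'Link:' ) && false !== stripos( $header, 'api.w.org' ) ) {
            $found[] = 'REST API Link response header';
        }
    }
    return $found;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    // ignore_errors keeps the body on non-200 responses so a 403/404 page is still inspected
    $context = stream_context_create( array( 'http' => array( 'ignore_errors' => true ) ) );
    $body    = file_get_contents( $argv[1], false, $context );
    if ( false === $body ) {
        fwrite( STDERR, "fetch failed\n" );
        exit( 2 );
    }
    // $http_response_header is populated by PHP's http:// stream wrapper
    $headers = isset( $http_response_header ) ? $http_response_header : array();
    $found   = wp_fingerprints( $body, $headers );
    if ( empty( $found ) ) {
        echo "no WordPress fingerprints found\n";
        exit( 0 );
    }
    foreach ( $found as $tell ) {
        echo "still present: $tell\n";
    }
    exit( 1 );
}
```

Run it against the front page, a single post and an author URL, since the adjacent-post links and the oEmbed discovery link only appear on singular pages and a clean front page proves little on its own.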