HowTo: Harden Bitnami WampStack WordPress Install

July 7, 2010

Hardening your Windows Bitnami WAMPStack WordPress install:
By default the Apache service runs as LocalSystem, an account with read/write access to your entire machine, so any PHP script or plugin that gets compromised can write anywhere on the box. Let's fix that!

CREATING USERS
1. Create two new local users named apache and filezilla (ordinary accounts, no special group membership for apache).
2. Add filezilla to the group Administrators. This is only needed so FileZilla Server can write its own config files; a tighter alternative is to leave it out of Administrators and give filezilla read/write on the FileZilla Server install directory and on wp-content instead.
3. Click Start -> Run
4. Type services.msc and hit Enter
5. Find the service running Apache (ex: wampstackApache)
6. On the Log On tab, change the service to run as the local user apache (the dialog grants the account the "Log on as a service" right for you)
7. OK out of everything
8. Give user apache read/write to C:\Program Files\BitNami WAMPStack. This is broader than Apache needs; it really only has to write its logs, PHP's temp directory and the cache/tmp directories under wp-content, and the PATH PERMISSIONS section below takes the write access back on the web root.
9. Stop and start the wampstackApache service, then check in services.msc that the "Log On As" column shows .\apache.

FYI, how to add a user:
1. Start -> Run -> type 'compmgmt.msc' (no quotes) -> hit Enter
2. Expand "Local Users and Groups" -> right-click the "Users" folder -> (from the popup menu) select "New User..."

PATH PERMISSIONS
(Note: when I say "read only" I mean 'Read & Execute', 'List Folder Contents', and 'Read')
Modify security for the following path:
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs\wp-content
- Users Administrator and filezilla get read/write, apache gets read only.
This also stops media uploads through the dashboard, since WordPress writes them as the apache user; if you use them, give apache read/write on wp-content\uploads only, nothing else under wp-content.

If you have the WP Super Cache plugin, give apache read/write to the following (and only the following):
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs\wp-content\cache
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs\wp-content\wp-cache-config.php
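The CREATING USERS and PATH PERMISSIONS steps above as one script, added here as an example rather than anything from the original post or from Bitnami. Run it from an elevated PowerShell prompt (2.0 or later). The install path, the service name wampstackApache, the FileZilla Server directory, and the apache2\logs and php\tmp directories as the only places outside wp-content that Apache must write to are all assumptions; check them against your install. It is deliberately tighter than step 8 above: apache gets read-only on the stack and write access only where it is needed, and neither account joins Administrators.

```powershell
# Added example, not from the original post. Assumed paths and names are marked.
$Stack     = 'C:\Program Files\BitNami WAMPStack'            # assumed default install path
$Htdocs    = Join-Path $Stack 'apps\wordpress\htdocs'
$WpContent = Join-Path $Htdocs 'wp-content'
$FzDir     = 'C:\Program Files\FileZilla Server'              # assumed; holds FileZilla Server.xml
$SvcName   = 'wampstackApache'   # confirm with: Get-Service | Where-Object { $_.DisplayName -like '*apache*' }

# 1-2. Create the accounts. 'net user <name> *' prompts for the password, so it
#      never appears on the command line or in the shell history. No group
#      membership beyond the default Users; explicit ACLs below cover the rest.
& net user apache    * /add /passwordchg:no /expires:never
& net user filezilla * /add /passwordchg:no /expires:never

# 3-7. Run the Apache service as .\apache. services.msc grants the account the
#      'Log on as a service' right by itself; this WMI call does not, so if the
#      service later fails to start with a logon failure, add the right in
#      secpol.msc under Local Policies -> User Rights Assignment.
$secure = Read-Host 'Password you just set for apache' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$svc    = Get-WmiObject Win32_Service -Filter "Name='$SvcName'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, '.\apache', $plain)
Remove-Variable plain
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }

# 8. Apache reads the whole stack but writes only to its logs and PHP's temp
#    directory (assumed locations). The FTP account gets write on FileZilla's
#    own directory so the server can save its config without being an admin.
icacls $Stack /grant 'apache:(OI)(CI)RX'
icacls (Join-Path $Stack 'apache2\logs') /grant 'apache:(OI)(CI)M'
icacls (Join-Path $Stack 'php\tmp')      /grant 'apache:(OI)(CI)M'
icacls $FzDir /grant 'filezilla:(OI)(CI)M'

# PATH PERMISSIONS. Break inheritance on wp-content (what the "Copy" dialog
# does in the GUI) and set the ACL explicitly: admins and the FTP account
# write, Apache reads. (OI)(CI) makes each entry inherit to files and subdirs.
icacls $WpContent /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
    'filezilla:(OI)(CI)M' 'apache:(OI)(CI)RX'

# Write access only where a plugin needs it: WP Super Cache's cache directory
# and config file, the wp-content\tmp directory the post uses for plugin
# downloads, and uploads (only matters if you upload media via the dashboard).
foreach ($dir in 'cache', 'tmp', 'uploads') {
    $p = Join-Path $WpContent $dir
    if (-not (Test-Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    icacls $p /grant 'apache:(OI)(CI)M'
}
$cfg = Join-Path $WpContent 'wp-cache-config.php'
if (Test-Path $cfg) { icacls $cfg /grant 'apache:M' }

# 9. Restart Apache under the new account and confirm who it runs as.
Restart-Service -Name $SvcName
Get-WmiObject Win32_Service -Filter "Name='$SvcName'" | Select-Object Name, StartName, State
```

Windows has no privileged-port rule, so Apache keeps binding port 80 after the switch to a plain user account. If a page stops working after this, the first thing to check is Apache's error log for "Permission denied" on a path you did not expect it to write to.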

FTP SETUP
1. Install FileZilla Server.
2. Change the FileZilla Server service to run under the filezilla local user (services.msc, same as for Apache above).
3. Restart FileZilla Server.
4. Configure SSL/TLS settings (Edit -> Settings -> SSL/TLS settings). Note that WordPress only uses TLS for its plugin/update connections if wp-config.php also sets the FTP_SSL constant to true; otherwise the FTP credentials cross the wire in cleartext.
5. Add a user that WordPress plugins will use to connect to your FTP server, with its home directory limited to the WordPress web root (the plugins only need to write under wp-content).
Since WordPress is connecting from the same machine, it is also worth binding the server to 127.0.0.1 in the general settings so the FTP port is not reachable from the network.

If you receive this error:
Protocol error: Invalid data, could not import account settings.
Could not change account settings

1. Delete these files from the FileZilla Server install directory:
FileZilla Server Interface.xml
FileZilla Server.xml
2. Stop the FileZilla Server service
3. Start the FileZilla Server service
4. Create your settings again

If you receive this error:
C:\Program Files\BitNami WAMPStack\apps\wordpress\htdocs/ is writable. Please make it readonly after your page is generated as this is a security risk.

Change the security permissions on that directory for user apache (as created above) to 'Read & Execute', 'List Folder Contents', and 'Read'.
If you find the permissions are greyed out, they are inherited from the parent folder:
1. Click the "Advanced" button on the Security tab (in the folder's Properties)
2. Uncheck "Allow inheritable permissions from the parent to propagate to this object..."
3. Click Apply
4. When the message box pops up, click the "Copy" button (this keeps the inherited entries as explicit ones, which you can then edit)

To fix the "Download failed. Could not create Temporary file" error:
Create the directory wp-content\tmp and give apache read/write to it.
Then add this line to wp-config.php. The constant WordPress reads is WP_TEMP_DIR; it has nothing to do with your database table prefix, so do not put the prefix in front of it:
define('WP_TEMP_DIR', ABSPATH . 'wp-content/tmp');
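Once the permissions above are in place, it is worth checking that nothing was missed. The following script, added as an example and not part of the original post, walks the stack and lists every directory where the apache account holds an ACE that allows writing, deleting or changing permissions. The install path is an assumption; it only looks at entries granted directly to the account, not rights apache picks up through group membership such as Users, so run it as a sanity check rather than a full effective-access test.

```powershell
# Added example, not from the original post. Assumed install path below.
$Root    = 'C:\Program Files\BitNami WAMPStack'
$Account = "$env:COMPUTERNAME\apache"

# Rights that let a principal change content or permissions. The two hex
# values are GENERIC_WRITE and GENERIC_ALL, which inherit-only ACEs are
# sometimes stored with instead of the specific FileSystemRights bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000

function Get-WritableDirs([string]$Path, [string]$Who) {
    # Root plus every subdirectory (PSIsContainer keeps this PowerShell 2.0 friendly).
    $dirs = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ine $Who) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            New-Object PSObject -Property @{
                Path      = $d.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Expected on a hardened stack: only the Apache log directory, PHP's temp
# directory and the cache/tmp (and possibly uploads) directories under wp-content.
Get-WritableDirs -Path $Root -Who $Account | Format-Table -AutoSize Path, Rights, Inherited
```

Anything under htdocs that shows up here and is not cache, tmp or uploads is a place a compromised plugin could drop a PHP file; remove the entry with icacls or the Security tab and re-run until the list is what you intended.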

Also, get some WordPress security plugins!

wp-security-scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

  • passwords
  • file permissions
  • database security
  • version hiding
  • WordPress admin protection/security

download wp-security-scan here

secure-wordpress-plugin

http://www.sitesecuritymonitor.com/secure-wordpress-plugin

  1. removes error information on the login page
  2. adds a (virtual) index.php to the plugin directory
  3. removes the WP version, except in the admin area
  4. removes Really Simple Discovery
  5. removes the Windows Live Writer link
  6. removes core update information for non-admins
  7. removes plugin update information for non-admins
  8. removes theme update information for non-admins (only WP 2.8 and higher)
  9. hides the WP version in the backend dashboard for non-admins
  10. adds a string for use with WP Scanner
  11. blocks bad queries
  12. validates your site with a free malware and vulnerabilities scan from SiteSecurityMonitor.com