Skip to content

Anti-hacking tools deploying configuration for Wordpress

Notifications You must be signed in to change notification settings

cr0hn/wordpress-docker-sec

Repository files navigation

Anti-hacking tools deployment of WordPress

This repo only do a small hardening of Wordpress, without change any internal functionality of Wordpress.

The main goal is to disable hacking tools lik: WP-Scan or Plecost

Support this project

Support this project (to solve issues, new features...) by applying the Github "Sponsor" button.

Remove Metas && versions from statics

Followed this: https://tehnoblog.org/wordpress-security-how-to-hide-wordpress-meta-generator-version-info/

Remove PHP Warnings and debug info

Not only do security tasks, also configure the Wordpress site to suppress the PHP Warning & debug info to the website

Changing default CSS / Javascript hashed

Some security tools for Wordpress check .css / .js files, calculate a hash and can determinate the version of Wordpress from these files.

We change these files adding spaces at the ending of these files

Memory limit

Increased default Wordpress memory limit to 128M by default

Examples

This docker image must be complemented with the nginx-wordpress-docker-sec image, that you can find at: https://github.com/cr0hn/nginx-wordpress-docker-sec

To quick test, you can download the docker-compose.yml form this repo and launch a complete hardened stack of Wordpress:

version: "3"
services:

  wordpress:
    image: cr0hn/wordpress-docker-sec
    depends_on:
      - mysql
    environment:
      - WORDPRESS_DB_USER=my-user
      - WORDPRESS_DB_HOST=mysql
      - WORDPRESS_DB_PASSWORD=my-secret-pw
      - WORDPRESS_DB_NAME=wordpress
      - WORDPRESS_TABLE_PREFIX=mycustomprefix_
    volumes:
      - wordpress:/var/www/html

  nginx:
    image: cr0hn/nginx-wordpress-docker-sec
    depends_on:
     - wordpress
    volumes:
     - wordpress:/var/www/html/
    ports:
     - "8080:80"
    environment:
      POST_MAX_SIZE: 128m

  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: my-secret-pw
      MYSQL_DATABASE: wordpress


volumes:
  wordpress:

Screenshots

If you deploy this version of configuration for Nginx + wordpress-docker-sec (see below) hacking tools will tell you something like:

WP-Scan

WP-SCan

Plecost

Plecost

Nmap

Nmap

Releases

No releases published

Sponsor this project

 

Packages

No packages published