baumi's blog

baumi's personal blog … Linux, OS X, Windows, Random things, …

Hardening WordPress, tshark decrypting SSL traffic

From a security point of view, WordPress seems to be a nightmare. The default setup exposes hundreds of .php include files in wp-includes/ and wp-content/ that can be requested directly. And indeed, many robots out there are scanning the whole internet for these kinds of files.

Here are some ideas to improve security.

Step 1: Add password authentication to wp-login.php, block xmlrpc.php attacks, disable direct access to wp-includes.

In your-wordpress-root-directory/.htaccess add:

To create your-wordpress-root-directory/.htpasswd, simply call “htpasswd -c your-wordpress-root-directory/.htpasswd <your-username>”.

Step 2: Add additional HTTP authentication to the your-wordpress-root-directory/wp-admin/ folder. This way you have a second security level provided by the Apache web server, and external tools cannot directly call your .php files in order to use known exploits in the PHP code.

For specific WordPress themes that load content via AJAX, we have found out that we need to create an exception for admin-ajax.php.

Step 3: Restrict PHP execution in wp-includes. This is important so the PHP files that are meant to be included by other PHP files cannot be accessed directly. Create/add your-wordpress-root-directory/wp-includes/.htaccess
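Steps 1 to 3 written out as Apache 2.4 directives. This is an added example, not the configuration from the original post; the AuthUserFile path and realm name are placeholders, the wp-tinymce.php exception is an assumption, and the wp-includes restriction is placed in the Step 3 file.

```apache
# ---- your-wordpress-root-directory/.htaccess (Step 1) ----
# Password prompt in front of the login form, before any PHP runs.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    # Placeholder: AuthUserFile needs the absolute path of the htpasswd file.
    AuthUserFile /absolute/path/to/your-wordpress-root-directory/.htpasswd
    Require valid-user
</Files>

# Refuse all XML-RPC requests (assumes nothing you use depends on xmlrpc.php).
<Files "xmlrpc.php">
    Require all denied
</Files>

# ---- your-wordpress-root-directory/wp-admin/.htaccess (Step 2) ----
# Second authentication layer for the whole admin folder.
AuthType Basic
AuthName "Restricted"
AuthUserFile /absolute/path/to/your-wordpress-root-directory/.htpasswd
Require valid-user

# Exception for themes that load front-end content via AJAX.
# A later <Files> section replaces the folder-wide Require above.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- your-wordpress-root-directory/wp-includes/.htaccess (Step 3) ----
# Include-only PHP files must not be requested directly.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Assumption: the visual editor requests this one file directly.
<Files "wp-tinymce.php">
    Require all granted
</Files>
```

The directives only take effect if the server allows them in .htaccess (AllowOverride AuthConfig or All). To check the result, a request for wp-includes/version.php should return 403 and one for wp-login.php should return 401 until credentials are supplied.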

Step 7: As an alternative to blocking things with .htaccess, you might consider additional filters for your firewall, some examples here:

Of course these can also be done via .htaccess but it shows the idea. However, .htaccess might be the preferred solution, as it will also work for https:// connections.

Step 8: Learn and use Wireshark (or tshark for the terminal). Here is a simple tshark example that allows you to monitor the requests in real time. The first time I did this I had quite a few “ahas”. Now I’m watching it from time to time. In case I discover something I don’t like, I can add rules to the firewall and .htaccess files.


For reference see


If you have read all the way down to this line and you think I forgot something important, or you have feedback, ideas or improvements, please don’t hesitate to contact me: frank (at)
