• wordpress

WordPress

About

• https://wordpress.com/

• https://wordpress.org/

• https://developer.wordpress.org/

• Wordpress Download

  • https://wordpress.org/latest.zip

  • https://wordpress.org/latest.zip.sha1

• github.com WordPress/wordpress-develop

• WordPress Trac - Bug Tracker

• Wordpress Advanced Administration Handbook

  • Wordpress Advanced Administration Handbook wp-config.php

• Wordpress Support Forums

• wpbeginner.com Wie man automatische Updates in WordPress für Hauptversionen aktiviert

• wpbeginner.com Automatische Updates für WordPress Plugins und Themes aktivieren

Configure

wp-cron

• https://developer.wordpress.org/plugins/cron/

By default

• WP-Cron works by checking, on every page load, a list of scheduled tasks to see what needs to be run. Any tasks due to run will be called during that page load.

• Costs performance, as tasks are executed on click.
  • Latency, Slow down, …
• Scheduling errors occur, if no click happens within 3 hours.
  • Auto-updates fail …
• The system cron based solution actually is only an automated web request to wp-cron.php.
• WTF?!

Install lightweight curl (wget is default by Wordpress docs)

   1 apt install curl

/etc/cron.d/wordpress

   1 #
   2 # Ansible managed
   3 #
   4 
   5 SHELL=/bin/sh
   6 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
   7 
   8 # Example of job definition:
   9 # .---------------- minute (0 - 59)
  10 # |  .------------- hour (0 - 23)
  11 # |  |  .---------- day of month (1 - 31)
  12 # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
  13 # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
  14 # |  |  |  |  |
  15 # *  *  *  *  * user-name command to be executed
  16 */5  *  *  *  * www-data   curl --silent --show-error --output /dev/null -k "https://localhost/wp-cron.php"
  17 #*/5  *  *  *  * www-data   wget --delete-after --no-check-certificate https://localhost/wp-cron.php
  18 

To disable click based scheduling add the following line to
wp-config.php

   1 define( 'DISABLE_WP_CRON', true );

When Wordpress is served behind a reverse proxy, it may be necessary to configure the hostname to a local address in /etc/hosts, because the NAT may not provide in reflection.

You may check this by calling the API

   1 curl -vvv https://FQDN/wp-json/wp/v2/types/post?context=edit

Password Hashes

PHPass details

By default Wordpress uses PHPass (P H Pass) (Portable PHP password hashing framework) hashed passwords.

For the implementation details please see
wp-includes/class-phpass.php

They look like these:
$P$Hzp60wGyNNrc1I1BGWzMLerexnIKPg1

Attributes

• Length: 34 characters

• Based on MD5
  wp-includes/class-phpass.php

     1                 # We were kind of forced to use MD5 here since it's the only                                                                                                                        
     2                 # cryptographic primitive that was available in all versions                                                                                                                        
     3                 # of PHP in use.  To implement our own low-level crypto in PHP                                                                                                                      
     4                 # would have resulted in much worse performance and                                                                                                                                 
     5                 # consequently in lower iteration counts and hashes that are                                                                                                                        
     6                 # quicker to crack (by non-PHP code).                                                                                                                                               
  

• Salted with 8 chars
• Exponential cost factor

Substrings

• OFFSET=0, LENGTH=3: Identifier, usually $P$, only PHPBB3 (PHP Bulletin Board 3) uses $H$

• OFFSET=3, LENGTH=1: Cost, number of hash rounds (of salt+prev_hash) log_2_
  • encoded as position of the character in the string

    ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz (64 chars -> Positions: 0-63)

  • examples:

    • B ~ 13 -> 2¹³ = 8192 rounds

    • H ~ 19 -> 2¹⁹ = 524288 rounds (better)

• OFFSET=4, LENGTH=8: Salt of 8 chars
• OFFSET=12, LENGTH=22: Actual hash

Structure

   1 012 3    4  -  11 12        -         34
   2 $P$ H    zp60wGyN Nrc1I1BGWzMLerexnIKPg1
   3 ID  COST SALT     HASH

When with Python Passlib is available these can be generated in Ansible with

   1 "{{ lookup('ansible.builtin.password',
   2   '/dev/null', length=16, ident='H', encrypt='phpass') }}"

Password conclusion

• Use a password per wordpress instance that is unique.

• A plugin should be used to provide a more appropriate password hashing algorithm in case of theft or leakage of the database.

Plugins

Automatic upgrades of plugins should always be activated.

W3 Total Cache (W3TC)

• WordPress.org Plugin-Homepage - W3 Total Cache

• Why Speed Up Your WordPress Website: A Difference of Just 100ms in Page Load Speeds Can Cause a Visitor to Prefer Your Competitor’s Website.

Significantly speeds up the site thought caching of static content.

Wordfence Security

• https://www.wordfence.com/

• WordPress.org Plugin-Homepage - Wordfence Security – Firewall & Malware Scan

Disable & Remove Google Fonts

• WordPress.org Plugin-Homepage - Disable & Remove Google Fonts