Wordpress and Xenforo Security Musings

RallyFan

New member
Hi all,

I'm going to using Wordpress and Xenforo together and am musing over security.

Wordpress (staging setup and soon to be nuked) is already heavily locked down and currently installed under root.

If Xenforo is installed under a subfolder, doesn't that means any security hardening (and plugins like Sucuri/Wordfence/Cerber) I have installed / coded for Wordpress, also apply that hardening to Xen as well (as it's recursive under Wordpress)?. My concern if so is that the WP site is running specfic versions of things, and the like. The other danger would be Xen getting breached and Wordpress being impacted (or vice versa).

As such, if my host provides a blank canvas, from a security perspective wouldn't I be better off to have separation between the two, by installing them in parallel directories?

For example (under root):
Xenforo installed to /xenforo; and Wordpress installed to /wordpress

Rather than:
Xenforo installed to /wordpress/xenforo; and Wordpress installed to /root.

Also how secure/resilient is Xenforo from a security perspective? Does it suffer from the same issues that Wordpress does?
 

RallyFan

New member
Just wondering if anyone had any thoughts on this one at all?

I might just have to trial and error otherwise (as I'm using a post live environment anyway).

To better explain is it easy to have:
----- Public_html
-------------------\wordpress (install and .htaccess file)
-------------------\xenforo

OR

----- Public_html (including base Wordpress install under root and .htaccess file)
-------------------\xenforo

I'm guessing in the last example anything in .htaccess will directly impact Xenforos usability, whereas in the first example changes in .htaccess would not impact Xenforo (as technically running 2 separate .htaccess files).

Note that this installation is also running Wordfence in addition to a server side firewall.


Thanks :)
 

l3ta

Well-known member
XF is like Fort Knox. It is more likely for WP to get compromised. That said, it appears that you are invested in keeping your content safe, so either setup looks okie. I would keep them separated just in case :-0
 

Alfa1

Well-known member
If Xenforo is installed under a subfolder, doesn't that means any security hardening (and plugins like Sucuri/Wordfence/Cerber) I have installed / coded for Wordpress, also apply that hardening to Xen as well (as it's recursive under Wordpress)?.
No.
Also how secure/resilient is Xenforo from a security perspective? Does it suffer from the same issues that Wordpress does?
XenForo is quite solid and I would consider it more secure than WP. This does depend on how well you secure and configure your server. Having an expert configure it is wise. Third Party addons do not get any check on XenForo so there is a risk there. There also is a risk with WP plugins.
WordPress has much more advanced security addons and integrations. WordFence and Sucuri/CloudFlare integration are good examples of this.
 

RallyFan

New member
My question is primarily because I'm concerned I've locked it down with .htaccess so much that it could cause issues with Xenforo.

E.G no php file execution.

I also have file and folder permissions locked down pretty heavily on the server (as Wordpress is purely a frontend to the page content).

Is that just for plugins, or .htaccess as well?

XenForo is quite solid and I would consider it more secure than WP. This does depend on how well you secure and configure your server. Having an expert configure it is wise. Third Party addons do not get any check on XenForo so there is a risk there. There also is a risk with WP plugins.
WordPress has much more advanced security addons and integrations. WordFence and Sucuri/CloudFlare integration are good examples of this.
Hence my thoughts about physical separation of folders, as if it gets breached (say Wordpress), if there's anything recursively under its folders it could be targeted. Whereas if the folders are parallel to each other, technically there shouldn't be an easy way to attack one or the other install unless my actual server was breached as a root level.
 

RallyFan

New member
Just noticed after installation that config.php contains the password to database in plan text (along with username).

Is .htaccess lockout enough to prevent that being a problem?
 

Claudio

Well-known member
Just noticed after installation that config.php contains the password to database in plan text (along with username).

Is .htaccess lockout enough to prevent that being a problem?
Php files can be only be processed by the server:
 

RallyFan

New member
Php files can be only be processed by the server:
Thanks for the post @Claudio

I'm not talking about client side PHP execution, but rather something like a GET command be used to grab the actual PHP file, and then (with the username, password and database details in that file in plain text), an SQL injection attack launched on the forum database?

Or for that matter bypassing .htaccess and having direct access to that directory?

Or is that thinking then in the realm of "if someone knows that sort of thing and goes to those lengths, they are getting in anyway?"
 

Jeremy P

Well-known member
Unless your web server is misconfigured then the actual contents of config.php wouldn't be output to the browser. It is run through PHP first and would simply output a blank page.
 
Top