Wordpress and Xenforo Security Musings

RallyFan

Well-known member
Hi all,

I'm going to be using Wordpress and Xenforo together and am musing over security.

Wordpress (staging setup and soon to be nuked) is already heavily locked down and currently installed under root.

If Xenforo is installed under a subfolder, doesn't that mean any security hardening (and plugins like Sucuri/Wordfence/Cerber) I have installed / coded for Wordpress also applies that hardening to Xen as well (as it's recursive under Wordpress)? My concern if so is that the WP site is running specific versions of things, and the like. The other danger would be Xen getting breached and Wordpress being impacted (or vice versa).

As such, if my host provides a blank canvas, from a security perspective wouldn't I be better off to have separation between the two, by installing them in parallel directories?

For example (under root):
Xenforo installed to /xenforo; and Wordpress installed to /wordpress

Rather than:
Xenforo installed to /wordpress/xenforo; and Wordpress installed to /root.

Also how secure/resilient is Xenforo from a security perspective? Does it suffer from the same issues that Wordpress does?
 
Just wondering if anyone had any thoughts on this one at all?

I might just have to trial and error otherwise (as I'm using a post live environment anyway).

To better explain is it easy to have:
----- Public_html
-------------------\wordpress (install and .htaccess file)
-------------------\xenforo

OR

----- Public_html (including base Wordpress install under root and .htaccess file)
-------------------\xenforo

I'm guessing in the last example anything in .htaccess will directly impact XenForo's usability, whereas in the first example changes in .htaccess would not impact Xenforo (as technically running 2 separate .htaccess files).

Note that this installation is also running Wordfence in addition to a server side firewall.


Thanks :)
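The scoping question above comes down to how Apache inherits .htaccess: directives in a directory apply to everything beneath it, while sibling directories never see each other's rules. The sketch below is an added example (not configuration from the thread, from XenForo or from WordPress) of the parallel layout, assuming Apache 2.4 with AllowOverride enabled and placeholder paths under public_html.

```apache
# Layout (hypothetical):
#   public_html/.htaccess            <- anything here still reaches BOTH installs
#   public_html/wordpress/.htaccess  <- WordPress rules only
#   public_html/xenforo/.htaccess    <- XenForo rules only

# --- public_html/wordpress/.htaccess ---
# Never serve the WordPress config file directly; the DB credentials live in it.
<Files "wp-config.php">
    Require all denied
</Files>

# --- public_html/wordpress/wp-content/uploads/.htaccess ---
# Refuse to serve any PHP file from the uploads tree. Because this sits inside
# wordpress/, it has no effect on the sibling xenforo/ directory.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>

# --- public_html/xenforo/.htaccess ---
# Belt-and-braces for XenForo's own config.php (PHP executes it rather than
# serving it, but this also blocks it if the PHP handler is ever unmapped).
# A <Files> block in xenforo/.htaccess applies to subdirectories too, so it
# covers the file wherever XenForo keeps it beneath xenforo/.
<Files "config.php">
    Require all denied
</Files>
```

The point to check after deploying is the top-level public_html/.htaccess: with the nested layout from the thread, every rule in it (including a "no PHP execution" rule) is inherited by xenforo/, which is exactly what would break the forum. With the parallel layout, only rules deliberately placed at public_html level are shared.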
 
XF is like Fort Knox. It is more likely for WP to get compromised. That said, it appears that you are invested in keeping your content safe, so either setup looks okie. I would keep them separated just in case :-0
 
If Xenforo is installed under a subfolder, doesn't that mean any security hardening (and plugins like Sucuri/Wordfence/Cerber) I have installed / coded for Wordpress also applies that hardening to Xen as well (as it's recursive under Wordpress)?
No.
Also how secure/resilient is Xenforo from a security perspective? Does it suffer from the same issues that Wordpress does?
XenForo is quite solid and I would consider it more secure than WP. This does depend on how well you secure and configure your server. Having an expert configure it is wise. Third Party addons do not get any check on XenForo so there is a risk there. There also is a risk with WP plugins.
WordPress has much more advanced security addons and integrations. WordFence and Sucuri/CloudFlare integration are good examples of this.
 
My question is primarily because I'm concerned I've locked it down with .htaccess so much that it could cause issues with Xenforo.

E.G no php file execution.

I also have file and folder permissions locked down pretty heavily on the server (as Wordpress is purely a frontend to the page content).


Is that just for plugins, or .htaccess as well?

XenForo is quite solid and I would consider it more secure than WP. This does depend on how well you secure and configure your server. Having an expert configure it is wise. Third Party addons do not get any check on XenForo so there is a risk there. There also is a risk with WP plugins.
WordPress has much more advanced security addons and integrations. WordFence and Sucuri/CloudFlare integration are good examples of this.

Hence my thoughts about physical separation of folders, as if it gets breached (say Wordpress), if there's anything recursively under its folders it could be targeted. Whereas if the folders are parallel to each other, technically there shouldn't be an easy way to attack one or the other install unless my actual server was breached as a root level.
 
Just noticed after installation that config.php contains the password to the database in plain text (along with the username).

Is .htaccess lockout enough to prevent that being a problem?
 
PHP files can only be processed by the server:
Thanks for the post @Claudio

I'm not talking about client side PHP execution, but rather something like a GET command being used to grab the actual PHP file, and then (with the username, password and database details in that file in plain text) an SQL injection attack launched on the forum database?

Or for that matter bypassing .htaccess and having direct access to that directory?

Or is that thinking then in the realm of "if someone knows that sort of thing and goes to those lengths, they are getting in anyway?"
 
Unless your web server is misconfigured then the actual contents of config.php wouldn't be output to the browser. It is run through PHP first and would simply output a blank page.
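The reply above is easy to verify on your own server rather than take on faith. The script below is an added example (not from the thread or from either project) that fetches a config file URL and reports whether the response looks like executed PHP output (blank or an error page) or like raw source containing the credential lines. The URL and the marker strings are assumptions: `DB_PASSWORD` is the WordPress define, `$config['db']['password']` the XenForo 2 array key.

```sh
#!/bin/sh
# Added example: detect a web server that serves PHP config source instead of
# executing it. Run it against your own installs only, e.g.
#   sh check_config.sh https://example.invalid/xenforo/src/config.php

config_leaked() {
    # $1: path to a saved HTTP response body.
    # Prints LEAK if the body contains unexecuted PHP source markers, else OK.
    # Always exits 0 so it composes cleanly under "set -e".
    # Markers (assumed): an opening PHP tag, the WordPress DB_PASSWORD define,
    # or the XenForo 2 $config['db']['password'] key.
    if grep -Eq '<\?php|DB_PASSWORD|\$config\[.db.\]\[.password.\]' "$1"; then
        echo LEAK
    else
        echo OK
    fi
}

check_url() {
    # $1: URL of a config file on a server you administer.
    body=$(mktemp)
    status=$(curl -s -o "$body" -w '%{http_code}' "$1")
    verdict=$(config_leaked "$body")
    rm -f "$body"
    echo "$1 -> HTTP $status, body: $verdict"
}

# Check every URL given on the command line; nothing runs with no arguments.
for url in "$@"; do
    check_url "$url"
done
```

Reading the result: "HTTP 403, OK" means an access rule denied the request; "HTTP 200, OK" means PHP executed the file and emitted nothing, which is the blank page the reply describes; "LEAK" means the source was returned verbatim and the PHP handler is not mapped for that path. The same check is worth running against any non-.php copies of the file (editor backups and the like), because those are served as plain text regardless of the PHP handler.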
 