WordPress Security Presentation from South Florida WordPress Meetup
This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

Published in: Technology, Business
Transcript

  • 1.
  • 2. How to HackProof Your WordPress Site
    WordPress Security
    South Florida WordPress MeetUp
  • 3. South Florida WordPress MeetUp
    I’m @JohnCarcutt
  • 4. SEO Manager at MediaWhiz www.MediaWhiz.com
    Co-Host of SEO101 www.WebmasterRadio.fm/SEO-101/ Mondays 5PM EST or listen on Apple iTunes anytime
    Long Time WordPress Evangelist
    Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC
  • 5. Tonight
    Link Injections
    Basic WordPress Security
    Security Based Plug-ins
  • 6. “Hackproof”
    This is impossible.
    Seriously… it’s IMPOSSIBLE!
    Hackers are Lazy.
    Make yourself a hard target.
    They will move on to someone else.
  • 7. Link Injection
    Hacker bots look for known exploits (SQL Injection, folder perms, etc.).
    This allows them to insert spam files/links.
    Your WordPress themes, plugins, and core files are the target.
  • 8. Link Injection
    Hosting account contains two separate sites (diagram: WordPress, WordPress MU)
  • 9. Link Injection
    Hacker puts a file on the WPMU install
  • 10. Link Injection
    WPMU file hacks the WordPress install
    Installs spam links into files
  • 11. Link Injection
    WPMU shows no spam, appears clean
    Cleaning WP results in recurring injections
  • 12. Link Injection
  • 13. Link Injection
    What does this do to your site?
    Part of a “Link Farm”
    Loss of Trust and Authority
    Reduced PageRank
    Lost Rankings
    Showing up for non-relevant terms (Viagra)
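The recurring-injection story on slides 8 to 11 turns on finding the injected files. The script below is an added example and is not from the presentation: it makes a first pass over a wp-content tree for two indicators of the spam injections described, obfuscated execution calls in PHP files and CSS-hidden blocks of links in theme files. The indicator lists, file names and sample tree are my constructions; treat hits as leads for manual review, since legitimate code also uses display:none.

```shell
#!/bin/sh
# Added example, not part of the slides: a first-pass scan for the injected
# spam code the slides describe. Two heuristics: PHP files that contain
# obfuscated-execution calls, and theme/plugin files that hide a block of
# links with CSS. Both are triage indicators, not proof of compromise.
# The sample tree below is constructed for the demo.

# Obfuscated-execution indicators (POSIX ERE). Theme templates rarely need
# these; review every hit by hand.
EXEC_PATTERNS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\('
# Hidden-block indicators: only reported when the same file also carries <a href>.
HIDE_PATTERNS='display:[[:space:]]*none|visibility:[[:space:]]*hidden|text-indent:[[:space:]]*-[0-9]'

# Print "REASON path" for every flagged .php/.html file under $1.
scan_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) | sort | while read -r f; do
        if grep -Eq "$EXEC_PATTERNS" "$f"; then
            printf 'OBFUSCATED_EXEC %s\n' "$f"
        fi
        if grep -Eqi "$HIDE_PATTERNS" "$f" && grep -Eqi '<a[[:space:]]+href' "$f"; then
            printf 'HIDDEN_LINKS %s\n' "$f"
        fi
    done
}

# Number of findings (one file may produce two lines).
count_findings() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample: a clean header, a plugin file with an indicator line
# (inside a comment, so nothing executes), and a footer with a CSS-hidden
# block of outbound links.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/plugins/demo"
    cat > "$d/wp-content/themes/demo/header.php" <<'EOF'
<div class="site-header"><a href="/">Home</a></div>
EOF
    cat > "$d/wp-content/plugins/demo/demo.php" <<'EOF'
<?php
// constructed indicator only, not a working payload:
// $code = eval(base64_decode($x));
EOF
    cat > "$d/wp-content/themes/demo/footer.php" <<'EOF'
<div style="display:none"><a href="http://spam.example/pills">cheap pills</a></div>
EOF
    printf '%s\n' "$d"
}

# Demo: scan the constructed tree.
SAMPLE=$(make_sample_tree)
scan_tree "$SAMPLE"
```

Run it against a real install as `scan_tree /path/to/wp-content` and diff the output against a scan of a clean copy of the same theme and plugin versions; files that exist only on the live site are the ones the WPMU-style dropper in the slides would have added.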
  • 14. Basic WP Security
    Are you using the default “Admin” account?
  • 15. Basic WP Security
  • 16. Basic WP Security
    DON’T USE “ADMIN”
    1. Create a unique user account
    2. Assign it the Administrator role
    3. Log out, log back in with the new Administrator account
    4. Delete the original “Admin” account
  • 17. Basic WP Security
    Use of “Permissions”
    Permissions tell the server who is allowed to access a file and what they can do with the file once they access it.
    Owner, Group, Public
    Read, Write, Execute
  • 18. Basic WP Security
    Use of “Permissions”
    Good rule of thumb:
      Files should be set to 644
      Folders should be set to 755
    Permission levels vary depending on server configuration
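The 644/755 rule of thumb on slide 18 is easy to state and tedious to verify by hand across a whole install. The script below is an added example, not from the presentation: it lists every file and folder that deviates from those modes, and can apply them. The sample tree is constructed for the demo; on a real site run the audit first and review the list before fixing, because the slide's caveat holds (some hosts need different modes, and wp-config.php is commonly kept tighter than 644).

```shell
#!/bin/sh
# Added example, not part of the slides: audit a WordPress tree against the
# 644 (files) / 755 (folders) rule of thumb, and optionally apply it.
# The tree used in the demo is constructed.

FILE_MODE=644
DIR_MODE=755

# Print one line per deviation under $1: "DIR  path" or "FILE path".
# -perm with a plain octal mode is an exact match, so stray setuid/setgid
# or sticky bits are reported too. Symlinks are skipped by -type.
audit_perms() {
    find "$1" -type d ! -perm "$DIR_MODE" | sed 's/^/DIR  /'
    find "$1" -type f ! -perm "$FILE_MODE" | sed 's/^/FILE /'
}

# Number of deviations, for scripting and the test.
count_perm_violations() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the rule of thumb to every directory and regular file under $1.
fix_perms() {
    find "$1" -type d -exec chmod "$DIR_MODE" {} +
    find "$1" -type f -exec chmod "$FILE_MODE" {} +
}

# Constructed sample tree with two deliberate mistakes: a world-writable
# uploads directory and a world-writable theme file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/demo"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-content/themes/demo/functions.php"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/themes" "$d/wp-content/themes/demo"
    chmod 644 "$d/index.php"
    chmod 777 "$d/wp-content/uploads"                     # mistake 1
    chmod 666 "$d/wp-content/themes/demo/functions.php"   # mistake 2
    printf '%s\n' "$d"
}

# Demo: audit, fix, audit again.
SAMPLE=$(make_sample_tree)
echo "before:"; audit_perms "$SAMPLE"
fix_perms "$SAMPLE"
echo "after:";  audit_perms "$SAMPLE"
```

`audit_perms` prints nothing on a clean tree, so it drops straight into a cron job or a post-deploy check; a non-empty output is the signal to look at what changed, which is the same thing the WordPress File Monitor plugin later in the deck watches for.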
  • 19. Basic WP Security
    Move the wp-config.php file
    WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root.
    WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
  • 20. Basic WP Security
    Move the wp-config.php file
    This makes it nearly impossible for anyone to access your wp-config.php.
    If WordPress is located here:
      public_html/wordpress/wp-config.php
    You can move your wp-config.php file to here:
      public_html/wp-config.php
  • 21. Basic WP Security
    Move the wp-content Directory
    WordPress 2.6 added the ability to move the wp-content directory to the location of your choice.
    If hackers can’t find your wp-content folder, they can’t hack it.
  • 22. Basic WP Security
    Move the wp-content Directory
    1. Move your wp-content directory
    2. Make two additions to wp-config.php:
      define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
      define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
    If you have compatibility issues with plugins there are two optional settings:
      define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
      define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
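Slides 19 to 22 describe two file relocations. The script below is an added example, not from the presentation: it performs both with the checks a practitioner would want first. Two details matter in practice and are easy to get wrong by hand: the WP_CONTENT_DIR/WP_CONTENT_URL defines have to sit before the `require_once ... wp-settings.php` line at the bottom of wp-config.php (wp-settings.php sets the defaults if the constants are not defined yet), and the parent-directory lookup from slide 19 does not apply when the parent is itself a WordPress install (that is my understanding of the wp-load.php lookup rule; check it against your version). The /blog path and http://domain.com URL are the placeholders from the slides; the sample install is constructed. Note that in the slide's layout the moved file is still under public_html; it only leaves the web root when WordPress itself lives in the document root.

```shell
#!/bin/sh
# Added example, not part of the slides: the two relocation steps as a
# script with pre-checks. The install used in the demo is constructed.

# Step 1: move wp-config.php from the WordPress root ($1) to its parent.
# Refuses if the parent already holds a wp-config.php, or a wp-settings.php
# (the parent would then be another WordPress install and the parent-directory
# lookup would not apply; assumption based on wp-load.php's rule).
move_wp_config_up() {
    root=$1
    parent=$(dirname "$root")
    if [ ! -f "$root/wp-config.php" ]; then
        echo "no wp-config.php in $root" >&2; return 1
    fi
    if [ -f "$parent/wp-config.php" ] || [ -f "$parent/wp-settings.php" ]; then
        echo "parent already holds a wp-config.php or a WordPress install" >&2; return 1
    fi
    mv "$root/wp-config.php" "$parent/wp-config.php"
}

# Step 2: insert the WP_CONTENT_DIR / WP_CONTENT_URL defines into
# wp-config.php ($1) for the relocated directory, given its path relative
# to DOCUMENT_ROOT ($2) and its URL ($3). The defines are inserted just
# before the "require_once ... wp-settings.php" line, not appended after it.
# Does nothing if WP_CONTENT_DIR is already defined.
add_content_defines() {
    cfg=$1; rel=$2; url=$3
    if grep -q 'WP_CONTENT_DIR' "$cfg"; then
        echo "WP_CONTENT_DIR already defined in $cfg, leaving it alone" >&2; return 0
    fi
    if awk -v q="'" -v rel="$rel" -v url="$url" '
        /require_once.*wp-settings\.php/ && !done {
            print "define( " q "WP_CONTENT_DIR" q ", $_SERVER[" q "DOCUMENT_ROOT" q "] . " q rel q " );"
            print "define( " q "WP_CONTENT_URL" q ", " q url q " );"
            done = 1
        }
        { print }
        END { if (!done) exit 2 }
    ' "$cfg" > "$cfg.tmp"; then
        mv "$cfg.tmp" "$cfg"
    else
        rm -f "$cfg.tmp"
        echo "no wp-settings.php require found in $cfg, nothing changed" >&2; return 1
    fi
}

# Constructed sample install: public_html/wordpress with a minimal wp-config.php.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/wordpress/wp-content"
    cat > "$d/public_html/wordpress/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'placeholder_db' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
    : > "$d/public_html/wordpress/wp-settings.php"
    printf '%s\n' "$d/public_html/wordpress"
}

# Demo: add the defines while the file is still in the root, then move it up.
ROOT=$(make_sample_install)
add_content_defines "$ROOT/wp-config.php" /blog/wp-content http://domain.com/blog/wp-content
move_wp_config_up "$ROOT"
cat "$(dirname "$ROOT")/wp-config.php"
```

After running it, load the site once and watch for plugins that hard-code `wp-content` paths; those are the compatibility cases slide 22 reserves WP_PLUGIN_DIR and WP_PLUGIN_URL for, and the same awk insertion works for them.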
  • 23. Basic WP Security
    Remove WordPress Version from the Header
    Viewing source on most WP sites will reveal the version they are running:
      <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
    This helps hackers find vulnerable WP blogs running older versions.
    To remove it, find the code below in your theme's header.php file and remove it:
      <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
      <!-- leave this for stats please -->
  • 24. Basic WP Security
    Remove WordPress Version from the Header
    The wp_head function also includes the WP version in your header.
    To remove it, drop this line of code in your theme's functions.php file:
      remove_action('wp_head', 'wp_generator');
    Themes and plugins might also display versions in your header.
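The `remove_action('wp_head', 'wp_generator')` line on slide 24 only silences the `<meta>` tag in the HTML head. WordPress also writes the version into the `<generator>` element of its RSS and Atom feeds and appends `?ver=<version>` to the core scripts and styles it enqueues from wp-includes, neither of which that line touches. The checker below is an added example, not from the presentation: run it over a saved copy of the home page and of the feed after applying the fix, and it prints every line that still carries a version marker. The sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the slides: check saved copies of a page and
# its feed for WordPress version markers. The sample files are constructed.

# Print every line of file $1 that discloses a version:
#   <meta name="generator" content="WordPress x.y">    (HTML head)
#   <generator>http://wordpress.org/?v=x.y</generator>  (RSS/Atom feed)
#   /wp-includes/...?ver=x.y                            (core script/style)
find_version_leaks() {
    grep -Ein 'meta[[:space:]]+name="generator"|<generator>[^<]*wordpress\.org/\?v=|/wp-includes/[^"[:space:]]*\?ver=[0-9]' "$1" || true
}

# Number of leaking lines, for scripting and the test.
count_version_leaks() {
    find_version_leaks "$1" | wc -l | tr -d ' '
}

make_samples() {
    d=$(mktemp -d)
    # Page source before the fix: the meta tag plus a core script with ?ver=
    cat > "$d/before.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
<script src="http://domain.com/wp-includes/js/comment-reply.js?ver=2.8"></script>
</head><body></body></html>
EOF
    # Page source after the fix
    cat > "$d/after.html" <<'EOF'
<html><head>
<script src="http://domain.com/wp-includes/js/comment-reply.js"></script>
</head><body></body></html>
EOF
    # Feed still carrying the generator element
    cat > "$d/feed.xml" <<'EOF'
<rss version="2.0"><channel>
<generator>http://wordpress.org/?v=2.8</generator>
</channel></rss>
EOF
    printf '%s\n' "$d"
}

# Demo: report each constructed sample.
SAMPLE=$(make_samples)
for f in before.html after.html feed.xml; do
    printf '%s: %s leak(s)\n' "$f" "$(count_version_leaks "$SAMPLE/$f")"
    find_version_leaks "$SAMPLE/$f"
done
```

On the PHP side, the feed marker goes through the `the_generator` filter, so filtering that to return an empty string (my addition, not on the slide) covers the feed as well as the head; the `?ver=` strings need the enqueued assets re-registered without a version, which is a separate change.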
  • 25. Basic WP Security
    Use Secure Passwords
    Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
    BAD PASSWORD: johnrocks
    GOOD PASSWORD: S-gnop2D[6@8
    WordPress will tell you when you have it right
  • 26. Basic WP Security
    Are you using the same password in multiple places?
  • 27. Basic WP Security
  • 28. Basic WP Security
    Change WordPress Table Prefix
    Edit wp-config.php before installing WordPress.
    Change the prefix wp_ to something unique:
      /**
       * WordPress Database Table prefix.
       *
       * You can have multiple installations in one database if you give each a unique
       * prefix. Only numbers, letters, and underscores please!
       */
      $table_prefix = 'zztop_';
    All database tables will now have a unique prefix (i.e. zztop_posts)
  • 29. Basic WP Security
    Other Advanced Security Techniques
    Force SSL login for administrators
    Lock down admin via .htaccess
    Use secret keys with passwords
  • 30. Basic WP Security
    Recommended Security Plugins
    WP Security Scan
    http://wordpress.org/extend/plugins/wp-security-scan/
  • 31. Basic WP Security
    Recommended Security Plugins
    WP Exploit Scanner
    http://wordpress.org/extend/plugins/exploit-scanner/
  • 32. Basic WP Security
    Recommended Security Plugins
    WP Exploit Scanner
  • 33. Basic WP Security
    Recommended Security Plugins
    WordPress File Monitor
    http://wordpress.org/extend/plugins/wordpress-file-monitor/
  • 34. Basic WP Security
    Recommended Security Plugins
    Login Lockdown
    http://wordpress.org/extend/plugins/login-lockdown/
  • 35. Basic WP Security
    WordPress Security Resources
    Security Related Codex Articles
  • 36. http://codex.wordpress.org/Hardening_WordPress
  • 37. http://codex.wordpress.org/Changing_File_Permissions
  • 38. http://codex.wordpress.org/Editing_wp-config.php
  • 39. http://codex.wordpress.org/htaccess_for_subdirectories
  • 40. Blog Security Articles
  • 41. http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
  • 42. http://www.growmap.com/wordpress-exploits/
  • 43. http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
  • 44. http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
  • 45. http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
  • 46. http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
  • 47. http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
  • South Florida WordPress MeetUp
    I’m @JohnCarcutt
    Questions?
    Credit Where Credit is due …
    Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC
