WordPress Security Presentation from South Florida WordPress Meetup

This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

  • Very good. Now I need to implement it!
    www.jeschke.com
  • security.
  • Damn! you got this on the front page of slideshare like 5 minutes after you submitted it.

    Damn you know what you're doing with this social media stuff! When are we going to see a presentation of THAT!
  • Nice job, John. Very informative...
  • Watch the entire Presentation here:

    http://wordpressflorida.com/blog/dec-9th-2009-wordpress-security-hack-proof-your-wp-site/

    Presentation Transcript

    • How to Hack-Proof Your WordPress Site
      WordPress Security
      South Florida WordPress MeetUp
    • South Florida WordPress MeetUp
      • I’m @JohnCarcutt
      • SEO Manager at MediaWhiz, www.MediaWhiz.com
      • Co-Host of SEO 101, www.WebmasterRadio.fm/SEO-101/, Mondays 5PM EST, or listen on Apple iTunes anytime
      • Long-Time WordPress Evangelist
      Tons of this presentation was stolen from Brad Williams, who gave a great presentation at WordCamp NYC
    • Tonight
      Link Injections
      Basic WordPress Security
      Security-Based Plug-ins
    • “Hackproof”
      This is impossible.
      Seriously… it’s IMPOSSIBLE!
      Hackers are lazy.
      Make yourself a hard target.
      They will move on to someone else.
    • Link Injection
      Hacker bots look for known exploits (SQL injection, folder permissions, etc.).
      This allows them to insert spam files and links.
      Your WordPress themes, plugins, and core files are the target.
    • Link Injection
      Hosting account contains two separate sites (diagram: WordPress and WordPress MU)
    • Link Injection
      Hacker puts a file on the WPMU install
    • Link Injection
      The WPMU file hacks the WordPress install and installs spam links into its files
    • Link Injection
      WPMU shows no spam and appears clean; cleaning WP results in recurring injections
    • Link Injection
      (diagram only)
    • Link Injection
      What does this do to your site?
      Part of a “Link Farm”
      Loss of Trust and Authority
      Reduced PageRank
      Lost Rankings
      Showing up for non-relevant terms (Viagra)
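The two-install scenario above is the reason cleaning one site keeps failing: the dropper lives in the other site on the same hosting account. The following is an added example, not code from the presentation, written in Python so it can be run from a shell against a whole account rather than from inside one WordPress install. It does two things the slides only describe: it scans every theme, plugin and core file under a directory for the kind of injected content discussed (a CSS-hidden container wrapping a link, and a runtime-decoded `eval`), and it keeps a SHA-256 baseline so that files which change after a cleanup can be spotted. The signatures, file names and the `spam.example` link are constructed for the demo and are assumptions, not a list from the talk.

```python
import hashlib
import os
import re
import tempfile

# Patterns to flag. These are general-purpose signatures assumed for this example,
# not a list from the presentation; extend them for your own sites.
SUSPICIOUS = [
    # a container hidden with CSS whose first child is a link: the classic injected spam link
    ("hidden link block", re.compile(r'display\s*:\s*none[^>]*>[^<]*<a\s', re.I)),
    # code that decodes and executes an encoded blob at runtime
    ("obfuscated eval", re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)),
]
SCAN_EXTS = (".php", ".html", ".htm", ".js")


def scan_text(text):
    """Labels of every suspicious pattern present in one file's text."""
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def walk_files(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def scan_tree(root):
    """Map relative path -> labels for every flagged file under root."""
    hits = {}
    for rel, path in walk_files(root):
        if rel.endswith(SCAN_EXTS):
            with open(path, encoding="utf-8", errors="replace") as fh:
                labels = scan_text(fh.read())
            if labels:
                hits[rel] = labels
    return hits


def snapshot(root):
    """Map relative path -> SHA-256 of its contents; a baseline to diff against later."""
    baseline = {}
    for rel, path in walk_files(root):
        with open(path, "rb") as fh:
            baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_snapshots(before, after):
    """Files added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


SAMPLE_FILES = {  # constructed sample: one hosting account holding two installs
    "wordpress/wp-content/themes/demo/header.php": '<?php wp_head(); ?>\n',
    "wordpress/wp-content/themes/demo/footer.php":
        '<?php wp_footer(); ?>\n'
        '<div style="display:none"><a href="http://spam.example/pills">cheap pills</a></div>\n',
    "wpmu/index.php": '<?php require "./wp-blog-header.php"; ?>\n',
    "wpmu/wp-content/uploads/cache.php": '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n',
}


def build_sample_account():
    """Write the constructed sample into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="hosting-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def run_demo():
    """Scan the whole account, then 'clean' only the WordPress theme file and show
    what a baseline diff and a rescan report. Returns the intermediate results."""
    root = build_sample_account()
    account_hits = scan_tree(root)
    wp_only_hits = scan_tree(os.path.join(root, "wordpress"))
    baseline = snapshot(root)
    footer = os.path.join(root, "wordpress/wp-content/themes/demo/footer.php")
    with open(footer, "w") as fh:
        fh.write('<?php wp_footer(); ?>\n')  # spam link removed, WPMU dropper left alone
    return {
        "account_hits": account_hits,
        "wp_only_hits": wp_only_hits,
        "after_cleanup": diff_snapshots(baseline, snapshot(root)),
        "still_infected": scan_tree(root),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Scanning only the `wordpress/` directory reports the spam link and nothing else, which is exactly the "appears clean" trap from the slides; scanning the account root also surfaces the encoded `eval` in the WPMU uploads folder. Take the baseline immediately after a cleanup and diff against it on a schedule, so a re-injection shows up as a modified or added file rather than as a drop in rankings weeks later.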
    • Basic WP Security
      Are you using the default “Admin” account?
    • Basic WP Security
      (no text on this slide)
    • Basic WP Security
      DON’T USE “ADMIN”
      Create a unique user account
      Assign it the Administrator role
      Log out, then log back in with the new Administrator account
      Delete the original “Admin” account
    • Basic WP Security
      Use of “Permissions”
      Permissions tell the server who is allowed to access a file and what they can do with the file once they access it.
      Owner, Group, Public
      Read, Write, Execute
    • Basic WP Security
      Use of “Permissions”
      Good rule of thumb:
      Files should be set to 644
      Folders should be set to 755
      Permission levels vary depending on server configuration
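Checking the 644/755 rule of thumb by hand in an FTP client is error-prone on a tree with thousands of files. The following is an added example, not code from the presentation or from WordPress: a Python audit that walks an install, reports every file or folder whose mode differs from the rule of thumb, and can optionally fix them. Because the slide notes that the right levels vary by server, the `overrides` mapping (an assumption of this example) lets you declare a different expected mode for specific paths, such as a stricter `wp-config.php`. The sample tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile

# Rule of thumb from the slide: 644 for files, 755 for folders.
FILE_MODE = 0o644
DIR_MODE = 0o755


def audit_permissions(root, overrides=None):
    """Walk a WordPress tree and return (relative_path, actual_mode, expected_mode)
    for every file or directory whose mode differs from the rule of thumb.

    overrides maps a relative path to a different expected mode, for hosts whose
    configuration needs something else (e.g. a stricter wp-config.php)."""
    overrides = overrides or {}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; its target is audited in place
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            expected = overrides.get(rel, expected)
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((rel, actual, expected))
    return findings


def fix_permissions(root, overrides=None, dry_run=True):
    """Apply the expected modes. Returns the number of entries changed (or that
    would be changed when dry_run is True, the default)."""
    findings = audit_permissions(root, overrides)
    for rel, _actual, expected in findings:
        if not dry_run:
            os.chmod(os.path.join(root, rel), expected)
    return len(findings)


def format_mode(mode):
    """Render a mode as the octal digits FTP clients show, e.g. 0o644 -> '644'."""
    return format(mode, "o")


def build_sample_tree():
    """Constructed sample: a tiny fake WordPress tree with two wrong modes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    for rel in ("index.php", "wp-config.php", "wp-content/themes/style.css"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // constructed sample file\n")
    for dirpath, dirnames, filenames in os.walk(root):  # start from a correct tree...
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_MODE)
    os.chmod(os.path.join(root, "wp-content"), 0o777)  # ...then a world-writable folder
    os.chmod(os.path.join(root, "wp-content", "themes", "style.css"), 0o666)  # and file
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, actual, expected in audit_permissions(root):
        print(f"{rel}: {format_mode(actual)} (expected {format_mode(expected)})")
    print(f"{fix_permissions(root, dry_run=False)} entries fixed")
```

Run it in dry-run mode first and read the findings; a long list of "expected 644" on a host that runs PHP as the site owner may be correct, while a single world-writable folder under `wp-content` is the sort of thing the bots in the earlier slides look for.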
    • Basic WP Security
      Move the wp-config.php file
      WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
      WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
    • Basic WP Security
      Move the wp-config.php file
      This makes it nearly impossible for anyone to access your wp-config.php
      If WordPress is located here:
      public_html/wordpress/wp-config.php
      You can move your wp-config.php file to here:
      public_html/wp-config.php
    • Basic WP Security
      Move the wp-content Directory
      WordPress 2.6 added the ability to move the wp-content directory to the location of your choice
      If hackers can’t find your wp-content folder, they can’t hack it.
    • Basic WP Security
      Move the wp-content Directory
      1. Move your wp-content directory
      2. Make two additions to wp-config.php
      define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
      define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
      If you have compatibility issues with plugins, there are two optional settings:
      define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
      define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
    • Basic WP Security
      Remove WordPress Version from the Header
      Viewing source on most WP sites will reveal the version they are running:
      <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
      This helps hackers find vulnerable WP blogs running older versions.
      To remove it, find the code below in the header.php file of your theme and delete it:
      <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
      <!-- leave this for stats please -->
    • Basic WP Security
      Remove WordPress Version from the Header
      The wp_head function also includes the WP version in your header.
      To remove it, drop this line of code into your theme’s functions.php file:
      remove_action('wp_head', 'wp_generator');
      Themes and plugins might also display versions in your header.
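After removing the generator tag and the `wp_generator` action, the practical question is how to confirm the version no longer leaks, since the slide warns that themes and plugins may still print it. The following is an added example, not code from the presentation: a small Python checker that parses a page's HTML (saved with "view source" or fetched however you like) and reports every `<meta name="generator">` plus the `?ver=` query strings on stylesheet and script URLs. That second check goes slightly beyond the slides: WordPress stamps enqueued assets that carry no version of their own with the core version, so a theme that "hides" the generator can still reveal it there. The two head snippets are constructed samples; `core_version` is a parameter assumed by this example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class VersionLeakFinder(HTMLParser):
    """Collects <meta name="generator"> contents and any ?ver= query value on
    <link>/<script> assets found while parsing an HTML document."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.asset_versions = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if url:
            parts = urlsplit(url)
            ver = parse_qs(parts.query).get("ver")
            if ver:
                self.asset_versions[parts.path] = ver[0]


def find_version_leaks(html, core_version=None):
    """Return the generator tags and asset ?ver= values found in an HTML page.
    When core_version is given, also list the asset paths whose ver= equals it,
    since those are the ones disclosing the WordPress version indirectly."""
    parser = VersionLeakFinder()
    parser.feed(html)
    parser.close()
    core_assets = [path for path, v in parser.asset_versions.items()
                   if core_version is not None and v == core_version]
    return {
        "generators": parser.generators,
        "asset_versions": parser.asset_versions,
        "core_version_assets": core_assets,
    }


# Constructed sample: a theme head before and after the fix on the slides. The
# style.css asset still carries ?ver=2.8 afterwards because it was enqueued
# without a version of its own (an assumed, but common, theme mistake).
LEAKY_HEAD = """<head>
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.8" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
</head>"""

HARDENED_HEAD = """<head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=20091209" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
</head>"""


if __name__ == "__main__":
    for label, html in (("before", LEAKY_HEAD), ("after", HARDENED_HEAD)):
        print(label, find_version_leaks(html, core_version="2.8"))
```

Run it against the page source before and after the change; an empty `generators` list with an empty `core_version_assets` list is the result you want. Any path left in `core_version_assets` points at the theme or plugin that enqueued an asset without its own version string.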
    • Basic WP Security
      Use Secure Passwords
      Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
      BAD PASSWORD: johnrocks
      GOOD PASSWORD: S-gnop2D[6@8
      WordPress will tell you when you have it right
    • Basic WP Security
      Are you using the same password in multiple places?
    • Basic WP Security
      (no text on this slide)
    • Basic WP Security
      Change WordPress Table Prefix
      Edit wp-config.php before installing WordPress
      Change the prefix wp_ to something unique
      /**
      * WordPress Database Table prefix.
      *
      * You can have multiple installations in one database if you give each a unique
      * prefix. Only numbers, letters, and underscores please!
      */
      $table_prefix = 'zztop_';
      All database tables will now have a unique prefix (i.e. zztop_posts)
    • Basic WP Security
      Other Advanced Security Techniques
      Force SSL Login for Administrators
      Lock down Admin via .htaccess
      Use Secret Keys with Passwords
    • Basic WP Security
      Recommended Security Plugins
      WP Security Scan
      http://wordpress.org/extend/plugins/wp-security-scan/
    • Basic WP Security
      Recommended Security Plugins
      WP Exploit Scanner
      http://wordpress.org/extend/plugins/exploit-scanner/
    • Basic WP Security
      Recommended Security Plugins
      WordPress File Monitor
      http://wordpress.org/extend/plugins/wordpress-file-monitor/
    • Basic WP Security
      Recommended Security Plugins
      Login Lockdown
      http://wordpress.org/extend/plugins/login-lockdown/
    • Basic WP Security
      WordPress Security Resources
      • Security-Related Codex Articles
      • http://codex.wordpress.org/Hardening_WordPress
      • http://codex.wordpress.org/Changing_File_Permissions
      • http://codex.wordpress.org/Editing_wp-config.php
      • http://codex.wordpress.org/htaccess_for_subdirectories
      • Blog Security Articles
      • http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
      • http://www.growmap.com/wordpress-exploits/
      • http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      • http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
      • http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
      • http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
      • http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
    • South Florida WordPress MeetUp
      • I’m @JohnCarcutt
      Questions?
      Credit where credit is due …
      Tons of this presentation was stolen from Brad Williams, who gave a great presentation at WordCamp NYC