WordPress Security Presentation from South Florida WordPress Meetup

This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

Published in: Technology, Business


Transcript

  • 1.
  • 2. How to HackProof Your WordPress Site
    WordPress Security
    South Florida WordPress MeetUp
  • 3. I’m @JohnCarcutt
  • 4. SEO Manager at MediaWhiz www.MediaWhiz.com
    Co-Host of SEO 101 www.WebmasterRadio.fm/SEO-101/ Mondays 5PM EST or listen on Apple iTunes anytime
    Long Time WordPress Evangelist
    Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC
  • 5. Tonight
    Link Injections
    Basic WordPress Security
    Security Based Plug-ins
  • 6. “Hackproof”
    This is impossible.
    Seriously… it’s IMPOSSIBLE!
    Hackers are Lazy.
    Make yourself a hard target.
    They will move on to someone else.
  • 7. Link Injection
    Hacker bots look for known exploits (SQL Injection, folder perms, etc.).
    This allows them to insert spam files/links.
    Your WordPress themes, plugins, and core files are the target.
  • 8. Link Injection
    Hosting account contains two separate sites
    (diagram: WordPress | WordPress MU)
  • 9. Link Injection
    Hacker puts a file on WPMU install
    (diagram: WordPress | WordPress MU)
  • 10. Link Injection
    WPMU file hacks WordPress install
    Installs spam links into files
    (diagram: WordPress | WordPress MU)
  • 11. Link Injection
    WPMU Shows No Spam, Appears Clean
    Cleaning WP Results in Recurring Injections
    (diagram: WordPress MU | WordPress)
  • 12. Link Injection
  • 13. Link Injection
    What does this do to your site?
    Part of a “Link Farm”
    Loss of Trust and Authority
    Reduced Page Rank
    Lost Rankings
    Showing up for non-relevant terms (Viagra)
  • 14. Basic WP Security
    Are you using the default “Admin” account?
  • 15. Basic WP Security
  • 16. Basic WP Security
    DON’T USE “ADMIN”
    Create a Unique User Account
    Assign it the Administrator Role
    Log Out, Log Back in with the new Administrator Account
    Delete the Original “Admin” Account
  • 17. Basic WP Security
    Use of “Permissions”
    Permissions tell the server who is allowed to access a file and what they can do with the file once they access it.
    Owner, Group, Public
    Read, Write, Execute
  • 18. Basic WP Security
    Use of “Permissions”
    Good Rule of Thumb:
    Files should be set to 644
    Folders should be set to 755
    Permission levels vary depending on server configuration
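A way to check the 644/755 rule of thumb from slides 17 and 18 across a whole install, added here as an example and not part of the presentation. It assumes GNU find on Linux; the sample install it builds (`make_sample_site`) is constructed for the demonstration and tolerates modes stricter than the rule, since "looser than 644/755" is the security-relevant direction.

```shell
#!/bin/sh
# Added example, not from the presentation: audit a WordPress tree against the
# slide's rule of thumb (files 644, folders 755). Anything world-writable is
# CRITICAL: another account on a shared host, or any compromised process, can
# rewrite it (the link-injection scenario from the earlier slides). Other
# deviations are WARN, because some hosts legitimately run 664/775 with a
# dedicated group. Stricter modes such as 640 on wp-config.php are not flagged.
# Assumes GNU find on Linux; paths containing newlines are not handled.
audit_wp_perms() {
    root="$1"
    # Any entry writable by "other" (o+w): always report.
    find "$root" -perm -002 -print | sed 's/^/CRITICAL world-writable /'
    # Directories with group/other write bits beyond 755 (world-writable ones
    # were already reported above).
    find "$root" -type d -perm /022 ! -perm -002 -print | sed 's/^/WARN dir-looser-than-755 /'
    # Files with group/other write, or any execute bit, beyond 644.
    find "$root" -type f -perm /133 ! -perm -002 -print | sed 's/^/WARN file-looser-than-644 /'
}

# Constructed sample install (labelled as such) showing the typical mistakes.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/themes/twentyten"
    printf '<?php // constructed config\n' > "$site/wp-config.php"
    printf '<?php // constructed theme header\n' > "$site/wp-content/themes/twentyten/header.php"
    printf 'x\n' > "$site/wp-content/uploads/cache.php"
    chmod 755 "$site" "$site/wp-content" "$site/wp-content/themes" "$site/wp-content/themes/twentyten"
    chmod 640 "$site/wp-config.php"                            # stricter than 644: fine
    chmod 664 "$site/wp-content/themes/twentyten/header.php"   # group-writable: WARN
    chmod 777 "$site/wp-content/uploads"                       # "fix upload errors" shortcut: CRITICAL
    chmod 666 "$site/wp-content/uploads/cache.php"             # writable by anyone: CRITICAL
    printf '%s\n' "$site"
}

# Usage on a real install: audit_wp_perms /path/to/wordpress  (prints nothing when clean)
```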
  • 19. Basic WP Security
    Move the wp-config.php file
    WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
    WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
  • 20. Basic WP Security
    Move the wp-config.php file
    This makes it nearly impossible for anyone to access your wp-config.php
    If WordPress is located here:
    public_html/wordpress/wp-config.php
    You can move your wp-config.php file to here:
    public_html/wp-config.php
  • 21. Basic WP Security
    Move the wp-content Directory
    WordPress 2.6 added the ability to move the wp-content Directory to the location of your choice
    If hackers can’t find your wp-content folder, they can’t hack it.
  • 22. Basic WP Security
    Move the wp-content Directory
    1. Move your wp-content directory
    2. Make two additions to wp-config.php:
    define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
    define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
    If you have compatibility issues with plugins there are two optional settings:
    define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
    define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
  • 23. Basic WP Security
    Remove WordPress Version from the Header
    Viewing source on most WP sites will reveal the version they are running:
    <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
    This helps hackers find vulnerable WP blogs running older versions
    To remove it, find the code below in the header.php file of your theme and delete it:
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
  • 24. Basic WP Security
    Remove WordPress Version from the Header
    The wp_head function also includes the WP version in your header
    To remove it, drop this line of code in your theme’s functions.php file:
    remove_action('wp_head', 'wp_generator');
    Themes and plugins might also display versions in your header.
  • 25. Basic WP Security
    Use Secure Passwords
    Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
    BAD PASSWORD: johnrocks
    GOOD PASSWORD: S-gnop2D[6@8
    WordPress will tell you when you have it right
  • 26. Basic WP Security
    Are you using the same password in multiple places?
  • 27. Basic WP Security
  • 28. Basic WP Security
    Change WordPress Table Prefix
    Edit wp-config.php before installing WordPress
    Change the prefix wp_ to something unique
    /**
     * WordPress Database Table prefix.
     *
     * You can have multiple installations in one database if you give each a unique
     * prefix. Only numbers, letters, and underscores please!
     */
    $table_prefix = 'zztop_';
    All database tables will now have a unique prefix (i.e. zztop_posts)
  • 29. Basic WP Security
    Other Advanced Security Techniques
    Force SSL Login for Administrators
    Lockdown Admin via .htaccess
    Use Secret Keys with Passwords
  • 30. Basic WP Security
    Recommended Security Plugins
    WP Security Scan
    http://wordpress.org/extend/plugins/wp-security-scan/
  • 31. Basic WP Security
    Recommended Security Plugins
    WP Exploit Scanner
    http://wordpress.org/extend/plugins/exploit-scanner/
  • 33. Basic WP Security
    Recommended Security Plugins
    WordPress File Monitor
    http://wordpress.org/extend/plugins/wordpress-file-monitor/
  • 34. Basic WP Security
    Recommended Security Plugins
    Login Lockdown
    http://wordpress.org/extend/plugins/login-lockdown/
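The recurring-injection story from slides 7 to 11 is exactly what a file-integrity baseline catches, and it is the job the WordPress File Monitor plugin above does. The script below is an added example, not code from the presentation or from any of the listed plugins: it records a hash baseline, reports what changed, and greps for the two signatures a spam-link dropper typically leaves (a hidden anchor block and an obfuscated loader). It assumes GNU coreutils on Linux; the "infected" site it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the presentation or from any plugin it lists: a minimal
# file-integrity baseline of the kind WordPress File Monitor keeps, plus a grep
# for the two tell-tale signatures of the link injection described earlier.
# The infected install below is constructed sample data. Assumes GNU coreutils.

# Record a SHA-256 per file, sorted so two baselines compare line by line.
wp_baseline() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum)
}

# Compare the tree with a saved baseline file; print ADDED / CHANGED / REMOVED
# lines, and nothing at all when the install is unchanged.
wp_compare() {
    wp_baseline "$1" | awk -v base="$2" '
        BEGIN { while ((getline < base) > 0) old[$2] = $1 }
        { if (!($2 in old)) print "ADDED " $2
          else if (old[$2] != $1) print "CHANGED " $2
          seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }'
}

# List PHP files carrying a hidden link block or an eval(base64_decode(...))
# style loader, the two things a spam-link dropper typically leaves behind.
wp_scan_injection() {
    grep -rlE --include='*.php' \
        'display: *none[^>]*>[^<]*<a |eval *\( *(base64_decode|gzinflate|str_rot13)' "$1"
}

# Constructed clean install (labelled as such).
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/twentyten"
    printf '<?php // constructed config\n' > "$site/wp-config.php"
    printf '<?php get_header(); ?>\n' > "$site/wp-content/themes/twentyten/index.php"
    printf '%s\n' "$site"
}

# Constructed after-the-fact state matching slides 9 to 11: an existing theme
# file gains a hidden spam block and a new loader file appears next to it.
inject_sample_spam() {
    printf '<div style="display:none"><a href="http://spam.invalid/pills">buy pills</a></div>\n' \
        >> "$1/wp-content/themes/twentyten/index.php"
    printf '<?php eval(base64_decode("PLACEHOLDER-not-real")); ?>\n' \
        > "$1/wp-content/themes/twentyten/cache.php"
}
# Usage: wp_baseline /path/to/wp > baseline.txt ; later: wp_compare /path/to/wp baseline.txt
```

Run the baseline right after a clean install or a verified clean-up; a CHANGED line on a core or theme file you did not edit is the recurring injection from slide 11, and the ADDED file is where to look for the dropper.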
  • 35. Basic WP Security
    WordPress Security Resources
    Security Related Codex Articles:
    http://codex.wordpress.org/Hardening_WordPress
    http://codex.wordpress.org/Changing_File_Permissions
    http://codex.wordpress.org/Editing_wp-config.php
    http://codex.wordpress.org/htaccess_for_subdirectories
    Blog Security Articles:
    http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
    http://www.growmap.com/wordpress-exploits/
    http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
    http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
    http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
    http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
    http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
  • I’m @JohnCarcutt
    Questions?
    Credit Where Credit is Due…
    Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC