Hardening WordPress - SAScon Manchester 2013 (WordPress Security)


My talk at #SAScon Manchester 2013 about WordPress security and how to make your WordPress (a bit) safer. Including two-factor authentication, a lot of security-specific settings and much more :)



  1. Bastian Grimm, Managing Partner - Grimm Digital
     Hardening WordPress
     at WP Luvfest: "Maximising WordPress for Search"
     http://gdig.de/sascon13
     Manchester, June 2013
  2. About me
     @basgr
     SEO Trainings, Seminars & Strategy Consulting
     WordPress Security, Consulting & Development
     Berlin-based Full-Service Performance Marketing Agency
  3. http://gdig.de/sascon13
  4. #1 Set up WordPress properly
     Use unique keys and salts. WordPress mixes them into the hashes that sign login cookies and nonces, so anyone who knows them (or the sample-file placeholders) can forge a logged-in session. Generate a fresh set here:
     https://api.wordpress.org/secret-key/1.1/salt/
     Use a non-default table prefix. It does not stop SQL injection as such, but it defeats automated attacks whose payloads hard-code the wp_users / wp_options table names:
     $table_prefix = 'wp_VzQCxSJv7uL_';
  5. #2 Protect your wp-config.php
     This needs to go into the .htaccess file in your WP root to prevent external access:
     <files wp-config.php>
       order deny,allow
       deny from all
     </files>
     (On Apache 2.4 without mod_access_compat the equivalent directive is "Require all denied".)
     Did you know this? Even better: move wp-config.php one directory above "www"; WordPress looks for it in the parent of the install directory automatically. Also chmod 400/440 (400 when PHP runs as the file's owner, 440 when it runs in the owner's group).
  6. #3 Remove the default "admin" account
     Set up a new user with the administrator role; log out.
     Log in with the new admin; delete the old one (attribute its posts to the new user when WordPress asks).
     Make sure to use a STRONG password, pleeaaasssseeee!
     http://www.random.org/passwords/
  7. Credits: http://bit.ly/T8wMwO
     Make absolutely sure you only use plug-ins from trusted authors!
  8. #4 Lock out multiple failed logins
     Limit Login Attempts
     http://wordpress.org/extend/plugins/limit-login-attempts/
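What a lock-out plug-in does under the hood, reconstructed as an added example over a few constructed access-log lines (this is not the Limit Login Attempts plug-in's code). It assumes combined-format logs and one WordPress behaviour worth knowing for detection: a failed login re-renders wp-login.php with HTTP 200, a successful one answers 302 to wp-admin, so a burst of 200s on POST /wp-login.php from one address inside a short window is a run of bad guesses.

```python
"""Spot wp-login.php brute-force attempts in combined-format access logs.
Added example (not the talk's or any plug-in's code). Assumption: failed
WordPress logins answer 200, successful ones 302."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, limit=4, window=timedelta(minutes=20)):
    """Return {ip: time the threshold was hit} for IPs with >= limit failed
    logins inside a sliding window (the same rule a lock-out plug-in applies)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].startswith("/wp-login.php"):
            continue
        if ev["status"] != 200:   # 302 is a successful login, not a failure
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= limit and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


# Constructed sample (TEST-NET addresses), not a real log: one failure an hour
# earlier that must fall out of the window, then four in four seconds.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2013:09:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2013:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2013:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2013:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2013:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Jun/2013:10:01:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Jun/2013:10:01:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"lock out {ip} (threshold reached at {when:%H:%M:%S})")
```

A real limiter also keys on the user name being tried and on the X-Forwarded-For header when WordPress sits behind a proxy; otherwise one attacker behind a shared NAT locks out everyone behind it.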
  9. #5 Protect your login (and wp-admin)
     Don't just put an .htaccess with basic password protection on /wp-admin/. It's a pure hassle: /wp-admin/admin-ajax.php is also called by front-end plug-ins, so ordinary visitors get the password prompt too.
     Recommended: try the "Lockdown WP Admin" plug-in to protect the PHP files in wp-admin as well as the login itself.
     http://wordpress.org/extend/plugins/lockdown-wp-admin/
  10. Or: lock down using a secret URL?
     Stealth Login Page
     http://wordpress.org/plugins/stealth-login-page/
     (A secret login URL is obscurity, not authentication; keep the lock-out and strong passwords in place as well.)
  11. #6 Even better: two-factor verification
     Info: http://gdig.de/1t - Download: http://gdig.de/1u
  12. #6 Even better: two-factor verification
     Google Authenticator
     http://wordpress.org/plugins/google-authenticator/
  13. #6 Even better: two-factor verification
     Provide your login credentials, then the auth code from the Google Authenticator app on your mobile phone. The code is a time-based one-time password (TOTP) computed from a secret shared with the blog when you enrol, so a stolen password alone no longer gets anyone in.
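The maths behind the authenticator code, as an added example (this is not the Google Authenticator plug-in's code): RFC 4226 HOTP and RFC 6238 TOTP with the defaults the app uses, HMAC-SHA1, 30-second steps, 6 digits and a base32 secret. The verifier accepts one step of clock drift either way and, as the edge case a blog-side implementation must handle, refuses a code that was already used inside that window. The test key is the one from the RFCs' own test vectors.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP as used by Google Authenticator.
Added example, not the plug-in's code. Assumptions: SHA-1, 30 s steps,
6 digits, base32 secrets (the app's defaults)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """The code the phone app shows at Unix time `at` (default: now)."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify_totp(key, code, at=None, window=1, step=30, digits=6, last_counter=None):
    """Server side. Accept the code for the current step or +/- `window`
    steps of clock drift, but never a step <= last_counter (already used:
    a replay inside the window). Returns the matching counter, which the
    caller stores as the new last_counter, or None on failure."""
    at = time.time() if at is None else at
    now = int(at // step)
    for drift in range(-window, window + 1):
        c = now + drift
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits), code):   # constant-time compare
            return c
    return None


def new_secret() -> str:
    """Base32 secret to show as a QR code / type into the app at enrolment."""
    return base64.b32encode(secrets.token_bytes(10)).decode()


def key_from_secret(secret: str) -> bytes:
    return base64.b32decode(secret.upper().replace(" ", ""))


if __name__ == "__main__":
    s = new_secret()
    print("enrol secret:", s, "current code:", totp(key_from_secret(s)))
```

Note that verify_totp() returns the counter, which can legitimately be 0; test for None, not for falsiness.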
  14. #7 SSL logins & administration
     define('FORCE_SSL_LOGIN', true);
     define('FORCE_SSL_ADMIN', true);
     Set FORCE_SSL_LOGIN to true to force all logins to happen over SSL. (It still allows non-SSL admin sessions, so the session cookie can leak on the next plain-HTTP request.)
     Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow...). Note that WordPress 4.0 deprecated FORCE_SSL_LOGIN; FORCE_SSL_ADMIN is the one to keep.
  15. #8 Never EVER do this!
     These sites are bad news...
  16. A quick peek into some theme files...
     LOL! "family friendly" links - my a*s...
  17. A quick peek into some theme files...
     functions.php: this theme won't work without those links...
  18. #9 Always use TAC to do a pre-check!
     Theme Authenticity Checker (TAC)
     http://builtbackwards.com/projects/tac/
     It scans the installed themes for static external links and for base64-encoded / obfuscated code.
  19. It gets worse: base64-encoded footer
     Are you really sure you want to see that footer.php file?
  20. Right... NICE FOOTER!
  21. PLEASE... stay away from "free" WordPress themes - they're not free, really!
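The kind of check TAC and the theme scanners later in the deck run, as an added example over a constructed footer.php (this is not TAC's or Exploit Scanner's code): it flags the obfuscation functions (eval, base64_decode, gzinflate, str_rot13, preg_replace with the /e modifier), decodes long base64 literals and reports those that turn into PHP or into a hidden link, and lists hard-coded external links. It uses the same string heuristics such plug-ins rely on, so it produces false positives and still needs the "common sense" the talk asks for when reviewing.

```python
"""Static scan of theme files for obfuscated code and hidden links.
Added example, not TAC's or Exploit Scanner's code. The sample footer
below is constructed, not taken from any real theme."""
import base64
import os
import re

SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "assert": re.compile(r"\bassert\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgz(?:inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
EXTERNAL_LINK = re.compile(r"<a\s[^>]*href=['\"](https?://[^'\"]+)", re.I)
PAYLOAD_MARKERS = re.compile(r"<\?php|<a\s|\b(?:eval|system|exec|passthru|shell_exec)\b", re.I)


def _line_of(src, pos):
    return src.count("\n", 0, pos) + 1


def scan_source(src, name="<input>"):
    """Return (file, line, label, evidence) findings for one file's contents."""
    findings = []
    for label, rx in SUSPICIOUS.items():
        for m in rx.finditer(src):
            findings.append((name, _line_of(src, m.start()), label, m.group(0)))
    for m in B64_LITERAL.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:          # not valid base64 (a hash, a token): ignore
            continue
        if PAYLOAD_MARKERS.search(decoded):   # only report blobs that decode to code or markup
            findings.append((name, _line_of(src, m.start()), "base64_payload", decoded[:80]))
    for m in EXTERNAL_LINK.finditer(src):
        findings.append((name, _line_of(src, m.start()), "external_link", m.group(1)))
    return findings


def scan_theme(theme_dir):
    """Walk a theme directory and scan every .php file in it."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for fn in sorted(files):
            if fn.endswith(".php"):
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


# Constructed sample: an eval'd base64 blob that hides a sponsor link, the
# pattern shown on the "NICE FOOTER" slides.
_HIDDEN = "echo '<a href=\"http://example.com/\">sponsor</a>';"
SAMPLE_FOOTER = (
    "<?php /* constructed sample footer.php */ ?>\n"
    "<?php wp_footer(); ?>\n"
    '<?php eval(base64_decode("' + base64.b64encode(_HIDDEN.encode()).decode() + '")); ?>\n'
)
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body></html>\n"

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_FOOTER, "footer.php"):
        print(finding)
```

Run scan_theme() against wp-content/themes/<theme> before activating anything downloaded; an eval() or base64_decode() in a theme that merely renders pages has no honest reason to be there.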
  22. #10 Remove version & login message
     // Remove the error message from your login page: you don't want to give away
     // whether the user name or the password was the incorrect one.
     add_filter('login_errors', function ($error) { return null; });
     // Strip the version number. Removing the 'wp_generator' action alone does NOT
     // get rid of the version in your RSS feed(s); filtering 'the_generator' covers both.
     function my_remove_version() { return ''; }
     add_filter('the_generator', 'my_remove_version');
     (The original slide used create_function() for the first filter; that function is deprecated since PHP 7.2 and gone in PHP 8, hence the closure. Also keep in mind that /?author=N and the lost-password form still let an attacker enumerate user names.)
  23. #11 Block malicious URL requests
     BBQ: Block Bad Queries
     http://wordpress.org/plugins/block-bad-queries/
  24. Or one for all: harden your settings
     Secure WordPress
     http://wordpress.org/extend/plugins/secure-wordpress/
     Most important: remove the version number from ALL components & block malicious URL requests.
  25. #12 Update your blogs regularly!
     WP Updates Notifier sends e-mails about out-dated components (core, themes & plug-ins) for all blogs:
     - http://wordpress.org/extend/plugins/wp-updates-notifier/
     ManageWP can do one-click mass updates (core, themes, plug-ins again) for all your blogs:
     - http://managewp.com/features
  26. #13 Keep your installation clean
     Remove all inactive plug-ins as well as themes! Inactive code is still reachable by URL and still gets exploited; it just no longer gets your attention.
  27. #14 Scan your theme daily
     WP AntiVirus
     http://wordpress.org/extend/plugins/antivirus/
  28. Or try this one to scan for exploits
     Exploit Scanner
     http://wordpress.org/plugins/exploit-scanner/
     Caution: use a good portion of common sense when reviewing! It matches string patterns, so expect false positives.
  29. #15 Move the "wp-content" folder
     define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/my-wp-content');
     define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
     WP_CONTENT_DIR points to the new full local path (no trailing slash).
     WP_CONTENT_URL points to the new full URI (no trailing slash either; use https:// if you force SSL).
  30. #16 Fix file & folder permissions
     WP-Security Scan
     http://wordpress.org/extend/plugins/wp-security-scan/
     Very important: chmod your wp-config.php to be read-only!
  31. #17 Disable file editing
     define('DISALLOW_FILE_EDIT', true);
     Set DISALLOW_FILE_EDIT to true to disable editing files from the dashboard. By default, admins are allowed to edit PHP files through the theme and plug-in editors, which turns any stolen admin session into a PHP shell. Setting the above is equivalent to removing the edit_themes, edit_plugins and edit_files capabilities from all users. (DISALLOW_FILE_MODS goes further and also blocks plug-in/theme installs and updates from the dashboard.)
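The wp-config.php settings from #1, #7, #16 and #17 are easy to get wrong on one blog out of many, so here is a small auditor as an added example (not WordPress's or any plug-in's code, and the two sample configs are constructed): it parses define() constants and $table_prefix, complains about the default prefix, placeholder or short keys/salts, a missing FORCE_SSL_ADMIN or DISALLOW_FILE_EDIT, and, for a file on disk, about permissions looser than 400/440. The define() parser tolerates quotes, parentheses and semicolons inside the salt strings, which the api.wordpress.org salts do contain.

```python
"""Audit wp-config.php for the settings covered on slides #1, #7, #16, #17.
Added example, not WordPress's or a plug-in's code; sample configs below
are constructed."""
import os
import re
import secrets
import stat

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"     # value shipped in wp-config-sample.php

# define('NAME', <value>);  value = quoted string (escapes, ')' and ';' inside allowed),
# true/false, or a bare expression such as $_SERVER['DOCUMENT_ROOT'] . '/x'
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^;]+?)\s*\)\s*;"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def _literal(raw):
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw                      # expression: keep verbatim


def parse_wp_config(text):
    """Return ({constant: value}, table_prefix or None)."""
    defines = {m.group(1): _literal(m.group(2)) for m in DEFINE_RE.finditer(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_text(text):
    """Return a list of findings; empty means nothing to complain about."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix in (None, "wp_"):
        findings.append("table prefix is the default 'wp_' (slide #1)")
    for k in SALT_KEYS:
        v = defines.get(k)
        if not isinstance(v, str) or PLACEHOLDER in v or len(v) < 32:
            findings.append(f"{k} is missing, still the placeholder, or shorter than 32 chars (slide #1)")
    if defines.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN is not true (slide #7)")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true (slide #17)")
    return findings


def audit_file(path):
    """audit_text() plus the permission check from slide #16 (expect 400 or 440)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o} lets group/others read wp-config.php; chmod 400 or 440 (slide #16)")
    return findings


# Constructed samples: one straight from the sample file, one hardened.
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in SALT_KEYS
) + "$table_prefix = 'wp_';\ndefine('WP_DEBUG', false);\n"

HARDENED_CONFIG = "<?php\n" + "".join(
    f"define('{k}', '{secrets.token_hex(32)}');\n" for k in SALT_KEYS   # stand-in for the api.wordpress.org salts
) + ("$table_prefix = 'wp_VzQCxSJv7uL_';\n"
     "define('FORCE_SSL_ADMIN', true);\n"
     "define('DISALLOW_FILE_EDIT', true);\n")

if __name__ == "__main__":
    for finding in audit_text(WEAK_CONFIG) or ["ok"]:
        print(finding)
```

Point audit_file() at each blog's wp-config.php from a cron job and mail the output; a blog whose config drifted back to 'wp_' after a migration shows up the next morning instead of after the breach.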
  32. #18 Delete files & disable listings
     Delete those leftover files manually; also get rid of "readme.html" in your WP root (it announces the installed version to anyone who asks for it).
     This needs to go into the .htaccess file in your WP root to disable all directory listings:
     Options -Indexes
     http://httpd.apache.org/docs/2.4/mod/core.html#options
  33. If you changed "lastmodified" to ".php.bak" this would then... ok, enough!
  34. #19 Back up database & files
     BackWPup
     http://wordpress.org/extend/plugins/backwpup/
  35. And that's it! ...
  36. #20 Some more WordPress knowledge
     http://gdig.de/slides
  37. Bastian Grimm, Managing Partner - Grimm Digital
     Thanks! Questions?
     mail@grimm-digital.com
     twitter.com/basgr
     linkedin.com/in/bastiangrimm
     facebook.com/grimm.digital
     http://gdig.de/sascon13