WordPress Security Tips

WordPress Security Tips By Catch Internet:
This slide deck covers WordPress hosting servers, an example of link injection hacks, the basics of securing your WordPress site, and WordPress security plugins.

Published in: Technology, Business

  1. WordPress Mini Word Camp 7: Basic WordPress Security Tips, by Catch Internet Pvt. Ltd.
  2. WordPress Security
     • WordPress popularity and usage brings in new threats
     • WordPress basic security is necessary for all users
     • Most hackers on the internet are looking for the easy way
  3. Purpose of the Presentation: to scare the crap out of you! (Image by http://blog.mysanantonio.com)
  4. Purpose of the Presentation: and then make everyone feel better
  5. What We Will Cover
     • WordPress hosting servers
     • Example of link injection hacks
     • How to secure your WordPress site: basics
     • WordPress security plugins
  6. Do I Really Need To Secure WP?
     • There is nothing valuable on my site
     • I only have limited visitors on my site
     • I thought I already was secured
     • Who is going to hack my site?
     • I already turned off the comments for security
  7. Yes, You Have to Secure Your WP
     • Check your hosting: well known, customer service, secure, review check, Linux based, control panel, backup
     • Server minimum requirements:
       • PHP 5.2.4 or greater
       • MySQL 5.0 or greater
       • The mod_rewrite Apache module
  8. Recommended Hosting
     • Bluehost
     • MediaTemple
     • WestHost
     • DreamHost
     • WordPress VIP, Choppa, VPS (premium servers)
  9. Hidden Link Injection Hacks
     • Upload / Plugin / Themes (TimThumb) / Core WordPress / Multi WordPress
     • Uses CSS to hide the links in the page style: display:none;
     • Mostly used to exploit your SEO ranking
     • Mostly initiated by basicpills.com and many other domains located at
     • Other easy hacks
  10. Hidden Link Injection Hacks
     • These are some of the links you will see in an infected site (quoted as on the slide):
         <a href="http://basicpills .com/">online prescription drugs without a prescription..
         <a href="http://generic-ed-pharmacy . com/">Buy Generic Viagra Onlin.
         <a href="http://getrxpills . com/buy/levitra.html">levitra 10 mg..
     • Mostly these spam links are all related to pharmacy products, leading you to one of a long list of pharmacy spam domains.
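A defender-side check for the pattern described on slides 9 and 10, added here as an example (it is not code from the deck or from Catch Internet): it parses rendered HTML, tracks which elements are hidden with display:none or visibility:hidden, and reports every anchor inside them, flagging hosts on a watchlist seeded with the three domains the slide shows. The sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Watchlist seeded with the three hosts the slide shows in infected pages.
SPAM_DOMAINS = {"basicpills.com", "generic-ed-pharmacy.com", "getrxpills.com"}
# Elements without a closing tag must not push onto the hidden-state stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> targets that sit inside (or on) a CSS-hidden element."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one bool per open element: is it hidden?
        self.hidden_links = []    # (host, href) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(_HIDDEN.search(a.get("style") or ""))
        hidden = hidden or (bool(self._hidden_stack) and self._hidden_stack[-1])
        if tag == "a" and a.get("href") and hidden:
            host = (urlparse(a["href"]).hostname or "").lower()
            self.hidden_links.append((host, a["href"]))
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def scan_html(html):
    """Return (all hidden links, hidden links whose host is on the watchlist)."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    flagged = [(h, u) for h, u in finder.hidden_links if h in SPAM_DOMAINS]
    return finder.hidden_links, flagged


# Constructed sample: one visible link, two hidden pharmacy links, one hidden unknown link.
SAMPLE_HTML = """<html><body>
<p>Welcome to my blog. <a href="https://example.org/about">About</a></p>
<div style="display:none">
  <a href="http://basicpills.com/">online prescription drugs</a>
  <a href="http://generic-ed-pharmacy.com/">buy generic</a>
</div>
<span style="visibility: hidden"><a href="http://unknown-host.test/">x</a></span>
</body></html>"""
```

Run it over the HTML your site actually serves (fetched from outside, since some injections only render for search-engine user agents); a hidden link to a host that is not on the watchlist still deserves a look.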
  11. How to Secure your WP Site basics
     • Keep your core WordPress, theme and plugins updated.
     • No "admin" user account
     • Use a secure username and password (http://goodpassword.com/)
     • Folder permissions, rule of thumb: files 644, folders 755
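An audit script for the 644/755 rule of thumb on slide 11, added here as an example (not from the deck): it walks a WordPress tree, reports every entry that deviates from the rule, and distinguishes world-writable entries (the dangerous case) from merely looser or stricter ones. demo() builds a constructed mini tree with a few deliberately wrong modes.

```python
import os
import stat
import tempfile

# The slide's rule of thumb, as octal permission bits.
EXPECTED_FILE, EXPECTED_DIR = 0o644, 0o755


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Walk `root` and return [(relative path, kind, actual mode, verdict)] for
    every entry that deviates from 644/755. Verdict is 'world-writable' when
    others can write, 'looser' when extra bits are set, 'stricter' otherwise
    (a 600 wp-config.php is stricter, which is fine)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, "dir", EXPECTED_DIR) for d in dirnames]
        entries += [(f, "file", EXPECTED_FILE) for f in filenames]
        for name, kind, expected in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink modes are meaningless on Linux
            actual = _mode(path)
            if actual == expected:
                continue
            if actual & stat.S_IWOTH:
                verdict = "world-writable"
            elif actual & ~expected:
                verdict = "looser"
            else:
                verdict = "stricter"
            findings.append((os.path.relpath(path, root), kind, actual, verdict))
    return sorted(findings)


def demo():
    """Build a constructed mini WordPress tree with a few wrong modes and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        os.chmod(os.path.join(root, "wp-content"), 0o755)
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)   # too open
        for rel, mode in [("index.php", 0o644), ("wp-config.php", 0o600),
                          ("wp-content/uploads/x.php", 0o666)]:
            p = os.path.join(root, rel)
            open(p, "w").close()
            os.chmod(p, mode)
        return audit_tree(root)
```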
  12. How to Secure your WP Site basics
     • Remove the WordPress version from the header (in your theme's functions.php):
         // Remove the WP version generator meta tag
         remove_action('wp_head', 'wp_generator');
     • Use secret keys in wp-config.php, generated at https://api.wordpress.org/secret-key/1.1/salt/
     • Change the WP table prefix in wp-config.php (the prefix conventionally ends with an underscore):
         $table_prefix = 'yourtable_12';
  13. How to Secure your WP Site basics
     • Directories should not be left open for public browsing. In .htaccess:
         Options All -Indexes
     • Nobody should be allowed to search your entire server. Do not use this in your search form (PHP_SELF echoes part of the request URL into the page unescaped):
         <?php echo $_SERVER['PHP_SELF']; ?>
       Use this instead:
         <?php bloginfo('home'); ?>
  14. How to Secure your WP Site basics
     • Block the wp-* folders from being indexed by search engines. The best way is to add the following to your robots.txt file:
         Disallow: /wp-*
     • Prevent unnecessary info from being displayed. Add the following filter to functions.php so that a failed login does not reveal whether the username or the password was wrong:
         // create_function() no longer exists in PHP 8; a closure does the same job
         add_filter('login_errors', function () { return null; });
  15. How to Secure your WP Site basics
     • Protect WordPress admin: use .htaccess (in the wp-admin directory) and allow only specific IP addresses (find yours at http://whatismyip.com):
         AuthUserFile /dev/null
         AuthGroupFile /dev/null
         AuthName "Access Control"
         AuthType Basic
         <Limit GET>
         order deny,allow
         deny from all
         # IP addresses to whitelist
         allow from xxx.xxx.xxx.xxx
         allow from xxx.xxx.xxx.xxx
         </Limit>
       Note that <Limit GET> restricts only GET (and HEAD) requests; other methods such as POST are not covered unless you drop the <Limit> wrapper.
  16. How to Secure your WP Site basics
     • Restrict file access to wp-content. WordPress doesn't access the PHP files in the plugins and theme directories via HTTP; the only requests from web browsers are for images, JavaScript and CSS. In the .htaccess file in wp-content:
         Order Allow,Deny
         Deny from all
         <Files ~ "\.(css|jpe?g|png|gif|js)$">
         Allow from all
         </Files>
       Caveat: some plugins and themes do serve PHP (TimThumb-style scripts, AJAX handlers) or fonts from wp-content directly, so test the site after adding this and extend the allowed extensions as needed.
  17. How to Secure your WP Site basics
     • Protect from script injections and from any attempt to modify the PHP GLOBALS and _REQUEST variables through the query string. In the .htaccess file in wp-content:
         Options +FollowSymLinks
         RewriteEngine On
         RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
         RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
         RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
         RewriteRule ^(.*)$ index.php [F,L]
       These are pattern matches on the raw query string and only catch the obvious cases; treat them as defense in depth, not as a substitute for keeping core, themes and plugins updated.
  18. How to Secure your WP Site basics
     • Fight back against content scrapers: protect your site against hot-linking and content scrapers. Add the following to your .htaccess file:
         RewriteEngine On
         # Replace mysite.com/ with your blog URL
         RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite.com/ [NC]
         RewriteCond %{HTTP_REFERER} !^$
         # Replace /images/nohotlink.jpg with your "don't hotlink" image URL
         RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
  19. How to Secure your WP Site basics
     • Protect your wp-config.php file. During a server problem (for example when PHP stops being executed), wp-config.php might be served as plain text.
     • To make it secure, add the following to the .htaccess at the site root:
         <FilesMatch "^wp-config\.php$">
         deny from all
         </FilesMatch>
     • Back up your database and files. Schedule backups of your database and files; you can use the following plugins:
       • VaultPress
       • BackupBuddy
  20. WordPress Security Plugins (slides 20 to 24 are screenshots; slide 21 says to sign up at websitedefender.com)
  25. WordPress Security Basics: Thank you. For more, visit our site Catchinternet.com: http://catchinternet.com/blog/wordpress-security-tips/ and my personal blog Sakinshrestha.com: http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/ and http://sakinshrestha.com/wordpress/wordpress-security-tips/