Securing WordPress by Jeff Hoffman
Have you secured your WordPress blog against hackers who are out to use your site for illicit purposes? If not, you risk losing your content, your rankings, maybe even your business. Implement the tips in this presentation to confound anyone who tries to hack your site!
1. SECURING WORDPRESS
Presented by Jeff K. Hoffman, VP of R&D, MyLeadSystemPRO
http://facebook.com/jeff.k.hoffman

2. WHY DO HACKERS HACK?
• Easy SEO
• Malware distribution
• Entertainment & peer recognition

3. HOW DO HACKERS HACK?
• Bots: like the Google bot, but evil.
• Widely available, frequently updated.
• Viral spread

4. BEFORE YOU BEGIN
• Back up your site!
• Implement one tip and test, then another and test, etc.
• If it's over your head, just skip it (or hire help).

5. SECURE YOUR SERVER
• Your blog is only as secure as your web host.
• If a hacker gets into your hosting account (via FTP, SSH, etc.), they win before they even have to attack WordPress.
• Use strong passwords. (StrongPasswordGenerator.com)
• Ask your web host how best to secure your account.

6. PERMISSIONS
• In general...
  • Files should be 644.
  • Folders should be 755.
• /wp-content/uploads/ should be 775.
• /wp-content/themes/ should be 775 for the Theme Editor.
• 775 is group-writable: it is only needed where the web server runs as a different user that shares your group. Where PHP runs as your own account (suPHP, FastCGI), 755 is enough, and no WordPress directory ever needs 777.

7. PERMISSIONS
    find /path/to/wordpress/ -type f -exec chmod 644 {} \;
    find /path/to/wordpress/ -type d -exec chmod 755 {} \;
    # directories 775, files 664: chmod -R 775 would also mark every uploaded file executable
    find /path/to/wordpress/wp-content/uploads -type d -exec chmod 775 {} \;
    find /path/to/wordpress/wp-content/uploads -type f -exec chmod 664 {} \;
    find /path/to/wordpress/wp-content/themes -type d -exec chmod 775 {} \;
    find /path/to/wordpress/wp-content/themes -type f -exec chmod 664 {} \;
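As an added example (not from the slides): a POSIX shell script that applies the 644/755 baseline from slide 7, loosens only the directories WordPress has to write to, and then audits the tree for the two conditions that should never appear in a WordPress install, world-writable files and executable files. The function names, the placeholder paths and the constructed demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the permissions slides; not part of the original deck.
# Assumes POSIX sh, find, chmod and mktemp. WordPress paths are placeholders.
set -eu

# apply_wp_permissions ROOT [WRITABLE_DIR...]
# Files 644 and directories 755 everywhere, then 775 on the directories
# WordPress must write to (uploads, themes for the editor). Files inside
# those directories become 664, never executable: the permission bits must
# not help a PHP file that gets dropped into uploads.
apply_wp_permissions() {
  root=$1; shift
  find "$root" -type f -exec chmod 644 {} \;
  find "$root" -type d -exec chmod 755 {} \;
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type d -exec chmod 775 {} \;
    find "$dir" -type f -exec chmod 664 {} \;
  done
}

# audit_wp_permissions ROOT
# Lists world-writable files (-perm -002) and owner-executable files
# (-perm -100) and returns 1 if any exist.
audit_wp_permissions() {
  offenders=$(find "$1" -type f \( -perm -002 -o -perm -100 \) -print)
  if [ -n "$offenders" ]; then
    printf 'unsafe file permissions:\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# demo_permissions: builds a constructed WordPress-like tree with two
# deliberate mistakes (a 777 wp-config.php and an executable PHP file in
# uploads), confirms the audit fails, fixes the tree, confirms it passes.
# Returns 0 only if the fix made the audit pass.
demo_permissions() {
  tree=$(mktemp -d)
  mkdir -p "$tree/wp-content/uploads/2011" "$tree/wp-content/themes/twentyeleven"
  printf '<?php /* constructed */\n' > "$tree/wp-config.php"
  printf 'GIF89a<?php /* constructed */\n' > "$tree/wp-content/uploads/2011/evil.php"
  printf '/* constructed */\n' > "$tree/wp-content/themes/twentyeleven/style.css"
  chmod 777 "$tree/wp-config.php"
  chmod 755 "$tree/wp-content/uploads/2011/evil.php"

  if audit_wp_permissions "$tree" 2>/dev/null; then
    echo "audit should have failed on the broken tree" >&2
    rm -rf "$tree"
    return 1
  fi
  apply_wp_permissions "$tree" "$tree/wp-content/uploads" "$tree/wp-content/themes"
  status=0
  audit_wp_permissions "$tree" || status=1
  rm -rf "$tree"
  return $status
}

# Usage on a real site:
#   apply_wp_permissions /path/to/wordpress /path/to/wordpress/wp-content/uploads
#   audit_wp_permissions /path/to/wordpress
```

Run the audit again after every plugin or theme install: installers and FTP clients are the usual source of a stray 777.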
8. PERMISSIONS

9. DEFY CONVENTION
• Change the admin username.
• Never post as admin!
• Move wp-config.php (WordPress also looks for it one directory above the document root, outside the web-accessible tree).
• Change the database table prefix**
  • In wp-config.php
  • In your database (on an existing site, renaming the tables is not enough: the prefixed rows in the options and usermeta tables, such as wp_user_roles and wp_capabilities, must be renamed too)

10. USE SECRET KEYS
Edit wp-config.php...
    /**#@+
     * Authentication Unique Keys and Salts.
     *
     * Change these to different unique phrases!
     * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
     * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
     *
     * @since 2.6.0
     */
    define('AUTH_KEY',         'put your unique phrase here');
    define('SECURE_AUTH_KEY',  'put your unique phrase here');
    define('LOGGED_IN_KEY',    'put your unique phrase here');
    define('NONCE_KEY',        'put your unique phrase here');
    define('AUTH_SALT',        'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT',   'put your unique phrase here');
    define('NONCE_SALT',       'put your unique phrase here');
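As an added example (not from the slides): a POSIX shell script that generates the eight keys locally from /dev/urandom, an offline alternative to the api.wordpress.org service named on the slide, and that checks a wp-config.php for the two mistakes that defeat them, placeholders left in place and one value pasted into several keys. The hex encoding, the 64-character minimum and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example for the "Use secret keys" slide; not part of the original deck.
# Assumes POSIX sh with od, tr, sed, grep, cut, sort, awk and wc.
set -eu

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# wp_salt_value: 32 random bytes as 64 hex characters (256 bits of entropy),
# a character set that is safe inside a single-quoted PHP string.
wp_salt_value() {
  od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# generate_wp_salts: prints the eight define() lines, ready to paste over the
# placeholders in wp-config.php. Re-running it later logs every user out.
generate_wp_salts() {
  for name in $WP_KEY_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(wp_salt_value)"
  done
}

# check_wp_salts FILE
# Returns 1 if FILE still has the stock placeholder, lacks any of the eight
# keys, reuses a value between keys, or has a value shorter than 64 chars.
check_wp_salts() {
  file=$1
  if grep -q 'put your unique phrase here' "$file"; then
    echo "$file: placeholder salts still present" >&2
    return 1
  fi
  # pull "NAME VALUE" pairs out of define('NAME', 'VALUE'); lines and keep
  # only the eight key/salt names (cut is last so the pipeline status is 0)
  values=$(sed -n "s/^define( *'\([A-Z_]*\)', *'\([^']*\)' *);.*/\1 \2/p" "$file" |
    grep -E '^(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT) ' | cut -d' ' -f2)
  total=$(printf '%s\n' "$values" | sed '/^$/d' | wc -l | tr -d ' ')
  unique=$(printf '%s\n' "$values" | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
  short=$(printf '%s\n' "$values" | awk 'length($0) > 0 && length($0) < 64')
  if [ "$total" -ne 8 ]; then
    echo "$file: expected 8 keys, found $total" >&2
    return 1
  fi
  if [ "$unique" -ne 8 ]; then
    echo "$file: the same value is used for more than one key" >&2
    return 1
  fi
  if [ -n "$short" ]; then
    echo "$file: a key is shorter than 64 characters" >&2
    return 1
  fi
  return 0
}

# Usage:
#   generate_wp_salts            # paste the output into wp-config.php
#   check_wp_salts /path/to/wp-config.php
```

The check is worth running after any migration or restore, since a wp-config.php copied from a template is how the placeholder survives into production.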
11. CLEAN UP
• After WordPress is installed, delete /wp-admin/install.php
• Delete unused/inactive plugins & themes (an inactive plugin's PHP files are still reachable by URL, so they still get exploited)

12. UPDATE OFTEN
• Always use the latest version of...
  • WordPress
  • Theme
  • Plugins

13. MAKE DAILY BACKUPS
• BuyBackupBuddy.com ($75/year)
• VaultPress.com ($180/year)
• NOTE: Backups of a hacked site are ONLY useful for forensics! Keep enough history to restore from a copy taken before the compromise.

14. STRONG PASSWORD
• StrongPasswordGenerator.com
• 1Password

15. AVOID DETECTION
• Remove WordPress footprints
• Don't use the Meta sidebar widget
• http://wordpress.org/extend/plugins/secure-wordpress/

16. MINIMIZE PLUGINS
• Every plugin you install increases risk
• Popular, widely used plugins are less risky
• Example: TimThumb (the image-resizing script bundled into many themes; one flaw in it exposed every site that still carried a copy)

17. SECURE /WP-ADMIN*
• Password-protect the directory at the web server: http://www.cpanel.net/media/tutorials/passwdprotect.htm
• Then add the following to /wp-admin/.htaccess so that static files and admin-ajax.php, which themes and plugins load for ordinary visitors, are still served without a password:
    <FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
        Order Allow,Deny
        Allow from All
        Satisfy Any
    </FilesMatch>
    <Files admin-ajax.php>
        Order Allow,Deny
        Allow from All
        Satisfy Any
    </Files>

18. SECURE /WP-ADMIN
• SSL
• http://codex.wordpress.org/Administration_Over_SSL

19. SECURE /WP-INCLUDES*
• Add this to the root .htaccess, outside the # BEGIN WordPress / # END WordPress block:
    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
• The [S=3] rule skips the next three rules for any request outside wp-includes/; a direct request for a PHP file in wp-includes/ gets a 403 Forbidden. Multisite serves uploads through wp-includes/ms-files.php, so do not use this block unchanged on a network install.

20. BLOCK ATTACKS
• WordPress Firewall 2
• Login Lockdown

21. MONITORING
• Google Webmaster Tools
• WordPress File Monitor
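As an added example (not from the slides, and not the WordPress File Monitor plugin): a minimal file-integrity check in POSIX shell. It records a SHA-256 hash of every file after a clean install or update, then diffs a fresh scan against that baseline so that an edited core file, a PHP file dropped into uploads, or a deleted file shows up. The function names, the ADDED/REMOVED/MODIFIED report format and the constructed site tree in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the "Monitoring" slide; not part of the original deck.
# Assumes POSIX sh, find, awk, sort, mktemp and sha256sum (or shasum on
# BSD/macOS).
set -eu

# hash_file PATH: "<sha256>  <path>" using whichever tool the host has.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi
}

# wp_baseline ROOT: one hash line per file, paths relative to ROOT so the
# baseline survives a move. Store the output somewhere the web server user
# cannot write, or an attacker simply rewrites the baseline as well.
wp_baseline() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do hash_file "$f"; done )
}

# wp_compare BASELINE CURRENT
# Prints ADDED / REMOVED / MODIFIED lines and returns 1 if there are any,
# 0 if the tree is unchanged. Fields are split on the two spaces that
# sha256sum/shasum put between hash and path.
wp_compare() {
  changes=$(awk -F'  ' '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    { cur[$2] = $1 }
    END {
      for (f in cur)  if (!(f in base)) print "ADDED    " f
      for (f in base) if (!(f in cur))  print "REMOVED  " f
      for (f in cur)  if ((f in base) && base[f] != cur[f]) print "MODIFIED " f
    }' "$1" "$2" | LC_ALL=C sort)
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# demo_monitor: constructed site tree; snapshot it, then simulate what a
# compromise leaves behind (a core file edited, a PHP file dropped into
# uploads, readme.html deleted) and print the report. Returns 0 only if
# exactly those three changes were detected.
demo_monitor() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
  printf '<?php /* constructed */\n' > "$site/wp-config.php"
  printf '<?php /* constructed */\n' > "$site/wp-includes/functions.php"
  printf 'constructed readme\n' > "$site/readme.html"
  wp_baseline "$site" > "$site.baseline"

  printf '/* constructed: line appended by an attacker */\n' >> "$site/wp-config.php"
  printf '<?php /* constructed dropper */\n' > "$site/wp-content/uploads/evil.php"
  rm "$site/readme.html"
  wp_baseline "$site" > "$site.current"

  report=$(wp_compare "$site.baseline" "$site.current" || true)
  printf '%s\n' "$report"
  rm -rf "$site" "$site.baseline" "$site.current"
  expected=$(printf 'ADDED    ./wp-content/uploads/evil.php\nMODIFIED ./wp-config.php\nREMOVED  ./readme.html')
  if [ "$report" = "$expected" ]; then
    return 0
  else
    return 1
  fi
}

# Usage on a real site (re-baseline after every legitimate update):
#   wp_baseline /path/to/wordpress > ~/wp.baseline
#   wp_baseline /path/to/wordpress > /tmp/wp.now && wp_compare ~/wp.baseline /tmp/wp.now
```

Schedule the compare from cron and treat any MODIFIED core file or any ADDED .php under wp-content/uploads as an incident, not a curiosity.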
22. Q&A
• http://mlspfanclub.com