WordPress Security Best Practices


Published on

A comprehensive round up of all the best security methods you can use to keep your WordPress website secure from hackers.

Published in: Technology, Business
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

WordPress Security Best Practices

  1. 1. There is always a current threat The worst type of threats are those you don’t know about So be prepared! You need to understand your weaknesses You need to build a solid defence You need to have a plan of attack The Art of War - Sun Tzu ~512BC
  2. 2. Locked away in a deep dark basement No internet connection No user interaction = Pretty useless website = There is a balance to be had
  3. 3. Everything is Hackable Best we can do is make our site less attractive than others to hack into. Would you attempt to break into this car?
  4. 4. The most vulnerable part of your website is… YOU Read this book!
  5. 5. Not just WordPress cPanel, email, FTP, SSH, MySQL, WordPress Avoid typical “Administrator” usernames admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …
  6. 6. No personal information such as DoB e.g. bob1976  No footie clubs, car regos, pet or family names Use a random 16 (at least) character password UPPER, lower, digits, punctuation e.g. b9G#Z4YVemTN^X6S
  7. 7. Random character passwords = difficult for you to remember  = difficult for hackers to guess  Use a password service such as LastPass Local 256-bit encryption, SSL data transfer https://lastpass.com
  8. 8. Consider forcing users to have a strong password Force Strong Passwords plugin. http://wordpress.org/plugins/force-strong- passwords/ Coming soon to WordPress 3.7 or 3.8
  9. 9. Only allow one login per device. Restrict logins under same username on multiple devices (i.e. username/pass sharing) WordPress Bouncer plugin http://wordpress.org/plugins/wp-bouncer/
  10. 10. Understanding UNIX file permissions is key
  11. 11. In general… WordPress folders/directories = 755 WordPress files = 644 Some hosting companies may recommend you set /wp-content/uploads to 777 Move to another hosting company!
  12. 12. Probably your three most important sys files are: .htaccess = permalinks, etc php.ini = PHP settings wp-config.php = WordPress DB username & pass These should be locked down to CHMOD 444
  13. 13. Malware can be hidden in Themes, Plugins & other server scripts Sucuri detects and cleans malware on servers De-blacklists your server/site Notify by SMS, Email, Private Twitter etc http://sucuri.net/ USD $89.99 /site /year
  14. 14. Update WordPress Core, Themes and Plugins regularly = at least weekly ManageWP service good for multiple sites https://managewp.com
  15. 15. Automatic Updates are coming to WordPress soon (prob 3.7 or 3.8). Get it now = “Automatic Updater” plugin http://wordpress.org/plugins/automatic-updater/ Choose to update Core, Themes and/or plugins
  16. 16. Especially “free” themes and torrents Very common to “insert” links into footer areas Code can read your wp-config.php file and email/send it elsewhere = you’re screwed Don’t use themes or plugins from Torrent sites! Always try to download from original source Read: http://wpmu.org/why-you-should-never-search-for- free-wordpress-themes-in-google-or-anywhere-else/
  17. 17. Search through files for: Base64_decode edoced_46esaB and eval Decode at: http://www.base64decode.org/ Use Theme Authenticity Checker http://wordpress.org/plugins/tac/ Exploit Scanner http://wordpress.org/plugins/exploit-scanner/
  18. 18. Not all Base64_decode function calls are evil WordPress uses the function extensively throughout the core. Should be easy to decode and work out if good or bad in plugins or themes.
  19. 19. Popular image/thumbnail resizing script Bundled in many themes and plugins Responsible for many WordPress security breaches “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.” Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
  20. 20. Script was “fixed” of exploits however old versions still lurk out there. Search for TimThumb and check you are using the correct version. https://code.google.com/p/timthumb/ Version 2.8.11 as of this slide
  21. 21. The nature of TimThumb still makes it potentially very dangerous to have on your site. Consider alternative themes or plugins. Read this: http://www.limecanvas.com/timthumb-is-evil/
  22. 22. Won’t make your site “secure” from hacks Will encrypt the data transmitted between computer and server More on SSL certificates at http://www.symantec.com/en/au/ssl-certificates
  23. 23. If you have an SSL certificate.. Force all Dashboard and Logins to use HTTPS In wp-config.php define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true);
  24. 24. Gives additional level of security. WordFence plugin is recommended: http://www.wordfence.com/ Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans* *premium functions
  25. 25. Brute force attacks try to repeatedly guess username & password. Block IP address after X number of login attempts within a period. Limit Login Attempts plugin http://wordpress.org/plugins/limit-login-attempts/
  26. 26. Don’t give the hackers a helping hand Remove that info! Add this to functions.php add_filter(‘login_errors', '__return_null');
  27. 27. There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email http://wordpress.org/plugins/wponlinebackup/ Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/ Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/ Backup Buddy http://ithemes.com/purchase/backupbuddy/ VaultPress http://vaultpress.com/ Set your retention frequency. Can you restore from an issue that’s been happening for 2 months? Check your backup files – do a test restore!
  28. 28. Using another device to generate an authentication code e.g. Mobile phone app Verification code + login = 2 factor auth Google Authenticator http://wordpress.org/plugins/google-authenticator/
  29. 29. Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part. This is going to be the normal way of authenticating with systems in the not so distant future.
  30. 30. VoxedIn is a Smartphone app that lets you log in to your WordPress site using voice biometrics. http://wordpress.org/plugins/voxedin/
  31. 31. Move the wp-content folder to a new location. Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */ define ('WP_CONTENT_DIR','/full/path/to/your/content/dir'); define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url'); Warning: badly developed plugins & themes may have hard-codes wp-content location.
  32. 32. Use .htaccess to protect your wp-config.php file <files wp-config.php> order allow,deny deny from all </files> Nobody can access the wp-config.php file now except for the web server owner.
  33. 33. Use .htaccess to stop SQL Injection attacks Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L] Any requests or changes to global variables containing <script> gets blocked.
  34. 34. Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing Options –Indexes
  35. 35. Password protect wp-admin folder using cPanel and .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress- admin-wp-admin-directory/
  36. 36. Remove the WordPress dashboard Editor for themes and plugins Add to wp-config.php define('DISALLOW_FILE_EDIT', true);
  37. 37. Default MySQL DB table prefix is wp_ Change before installing new WordPress sites. Add to wp-config.php $table_prefix = ‘mynewprefix_'; Existing websites – use WP Security Scan http://wordpress.org/plugins/wp-security-scan/
  38. 38. Monitor who does what on your WordPress site. WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
  39. 39. Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] Now login to your site using: http://www.mywebsite.com/login
  40. 40. Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder'); define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR); Add to functions.php: add_filter(‘site_url', ‘lc_wpadmin_filter', 10, 3); function lc_wpadmin_filter( $url, $path, $orig_scheme ) { $old = array( "/(wp-admin)/"); $admin_dir = WP_ADMIN_DIR; $new = array($admin_dir); return preg_replace( $old, $new, $url, 1); }
  41. 41. Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L] Now login to your site using: http://www.mysite.com/secret-folder/
  42. 42. Known as DoS or DDoS (distributed) There is nothing YOU* can do to pre-emptively stop DoS attacks. Contact your host company *Unless you own your own data centre
  43. 43. • [4] activerain.com • [5] mybroadband.co.za • [6] wired.com • [12] www.zzee.com • [12] acm.uiuc.edu • [12] danielmiessler.com • [19] wordpress.org/plugins/tac/ • [21] www.promptwebhosting.com.au • [28] www.bestwpthemez.com • [30] blog.eternalvigilance.me • [31] www.mobyware.ru • [32] www.ibmsystemsmag.com • [33] disruptive.io • [37] www.gobalakrishnan.com • [38] www.trickytechs.com • [38] www.wpbeginner.com • [39] www.limecanvas.com • [45] www.computerworld.com