WordPress Security Best Practices

A comprehensive round up of all the best security methods you can use to keep your WordPress website secure from hackers.

Published in: Technology, Business

Transcript of "WordPress Security Best Practices"

  1. There is always a current threat.
     The worst type of threats are those you don’t know about, so be prepared!
     You need to understand your weaknesses, build a solid defence and have a plan of attack.
     The Art of War - Sun Tzu, ~512 BC
  2. Locked away in a deep dark basement, no internet connection, no user interaction
     = pretty useless website
     = there is a balance to be had
  3. Everything is hackable. The best we can do is make our site less attractive to hack into than others.
     Would you attempt to break into this car?
  4. The most vulnerable part of your website is… YOU. Read this book!
  5. Not just WordPress: cPanel, email, FTP, SSH, MySQL, WordPress.
     Avoid typical “Administrator” usernames: admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …
  6. No personal information such as DoB, e.g. bob1976.
     No footie clubs, car regos, pet or family names.
     Use a random 16 (at least) character password: UPPER, lower, digits, punctuation, e.g. b9G#Z4YVemTN^X6S
  7. Random character passwords = difficult for you to remember = difficult for hackers to guess.
     Use a password service such as LastPass: local 256-bit encryption, SSL data transfer. https://lastpass.com
  8. Consider forcing users to have a strong password: Force Strong Passwords plugin, http://wordpress.org/plugins/force-strong-passwords/
     Coming soon to WordPress 3.7 or 3.8.
  9. Only allow one login per device. Restrict logins under the same username on multiple devices (i.e. username/pass sharing):
     WordPress Bouncer plugin, http://wordpress.org/plugins/wp-bouncer/
  10. Understanding UNIX file permissions is key.
  11. In general… WordPress folders/directories = 755, WordPress files = 644.
      Some hosting companies may recommend you set /wp-content/uploads to 777. Move to another hosting company!
  12. Probably your three most important sys files are:
      .htaccess = permalinks, etc
      php.ini = PHP settings
      wp-config.php = WordPress DB username & pass
      These should be locked down to CHMOD 444.
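To check the 755 / 644 / 444 rules from slides 11 and 12 without reading through `ls -l` output by hand, here is an added POSIX shell audit script. It is not from the slides or any WordPress tool; it assumes a standard `find` (exact-mode `-perm` and `-perm -002` are portable), takes the site root as its argument, and also flags anything world-writable, which is the real problem with the 777 uploads advice.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the permission rules above.
# Directories should be 755, files 644, and .htaccess / php.ini / wp-config.php 444.
# Prints one line per mismatch and returns 0 only when the tree is clean.

wp_perm_audit() {
    root=$1
    bad=0

    # Directories that are not rwxr-xr-x
    find "$root" -type d ! -perm 755 -exec echo "DIR   not 755:" {} \;
    bad=$((bad + $(find "$root" -type d ! -perm 755 | wc -l)))

    # Ordinary files that are not rw-r--r-- (the three locked-down files are checked below)
    find "$root" -type f ! -perm 644 \
         ! -name .htaccess ! -name php.ini ! -name wp-config.php \
         -exec echo "FILE  not 644:" {} \;
    bad=$((bad + $(find "$root" -type f ! -perm 644 \
         ! -name .htaccess ! -name php.ini ! -name wp-config.php | wc -l)))

    # The three sensitive files should be read-only (r--r--r--)
    for name in .htaccess php.ini wp-config.php; do
        find "$root" -type f -name "$name" ! -perm 444 -exec echo "SYS   not 444:" {} \;
        bad=$((bad + $(find "$root" -type f -name "$name" ! -perm 444 | wc -l)))
    done

    # Anything writable by "other" is the red flag behind the 777 advice on slide 11
    find "$root" -perm -002 -exec echo "WORLD-WRITABLE:" {} \;
    bad=$((bad + $(find "$root" -perm -002 | wc -l)))

    [ "$bad" -eq 0 ]
}

# Usage: sh wp_perm_audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```

A world-writable uploads directory is reported twice (wrong mode and world-writable); the count is findings, not files, and the exit status is what a cron job should key on.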
  13. Malware can be hidden in themes, plugins & other server scripts.
      Sucuri detects and cleans malware on servers, de-blacklists your server/site and notifies by SMS, email, private Twitter etc.
      http://sucuri.net/ USD $89.99 /site /year
  14. Update WordPress core, themes and plugins regularly = at least weekly.
      ManageWP service good for multiple sites: https://managewp.com
  15. Automatic updates are coming to WordPress soon (prob 3.7 or 3.8).
      Get it now = “Automatic Updater” plugin, http://wordpress.org/plugins/automatic-updater/
      Choose to update core, themes and/or plugins.
  16. Especially “free” themes and torrents. Very common to “insert” links into footer areas.
      Code can read your wp-config.php file and email/send it elsewhere = you’re screwed.
      Don’t use themes or plugins from torrent sites! Always try to download from the original source.
      Read: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  17. Search through files for: base64_decode, edoced_46esaB and eval.
      Decode at: http://www.base64decode.org/
      Use Theme Authenticity Checker, http://wordpress.org/plugins/tac/ and Exploit Scanner, http://wordpress.org/plugins/exploit-scanner/
  18. Not all base64_decode function calls are evil; WordPress uses the function extensively throughout the core.
      Should be easy to decode and work out if good or bad in plugins or themes.
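The search from slide 17 and the "decode it and judge" step from slide 18 can be done in one pass. The shell script below is an added example, not from the slides or either plugin named above: it lists PHP files that combine `eval(` with `base64_decode(` (or its reversed spelling, the `strrev` trick) and prints what each inline base64 literal decodes to. Plain `base64_decode` calls without `eval` are left alone because, as slide 18 says, core uses them legitimately. It assumes GNU coreutils `base64 -d`; older BSD/macOS builds spell it `base64 -D`.

```shell
#!/bin/sh
# Added example: automate the slide 17 search and the slide 18 decode step.
# Lists PHP files under $1 that contain both eval( and base64_decode / edoced_46esab,
# then decodes each base64 literal passed to base64_decode(). Returns 1 if any found.

wp_scan_obfuscated() {
    dir=$1
    # For every PHP file: if it contains eval( , print its name when it also
    # contains base64_decode or the reversed spelling (case-insensitive).
    suspect=$(find "$dir" -type f -name '*.php' \
                -exec grep -qiE 'eval[[:space:]]*\(' {} \; \
                -exec grep -liE 'base64_decode|edoced_46esab' {} \; 2>/dev/null)
    [ -z "$suspect" ] && return 0
    echo "$suspect" | while IFS= read -r f; do
        echo "SUSPECT: $f"
        # Pull each quoted base64 literal out of base64_decode('...') and show the plaintext
        grep -oE "base64_decode\(['\"][A-Za-z0-9+/=]+['\"]\)" "$f" \
          | sed -E "s/^base64_decode\(['\"]//; s/['\"]\)$//" \
          | while IFS= read -r b64; do
                printf '  decodes to: %s\n' \
                    "$(printf '%s' "$b64" | base64 -d 2>/dev/null | tr -d '\n')"
            done
    done
    return 1
}

# Usage: sh wp_scan_obfuscated.sh wp-content/themes
if [ "$#" -gt 0 ]; then
    wp_scan_obfuscated "$1"
fi
```

Literals built from concatenation or passed through `gzinflate`/`str_rot13` first will show up as suspect files but will not decode here; the point is to surface the file, then read it.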
  19. Popular image/thumbnail resizing script, bundled in many themes and plugins, responsible for many WordPress security breaches.
      “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.”
      Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
  20. Script was “fixed” of exploits, however old versions still lurk out there.
      Search for TimThumb and check you are using the correct version. https://code.google.com/p/timthumb/
      Version 2.8.11 as of this slide.
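"Search for TimThumb and check the version" is worth scripting, because themes bundle the file under other names (thumb.php is common) so a name search misses copies. The script below is an added example, not from the slides or the TimThumb project: it finds files by content and compares the version define against the one you expect. It assumes the script carries its version as `define ('VERSION', 'x.y.z');`, which is how timthumb.php declares it; files mentioning TimThumb without that line are reported as unknown rather than skipped.

```shell
#!/bin/sh
# Added example: locate every TimThumb copy under a site root and report those
# older than the expected version (slide 20 gives 2.8.11 as current).

tt_version_lt() {
    # Return 0 if dotted version $1 is older than $2, else 1 (numeric per component)
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

tt_audit() {
    # $1 = site root, $2 = minimum acceptable version. Returns 0 if nothing is outdated.
    root=$1 expected=$2 bad=0
    while IFS= read -r f; do
        [ -z "$f" ] && continue
        # Extract x.y.z from  define ('VERSION', 'x.y.z');  (assumed layout, see lead-in)
        v=$(grep -oE "'VERSION'[[:space:]]*,[[:space:]]*'[0-9.]+'" "$f" \
              | grep -oE '[0-9][0-9.]*' | head -n 1)
        if [ -z "$v" ]; then
            echo "UNKNOWN  $f (no VERSION define)"; bad=$((bad + 1))
        elif tt_version_lt "$v" "$expected"; then
            echo "OUTDATED $f is $v, want $expected or newer"; bad=$((bad + 1))
        else
            echo "OK       $f is $v"
        fi
    done <<EOF
$(find "$root" -type f -name '*.php' -exec grep -li 'timthumb' {} + 2>/dev/null)
EOF
    [ "$bad" -eq 0 ]
}

# Usage: sh tt_audit.sh /path/to/wordpress 2.8.11
if [ "$#" -gt 1 ]; then
    tt_audit "$1" "$2"
fi
```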
  21. The nature of TimThumb still makes it potentially very dangerous to have on your site. Consider alternative themes or plugins.
      Read this: http://www.limecanvas.com/timthumb-is-evil/
  22. Won’t make your site “secure” from hacks. Will encrypt the data transmitted between computer and server.
      More on SSL certificates at http://www.symantec.com/en/au/ssl-certificates
  23. If you have an SSL certificate… Force all Dashboard and logins to use HTTPS. In wp-config.php:
      define('FORCE_SSL_ADMIN', true);
      define('FORCE_SSL_LOGIN', true);
  24. Gives an additional level of security. WordFence plugin is recommended: http://www.wordfence.com/
      Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*
      *premium functions
  25. Brute force attacks try to repeatedly guess username & password.
      Block IP address after X number of login attempts within a period.
      Limit Login Attempts plugin, http://wordpress.org/plugins/limit-login-attempts/
  26. Don’t give the hackers a helping hand. Remove that info! Add this to functions.php:
      add_filter('login_errors', '__return_null');
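The "X attempts within a period" rule from slide 25 is also visible from the web server side, which is useful when the plugin is not installed yet or you want to confirm it is doing its job. The script below is an added example, not from the slides or the Limit Login Attempts plugin: it counts POSTs to wp-login.php per client IP per minute in an Apache combined-format access log and lists the (ip, minute, count) triples at or above a threshold. The log lines in `wp_demo_log` are constructed for the demo and use documentation IP ranges.

```shell
#!/bin/sh
# Added example: spot login brute forcing in an Apache access log.
# Prints "ip day/Mon/year:HH:MM count" for every IP/minute with >= max POSTs to wp-login.php.

wp_login_bruteforce() {
    # $1 = access log, $2 = attempts per minute that count as abuse (default 5)
    awk -v max="${2:-5}" '
        # Combined log fields: $1 client IP, $4 [day/Mon/year:HH:MM:SS, $6 "POST (quote included), $7 path
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            minute = substr($4, 2, 17)          # strip "[" and the seconds: day/Mon/year:HH:MM
            n[$1 " " minute]++
        }
        END { for (k in n) if (n[k] >= max) print k, n[k] }
    ' "$1" | sort -k3 -nr
}

# Constructed sample: 203.0.113.7 hammers the login form six times in one minute,
# 198.51.100.2 logs in normally (one GET, two POSTs).
wp_demo_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2013:13:55:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:08 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:57:10 +1000] "GET /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:57:15 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:57:40 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh wp_login_bruteforce.sh /var/log/apache2/access.log 5
if [ "$#" -gt 0 ]; then
    wp_login_bruteforce "$1" "${2:-5}"
fi
```

A 200 on a POST to wp-login.php is the form being redisplayed, i.e. a failed login; the 302 is the redirect after a successful one, so the failed-only count can be tightened by also testing `$9 == 200`.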
  27. There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly).
      Back up to email: http://wordpress.org/plugins/wponlinebackup/
      Back up to Dropbox: http://wordpress.org/plugins/wordpress-backup-to-dropbox/
      Back up to Amazon S3: http://wordpress.org/plugins/xcloner-backup-and-restore/
      Backup Buddy: http://ithemes.com/purchase/backupbuddy/
      VaultPress: http://vaultpress.com/
      Set your retention frequency. Can you restore from an issue that’s been happening for 2 months?
      Check your backup files – do a test restore!
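Whichever plugin does the backing up, the two things slide 27 asks for, retention and a test restore, are easy to get wrong. The shell script below is an added example, not one of the listed plugins: it archives the site's files, restores the archive into a scratch directory and diffs it against the live tree, and prunes old archives down to a retention count. It leaves the database out; a `mysqldump` written into the site tree before the run would be picked up with the files.

```shell
#!/bin/sh
# Added example: file backup with a test restore and a retention limit.

wp_backup_files() {
    # $1 = site root, $2 = backup directory. Prints the path of the new archive.
    site=$1 dest=$2
    mkdir -p "$dest"
    out="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$(dirname "$site")" "$(basename "$site")" && echo "$out"
}

wp_backup_test_restore() {
    # Restore archive $1 into a scratch directory and compare it with live tree $2.
    # Returns 0 only if every file matches: the "do a test restore" step, automated.
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch" && diff -r "$scratch/$(basename "$2")" "$2" >/dev/null
    rc=$?
    rm -rf "$scratch"
    return "$rc"
}

wp_backup_prune() {
    # Retention: keep the newest $2 archives in $1 and delete the rest.
    ls -1t "$1"/site-*.tar.gz 2>/dev/null | tail -n +"$(( $2 + 1 ))" | while IFS= read -r old; do
        rm -f "$old"
    done
}

# Usage: sh wp_backup.sh /var/www/html /var/backups/wp 30
if [ "$#" -gt 2 ]; then
    arc=$(wp_backup_files "$1" "$2") || exit 1
    wp_backup_test_restore "$arc" "$1" || { echo "test restore FAILED for $arc" >&2; exit 1; }
    wp_backup_prune "$2" "$3"
fi
```

Run hourly with a retention of a few hundred, or daily with 60 or more, and the "issue that has been going on for two months" question on the slide has an answer.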
  28. Using another device to generate an authentication code, e.g. mobile phone app.
      Verification code + login = 2 factor auth. Google Authenticator, http://wordpress.org/plugins/google-authenticator/
  29. Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part.
      This is going to be the normal way of authenticating with systems in the not so distant future.
  30. VoxedIn is a smartphone app that lets you log in to your WordPress site using voice biometrics. http://wordpress.org/plugins/voxedin/
  31. Move the wp-content folder to a new location. Add the following into wp-config.php before the line /* That's all, stop editing! Happy blogging. */
      define('WP_CONTENT_DIR', '/full/path/to/your/content/dir');
      define('WP_CONTENT_URL', 'http://example.com/full/path/to/your/content/dirs/url');
      Warning: badly developed plugins & themes may have a hard-coded wp-content location.
  32. Use .htaccess to protect your wp-config.php file:
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
      Nobody can access the wp-config.php file now except for the web server owner.
  33. Use .htaccess to stop SQL injection attacks:
      Options +FollowSymLinks
      RewriteEngine On
      RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
      RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
      RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
      RewriteRule ^(.*)$ index.php [F,L]
      Any requests or changes to global variables containing <script> get blocked.
  34. Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing:
      Options -Indexes
  35. Password protect the wp-admin folder using cPanel and .htaccess + .htpasswd:
      http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
  36. Remove the WordPress dashboard editor for themes and plugins. Add to wp-config.php:
      define('DISALLOW_FILE_EDIT', true);
  37. Default MySQL DB table prefix is wp_. Change before installing new WordPress sites. Add to wp-config.php:
      $table_prefix = 'mynewprefix_';
      Existing websites – use WP Security Scan, http://wordpress.org/plugins/wp-security-scan/
  38. Monitor who does what on your WordPress site. WP Security Audit Log, http://wordpress.org/plugins/wp-security-audit-log/
  39. Using .htaccess:
      RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
      Now login to your site using: http://www.mywebsite.com/login
  40. Add to wp-config.php:
      define('WP_ADMIN_DIR', 'secret-folder');
      define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
      Add to functions.php:
      add_filter('site_url', 'lc_wpadmin_filter', 10, 3);
      function lc_wpadmin_filter( $url, $path, $orig_scheme ) {
          $old = array( "/(wp-admin)/" );
          $admin_dir = WP_ADMIN_DIR;
          $new = array( $admin_dir );
          return preg_replace( $old, $new, $url, 1 );
      }
  41. Add to .htaccess:
      RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
      Now login to your site using: http://www.mysite.com/secret-folder/
  42. Known as DoS or DDoS (distributed). There is nothing YOU* can do to pre-emptively stop DoS attacks. Contact your host company.
      *Unless you own your own data centre
  43. • [4] activerain.com
      • [5] mybroadband.co.za
      • [6] wired.com
      • [12] www.zzee.com
      • [12] acm.uiuc.edu
      • [12] danielmiessler.com
      • [19] wordpress.org/plugins/tac/
      • [21] www.promptwebhosting.com.au
      • [28] www.bestwpthemez.com
      • [30] blog.eternalvigilance.me
      • [31] www.mobyware.ru
      • [32] www.ibmsystemsmag.com
      • [33] disruptive.io
      • [37] www.gobalakrishnan.com
      • [38] www.trickytechs.com
      • [38] www.wpbeginner.com
      • [39] www.limecanvas.com
      • [45] www.computerworld.com