WordPress Security Best Practices
Upcoming SlideShare
Loading in...5
×
 

WordPress Security Best Practices

on

  • 3,931 views

A comprehensive round up of all the best security methods you can use to keep your WordPress website secure from hackers.

A comprehensive round up of all the best security methods you can use to keep your WordPress website secure from hackers.

Statistics

Views

Total Views
3,931
Views on SlideShare
3,267
Embed Views
664

Actions

Likes
7
Downloads
58
Comments
0

2 Embeds 664

http://www.limecanvas.com 661
http://translate.googleusercontent.com 3

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

WordPress Security Best Practices WordPress Security Best Practices Presentation Transcript

  • There is always a current threat The worst type of threats are those you don’t know about So be prepared! You need to understand your weaknesses You need to build a solid defence You need to have a plan of attack The Art of War - Sun Tzu ~512BC
  • Locked away in a deep dark basement No internet connection No user interaction = Pretty useless website = There is a balance to be had
  • Everything is Hackable Best we can do is make our site less attractive than others to hack into. Would you attempt to break into this car?
  • The most vulnerable part of your website is… YOU Read this book!
  • Not just WordPress cPanel, email, FTP, SSH, MySQL, WordPress Avoid typical “Administrator” usernames admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …
  • No personal information such as DoB e.g. bob1976  No footie clubs, car regos, pet or family names Use a random 16 (at least) character password UPPER, lower, digits, punctuation e.g. b9G#Z4YVemTN^X6S
  • Random character passwords = difficult for you to remember  = difficult for hackers to guess  Use a password service such as LastPass Local 256-bit encryption, SSL data transfer https://lastpass.com
  • Consider forcing users to have a strong password Force Strong Passwords plugin. http://wordpress.org/plugins/force-strong- passwords/ Coming soon to WordPress 3.7 or 3.8
  • Only allow one login per device. Restrict logins under same username on multiple devices (i.e. username/pass sharing) WordPress Bouncer plugin http://wordpress.org/plugins/wp-bouncer/
  • Understanding UNIX file permissions is key
  • In general… WordPress folders/directories = 755 WordPress files = 644 Some hosting companies may recommend you set /wp-content/uploads to 777 Move to another hosting company!
  • Probably your three most important sys files are: .htaccess = permalinks, etc php.ini = PHP settings wp-config.php = WordPress DB username & pass These should be locked down to CHMOD 444
  • Malware can be hidden in Themes, Plugins & other server scripts Sucuri detects and cleans malware on servers De-blacklists your server/site Notify by SMS, Email, Private Twitter etc http://sucuri.net/ USD $89.99 /site /year
  • Update WordPress Core, Themes and Plugins regularly = at least weekly ManageWP service good for multiple sites https://managewp.com
  • Automatic Updates are coming to WordPress soon (prob 3.7 or 3.8). Get it now = “Automatic Updater” plugin http://wordpress.org/plugins/automatic-updater/ Choose to update Core, Themes and/or plugins
  • Especially “free” themes and torrents Very common to “insert” links into footer areas Code can read your wp-config.php file and email/send it elsewhere = you’re screwed Don’t use themes or plugins from Torrent sites! Always try to download from original source Read: http://wpmu.org/why-you-should-never-search-for- free-wordpress-themes-in-google-or-anywhere-else/
  • Search through files for: Base64_decode edoced_46esaB and eval Decode at: http://www.base64decode.org/ Use Theme Authenticity Checker http://wordpress.org/plugins/tac/ Exploit Scanner http://wordpress.org/plugins/exploit-scanner/
  • Not all Base64_decode function calls are evil WordPress uses the function extensively throughout the core. Should be easy to decode and work out if good or bad in plugins or themes.
  • Popular image/thumbnail resizing script Bundled in many themes and plugins Responsible for many WordPress security breaches “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.” Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
  • Script was “fixed” of exploits however old versions still lurk out there. Search for TimThumb and check you are using the correct version. https://code.google.com/p/timthumb/ Version 2.8.11 as of this slide
  • The nature of TimThumb still makes it potentially very dangerous to have on your site. Consider alternative themes or plugins. Read this: http://www.limecanvas.com/timthumb-is-evil/
  • Won’t make your site “secure” from hacks Will encrypt the data transmitted between computer and server More on SSL certificates at http://www.symantec.com/en/au/ssl-certificates
  • If you have an SSL certificate.. Force all Dashboard and Logins to use HTTPS In wp-config.php define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true);
  • Gives additional level of security. WordFence plugin is recommended: http://www.wordfence.com/ Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans* *premium functions
  • Brute force attacks try to repeatedly guess username & password. Block IP address after X number of login attempts within a period. Limit Login Attempts plugin http://wordpress.org/plugins/limit-login-attempts/
  • Don’t give the hackers a helping hand Remove that info! Add this to functions.php add_filter(‘login_errors', '__return_null');
  • There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email http://wordpress.org/plugins/wponlinebackup/ Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/ Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/ Backup Buddy http://ithemes.com/purchase/backupbuddy/ VaultPress http://vaultpress.com/ Set your retention frequency. Can you restore from an issue that’s been happening for 2 months? Check your backup files – do a test restore!
  • Using another device to generate an authentication code e.g. Mobile phone app Verification code + login = 2 factor auth Google Authenticator http://wordpress.org/plugins/google-authenticator/
  • Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part. This is going to be the normal way of authenticating with systems in the not so distant future.
  • VoxedIn is a Smartphone app that lets you log in to your WordPress site using voice biometrics. http://wordpress.org/plugins/voxedin/
  • Move the wp-content folder to a new location. Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */ define ('WP_CONTENT_DIR','/full/path/to/your/content/dir'); define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url'); Warning: badly developed plugins & themes may have hard-codes wp-content location.
  • Use .htaccess to protect your wp-config.php file <files wp-config.php> order allow,deny deny from all </files> Nobody can access the wp-config.php file now except for the web server owner.
  • Use .htaccess to stop SQL Injection attacks Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L] Any requests or changes to global variables containing <script> gets blocked.
  • Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing Options –Indexes
  • Password protect wp-admin folder using cPanel and .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress- admin-wp-admin-directory/
  • Remove the WordPress dashboard Editor for themes and plugins Add to wp-config.php define('DISALLOW_FILE_EDIT', true);
  • Default MySQL DB table prefix is wp_ Change before installing new WordPress sites. Add to wp-config.php $table_prefix = ‘mynewprefix_'; Existing websites – use WP Security Scan http://wordpress.org/plugins/wp-security-scan/
  • Monitor who does what on your WordPress site. WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
  • Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] Now login to your site using: http://www.mywebsite.com/login
  • Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder'); define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR); Add to functions.php: add_filter(‘site_url', ‘lc_wpadmin_filter', 10, 3); function lc_wpadmin_filter( $url, $path, $orig_scheme ) { $old = array( "/(wp-admin)/"); $admin_dir = WP_ADMIN_DIR; $new = array($admin_dir); return preg_replace( $old, $new, $url, 1); }
  • Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L] Now login to your site using: http://www.mysite.com/secret-folder/
  • Known as DoS or DDoS (distributed) There is nothing YOU* can do to pre-emptively stop DoS attacks. Contact your host company *Unless you own your own data centre
  • • [4] activerain.com • [5] mybroadband.co.za • [6] wired.com • [12] www.zzee.com • [12] acm.uiuc.edu • [12] danielmiessler.com • [19] wordpress.org/plugins/tac/ • [21] www.promptwebhosting.com.au • [28] www.bestwpthemez.com • [30] blog.eternalvigilance.me • [31] www.mobyware.ru • [32] www.ibmsystemsmag.com • [33] disruptive.io • [37] www.gobalakrishnan.com • [38] www.trickytechs.com • [38] www.wpbeginner.com • [39] www.limecanvas.com • [45] www.computerworld.com