WordPress Hardening

Some ideas for making my WordPress harder to exploit, without plugins.
(last update: November 2012)

Usage Rights

CC Attribution License

    WordPress Hardening: Presentation Transcript

    • WORDCAMP BOLOGNA 2012
    • WORDPRESS HARDENING (V3)
    • About me: 37 years old, born in Turin (Italy), co-founder of mavida.com, WordPress lover. http://maurizio.mavida.com  https://twitter.com/miziomon  http://www.linkedin.com/in/mauriziopelizzone
    • Why do we need «hardening»?
    • Dangers
      1. Info collection
      2. Password brute force attack
      3. Exploit
      4. Human mistakes
      5. Server vulnerabilities
      6. Network vulnerabilities
      7. File permissions
    • Some solutions
    • Delete readme.html
    • Prevent user enumeration (?author=n)
      # .htaccess: redirect any request carrying an author= query parameter to the home page
      RewriteEngine On
      RewriteCond %{QUERY_STRING} (^|&)author=
      RewriteRule . http://%{SERVER_NAME}/? [L]
    • Hide wp_(login|admin|registration)
      1. Block access to login / admin
      2. Prepare a custom login URL
      3. Check key presence
    • Rewrite rules for the custom login URL (truncated on the slide)
      RewriteRule ^login /wp-login.php?key=12345g&
      RewriteCond %{HTTP_REFERER} !^wp-admin …
      RewriteCond %{QUERY_STRING} !^key=12345
      RewriteRule ^app/wp-login.php http://%{SERV…
      Full code here: https://gist.github.com/3003290
    • Deny PHP execution
      # .htaccess: deny everything, then allow only static file types and one named script
      Options All -Indexes
      Order Allow,Deny
      Deny from all
      <Files ~ "\.(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
        Allow from all
      </Files>
      <Files permitted-filename.php>
        Allow from all
      </Files>
    • Shrink the number of plugins
      1. Remove inactive plugins
      2. Remove useless plugins
      3. Remove dangerous plugins
      4. (Evaluate integrating the code instead)
    • DISALLOW PLUGIN INSTALL / UPDATE
      /** edit your wp-config.php */
      define( 'DISALLOW_FILE_EDIT', true );   // no theme/plugin editor in the admin UI
      define( 'DISALLOW_FILE_MODS', true );   // no plugin/theme install or update from the admin UI
    • Use a STRONG password
      Insecure password    Secure password
      giulia76             D7u8hI928FJYusx
      password             Z5BLl20T8by1524
      123456               TLv7p64P63V5Hr1
      qwerty               6b83668I15qRP2I
      matrix               Um2d4Ejd9T1ExPr
      http://strongpasswordgenerator.com/
    • CHANGE DIRECTORY STRUCTURE
    • Rename wp-content
      /** edit your wp-config.php */
      define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
      define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
    • Change the upload directory
    • Move the WordPress core
      /** edit your wp-config.php */
      define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core/' );
      define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );
      /** edit your index.php */
      define( 'WP_USE_THEMES', true );
      require( './wordpress-core/wp-blog-header.php' );
    • Structure example
    • CUSTOM STRUCTURE EXAMPLE #1
    • CUSTOM STRUCTURE EXAMPLE #2
    • Codex references
      • http://codex.wordpress.org/Hardening_WordPress
      • http://codex.wordpress.org/Administration_Over_SSL
      • http://codex.wordpress.org/Editing_wp-config.php
    • BLACKHOLE
    • BLACKHOLE: http://perishablepress.com/blackhole-bad-bots/
    • RULES FOR BLACKHOLE
      RewriteEngine On
      RewriteBase /
      RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
      RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]
    • BLACKHOLE PLUGIN
      <?php
      /*
      Plugin Name: blackhole
      Plugin URI: http://maurizio.mavida.com/
      Description: blackhole
      License: GPL
      Version: 0.1
      Author: Maurizio Pelizzone
      Author URI: http://maurizio.mavida.com
      */
      // Load the blackhole check on every front-end request, never in the admin area
      if ( ! is_admin() ) {
          include( $_SERVER['DOCUMENT_ROOT'] . '/blackhole/blackhole.php' );
      }
    • FILE MONITOR
    • AVOID FTP
    • ?
    • Thank you. Maurizio Pelizzone, @miziomon, maurizio@mavida.com, http://maurizio.mavida.com
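The "Dangers" slides list info collection and password brute force, and the ?author=n rewrite rule blocks one enumeration vector at the web server. As an added example that is not part of the talk, this Python script scans Apache combined-format access log lines (constructed here, with documentation-range addresses) for those two patterns, so you can see from the logs whether they are being tried against your site; the thresholds are assumptions to tune to your own traffic.

```python
import re
from collections import defaultdict

# Apache combined/common log format: client IP, request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
AUTHOR_RE = re.compile(r'(?:^|[?&])author=(\d+)')

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2012:10:00:01 +0100] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Nov/2012:10:00:02 +0100] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Nov/2012:10:00:03 +0100] "GET /?author=3 HTTP/1.1" 301 0
198.51.100.7 - - [10/Nov/2012:10:01:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [10/Nov/2012:10:01:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [10/Nov/2012:10:01:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [10/Nov/2012:10:01:03 +0100] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Nov/2012:10:02:00 +0100] "GET /2012/11/hello-world/ HTTP/1.1" 200 8840
"""

def scan_log(lines, enum_threshold=3, login_threshold=3):
    """Return {ip: [reasons]} for clients crossing a threshold (thresholds are
    assumptions; tune to your traffic). A wp-login.php POST answered with 302 is
    a successful login (WordPress redirects); any other status re-rendered the
    form, i.e. a failed attempt.
    """
    author_ids = defaultdict(set)
    failed_logins = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined/common format line
        ip, method, path, status = m.group('ip', 'method', 'path', 'status')
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(a.group(1))
        if method == 'POST' and path.startswith('/wp-login.php') and status != '302':
            failed_logins[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            findings[ip].append(f'user enumeration: {len(ids)} author ids probed')
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append(f'login brute force: {n} failed wp-login.php POSTs')
    return dict(findings)
```

Run `scan_log(SAMPLE_LOG.splitlines())` to get the findings; feed it `open('/var/log/apache2/access.log')` to scan a real log.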
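The FILE MONITOR slide has no transcript text. As an added example, and not the author's own tool, here is a minimal Python file monitor: it hashes every file under the WordPress root, skipping the directories named in the assumed SKIP_DIRS set, and reports what was added, modified or removed since a baseline snapshot; demo() builds a constructed temporary tree to exercise it.

```python
import hashlib
import os
import tempfile

# Directories that change legitimately and would only add noise (assumption:
# adjust to your layout, e.g. a renamed wp-content/public as in the slides).
SKIP_DIRS = {'cache', 'upgrade', 'uploads'}

def snapshot(root):
    """Map relative path (with '/' separators) -> sha256 hex digest of each file.

    Run it once after a clean install or update and keep the result outside
    the web root; later runs are compared against that baseline.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune walk
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            with open(full, 'rb') as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result

def compare(baseline, current):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def _write(path, data, mode='w'):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed mini WordPress tree: baseline it, tamper with it, report."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, 'index.php'), '<?php require("./wp-blog-header.php");\n')
    _write(os.path.join(root, 'wp-includes', 'a.php'), '<?php // a\n')
    baseline = snapshot(root)
    _write(os.path.join(root, 'index.php'), '// injected line\n', mode='a')  # modified
    _write(os.path.join(root, 'wp-includes', 'b.php'), '<?php // b\n')       # added
    os.remove(os.path.join(root, 'wp-includes', 'a.php'))                    # removed
    _write(os.path.join(root, 'uploads', 'photo.jpg'), '...')                # ignored
    return compare(baseline, snapshot(root))

if __name__ == '__main__':
    print(demo())  # (['wp-includes/b.php'], ['index.php'], ['wp-includes/a.php'])
```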