WordPress Security
Few Simple Steps
@ Null Meet, 16th Oct 2010, Pune
Gaurav Pant
http://www.gauravpant.com
gauravggs@gmail.com
Agenda
● What is WordPress
● Installation
● Few basic steps for security
● Social aspects
WordPress
● weBlog Engine
● Written in PHP (mostly)
● Used for websites
● Approx. 80% of weblogs run on WordPress
● 20% on version 2.x
● 15% on version 3.x
● Ver 1.x: Jan 3 2004 -- Dec 2005
● Ver 2.x: Dec 31 2005 – June 2009
● Ver 3.x: June 17 2010 – and updating
WP installation
● Is simple
● Needs a web server with Apache, MySQL and PHP
● Download WP from wordpress.org
● Create/request a DB user and password
● Unpack into the server's document root
● Edit/create wp-config.php
● Open the site in a browser and follow the installer's instructions
● Demo
Basic Security Steps
● FIX your table prefix
– Change the table prefix (this can generally be done during install)
– Or edit wp-config.php and set the prefix there
– The default prefix is wp_ (tables become wp_<table>)
– Keeping the default lets off-the-shelf SQL injection payloads, which assume wp_ table names, work unmodified (changing it raises the bar; it does not fix the injectable code itself)
Basic Security Steps...
● Securing the directories and files
– WordPress root / perms: writable by your user account only
– .htaccess writable by WordPress (the web server user) only if automatic update is required
– Other sub-dirs writable only by your user account
– /wp-content/ sub-dir perms will vary according to plugins and themes
– Uploaded images dir
● needs to be WP-writable for automatic uploads
● DO MANUAL UPLOADS: inconvenient but safe
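The permission scheme above, as an added example that is not part of the slides: a POSIX shell script that applies it to a WordPress tree and then audits the result. It assumes the web server runs under the site owner's group (so "WP-writable" is modelled as the group-write bit) and builds a throwaway sample tree in a temp directory, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the slides): apply the permission scheme the deck
# describes to a WordPress tree and audit the result.
# Assumption: the web server runs under the *group* of the site owner, so
# "WP-writable" is modelled as the group-write bit (adapt to your hosting).

# wp_make_sample_tree: constructed miniature install in a temp dir, left in a
# deliberately bad state (everything 777) so the audit has something to find.
wp_make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/plugins" "$d/wp-content/uploads"
  printf '<?php $table_prefix = "wp_";\n' > "$d/wp-config.php"
  printf 'Options -Indexes\n' > "$d/.htaccess"
  printf '<?php // sample plugin file\n' > "$d/wp-content/plugins/hello.php"
  chmod -R 777 "$d"
  echo "$d"
}

# wp_apply_perms WP_ROOT
# Directories 755 and files 644 (owner writes, everyone else reads),
# wp-config.php 600 (owner only: it holds the DB password and the salts),
# wp-content/uploads 775 so the web server can store uploads.
wp_apply_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
  if [ -d "$root/wp-content/uploads" ]; then chmod 775 "$root/wp-content/uploads"; fi
}

# wp_audit_perms WP_ROOT
# Prints one finding per line and returns 1 if anything is wrong, 0 if clean.
wp_audit_perms() {
  root="$1"
  # Anything writable by "other" lets any local account on the host alter the site.
  ww=$(find "$root" -perm -002 -print | sed 's/^/world-writable: /')
  # wp-config.php readable by group or other leaks the DB credentials and salts.
  cfg=$(find "$root" -name wp-config.php \( -perm -040 -o -perm -004 \) -print \
        | sed 's/^/wp-config.php readable by group or other: /')
  # The uploads directory must stay writable for the web server (group bit here).
  up=""
  if [ -d "$root/wp-content/uploads" ]; then
    up=$(find "$root/wp-content/uploads" -prune ! -perm -020 -print \
         | sed 's/^/uploads dir not writable by web server: /')
  fi
  findings=$(printf '%s\n%s\n%s\n' "$ww" "$cfg" "$up" | sed '/^$/d')
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Demo: audit the bad tree, harden it, audit again, clean up.
wp_demo() {
  d=$(wp_make_sample_tree)
  echo "== before hardening =="
  wp_audit_perms "$d" || true
  wp_apply_perms "$d"
  echo "== after hardening =="
  wp_audit_perms "$d" && echo "clean"
  rm -rf "$d"
}
wp_demo
```

Point wp_apply_perms and wp_audit_perms at a real install root to use them outside the demo; the audit is read-only.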
Basic Security Steps...
● Renaming the 'admin' account:
● Run the query (substitute your real table prefix):
– UPDATE TablePrefix_users SET user_login='newusername' WHERE user_login='admin';
● Do all this before you start posting
● Do not write posts as admin
● Create a separate, non-admin user to create/write posts/pages
Basic Security Steps...
● Securing the /wp-admin/ area
● Move your WordPress installation to a different directory
● Standard location:
– www.site.com/wp-admin/
● Move or install WordPress in a sub-directory:
– www.site.com/mysecretinstall/wp-admin
● Users will still reach your site at
– www.site.com
Basic Security Steps...
● Version info can be dangerous
● Disable version info
● Also remove it from the generator meta tag in the page's HTML
● Edit functions.php and add:
– remove_action('wp_head', 'wp_generator');
Basic Security Steps...
● Disable directory index view
● Simple way:
– just add a blank index.html to every directory which does not have an index file
● Or add/modify the .htaccess line
– Options Indexes
– TO
– Options -Indexes
Basic Security Steps...
● Moving WordPress:
● Edit the WordPress URL from the WordPress panel
● Copy index.php and .htaccess to the root or new location
● Edit index.php and change the following line
– require('./wp-blog-header.php');
– TO
– require('./secretloc/wp-blog-header.php');
● New login location will be
– http://yoursite/secretloc/wp-admin/
Basic Security Steps...
● Hardening /wp-admin/ with .htaccess
● Create a .htaccess in the wp-admin dir containing:
● AuthUserFile /home/dexter/.htpasswd
● AuthName "Verify yourself"
● AuthType Basic
● Require valid-user
● Create the .htpasswd
– /home/dexter/.htpasswd
– # htpasswd -b /home/dexter/.htpasswd dede dede123
– (-b takes the password on the command line, so it lands in shell history; drop -b to be prompted for it instead)
Basic Security Steps...
● USE SSL for admin/logins
● Can be added to wp-config.php:
● define('FORCE_SSL_LOGIN', true);
● define('FORCE_SSL_ADMIN', true);
● Add salts to wp-config.php for better cookie security (the values below are short illustrations; use long random strings)
● define('AUTH_KEY', 'kie938rjmd903kdmr904');
● define('SECURE_AUTH_KEY', '9485ekdfmsk4398');
● define('LOGGED_IN_KEY', '9i7j6k[9md38');
● define('NONCE_KEY', 'kdkflow932034');
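An added check, not from the slides, covering this slide and the table-prefix slide earlier: a POSIX shell audit of wp-config.php that flags the default wp_ prefix, placeholder or short keys/salts (all eight that current WordPress reads, not only the four shown above) and a missing FORCE_SSL_ADMIN. The two sample configs are constructed; the weak one reuses the deck's own short example values, and the hardened one uses labelled filler strings where a real install pastes the output of https://api.wordpress.org/secret-key/1.1/salt/.

```shell
#!/bin/sh
# Added example (not from the slides): audit a wp-config.php for the settings the
# deck hardens: a non-default table prefix, real keys/salts and FORCE_SSL_ADMIN.
# Read-only; prints one finding per line and returns 1 if any finding exists.
# Note: FORCE_SSL_LOGIN was removed in WordPress 4.0; FORCE_SSL_ADMIN covers login too.

q="'\""   # the two PHP quote characters, used as a bracket-expression body in sed

# wp_config_value FILE NAME -> prints the string assigned by define('NAME', '...')
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*[$q]$2[$q][[:space:]]*,[[:space:]]*[$q]\([^$q]*\)[$q][[:space:]]*)[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# wp_config_audit FILE
wp_config_audit() {
  cfg="$1"
  rc=0
  # 1. Table prefix: wp_ is what generic injection payloads assume; unset means default.
  prefix=$(sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*[$q]\([^$q]*\)[$q].*/\1/p" "$cfg" | head -n 1)
  if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
    echo "table prefix is the default: '${prefix:-wp_}'"; rc=1
  fi
  # 2. The eight keys/salts current WordPress reads (the deck shows the first four):
  #    reject the wp-config-sample.php placeholder and anything under 32 characters.
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    v=$(wp_config_value "$cfg" "$k")
    case "$v" in
      ''|*'put your unique phrase here'*) echo "$k missing or placeholder"; rc=1 ;;
      *) if [ "${#v}" -lt 32 ]; then echo "$k too short (${#v} chars)"; rc=1; fi ;;
    esac
  done
  # 3. TLS for the dashboard and login: FORCE_SSL_ADMIN must be defined true.
  if ! grep -Eq "^[[:space:]]*define\([[:space:]]*[$q]FORCE_SSL_ADMIN[$q][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
    echo "FORCE_SSL_ADMIN is not set to true"; rc=1
  fi
  return $rc
}

# Constructed sample configs. The weak one reuses the deck's own short example
# values (not real secrets); the hardened one uses obviously labelled filler where
# a real install pastes the output of api.wordpress.org/secret-key/1.1/salt/.
wp_sample_weak() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  '9485ekdfmsk4398');
define('LOGGED_IN_KEY',    '9i7j6k[9md38');
define('NONCE_KEY',        'kdkflow932034');
EOF
  echo "$f"
}

wp_sample_hardened() {
  f=$(mktemp)
  {
    printf '<?php\n$table_prefix = %s;\n' "'x9q_'"
    printf "define('FORCE_SSL_ADMIN', true);\n"
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
      printf "define('%s', 'EXAMPLE-ONLY-%s-0123456789abcdefghijklmnopqrstuv');\n" "$k" "$k"
    done
  } > "$f"
  echo "$f"
}

# Demo: audit both samples and report.
wp_demo() {
  for f in "$(wp_sample_weak)" "$(wp_sample_hardened)"; do
    echo "== $f =="
    if wp_config_audit "$f"; then echo "no findings"; fi
    rm -f "$f"
  done
}
wp_demo
```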
Basic Security Steps.
● Very BASIC but important:
● Don't be lazy:
– Update WP to the latest version
– Change passwords REGULARLY
– Don't ignore the LOGS: read them
– USE a passphrase, not just a word
– Back up the database regularly
– Report bugs
– Use security plugins like:
● Lockdown, WP Security Scan, Captcha, Secure WordPress, etc.
BLOGS...
● If it's on the blog, it's no longer personal
● If you put it on the blog, have good enough material to defend it
● Do not copy-paste: check copyrights
● Acknowledge/quote material used from other places
● Be original
● Be safe
Thanks!
Questions?
