WordPress Security by Gaurav Pant @ null Pune Meet, October, 2010

WordPress Security

1. WordPress Security: Few Simple Steps
@ Null Meet, 16th Oct 2010, Pune
Gaurav Pant
http://www.gauravpant.com
gauravggs@gmail.com
2. Agenda
● What is WordPress
● Installation
● Few basic steps for security
● Social aspects
3. WordPress
● weBlog engine
● Written in PHP (mostly)
● Used for websites
● Approx 80% of weblogs run on WordPress
● 20% on version 2.x
● 15% on version 3.x
● Ver 1.x: Jan 3 2004 – Dec 2005
● Ver 2.x: Dec 31 2005 – June 2009
● Ver 3.x: June 17 2010 – and updating
4. WP installation
● Is simple
● Need a web server with Apache, MySQL and PHP
● Download WP from wordpress.org
● Create/request a DB user and password
● Unpack to the document root of the server
● Edit/create wp-config.php
● Go to the web page and follow the instructions
● Demo
5. Basic Security Steps
● Fix your table prefix
  – Change the table prefix (this can generally be done during install)
  – Edit your wp-config.php for the prefix
  – The default prefix is wp_ (tables are named wp_users, wp_posts, ...)
  – With the default prefix, standard SQL injection payloads already know your table names
6. Basic Security Steps...
● Securing the directories and files
  – WordPress root / perms: writable by the user account
  – .htaccess writable by WordPress if automatic update is required
  – Other sub-dirs to be writable only by the user account
  – /wp-content/ sub-dir perms will vary according to plugins and themes
  – Uploaded images dir:
    ● needs to be WP-writable for automatic uploads
    ● DO MANUAL UPLOADS: uncomfortable but safe
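The permission rules on this slide, turned into an audit-and-fix script. This is an added example, not code from the slides or from WordPress itself. The concrete mode policy it enforces is an assumption that makes the slide's rule ("writable by the user account, WP-writable only where uploads land") testable: 0755 directories, 0644 files, 0640 for wp-config.php, group-writable wp-content/uploads, and nothing world-writable anywhere. The miniature install it builds is constructed, with three deliberate mistakes for the audit to catch.

```python
#!/usr/bin/env python3
"""Audit (and optionally fix) file modes under a WordPress document root.

Added example, not from the slides. The mode policy is an assumption:
  directories 0755, files 0644, wp-config.php 0640,
  wp-content/uploads (and everything under it) group-writable so the web
  server's group can write automatic uploads, nothing world-writable.
"""
import os
import stat
import tempfile


def expected_mode(rel: str, is_dir: bool) -> int:
    """Policy mode for a path given relative to the WordPress root."""
    rel = rel.replace(os.sep, "/")
    if rel == "wp-config.php":          # holds DB credentials and the auth keys
        return 0o640
    in_uploads = rel == "wp-content/uploads" or rel.startswith("wp-content/uploads/")
    if is_dir:
        return 0o775 if in_uploads else 0o755
    return 0o664 if in_uploads else 0o644


def check_mode(rel: str, mode: int, is_dir: bool) -> list:
    """Return at most one finding for a path; `mode` is the permission bits only."""
    policy = expected_mode(rel, is_dir)
    if mode & stat.S_IWOTH:             # worst case: any local account can write
        return [f"{rel}: world-writable ({mode:04o})"]
    if mode & ~policy:                  # any bit set beyond what the policy allows
        return [f"{rel}: {mode:04o} exceeds policy {policy:04o}"]
    return []                           # stricter than policy is fine


def walk_paths(root: str):
    """Yield (relative path, mode bits, is_dir) for everything below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), stat.S_IMODE(os.lstat(full).st_mode), is_dir


def audit_tree(root: str) -> list:
    """List every path whose mode is looser than the policy (sorted, one line each)."""
    findings = []
    for rel, mode, is_dir in walk_paths(root):
        findings.extend(check_mode(rel, mode, is_dir))
    return sorted(findings)


def apply_policy(root: str) -> int:
    """chmod everything below root to its policy mode; returns the number of paths changed."""
    changed = 0
    for rel, mode, is_dir in walk_paths(root):
        want = expected_mode(rel, is_dir)
        if mode != want:
            os.chmod(os.path.join(root, rel), want)
            changed += 1
    return changed


def build_demo_tree() -> str:
    """Constructed miniature install with three deliberate mistakes (not a real site)."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    dirs = {
        "wp-admin": 0o755,
        "wp-content/themes": 0o755,
        "wp-content/uploads": 0o775,
        "wp-content/plugins": 0o777,     # mistake: world-writable
    }
    files = {
        "index.php": 0o644,
        "wp-login.php": 0o664,           # mistake: group-writable outside uploads
        "wp-config.php": 0o666,          # mistake: readable and writable by everyone
        "wp-content/uploads/photo.png": 0o664,
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
    # chmod last so the process umask does not interfere with the intended modes
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for line in audit_tree(demo):
        print("FINDING", line)
    print("fixed", apply_policy(demo), "paths; remaining findings:", audit_tree(demo))
```

Run it against a real document root with `audit_tree("/var/www/html")` first and look at the output before calling `apply_policy`; the policy deliberately lets stricter modes pass, so a locked-down site produces no findings, while a world-writable plugins directory or a world-readable wp-config.php shows up immediately.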
7. Basic Security Steps...
● Renaming the 'admin' account:
● Run the query:
  – update TablePrefix_users set user_login='newusername' where user_login='admin';
● Do all this before you start posting
● Do not write posts as admin
● Create a generic user to create/write posts/pages
8. Basic Security Steps...
● Securing the /wp-admin/ area
● Move your WordPress installation to a different dir
● Standard location:
  – www.site.com/wp-admin/
● Move or install WordPress in a subdir
  – www.site.com/mysecretinstall/wp-admin
● Users will still get your site from
  – www.site.com
9. Basic Security Steps...
● Version info can be dangerous
● Disable version info
● Also from the code meta tags
● Edit functions.php and add:
  – remove_action('wp_head', 'wp_generator');
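A way to verify this step from the outside, as an added example that is not part of the slides. The slide's remove_action() strips the <meta name="generator"> tag from the HTML head, but the core version also shows up as the ?ver= parameter WordPress appends to enqueued script and stylesheet URLs and as the <generator> element of the RSS/Atom feeds (the latter is silenced with the the_generator filter). The checker below scans fetched page or feed text for all three; the sample documents are constructed, not captured from a real site, and the host name blog.example is a placeholder.

```python
#!/usr/bin/env python3
"""Detect WordPress version disclosure in fetched HTML or feed text.

Added example, not from the slides. Three leak channels are checked:
  1. <meta name="generator" content="WordPress x.y.z">   (wp_head)
  2. ?ver=x.y.z on enqueued script/style URLs
  3. <generator>http://wordpress.org/?v=x.y.z</generator> in feeds
"""
import re

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
GEN_NAME_RE = re.compile(r"""name\s*=\s*["']?generator""", re.I)
GEN_CONTENT_RE = re.compile(r"""content\s*=\s*["']\s*WordPress\s*([\d.]*)""", re.I)
ASSET_VER_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']*[?&]ver=([^"'&]+))""", re.I)
FEED_GEN_RE = re.compile(r"<generator>[^<]*wordpress\.org/\?v=([\d.]+)", re.I)


def find_version_leaks(doc: str) -> list:
    """Return (where, version) pairs for every version string found in `doc`."""
    leaks = []
    for tag in META_TAG_RE.findall(doc):
        if GEN_NAME_RE.search(tag):
            m = GEN_CONTENT_RE.search(tag)
            if m:
                leaks.append(("meta-generator", m.group(1) or "unknown"))
    for url, ver in ASSET_VER_RE.findall(doc):
        asset = url.split("?", 1)[0].rsplit("/", 1)[-1]   # report the file name only
        leaks.append((f"asset-ver:{asset}", ver))
    for ver in FEED_GEN_RE.findall(doc):
        leaks.append(("feed-generator", ver))
    return leaks


def disclosed_core_versions(doc: str) -> set:
    """Versions attributable to WordPress core itself (meta tag and feed generator).

    Asset ?ver= values are reported separately because plugins and themes may
    set their own version string there rather than the core version."""
    return {v for where, v in find_version_leaks(doc) if not where.startswith("asset-ver")}


# Constructed sample: what an unhardened 3.0-era front page head looked like.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 3.0.1" />
<link rel='stylesheet' href='http://blog.example/wp-content/themes/twentyten/style.css?ver=3.0.1' type='text/css' />
<script type='text/javascript' src='http://blog.example/wp-includes/js/jquery/jquery.js?ver=1.4.2'></script>
</head><body></body></html>"""

# Constructed sample: the same head after remove_action('wp_head', 'wp_generator')
# and with the asset version parameters removed.
HARDENED_HTML = """<html><head>
<link rel='stylesheet' href='http://blog.example/wp-content/themes/twentyten/style.css' type='text/css' />
<script type='text/javascript' src='http://blog.example/wp-includes/js/jquery/jquery.js'></script>
</head><body></body></html>"""

# Constructed sample: feed output, which remove_action on wp_head does not touch.
LEAKY_FEED = """<rss version="2.0"><channel><title>Blog</title>
<generator>http://wordpress.org/?v=3.0.1</generator></channel></rss>"""


if __name__ == "__main__":
    for name, doc in (("front page", LEAKY_HTML), ("hardened", HARDENED_HTML), ("feed", LEAKY_FEED)):
        print(name, "->", find_version_leaks(doc) or "no version disclosed")
```

To use it on a live site, fetch the front page and the feed URL with any HTTP client and pass the response bodies to find_version_leaks; an empty list for both means the generator tag, the asset version parameters and the feed generator are all gone.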
10. Basic Security Steps...
● Disable directory index view
● Simple way:
  – just add a blank index.html to all directories (which do not have any index)
● Or add/modify the .htaccess line
  – Options Indexes
  – TO
  – Options -Indexes
11. Basic Security Steps...
● Moving WordPress:
● Edit the WordPress URL from the WordPress panel
● Copy index.php and .htaccess to the root or new location
● Edit index.php and change the following line
  – require('./wp-blog-header.php');
  – TO
  – require('./secretloc/wp-blog-header.php');
● New login location will be
  – http://yoursite/secretloc/wp-admin/
12. Basic Security Steps...
● Hardening /wp-admin/ with .htaccess
● Create a .htaccess in the wp-admin dir:
  – AuthUserFile /home/dexter/.htpasswd
  – AuthName "Verify yourself"
  – AuthType Basic
  – require valid-user
● Create a .htpasswd
  – /home/dexter/.htpasswd
  – # htpasswd -b /home/dexter/.htpasswd dede dede123
13. Basic Security Steps...
● USE SSL for admin/logins
● Can be added to wp-config.php:
  – define('FORCE_SSL_LOGIN', true);
  – define('FORCE_SSL_ADMIN', true);
● Add salt (unique keys) to wp-config.php for better cookie security:
  – define('AUTH_KEY', 'kie938rjmd903kdmr904');
  – define('SECURE_AUTH_KEY', '9485ekdfmsk43 98');
  – define('LOGGED_IN_KEY', '9i7j6k[9md38');
  – define('NONCE_KEY', 'kdkflow932034');
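An audit of the wp-config.php settings from slide 5 (table prefix) and this slide (SSL constants and keys), as an added example that is not code from the slides or from WordPress. It parses the $table_prefix assignment and the define() lines and flags the default wp_ prefix, FORCE_SSL_ADMIN not enabled, and keys that are missing, left at the installer's placeholder, shorter than 32 characters, or reused. It goes beyond the slide in two ways: later WordPress releases deprecated FORCE_SSL_LOGIN in favour of FORCE_SSL_ADMIN, which covers both login and dashboard, so only that constant is required; and wp-config.php now carries eight secrets (the four keys on the slide plus four matching _SALT constants), so all eight are checked. The 32-character minimum is this example's own threshold, chosen so that the short sample values on the slide are reported; for real installs, generate values with the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) or with the hardened_config() helper below, which uses the secrets module. The SLIDE_CONFIG sample is constructed from the values shown on the slide.

```python
#!/usr/bin/env python3
"""Audit wp-config.php for the settings on slides 5 and 13.

Added example, not from the slides. Checks: default 'wp_' table prefix,
FORCE_SSL_ADMIN not set to true, and the eight AUTH/SALT constants being
missing, the installer placeholder, shorter than MIN_KEY_LEN, or reused.
"""
import re
import secrets

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"      # value shipped in wp-config-sample.php
MIN_KEY_LEN = 32                                  # this example's own threshold

# Only lines that *start* with define()/$table_prefix count, so commented-out
# lines such as "// define('AUTH_KEY', ...)" are ignored.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)


def parse_wp_config(text: str):
    """Return ({constant: value}, table_prefix or None); values are bool or str."""
    defines = {}
    for name, raw in DEFINE_RE.findall(text):
        if raw.lower() in ("true", "false"):
            defines[name] = raw.lower() == "true"
        else:
            defines[name] = raw.strip("'\"")
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_wp_config(text: str) -> list:
    """Return one finding per problem; an empty list means the checks all pass."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix is None:
        findings.append("table_prefix: not set")
    elif prefix == "wp_":
        findings.append("table_prefix: default 'wp_'")
    if defines.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN: not enabled")
    seen = {}                                     # value -> first constant using it
    for key in KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif not isinstance(value, str) or value == PLACEHOLDER:
            findings.append(f"{key}: placeholder or non-string value")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{key}: too short ({len(value)} chars)")
        elif value in seen:
            findings.append(f"{key}: reuses the value of {seen[value]}")
        else:
            seen[value] = key
    return findings


def hardened_config(prefix: str = "blg7k_") -> str:
    """Generate a wp-config.php fragment that passes the audit (fresh random keys)."""
    lines = ["<?php", f"$table_prefix = '{prefix}';", "define('FORCE_SSL_ADMIN', true);"]
    for key in KEYS:
        lines.append(f"define('{key}', '{secrets.token_urlsafe(48)}');")   # 64 chars each
    return "\n".join(lines) + "\n"


# Constructed sample built from the values shown on the slide.
SLIDE_CONFIG = """<?php
$table_prefix = 'wp_';
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
define('AUTH_KEY', 'kie938rjmd903kdmr904');
define('SECURE_AUTH_KEY','9485ekdfmsk43 98');
define('LOGGED_IN_KEY', '9i7j6k[9md38');
define('NONCE_KEY', 'kdkflow932034');
"""


if __name__ == "__main__":
    for line in audit_wp_config(SLIDE_CONFIG):
        print("FINDING", line)
    print("hardened fragment findings:", audit_wp_config(hardened_config()))
```

On the slide's own values the audit reports the wp_ prefix, four keys that are too short and four salts that are missing, while a fragment from hardened_config() comes back clean; to audit a real site, read wp-config.php into a string and pass it to audit_wp_config.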
14. Basic Security Steps.
● Very BASIC but important:
● Don't be lazy:
  – Update WP to the latest version
  – Change passwords REGULARLY
  – Observe your LOGS
  – Use a passcode, not just a word
  – Back up the database regularly
  – Report bugs
  – Use security plugins like:
    ● lockdown, WP Security Scan, Captcha, Secure Wordpress etc.
15. BLOGS...
● If it's on the blog it's no more personal
● If you put it on the blog, have good enough material to defend it
● Do not use copy-paste – check copyrights
● Acknowledge/quote stuff used from other places
● Be original
● Be safe
16. Thanks! Questions?
