WordPress Security


WordPress Security by Gaurav Pant @ null Pune Meet, October, 2010

    WordPress Security: Presentation Transcript

    • WordPress Security: Few Simple Steps
      @ null Meet, 16th Oct 2010, Pune
      Gaurav Pant, http://www.gauravpant.com, gauravggs@gmail.com
    • Agenda
      ● What is WordPress
      ● Installation
      ● A few basic steps for security
      ● Social aspects
    • WordPress
      ● weBlog engine
      ● Written (mostly) in PHP
      ● Used for websites
      ● Approx. 80% of weblogs run on WordPress
      ● 20% on version 2.x, 15% on version 3.x
      ● Ver 1.x: Jan 3 2004 to Dec 2005
      ● Ver 2.x: Dec 31 2005 to June 2009
      ● Ver 3.x: June 17 2010 to the present, still being updated
    • WP installation
      ● Is simple
      ● Needs a web server with Apache, MySQL and PHP
      ● Download WP from wordpress.org
      ● Create/request a DB user and password
      ● Unpack into the document root of the server
      ● Edit/create wp-config.php
      ● Open the site in a browser and follow the instructions
      ● Demo
    • Basic Security Steps
      ● Fix your table prefix
        – Change the table prefix (this can generally be done during install)
        – Or edit $table_prefix in your wp-config.php
        – The default prefix is wp_ (so wp_users, wp_options, ...)
        – Canned SQL injection payloads hard-code those default table names; a custom prefix makes such payloads fail, but it does not remove the injection bug itself, so keep core and plugins patched as well
    • Basic Security Steps...
      ● Securing the directories and files
        – WordPress root: perms writable by your own user account only
        – .htaccess writable by WordPress only if automatic update requires it
        – Other sub-dirs writable only by your user account
        – /wp-content/ sub-dir perms will vary according to plugins and themes
        – Uploaded images dir (wp-content/uploads)
          ● Needs to be writable by the web server for automatic uploads
          ● Do manual uploads instead: less convenient but safer
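    The permission scheme on this slide, applied with a script. This is an added example, not code from the slides or from WordPress; it assumes (hypothetically) that the files are owned by your shell user, that the web server runs as a member of that user's group, and that only wp-content/uploads has to be writable by the server. The second function lists anything still world-writable, which is the check to run after any plugin or theme install.

```sh
#!/bin/sh
# Added example, not from the slides: apply a restrictive permission scheme to a
# WordPress document root and list anything still world-writable.
# Assumptions (hypothetical): files are owned by your shell user, the web server
# runs as a member of that user's group, and only wp-content/uploads has to be
# writable by the server (for automatic media uploads).

# wp_harden_perms DOCROOT
#   dirs 755, files 644, wp-config.php 640 (holds DB credentials: no world read),
#   wp-content/uploads dirs 775 (group-writable so the server can store uploads).
wp_harden_perms() {
  root=$1
  [ -d "$root/wp-includes" ] || { echo "not a WordPress root: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 '{}' +
  find "$root" -type f -exec chmod 644 '{}' +
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
  if [ -d "$root/wp-content/uploads" ]; then
    find "$root/wp-content/uploads" -type d -exec chmod 775 '{}' +
  fi
  return 0
}

# wp_world_writable DOCROOT
#   prints every file or directory under DOCROOT that any local user can modify;
#   on a hardened tree the output is empty.
wp_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \)
}

# Usage when run directly: ./wp_perms.sh /var/www/html
if [ $# -eq 1 ]; then
  wp_harden_perms "$1" && wp_world_writable "$1"
fi
```

Run wp_world_writable on its own periodically; a plugin installer or an FTP client with a lax umask is the usual way a 777 directory reappears under wp-content.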
    • Basic Security Steps...
      ● Renaming the 'admin' account
      ● Run the query (substitute your real table prefix):
        – update TablePrefix_users set user_login='newusername' where user_login='admin';
        – The user_nicename column (the slug shown in /author/... URLs) also defaults to 'admin'; change it the same way or the old name stays visible
      ● Do all this before you start posting
      ● Do not write posts as admin
      ● Create a generic (non-admin) user to create/write posts and pages
    • Basic Security Steps...
      ● Securing the /wp-admin/ area
      ● Move your WordPress installation to a different dir
      ● Standard location:
        – www.site.com/wp-admin/
      ● Move or install WordPress in a sub-dir:
        – www.site.com/mysecretinstall/wp-admin/
      ● Visitors will still reach your site at
        – www.site.com
    • Basic Security Steps...
      ● Version info can be dangerous: it tells an attacker exactly which known bugs to try
      ● Disable version info
      ● Also remove it from the generator meta tag in the page head
      ● Edit your theme's functions.php and add:
        – remove_action('wp_head', 'wp_generator');
      ● This only strips the tag from HTML pages: the RSS/Atom feeds still carry a generator element, and scripts and styles enqueued without their own version are linked with ?ver=<WordPress version>, so treat this as cosmetic and rely on patching
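    A check for the leaks that remain after remove_action('wp_head', 'wp_generator'). This is an added example, not code from the slides or from WordPress; it works on a saved copy of a page or feed (assumed, hypothetically, to have been fetched with something like curl -s http://yoursite/ > page.html) and looks at the three places the version appears: the meta tag, the feed's generator element, and the ?ver= parameter on wp-includes scripts and styles.

```sh
#!/bin/sh
# Added example, not from the slides: check a saved WordPress page or feed for
# version leaks. Removing wp_generator only strips the <meta name="generator"> tag;
# the version still appears as ?ver=<version> on enqueued wp-includes scripts and
# styles and in the feed's <generator> element, so the check looks at all three.
# Assumption (hypothetical): the page/feed was saved to a file first, e.g.
#   curl -s http://yoursite/ > page.html ; curl -s http://yoursite/feed/ > feed.xml

# wp_version_leak FILE
#   prints "<source>:<version>" for the first leak found and returns 0,
#   prints "none" and returns 1 if the file reveals no version.
wp_version_leak() {
  f=$1
  # 1. generator meta tag in the HTML head
  v=$(sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' "$f" | head -n 1)
  if [ -n "$v" ]; then echo "meta-generator:$v"; return 0; fi
  # 2. generator element in RSS/Atom feeds, e.g. <generator>http://wordpress.org/?v=3.0.1</generator>
  v=$(sed -n 's|.*<generator>[^<]*?v=\([0-9][0-9.]*\)</generator>.*|\1|p' "$f" | head -n 1)
  if [ -n "$v" ]; then echo "feed-generator:$v"; return 0; fi
  # 3. ?ver= query string on core scripts/styles (WordPress uses its own version
  #    when the asset was registered without one)
  v=$(grep -o 'wp-includes/[^ "]*[?&]ver=[0-9][0-9.]*' "$f" | sed 's/.*ver=//' | head -n 1)
  if [ -n "$v" ]; then echo "ver-param:$v"; return 0; fi
  echo "none"
  return 1
}

# Usage when run directly: ./wp_version_leak.sh page.html
if [ $# -eq 1 ]; then
  wp_version_leak "$1"
fi
```

Run it against the home page and the feed separately; a site that passes the first and fails the second has only done the functions.php step.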
    • Basic Security Steps...
      ● Disable directory index view
      ● Simple way:
        – Just add a blank index.html to every directory that has no index file
      ● Or add/modify the .htaccess line (the directive is Options, plural):
        – Options Indexes
        – to
        – Options -Indexes
    • Basic Security Steps...
      ● Moving WordPress:
      ● Edit the WordPress address (URL) from the WordPress admin panel
      ● Copy index.php and .htaccess to the root / new location
      ● Edit that index.php and change
        – require('./wp-blog-header.php');
        – to
        – require('./secretloc/wp-blog-header.php');
      ● The new login location will be
        – http://yoursite/secretloc/wp-admin/
    • Basic Security Steps...
      ● Hardening /wp-admin/ with .htaccess
      ● Create a .htaccess in the wp-admin dir containing:
        – AuthUserFile /home/dexter/.htpasswd
        – AuthName "Verify yourself"
        – AuthType Basic
        – Require valid-user
      ● Create the .htpasswd (outside the document root, so it can never be served):
        – /home/dexter/.htpasswd
        – # htpasswd -b /home/dexter/.htpasswd dede dede123
        – -b takes the password on the command line, where it lands in shell history and process listings; leave -b out (and use -c the first time) and htpasswd will prompt instead
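    A generator for that wp-admin/.htaccess which also folds in the Options -Indexes line from the earlier slide and exempts admin-ajax.php, which plugins call from the front end for logged-out visitors (a blanket password prompt on wp-admin breaks them). This is an added example, not from the slides or from WordPress; it assumes, hypothetically, Apache 2.2-style access control (Order/Allow/Satisfy), an AllowOverride that permits AuthConfig and Options, and a .htpasswd kept outside the document root, which the function enforces.

```sh
#!/bin/sh
# Added example, not from the slides: write wp-admin/.htaccess with Basic auth,
# directory listing disabled, and an exemption for admin-ajax.php.
# Assumptions (hypothetical): Apache 2.2-style access control, AllowOverride
# permitting AuthConfig and Options, and a .htpasswd outside the document root.

# wp_admin_htaccess DOCROOT HTPASSWD_PATH
#   writes DOCROOT/wp-admin/.htaccess; refuses an HTPASSWD_PATH under DOCROOT
#   because anything under the web tree can end up being served.
wp_admin_htaccess() {
  docroot=$1
  htpasswd=$2
  case "$htpasswd" in
    "$docroot"/*) echo "refusing: .htpasswd must live outside the document root" >&2; return 1 ;;
  esac
  [ -d "$docroot/wp-admin" ] || { echo "no wp-admin under $docroot" >&2; return 1; }
  cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Verify yourself"
AuthUserFile $htpasswd
Require valid-user
Options -Indexes
# admin-ajax.php is called by plugins for logged-out visitors; serve it without the prompt
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# Create the password file interactively (no -b, so the password stays out of
# shell history and process listings):
#   htpasswd -c /home/dexter/.htpasswd dede
# Usage when run directly: ./wp_admin_htaccess.sh /var/www/html /home/dexter/.htpasswd
if [ $# -eq 2 ]; then
  wp_admin_htaccess "$1" "$2"
fi
```

On Apache 2.4 the three lines inside the Files block become Require all granted; the rest is unchanged.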
    • Basic Security Steps...
      ● Use SSL for admin/logins
      ● Can be enabled in wp-config.php:
        – define('FORCE_SSL_LOGIN', true);
        – define('FORCE_SSL_ADMIN', true);
      ● Add salts to wp-config.php for better cookie security:
        – define('AUTH_KEY', 'kie938rjmd903kdmr904');
        – define('SECURE_AUTH_KEY', '9485ekdfmsk43 98');
        – define('LOGGED_IN_KEY', '9i7j6k[9md38');
        – define('NONCE_KEY', 'kdkflow932034');
      ● The values above are short illustrations only; there are eight such constants (the four *_KEY ones plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT), and the WordPress secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ generates a full set of long random values
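    An audit-and-generate script for those keys. This is an added example, not from the slides or from WordPress; it assumes, hypothetically, that each key is written in wp-config.php as define('NAME', 'value'); on a single line, flags keys that are missing, still the sample config's placeholder text, or shorter than 32 characters (the values on the slide are 12 to 20), and prints a replacement set of the same length the WordPress generator uses.

```sh
#!/bin/sh
# Added example, not from the slides: audit the eight secret keys/salts in a
# wp-config.php and generate strong replacements.
# Assumption (hypothetical): keys are written as define('NAME', 'value'); one per line.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
WP_MIN_KEY_LEN=32

# wp_gen_salt: 64 random printable characters from /dev/urandom, excluding quote
# and backslash so the value is safe inside a single-quoted PHP string.
wp_gen_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=-' < /dev/urandom | head -c 64
}

# wp_salt_block: print a full set of eight define() lines ready to paste into wp-config.php.
wp_salt_block() {
  for k in $WP_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(wp_gen_salt)"
  done
}

# wp_weak_keys CONFIG: report keys that are missing, still the placeholder, or
# shorter than WP_MIN_KEY_LEN. Returns 1 if anything was reported, 0 if all are fine.
wp_weak_keys() {
  cfg=$1
  rc=0
  for k in $WP_KEYS; do
    val=$(sed -n "s/^[[:space:]]*define([[:space:]]*'$k'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
    if [ -z "$val" ]; then
      echo "$k: missing"; rc=1
    elif [ "$val" = "put your unique phrase here" ]; then
      echo "$k: placeholder"; rc=1
    elif [ ${#val} -lt $WP_MIN_KEY_LEN ]; then
      echo "$k: too short (${#val} chars)"; rc=1
    fi
  done
  return $rc
}

# Usage when run directly: ./wp_salts.sh /path/to/wp-config.php
#   prints the problems found, then a fresh set of define() lines to paste in.
if [ $# -eq 1 ]; then
  wp_weak_keys "$1" || wp_salt_block
fi
```

Changing any of the keys invalidates every existing login cookie, which is the point: do it once after a suspected compromise as well as at install time.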
    • Basic Security Steps.
      ● Very basic but important:
      ● Don't be lazy:
        – Update WP to the latest version
        – Change passwords regularly
        – Observe your LOGS
        – Use a passphrase, not just a word
        – Back up the database regularly
        – Report bugs
        – Use security plugins like:
          ● lockdown, WP Security Scan, Captcha, Secure WordPress etc.
    • BLOGS...
      ● If it's on the blog, it's no longer personal
      ● If you put it on the blog, have good enough material to defend it
      ● Do not copy-paste: check copyrights
      ● Acknowledge/quote material used from other places
      ● Be original
      ● Be safe
    • Thanks! Questions?