Wordpress Security

I presented this on Wordpressians Meetup [Dhaka] on 28th June, 2014

Topics Include:
# A Basic Understanding
# Direct Approach
# Indirect Approach
# Insane Approach
# Plugin URLs
# Tutorial URLs

Transcript

  • 1. WORDPRESS SECURITY How to secure your WordPress website
  • 2. RUPOK CHOWDHURY PROTIK Co-Founder, Head of WebDev, CoderCats
     @rupok fb.com/rupokify rupokify@gmail.com www.rupok.net
  • 3. WAYS Direct Approach Indirect Approach
  • 4. DIRECT APPROACH
  • 5. BEST WAY 100% Guaranteed
  • 6. DELETE IT !
  • 7. REQUEST? A really really cute face may help!
  • 8. Don’t hack my site, please!
  • 9. INDIRECT APPROACH
  • 10. A BASIC UNDERSTANDING
  • 11. FOUR “W”, ONE “H” Who . Why . When . Where . How
  • 12. WHO Anonymous . Your Friend . A Random Guy
  • 13. WHY Fun . Revenge . Profit . Political
  • 14. WHEN Least Expected . You are not Ready . The door is open
  • 15. (EVERY)WHERE Shared Hosting . VPS . Dedicated Server . Your Laptop
  • 16. HOW
  • 17. DEFACEMENT Website defacement is an attack on a website that changes the visual appearance of the site or a webpage* *Wikipedia
  • 18. SPAM LINKS base64_decode('aHR0cDovL3d3dy5jb2RlcmNhdHMubmV0L2VhdHNpdGUucGhw');
     which decodes to http://www.codercats.net/eatsite.php
  • 19. PHP SHELL PHP Shell is a shell wrapped in a PHP script. It’s a tool you can use to execute arbitrary shell-commands or browse the filesystem on your remote web server* *http://phpshell.sourceforge.net/
  • 20. OTHERS Backdoors . SQL Injections . Malicious Redirects . Form Abuse . Compromised Web Servers
  • 21. WHAT CAN WE DO?
  • 22. AVOID NULLED THEMES & PLUGINS Why would they give it to you for free?
  • 23. DELETE “ADMIN” ACCOUNT UPDATE wp_users SET user_login='batman' WHERE user_login='admin';
     Hackers need only two pieces of information: “username” and “password”. Don’t give them half. Try to avoid showing your username in posts.
  • 24. USE SECRET KEYS https://api.wordpress.org/secret-key/1.1/salt/
  • 25. UPDATE EVERYTHING Keep “EVERYTHING” updated. Literally EVERYTHING.
  • 26. MODIFY FILE PERMISSION Files 644 . Folders 755 . .htaccess 444 . wp-config.php 444
  • 27. MOVE UP WP-CONFIG.PHP WordPress automatically checks the parent directory if the wp-config.php file is not found in your root directory
     public_html/wordpress/wp-config.php -> public_html/wp-config.php
  • 28. PROTECT WP-CONFIG.PHP Write the following code in your .htaccess file
     <files wp-config.php>
     order allow,deny
     deny from all
     </files>
  • 29. LOCAL SECURITY KeyLogger, Malware
     Don’t use FTP. Try to use SFTP or SSH
  • 30. CONTROL LOGIN ATTEMPTS Don’t let them try for eternity https://wordpress.org/plugins/login-lockdown/
  • 31. SECURITY PLUGINS BulletProof Security, Secure WordPress, Exploit Scanner, Malware Scanner (sucuri.net)
  • 32. USE STRONG PASSWORD Eight Characters . Two Uppercase Letters . Two Symbols
     Avoid your Name, Birth Year, Birthday, Age, Phone Number etc.
  • 33. Creating A Password
     - cabbage - Sorry, the password must be more than 8 characters.
     - boiled cabbage - Sorry, the password must contain 1 numerical character.
     - 1 boiled cabbage - Sorry, the password cannot have blank spaces.
     - 50fuckingboiledcabbages - Sorry, the password must contain at least one upper case character.
     - 50FUCKINGboiledcabbages - Sorry, the password cannot use more than one upper case character consecutively.
     - 50FuckingBoiledCabbagesShovedUpYourAss,IfYouDon'tGiveMeAccessImmediately - Sorry, the password cannot contain punctuation.
     - NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessImmediately - Sorry, that password is already in use!
  • 34. DATABASE TABLE PREFIX Change from “wp_” to “wp_anything_” or “wpanything_”; anything may contain a-z, 0-9
  • 35. SSL CERTIFICATE Try to use an SSL Certificate
     define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true);
  • 36. MOVE WP-CONTENT FOLDER Before wp-settings.php is called in wp-config.php
     define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' ); define( 'WP_CONTENT_URL', 'http://www.codercats.net/blog/content/wp-content' );
  • 37. PROTECT WP-ADMIN Password protect the wp-admin folder using .htaccess + .htpasswd
     http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
  • 38. DISABLE DASHBOARD EDIT define('DISALLOW_FILE_EDIT', true);
  • 39. CHANGE LOGIN URL RewriteRule ^login$ http://www.rupok.net/wp-login.php [NC,L]
     Now I can log in at www.rupok.net/login
  • 40. INSANE PLANS
  • 41. GOOGLE AUTHENTICATOR The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. http://wordpress.org/plugins/google-authenticator/
  • 42. VOICE BIOMETRICS VoxedIn is a Smartphone app and web toolkit that lets your users log in to your site using voice biometrics ! http://wordpress.org/plugins/voxedin/
  • 43. SPECIAL THANKS Jesse Pollak . Brad Williams . Lime Canvas
  • 44. QUESTIONS ?
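The spam-link trick on slide 18 hides the injected URL behind base64_decode(). Added example, not from the deck: a small scanner for theme and plugin files that decodes every base64_decode() string literal so hidden URLs show up in plain text during a clean-up; the footer.php sample is constructed, with the encoded string taken from the slide.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List

# base64_decode('...') or base64_decode("..."); the payload is group 2.
BASE64_CALL = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)",
                         re.IGNORECASE)

@dataclass
class Finding:
    line: int
    encoded: str
    decoded: str          # decoded text, or "<binary>" when it is not UTF-8
    looks_like_url: bool  # decoded payload starts with http:// or https://

def scan_php_source(source: str) -> List[Finding]:
    """Decode every base64_decode() string literal in PHP source and report it."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in BASE64_CALL.finditer(line):
            payload = re.sub(r"\s+", "", m.group(2))
            try:
                raw = base64.b64decode(payload, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, nothing to decode
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                text = "<binary>"
            findings.append(Finding(lineno, payload, text,
                                    text.lower().startswith(("http://", "https://"))))
    return findings

# Constructed sample: a theme footer.php with an injected link loader. The encoded
# string is the one shown on slide 18.
SAMPLE_FOOTER_PHP = """<?php
wp_footer();
echo '<a href="' . base64_decode('aHR0cDovL3d3dy5jb2RlcmNhdHMubmV0L2VhdHNpdGUucGhw') . '">seo</a>';
$greeting = base64_decode("SGVsbG8=");
"""

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_FOOTER_PHP):
        flag = "URL" if f.looks_like_url else "   "
        print(f"line {f.line} [{flag}] {f.decoded!r}")
```

Run it over wp-content/themes and wp-content/plugins after an incident; a decoded URL inside a theme file you did not write is the spam-link injection the slide describes.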
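Slides 24, 34, 35 and 38 are all wp-config.php settings. Added example, not from the deck: a checker that parses a wp-config.php and reports which of those settings are still at their defaults. Both configs are constructed samples, and the locally generated salts stand in for what https://api.wordpress.org/secret-key/1.1/salt/ would return.

```python
import re
import secrets
from typing import Dict, List

# Deck checklist: unique secret keys (24), non-default table prefix (34), forced SSL
# (35), dashboard file editor off (38). The placeholder is from wp-config-sample.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SALT_PLACEHOLDER = "put your unique phrase here"
# define('KEY', true|false|'string'): groups 1 quote, 2 key, 3 bool, 4 quote, 5 string
DEFINE_RE = re.compile(
    r"define\s*\(\s*(['\"])(\w+)\1\s*,\s*(?:(true|false)|(['\"])(.*?)\4)\s*\)",
    re.IGNORECASE | re.DOTALL)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")

def parse_defines(source: str) -> Dict[str, str]:
    """Map KEY -> value for every define() call; booleans become 'true'/'false'."""
    defines = {}
    for m in DEFINE_RE.finditer(source):
        defines[m.group(2).upper()] = m.group(3).lower() if m.group(3) else m.group(5)
    return defines

def audit_wp_config(source: str) -> List[str]:
    """Return one message per checklist item the wp-config.php text fails."""
    defines = parse_defines(source)
    problems = []
    for key in SALT_KEYS:
        value = defines.get(key, "")
        if len(value) < 32 or SALT_PLACEHOLDER in value:
            problems.append(f"{key} is missing, too short or still the placeholder")
    m = PREFIX_RE.search(source)
    if (m.group(1) if m else "wp_") == "wp_":
        problems.append("$table_prefix is the default wp_")
    if defines.get("FORCE_SSL_ADMIN") != "true":
        problems.append("FORCE_SSL_ADMIN is not true")
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        problems.append("DISALLOW_FILE_EDIT is not true (dashboard file editor is on)")
    return problems

# Constructed samples: a fresh install left at its defaults, and one with the deck's
# settings applied (salts generated locally instead of fetched from api.wordpress.org).
WEAK_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""
HARDENED_CONFIG = "<?php\n" + "".join(
    f"define('{k}', '{secrets.token_urlsafe(48)}');\n" for k in SALT_KEYS
) + "$table_prefix = 'wp_k9x_';\ndefine('FORCE_SSL_ADMIN', true);\ndefine('DISALLOW_FILE_EDIT', true);\n"
```

Call audit_wp_config() on the contents of a real wp-config.php to get the list of deck items still left undone; an empty list means all four are in place.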