Wordpress Security

I presented this at the Wordpressians Meetup [Dhaka] on 28th June 2014

Topics Include:
# A Basic Understanding
# Direct Approach
# Indirect Approach
# Insane Approach
# Plugin URLs
# Tutorial URLs

Published in: Technology, Business

Wordpress Security

  1. WORDPRESS SECURITY How to secure your WordPress website
  2. RUPOK CHOWDHURY PROTIK Co-Founder, Head of WebDev, CoderCats
     @rupok fb.com/rupokify rupokify@gmail.com www.rupok.net
  3. WAYS Direct Approach . Indirect Approach
  4. DIRECT APPROACH
  5. BEST WAY 100% Guaranteed
  6. DELETE IT !
  7. REQUEST? A really really cute face may help!
  8. Don’t hack my site, please!
  9. INDIRECT APPROACH
  10. A BASIC UNDERSTANDING
  11. FOUR “W”, ONE “H” Who . Why . When . Where . How
  12. WHO Anonymous . Your Friend . A Random Guy
  13. WHY Fun . Revenge . Profit . Political
  14. WHEN Least Expected . You are not Ready . The door is open
  15. (EVERY)WHERE Shared Hosting . VPS . Dedicated Server . Your Laptop
  16. HOW
  17. DEFACEMENT Website defacement is an attack on a website that changes the visual appearance of the site or a webpage* (*Wikipedia)
  18. SPAM LINKS base64_decode('aHR0cDovL3d3dy5jb2RlcmNhdHMubmV0L2VhdHNpdGUucGhw'); decodes to http://www.codercats.net/eatsite.php
  19. PHP SHELL PHP Shell is a shell wrapped in a PHP script. It’s a tool you can use to execute arbitrary shell commands or browse the filesystem on your remote web server* (*http://phpshell.sourceforge.net/)
  20. OTHERS Backdoors . SQL Injections . Malicious Redirects . Form Abuse . Compromised Web Servers
  21. WHAT CAN WE DO?
  22. AVOID NULLED THEMES & PLUGINS Why are they giving them to you for free?
  23. DELETE “ADMIN” ACCOUNT
     UPDATE wp_users SET user_login='batman' WHERE user_login='admin';
     Hackers need only two pieces of information: “username” & “password”. Don’t give them half. Try to avoid showing your username in posts.
  24. USE SECRET KEYS https://api.wordpress.org/secret-key/1.1/salt/
  25. UPDATE EVERYTHING Keep “EVERYTHING” updated. Literally EVERYTHING.
  26. MODIFY FILE PERMISSION Files 644 . Folders 755 . .htaccess 444 . wp-config.php 444
  27. MOVE UP WP-CONFIG.PHP WordPress automatically checks the parent directory if wp-config.php is not found in your root directory
     public_html/wordpress/wp-config.php -> public_html/wp-config.php
  28. PROTECT WP-CONFIG.PHP Write the following in your .htaccess file
     <files wp-config.php>
     order allow,deny
     deny from all
     </files>
  29. LOCAL SECURITY KeyLogger, Malware. Don’t use FTP; try to use SFTP or SSH.
  30. CONTROL LOGIN ATTEMPTS Don’t let them try for eternity https://wordpress.org/plugins/login-lockdown/
  31. SECURITY PLUGINS BulletProof Security, Secure WordPress, Exploit Scanner, Malware Scanner (sucuri.net)
  32. USE STRONG PASSWORD Eight Characters . Two Uppercase Letters . Two Symbols. Avoid your Name, Birth Year, Birthday, Age, Phone Number etc.
  33. Creating A Password
     - cabbage - Sorry, the password must be more than 8 characters.
     - boiled cabbage - Sorry, the password must contain 1 numerical character.
     - 1 boiled cabbage - Sorry, the password cannot have blank spaces.
     - 50fuckingboiledcabbages - Sorry, the password must contain at least one upper case character.
     - 50FUCKINGboiledcabbages - Sorry, the password cannot use more than one upper case character consecutively.
     - 50FuckingBoiledCabbagesShovedUpYourAss,Ifyoudon'tGiveMeAccessImmediately - Sorry, the password cannot contain punctuation.
     - NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessImmediately - Sorry, that password is already in use!
  34. DATABASE TABLE PREFIX Change from “wp_” to “wp_anything_” or “wpanything_”; anything may contain a-z, 0-9
  35. SSL CERTIFICATE Try to use an SSL Certificate
     define('FORCE_SSL_ADMIN', true);
     define('FORCE_SSL_LOGIN', true);
  36. MOVE WP-CONTENT FOLDER Add this before wp-settings.php is called in wp-config.php
     define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' );
     define( 'WP_CONTENT_URL', 'http://www.codercats.net/blog/content/wp-content' );
  37. PROTECT WP-ADMIN Password protect the wp-admin folder using .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
  38. DISABLE DASHBOARD EDIT
     define('DISALLOW_FILE_EDIT', true);
  39. CHANGE LOGIN URL
     RewriteRule ^login$ http://www.rupok.net/wp-login.php [NC,L]
     Now I can login at www.rupok.net/login
  40. INSANE PLANS
  41. GOOGLE AUTHENTICATOR The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. http://wordpress.org/plugins/google-authenticator/
  42. VOICE BIOMETRICS VoxedIn is a Smartphone app and web toolkit that lets your users log in to your site using voice biometrics http://wordpress.org/plugins/voxedin/
  43. SPECIAL THANKS Jesse Pollak . Brad Williams . Lime Canvas
  44. QUESTIONS ?
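Slides 18 and 20 describe spam links and backdoors hidden behind base64_decode(); this added scanner (not part of the deck) decodes such calls in PHP source and reports the ones that yield a URL or are fed straight into eval(). SAMPLE_FOOTER is a constructed infected theme footer whose second base64 string is the one shown on slide 18.

```python
import base64
import re

# Matches base64_decode('...') / base64_decode("...") calls in PHP source.
BASE64_CALL = re.compile(
    r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
# A decoded blob that contains a URL is the typical spam-link injection.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed sample of an infected theme footer (the base64 string on the echo
# line is the one from slide 18). The first call is a harmless decoy.
SAMPLE_FOOTER = """<?php
$a = base64_decode('aGVsbG8=');  // decodes to "hello", no URL, ignored
echo '<div style="display:none">' . base64_decode('aHR0cDovL3d3dy5jb2RlcmNhdHMubmV0L2VhdHNpdGUucGhw') . '</div>';
eval(base64_decode('ZWNobyAiaGkiOw=='));  // eval of decoded code is a red flag on its own
"""

def find_obfuscated_payloads(php_source: str) -> list:
    """Return one finding per suspicious base64_decode() call.

    A call is reported when the decoded text contains a URL (spam link or
    remote include) or when the call sits inside eval() on the same line.
    """
    findings = []
    for m in BASE64_CALL.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            decoded = ""  # not valid base64; nothing to report for this call
        line_no = php_source.count("\n", 0, m.start()) + 1
        line_start = php_source.rfind("\n", 0, m.start()) + 1
        in_eval = "eval(" in php_source[line_start:m.start()].replace(" ", "")
        urls = URL_RE.findall(decoded)
        if urls or in_eval:
            findings.append({"line": line_no, "urls": urls, "eval": in_eval, "decoded": decoded})
    return findings
```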
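Slide 30 recommends limiting login attempts; this added detection example (not from the presentation) shows the log-side view, flagging IPs that repeatedly fail at wp-login.php within a short window. SAMPLE_LOG is a constructed set of Apache combined-format lines; the status-code rule assumes WordPress's behaviour of re-rendering the form with 200 on failure and redirecting with 302 on success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one address hammering wp-login.php, one normal user
# who loads the form (GET), fails once (200) and then succeeds (302).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2014:10:00:01 +0600] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [28/Jun/2014:10:00:02 +0600] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [28/Jun/2014:10:00:03 +0600] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.4 - - [28/Jun/2014:10:00:05 +0600] "GET /wp-login.php HTTP/1.1" 200 2101
198.51.100.4 - - [28/Jun/2014:10:00:09 +0600] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [28/Jun/2014:10:00:04 +0600] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [28/Jun/2014:10:00:06 +0600] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [28/Jun/2014:10:30:00 +0600] "POST /wp-login.php HTTP/1.1" 200 3214
"""

def find_login_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: most failed logins seen inside one window} for IPs that reach
    max_attempts failures within `window`. Only POST /wp-login.php with status
    200 (form re-rendered, i.e. login failed) is counted."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST"
                or not m["path"].startswith("/wp-login.php") or m["status"] != "200"):
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()  # log lines are not guaranteed to be in time order
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= max_attempts:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged
```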
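Slides 24, 34, 35 and 38 are all wp-config.php settings (secret keys, table prefix, FORCE_SSL_ADMIN, DISALLOW_FILE_EDIT); this added checker (not from the deck) audits a wp-config.php text against them. SAMPLE_WP_CONFIG is a constructed fragment with several weak settings; the 32-character minimum for salts is an assumption, not a WordPress rule.

```python
import re

# Constructed wp-config.php fragment with weak settings the deck warns about:
# default prefix, a placeholder salt, most salts missing, SSL admin off,
# and the dashboard file editor left enabled (no DISALLOW_FILE_EDIT).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp');
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Xk3$...constructed-random-value...');
define('FORCE_SSL_ADMIN', false);
require_once(ABSPATH . 'wp-settings.php');
"""

# The eight constants https://api.wordpress.org/secret-key/1.1/salt/ generates.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")

def parse_defines(src):
    """Map constant name -> raw PHP value text (quotes kept) for every define()."""
    return {name: value for name, value in DEFINE_RE.findall(src)}

def audit_wp_config(src):
    """Return a list of plain-text findings; an empty list means all checks passed."""
    findings = []
    consts = parse_defines(src)
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", src)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    for key in SALT_KEYS:
        val = consts.get(key, "").strip("'\"")
        # Fresh installs ship the literal placeholder; 32 chars is our assumed floor.
        if not val or "put your unique phrase here" in val or len(val) < 32:
            findings.append(f"{key} is missing, placeholder or too short")
    if consts.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN is not true")
    if consts.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true (dashboard file editor enabled)")
    return findings
```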
