http://lynt.cz
WordPress security for everyone
Vláďa Smitka
vladimir.smitka@lynt.cz
@smitka
Lynt services s.r.o.
http://lynt.cz
Content
• Some facts
• Common attack types
• Recovery after infection
• Security chain
• Security plugins
27. 5. 2015 2
„WordPress = Plugins“
The most serious vulnerability
Question: „What is the most serious WP vulnerability?“
Answer: „Outdated Slider Revolution.“
http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
Version 4.1.4 and lower are vulnerable
• Probably the most pirated (stolen) plugin
• Included in many premium themes (sometimes no chance to update)
• No auto-update in older versions
• Easy to detect
5 + 2 security tips
Update
Backup
Use a security plugin
Be careful
Delete unnecessary stuff, don't provide sensitive information
Update!
UPDATE!!!
WordCamp HACK campaign
• I found more than 400 vulnerable Czech WP sites in an hour
• I was finding common (and just patched) vulnerabilities in 3 popular plugins
• I informed the creators/owners by mail and invited them to the WordCamp
Who?
• Bots
• „Anonymous“ hackers
• Motivated hackers
• Script kiddies
Photo by Lisa, CC BY-SA 2.0
How?
• Vulnerable plugins and themes
• Vulnerabilities in WP core
• Brute force on administration
• Comment spam (+pingbacks)
• Password and cookie tapping
• „Neighbour“ sites on shared hosting
• Indirect ways – phishing, malware (keylogger, saved FTP password)
Why and What?
• „Alien“ code
– Spammy links, adverts, redirection
– Malware downloading
– DDoS to other targets
• Info stealing
– E.g. personal information of your customers
• Out of service
– web/server shutdown (DOS)
Facts
http://www.akamai.com/stateoftheinternet/
43% of attacks originate in China
Do I need Chinese traffic?
How about blocking the whole of China?
Block the USA?
Rather not (search engines, CDN, …)
Block everything except the Czech Republic?
Definitely not - IP geolocation isn't 100% accurate.
Corporate users sometimes connect from a different country (proxy).
And what about a vacation in a foreign country?
How to block China? – homework
List of IP addresses: http://www.ip2location.com/blockvisitorsbycountry.aspx
• iptables
– Don't use the generated configuration from the link above – thousands of rules evaluated for every packet
– iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL
– Advanced: optimization – separate chains for different first octets
• .htaccess/nginx
• mod_geoip
• Plugins (e.g. Premium Wordfence)
• HW box (WAF appliance, smarter firewall)
• Another possibility – redirect to a CAPTCHA instead of blocking
# mod_geoip in Apache (httpd.conf / vhost)
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
Deny from env=BlockCountry
# mod_geoip in .htaccess (mod_rewrite)
RewriteEngine On
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|RU)$
RewriteRule ^(.*)$ - [F,L]
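Added example (my code, not from the talk): it builds the per-first-octet chain tree that the "Advanced" bullet hints at, as a list of iptables commands, and compares how many rules one packet has to pass in a flat list versus the tree. The CIDR list is constructed and the chain names are assumptions.

```python
"""Generate an iptables chain tree for a country block list.

Instead of thousands of rules in INPUT (every packet walks all of them),
the list is split by first octet: INPUT jumps to CHINA_WALL, which jumps to
one small CHINA_WALL_<octet> chain, so a packet is compared against a few
dozen rules at most. The CIDRs below are constructed samples, not a real
country list. ipset (hash:net) is the modern alternative to this trick.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network


def group_by_first_octet(cidrs: Iterable[str]) -> Tuple[Dict[int, List[Net]], List[Net]]:
    """Split IPv4 networks by first octet; prefixes shorter than /8 span
    several octets and are kept in a separate list for the parent chain."""
    by_octet: Dict[int, List[Net]] = defaultdict(list)
    wide: List[Net] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if net.version != 4:
            continue  # IPv6 would need ip6tables; out of scope here
        if net.prefixlen < 8:
            wide.append(net)
        else:
            by_octet[int(net.network_address) >> 24].append(net)
    return by_octet, wide


def build_wall(cidrs: Iterable[str], chain: str = "CHINA_WALL",
               target: str = "DROP") -> List[str]:
    """Return the iptables commands (one per list entry) that create the
    chain tree and hook it into INPUT for new TCP connections, i.e. the
    slide's 'iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL'."""
    by_octet, wide = group_by_first_octet(cidrs)
    cmds = [f"iptables -N {chain}"]
    for net in sorted(wide):
        cmds.append(f"iptables -A {chain} -s {net} -j {target}")
    for octet in sorted(by_octet):
        sub = f"{chain}_{octet}"
        cmds.append(f"iptables -N {sub}")
        for net in sorted(by_octet[octet]):
            cmds.append(f"iptables -A {sub} -s {net} -j {target}")
        cmds.append(f"iptables -A {sub} -j RETURN")
        # One rule in the parent chain per octet: jump only for that /8.
        cmds.append(f"iptables -A {chain} -s {octet}.0.0.0/8 -j {sub}")
    cmds.append(f"iptables -A {chain} -j RETURN")
    cmds.append(f"iptables -A INPUT -p tcp -m state --state NEW -j {chain}")
    return cmds


def worst_case_rule_checks(cidrs: Iterable[str]) -> Tuple[int, int]:
    """Rules a single packet may be compared against: a flat list (every
    entry) versus the tree (wide prefixes + one jump per octet + the largest
    sub-chain). This is what 'thousands of rules for every packet' costs."""
    by_octet, wide = group_by_first_octet(cidrs)
    flat = len(wide) + sum(len(v) for v in by_octet.values())
    tree = len(wide) + len(by_octet) + max((len(v) for v in by_octet.values()), default=0)
    return flat, tree


# Constructed sample list: 20 first octets x 50 /16 networks = 1000 entries.
SAMPLE_CIDRS = [f"{o}.{i}.0.0/16" for o in range(1, 21) for i in range(50)]

if __name__ == "__main__":
    flat, tree = worst_case_rule_checks(SAMPLE_CIDRS)
    print(f"flat list: {flat} rule checks per packet, chain tree: {tree}")
    for line in build_wall(["203.0.113.0/24", "203.0.115.0/24", "198.51.100.0/24"]):
        print(line)
```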
NEW WEB
NEWS: 1.4.2003 our new web is running!
User Development Priorities
Beauty – must have, right?
Speed – after launch
Security – after incident
What happens if…
• Web is hacked?
– Loss of sensitive data, loss of trust, out of service, penalization
• Web is incredibly slow?
– Visitors are annoyed, search engines don't want to index your site
• There is no cool slider?
– Nothing?
Real priorities
according to business impacts
Security
Speed
Beauty
Demo time!
Slider Revolution - LFI
• Version 4.1.4 and lower
• Allows downloading any source file
• Cause: Ajax action registered for all users (privileged and non-privileged)
• /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-slider-revolution-4-1-4
FancyBox for WordPress - XSS
• Version 3.0.2 and lower
• Allows injecting alien JavaScript into all pages
• Cause: using the admin_init hook without an appropriate privilege check (admin_init fires on every request to the administration, including admin-ajax.php and admin-post.php, which don't require a logged-in user)
• /wp-admin/admin-ajax.php?page=fancybox-for-wordpress + variable mfbfw[padding]=</script><script>evil code</script>
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-fancybox-for-wordpress-3-0-2
MailPoet – PHP upload
• Version 2.6.8 and lower
• Allows uploading a PHP file and executing it
• Cause: misuse of admin_init again + use of $_REQUEST in the first patch
• /wp-admin/admin-post.php?page=wysija_campaigns&action=themeupload + variable my-theme = evil zip file
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-mail-poet-2-6-8
WordPress Video Gallery - SQLi
• Version 2.7
• SQL injection – allows reading any data from the database
• Cause: insufficient sanitization of user input
• /wp-admin/admin-ajax.php?action=rss&type=video&vid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 FROM wp_users ;--
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-wordpress-video-gallery-2-7
Wordpress 3.9.2 - XSS
„Wordpress version 3.9.2 is safe.“
Vladimír Smitka, 4th WP community conference, December 2014
„Secure today != secure tomorrow.“
Vladimír Smitka, 4th WP community conference, December 2014
• Allowed HTML tags bypass in comments
• [<blockquote cite="]">[" onmouseover="alert('evil!');" style="background-color:red;position:absolute;top:0;left:0;height:100%;width:100%;"][<a href="]>hi there
What might reduce impacts?
• Turn off PHP processing in /wp-content/uploads
.htaccess in this folder (mod_php):
php_flag engine off
Different option (works with any PHP handler; Order/Deny are Apache 2.2 directives, on 2.4 use Require all denied):
<FilesMatch "\.php$">
Order allow,deny
Deny from all
</FilesMatch>
• Updates
• Block requests including „wp-config.php“ (see the Slider Revolution LFI above)
global .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} wp-config.php
RewriteRule ^(.*)$ - [F,L]
How do I know that I also use a vulnerable plugin?
• Read all news
• Plugin Vulnerabilities
• https://wordpress.org/plugins/plugin-vulnerabilities/
How does the attacker know that you use a vulnerable plugin?
• They perform reconnaissance
• WPScan – a very popular tool for it
I was hacked!
Recovery after infection
• Restoring from a clean backup
– Delete everything and upload clean data from the backup
• Reinstall + disinfection by hand
– FAR Manager
• Useful if all PHP files were infected by the same evil code
– SQL dump examination
• Try to find <iframe, <script, x-shockwave-flash, eval, base64_decode, gzip_, preg_replace
• Try to identify the evil ones
• Malware removal isn't the final solution!
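Added example (my code, not from the talk): a scanner for the indicators listed above, run over PHP files and a SQL dump, reporting every line with a hit so they can be reviewed by hand. The file contents are constructed samples; the helper names are assumptions.

```python
"""Scan PHP files and a SQL dump for the indicators listed on the slide.

It reports every line containing one of the indicators; WordPress core and
legitimate plugins also use eval()/base64_decode(), so a hit is a lead to
review, not a verdict. Several different indicators on ONE line
(eval + gzinflate + base64_decode) is the classic packed backdoor.
"""
import re
from pathlib import Path
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    source: str    # file path, or a label for text passed in directly
    line_no: int
    indicator: str
    excerpt: str   # start of the offending line, for quick triage


# The slide's list. "gzip_" on the slide stands for PHP's gzinflate /
# gzuncompress / gzdecode. For preg_replace only the /e modifier (code
# execution, removed in PHP 7) is flagged, otherwise every clean plugin
# would light up.
INDICATORS: Dict[str, re.Pattern] = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "script": re.compile(r"<script\b", re.I),
    "flash": re.compile(r"x-shockwave-flash", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gzip": re.compile(r"\bgz(ip_|inflate|uncompress|decode)\w*\s*\(", re.I),
    "preg_replace_e": re.compile(
        r"""\bpreg_replace\s*\(\s*['"][^'"]*/[a-zA-Z]*e[a-zA-Z]*['"]""", re.I),
}


def scan_text(text: str, source: str) -> List[Hit]:
    """Report every (line, indicator) pair found in `text`."""
    hits: List[Hit] = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append(Hit(source, no, name, line.strip()[:80]))
    return hits


def scan_tree(root: str, suffixes=(".php", ".sql", ".html", ".js")) -> List[Hit]:
    """Scan every file under `root` whose suffix is in `suffixes`."""
    hits: List[Hit] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip, the rest of the scan still runs
            hits.extend(scan_text(text, str(path)))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, Dict[str, int]]:
    """Per source, how many hits of each indicator: sources with many
    different indicators should be looked at first."""
    out: Dict[str, Dict[str, int]] = {}
    for h in hits:
        per_source = out.setdefault(h.source, {})
        per_source[h.indicator] = per_source.get(h.indicator, 0) + 1
    return out


# Constructed samples: an infected PHP file, a clean one and a SQL dump row.
INFECTED_PHP = ("<?php\n/* plugin header */\n"
                "eval(gzinflate(base64_decode('...constructed sample...')));\n")
CLEAN_PHP = "<?php\nfunction hello() { return 'hi'; }\n"
SQL_DUMP = ("INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome</p>'),"
            "(2,'x','<script src=\"http://evil.invalid/x.js\"></script>');\n")

if __name__ == "__main__":
    for hit in scan_text(INFECTED_PHP, "plugin.php") + scan_text(SQL_DUMP, "dump.sql"):
        print(f"{hit.source}:{hit.line_no} [{hit.indicator}] {hit.excerpt}")
```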
FAR
Checklist
• Disinfection, eliminate the cause (update)
• Change FTP password
• Change DB password
• Change user passwords
• New salts: https://api.wordpress.org/secret-key/1.1/salt/
– WP before 3.1: define('AUTH_SALT', 'put your unique phrase here');
• Check files with a security plugin (Wordfence, Sucuri Scanner)
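Added example (my code, not from the talk): a check of the eight keys and salts in wp-config.php for the installer default, short or duplicated values, plus a rotation that writes fresh ones, which is what invalidates every existing login cookie after an incident. The config text is a constructed sample; the minimum length and the character set are assumptions modelled on the api.wordpress.org output.

```python
"""Check the secret keys and salts in wp-config.php and rotate them."""
import re
import secrets
import string
from typing import Dict, List

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_PHRASE = "put your unique phrase here"   # value in wp-config-sample.php
MIN_LEN = 64                                      # assumed minimum, as the API hands out
# Broad printable set without quotes or backslashes, so a value can be
# dropped into a single-quoted PHP string as-is (assumption, not WP's exact set).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

DEFINE_RX = re.compile(r"""define\s*\(\s*['"]([A-Z_]+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)""")
SALT_LINE_RX = re.compile(
    r"^[ \t]*define\s*\(\s*['\"](?:%s)['\"].*\n?" % "|".join(SALT_KEYS), re.M)


def parse_salts(config_text: str) -> Dict[str, str]:
    """Extract the values of the eight keys from define('KEY', 'value') lines."""
    return {k: v for k, v in DEFINE_RX.findall(config_text) if k in SALT_KEYS}


def check_salts(config_text: str) -> List[str]:
    """Return a list of problems; an empty list means the keys look fine."""
    salts = parse_salts(config_text)
    problems: List[str] = []
    for key in SALT_KEYS:
        if key not in salts:
            problems.append(f"{key}: missing")
        elif salts[key] == DEFAULT_PHRASE:
            problems.append(f"{key}: still the installer default")
        elif len(salts[key]) < MIN_LEN:
            problems.append(f"{key}: only {len(salts[key])} chars")
    seen: Dict[str, str] = {}          # value -> first key using it
    for key in SALT_KEYS:
        value = salts.get(key)
        if value is None:
            continue
        if value in seen:
            problems.append(f"{key}: same value as {seen[value]}")
        else:
            seen[value] = key
    return problems


def new_salt_block() -> str:
    """Eight fresh define() lines, in the format the api.wordpress.org service returns."""
    lines = []
    for key in SALT_KEYS:
        value = "".join(secrets.choice(ALPHABET) for _ in range(MIN_LEN))
        lines.append(f"define('{key}', '{value}');")
    return "\n".join(lines)


def rotate_salts(config_text: str) -> str:
    """Drop the old key lines and insert new ones right after the <?php tag,
    so they are defined before wp-settings.php is required."""
    stripped = SALT_LINE_RX.sub("", config_text)
    block = new_salt_block() + "\n"
    if "<?php" in stripped:
        return stripped.replace("<?php", "<?php\n" + block, 1)
    return block + stripped


# Constructed sample: defaults, short values, duplicates and missing keys.
BAD_CONFIG = """<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'abc123');
define('NONCE_KEY',        'abc123');
define('AUTH_SALT',        'put your unique phrase here');
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for problem in check_salts(BAD_CONFIG):
        print(problem)
    print(rotate_salts(BAD_CONFIG))
```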
Backup
„Backup is the alpha and omega of Computing“
By hand
Sometimes I copy everything somewhere. Not ideal but better than nothing.
By server
Unattended - ideal situation (ask your web hoster).
By plugin
Also a good solution, it can provide some benefits.
Backup plugins
• BackWPup
– Only backup – no automatic recovery
– Backup to more places
– You can trigger backup by external request
• UpdraftPlus
– Backup & recovery
– Only one place (but there is Pro version available)
• BackupBuddy
– Not free
– Complete solution (migration, per file recovery, …)
How to backup via plugin
• External storage is better
• If local storage:
– Check that backups aren't accessible from a web browser
– Check that the folder with backups is excluded from the backup (backup loop)
• Backup scheduling
– WP-Cron – used by almost all plugins, but it is triggered only when there is some traffic (you can check the schedule via the WP Crontrol plugin)
– External trigger – preferred way (server's cron, minicron, a cron service e.g. http://www.webcron.org/, https://www.setcronjob.com, https://www.easycron.com)
• Email notification after backup
Defend ourselves!
Power!
Jeremy Clarkson
How to improve security by performance?
• WP Super Cache
– helps against (D)DoS attacks which consume all resources
– serves dynamic pages as static ones
• Autoptimize
– hides „revealing“ JS and CSS
– reduces HTTP requests
• Side effects: faster site, happier visitors, tastier SEO
Security Chain
Diagram: Internet → HTTP Server (Apache/Nginx) → PHP, with a log feed from the server
What can affect security?
Cloud
Cloud security services (WAF) – the attack is blocked before it reaches the server
Block badly behaving IPs, common exploits, DDoS, …
Incapsula, Sucuri, CloudFlare
Webhoster
Security appliance/firewall – some provide another security level, some don't.
Reduce DDoS impact, block some kinds of network attacks, etc.
Server
Firewall, WAF, configuration – block some network attacks, IP addresses (whole ranges, countries)
WAF – block exploits (XSS, SQLi, …) – mod_security, naxsi.
Restrict file permissions, detect file changes.
Backups
Server – homework
• Detecting changes in PHP files during the last 24 hours:
find /srv/htdocs/my_web/ -name '*.php' -type f -mtime -1 > output ; mail -s "Today changes" "vladimir.smitka@lynt.cz" < output
Permissions recommended by All In One WP Security:
root directory 755
wp-admin/ 755
wp-admin/index.php 644
wp-admin/js/ 755
wp-includes/ 755
wp-content/ 755
wp-content/themes/ 755
wp-content/plugins/ 755
.htaccess 644
wp-config.php 644
Another country IP list: http://www.iwik.org/ipcountry/
Basic mod_security settings for WP: http://blog.erben.sk/2015/02/11/protecting-wordpress-with-mod-security/
HTTP Server & PHP
HTTP server & PHP configuration – site isolation on shared hosting, filtering suspicious URLs, restricting access, enforcing HTTPS, blocking countries (mod_geoip), logging
Log analytics
Realtime log analytics – if something strange happens, you can perform actions. One log record isn't a clue.
Logstash, ElasticSearch, Kibana
Realtime log analytics - example
Something wrong?
Countermeasure
Actions – block after many logged 404s (scanning), many failed logins, …
Ban in firewall, notify
Fail2Ban
Fail2Ban – homework
• Fail2Ban can replace some functions of security plugins – brute force/404 detection
• filter.d/wp-auth.conf
# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf
#
# Block IPs trying to authenticate against WordPress (every POST to wp-login.php)
#
# Matches e.g.
# 178.63.72.184 - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
ignoreregex =
• jail.conf (better: jail.local, so updates don't overwrite it)
[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=wp-auth, port="http,https", protocol=tcp]
         sendmail-whois[name=WPauth, dest=vladimir.smitka@lynt.cz, sendername="Fail2Ban"]
logpath = /var/log/wordpress/access.*.log
• Be careful with logrotate - /usr/bin/fail2ban-client reload wp-auth
• To log failed WP logins: https://wordpress.org/plugins/wp-fail2ban/
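Added example (my code, not from the talk or from Fail2Ban): the maxretry/findtime logic of a jail reimplemented in Python, so the wp-auth filter above and the "many 404s" rule from the countermeasure slide can be replayed over sample access-log lines before the real jail is enabled. The log lines are constructed (documentation IP ranges) and the thresholds are assumptions.

```python
"""Replay access-log lines through fail2ban-style jails."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Combined log format, as in the filter's "Matches e.g." line.
LOG_RX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The filter's failregex  ^<HOST> .* "POST /wp-login.php  applied to the
# request line once the host has been parsed out.
WP_LOGIN_RX = re.compile(r'^POST /wp-login\.php(\?|\s)')


class Entry:
    def __init__(self, host: str, ts: datetime, req: str, status: int):
        self.host, self.ts, self.req, self.status = host, ts, req, status


def parse_line(line: str) -> Optional[Entry]:
    """One access-log line -> Entry, or None for a malformed line."""
    m = LOG_RX.match(line)
    if not m:
        return None
    return Entry(m["host"], datetime.strptime(m["ts"], TS_FMT), m["req"], int(m["status"]))


class Jail:
    """maxretry matches from one host within findtime seconds => ban."""

    def __init__(self, name: str, matches: Callable[[Entry], bool],
                 maxretry: int, findtime: int):
        self.name, self.matches = name, matches
        self.maxretry, self.findtime = maxretry, timedelta(seconds=findtime)
        self.window: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: Dict[str, datetime] = {}

    def observe(self, e: Entry) -> bool:
        """Feed one entry; return True when it triggers a new ban."""
        if e.host in self.banned or not self.matches(e):
            return False
        q = self.window[e.host]
        q.append(e.ts)
        while q and e.ts - q[0] > self.findtime:   # forget matches outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[e.host] = e.ts
            return True
        return False


def default_jails(login_retry: int = 5, scan_retry: int = 3, findtime: int = 600) -> List[Jail]:
    # Thresholds are assumptions for the sample; tune them per site.
    # Note: a successful login is a POST to wp-login.php too, so this access
    # log rule also counts a legitimate user who mistypes a few times; the
    # wp-fail2ban plugin linked on the slide logs real failures instead.
    return [
        Jail("wp-auth", lambda e: bool(WP_LOGIN_RX.match(e.req)), login_retry, findtime),
        Jail("wp-404", lambda e: e.status == 404, scan_retry, findtime),
    ]


def analyse(lines: List[str], jails: List[Jail]) -> List[Tuple[str, str, str]]:
    """Return (jail, host, timestamp) for every ban, in log order."""
    bans = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        for jail in jails:
            if jail.observe(e):
                bans.append((jail.name, e.host, e.ts.isoformat()))
    return bans


# Constructed sample: one host hammering wp-login.php, one host probing for
# files that do not exist, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2015:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 1531 "-" "-"
203.0.113.7 - - [27/May/2015:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 1531 "-" "-"
192.0.2.1 - - [27/May/2015:10:00:04 +0200] "GET /wp-admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2015:10:00:05 +0200] "POST /wp-login.php HTTP/1.1" 200 1531 "-" "-"
203.0.113.7 - - [27/May/2015:10:00:07 +0200] "POST /wp-login.php HTTP/1.1" 200 1531 "-" "-"
198.51.100.9 - - [27/May/2015:10:00:08 +0200] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [27/May/2015:10:00:09 +0200] "POST /wp-login.php HTTP/1.1" 200 1531 "-" "-"
198.51.100.9 - - [27/May/2015:10:00:10 +0200] "GET /backup.zip HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [27/May/2015:10:00:11 +0200] "POST /wp-login.php HTTP/1.1" 200 1531 "-" "-"
198.51.100.9 - - [27/May/2015:10:00:12 +0200] "GET /old/wp-login.php HTTP/1.1" 404 210 "-" "-"
"""

if __name__ == "__main__":
    for jail, host, when in analyse(SAMPLE_LOG.splitlines(), default_jails()):
        print(f"{when} ban {host} ({jail})")
```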
WordPress settings
Good WP setting – everything is updated, well-written plugins, usage of a security plugin (blocks access to administration, scanning attempts, dangerous URLs, monitors files for changes, searches for malware, hides some sensitive data)
iThemes Security, All in One WP Security & Firewall, Wordfence
Security plugin
WordFence
• Active protection
• Bot detection, traffic limiting (HTTP 503)
• Live traffic
• Scan – files, common infections, blacklists
• Notify about updates
• Cache
• + Naturally:
– File changes detection
– Brute force protection
– 404 limitation
– Blocking spam in comments
WordFence – after installation
Level 2: failed login limits, more notifications
Level 3: traffic limiting
Level 4: more traffic limiting, block invalid user names
WordFence – Live Traffic
WordFence – changes detection
WordFence – traffic limitation
WordFence – login security
Tip: block username discovery (the ?author=N redirect) via .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} author=
RewriteRule ^(.*)$ http://screw.you? [L,R=301]
WordFence – other options
WordFence – other options
WordFence Premium – Country blocking
WordFence Premium – other
• Better spam protection
• Early warning during scan
• 2-factor authentication via SMS:
Your Wordfence code is ABCDEF. – log in with password + space + code
Better solution: WP Google Authenticator
• Scan scheduling – more frequent scans, triggered externally
Security plugin
iThemes security
• Prevention
• Hides administration, changes DB prefix
• Evil URL filter
• + Naturally:
– Brute force protection, 404 limitation
– File changes detection
– Comment spam reduction
iThemes Security – after installation
One-Click – failed login limit, strong password enforcing, hides some sensitive information
iThemes Security – API Key
iThemes Security - dashboard
iThemes Security - configuration
• Global Settings
– Write to Files - Allow iThemes Security to write to wp-config.php and .htaccess – if disabled, I can copy the config from the dashboard to the relevant files by hand
– Lockout White List – add my IP to avoid locking myself out
– Log Type - Database Only (small sites, available from the administration), File Only (large sites, the file can be used by fail2ban)
– Path to Log Files – set a path outside the web root if possible
• 404 detection
– Enable 404 detection – block scanning for vulnerabilities
RED = important settings
iThemes Security - configuration
• Away Mode – e.g. to disable the administration outside working hours
• Banned Users
– Default Blacklist - Enable HackRepair.com's blacklist feature – adds known badly behaving user-agents to .htaccess
– Enable ban Users - ban IPs and user-agents by hand (it is also connected to Enable Blacklist Repeat Offender in Global settings)
iThemes Security - configuration
• Brute Force Protection
– Get your iThemes Brute Force Protection API Key – access to the global IP blacklist by iThemes.com
– Enable iThemes Brute Force Network Protection – use the global blacklist
– Enable local brute force protection – block attempts to guess passwords (table _itsec_lockouts in the DB)
– Automatically ban "admin" user - immediately ban a host that attempts to log in using the "admin" username – good honeypot trick
iThemes Security - configuration
• Database Backups
– Backup Method - Email Only, Save local only – if it is possible to save the backup files to a publicly inaccessible folder (Backup Location)
– Schedule Database Backups - Enable Scheduled Database Backups – automatic backup, or by hand on the Backups tab
– Notice: it is really only a DB backup
• File Change Detection
– File Change Detection - Enable File Change detection
– Split File Scanning - Split file checking into chunks – consumes less RAM, generates more mails
– Files and Folders List – exclude the folder containing the cache when you use a caching plugin
• Hide Login Area
– Hide Backend - Enable the hide backend feature – redirect /wp-admin to a different URL
– Login Slug – new address, e.g. admin5547
– Enable Theme Compatibility - Enable theme compatibility – turn on if the redirection causes problems with some plugins
iThemes Security - configuration
• Malware Scanning
– Enable Malware scanning - API key from VirusTotal.com – you can check your homepage against about 60 blacklists (Sucuri SiteCheck, Google Safe Browsing, ...)
• Secure Socket Layers (SSL)
– Enforce https to access the administration – check that https really works before enabling this option
• Strong Passwords
– Strong Passwords - Enable strong password enforcement – new passwords must be strong
– Select Role for Strong Passwords – set to „Editor“ at least (an editor can put JS in comments)
iThemes Security - configuration
• System Tweaks
– System Files - Protect System Files – disallow access to sensitive files (readme.html, .htaccess, readme.txt)
– Suspicious Query Strings - Filter Suspicious Query Strings in the URL – prevents simple SQL injections (be careful with nginx, see the homework slide)
– Long URL Strings - Filter Long URL Strings – block very long URLs (over 255 chars) and URLs containing „eval“, „base64“ and „union select“ (like the Block Bad Queries (BBQ) plugin)
+ you should also add a rule to block URLs containing „wp-config.php“
– Non-English Characters - Filter Non-English Characters – not good for the Czech environment
– File Writing Permissions – set the right permissions for .htaccess and wp-config.php – it is better to do so by hand
– Uploads - Disable PHP in Uploads
iThemes Security - configuration
• System Tweaks
– Generator Meta Tag + Display Random Version – hide the WP version
– Windows Live Writer Header & EditURI Header – they are rarely used
– Comment Spam – check the comment origin (your web or wordpress.com), block comments from clients without a user-agent
– File Editor – similar to define('DISALLOW_FILE_EDIT', true); in wp-config.php
– XML-RPC - "Completely Disable XMLRPC" disables all XML-RPC requests, e.g. trackbacks (if you want to use trackbacks securely, try https://wordpress.org/plugins/simple-trackback-validation-with-topsy-blocker/)
– Login Error Messages – hide the „wrong password“ notice
– Force Unique Nickname – prevent users from using the same login and „real“ name
– Disable Extra User Archives – hide the author archives of users without posts (e.g. admins)
iThemes Security – advanced
• Advanced
– Admin user – tool to change the admin login name
• A better way is to create a new admin user
• Log in as the new user and delete the old admin user (there will be a form to move the content under the new user)
– Change content directory – renames wp-content; may cause some trouble and brings only little benefit (the renamed folder is visible in the HTML source)
– Change database prefix – tool to change the default table prefix wp_ to something else (to prevent some kinds of automated attacks)
iThemes Security – homework
Suspicious Query Strings in nginx (the iThemes rule set ported to nginx; the original exception lines used !~, which reset $susquery to 0 for every request that did NOT match, i.e. they whitelisted everything – corrected to ~* below, and the regex dots are escaped):
set $susquery 0;
if ($args ~* "wp-config\.php") { set $susquery 1; } # also blocks attempts to download wp-config.php
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot\.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;|%24&x)") { set $susquery 1; }
if ($args ~* "(127\.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
# Exceptions: legitimate WP requests that would otherwise trip the rules above
if ($args ~* "^loggedout=true") { set $susquery 0; }
if ($args ~* "^action=jetpack-sso") { set $susquery 0; }
if ($args ~* "^action=rp") { set $susquery 0; }
if ($http_cookie ~* "^.*wordpress_logged_in_.*$") { set $susquery 0; }
if ($http_referer ~* "^http://maps.googleapis.com(.*)$") { set $susquery 0; }
if ($susquery = 1) { return 403; }
Block queries to download wp-config.php in .htaccess (put it in front of the iThemes Suspicious Query Strings conditions; the [OR] chains it with them):
RewriteCond %{QUERY_STRING} wp-config.php [NC,OR]
iThemes Security – homework
Better version hiding:
functions.php / plugin in mu-plugins:
<?php
function remove_wp_version() { return ''; }
add_filter('the_generator', 'remove_wp_version');
Off topic: MU-plugins (Must Use Plugins)
There is a special folder: /wp-content/mu-plugins
Scripts/plugins in this folder are loaded every time; you cannot disable them in the administration. It is useful for some security settings, e.g. automatic updates of plugins and themes:
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
Users
User and admin behavior – strong passwords, connect from trusted networks only, backup, ant­ivirus software, certificate checking, phishing-proof
Tips for WP admins
• Use HTTPS in the administration
– https://wordpress.org/plugins/wordpress-https/
– VPN is also a good choice
• Backup regularly – both files and database
• Don't test plugins in the production environment
• Remove unnecessary stuff (users, themes, plugins, content)
• Set up appropriate permissions for your users
• Use tools for bulk management if you administer more WP sites (InfiniteWP, ManageWP); for a smaller number of sites use the WP Updates Notifier plugin
• Maintain a list of all used plugins and themes
• If somebody tells you „don't update this“, ask „Why?“ – there is usually no serious reason! (if somebody made changes in the original files, ask them for a patch file)
Tips for everyone
• Use strong passwords (use a password manager, e.g. KeePass)
• Beware of bad certificates
• Use good and updated antivirus software
• Don't use unknown Wi-Fi
• Delete all saved unprotected Wi-Fi networks from your cellphone/tablet/laptop
• Don't believe everything that comes by mail
Useful sites
• https://www.owasp.org/
• https://wpvulndb.com/
• http://blog.sucuri.net/
• http://packetstormsecurity.com/
• http://www.rankwp.com/
Homework due tomorrow
□ Check for vulnerable plugins
□ Check hashes in wp-config.php
□ Make a backup
□ Remove unnecessary plugins
□ Remove unnecessary themes (keep one default template and the parent theme if used)
□ Lower user rights if they don't need them
□ Update everything possible
And that's all, folks
Update, backup, use security plugin, be careful
Also check my research about WP in the Czech Republic!

 

Viewers also liked (20)

Xubuntu with a *pure* debian base from scratch
Xubuntu with a *pure* debian base from scratchXubuntu with a *pure* debian base from scratch
Xubuntu with a *pure* debian base from scratch
 
WordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPressWordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPress
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
Nejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webůNejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webů
 
数据分析组14 15
数据分析组14 15数据分析组14 15
数据分析组14 15
 
搜狐 窦喆 Sohu-sagent
搜狐 窦喆 Sohu-sagent搜狐 窦喆 Sohu-sagent
搜狐 窦喆 Sohu-sagent
 
5.多角度对抗 waf 的思路与实例
5.多角度对抗 waf 的思路与实例5.多角度对抗 waf 的思路与实例
5.多角度对抗 waf 的思路与实例
 
美团点评技术沙龙08 - 分布式监控系统实践
美团点评技术沙龙08 - 分布式监控系统实践美团点评技术沙龙08 - 分布式监控系统实践
美团点评技术沙龙08 - 分布式监控系统实践
 
7.唯品会安全建设与风控杂谈
7.唯品会安全建设与风控杂谈7.唯品会安全建设与风控杂谈
7.唯品会安全建设与风控杂谈
 
肖康:Storm在实时网络攻击检测和分析的应用与改进
肖康:Storm在实时网络攻击检测和分析的应用与改进肖康:Storm在实时网络攻击检测和分析的应用与改进
肖康:Storm在实时网络攻击检测和分析的应用与改进
 
The Secrets to Get New & Repeat Sales in Furniture and Furnishings Industry
The Secrets to Get New & Repeat Sales in Furniture and Furnishings IndustryThe Secrets to Get New & Repeat Sales in Furniture and Furnishings Industry
The Secrets to Get New & Repeat Sales in Furniture and Furnishings Industry
 
阿里云 张旭 集群运维管理平台
阿里云 张旭 集群运维管理平台阿里云 张旭 集群运维管理平台
阿里云 张旭 集群运维管理平台
 
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
 
分布式監控系統的容器化變遷與 CI/CD 實踐
分布式監控系統的容器化變遷與 CI/CD 實踐 分布式監控系統的容器化變遷與 CI/CD 實踐
分布式監控系統的容器化變遷與 CI/CD 實踐
 
构建高可用数据库监控系统
构建高可用数据库监控系统构建高可用数据库监控系统
构建高可用数据库监控系统
 
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
 
Red Hat Storage Day New York - QCT: Avoid the mess, deploy with a validated s...
Red Hat Storage Day New York - QCT: Avoid the mess, deploy with a validated s...Red Hat Storage Day New York - QCT: Avoid the mess, deploy with a validated s...
Red Hat Storage Day New York - QCT: Avoid the mess, deploy with a validated s...
 
Red Hat Storage Day Boston - Red Hat Gluster Storage vs. Traditional Storage ...
Red Hat Storage Day Boston - Red Hat Gluster Storage vs. Traditional Storage ...Red Hat Storage Day Boston - Red Hat Gluster Storage vs. Traditional Storage ...
Red Hat Storage Day Boston - Red Hat Gluster Storage vs. Traditional Storage ...
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 

Similar to WordPress security for everyone

Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup   ehermits - how to keep your blog from being hacked 2012Neo word press meetup   ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMICF CIRCUIT
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web serverwebhostingguy
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web serverwebhostingguy
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?Daniel Kanchev
 

Similar to WordPress security for everyone (20)

Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup   ehermits - how to keep your blog from being hacked 2012Neo word press meetup   ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEM
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web server
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web server
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?
 

More from Vladimír Smitka

Google Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressGoogle Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressVladimír Smitka
 
WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!Vladimír Smitka
 
Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Vladimír Smitka
 
Hesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPHesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPVladimír Smitka
 
Drobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazDrobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazVladimír Smitka
 
Sysops tipy pro lepší WP
Sysops tipy pro lepší WPSysops tipy pro lepší WP
Sysops tipy pro lepší WPVladimír Smitka
 
Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovVladimír Smitka
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný webVladimír Smitka
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnostiVladimír Smitka
 
WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3Vladimír Smitka
 
WP výkon a jeho profilování
WP výkon a jeho profilováníWP výkon a jeho profilování
WP výkon a jeho profilováníVladimír Smitka
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyVladimír Smitka
 
České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)Vladimír Smitka
 

More from Vladimír Smitka (20)

Google Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressGoogle Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPress
 
WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!
 
Webmeetup #3
Webmeetup #3Webmeetup #3
Webmeetup #3
 
Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?
 
Hesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPHesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WP
 
WP Weekend 2018
WP Weekend 2018WP Weekend 2018
WP Weekend 2018
 
Drobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazDrobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vaz
 
Sysops tipy pro lepší WP
Sysops tipy pro lepší WPSysops tipy pro lepší WP
Sysops tipy pro lepší WP
 
Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webov
 
Http/2 vs Image Sprites
Http/2 vs Image SpritesHttp/2 vs Image Sprites
Http/2 vs Image Sprites
 
Ansible
AnsibleAnsible
Ansible
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný web
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnosti
 
Wordfence 2016
Wordfence 2016Wordfence 2016
Wordfence 2016
 
WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3
 
Instalace WordPress
Instalace WordPressInstalace WordPress
Instalace WordPress
 
WP výkon a jeho profilování
WP výkon a jeho profilováníWP výkon a jeho profilování
WP výkon a jeho profilování
 
Výkon WordPress
Výkon WordPressVýkon WordPress
Výkon WordPress
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníky
 
České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)
 

Recently uploaded

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

WordPress security for everyone

9. Facts
http://www.akamai.com/stateoftheinternet/
43% of attacks originate in China.
Do I need Chinese traffic? How about blocking the whole of China?
Block the USA? Rather not (search engines, CDN, …).
Block everything except the Czech Republic? Definitely not - IP geolocation isn‘t 100% accurate. Corporate users sometimes connect from a different country (proxy). And what about a vacation in a foreign country?
11. How to block China? – homework
List of IP addresses: http://www.ip2location.com/blockvisitorsbycountry.aspx
• iptables
  – Don‘t use the generated configuration from the previous link as-is – thousands of rules evaluated for every packet
  – iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL (CHINA_WALL is a user-defined chain holding the country's address ranges; only new connections are sent through it)
  – Advanced: optimization – split the ranges into more chains keyed by the first octets, so a packet traverses only a fraction of the rules
• .htaccess/nginx
• mod_geoIP
• Plugins (e.g. Premium Wordfence)
• HW box (WAF appliance, smarter firewall)
• Another possibility – redirect to a CAPTCHA instead of blocking

# mod_geoIP in the Apache server configuration
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
Deny from env=BlockCountry

# mod_geoIP in .htaccess (via mod_rewrite)
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|RU)$
RewriteRule ^(.*)$ - [F,L]
12. NEW WEB
NEWS: 1.4.2003 our new web is running!
13. User Development Priorities
Beauty – Must have, right?
Speed – After launch
Security – After incident
14. What happens if…
• the web is hacked? Loss of sensitive data, loss of trust, out of service, penalization
• the web is incredibly slow? Visitors are annoyed, search engines don‘t want to index your site
• there is no cool slider? Nothing?
15. Real priorities according to business impacts
1. Security
2. Speed
3. Beauty
17. Slider Revolution - LFI
• Version 4.1.4 and lower
• Allows downloading any source file
• Cause: the Ajax action is registered for all users (privileged and non-privileged alike)
• /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-slider-revolution-4-1-4
18. FancyBox for Wordpress - XSS
• Version 3.0.2 and lower
• Allows injecting foreign JavaScript into all pages
• Cause: using the admin_init hook without an appropriate privilege check (the hook fires on every request to the administration – admin-ajax.php, admin-post.php – which any visitor can send)
• /wp-admin/admin-ajax.php?page=fancybox-for-wordpress + variable mfbfw[padding]=</script><script>evil code</script>
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-fancybox-for-wordpress-3-0-2
19. Mail Poet – Upload PHP
• Version 2.6.8 and lower
• Allows uploading a PHP file and executing it
• Cause: misuse of admin_init again + use of $_REQUEST in the first patch
• /wp-admin/admin-post.php?page=wysija_campaigns&action=themeupload + variable my-theme = evil zip file
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-mail-poet-2-6-8
  • 20. http://lynt.cz Wordpress Video Gallery - SQLi • Version 2.7 • SQL injection – enable to get any data from database • Cause: Insufficient user inputs sanitization • /wp-admin/admin- ajax.php?action=rss&type=video&vid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21, 22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,3 9 FROM wp_users ;-- • Details (CZ): http://lynt.cz/blog/zranitelnost-ve- wordpress-pluginu-wordpress-video-gallery-2-7 27. 5. 2015 20
  • 21. http://lynt.cz Wordpress 3.9.2 - XSS „Wordpress version 3.9.2 is safe.“ Vladimír Smitka, 4th WP community conference, December 2014 27. 5. 2015 21 „Secure today != secure tomorrow.“ Vladimír Smitka, 4th WP community conference, December 2014 • Allowed HTML tags bypass in comments • [<blockquote cite="]">[" onmouseover="alert('evil!'); " style="background-color:red;position:absolute;top:0; left:0;height:100%;width:100%;"][<a href="]>hi there
  • 22. What might reduce impacts?
    • Turn off PHP processing in /wp-content/uploads – .htaccess in this folder:
        php_flag engine off
      Different option:
        <FilesMatch .php$>
          Order allow,deny
          Deny from all
        </FilesMatch>
    • Updates
    • Block requests including "wp-config.php" – global .htaccess:
        RewriteCond %{QUERY_STRING} wp-config.php
        RewriteRule ^(.*)$ - [F,L]
  • 23. How do I know that I also use a vulnerable plugin?
    • Read all the news
    • Plugin Vulnerabilities
    • https://wordpress.org/plugins/plugin-vulnerabilities/
  • 24. How does the attacker know that you use a vulnerable plugin?
    • He performs reconnaissance
    • WPScan – a very popular tool for it
  • 26. Recovery after infection
    • Restoring from a clean backup
      – Delete everything and upload clean data from the backup
    • Reinstall + disinfection by hand
      – FAR
    • If all PHP files were infected by the same evil code
      – SQL dump examination
    • Try to find <iframe, <script, x-shockwave-flash, eval, base64_decode, gzip_, preg_replace
    • Try to identify the evil ones
    • Malware removal isn't the final solution!
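    The "disinfection by hand" step above, as an added example that is not from the slides: a small triage scanner that walks a WordPress tree, lists PHP files containing the constructs named on the slide, and counts how many files start with the same suspicious line (an injector usually prepends one identical payload everywhere). The sample tree, file names and placeholder payload are constructed here for the demonstration.

```python
"""Added example (not from the slides): PHP triage scanner for the
"disinfection by hand" step, run on a constructed sample tree."""
import os
import re
import tempfile
from collections import Counter

# Constructs from the slide. Several are legitimate in real plugins (and
# "eval" also matches "retrieval"), so a hit is a lead for review, not proof.
SUSPICIOUS = ["<iframe", "<script", "x-shockwave-flash", "eval",
              "base64_decode", "gzip_", "preg_replace"]
PATTERN = re.compile("|".join(re.escape(s) for s in SUSPICIOUS), re.I)

def scan_file(path):
    """Return the distinct suspicious constructs found in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sorted({m.group(0).lower() for m in PATTERN.finditer(fh.read())})

def scan_tree(root):
    """Map each flagged PHP file (path relative to root) to its constructs."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits

def common_payloads(root, hits):
    """Count the first suspicious line of every flagged file; a count above 1
    means the same code was injected into several files."""
    counter = Counter()
    for rel in hits:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if PATTERN.search(line):
                    counter[line.strip()] += 1
                    break
    return counter

def build_sample_site():
    """Construct a tiny fake install in a temp dir: one clean file and two
    files with the same prepended line (placeholder text, not real malware)."""
    root = tempfile.mkdtemp(prefix="wp_triage_")
    os.makedirs(os.path.join(root, "wp-content", "themes", "x"))
    injected = "<?php eval(base64_decode('PLACEHOLDER')); ?>"
    files = {
        "index.php": injected + "\n<?php require 'wp-blog-header.php';\n",
        "wp-content/themes/x/header.php": injected + "\n<?php wp_head(); ?>\n",
        "wp-settings.php": "<?php // clean file\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    site = build_sample_site()
    hits = scan_tree(site)
    for rel, constructs in sorted(hits.items()):
        print(rel, constructs)
    for line, n in common_payloads(site, hits).most_common():
        print(n, "files start with:", line)
```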
  • 28. Checklist
    • Disinfection, eliminate the cause (update)
    • Change FTP password
    • Change DB password
    • Change user passwords
    • New salts: https://api.wordpress.org/secret-key/1.1/salt/
      – WP before 3.1: define('AUTH_SALT', 'put your unique phrase here');
    • Check files with a security plugin (Wordfence, Sucuri Scanner)
  • 29. Backup
    "Backup is the alpha and omega of computing"
    • By hand – Sometimes I copy everything somewhere. Not ideal but better than nothing.
    • By server – Unattended – the ideal situation (ask your web hoster).
    • By plugin – Also a good solution, it can provide some benefits.
  • 30. Backup plugins
    • BackWPup
      – Only backup – no automatic recovery
      – Backup to more places
      – You can trigger the backup by an external request
    • UpdraftPlus
      – Backup & recovery
      – Only one place (but there is a Pro version available)
    • BackupBuddy
      – Not free
      – Complete solution (migration, per-file recovery, …)
  • 31. How to back up via plugin
    • External storage is better
    • If local storage:
      – Check that backups aren't accessible from a web browser
      – Check that the folder with backups is excluded from the backup (backup loop)
    • Backup scheduling
      – WP-Cron – in almost all plugins; it is triggered only if there is some traffic (you can check settings via the Crontrol plugin)
      – External trigger – preferred way (server's cron, minicron, cron service e.g. http://www.webcron.org/, https://www.setcronjob.com, https://www.easycron.com)
    • Email notification after backup
  • 33. Power!
    [Image slide] Jeremy Clarkson
  • 34. How to improve security by performance?
    • WP Super Cache – prevents (D)DoS attacks which consume all resources – dynamic pages to static
    • Autoptimize – hides "revealing" JS and CSS – reduces HTTP requests
    • Side effects: faster site, happier visitors, tastier SEO
  • 35. Security Chain
    [Diagram: Internet → HTTP Server (Apache/Nginx) → PHP, with log; repeated on the following slides]
    What can affect security?
  • 36. Cloud
    Cloud security services (WAF) – the attack is blocked before it reaches the server. Block badly behaving IPs, common exploits, DDoS, …
    Incapsula, Sucuri, CloudFlare
  • 37. Webhoster
    Security appliance/firewall – some provide another security level, some don't. Reduce DDoS impact, block some kinds of network attacks, etc.
  • 38. Server
    Firewall, WAF, configuration – block some network attacks, IP addresses (whole ranges, countries)
    WAF – block exploits (XSS, SQLi, …) – mod_security, naxsi
    Restrict file permissions, detect file changes
    Backups
  • 39. Server – homework
    • Detecting changes in PHP files during the last 24 hours:
        find /srv/htdocs/my_web/ -name '*.php' -type f -mtime -1 > output ; mail -s "Today changes" "vladimir.smitka@lynt.cz" < output
    • Permissions by All In One WP Security:
        root directory        755
        wp-includes/          755
        .htaccess             644
        wp-admin/index.php    644
        wp-admin/js/          755
        wp-content/themes/    755
        wp-content/plugins/   755
        wp-admin/             755
        wp-content/           755
        wp-config.php         644
    • Another country IP list: http://www.iwik.org/ipcountry/
    • Basic mod_security settings for WP: http://blog.erben.sk/2015/02/11/protecting-wordpress-with-mod-security/
  • 40. HTTP Server & PHP
    HTTP server & PHP configuration – site isolation on shared hosting, filter suspicious URLs, restricting access, HTTPS enforcing, block countries (mod_geoip), logging
  • 41. Log analytics
    Realtime log analytics – if something strange happens you can perform actions. One log record isn't a clue.
    Logstash, ElasticSearch, Kibana
  • 42. Realtime log analytics - example
    [Screenshot] Something wrong?
  • 43. Countermeasure
    Actions – block after many logged 404s (scanning), many failed logins, … Ban in the firewall, notify
    Fail2Ban
  • 44. Fail2Ban – homework
    • Fail2Ban can replace some functions of security plugins – brute force/404 detection
    • filter.d/wp-auth.conf
        # WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
        #
        # Block IPs trying to auth wp wordpress
        #
        # Matches e.g.
        # 178.63.72.184 - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
        [Definition]
        failregex = ^<HOST> .* "POST /wp-login.php
    • jail.conf
        [wp-auth]
        enabled = true
        filter = wp-auth
        action = iptables-multiport[name=wp-auth, port="http,https", protocol=tcp]
                 sendmail-whois[name=WPauth, dest=vladimir.smitka@lynt.cz, sendername="Fail2Ban"]
        logpath = /var/log/wordpress/access.*.log
    • Be careful with logrotate – /usr/bin/fail2ban-client reload wp-auth
    • To log failed WP logins: https://wordpress.org/plugins/wp-fail2ban/
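    The wp-auth filter above, modelled in plain Python as an added example (not from the slides or from Fail2Ban itself): it applies the same "POST /wp-login.php" match per source IP inside a sliding window, the way Fail2Ban combines failregex with maxretry and findtime, and returns the IPs that would be banned. The log lines, the IPs and the threshold values (maxretry=5, findtime=600) are constructed assumptions; set the thresholds to match your own jail.

```python
"""Added example (not from the slides): wp-auth brute-force detection in
Python, run over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Same idea as failregex = ^<HOST> .* "POST /wp-login.php; Fail2Ban expands
# <HOST> to an IP pattern, and the timestamp is captured for the time window.
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .* \[(?P<ts>[^\]]+)\] "POST /wp-login.php'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime) for a line the filter matches, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)

def find_bans(lines, maxretry=5, findtime=600):
    """Assumed jail settings: ban after `maxretry` matches within `findtime`
    seconds. Returns {ip: time_of_ban} for every host that crossed the line."""
    recent = defaultdict(deque)   # per-IP timestamps inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in banned:
            continue
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop matches older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample log: a slow poster (192.0.2.9), a burst of five login
# POSTs from 203.0.113.5, and a legitimate editor (198.51.100.7).
SAMPLE_LOG = [
    '192.0.2.9 - - [16/Oct/2014:11:30:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '203.0.113.5 - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '203.0.113.5 - - [16/Oct/2014:11:40:52 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '203.0.113.5 - - [16/Oct/2014:11:40:54 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '203.0.113.5 - - [16/Oct/2014:11:40:56 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '203.0.113.5 - - [16/Oct/2014:11:40:58 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '198.51.100.7 - - [16/Oct/2014:11:41:00 +0200] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Oct/2014:11:41:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [16/Oct/2014:11:45:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
    '192.0.2.9 - - [16/Oct/2014:12:00:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"',
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print("ban", ip, "at", when.strftime("%H:%M:%S"))   # ban 203.0.113.5 at 11:40:58
```

    Note that the filter counts every POST to wp-login.php, successful or not; the wp-fail2ban plugin linked on the slide is what makes failed logins distinguishable in the log.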
  • 45. WordPress settings
    Good WP settings – everything is updated, well-written plugins, usage of a security plugin (blocks access to the administration, scanning attempts, dangerous URLs; monitors files for changes, searches for malware, hides some sensitive data)
    iThemes Security, All in One WP Security & Firewall, Wordfence
  • 47. WordFence
    • Active protection
    • Bot detection, traffic limiting (HTTP 503)
    • Live traffic
    • Scan – files, common infections, blacklists
    • Notify about updates
    • Cache
    • + Naturally:
      – File change detection
      – Brute force protection
      – 404 limitation
      – Blocking spam in comments
  • 48. WordFence – after installation
    Level 2: failed login limits, more notifications
    Level 3: traffic limiting
    Level 4: more traffic limiting, block invalid user names
  • 49. WordFence – Live Traffic
  • 50. WordFence – change detection
  • 51. WordFence – traffic limitation
  • 52. WordFence – login security
    Tip: block username discovery via .htaccess:
        RewriteCond %{QUERY_STRING} author=
        RewriteRule ^(.*)$ http://screw.you? [L,R=301]
  • 53. WordFence – other options
  • 54. WordFence – other options
  • 55. WordFence Premium – Country blocking
  • 56. WordFence Premium – other
    • Better spam protection
    • Early warning during scan
    • 2-factor authentication via SMS: "Your Wordfence code is ABCDEF." – password + space + code
      – Better solution: WP Google Authenticator
    • Scan scheduling – more frequent scans, triggered externally
  • 58. iThemes Security
    • Prevention
    • Hides the administration, changes the DB prefix
    • Evil URL filter
    • + Naturally:
      – Brute force protection, 404 limitation
      – File change detection
      – Comment spam reduction
  • 59. iThemes Security – after installation
    One-Click – failed login limit, strong password enforcing, hides some sensitive information
  • 60. iThemes Security – API Key
  • 61. iThemes Security - dashboard
  • 62. iThemes Security - configuration
    • Global Settings
      – Write to Files – Allow iThemes Security to write to wp-config.php and .htaccess – if disabled, I can copy the config from the dashboard to the relevant files by hand
      – Lockout White List – set my IP to prevent lockout
      – Log Type – Database Only (small sites, available from the administration), File Only (large sites, it can be used in Fail2Ban)
      – Path to Log Files – set a path outside the web root if possible
    • 404 detection
      – Enable 404 detection – blocks scanning for vulnerabilities
    (RED = important settings)
  • 63. iThemes Security - configuration
    • Away Mode – e.g. to disable the administration outside working hours
    • Banned Users
      – Default Blacklist – Enable HackRepair.com's blacklist feature – adds known badly behaving user agents to .htaccess
      – Enable Ban Users – ban IPs and user agents by hand (it is also connected to Enable Blacklist Repeat Offender in Global Settings)
  • 64. iThemes Security - configuration
    • Brute Force Protection
      – Get your iThemes Brute Force Protection API Key – access to the global IP blacklist by iThemes.com
      – Enable iThemes Brute Force Network Protection – to use the global blacklist
      – Enable local brute force protection – block attempts to guess passwords (table _itsec_lockouts in the DB)
      – Automatically ban "admin" user – immediately ban a host that attempts to log in using the "admin" username – a good honeypot trick
  • 65. iThemes Security - configuration
    • Database Backups
      – Backup Method – Email Only, Save Locally Only – if it is possible to save backup files to a publicly inaccessible folder (Backup Location)
      – Schedule Database Backups – Enable Scheduled Database Backups – automatic backup/by hand on the Backups tab
      – Notice: it is really only a DB backup
    • File Change Detection
      – File Change Detection – Enable File Change Detection
      – Split File Scanning – Split file checking into chunks – consumes less RAM, generates more mails
      – Files and Folders List – exclude the folder containing the cache when you use a caching plugin
    • Hide Login Area
      – Hide Backend – Enable the hide backend feature – redirects /wp-admin to a different URL
      – Login Slug – new address, e.g. admin5547
      – Enable Theme Compatibility – turn on if the redirection caused problems with some plugins
  • 66. iThemes Security - configuration
    • Malware Scanning
      – Enable Malware Scanning – API key from VirusTotal.com – you can check your homepage against about 60 blacklists (Sucuri SiteCheck, Google Safe Browsing, …)
    • Secure Socket Layers (SSL)
      – Enforce HTTPS for access to the administration – check that HTTPS is really available before enabling this option
    • Strong Passwords
      – Strong Passwords – Enable strong password enforcement – new passwords must be strong
      – Select Role for Strong Passwords – set to "Editor" at least (he can put JS in comments)
  • 67. iThemes Security - configuration
    • System Tweaks
      – System Files – Protect System Files – disallow access to sensitive files (readme.html, .htaccess, readme.txt)
      – Suspicious Query Strings – Filter Suspicious Query Strings in the URL – prevents simple SQL injections (be careful with nginx, see next slides)
      – Long URL Strings – Filter Long URL Strings – block very long URLs (over 255 chars) and URLs containing "eval", "base64" and "union select" (like the Block Bad Queries (BBQ) plugin) + you should also add a rule to block URLs containing "wp-config.php"
      – Non-English Characters – Filter Non-English Characters – not good for the Czech environment
      – File Writing Permissions – set the right permissions for .htaccess and wp-config.php – it is better to do so by hand
      – Uploads – Disable PHP in Uploads
  • 68. iThemes Security - configuration
    • System Tweaks
      – Generator Meta Tag + Display Random Version – hide the WP version
      – Windows Live Writer Header & EditURI Header – they are used rarely
      – Comment Spam – check the comment origin (your web or wordpress.com), block comments from clients without a user agent
      – File Editor – similar to define('DISALLOW_FILE_EDIT', true); in wp-config.php
      – XML-RPC – "Completely Disable XMLRPC" disables all XML-RPC requests, e.g. trackbacks (if you want to use trackbacks securely, try https://wordpress.org/plugins/simple-trackback-validation-with-topsy-blocker/)
      – Login Error Messages – hide the "wrong password" notice
      – Force Unique Nickname – prevent users from using the same login and "real" name
      – Disable Extra User Archives – hide users without posts (e.g. admins)
  • 69. iThemes Security – advanced
    • Advanced
      – Admin user – tool to change the admin login name
        • The better way is to create a new admin user
        • Log in as him and delete the old admin user (there will be a form to move content under the new user)
      – Change content directory – rename wp-content; may cause some trouble and brings only little benefit (you can see the renamed folder in the HTML source)
      – Change database prefix – tool to change the default table prefix wp_ to something else (to prevent some kinds of automated attacks)
  • 70. iThemes Security – homework
    Suspicious Query Strings in Nginx:
        set $susquery 0;
        if ($args ~* "wp-config.php") { set $susquery 1; }  # + block query to download wp-config.php
        if ($args ~* "../") { set $susquery 1; }
        if ($args ~* ".(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
        if ($args ~* "etc/passwd") { set $susquery 1; }
        if ($args ~* "boot.ini") { set $susquery 1; }
        if ($args ~* "ftp:") { set $susquery 1; }
        if ($args ~* "http:") { set $susquery 1; }
        if ($args ~* "https:") { set $susquery 1; }
        if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
        if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
        if ($args ~* "base64_encode") { set $susquery 1; }
        if ($args ~* "(%24&x)") { set $susquery 1; }
        if ($args ~* "(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;|%24&x)") { set $susquery 1; }
        if ($args ~* "(127.0)") { set $susquery 1; }
        if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
        if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
        if ($args !~ "^loggedout=true") { set $susquery 0; }  # <= bad logic, correct: ~*
        if ($args !~ "^action=jetpack-sso") { set $susquery 0; }  # <= bad logic, correct: ~*
        if ($args !~ "^action=rp") { set $susquery 0; }  # <= bad logic, correct: ~*
        if ($http_cookie !~ "^.*wordpress_logged_in_.*$") { set $susquery 0; }  # <= bad logic, correct: ~*
        if ($http_referer !~ "^http://maps.googleapis.com(.*)$") { set $susquery 0; }  # <= bad logic, correct: ~*
        if ($susquery = 1) { return 403; }
    Block query to download wp-config.php in .htaccess:
        RewriteCond %{QUERY_STRING} wp-config.php [NC,OR]
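    Why the five `!~` lines marked "bad logic" above switch the whole filter off, as an added example that is not from the slides: a Python model of the rule evaluation. nginx `~*` is a case-insensitive regex match, `~` case-sensitive and `!~` the negation, so re.search reproduces each line with the patterns used exactly as written on the slide (unescaped dots included); the sample requests are constructed.

```python
"""Added example (not from the slides): model of the nginx $susquery rules,
comparing the slide's `!~` whitelist lines with the `~*` correction."""
import re

# The `if ($args ~* ...) { set $susquery 1; }` lines from the slide.
FLAG_PATTERNS = [
    r"wp-config.php", r"../", r".(bash|git|hg|log|svn|swp|cvs)", r"etc/passwd",
    r"boot.ini", r"ftp:", r"http:", r"https:", r"(<|%3C).*script.*(>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", r"base64_encode", r"(%24&x)",
    r"(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;|%24&x)", r"(127.0)",
    r"(globals|encode|localhost|loopback)",
    r"(request|insert|concat|union|declare)",
]
# Whitelist lines: (nginx variable, pattern). The slide applies them with `!~`,
# the corrected version with `~*`.
WHITELIST = [
    ("args", r"^loggedout=true"),
    ("args", r"^action=jetpack-sso"),
    ("args", r"^action=rp"),
    ("cookie", r"^.*wordpress_logged_in_.*$"),
    ("referer", r"^http://maps.googleapis.com(.*)$"),
]

def susquery(args, cookie="", referer="", fixed=False):
    """Return 1 if the request would reach `return 403`, else 0.
    fixed=False reproduces the slide's `!~` lines, fixed=True the `~*` fix."""
    flag = 0
    for pat in FLAG_PATTERNS:
        if re.search(pat, args, re.IGNORECASE):
            flag = 1
    values = {"args": args, "cookie": cookie, "referer": referer}
    for name, pat in WHITELIST:
        matched = re.search(pat, values[name], re.IGNORECASE if fixed else 0)
        # slide: `if ($var !~ pat) { set $susquery 0; }` resets on NO match, so
        # almost every request, attacks included, ends with $susquery 0.
        # fixed: `if ($var ~* pat) { set $susquery 0; }` resets only on a match.
        if (matched is not None) if fixed else (matched is None):
            flag = 0
    return flag

def compare(args, cookie="", referer=""):
    """(slide result, fixed result) for one request."""
    return (susquery(args, cookie, referer, fixed=False),
            susquery(args, cookie, referer, fixed=True))

if __name__ == "__main__":
    # Constructed requests: a path-traversal probe, a whitelisted logout URL,
    # and a logged-in user whose search term contains "union".
    print("probe    ", compare("file=../../etc/passwd"))                       # (0, 1)
    print("logout   ", compare("loggedout=true&redirect_to=http://x"))         # (0, 0)
    print("logged in", compare("s=union", cookie="wordpress_logged_in_a=1"))   # (0, 0)
```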
  • 71. iThemes Security – homework
    Better version hiding: functions.php / plugin in mu-plugins:
        function remove_wp_version() { return ''; }
        add_filter('the_generator', 'remove_wp_version');
    Off topic: MU-plugins (Must Use Plugins)
    There is a special folder: /wp-content/mu-plugins
    Scripts/plugins in this folder are loaded every time; you cannot disable them in the administration. It is useful for some security settings, e.g. automatic updates of plugins and themes:
        add_filter( 'auto_update_plugin', '__return_true' );
        add_filter( 'auto_update_theme', '__return_true' );
  • 72. Users
    User and admin behavior – strong passwords, connect from trusted networks only, backup, antivirus software, certificate checking, phishing-proof
  • 73. Tips for WP admins
    • Use HTTPS in the administration
      – https://wordpress.org/plugins/wordpress-https/
      – VPN is also a good choice
    • Back up regularly – both files and database
    • Don't test plugins in the production environment
    • Remove unnecessary stuff (users, themes, plugins, content)
    • Set up appropriate permissions for your users
    • Use tools for bulk management if you administer more WP sites (InfiniteWP, ManageWP); for a smaller number of sites use the WP Updates Notifier plugin
    • Maintain a list of all used plugins and themes
    • If somebody tells you "don't update this", ask "Why?" – there is usually no serious reason! (if somebody made some changes in the original files, ask him for a patch file)
  • 74. Tips for everyone
    • Use strong passwords (use a password manager, e.g. KeePass)
    • Be careful of bad certificates
    • Use good and updated antivirus software
    • Don't use unknown Wi-Fi
    • Delete all saved unprotected Wi-Fi networks from your cellphone/tablet/laptop
    • Don't believe everything that comes by mail
  • 75. Useful sites
    • https://www.owasp.org/
    • https://wpvulndb.com/
    • http://blog.sucuri.net/
    • http://packetstormsecurity.com/
    • http://www.rankwp.com/
  • 76. Homework due tomorrow
    □ Check for vulnerable plugins
    □ Check hashes in wp-config.php
    □ Make a backup
    □ Remove unnecessary plugins
    □ Remove unnecessary themes (keep one default template and the parent theme if used)
    □ Lower user rights if they don't need them
    □ Update everything possible
  • 77. And that's all, folks
    Update, backup, use a security plugin, be careful
    Also check my research about WP in the Czech Republic!

Editor's Notes

  1. 8 min
  2. 16 min
  3. 24 min
  4. 30 min
  5. 40 min