How to Protect WordPress

How to Protect WordPress is a presentation given by Syed Balkhi of WPBeginner at WordCamp Miami. This presentation explains how to take extra security measures and protect your WordPress from the inside out.

Published in: Technology, Business

  1. Syed Balkhi
     Founder of WPBeginner.com
     CEO of Uzzz Productions
     One Cool Person to know on the Web
  2. how to protect WordPress
  3. Worst Case Scenarios
  4. SQL Link Injection – Hackers inject spam links and files into your WordPress theme, plugin and other core files.
     You won’t even know because all links will be hidden using CSS (display:none).
     Your site will be dropped from Google, and you will lose your rankings, traffic, and revenue from that site.
     You Lose Your Entire Site
     A hacker hacks the site, deletes your entire database, and then you are left with nothing… (Robert Scoble).
  5. Protecting WordPress from the Inside Out
     here is a simple solution
  6.
  7. What type of WordPress User Are You?
     rent a house: no maintenance required (WordPress.com blogs)
     OR
     own a house: maintenance is your job (WordPress.org blogs)
  8. Basic Things That You Should Do
     They might seem repetitive because they are repetitive. But they are ESSENTIAL, so do it.
  9. Regular Database Backups
     Plugin: WP-DB-Backup
     Author: Austin Matzko
     http://wordpress.org/extend/plugins/wp-db-backup/
     You can schedule backups daily, weekly, hourly, and have them sent to your email.
     It is absolutely critical to have backups because you will have situations where you will need to restore your site. You never know when you will need it, so keep regular backups. I know many people who lost their blog due to a hacker attack and had to restore everything using RSS feeds. It is not FUN!! Get Gmail and set up your daily backups to go to a specific email account.
  10. Never use “admin” username
      If the hacker knows your username, he knows half the answer. (Don’t help him)
      Change the username in the MySQL database by running this query:
          update wp_users set user_login='yourusername' where user_login='admin';
      OR
      Create a new username (make it very unique).
      Assign the Administrator role to this new user.
      Log out from your admin account.
      Log back in as the new username and then delete the “admin” username.
  11. Use Security Keys
      Security keys ensure better encryption of your logged sessions. A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password.
      To add security keys, open your wp-config.php
      Visit this URL to get Security Keys: https://api.wordpress.org/secret-key/1.1/
      Find these lines:
          define('AUTH_KEY', 'put your unique phrase here');
          define('SECURE_AUTH_KEY', 'put your unique phrase here');
          define('LOGGED_IN_KEY', 'put your unique phrase here');
          define('NONCE_KEY', 'put your unique phrase here');
      And replace them with your new key:
          define('AUTH_KEY', '|ry:$5-`e}z:+^+6{-e;;SbrPq``|s$z=X&>ZbNnBmGOZ*L36e^,O[{]&TSU)~hC');
          define('SECURE_AUTH_KEY', 'GbZfHMi-0NuC7tc|,TQzV%2-9@0S?)APw[EW5$D>)|8m;9^5AO![@.eDg0-I>wWV');
          define('LOGGED_IN_KEY', 'QC^|p$*r]U$Zo[^hCL1}v|H@B^Z+EqYoT#[9YJ47D[x5B0to6,w>+-[[64H^xee`');
          define('NONCE_KEY', 'hy;DQ_kV ),}4IRYC.PykF2_K`&2Y**Z8TnGMz=:_AP*kx|Hz~5miOia{,A-xm4(');
  12. Keep your WordPress & Plugins Updated
      Keep all your core files and plugins up to date. Even though there are sometimes quick releases, those are only for security reasons.
      Don’t be lazy: update your site. It only requires one CLICK to upgrade the WordPress installation or plugins.
      After each security patch release, WordPress explains to users why that release was made, and mentions the loophole, which is then open to everyone (HACKERS). They can use that information and your laziness to their advantage and hack your site.
      Are you afraid that your plugins would not work? That problem is also solved now that there is a compatibility meter in the WordPress plugin database.
  13. Use Strong Passwords
      Use letters (both uppercase and lowercase), numbers, and symbols, and make the password at least 10 characters long; it should take a super smart computer at least 59 years to crack.
      Chart from: http://www.blogussion.com/blogging-tips/580-million-years-hacker/
  14. Folder/File Permission
      Good rule of thumb to start with:
      Folder Permission (CHMOD 755)
      File Permission (CHMOD 644)
      If these do not work for some plugins or hinder you from uploading a file, then increase the permissions, such as 775 or 777.
      It varies with the server configuration. On Host Gator servers plugins will not give you a hard time about changing permissions, but on more secured servers like Media Temple you will have to change file and folder permissions for some plugins to work.
  15. How to Change Permissions via FTP
      You will need to right-click on the folder and look for either properties or file permission (it varies for each software).
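
For sites with shell access, the same 755/644 rule of thumb can be audited and applied from the command line. This is an added example, not part of the original slides; the function names and the throwaway demo tree are constructed, and it lists entries that have drifted to world-writable modes such as the 777 fallback mentioned above.

```shell
#!/bin/sh
# Added example (not from the slides): audit and reset permissions under
# a WordPress directory. All paths in the demo are constructed.

# Entries writable by "other" (777 directories, 666 files, ...).
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print | sort
}

# Entries that differ from the slide's baseline (755 dirs, 644 files).
list_off_baseline() {
    { find "$1" -type d ! -perm 755 -print
      find "$1" -type f ! -perm 644 -print; } | sort
}

# Reset the whole tree to the baseline. Symlinks are left alone.
apply_baseline() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo on a throwaway tree (constructed sample, not a real site).
demo_permissions() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    : > "$root/wp-config.php"; : > "$root/index.php"
    chmod 755 "$root" "$root/wp-content" "$root/wp-admin"
    chmod 777 "$root/wp-content/uploads"   # loosened for a plugin
    chmod 666 "$root/wp-config.php"        # file that holds DB credentials
    chmod 644 "$root/index.php"
    echo "world-writable before:"; list_world_writable "$root"
    apply_baseline "$root"
    echo "off-baseline after: $(list_off_baseline "$root" | wc -l)"
    rm -rf "$root"
}
demo_permissions
```

Run `list_off_baseline` first on a live site and review the output before calling `apply_baseline`, since some plugins may depend on the looser modes.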
  16. Remove WP Version Number from Header
      Hackers can see your WordPress version number by viewing the source of your website. They can identify the sites that are not upgraded and are still vulnerable.
      To remove the version number, open functions.php in your theme's folder:
          // Return an empty string wherever WordPress would print its generator tag.
          function wordpress_remove_version() {
              return '';
          }
          add_filter('the_generator', 'wordpress_remove_version');
      This will remove the WordPress version number not just from your site’s header but also from your WordPress RSS feed headers (thanks to Mark Jaquith for bringing this to my attention).
      Remember you won’t have to do this if you simply upgrade to the latest version.
  17. Some Cool Tricks
      Just like the one in this picture, except safer.
  18. Move wp-config.php file
      Starting from WordPress 2.6, you can now move your wp-config.php file to one directory above the current location.
      If your wp-config.php file is located at:
          /public_html/wordpress/wp-config.php
      Then you can move it to:
          /public_html/wp-config.php
      WordPress automatically checks the parent directory if wp-config.php is not found in the root directory.
  19. Force SSL Login and Admin Access
      You can log in to WordPress through an encrypted channel with SSL, meaning your session URLs will have https://. You must confirm with your web host that you have Shared SSL, or that you own an SSL certificate.
      Open your wp-config.php file and add this code to force SSL (https) with logins:
          define('FORCE_SSL_LOGIN', true);
      Open your wp-config.php file and add this code to force SSL (https) on all admin pages & logins:
          define('FORCE_SSL_ADMIN', true);
      *I recommend using the second option because in this method, passwords and cookies from both logins and admin access are never sent in the clear. Some people prefer the first one only because SSL is somewhat slower than sites with no SSL on the backend (not if you have good servers).
      If you don’t have an SSL certificate, use this plugin called Semisecure Login. (JS Required)
      http://wordpress.org/extend/plugins/semisecure-login-reimagined/
  20. Limited Access to wp-admin directory via .htaccess
      Create a .htaccess file in your wp-admin directory!
      Add the following code and upload the file:
          AuthUserFile /dev/null
          AuthGroupFile /dev/null
          AuthName "WordPress Admin Access Control"
          AuthType Basic
          order deny,allow
          deny from all
          # whitelist Syed's IP address
          allow from xx.xx.xx.xxx
          # whitelist WordCampMiami IP address
          allow from xx.xx.xx.xxx
          # whitelist WordCampMiami Hotel IP address
          allow from xx.xx.xx.xxx
      Only users with IP addresses mentioned in this file will be able to see the wp-admin folder, no one else.
  21. Remove Error Message from the Login Page
      Insert the following code in your theme's functions.php file:
          // Replace the login error text with nothing.
          // An anonymous function is used because create_function() was removed in PHP 8.0.
          add_filter('login_errors', function ($a) { return null; });
      Secure WordPress Plugin can do this as well - http://wordpress.org/extend/plugins/secure-wordpress/
      Don’t help the hacker, make him work for it.
  22. Change WordPress Table Prefix
      Everyone knows the default table prefix is wp_, so hackers usually try to do SQL injection in the tables with the wp_ prefix. But if they do not know the table prefix, it is harder for them.
      Before installing WordPress, edit your wp-config.php file and change the table prefix to something unique instead of wp_
          $table_prefix = 'w0rdpr3ssjim_';
      If you didn’t do this when installing, and you want to do it now, it requires a few extra steps.
  23. Change WordPress Table Prefix
      - First change the prefix in the wp-config.php file.
      - Log in to your MySQL database using phpMyAdmin and run this SQL query:
            RENAME TABLE wp_comments TO w0rdpr3ssjim_comments;
            RENAME TABLE wp_links TO w0rdpr3ssjim_links;
            RENAME TABLE wp_options TO w0rdpr3ssjim_options;
            RENAME TABLE wp_postmeta TO w0rdpr3ssjim_postmeta;
            RENAME TABLE wp_posts TO w0rdpr3ssjim_posts;
            RENAME TABLE wp_terms TO w0rdpr3ssjim_terms;
            RENAME TABLE wp_term_relationships TO w0rdpr3ssjim_term_relationships;
            RENAME TABLE wp_term_taxonomy TO w0rdpr3ssjim_term_taxonomy;
            RENAME TABLE wp_usermeta TO w0rdpr3ssjim_usermeta;
            RENAME TABLE wp_users TO w0rdpr3ssjim_users;
      - Browse the w0rdpr3ssjim_options table and change option_id 94, wp_user_roles, to w0rdpr3ssjim_user_roles.
      - Browse w0rdpr3ssjim_usermeta and change the meta keys wp_capabilities and wp_user_level to w0rdpr3ssjim_capabilities and w0rdpr3ssjim_user_level.
      http://wpcanada.ca/2009/11/21/how-to-change-wordpress-table-prefix/
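
The whole prefix change above, including the two "browse and edit" steps, can be generated as one SQL script for any old and new prefix. This is an added example, not part of the original slides: `gen_prefix_sql` is a hypothetical helper, the table list is the one shown on the slide (an install with extra core or plugin tables needs them added), and the options row is matched by name rather than by option_id because ids differ between installs.

```shell
#!/bin/sh
# Added example (not from the slides): emit the SQL for a table-prefix
# change. gen_prefix_sql is a hypothetical helper name.

gen_prefix_sql() {
    old=$1 new=$2
    # The prefixes end up inside SQL identifiers and string literals,
    # so accept only letters, digits and underscore.
    for p in "$old" "$new"; do
        case $p in
            ''|*[!A-Za-z0-9_]*)
                echo "invalid prefix: $p" >&2
                return 1 ;;
        esac
    done
    # Tables listed on the slide.
    for t in comments links options postmeta posts terms \
             term_relationships term_taxonomy usermeta users; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # The roles option carries the prefix in its name.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # Per-user keys named on the slide that carry the prefix.
    for k in capabilities user_level; do
        printf "UPDATE \`%susermeta\` SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" \
            "$new" "$new" "$k" "$old" "$k"
    done
}

# Print the script for the prefix used on the slides.
gen_prefix_sql wp_ w0rdpr3ssjim_
```

Take a database backup first and change `$table_prefix` in wp-config.php in the same maintenance window, since the site cannot find its tables while the two are out of step.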
  26. Protect against Malicious URL Requests
      Copy and paste this code into a .php file, name it whatever you like, and upload it to your plugins directory /wp-content/plugins
          <?php
          /* Plugin Name: Block Bad Queries */
          global $user_ID;
          if ($user_ID) {
              if (!current_user_can('level_10')) {
                  // strpos() results are compared with false explicitly.
                  if (strlen($_SERVER['REQUEST_URI']) > 255
                      || strpos($_SERVER['REQUEST_URI'], "eval(") !== false
                      || strpos($_SERVER['REQUEST_URI'], "CONCAT") !== false
                      || strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") !== false
                      || strpos($_SERVER['REQUEST_URI'], "base64") !== false) {
                      // Refuse the request and close the connection.
                      @header("HTTP/1.1 414 Request-URI Too Long");
                      @header("Status: 414 Request-URI Too Long");
                      @header("Connection: Close");
                      @exit;
                  }
              }
          }
          ?>
      This script will check for long strings as well as base64 code, which was in the last attack, and the eval( code, which could be a threat in the future. Once active, this plugin will silently and effectively close any connections for these sorts of injection-type attacks.
      All credit goes to Jeff Starr from Perishable Press
      http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
  27. Useful Security Plugins
      Image by Pelfusion
  28. Login Lockdown
      Login LockDown records the IP address and timestamp of every failed login attempt. Once it reaches a certain number of failed attempts, it blocks the login access from that IP address for one hour (Default). You can change how many attempts, and times in settings.
      http://wordpress.org/extend/plugins/login-lockdown/
  29. WordPress File Monitor
      WordPress File Monitor plugin monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
      This is a life saver plugin because if there was a SQL injection in your site which was hidden with CSS, you probably will not find out for a good amount of time. With this plugin, you will know instantly.
      http://wordpress.org/extend/plugins/wordpress-file-monitor/
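
The added/deleted/changed detection described above can be reproduced with a hash baseline. This is an added example, not the plugin's code and not part of the original slides; the function names and demo files are constructed, and GNU `sha256sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the plugin's code): detect added, deleted and
# changed files by comparing two sha256 snapshots of a directory.

# Print "<sha256>  <path>" for every regular file under $1, sorted by path.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Compare a baseline snapshot file ($1) with a current one ($2).
compare_snapshots() {
    awk '
        # 64 hex digits, a two-character separator, then the path.
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1 }
        !(path in base)     { print "ADDED " path; next }
        base[path] != hash  { print "CHANGED " path }
        END { for (p in base) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | sort
}

# Demo on constructed files: a hidden link appended to a theme file,
# one unexpected new file, one file removed.
demo_monitor() {
    site=$(mktemp -d) || return 1
    state=$(mktemp -d) || return 1
    echo '<?php // theme footer' > "$site/footer.php"
    echo '<?php // old plugin'   > "$site/old-plugin.php"
    snapshot "$site" > "$state/baseline"
    echo '<div style="display:none"><a href="#">spam</a></div>' >> "$site/footer.php"
    echo '<?php // unexpected file' > "$site/new.php"
    rm "$site/old-plugin.php"
    snapshot "$site" > "$state/current"
    compare_snapshots "$state/baseline" "$state/current"
    rm -rf "$site" "$state"
}
demo_monitor
```

Keep the baseline file outside the web root so that whoever can modify the site's files cannot also rewrite the baseline.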
  30. WordPress Security Scan
      This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. A good plugin to install to make sure that you have everything in place.
      In WP Plugin Directory, some people are saying that this plugin does not work with the latest version. But it works for me, so I am one of the 6 out of 10 that says it works.
      http://wordpress.org/extend/plugins/wp-security-scan/
  31. Stealth Login
      This plugin allows you to create custom URLs for logging in, logging out, administration and registration for your WordPress blog. You can also enable “Stealth Mode” which will prevent users from being able to access ‘wp-login.php’ directly.
      Even if someone did manage to crack/guess your WordPress password with this plugin, they would not know where to login to your admin panel.
      http://wordpress.org/extend/plugins/stealth-login/
  32. Resources
      http://codex.wordpress.org/Backing_Up_Your_Database
      http://codex.wordpress.org/Changing_File_Permissions
      http://codex.wordpress.org/Hardening_WordPress
      http://codex.wordpress.org/Editing_wp-config.php
      http://codex.wordpress.org/htaccess_for_subdirectories
      http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/
      http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
  33. Who am I? How to reach me?
      Syed Balkhi
      Founder of WPBeginner.com
      CEO of Uzzz Productions (uzzz.net)
      Contact:
      Email: admin@wpbeginner.com
      Twitter: @wpbeginner (Follow Me)
      Facebook: http://facebook.com/wpbeginner
      Buzz: http://google.com/profiles/wordpressbeginner