How to Protect WordPress

How to Protect WordPress is a presentation given by Syed Balkhi of WPBeginner at WordCamp Miami. This presentation explains how to take extra security measures and protect your WordPress from the inside out.

Comments

  • Any way we can get a copy and paste-able version of the code to put in a php file in our plugin directories? Thank you!
  • Thanks Balkhi, It's a great presentation.
  • Really good stuff; useful and important.
    Presentation Transcript

    • Syed Balkhi
      Founder of WPBeginner.com
      CEO of Uzzz Productions
      One Cool Person to know on the Web
    • how to protect WordPress
    • Worst Case Scenarios
    • SQL Link Injection – Hackers inject spam links and files into your WordPress theme, plugin and other core files.
      You won’t even know, because all the links will be hidden using CSS (display:none).
      Your site will be dropped from Google, and you will lose your rankings, traffic, and revenue from that site.
      You Lose Your Entire Site
      The hacker hacks the site, deletes your entire database, and then you are left with nothing… (Robert Scoble).
    • Protecting WordPress from the Inside Out
      here is a simple solution
    • What type of WordPress User Are You?
      OR
      rent a house
      no maintenance required
      Wordpress.com blogs
      own a house
      maintenance is your job
      Wordpress.org blogs
    • Basic Things That You Should Do
      They might seem repetitive because they are repetitive. But they are ESSENTIAL, so do it.
    • Regular Database Backups
      Plugin: WP-DB-Backup
      Author: Austin Matzko
      http://wordpress.org/extend/plugins/wp-db-backup/
      You can schedule backups daily, weekly, hourly, and have it sent to your email.
      It is absolutely critical to have backups, because you will have situations where you need to restore your site. You never know when you will need it, so keep regular backups. I know many people who lost their blog due to a hacker attack and had to restore everything using RSS Feeds. It is not FUN!! Get GMAIL and set up your daily backups to a specific email account.
    • Never use “admin” username
      If the hacker knows your username, he knows half the answer. (Don’t help him)
      Change the username in the MySQL database by running this query:
      update wp_users set user_login='yourusername' where user_login='admin';
      OR
      Create a new username (Make it very unique).
      Assign Administrator roles to this new user.
      Logout from your admin account.
      Log back in as the new username and then delete the “admin” username.
    • Use Security Keys
      Security keys ensure better encryption of your logged sessions. A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password.
      To add security keys, open your wp-config.php
      Visit this URL to get Security Keys: https://api.wordpress.org/secret-key/1.1/
      Find these lines:
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      And replace them with your new key:
      define('AUTH_KEY', '|ry:$5-`e}z:+^+6{-e;;SbrPq``|s$z=X&>ZbNnBmGOZ*L36e^,O[{]&TSU)~hC');
      define('SECURE_AUTH_KEY', 'GbZfHMi-0NuC7tc|,TQzV%2-9@0S?)APw[EW5$D>)|8m;9^5AO![@.eDg0-I>wWV');
      define('LOGGED_IN_KEY', 'QC^|p$*r]U$Zo[^hCL1}v|H@B^Z+EqYoT#[9YJ47D[x5B0to6,w>+-[[64H^xee`');
      define('NONCE_KEY', 'hy;DQ_kV ),}4IRYC.PykF2_K`&2Y**Z8TnGMz=:_AP*kx|Hz~5miOia{,A-xm4(');
    • Keep your WordPress & Plugins Updated
      Keep all your core files and plugins up to date. Even though there are sometimes quick releases, those are only made for security reasons.
      Don’t be lazy and update your site, it only requires One CLICK to upgrade the WordPress installation or plugins.
      After each security patch release, WordPress explains to the users, why that release was made and they mention the loophole which is open to everyone (HACKERS). They can use that information and your laziness to their advantage and hack your site.
      Are you afraid that your plugins would not work? Well that problem is also solved now that there is a compatibility meter in WordPress plugin database.
    • Use Strong Passwords
      Use letters (both uppercase and lowercase), numbers, and symbols, make the password at least 10 characters long, and it should take a super smart computer at least 59 years to crack.
      Chart from: http://www.blogussion.com/blogging-tips/580-million-years-hacker/
    • Folder/File Permission
      Good rule of thumb to start with:
      Folder Permission (CHMOD 755)
      File Permission (CHMOD 644)
      If these do not work for some plugins or stop you from uploading a file, then increase the permissions, for example to 775 or 777.
      It varies on the server configuration. On Host Gator servers plugins will not give you a hard time about changing permissions but on more secured servers like Media Temple you will have to change file and folder permissions for some plugins to work.
    • How to Change Permissions via FTP
      You will need to right click on the folder and look for either properties, or file permission (it varies for each software).
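Applying the 755/644 rule of thumb from the previous slide by hand gets tedious on a large install, and a 777 "fix" left behind after a plugin problem is easy to forget. The script below is an added example, not part of the presentation: it sets the rule-of-thumb permissions on a whole WordPress tree from a shell on the server (assuming you have shell access rather than only FTP) and lists whatever is still writable by everyone. The tree it builds is constructed for the demo; the real root would be the install directory, such as the /public_html/wordpress path used elsewhere in the slides.

```shell
#!/bin/sh
# Added example, not from the slides: apply the 755 (folders) / 644 (files)
# rule of thumb to a WordPress tree and list anything still world-writable.
# The directory layout built in demo_permissions is constructed for the demo.

# harden_wp_permissions ROOT: directories -> 755, regular files -> 644
harden_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# list_world_writable ROOT: print every path writable by "other" (666/777 style)
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

# count_world_writable ROOT: number of such paths (0 is what you want)
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# demo_permissions: build a throwaway tree with the "just make it work"
# settings the slide warns about, harden it, and return the remaining count
# (so the function succeeds only when nothing is left world-writable)
demo_permissions() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    printf '<?php // constructed placeholder\n' > "$tmp/wp-config.php"
    printf 'png' > "$tmp/wp-content/uploads/photo.png"
    chmod 777 "$tmp/wp-content/uploads"   # common "fix" for upload errors
    chmod 666 "$tmp/wp-config.php"        # the worst file to leave writable
    echo "before hardening: $(count_world_writable "$tmp") world-writable path(s)"
    harden_wp_permissions "$tmp"
    remaining=$(count_world_writable "$tmp")
    echo "after hardening:  $remaining world-writable path(s)"
    rm -rf "$tmp"
    return "$remaining"
}

demo_permissions
```

Run `list_world_writable` on its own after every plugin install or upload fix; an empty result is the state to aim for, and anything it prints is a permission that was widened and never narrowed again.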
    • Remove WP Version Number from Header
      Hackers can see your WordPress version number by viewing the source of your website. They can identify the sites that are not upgraded and are still vulnerable.
      To remove the version number, open your functions.php in your themes folder:
      function wordpress_remove_version() {
          return '';
      }
      add_filter('the_generator', 'wordpress_remove_version');
      This will remove the WordPress Version number from not just your site’s header, but it will also remove it from your WordPress RSS Feeds Header (Thanks to Mark Jaquith for bringing this to my attention).
      Remember you won’t have to do this, if you simply upgrade to the latest version.
    • Some Cool Tricks
      Just like the one in this picture, except safer.
    • Move wp-config.php file
      Starting from WordPress 2.6, you can now move your wp-config.php file to one directory above the current location.
      If your wp-config.php file is located at:
      /public_html/wordpress/wp-config.php
      Then you can move it to:
      /public_html/wp-config.php
      WordPress automatically checks the parent directory if wp-config.php is not found in the root directory.
    • Force SSL Login and Admin Access
      You can login to WordPress through the encrypted channels with SSL meaning your session URLs will have https://. You must confirm with your webhosts that you have Shared SSL, or you own a SSL certificate.
      Open your wp-config.php file and add this code to force SSL (https) with logins:
      define('FORCE_SSL_LOGIN', true);
      Open your wp-config.php file and add this code to force SSL (https) on all admin pages & logins:
      define('FORCE_SSL_ADMIN', true);
      *I recommend using the second option because with it, passwords and cookies from both logins and admin access are never sent in the clear. Some people prefer the first one only because SSL is somewhat slower than sites with no SSL on the backend (not if you have good servers).
      If you don’t have SSL certificate, use this plugin called Semisecure Login. (JS Required)
      http://wordpress.org/extend/plugins/semisecure-login-reimagined/
    • Limited Access to wp-admin directory via .htaccess
      Create a .htaccess file in your wp-admin directory!
      Add the following codes and upload the site:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "WordPress Admin Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      # whitelist Syed's IP address
      allow from xx.xx.xx.xxx
      # whitelist WordCampMiami IP address
      allow from xx.xx.xx.xxx
      # whitelist WordCampMiami Hotel IP address
      allow from xx.xx.xx.xxx
      Only users with IP addresses mentioned in this file will be able to see the wp-admin folder, no one else.
    • Remove Error Message from the Login Page
      Insert the following codes in your themes functions.php file
      add_filter('login_errors', function ($error) {
          // anonymous function instead of create_function(), which later PHP versions removed
          return null;
      });
      Secure WordPress Plugin can do this as well - http://wordpress.org/extend/plugins/secure-wordpress/
      Don’t help the hacker, make him work for it.
    • Change WordPress Table Prefix
      Everyone knows the default table prefix is wp_, so hackers usually try to do SQL injection in the tables with wp_ prefix. But if they do not know the table prefix, it is harder for them.
      Before installing WordPress, edit your wp-config.php file and change the Table prefix to something unique instead of wp_
      $table_prefix = 'w0rdpr3ssjim_';
      If you didn’t do this when installing, and you want to do it now, it requires a few extra steps.
    • Change WordPress Table Prefix
      • First change the prefix in wp-config.php file
      • Login to your MySQL Database using phpMyAdmin and run this SQL Query
      RENAME TABLE wp_comments TO w0rdpr3ssjim_comments;
      RENAME TABLE wp_links TO w0rdpr3ssjim_links;
      RENAME TABLE wp_options TO w0rdpr3ssjim_options;
      RENAME TABLE wp_postmeta TO w0rdpr3ssjim_postmeta;
      RENAME TABLE wp_posts TO w0rdpr3ssjim_posts;
      RENAME TABLE wp_terms TO w0rdpr3ssjim_terms;
      RENAME TABLE wp_term_relationships TO w0rdpr3ssjim_term_relationships;
      RENAME TABLE wp_term_taxonomy TO w0rdpr3ssjim_term_taxonomy;
      RENAME TABLE wp_usermeta TO w0rdpr3ssjim_usermeta;
      RENAME TABLE wp_users TO w0rdpr3ssjim_users;
      • Browse w0rdpr3ssjim_options table and change option_id 94, wp_user_roles to w0rdpr3ssjim_user_roles.
      • Browse w0rdpr3ssjim_usermeta and change the meta key wp_capabilities and wp_user_level to w0rdpr3ssjim_capabilities and w0rdpr3ssjim_user_level
      http://wpcanada.ca/2009/11/21/how-to-change-wordpress-table-prefix/
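The three steps on the slide (rename the tables, fix the user_roles option, fix the capabilities and user_level meta keys) are easy to get partly wrong by hand: the option_id can differ between installs, and the usermeta keys that carry the prefix are more than the two named. The script below is an added example, not from the presentation or from the wpcanada.ca article: it generates the complete SQL for any old/new prefix pair, matching the role option by name rather than by id and rewriting every meta key that starts with the old prefix. The table list is assumed to be the core set the slide renames; plugin tables that also use the prefix would need adding to it.

```shell
#!/bin/sh
# Added example, not from the slides: generate the SQL for moving an existing
# install from one table prefix to another. Run the output in phpMyAdmin or
# the mysql client after taking a backup. WP_CORE_TABLES is assumed to be the
# core set the slide renames; append plugin tables that carry the prefix too.

WP_CORE_TABLES="comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# prefix_migration_sql OLD NEW: print the migration statements on stdout
prefix_migration_sql() {
    old="$1"
    new="$2"
    for t in $WP_CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # match the role option by name instead of by a hard-coded option_id
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # rewrite every meta key that starts with the old prefix (capabilities,
    # user_level, and any other per-user key WordPress prefixes); "_" is a
    # LIKE wildcard, so it is escaped in the pattern
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s';\n" \
        "$new" "$new" "$((${#old} + 1))" "${old_like}%"
}

# prints the statements for the prefix used on the slide
prefix_migration_sql wp_ w0rdpr3ssjim_
```

The LIKE pattern escapes the underscore in `wp_` because an unescaped `_` matches any single character, so a plain `'wp_%'` would also catch keys that merely begin with "wp" followed by some other letter.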
    • Protect against Malicious URL Requests
      Copy and paste this code in a .php file, name it whatever you like and upload in your plugins directory /wp-content/plugins
      <?php
      /*
      Plugin Name: Block Bad Queries
      */
      global $user_ID;
      // the check runs for logged-in users who are below level_10 (administrator)
      if ($user_ID) {
          if (!current_user_can('level_10')) {
              $uri = $_SERVER['REQUEST_URI'];
              // very long URIs and the strings seen in injection attempts
              if (strlen($uri) > 255
                  || strpos($uri, 'eval(') !== false
                  || strpos($uri, 'CONCAT') !== false
                  || strpos($uri, 'UNION+SELECT') !== false
                  || strpos($uri, 'base64') !== false) {
                  @header('HTTP/1.1 414 Request-URI Too Long');
                  @header('Status: 414 Request-URI Too Long');
                  @header('Connection: Close');
                  @exit;
              }
          }
      }
      ?>
      This script will check for long strings as well as base64 code which was in the last attack and the eval( code which could be a threat in the future. Once active, this plugin will silently and effectively close any connections for these sorts of injection-type attacks.
      All credit goes to Jeff Starr from Perishable Press
      http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
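The plugin above answers such requests silently, which means it also hides how often they arrive. The script below is an added example, not from the slides or from Perishable Press: it applies the same five signatures (request target longer than 255 characters, "eval(", "CONCAT", "UNION+SELECT", "base64") to a web server access log, so the requests can be counted and grouped by client address whether or not the plugin is active. The log lines are constructed for the demo in Apache/Nginx "combined" format; the request target is the seventh whitespace-separated field.

```shell
#!/bin/sh
# Added example, not from the slides: run the Block Bad Queries signatures
# over an access log. The sample log written below is constructed.

# flag_bad_queries LOGFILE: print each log line whose request target matches
flag_bad_queries() {
    awk '{
        uri = $7   # 7th field: the path in "GET /path HTTP/1.1"
        if (length(uri) > 255 || uri ~ /eval\(/ || uri ~ /CONCAT/ ||
            uri ~ /UNION\+SELECT/ || uri ~ /base64/)
            print
    }' "$1"
}

# count_bad_queries LOGFILE: number of flagged lines
count_bad_queries() {
    flag_bad_queries "$1" | wc -l | tr -d ' '
}

# top_offenders LOGFILE: flagged requests grouped by client IP, busiest first
top_offenders() {
    flag_bad_queries "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# constructed sample log: two normal requests, three that should be flagged
SAMPLE_LOG=$(mktemp)
LONG_URI="/?q=$(head -c 300 /dev/zero | tr '\0' 'A')"
{
    echo '203.0.113.5 - - [10/Mar/2010:10:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    echo '203.0.113.9 - - [10/Mar/2010:10:00:02 -0500] "GET /?s=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 4096 "-" "curl/7.19"'
    echo '198.51.100.2 - - [10/Mar/2010:10:00:03 -0500] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
    echo '203.0.113.9 - - [10/Mar/2010:10:00:04 -0500] "GET /?p=eval(base64_decode(Zm9v)) HTTP/1.1" 404 512 "-" "curl/7.19"'
    echo "198.51.100.7 - - [10/Mar/2010:10:00:05 -0500] \"GET $LONG_URI HTTP/1.1\" 414 0 \"-\" \"python-urllib\""
} > "$SAMPLE_LOG"

echo "flagged requests: $(count_bad_queries "$SAMPLE_LOG")"
top_offenders "$SAMPLE_LOG"
```

Point `flag_bad_queries` at the real access log to see what the plugin would have blocked; a single address showing up repeatedly in `top_offenders` is a candidate for the .htaccess deny rules shown earlier in the deck.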
    • Useful Security Plugins
      Image by Pelfusion
    • Login Lockdown
      Login LockDown records the IP address and timestamp of every failed login attempt. Once it reaches a certain number of failed attempts, it blocks the login access from that IP address for one hour (Default). You can change how many attempts, and times in settings.
      http://wordpress.org/extend/plugins/login-lockdown/
    • WordPress File Monitor
      WordPress File Monitor plugin monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
      This is a life saver plugin because if there was a SQL injection in your site which was hidden with CSS, you probably will not find out for a good amount of time. With this plugin, you will know instantly.
      http://wordpress.org/extend/plugins/wordpress-file-monitor/
    • WordPress Security Scan
      This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. A good plugin to install to make sure that you have everything in place.
      In WP Plugin Directory, some people are saying that this plugin does not work with the latest version. But it works for me, so I am one of the 6 out of 10 that says it works.
      http://wordpress.org/extend/plugins/wp-security-scan/
    • Stealth Login
      This plugin allows you to create custom URLs for logging in, logging out, administration and registration for your WordPress blog. You can also enable “Stealth Mode” which will prevent users from being able to access ‘wp-login.php’ directly.
      Even if someone did manage to crack/guess your WordPress password with this plugin, they would not know where to login to your admin panel.
      http://wordpress.org/extend/plugins/stealth-login/
    • Resources
      http://codex.wordpress.org/Backing_Up_Your_Database
      http://codex.wordpress.org/Changing_File_Permissions
      http://codex.wordpress.org/Hardening_WordPress
      http://codex.wordpress.org/Editing_wp-config.php
      http://codex.wordpress.org/htaccess_for_subdirectories
      http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/
      http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
    • Who am I? How to reach me?
      Syed Balkhi
      Founder of WPBeginner.com
      CEO of Uzzz Productions (uzzz.net)
      Contact:
      Email: admin@wpbeginner.com
      Twitter: @wpbeginner (Follow Me)
      Facebook: http://facebook.com/wpbeginner
      Buzz: http://google.com/profiles/wordpressbeginner