Protecting WordPress from the Inside Out
WordPress is reasonably secure, and its developers release updates regularly to fix vulnerabilities. To stay safe, always upgrade to the latest version of the software as soon as it is available.

There are, however, several more ways to protect your WordPress installation from being misused or hacked. In this session we look at some of the most useful tips, tricks, and plugins that add an extra layer of security to your WordPress site.

Comments

  • good slide. thanks
  • When setting up WP installs I tend to use 20-char random IDs generated from random.org (http://random.org/strings/)
    So, for example, the admin UID becomes something like: admin_0YcWgjYpelWKPJP59DGI

    I tend to do the same for passwords, DB prefixes (although not all 20 chars) and so on & keep track of them in something like Evernote or Google Docs. I've found it's the most consistent way of being random ;)

    Great slide btw, cheers for sharing.
  • Good stuff. Been wondering about this.
  • Awesome presentation about WP Security
  • Security of WordPress

Presentation Transcript

  • Protecting WordPress from the Inside Out
    By: Syed Balkhi
    WPBeginner.com
  • Who am I?
    Syed Balkhi
    Founder of WPBeginner.com
    CEO of Balkhis.com
    Contact:
    Email: admin@wpbeginner.com
    Twitter: @wpbeginner
  • Goals of This Presentation
    Increase awareness about WordPress Security
    Share useful tips and plugins to improve WordPress Security.
    Have everyone leave with a smile on their face.
  • WordPress.com vs. Self Hosted WordPress
    If your blog is hosted at WordPress.com, the platform patches and hardens the servers for you; all you are responsible for is your account password.
    If you run a self-hosted blog, everything in this talk is your responsibility, so pay extra attention.
  • Why should you pay attention?
    Spam link injection: attackers inject hidden spam links and files into your WordPress theme, plugins, core files, or posts in the database.
    You won't even notice, because the links are hidden with CSS so only search engines see them.
    Your site gets dropped from Google, and you lose your rankings, your traffic, and the revenue from that site.
  • Basic Things That You Should Do
    It doesn’t just seem repetitive, it is repetitive. But it is ESSENTIAL, so do it.
  • Regular Database Backups
    Plugin: WP-DB-Backup
    Author: Austin Matzko
    http://wordpress.org/extend/plugins/wp-db-backup/
    You can schedule backups hourly, daily, or weekly and have them sent to your email, which also keeps a copy off the server.
    Backups are absolutely critical, because sooner or later you will need to restore your site, and you never know when. I know many people who lost their blog to a hacker attack and had to rebuild everything from RSS feeds. It is not FUN!! Note that this plugin backs up the database only; your wp-content folder (uploads, themes, plugins) needs its own backup, and a backup you have never tried to restore is not one you can count on.
  • Never use “admin” username
    If the attacker knows your username, he already has half the answer. (Don't help him.)
    Either change the username directly in the MySQL database with this query (using your real table prefix if it is not wp_):
    update wp_users set user_login='yourusername' where user_login='admin';
    This changes only the login name. The author slug in user_nicename, which appears in author archive URLs, stays "admin", so rename that too or the change is visible to anyone who looks.
    OR
    Create a new user with a hard-to-guess username.
    Assign the Administrator role to this new user.
    Log out of your admin account.
    Log back in as the new user and delete the "admin" user, attributing its posts to the new user when WordPress asks.
  • Use Security Keys
    Security keys are secrets that WordPress mixes into the keyed hash (HMAC) it stores in your authentication cookies. With the placeholder values in place, anyone who knows the scheme can forge a login cookie; with long random keys they have nothing to work from. Changing the keys later invalidates every existing login session, which is exactly what you want after a compromise.
    To add security keys, open your wp-config.php.
    Visit this URL to get freshly generated keys: https://api.wordpress.org/secret-key/1.1/
    Find these lines:
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    And replace them with your new keys. These are the example values from the slide; since they are public now, do not reuse them:
    define('AUTH_KEY', '|ry:$5-`e}z:+^+6{-e;;SbrPq``|s$z=X&>ZbNnBmGOZ*L36e^,O[{]&TSU)~hC');
    define('SECURE_AUTH_KEY', 'GbZfHMi-0NuC7tc|,TQzV%2-9@0S?)APw[EW5$D>)|8m;9^5AO![@.eDg0-I>wWV');
    define('LOGGED_IN_KEY', 'QC^|p$*r]U$Zo[^hCL1}v|H@B^Z+EqYoT#[9YJ47D[x5B0to6,w>+-[[64H^xee`');
    define('NONCE_KEY', 'hy;DQ_kV ),}4IRYC.PykF2_K`&2Y**Z8TnGMz=:_AP*kx|Hz~5miOia{,A-xm4(');
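The same keys can be generated locally instead of being fetched from api.wordpress.org. The script below is an added example, not code from the slides or from WordPress itself. It goes beyond the four *_KEY constants on the slide and also emits the four *_SALT constants that WordPress 2.7 and later read; the character set and the 64-character length are choices made here, and you are assumed to paste the output into wp-config.php yourself.

```python
# Added example (not from the slides): generate the wp-config.php key
# constants locally with a CSPRNG instead of fetching them over the network.
import secrets
import string

# WordPress 2.6 defined the four *_KEY constants shown on the slide;
# WordPress 2.7 and later also read the matching *_SALT constants, so a full
# set is eight.  Which names to emit is an assumption of this example.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Printable ASCII minus the two characters that would break a single-quoted
# PHP string literal: the quote itself and the backslash.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\\"
)


def generate_key(length: int = 64) -> str:
    """One key: `length` characters drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_wp_keys(names=KEY_NAMES) -> dict:
    """A fresh, independent key for every constant name."""
    return {name: generate_key() for name in names}


def render_defines(keys: dict) -> str:
    """The define() lines that replace the placeholders in wp-config.php."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def is_placeholder(value: str) -> bool:
    """True if a wp-config.php value is still the stock placeholder (or empty)."""
    return value.strip() in ("put your unique phrase here", "")


if __name__ == "__main__":
    print(render_defines(generate_wp_keys()))
```

Paste the printed lines over the placeholders; every logged-in user, yourself included, will have to log in again, because the old cookies no longer verify.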
  • Keep your WordPress & Plugins Updated
    Keep the core files and all plugins up to date. Some releases follow the previous one very quickly; those are almost always security fixes, and they are the ones that matter most.
    Don't be lazy: upgrading WordPress or a plugin takes one click from the dashboard.
    With each security release WordPress publishes what was fixed, which tells everyone, attackers included, exactly which loophole unpatched sites still have. They count on your laziness to exploit it.
    Afraid a plugin will stop working? That problem is largely solved: the compatibility meter in the WordPress plugin directory shows whether other users report the plugin working with the new version.
  • Use Strong Passwords
    Use upper- and lowercase letters, numbers, and symbols, and make the password at least 10 characters long. The chart referenced below estimates that such a password would take a fast machine about 59 years to brute-force; the real figure depends on the attacker's hardware and on how the password is hashed, so treat it as an illustration of how much every extra character helps rather than a guarantee. Never reuse the password elsewhere, and prefer a password manager to anything memorable.
    Chart from: http://www.blogussion.com/blogging-tips/580-million-years-hacker/
  • Folder/File Permission
    Good rule of thumb to start with:
    Folder permission: 755 (owner may write; everyone may list and traverse)
    File permission: 644 (owner may write; everyone may read)
    wp-config.php deserves tighter treatment, because it holds your database password and security keys; the Codex suggests 440 or 400 where your server allows it.
    If a plugin cannot write where it needs to (uploads, caches), the usual advice is to loosen to 775 or 777. Treat 777 as the last resort, not the fix: a world-writable directory can be written to by every other account on a shared server, and a world-writable PHP file is a ready-made backdoor. Prefer giving the web server ownership of wp-content/uploads (or group access with 775), and ask your host before going wider.
    How often this bites depends on the server configuration. On HostGator, plugins rarely complain about permissions; on hosts with tighter defaults such as Media Temple you will have to change file and folder permissions for some plugins to work.
  • How to Change Permissions via FTP
    You will need to right click on the folder and look for either properties, or file permission (it varies for each software).
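Instead of fixing permissions one folder at a time over FTP, the audit below walks an installation and lists everything that deviates from the 755/644 rule, separately flags the world-writable entries, and optionally fixes them. It is an added example, not code from the slides; it assumes a Unix host with the tree on a local filesystem (run it over SSH on the server), and it tightens wp-config.php to 0600, which presumes PHP runs as the file's owner; use 0640 otherwise.

```python
# Added example (not from the slides): audit a WordPress tree on a Unix host
# against the 755/644 rule of thumb and flag the world-writable "quick fixes".
import os
import stat
from pathlib import Path

DIR_MODE = 0o755
FILE_MODE = 0o644
# wp-config.php holds the DB password and the security keys.  0600 assumes PHP
# runs as the file's owner (suPHP/FastCGI); use 0640 with the web server's
# group otherwise, or whatever tighter setting your host allows.
CONFIG_MODE = 0o600


def expected_mode(path: Path, is_dir: bool) -> int:
    """The policy mode for one entry."""
    if is_dir:
        return DIR_MODE
    return CONFIG_MODE if path.name == "wp-config.php" else FILE_MODE


def audit_permissions(root, fix=False):
    """Walk `root` and return (path, current_mode, expected_mode) for every
    entry whose mode differs from the policy.  With fix=True, chmod it too."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Each directory is checked once, when os.walk visits it.
        entries = [(here, True)] + [(here / f, False) for f in filenames]
        for path, is_dir in entries:
            if path.is_symlink():
                continue                 # never chmod through a symlink
            want = expected_mode(path, is_dir)
            have = stat.S_IMODE(path.stat().st_mode)
            if have != want:
                findings.append((str(path), have, want))
                if fix:
                    path.chmod(want)
    return findings


def world_writable(findings):
    """The subset any local user could modify (other-write bit set): the 777
    directories and 666 files that let a shared-hosting neighbour plant code."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, have, want in audit_permissions(target):
        print(f"{have:04o} -> {want:04o}  {path}")
```

Run it read-only first and look at the world-writable list; those are the entries to fix by ownership rather than by mode wherever the host allows it.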
  • Remove WordPress Version Number from Header
    Attackers can read your WordPress version from the page source and pick out the sites that have not been upgraded and are still vulnerable.
    To remove the version number, open header.php in your theme folder and delete this line if it is present:
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    If your header.php calls wp_head() (it should), WordPress prints the generator tag itself, so also add this to your theme's functions.php:
    remove_action('wp_head', 'wp_generator');
    This is a small gain: the version is still readable from readme.html in the site root and from the ?ver= query string WordPress appends to its core scripts and styles. Keeping up to date (previous slide) is the real fix; hiding the version only slows down the lazy scanners.
  • Some Cool Tricks
    Just like the one in this picture, except safer.
  • Move wp-config.php file
    Since WordPress 2.6 you can move your wp-config.php file one directory above the WordPress installation.
    If your wp-config.php file is located at:
    /public_html/wordpress/wp-config.php
    Then you can move it to:
    /public_html/wp-config.php
    If wp-config.php is not found in the WordPress directory, WordPress automatically checks the parent directory, provided that parent does not itself contain a wp-settings.php (which would mean another installation). The real benefit comes when the parent directory is above the document root; in this example the file is still inside public_html, so it is still served if PHP ever stops executing.
  • Force SSL Login and Admin Access
    You can log in to WordPress over an encrypted channel (SSL/TLS), meaning your session URLs start with https://. First confirm with your web host that you have shared SSL or your own SSL certificate.
    Open your wp-config.php file and add this line to force SSL (https) for logins only:
    define('FORCE_SSL_LOGIN', true);
    Or add this line to force SSL (https) on all admin pages as well as logins:
    define('FORCE_SSL_ADMIN', true);
    *I recommend the second option: with it, neither the password nor the authentication cookies are ever sent in the clear, for logins or for admin pages. With login-only SSL the cookie that identifies your session still travels unencrypted on every admin page, so anyone on the same network can steal it. Some people prefer the first option because SSL makes the back end somewhat slower (not noticeably so on good servers). Newer WordPress versions treat FORCE_SSL_LOGIN as deprecated and FORCE_SSL_ADMIN as the setting to use.
    If you don't have an SSL certificate, use the plugin Semisecure Login (requires JavaScript). It encrypts only the password in the browser before submitting it and does nothing for the session cookie, so it is a stopgap, not a replacement for SSL.
    http://wordpress.org/extend/plugins/semisecure-login-reimagined/
  • Limit Access to the wp-admin Directory via .htaccess
    Create a .htaccess file in your wp-admin directory!
    Add the following and upload it:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist Syed's IP address
    allow from xx.xx.xx.xxx
    # whitelist WordCamp Atlanta IP address
    allow from xx.xx.xx.xxx
    # whitelist WordCamp Atlanta Hotel IP address
    allow from xx.xx.xx.xxx
    Only requests from the listed IP addresses reach anything under wp-admin; everyone else gets a 403. Three caveats: this is Apache 2.2 syntax (Apache 2.4 expresses the same rule with Require ip); wp-admin/admin-ajax.php is used by front-end features of some themes and plugins, so exempt it with a <Files admin-ajax.php> block or those features break for visitors; and wp-login.php sits outside wp-admin, so it stays reachable and still needs a strong password. The list also locks you out the moment your own IP changes.
  • Remove Error Message from the Login Page
    By default a failed login says whether the username or the password was wrong, which lets an attacker confirm valid usernames. Insert the following in your theme's functions.php file to blank the message:
    add_filter('login_errors', function () { return null; });
    The Secure WordPress plugin can do this as well: http://wordpress.org/extend/plugins/secure-wordpress/
    Don't help the hacker, make him work for it. Author archive URLs such as /?author=1 still reveal usernames, so pair this with a hard-to-guess username rather than relying on it alone.
  • Change WordPress Table Prefix
    Everyone knows the default table prefix is wp_, so automated SQL injection scripts are written against wp_users, wp_options and friends. A non-default prefix makes those canned attacks miss. It is obscurity rather than a fix: an attacker who can run arbitrary SQL can read the real table names from information_schema, so the prefix only protects against scripts that never look.
    Before installing WordPress, edit your wp-config.php file and change the table prefix to something unique instead of wp_:
    $table_prefix = 'w0rdpr3ssjim_';
    If you didn't do that at install time and want to do it now, it takes a few extra steps.
  • Change WordPress Table Prefix
    • Back up the database first.
    • Change the prefix in the wp-config.php file.
    • Log in to your MySQL database with phpMyAdmin and rename every table. List them with SHOW TABLES first: plugins add tables of their own, and all of them must move, not just the core ones below.
    Rename table wp_comments to w0rdpr3ssjim_comments;
    Rename table wp_links to w0rdpr3ssjim_links;
    Rename table wp_options to w0rdpr3ssjim_options;
    Rename table wp_postmeta to w0rdpr3ssjim_postmeta;
    Rename table wp_posts to w0rdpr3ssjim_posts;
    Rename table wp_terms to w0rdpr3ssjim_terms;
    Rename table wp_term_relationships to w0rdpr3ssjim_term_relationships;
    Rename table wp_term_taxonomy to w0rdpr3ssjim_term_taxonomy;
    Rename table wp_usermeta to w0rdpr3ssjim_usermeta;
    Rename table wp_users to w0rdpr3ssjim_users;
    • In w0rdpr3ssjim_options, rename the option wp_user_roles to w0rdpr3ssjim_user_roles. Find the row by option_name, not by option_id; the option_id 94 quoted on the original slide belongs to one particular installation.
    • In w0rdpr3ssjim_usermeta, rename the meta keys wp_capabilities and wp_user_level to w0rdpr3ssjim_capabilities and w0rdpr3ssjim_user_level. Any other meta key that starts with wp_ (such as wp_user-settings) must be renamed the same way, or users lose their roles.
    http://wpcanada.ca/2009/11/21/how-to-change-wordpress-table-prefix/
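Generating the statements instead of typing them avoids forgetting a plugin table and avoids the hard-coded option_id. The Python below is an added example, not code from the slides or from wpcanada.ca: it takes the table names you get from SHOW TABLES and emits the RENAME TABLE statements plus prefix-aware UPDATEs for the options and usermeta rows. The prefixes are the slide's; the table list in the usage section is the core set from the slide. Review each UPDATE's WHERE clause as a SELECT before running it, because a plugin option that happens to begin with wp_ would be renamed too.

```python
# Added example (not from the slides): generate the SQL for moving an existing
# install from one table prefix to another.  Run the output in phpMyAdmin
# after taking a backup.
import re

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def rename_prefix_sql(old, new, tables):
    """Return the statements that rename every table and fix the prefixed
    option_name / meta_key rows (wp_user_roles, wp_capabilities, ...).

    `tables` is the list of table names WITHOUT prefix, as found by
    SHOW TABLES on the live database; never trust the core list alone,
    because plugins create their own tables."""
    for p in (old, new):
        # Prefixes are spliced into SQL, so refuse anything but identifier chars.
        if not PREFIX_RE.match(p):
            raise ValueError(f"prefix {p!r} must match [A-Za-z0-9_]+")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # '_' is a single-character wildcard in LIKE, so escape it in the pattern.
    like = old.replace("_", "\\_") + "%"
    start = len(old) + 1    # SUBSTRING() is 1-indexed: first char after the old prefix
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        stmts.append(
            f"UPDATE `{new}{table}` SET {column} = CONCAT('{new}', SUBSTRING({column}, {start})) "
            f"WHERE {column} LIKE '{like}';"
        )
    return stmts


if __name__ == "__main__":
    core = ["comments", "links", "options", "postmeta", "posts", "terms",
            "term_relationships", "term_taxonomy", "usermeta", "users"]
    print("\n".join(rename_prefix_sql("wp_", "w0rdpr3ssjim_", core)))
```

The UPDATEs are what the slide does by hand for wp_user_roles, wp_capabilities and wp_user_level; matching on the escaped prefix also catches the per-user keys the slide does not list.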
  • Protect against Malicious URL Requests
    Copy and paste this code into a .php file, name it whatever you like, upload it to your plugins directory /wp-content/plugins and activate it:
    <?php
    /*
    Plugin Name: Block Bad Queries
    Description: Drop requests whose URI carries strings typical of mass injection attempts.
    */

    // Run on 'init', once WordPress knows who the current user is. The original
    // ran at plugin load, before the current user is set up, so its user check
    // could not work as intended.
    add_action('init', 'bbq_block_bad_queries');

    function bbq_block_bad_queries() {
        // Administrators are exempt, so a long URL pasted into the editor does not lock them out.
        if (current_user_can('manage_options')) {
            return;
        }
        $uri = $_SERVER['REQUEST_URI'];
        // strpos() returns 0 (falsy) for a match at offset 0, so compare with !== false.
        if (strlen($uri) > 255
            || stripos($uri, 'eval(') !== false
            || stripos($uri, 'CONCAT') !== false
            || stripos($uri, 'UNION+SELECT') !== false
            || stripos($uri, 'base64') !== false) {
            @header('HTTP/1.1 414 Request-URI Too Long');
            @header('Status: 414 Request-URI Too Long');
            @header('Connection: Close');
            exit;
        }
    }
    This script checks for over-long request URIs, for the base64 string that was used in the last wave of attacks, and for eval(, which could be a threat in the future. Once active, the plugin silently closes the connection on requests of this kind. Keep its limits in mind: it is a fixed blocklist, so a payload that is percent-encoded or split with SQL comments goes straight past it, while a legitimate request that happens to contain "concat" or "base64" in a parameter, or runs past 255 characters, is blocked too. It is a speed bump for mass scanners, not a substitute for patched plugins.
    All credit goes to Jeff Starr from Perishable Press
    http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
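To see what the blocklist catches and what slips past it, the Python below reproduces the plugin's test and sets a hardened variant beside it that percent-decodes and case-folds the URI before matching, run over constructed sample requests. It is an added example, not Jeff Starr's code and not the plugin; the sample URIs are made up for the demonstration.

```python
# Added example (not from the slides, not Jeff Starr's plugin): the Block Bad
# Queries test as Python, beside a version that normalises the URI first.
from urllib.parse import unquote_plus

MAX_URI_LEN = 255
# Substrings the plugin treats as hostile.  It is a fixed blocklist: it stops
# scripts that send these exact strings, not an attacker who encodes them.
BAD_TOKENS = ("eval(", "concat", "union select", "base64")


def naive_is_bad(uri: str) -> bool:
    """Literal port of the plugin's check: raw URI, case-sensitive, no decoding."""
    tokens = ("eval(", "CONCAT", "UNION+SELECT", "base64")
    return len(uri) > MAX_URI_LEN or any(t in uri for t in tokens)


def normalise(uri: str) -> str:
    """Undo the cheap evasions before matching: percent-decode twice (for
    double-encoded payloads), turn '+' into spaces, lower-case, and collapse
    runs of whitespace so 'UNION%20%20SELECT' still reads 'union select'."""
    decoded = unquote_plus(unquote_plus(uri))
    return " ".join(decoded.lower().split())


def is_bad_request(uri: str) -> bool:
    """Hardened check: the length limit applies to the raw URI (what the
    server actually received); the token match runs on the normalised form."""
    if len(uri) > MAX_URI_LEN:
        return True
    norm = normalise(uri)
    return any(t in norm for t in BAD_TOKENS)


# Constructed sample requests (not captured traffic) with the expected verdict
# of the hardened check.  The comment-split payload shows what still gets by.
SAMPLES = {
    "/?s=wordpress+security": False,
    "/?p=1+UNION+SELECT+user_login,user_pass+FROM+wp_users": True,
    "/?p=1%20union%20select%201,2": True,   # encoded + lower case: the naive check misses it
    "/?p=1+uNiOn/**/SeLeCt+1": False,      # comment-split keyword: both checks miss it
    "/?x=" + "A" * 300: True,              # over the 255-character limit
}


def verdicts(uris=SAMPLES):
    """Run both checks over the samples: {uri: (naive, hardened)}."""
    return {u: (naive_is_bad(u), is_bad_request(u)) for u in uris}


if __name__ == "__main__":
    for uri, (naive, hard) in verdicts().items():
        print(f"naive={naive!s:5} hardened={hard!s:5} {uri[:60]}")
```

The comment-split sample is the honest part of the exercise: no string blocklist closes that gap, which is why the real defence is a patched plugin and parameterised queries, with this filter in front only to thin out the noise.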
  • Useful Security Plugins
    Image by Pelfusion
  • Login Lockdown
    Login LockDown records the IP address and timestamp of every failed login attempt. Once an IP reaches a set number of failures within a set period, it blocks login attempts from that address for one hour (the default). The number of attempts and the time periods are configurable in the plugin's settings. The block is per IP, so it also locks out everyone behind the same NAT or proxy, and it is only as good as the address the plugin sees: it must use the real client address, not a header the client can set.
    http://wordpress.org/extend/plugins/login-lockdown/
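The mechanism behind Login LockDown, as an added example in Python so the thresholds can be exercised against a constructed sequence of login events. This is not the plugin's code; apart from the one-hour lock the slide mentions, the 3-attempts-in-5-minutes default is an assumption made here, and the IP addresses are from the RFC 5737 documentation ranges.

```python
# Added example (not from the slides, not the Login LockDown plugin's code):
# the per-IP lockout logic such a plugin implements, replayed over a
# constructed sequence of login events.
from collections import defaultdict, deque


class LoginLockdown:
    """Lock an IP out after `max_failures` failed logins inside `window`
    seconds; the lock lasts `lockout` seconds.  The defaults are an
    assumption (the slide only states the one-hour lock)."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]       # lock has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Return True if this failure pushed the IP over the threshold."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, ip, now, password_ok):
        """One login attempt. Returns 'locked', 'ok', 'failed' or 'lockout'.
        A locked IP is refused before the password is even checked, so a
        correct guess during the lock still fails.  `ip` must be the real
        client address (REMOTE_ADDR), not a header the client controls."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        return "lockout" if self.record_failure(ip, now) else "failed"


def replay(events, **settings):
    """events: iterable of (unix_time, ip, password_ok). Returns the decisions in order."""
    ld = LoginLockdown(**settings)
    return [ld.attempt(ip, t, ok) for t, ip, ok in events]


# Constructed log: a brute-forcer at 203.0.113.7 and a legitimate user at
# 198.51.100.2 who mistypes once.  Times are seconds.
EVENTS = [(i * 10, "203.0.113.7", False) for i in range(6)] + [
    (70, "198.51.100.2", False),
    (80, "198.51.100.2", True),
    (3000, "203.0.113.7", True),   # right password, but still inside the lock
    (3700, "203.0.113.7", True),   # lock expired
]

if __name__ == "__main__":
    for (t, ip, _), decision in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:5d} {ip:15} {decision}")
```

Note the ordering in attempt(): the lock check comes before password verification, so a guess that happens to be right during the lock is rejected and the attacker gets no signal that it was.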
  • WordPress File Monitor
    The WordPress File Monitor plugin watches your WordPress installation for added, deleted, or changed files. When a change is detected, it can send an email alert to a specified address.
    This is a life saver: if spam links were injected into your theme or core files and hidden with CSS, you would probably not notice for a long time, but with this plugin you know as soon as a file changes. It watches files only; links injected into posts in the database will not trigger it, so keep the backups and the malicious-query protection as well. Take the baseline on an installation you know is clean, or you are just monitoring an already-compromised site.
    http://wordpress.org/extend/plugins/wordpress-file-monitor/
  • WordPress Security Scan
    This plugin scans your WordPress installation for security weaknesses and suggests corrective actions. A good plugin to install to make sure you have everything in place.
    In the WP plugin directory some people say this plugin does not work with the latest version. It works for me, so I am one of the 6 out of 10 who say it works.
    http://wordpress.org/extend/plugins/wp-security-scan/
  • Stealth Login
    This plugin lets you create custom URLs for logging in, logging out, administration, and registration on your WordPress blog. You can also enable "Stealth Mode", which prevents users from accessing wp-login.php directly.
    The idea is that even someone who has cracked or guessed your WordPress password would not know where to log in. Treat that as obscurity, not a control: the login endpoint still exists, and the new URL can leak through redirects, the password-reset email, or anyone who has used the site. It adds friction for scanners; the strong password and the lockout plugin are what actually stop the login.
    http://wordpress.org/extend/plugins/stealth-login/
  • Resources
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Changing_File_Permissions
    http://codex.wordpress.org/Hardening_WordPress
    http://codex.wordpress.org/Editing_wp-config.php
    http://codex.wordpress.org/htaccess_for_subdirectories
    http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/
    http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
    http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/