How secure is your WordPress? (Quanto è sicuro il tuo WordPress?)

  1. WORDCAMP BOLOGNA 2012
  2. WORDPRESS HARDENING (V3)
  3. About me: 37 years old, born in Turin (Italy), co-founder of mavida.com, WordPress lover. http://maurizio.mavida.com https://twitter.com/miziomon http://www.linkedin.com/in/mauriziopelizzone
  4. Why do we need "hardening"?
  6. Dangers
  7. Dangers:
     1. Info collection
     2. Password brute-force attacks
     3. Exploits
     4. Human mistakes
     5. Server vulnerabilities
     6. Network vulnerabilities
     7. File permissions
  11. Some solutions
  12. Delete readme.html. It discloses the installed WordPress version to anyone who requests it; note that core updates ship a fresh copy, so delete it again after every update.
  13. Prevent user enumeration (?author=n). WordPress answers ?author=N for a valid user ID with a redirect to /author/<nicename>/ (the nicename defaults to the login), so walking N=1,2,3... lists your login names. This rule sends any request carrying author= in the query string to the home page instead:
     RewriteCond %{QUERY_STRING} (^|&)author=
     RewriteRule . http://%{SERVER_NAME}/? [L]
     The rule covers only the query-string form: the /author/<nicename>/ permalinks themselves still resolve, and on current WordPress versions the REST endpoint /wp-json/wp/v2/users also lists authors, so each needs its own handling.
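The check a practitioner wants after deploying that rule is to see whether logins still come back. The following Python is an added example, not code from the deck or its author: it extracts the disclosed login from a single ?author=N response (from the 301 Location with pretty permalinks, or from the `author-<nicename>` body class without them) and walks a range of IDs. The `Response` objects and the `probe_*` functions are constructed stand-ins for HTTP traffic; against a real site you would replace the probe with a request that does not follow redirects.

```python
# Added example (not part of the WordCamp deck): checking whether a site still
# leaks logins through ?author=N. The Response objects below are constructed
# stand-ins, not captured traffic, and the probe_* functions are hypothetical.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers and body."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# With pretty permalinks WordPress answers ?author=N for a valid ID with a
# 301 to /author/<user_nicename>/ (the nicename defaults to the login).
AUTHOR_IN_LOCATION = re.compile(r"/author/([A-Za-z0-9._-]+)/?")
# Without pretty permalinks the archive itself renders, and body_class()
# emits "author author-<nicename> author-<ID>".
BODY_CLASS = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.IGNORECASE)


def login_from_author_probe(resp: Response) -> Optional[str]:
    """Return the login disclosed by one ?author=N response, or None."""
    if resp.status in (301, 302):
        m = AUTHOR_IN_LOCATION.search(resp.headers.get("Location", ""))
        return m.group(1) if m else None
    if resp.status == 200:
        m = BODY_CLASS.search(resp.body)
        if not m:
            return None
        for cls in m.group(1).split():
            tail = cls[len("author-"):]
            # skip the numeric author-<ID> class, keep the nicename one
            if cls.startswith("author-") and not tail.isdigit():
                return tail
    return None


def enumerate_users(probe: Callable[[int], Response], max_id: int = 10) -> Dict[int, str]:
    """Probe ?author=1..max_id through `probe` and collect every disclosed login."""
    found: Dict[int, str] = {}
    for author_id in range(1, max_id + 1):
        login = login_from_author_probe(probe(author_id))
        if login:
            found[author_id] = login
    return found


# Constructed responses: an unhardened site with pretty permalinks ...
UNHARDENED = {
    1: Response(301, {"Location": "http://blog.example/author/admin/"}),
    2: Response(301, {"Location": "http://blog.example/author/giulia/"}),
}
# ... the same site with plain permalinks ...
PLAIN_PERMALINKS = {
    1: Response(200, {}, '<html><body class="archive author author-admin author-1">'
                         '...</body></html>'),
}
# ... and a site running the deck's RewriteCond/RewriteRule, which serves the
# home page for every request carrying author= in the query string.
HARDENED_HOME = Response(200, {}, '<html><body class="home blog">...</body></html>')
NOT_FOUND = Response(404, {}, '<html><body class="error404">Not found</body></html>')


def probe_unhardened(author_id: int) -> Response:
    return UNHARDENED.get(author_id, NOT_FOUND)


def probe_plain(author_id: int) -> Response:
    return PLAIN_PERMALINKS.get(author_id, NOT_FOUND)


def probe_hardened(author_id: int) -> Response:
    return HARDENED_HOME


if __name__ == "__main__":
    print(enumerate_users(probe_unhardened, 3))  # {1: 'admin', 2: 'giulia'}
    print(enumerate_users(probe_plain, 3))       # {1: 'admin'}
    print(enumerate_users(probe_hardened, 3))    # {}
```

Both disclosure paths are checked because the rewrite rule changes which one you see: a site that serves the home page for author= queries yields nothing, while a site that merely disabled pretty permalinks still leaks through the body class.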
  14. Hide wp-(login|admin|register): 1. block access to login / admin; 2. prepare a custom login URL; 3. check that the key is present.
  15. Rewrite rules (excerpt; full code at https://gist.github.com/3003290):
     RewriteRule ^login /wp-login.php?key=12345g&redirect_to=… [L]
     RewriteCond %{HTTP_REFERER} !^wp-admin …
     RewriteCond %{QUERY_STRING} !^key=12345
     RewriteRule ^app/wp-login.php http://%{SERVER_NAME}/? [R,L]
     This is obscurity, not authentication: the key travels in every login URL and ends up in referrer headers and access logs, so it cuts automated noise but does not replace strong passwords or rate limiting on the login form.
  16. Deny PHP execution (in a directory such as uploads): deny everything, then allow only static asset types, plus any single PHP file that must stay reachable, back in:
     Options All -Indexes
     Order Allow,Deny
     Deny from all
     <Files ~ "\.(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
         Allow from all
     </Files>
     <Files permitted-filename.php>
         Allow from all
     </Files>
     Caveat: the allow-list is keyed on the final extension, so a file named shell.php.jpg passes it, and where PHP is bound with AddHandler (which matches any extension in the name) that file executes. Also turn the PHP handler off in the directory (php_flag engine off under mod_php), or deny with a FilesMatch pattern on ".php" that is not anchored to the end of the name.
  17. Shrink the number of plugins: 1. remove inactive plugins (deactivated plugins stay on disk and their files remain reachable through the web server); 2. remove useless plugins; 3. remove dangerous plugins; 4. (evaluate integrating the needed code directly).
  18. Disallow plugin install / update (edit your wp-config.php):
     /** edit your wp-config.php */
     define( 'DISALLOW_FILE_EDIT', true );
     define( 'DISALLOW_FILE_MODS', true );
     DISALLOW_FILE_EDIT removes the theme and plugin editors from the dashboard. DISALLOW_FILE_MODS (which implies DISALLOW_FILE_EDIT) additionally blocks plugin, theme and core installs and updates from the dashboard, so updates must then be applied outside it, by deployment or WP-CLI.
  19. Use STRONG passwords
     Insecure password    Secure password
     giulia76             D7u8hI928FJYusx
     password             Z5BLl20T8by1524
     123456               TLv7p64P63V5Hr1
     qwerty               6b83668I15qRP2I
     matrix               Um2d4Ejd9T1ExPr
     http://strongpasswordgenerator.com/
  20. CHANGE DIRECTORY STRUCTURE
  21. Rename wp-content (edit your wp-config.php):
     /** edit your wp-config.php */
     define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
     define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
     Caveat: HTTP_HOST is taken from the client's Host header; a hard-coded hostname is safer, since a crafted Host header otherwise steers the URLs of every script and stylesheet the page loads.
  22. Change the upload directory (the UPLOADS constant in wp-config.php, given relative to ABSPATH).
  23. Move the WordPress core (edit your wp-config.php):
     /** edit your wp-config.php */
     define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core/' );
     define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );
     and your index.php:
     /** edit your index.php */
     define( 'WP_USE_THEMES', true );
     require( './wordpress-core/wp-blog-header.php' );
  24. Structure example
  25. Custom structure example #1
  26. Custom structure example #2
  27. Codex references:
     http://codex.wordpress.org/Hardening_WordPress
     http://codex.wordpress.org/Administration_Over_SSL
     http://codex.wordpress.org/Editing_wp-config.php
  28. BLACKHOLE
  29. Blackhole for bad bots: http://perishablepress.com/blackhole-bad-bots/
  30. Rules for blackhole. With the custom structure above, the default paths no longer serve anything, so a request for them can only come from a scanner and is routed into the blackhole:
     RewriteEngine On
     RewriteBase /
     RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
     RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]
     Note the $ anchor: only the bare path (wp-admin, not wp-admin/ or wp-admin/install.php) is trapped. Do not deploy these rules on a default layout, where they would trap your own administrators.
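The same decoys can be watched from the log side. The Python below is an added example, not code from the deck or from Perishable Press: it parses Apache combined-format lines, counts hits on the decoy paths and the author= enumeration query per source IP, and flags bursts of POSTs to wp-login.php. The log lines are constructed, the burst threshold is an assumption, and the decoy path list assumes the deck's renamed layout (drop /wp-content from it on a default install, where that path carries legitimate assets).

```python
# Added example (not part of the WordCamp deck): scoring clients from Apache
# combined-format access-log lines for the recon and brute-force traffic the
# deck's rewrite rules and blackhole decoys are meant to absorb. The log lines
# are constructed, and the decoy path list assumes the deck's renamed layout
# (wp-content moved away from its default path); otherwise drop /wp-content.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths that only a scanner asks for on this layout, plus the enumeration query.
RECON_PATHS = ("/readme.html", "/wp-admin", "/admin", "/wp-content", "/phpinfo", "/phpmyadmin")
RECON_QUERY_MARKERS = ("author=",)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log line into ip, ts (aware datetime), method, path, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[str]:
    """'login_post' for POSTs to wp-login.php, 'recon' for decoy paths / ?author=, else None."""
    path, _, query = entry["path"].partition("?")
    if entry["method"] == "POST" and path.endswith("/wp-login.php"):
        return "login_post"
    if any(path == p or path.startswith(p + "/") for p in RECON_PATHS):
        return "recon"
    if any(marker in query for marker in RECON_QUERY_MARKERS):
        return "recon"
    return None


def score_clients(lines: Iterable[str], burst: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Per source IP: recon hits, login POSTs and flags ('recon', 'login_burst').

    'login_burst' means at least `burst` login POSTs fell inside some `window_s` seconds
    (threshold values are assumptions for the example).
    """
    per_ip: Dict[str, dict] = defaultdict(lambda: {"recon": 0, "login_post": 0, "flags": []})
    login_times: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        kind = classify(entry) if entry else None
        if kind is None:
            continue
        per_ip[entry["ip"]][kind] += 1
        if kind == "login_post":
            login_times[entry["ip"]].append(entry["ts"])
    for ip, rec in per_ip.items():
        if rec["recon"]:
            rec["flags"].append("recon")
        times = sorted(login_times[ip])
        for i in range(len(times) - burst + 1):   # sliding window over sorted timestamps
            if (times[i + burst - 1] - times[i]).total_seconds() <= window_s:
                rec["flags"].append("login_burst")
                break
    return dict(per_ip)


# Constructed sample: one scanner, one password guesser, one legitimate editor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2012:10:00:01 +0200] "GET /readme.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:10:00:02 +0200] "GET /?author=1 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:10:00:03 +0200] "GET /phpmyadmin HTTP/1.1" 404 200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2012:10:05:00 +0200] "POST /app/wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.21"
198.51.100.9 - - [10/Jun/2012:10:05:04 +0200] "POST /app/wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.21"
198.51.100.9 - - [10/Jun/2012:10:05:08 +0200] "POST /app/wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.21"
198.51.100.9 - - [10/Jun/2012:10:05:12 +0200] "POST /app/wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.21"
198.51.100.9 - - [10/Jun/2012:10:05:16 +0200] "POST /app/wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.21"
192.0.2.20 - - [10/Jun/2012:10:10:00 +0200] "GET /2012/06/hello-world/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jun/2012:10:10:30 +0200] "POST /app/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, rec in score_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, rec)
```

A client flagged "recon" has already told you it is scanning before it reaches anything that matters, which is the point of the decoys; the login-burst flag is what the hidden login URL on slide 15 reduces but cannot remove, since the key leaks with the URL.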
  31. Blackhole plugin (includes the blackhole script on every front-end request, so a trapped client is refused on later visits too):
     <?php
     /*
     Plugin Name: blackhole
     Plugin URI: http://maurizio.mavida.com/
     Description: blackhole
     License: GPL
     Version: 0.1
     Author: Maurizio Pelizzone
     Author URI: http://maurizio.mavida.com
     */
     if ( ! is_admin() ) {
         include( $_SERVER['DOCUMENT_ROOT'] . '/blackhole/blackhole.php' );
     }
  32. FILE MONITOR: record a hash of every file in the installation and alert on files that are added, removed or changed.
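The slide names the control without showing one, so here is a minimal implementation as an added example, not code from the deck: it hashes every regular file under the install, stores the baseline as JSON (keep it outside the web root), reports added, removed and modified files, and additionally lists files under uploads whose name carries a PHP-like extension anywhere, the double-extension case that slide 16's extension allow-list lets through. The tree used in `demo()` is constructed in a temporary directory, and the path names are illustrative.

```python
# Added example (not part of the WordCamp deck): a minimal file-integrity monitor
# for a WordPress tree, plus a check for PHP-like names under uploads. The tree
# built in demo() is constructed in a temp directory; paths and names are illustrative.
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]   # relative path -> sha256 hex digest
SCRIPT_EXTS = {"php", "phtml", "php5", "phar"}


def hash_file(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Hash every regular file below root (symlinks skipped); keys use forward slashes."""
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def save_snapshot(snap: Snapshot, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_snapshot(path: str) -> Snapshot:
    with open(path) as f:
        return json.load(f)


def diff(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_uploads(snap: Snapshot, prefix: str = "wp-content/uploads/") -> List[str]:
    """Files under the uploads prefix whose name carries a PHP-like extension anywhere
    (shell.php, but also shell.php.jpg, which a final-extension allow-list lets through)."""
    hits = []
    for rel in snap:
        if not rel.startswith(prefix):
            continue
        exts = rel.rsplit("/", 1)[-1].lower().split(".")[1:]
        if SCRIPT_EXTS.intersection(exts):
            hits.append(rel)
    return sorted(hits)


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Build a constructed tree, baseline it, tamper with it and report what changed."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as state:
        def write(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write("wp-content/themes/x/functions.php", "<?php // theme functions\n")
        write("wp-content/uploads/2012/06/photo.jpg", "constructed jpeg bytes")
        baseline_path = os.path.join(state, "baseline.json")   # stored off the web root
        save_snapshot(snapshot(root), baseline_path)

        # Tampering: code appended to the theme, a script dropped under uploads
        # with a double extension.
        write("wp-content/themes/x/functions.php", "<?php // theme functions\n// injected\n")
        write("wp-content/uploads/2012/06/shell.php.jpg", "<?php // dropped script\n")

        current = snapshot(root)
        return diff(load_snapshot(baseline_path), current), suspicious_uploads(current)


if __name__ == "__main__":
    changes, hits = demo()
    print(changes)   # added: shell.php.jpg; modified: functions.php; removed: none
    print(hits)      # ['wp-content/uploads/2012/06/shell.php.jpg']
```

Run the snapshot from cron and compare against the stored baseline; regenerate the baseline only right after an update you performed yourself, otherwise a modified core file is exactly the signal you want.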
  34. AVOID FTP: it sends credentials and file contents in cleartext; use SFTP or SCP over SSH instead.
  35. Questions?
  36. Thank you. Maurizio Pelizzone, @miziomon, maurizio@mavida.com, http://maurizio.mavida.com
