WordCamp Finland 2015 - WordPress Security


Slides for the presentation in WordCamp Finland 2015 about WordPress Security.

Published in: Software

  1. WordPress Security: How to not get hacked (WordCamp Finland - Tiia Rantanen)
  2. What is security?
     - no unauthorized modification of information without detection
     - information must be available when required
     - information must be accurate and trustworthy
     - verified transactions
     Source: Wikipedia
  3. Possible threats
     - injection
     - cross site scripting (XSS)
     - security misconfiguration
     - sensitive data exposure
     - missing function level access control
     - cross site request forgery (CSRF)
     - using components with known vulnerabilities
     and also:
     - brute force
     Some according to WordPress White Paper & OWASP
  4. What can I do? ..on the server-side
     - correct user permissions (directory 755, files 644)
     - limit access and change the url to wp-admin
     - track file changes (version control, git)
     - use public/private keys for server login
     - enable firewall
     - monitor your server (New Relic, Boundary, Cloud Flare, OSSEC)
     - update
  5. What can I do? ..on the server-side
     - use SSL
     - deny direct PHP execution in directories (with caution)
     - block access to directories and files (wp-config, xmlrpc, author archives, wp-config, readme, license etc.)
     - block PHP files in uploads
     - remove or change unwanted headers (Server, X-Powered-By)
  6. wp-config file
     - obscurity
     - change database table prefix
     - disallow file edit (WordPress code editor)
     - authentication keys
     - disallow plugin, update and theme installations
     - move to core parent (up one folder)
  7. theme functions
     - remove unnecessary wp_head information
     - remove the generator meta tag
     - hide the version number in enqueued js files
     - disable xmlrpc
     - overwrite login errors
     - disable unnecessary feeds
     - remove x-pingback from header
     - remove version revealing html comments from plugins if possible
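     The theme-side items on this slide, as an added functions.php example (not code from the slides); the `wcfi_` function name is an assumption, the hooks are standard WordPress filters and actions:

```php
<?php
// Added example: hardening hooks for a theme's functions.php.

// Remove the generator meta tag (<meta name="generator" content="WordPress x.y">) from wp_head.
remove_action( 'wp_head', 'wp_generator' );

// Strip the ?ver= query string from enqueued scripts and styles, which by default
// carries the WordPress version number. Function name wcfi_* is an assumption.
function wcfi_remove_asset_version( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'wcfi_remove_asset_version', 9999 );
add_filter( 'style_loader_src',  'wcfi_remove_asset_version', 9999 );

// Disable XML-RPC unless a plugin or mobile app genuinely needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop the X-Pingback header that advertises the XML-RPC endpoint.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Overwrite login errors: the default messages reveal whether a username exists,
// so return the same generic text for every failed attempt.
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your credentials.';
} );

// Disable unnecessary feed and discovery links in wp_head.
remove_action( 'wp_head', 'feed_links_extra', 3 );  // category, tag and comment feeds
remove_action( 'wp_head', 'rsd_link' );             // Really Simple Discovery (XML-RPC pointer)
remove_action( 'wp_head', 'wlwmanifest_link' );     // Windows Live Writer manifest
```

     Check the result by viewing the page source and the HTTP response headers: no generator tag, no ver= query strings, no X-Pingback header.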
  8. WordPress admin
     - force strong passwords
     - user privileges
     - don't use 'admin' username
     - security enhancing plugins with logging
  9. Security plugins
     - iThemes Security
     - Wordfence
     - Bulletproof Security
     - Sucuri Security
     - Google Authenticator (for two-factor authentication)
     ...and lots more. For backups:
     - VaultPress
     - BackUp Buddy
  10. Is my WordPress safe?
     - WPScan
     - audit the source code
     - update
     - monitor
     - read WordPress Core and plugin related news
  11. No matter what you do, you can still get hacked. Always back up your files.
  12. I got hacked :(
     - if you have backups, use them
     - if you use version control or some other tool that checks altered files, use that
     - if none of the above, you're in for a lot of work going through the modified dates
     - always find out why you were hacked
     - make sure your WordPress is safe by taking the precautions mentioned
  13. Thank you for listening! Any questions?