Hardening WordPress - SAScon Manchester 2013 (WordPress Security)

13,810 views

My talk at #SAScon Manchester 2013 about WordPress security and how to make your WordPress (a bit) safer. Including two-factor authentication, a lot of security-specific settings and much more :)

Published in: Technology, Business

1. Bastian Grimm, Managing Partner - Grimm Digital. Hardening WordPress, at WP Luvfest: “Maximising WordPress for Search”. http://gdig.de/sascon13 Manchester, June 2013
2. About me: @basgr. SEO Trainings, Seminars & Strategy Consulting. WordPress Security, Consulting & Development. Berlin-based Full-Service Performance Marketing Agency.
3. http://gdig.de/sascon13
4. #1 Set up WordPress properly. Use unique keys and salts to add random elements for encryption: https://api.wordpress.org/secret-key/1.1/salt/ Use a cryptic table prefix to frustrate automated scripts and SQL injection payloads that assume the default `wp_` prefix:

       $table_prefix = 'wp_VzQCxSJv7uL_';
5. #2 Protect your wp-config.php. This needs to go into your WP root’s .htaccess file to prevent external access:

       <files wp-config.php>
       # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
       order deny,allow
       deny from all
       </files>

   Did you know this? Even better: move wp-config.php outside of „www“. Also do chmod 400/440.
6. #3 Remove the default „admin“. Set up a new user as admin; log out. Log in with the new admin; delete the old one. Make sure to use a STRONG password, pleeaaasssseeee! http://www.random.org/passwords/
7. Credits: http://bit.ly/T8wMwO Make absolutely sure you only use plug-ins from trusted authors!
8. #4 Lock out multiple failed logins: Limit Login Attempts, http://wordpress.org/extend/plugins/limit-login-attempts/
9. #5 Protect your Login (and wp-admin). Don’t just put an .htaccess into your /wp-admin/ for basic password protection; it’s pure “hassle”… Recommended: try the “Lockdown WP Admin” plug-in to protect the PHP files in wp-admin as well as the login itself. http://wordpress.org/extend/plugins/lockdown-wp-admin/
10. Or: lock down using a secret URL? Stealth Login Page, http://wordpress.org/plugins/stealth-login-page/
11. #6 Even better: Two-factor Verification. Info: http://gdig.de/1t - Download: http://gdig.de/1u
12. #6 Even better: Two-factor Verification. Google Authenticator, http://wordpress.org/plugins/google-authenticator/
13. #6 Even better: Two-factor Verification. Provide your login credentials and get the auth code from your mobile phone’s Google Authenticator app.
14. #7 SSL Logins & Administration. In wp-config.php:

       define('FORCE_SSL_LOGIN', true);
       define('FORCE_SSL_ADMIN', true);

    Set FORCE_SSL_LOGIN to true to force all logins to happen over SSL (this still allows non-SSL admin sessions). Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow…).
15. #8 Never EVER do this! These sites are worse than bad…
16. A quick peek into some theme files… LOL! „family friendly“ links – my a*s…
17. A quick peek into some theme files… functions.php: this theme won‘t be working without those links…
18. #9 Always use TAC to do a pre-check! Theme Authenticity Checker (TAC), http://builtbackwards.com/projects/tac/
19. It gets worse: base64-encoded footer. Are you really sure you want to see that footer.php file?
20. Right… NICE FOOTER!
21. PLEASE… stay away from “free” WordPress themes – they’re not free, really!
22. #10 Remove Version & Login Message. In your theme’s functions.php or a small plug-in:

       // Blank out the login error text so the page does not reveal
       // whether the username or the password was the wrong part.
       add_filter('login_errors', function ($error) { return null; });

       // Filtering the_generator empties the version string everywhere,
       // including the RSS feeds, unlike remove_action('wp_head', 'wp_generator').
       function my_remove_version() { return ''; }
       add_filter('the_generator', 'my_remove_version');

    Remove the error message from your login page: you don’t want to give away whether the user and/or the password was (in)correct. You need to do it this way since removing “wp_generator” will NOT get rid of the version number in your RSS feed(s).
23. #11 Block malicious URL requests: BBQ: Block Bad Queries, http://wordpress.org/plugins/block-bad-queries/
24. Or one for all: harden your settings with Secure WordPress, http://wordpress.org/extend/plugins/secure-wordpress/ Most important: remove the version number from ALL components & block malicious URL requests.
25. #12 Update your blogs regularly! WP Updates Notifier sends you emails on outdated components (core, themes & plug-ins) for all blogs: http://wordpress.org/extend/plugins/wp-updates-notifier/ ManageWP can do one-click mass updates (core, themes, plug-ins again) for all your blogs: http://managewp.com/features
26. #13 Keep your installation clean. Remove all inactive plug-ins as well as themes!
27. #14 Scan your theme daily: WP AntiVirus, http://wordpress.org/extend/plugins/antivirus/
28. Or try this one to scan for exploits: Exploit Scanner, http://wordpress.org/plugins/exploit-scanner/ Caution: use a good portion of common sense when reviewing the results!
29. #15 Move the “wp-content” folder. In wp-config.php:

       define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/my-wp-content');
       define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');

    WP_CONTENT_DIR points to the new full local path (no trailing slash). WP_CONTENT_URL points to the new full URI (no trailing slash either).
30. #16 Fix file & folder permissions: WP-Security Scan, http://wordpress.org/extend/plugins/wp-security-scan/ Very important: chmod your wp-config.php to be read-only!
31. #17 Disable File Editing. In wp-config.php:

       define('DISALLOW_FILE_EDIT', true);

    Set DISALLOW_FILE_EDIT to true to disable editing files from the dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the edit_themes, edit_plugins and edit_files capabilities of all users.
32. #18 Delete Files & Disable Listings. Delete those files manually; also get rid of “readme.html” in your WP root. This needs to go into your WP root’s .htaccess file to disable all directory listings:

       Options -Indexes

    http://httpd.apache.org/docs/2.4/mod/core.html#options
33. If you’d change “lastmodified” to “.php.bak” this would then… ok, enough!
34. #19 Backup Database & Files: BackWPup, http://wordpress.org/extend/plugins/backwpup/
35. 13.10.2011, OMCap 2011 - Online Marketing Konferenz Berlin. And that’s it! …
36. #20 Some more WordPress Knowledge: http://gdig.de/slides
37. Bastian Grimm, Managing Partner - Grimm Digital. Thanks! Questions? mail@grimm-digital.com, twitter.com/basgr, linkedin.com/in/bastiangrimm, facebook.com/grimm.digital, http://gdig.de/sascon13
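As an added example (not part of the deck or its plug-ins), a small Python script that performs two of the deck's checks on a WordPress tree: it flags a wp-config.php that is not chmod 400/440 (slide 30) and walks the theme directory for eval/base64_decode-style obfuscation like the footer on slides 19 to 21, decoding base64 literals so the hidden content can be reviewed by eye, as slide 28 advises. The directory layout, the "free-theme" sample and the hidden payload are constructed for the example; base64_decode also has legitimate uses, so treat the findings as review items, not verdicts.

```python
import base64
import os
import re
import stat
import tempfile

# PHP calls that obfuscated theme code, like the deck's base64-encoded footer, relies on.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")
HIDDEN = "echo '<a href=\"http://example.invalid/\">seo link</a>';"  # constructed payload

def decode_hidden(source):
    """Return the plaintext inside base64_decode('...') literals so it can be reviewed."""
    out = []
    for m in B64_LITERAL.finditer(source):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64; leave it for manual review
            pass
    return out

def check_install(root):
    """Return findings for the WordPress tree at root (an empty list means all checks passed)."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if os.path.exists(cfg) and stat.S_IMODE(os.stat(cfg).st_mode) not in (0o400, 0o440):
        findings.append("wp-config.php is not read-only (want chmod 400 or 440)")
    for dirpath, _, files in os.walk(os.path.join(root, "wp-content", "themes")):
        for name in (n for n in files if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            src = open(path, encoding="utf-8", errors="replace").read()
            for lineno, line in enumerate(src.splitlines(), 1):
                if SUSPICIOUS.search(line):
                    findings.append(f"{name}:{lineno}: {line.strip()[:60]}")
            findings.extend(f"{name} hides: {text}" for text in decode_hidden(src))
    return findings

def make_sample_install():
    """Create a constructed, deliberately weak WordPress tree in a temp dir; return its path."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "free-theme")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_NAME', 'wp');\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # world-readable, as many installs ship
    encoded = base64.b64encode(HIDDEN.encode()).decode()
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write(f"<?php eval(base64_decode('{encoded}')); ?>\n")
    return root
```

Run `check_install("/path/to/wordpress")` against a real install; `make_sample_install()` only exists to show the three kinds of finding on the constructed tree.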