WordPress Security Hardening

Presentation given at WordCamp


  1. Security & Hardening
     Timothy Wood (@codearachnid) [email_address]
  2. Security & Hardening - Introduction
     Areas of compromise:
       - File (server) system hardening
       - Application software hardening
       - ... and YOU!
     Image: http://www.flickr.com/photos/nbachiyski/1463351154/
  3. Security & Hardening - System Hardening
     - .htaccess is your friend
       - Lock down folders
       - Lock the admin area down to known IPs
     - Secure your database
       - Never (EVER) use root; give WordPress its own database user with only the privileges it needs (http://bit.ly/17vo6y)
       - Change up the defaults (the wp_ table prefix, for example)
     - Server scans & security to prevent and monitor
       - File change monitoring (http://snipit.me/u/11)
       - Routine backups are your friend
       - Lock down the server as you would for any other site
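The .htaccess items on this slide (lock down folders, lock the admin area to known IPs) and the wp-config.php / wp-admin protection on slide 5, written out as Apache directives. This is an added example, not configuration from the presentation. It assumes Apache 2.4 syntax with mod_authz_core, a document root of /var/www/html, and 203.0.113.10 as a placeholder for the administrator's own static address; the three file headers mark which .htaccess each part belongs in.

```apache
# --- /var/www/html/.htaccess (document root), placed above the "# BEGIN WordPress" rewrite block ---
# Never serve directory listings.
Options -Indexes

# No web access to the config file or to any .htaccess / .htpasswd file.
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# wp-login.php lives in the root, not in wp-admin, so it needs its own rule.
# 203.0.113.10 is a placeholder for the admin's static IP (assumption).
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# --- /var/www/html/wp-admin/.htaccess ---
# Only the listed address may execute anything in the dashboard ...
<FilesMatch "\.php$">
    Require ip 203.0.113.10
</FilesMatch>
# ... except admin-ajax.php, which themes and plugins call for anonymous
# visitors. With AuthMerging Off (the default) this later section replaces
# the Require above for that one file.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- /var/www/html/wp-content/uploads/.htaccess ---
# Uploads are writable by the web server; refuse to execute anything
# dropped there that the PHP handler would otherwise run.
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Two checks before relying on this: the directory's AllowOverride must permit these sections (AllowOverride All, or at least AuthConfig and Options), and Require ip compares against the connecting address, so behind a reverse proxy or CDN it sees the proxy's IP unless mod_remoteip is configured first. On the Apache 2.2 releases current when this talk was given, the same rules are written with Order/Allow/Deny instead of Require.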
  4. Security & Hardening - Application Hardening
     - Start with good resources
       - Read reviews from other users
       - Never be the first adopter on a production site
       - Write your own tools/plugins
     - Keep software up to date (core, plugins, themes, etc.)
       - Review changelogs of 3rd-party code
       - Monitor "hidden" files (.htaccess) for unapproved changes
       - Routine blog scans (http://bit.ly/JK5dw)
     - Need to know only
       - Remove tell-tale signs (generator meta tag, footer links, etc.)
       - Change up the wp-content folder (WP_CONTENT_DIR / WP_CONTENT_URL in wp-config.php)
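The file-change monitoring on slide 3 and the "monitor hidden files such as .htaccess" point on this slide both come down to the same check: a hash baseline of the install, compared on a schedule. The script below is an added example, not the WordPress File Monitor plugin the slides link to and not code from the presentation. It assumes PHP 8, a document root and baseline path passed on the command line, and that wp-content/uploads and wp-content/cache are excluded because they change legitimately; dotfiles such as .htaccess are included.

```php
<?php
// wp-integrity.php: baseline-and-compare file monitor for a WordPress tree.
// Added example, not the presentation's code. Run from cron, e.g.
//   php wp-integrity.php /var/www/html /var/lib/wp-integrity/baseline.json
// The first run writes the baseline; later runs list ADDED / REMOVED / CHANGED
// files and exit non-zero so a cron mailer or monitor can alert.
declare(strict_types=1);

/** Walk $root and return ['relative/path' => 'sha256'] for every regular file. */
function wpi_snapshot(string $root, array $skip = ['wp-content/uploads', 'wp-content/cache']): array
{
    $root  = rtrim(realpath($root), '/');
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        // Symlinks are skipped so a planted link cannot pull /etc files into the baseline.
        if (!$file->isFile() || $file->isLink()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach ($skip as $prefix) {
            if (str_starts_with($rel, $prefix . '/')) {
                continue 2;
            }
        }
        $files[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($files);
    return $files;
}

/** Compare two snapshots; new PHP files and edited .htaccess files are the usual findings. */
function wpi_diff(array $baseline, array $current): array
{
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($baseline[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $root         = $argv[1] ?? '.';
    $baselineFile = $argv[2] ?? 'baseline.json';   // keep this outside the web root
    $current      = wpi_snapshot($root);

    if (!file_exists($baselineFile)) {
        file_put_contents($baselineFile, json_encode($current, JSON_PRETTY_PRINT));
        echo 'Baseline written with ' . count($current) . " files\n";
        exit(0);
    }

    $diff = wpi_diff(json_decode((string) file_get_contents($baselineFile), true) ?: [], $current);
    foreach ($diff as $kind => $paths) {
        foreach ($paths as $path) {
            echo strtoupper($kind) . "\t" . $path . "\n";
        }
    }
    // The baseline is only ever refreshed by hand, after an update you performed yourself.
    exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
}
```

Store the baseline somewhere the web server account cannot write, otherwise an attacker who can drop a shell into the tree can also rewrite the record you compare against. After a legitimate core or plugin update, review the report and then delete the baseline so the next run records the new state.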
  5. Security & Hardening - App. Admin Hardening
     - Rename and upload the WordPress folder
       - Disable links to the administration area
     - Extend the wp-config.php file
     - Move & protect the wp-config.php file
     - Delete the "admin" user account
     - Choose strong passwords
     - Protect the wp-admin directory
     - Suppress error feedback on the log-in page
     - Restrict erroneous log-in attempts
     FYI: the source of this slide can be found at http://bit.ly/MA32j
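The last two items on this slide (suppress error feedback, restrict erroneous log-in attempts) plus the "remove tell-tale signs" point from slide 4 can be done with a handful of WordPress hooks. The must-use plugin below is an added example, not code from the presentation. It assumes WordPress 5.4 or later, five failures per fifteen minutes as the threshold, transients as the counter store, and that REMOTE_ADDR is the real client address (it is not behind a reverse proxy).

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 * Description: Generic login errors, per-IP lockout after repeated failures, no version banner.
 *
 * Drop into wp-content/mu-plugins/ so it cannot be switched off from the dashboard.
 * Added example for the WordCamp slides, not the presentation's own code.
 * Thresholds, the transient store and trusting REMOTE_ADDR are assumptions.
 */

defined('ABSPATH') || exit;

const WCH_MAX_ATTEMPTS = 5;                        // failures allowed per window (assumption)
const WCH_WINDOW       = 15 * MINUTE_IN_SECONDS;   // lockout length (assumption)

/** One counter per client address; only meaningful when Apache talks to the client directly. */
function wch_lockout_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'wch_fail_' . md5($ip);
}

/** Count a failed login; the transient expires with the window. */
function wch_record_failure(string $username): void
{
    $key   = wch_lockout_key();
    $count = (int) get_transient($key);
    if ($count >= WCH_MAX_ATTEMPTS) {
        return; // already locked: a blocked attempt must not keep extending the window
    }
    set_transient($key, $count + 1, WCH_WINDOW);
}
add_action('wp_login_failed', 'wch_record_failure');

/**
 * Refuse authentication while locked. Priority 30 runs after the core
 * username/password checks at 20, so this WP_Error replaces a WP_User
 * instead of being overridden by it.
 */
function wch_block_when_locked($user, $username, $password)
{
    if ((int) get_transient(wch_lockout_key()) >= WCH_MAX_ATTEMPTS) {
        return new WP_Error('wch_locked', __('Too many failed logins. Try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'wch_block_when_locked', 30, 3);

/** Reset the counter on success so a legitimate user is not throttled by old typos. */
add_action('wp_login', function () {
    delete_transient(wch_lockout_key());
});

/** One message for unknown user and wrong password alike: no username enumeration. */
add_filter('login_errors', function () {
    return __('Invalid login credentials.');
});

/** Stop advertising the exact WordPress version in the HTML head and in feeds. */
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
```

Transients live in the options table unless a persistent object cache is installed, which is fine for a small blog but adds a write per failed login on busy sites. If the site sits behind a proxy or CDN, every visitor shares one REMOTE_ADDR and this lockout would throttle all of them together; fix the address source first.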
  6. Security & Hardening - Application Hardening
     - Login pages should be encrypted (served over HTTPS)
     - Data validation should be done server-side
     - Manage your site over an encrypted connection (HTTPS, SFTP or SSH rather than plain FTP)
     - Connect from a secured network
     - Don't share login credentials
     - Maintain a secure workplace
       - Physical
       - Software
     - Use multiple layers of protection (defence in depth)
  7. Security & Hardening - Credits
     - This presentation - http://bit.ly/1FGGa
     - WordPress Security Whitepaper - http://is.gd/nbjQ
     - Lorelle on WordPress - http://is.gd/2v9K
     - WordPress File Monitor - http://snipit.me/u/11
     - 20 WordPress Security Plug-ins And Tips To Keep Hackers Away - http://bit.ly/fim37
     Image: http://www.flickr.com/photos/donncha/134015140/