
Tips & Tricks in securing your WordPress installation


My presentation slides for Tips & Tricks in securing your WordPress installation during Hackatron Asia 2014 which takes place on 6th and 7th December 2014.

This presentation is an updated version of http://www.slideshare.net/gamerz/singapore-word-press-user-group-meetup-september-2014-wordpress-security


  1. Security Tips & Tricks in securing your WordPress installation
  2. About Me
     • WordPress Plugins Developer
       – Since 2003
       – Created > 22 plugins
         • wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, etc.
       – http://profiles.wordpress.org/gamerz
     • Tech Guy in Tech in Asia
       – Joined on 1st September 2014
     Lester Chan (@gamerz)
  3. WordPress Is Popular
     • Powers 22% of the web
     • Most blogs use WordPress
       – Mashable.com
       – Techcrunch.com
     • Because it is popular, lots of attacks are targeted at WordPress sites
  4. Hack Attempts
     • wp-includes/users.php (code an attacker had inserted to write each login's username and password to a file)
         $fh = fopen(ABSPATH . "core/wp-content/plugins/.htaccess", "a+");
         fwrite($fh, $credentials['user_login'] . ':' . $credentials['user_password'] . "\n");
         fclose($fh);
     • Backdoor files
  5. Security 101
     • Always keep your WordPress & its plugins up to date.
       – 20th November 2014: WordPress 4.0.1 was released to fix:
         • Three cross-site scripting issues that a contributor or author could use to compromise a site.
         • A cross-site request forgery that could be used to trick a user into changing their password.
         • An issue that could lead to a denial of service when passwords are checked.
         • An extremely unlikely hash collision that could allow a user's account to be compromised.
  6. Passwords
     • Use a complex password
       – In general
         • Not just WordPress but your CPanel/FTP as well
     • Use a 2FA plugin
       – Google Authenticator
         • https://wordpress.org/plugins/google-authenticator/
       – Authy Two Factor Authentication
         • https://wordpress.org/plugins/authy-two-factor-authentication/
  7. Passwords
     • Protect your WP-Admin with a password
       – Using htpasswd
         • http://www.htaccesstools.com/htpasswd-generator/
       – Placing .htaccess in wp-admin:
           ErrorDocument 401 default
           AuthName "Lester Chan's Website WordPress Admin"
           AuthUserFile "/home/gamerz/wp-admin/passwd"
           AuthType Basic
           require valid-user
           <Files admin-ajax.php>
               Order allow,deny
               Allow from all
               Satisfy any
           </Files>
  8. HTTPS
     • HTTPS encrypts communication and sensitive data between the browser and wp-admin.
     • Prevents man-in-the-middle attacks.
       – define('FORCE_SSL_LOGIN', true);
       – define('FORCE_SSL_ADMIN', true);
  9. Files/Folder Permissions
     • Files & folders should be readable & writeable only by the owner, and only readable by everyone else
     • Ensure all files are CHMOD to 644
       – find . -type f -exec chmod 644 {} \;
     • Ensure all folders are CHMOD to 755
       – find . -type d -exec chmod 755 {} \;
  10. WordPress Uploads
      • /wp-content/uploads/
        – Is a common vector for attacks because it stores user-uploaded files
        – Harder to notice
        – Most people will just CHMOD this to 777
          • Which means everyone can read & write to it
        – This folder should only serve static assets & not execute any scripts
          • http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess
  11. Monitor Changed Files
      • I monitor my site's changed files via email on a daily basis
      • Using CRON
        – find /home/gamerz/public_html -mtime -1
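The three housekeeping tasks on slides 9, 10 and 11 (permission reset, uploads audit, daily changed-file report) as one POSIX shell script. This is an added example, not code from the slides; the function names, the list of script-like extensions and the cron line in the comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: helpers for slides 9-11. All paths are
# passed as arguments; function names and the extension list are my choices.

# Slide 9: files 644 (owner rw, everyone else r), directories 755
# (owner rwx, everyone else rx), applied recursively below the given root.
fix_perms() {
    root=$1
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
}

# Slide 10: wp-content/uploads should hold static assets only. List any
# file whose name a web server or PHP handler might treat as a script and
# return 1 when one is found, so the check can fail a cron job loudly.
audit_uploads() {
    uploads=$1
    hits=$(find "$uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' -o -iname '*.phar' -o -iname '*.cgi' \
        -o -iname '*.pl' -o -iname '*.py' -o -iname '*.sh' \))
    if [ -n "$hits" ]; then
        printf 'script-like files under %s:\n%s\n' "$uploads" "$hits"
        return 1
    fi
    return 0
}

# Slide 11: the daily "what changed" report. -mtime -N selects files whose
# contents changed within the last N days (default 1, as on the slide).
# .git directories from the slide-12 layout are pruned so Git's own
# metadata churn does not bury a real change.
changed_since() {
    root=$1
    days=${2:-1}
    find "$root" -path '*/.git' -prune -o -type f -mtime "-$days" -print
}

# Assumed cron line (not from the slides); cron mails the output to the owner:
# 0 6 * * * /bin/sh /path/to/wp-checks.sh /home/gamerz/public_html
main() {
    root=$1
    fix_perms "$root"
    audit_uploads "$root/wp-content/uploads"
    changed_since "$root" 1
}

[ "$#" -gt 0 ] && main "$@"
```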
  12. Using Git
      • /core/
        – Contains a Git checkout of https://github.com/WordPress/WordPress
        – git fetch --tags; git checkout 4.0.1
      • /content/
        – It is a Git checkout of my private repository
        – Contains all my active plugins and themes
      • Doing a git status in either folder above will also tell me what has changed
  13. Backup
      • Backup your database regularly
        – Every hour if you blog more than once a day
        – Every day if you blog regularly
        – Using a plugin like WP-DBManager
          • https://wordpress.org/plugins/wp-dbmanager/
      • Backup your /uploads/ folder
        – Using Git? (not ideal)
        – FTP to S3/Dropbox?
        – NAS
        – Gluster FS
  14. VaultPress
      • https://vaultpress.com/
        – By Automattic
          • Company behind WordPress.com
        – Paid
          • Lite (USD$55/year), Basic (USD$165/year), Premium (USD$440/year)
        – Features
          • Realtime full (database + files) backup
          • Scanning your site for dangerous files
          • Automatic restore of database + files
  15. WordFence
      • http://www.wordfence.com/
      • By Feedjit Inc
        – Paid
          • USD$39/year
        – Features
          • Cellphone Sign-in
          • Network & Geo Blocking
          • Site Repair
          • Machine Learning
          • Source Code Verification
  16. Summary
      • Password Protected WP-Admin
      • Use Google Authenticator as 2FA login for WordPress
      • HTTPS for WP-Admin
      • Ensure all files are CHMOD to 644 and folders to 755
      • Do not allow any script execution in the /uploads/ folder
      • Monitor your site's changed files
      • Backup your database regularly
  17. Other References
      • http://codex.wordpress.org/Hardening_WordPress
      • http://codex.wordpress.org/Backing_Up_Your_WordPress_Files
      • http://wordpress.tv/tag/security/
  18. Questions?
      • Any questions?
      • You can also find me at
        – Blog: http://lesterchan.net
        – Twitter: @gamerz
        – Facebook: https://fb.com/lesterchan
        – Instagram: @gamerz