
Securing Your WordPress Installation

My presentation slides for Securing Your WordPress Installation during WordPress Meetup September 2014 organised by Singapore WordPress User Group.

  1. Security: How to Secure Your WordPress
  2. About Me
     • WordPress Plugins Developer
       – Since 2003
       – Created > 22 plugins
         • wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, etc.
         • http://profiles.wordpress.org/gamerz
     • Tech Guy in Tech in Asia
       – Just started on 1st September 2014
       – Tech in Asia is still hiring & you can join my team
         • techinasia.com/join
     • PHP & iOS Developer
     Lester Chan (@gamerz) [ 2 ]
  3. WordPress Is Popular
     • Powers 22% of the web
     • Most blogs use WordPress
       – Mashable.com
       – Techcrunch.com
     • Because it is popular, lots of attacks are targeted at WordPress sites
  4. Hack Attempts
     • wp-includes/users.php (code that appends each login's username and password to a file the attacker can fetch later)
       – $fh = fopen(ABSPATH . "core/wp-content/plugins/.htaccess", "a+");
       – fwrite($fh, $credentials['user_login'] . ':' . $credentials['user_password'] . "\n");
       – fclose($fh);
     • Backdoor files
  5. Security 101
     • Always keep your WordPress & its plugins up to date.
       – 4th September 2014
         • WordPress 4.0
       – 6th August 2014
         • WordPress 3.9.2 was released to fix:
           – Fixes a possible but unlikely code execution when processing widgets
           – Prevents information disclosure via XML entity attacks in the external GetID3 library
           – Adds protections against brute-force attacks against CSRF tokens
           – Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
  6. Passwords
     • Use a complex password
       – In general
         • Not just WordPress but your cPanel/FTP as well
     • Use a 2FA plugin
       – Google Authenticator
         • https://wordpress.org/plugins/google-authenticator/
       – Authy Two Factor Authentication
         • https://wordpress.org/plugins/authy-two-factor-authentication/
  7. Passwords
     • Protect your WP-Admin with a password
       – Using htpasswd
         • http://www.htaccesstools.com/htpasswd-generator/
       – Placing .htaccess in wp-admin:

           ErrorDocument 401 default
           AuthName "Lester Chan's Website WordPress Admin"
           AuthUserFile "/home/gamerz/wp-admin/passwd"
           AuthType Basic
           require valid-user
           <Files admin-ajax.php>
               Order allow,deny
               Allow from all
               Satisfy any
           </Files>

       – The <Files> block exempts admin-ajax.php, which plugins call from the public front end without a logged-in user; without it those AJAX requests would get a 401.
  8. HTTPS
     • HTTPS encrypts communication and sensitive data between the browser and wp-admin.
     • Prevents man-in-the-middle attacks.
       – define('FORCE_SSL_LOGIN', true);
       – define('FORCE_SSL_ADMIN', true);
       – Both go in wp-config.php. FORCE_SSL_LOGIN is deprecated as of WordPress 4.0, so FORCE_SSL_ADMIN (which also covers the login page) is the one that matters on current versions.
  9. Files/Folder Permissions
     • Files & folders should be writable only by the owner and readable by everyone else
     • Ensure all files are CHMOD to 644
       – find . -type f -exec chmod 644 {} \;
     • Ensure all folders are CHMOD to 755
       – find . -type d -exec chmod 755 {} \;
  10. WordPress Uploads
     • /wp-content/uploads/
       – Is a common vector for attacks because it stores user-uploaded files
       – Harder to notice
       – Most people will just CHMOD this to 777
         • Which means everyone can read & write to it
       – This folder should only serve static assets & not execute any scripts
         • http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess
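The two slides above (644/755 permissions and a non-executing uploads folder) are a procedure that fits in one script. The following is an added example, not code from the slides or from the speaker: it applies the deck's two find/chmod commands to a WordPress root passed as the first argument, writes an .htaccess into wp-content/uploads that refuses to execute scripts there, and adds an audit function that reports anything deviating from 644/755 so it can run from cron. The Apache directive set (php_flag guarded by IfModule, RemoveHandler, plus an Apache 2.2-style FilesMatch deny) and the assumption that AllowOverride permits these directives are mine, not the deck's.

```shell
#!/bin/sh
# Added example, not from the slides: apply the deck's 644/755 rule to a
# WordPress tree and stop Apache from executing scripts under
# wp-content/uploads. The only argument is the WordPress root directory
# (an assumption; the deck runs the find commands from ".").

# Files 644 (owner rw, everyone else r), directories 755 (owner rwx, others rx).
wp_set_permissions() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
}

# Refuse to run PHP/CGI from the uploads folder. php_flag only exists under
# mod_php (guarded by IfModule so php-fpm setups do not get a 500), so it is
# paired with a handler-independent deny on script extensions.
# Assumption: AllowOverride lets .htaccess carry these directives.
wp_lock_uploads() {
    uploads="$1/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Static assets only: never execute uploaded scripts
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|cgi)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
    chmod 644 "$uploads/.htaccess"
}

# Audit: print every path that deviates from 644/755 and return 1 if any
# exist, so a cron job can mail only when the output is non-empty.
wp_audit_permissions() {
    root="$1"
    bad=$(find "$root" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: sh wp-harden.sh /home/gamerz/public_html   (path is an assumption)
if [ "$#" -ge 1 ]; then
    wp_set_permissions "$1"
    wp_lock_uploads "$1"
    wp_audit_permissions "$1" && echo "permissions OK under $1"
fi
```

The IfModule name matches the 2014-era mod_php5; on a newer mod_php the module is mod_php7.c and the guard simply skips, which is why the FilesMatch deny is there as the part that works regardless of how PHP is wired into Apache. Run the audit from cron after the set step: exit status 1 with a listing means something (a plugin updater, an upload, or an intruder) changed modes since the last run.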
  11. Monitor Changed Files
     • I monitor my site's changed files via email on a daily basis
     • Using CRON
       – find /home/gamerz/public_html -mtime -1
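The daily find -mtime -1 check above, plus a detection for the credential-logging pattern from the "Hack Attempts" slide, as one added example that is not the speaker's script: it lists files modified in the last N days (excluding wp-content/uploads, which changes legitimately on every media upload, a design choice of mine rather than the deck's), greps core directories for a line that both fwrite()s and references the submitted user_login/user_password (a heuristic: genuine core reads those fields but never writes them to a file), and sends the combined report only when there is something to report. The recipient, paths and the presence of a working mail command are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the deck's daily "find -mtime -1" check
# wrapped for cron, plus a grep for the pattern shown on the "Hack Attempts"
# slide (core code writing login credentials to a file). Paths and the
# recipient address are assumptions.

# List files under ROOT modified in the last DAYS days (default 1), leaving
# out the uploads folder whose contents legitimately change all the time.
wp_changed_files() {
    root="$1"
    days="${2:-1}"
    find "$root" -type f -mtime -"$days" ! -path "$root/wp-content/uploads/*"
}

# Heuristic: legitimate core code passes user_login / user_password around but
# never fwrite()s them, so a line doing both deserves a look. Prints file:line.
wp_scan_credential_logging() {
    root="$1"
    for d in wp-includes wp-admin; do
        if [ -d "$root/$d" ]; then
            grep -rnE 'fwrite\(.*user_(login|password)' "$root/$d" || true
        fi
    done
}

# Cron entry point: run both checks; mail the report to $2 when a recipient
# is given, otherwise print it. Nothing is sent when there is nothing to say.
wp_daily_report() {
    root="$1"
    to="$2"
    report=$( { wp_changed_files "$root" 1; wp_scan_credential_logging "$root"; } )
    if [ -z "$report" ]; then
        return 0
    fi
    if [ -n "$to" ]; then
        printf '%s\n' "$report" | mail -s "WordPress changes on $(hostname)" "$to"
    else
        printf '%s\n' "$report"
    fi
}

# Example crontab line (path and address are assumptions):
# 0 6 * * * /bin/sh /home/gamerz/bin/wp-monitor.sh /home/gamerz/public_html admin@example.com
if [ "$#" -ge 1 ]; then
    wp_daily_report "$1" "$2"
fi
```

Modification time is a weak signal on its own (an intruder can reset it with touch), which is why the deck pairs it with a Git checkout: git status compares content, not timestamps. The grep is deliberately narrow so it stays quiet on a clean install; widen it only if you accept reviewing more false positives.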
  12. Using Git
     • /core/
       – Contains a Git checkout of https://github.com/WordPress/WordPress
       – git fetch --tags; git checkout 4.0
     • /content/
       – It is a Git checkout of my private repository
       – Contains all my active plugins and themes
     • Doing a git status in either folder above will also tell me what has changed
  13. Backup
     • Backup your database regularly
       – Every hour if you blog more than once a day
       – Every day if you blog regularly
       – Using a plugin like WP-DBManager
         • https://wordpress.org/plugins/wp-dbmanager/
     • Backup your /uploads/ folder
       – Using Git? (not ideal)
       – FTP to S3/Dropbox?
       – NAS
       – GlusterFS
  14. VaultPress
     • https://vaultpress.com/
       – By Automattic
         • Company behind WordPress.com
       – Paid
         • Lite (USD$55/year), Basic (USD$165/year), Premium (USD$440/year)
       – Features
         • Realtime full (database + files) backup
         • Scanning your site for dangerous files
         • Automatic restore of database + files
  15. Summary
     • Password-protected WP-Admin
     • Use Google Authenticator as 2FA login for WordPress
     • HTTPS for WP-Admin
     • Ensure all files are CHMOD to 644 and folders to 755
     • Do not allow any script execution in /uploads/ folder
     • Monitor your site's changed files
     • Backup your database regularly
  16. Other References
     • http://codex.wordpress.org/Hardening_WordPress
     • http://codex.wordpress.org/Backing_Up_Your_WordPress_Files
     • http://wordpress.tv/tag/security/
  17. Questions?
     • Any questions?
     • You can also find me at
       – Blog: http://lesterchan.net
       – Twitter: @gamerz
       – Facebook: https://fb.com/lesterchan
       – Instagram: @gamerz