
WCEU 2016 - 10 tips to sleep better at night


WordPress hardening is an underestimated problem, and many projects, after go-live, are left in the lurch without love…
Here are some simple «life saver» improvements that are achievable with very little effort and can really make the difference.



  1. WordCamp Europe 2016, June 24-26, Vienna, Austria
  2. Ten tips in ten minutes @miziomon #wceu
  3. Ten tips to sleep better at night
  4. DOWNLOAD LINK FOR THIS PRESENTATION: http://bit.do/10tips10minutes
  5. About me: Maurizio Pelizzone. Born in the 70's. Partner @ mavida.com. PHP Developer, WordPress Solutions Architect. Co-Organizer @ WordCamp Torino. Active Member @ WordPress Meetup Torino. WordPress proud user. maurizio@mavida.com, http://www.mavida.com, http://maurizio.mavida.com, https://twitter.com/miziomon, http://www.slideshare.net/miziomon, http://www.linkedin.com/in/mauriziopelizzone
  6. What is «hardening»?
  7. Hardening is the process of securing a system by reducing its surface of vulnerability.
  8. Why do we need «hardening»?
  9. All systems are vulnerable. Fully secure systems don't exist.
  10. Usage of content management systems for websites: http://w3techs.com/technologies/overview/content_management/all
  11. Dangers
  12. Human errors, a.k.a. things we forget to do… (1/5)
  13. Exploitation (2/5)
  14. Social engineering (3/5)
  15. Brute force attack (4/5)
  16. Write and execution permission (5/5)
  17. The solution
  18. My approach
  19. We are not all security experts, but anyone can reduce some vulnerability.
  20. Keeping your site updated
  21. TEST YOUR BACKUP
  22. (no text on slide)
  23. PREVENT USER ENUMERATION
  24. www.yourwebsite.com/?author=1
      www.yourwebsite.com/?author=2
      www.yourwebsite.com/?author=3
  25. # .htaccess: send any request carrying an author= query parameter back to the home page
      RewriteCond %{QUERY_STRING} (^|&)author=
      RewriteRule . http://%{SERVER_NAME}/? [L]
  26. USER PERMISSION
  27. (no text on slide)
  28. (no text on slide)
  29. HIDE YOUR LOGIN
  30. # .htaccess: /mylogin is the real entry point; it is rewritten to wp-login.php with a marker key
      RewriteRule ^mylogin$ wp-login.php?key=123&redirect_to=http://%{SERVER_NAME}/wp-admin/index.php [L]
      # direct hits on wp-login.php go back to the home page unless one of these conditions exempts them
      RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
      RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
      RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/login
      RewriteCond %{QUERY_STRING} !^key=123
      RewriteCond %{QUERY_STRING} !^action=logout
      RewriteCond %{QUERY_STRING} !^action=lostpassword
      RewriteCond %{REQUEST_METHOD} !POST
      RewriteRule ^wp-login.php http://%{SERVER_NAME}/? [R,L]
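To make the slide-30 rule chain easier to reason about, here is an added Python model (not part of the talk) that applies the same conditions to one request and reports whether it is rewritten, redirected to the home page or passed through; the server name and the key 123 are the slide's own placeholders.

```python
from urllib.parse import urlsplit

# Model of the slide-30 rule chain (added example, not the talk's code).
# server_name and the key '123' are the slide's placeholders; a real key
# must be long and random.
LOGIN_KEY = "123"

def rewrite_login(method, url, referer, server_name="www.yourwebsite.com"):
    """Return (outcome, resulting_url); outcome is 'rewrite', 'redirect' or 'pass'."""
    parts = urlsplit(url)
    path, query = parts.path.lstrip("/"), parts.query

    # Rule 1: RewriteRule ^mylogin$ wp-login.php?key=123&redirect_to=... [L]
    # In a per-directory .htaccess Apache re-runs the rule set on the rewritten
    # URL, so rule 2 then sees QUERY_STRING starting with key=123.
    if path == "mylogin":
        path = "wp-login.php"
        query = f"key={LOGIN_KEY}&redirect_to=http://{server_name}/wp-admin/index.php"
        result = ("rewrite", f"/{path}?{query}")
    else:
        result = ("pass", url)

    if not path.startswith("wp-login.php"):
        return result

    # Rule 2: every RewriteCond is negated, so the redirect fires only when
    # none of these exemptions applies.
    base = f"http://{server_name}"
    referer = referer or ""
    exempt = (
        referer.startswith(base + "/wp-admin")
        or referer.startswith(base + "/wp-login.php")
        or referer.startswith(base + "/login")
        or query.startswith(f"key={LOGIN_KEY}")
        or query.startswith("action=logout")
        or query.startswith("action=lostpassword")
        # POST is exempt so the form can still submit; this rule hides the
        # login page from casual discovery, it does not rate-limit it.
        or method == "POST"
    )
    return result if exempt else ("redirect", base + "/")
```

Because the referer and method are supplied by the client, pair this with login rate limiting rather than treating the hidden URL as an access control.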
  31. <Files xmlrpc.php>
        Order allow,deny
        Deny from all
      </Files>
  32. DON'T SHOW ERRORS (and all unnecessary information)
  33. // login errors / messages (functions.php or a plugin)
      add_filter('login_errors', '__return_false');
      // WordPress's hook for the login-screen message is 'login_message' (singular)
      add_filter('login_message', '__return_false');
  34. // remove version information
      remove_action('wp_head', 'wp_generator');
  35. <Files readme.html>
        Order allow,deny
        Deny from all
      </Files>
  36. DENY PHP EXECUTION
  37. # .htaccess: deny everything, then re-allow only these static file extensions (dot escaped so only a real extension matches)
      Order Allow,Deny
      Deny from all
      <Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
        Allow from all
      </Files>
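As an added detection-side complement (not from the talk), this Python triage over constructed access-log lines flags the three behaviours slides 24, 30 and 37 defend against: author enumeration, repeated POSTs to wp-login.php, and PHP requested from wp-content/uploads, where a 403 shows the slide-37 allowlist doing its job. The IPs, timestamps and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache access-log lines (no real site) covering the three request
# patterns the slides harden against: author enumeration, wp-login.php
# password guessing, and PHP requested from wp-content/uploads.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2016:10:00:01 +0200] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [24/Jun/2016:10:00:02 +0200] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [24/Jun/2016:10:00:03 +0200] "GET /?author=3 HTTP/1.1" 301 0
198.51.100.9 - - [24/Jun/2016:10:01:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.9 - - [24/Jun/2016:10:01:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.9 - - [24/Jun/2016:10:01:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.9 - - [24/Jun/2016:10:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.9 - - [24/Jun/2016:10:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.9 - - [24/Jun/2016:10:01:05 +0200] "GET /wp-content/uploads/2016/06/cache.php HTTP/1.1" 403 199
192.0.2.44 - - [24/Jun/2016:10:02:00 +0200] "GET /wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 52311
192.0.2.44 - - [24/Jun/2016:10:02:01 +0200] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOADS_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.php(\?|$)', re.IGNORECASE)

def triage(log_text, enum_ids=3, login_posts=5):
    """Per-IP findings for the behaviours the hardening slides address."""
    author_ids = defaultdict(set)  # ip -> distinct ?author= values probed
    login_attempts = Counter()     # ip -> POST /wp-login.php count
    uploads_php = []               # (ip, path, status) for PHP under uploads
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path, _, query = target.partition("?")
        for value in re.findall(r'(?:^|&)author=(\d+)', query):
            author_ids[ip].add(value)
        if method == "POST" and path == "/wp-login.php":
            login_attempts[ip] += 1
        if UPLOADS_PHP_RE.match(target):
            # 403 means the slide-37 allowlist refused it; a 200 means it did not
            uploads_php.append((ip, path, int(status)))
    return {
        "author_enumeration": sorted(ip for ip, ids in author_ids.items() if len(ids) >= enum_ids),
        "login_bruteforce": sorted(ip for ip, n in login_attempts.items() if n >= login_posts),
        "uploads_php": uploads_php,
    }
```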
  38. TRASHABLE PLUGINS
  39. How to shrink the number of plugins: 1. Remove inactive plugins. 2. Remove useless plugins. 3. Integrate a plugin's functionality inside your (child) theme.
  40. How to disallow plugin installation and updates?
  41. // wp-config.php: disable the plugin and theme editor
      define('DISALLOW_FILE_EDIT', true);
      // disable plugin and theme update and installation
      define('DISALLOW_FILE_MODS', true);
  42. USE SECURE PASSWORD
  43. Insecure password: matt1984, password, 123456, qwerty, matrix.
      Secure password: D7u8hI928FJYusx, Z5BLl20T8by1524, TLv7p64P63V5Hr1, 6b83668I15qRP2I, Um2d4Ejd9T1ExPr (http://strongpasswordgenerator.com/)
  44. TIPS FOR MEMORIZABLE AND UNFORGETTABLE PASSWORDS
      "my son likes playing with his red ball" -> mSlPwHrB
      "(I'm) Addicted to WordPress" -> @ddict3d.2.WordPr3ss
      Phrase + Numbers + Symbol
  45. CUSTOM DIRECTORY
  46. STANDARD WORDPRESS STRUCTURE: wp-admin, wp-includes, wp-content
  47. CUSTOM WORDPRESS STRUCTURE: application/ (wp-admin, wp-includes), public/ (wp-content), uploads/
  48. // wp-config.php
      define('WP_CONTENT_DIR', dirname(__FILE__) . '/public');
      define('WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public');
      define('WP_UPLOADS_DIR', dirname(__FILE__) . '/uploads');
      define('WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/application');
      define('WP_HOME', 'http://' . $_SERVER['SERVER_NAME']);
  49. BLACKHOLE
  50. BLACKHOLE: http://perishablepress.com/blackhole-bad-bots/
  51. TOOLS (for lazy people)
  52. https://it.wordpress.org/plugins/sucuri-scanner/
      https://it.wordpress.org/plugins/wordfence/
      https://it.wordpress.org/plugins/better-wp-security/
  53. References:
      • http://codex.wordpress.org/Hardening_WordPress
      • http://codex.wordpress.org/Administration_Over_SSL
      • http://codex.wordpress.org/Editing_wp-config.php
      • https://www.wordfence.com/learn/how-to-harden-wordpress-sites/
  54. Thank you. Maurizio Pelizzone, @miziomon, maurizio@mavida.com, http://maurizio.mavida.com
