WordPress hardening is an underestimated problem for many people, and even when you keep your system updated you are never completely risk free. Many projects, after go-live, are left in the lurch without love… I’d like to share some simple «life saver» improvements that are achievable with very little effort and can really make the difference.
Welcome everybody, and thanks for being here. This is my first talk in English and I hope that you take away some nice ideas.
Now I want to talk to you about my method to “sleep better” at night, with no calls about hacked websites.
Here is the link to download my presentation for preview
Just a quick word about me. My name is Maurizio Pelizzone and I’m a very proud WordPress developer.
So, before starting, let's take a step backwards and ask ourselves: what is «hardening»?
If someone doesn’t know the meaning of this word, here is a definition from Wikipedia:
I think that WordPress hardening is an underestimated problem and many projects, after go-live, are left in the lurch without love…
So, the next topic is why.
Why do we need «hardening»?
The answer for me is very simple. All systems are vulnerable. Fully secure systems don’t exist.
Another important thing to remember is that the most used platform is going to be the biggest target for attacks.
So now let's look at the dangers. I'm going to start with my list of what I think are the five most important dangers.
Number one: Human errors (in most cases the things we forget to do)
Such as forgetting to remove the admin user, forgetting to change your old password to a strong one, or forgetting to update your system.
Number two: the technique of using a sequence of commands to take advantage of a vulnerability to penetrate your website.
Number three: the technique of collecting your personal information and using it against you.
Number four: Brute force attack
You need to know that many automated systems exist that try to access your login. Every damned day. Believe me… or look at your access log.
Number five: Write permission. If you don't want anyone to be able to put a backdoor in your WordPress installation, ask yourself: do you really need to have all your directories set to 777?
Now let's move to the solutions… OK, OK. Maybe «solutions» is not the right word…
I think it's better to say «my approach»:
Some simple «life saver» improvements that are achievable with very little effort and can really make the difference.
A wise man could sum up my approach in this sentence:
We are not all security experts, but anyone can reduce some vulnerabilities.
One more word before we begin, and it is the most important thing: remember to keep your WordPress updated, because without that care all these tips are useless. OK. Now let's move to my ten-step countdown…
TEST YOUR BACKUP
The key point is to TEST your backup, because it is obvious that you have a backup.
You need to test it before a disaster. You have to be able to do it fast. You must be sure you have everything you need to recover.
If you don't have a backup you can use one of these plugins:
If you don’t want to use one of these plugins, it’s not a problem: do it by hand, or ask your sysadmin or your provider. But you must have a backup and test a complete restore.
PREVENT USER ENUMERATION
The keyword is PREVENT: stop WordPress from showing username information for the users that can log in to your website (of course, unless you need to have a public user page).
Try typing one of these links in your browser… If you can read a username in the URL, maybe you have a problem.
In this way anyone can learn all the users that are able to log in to your system.
You can stop it with these 2 lines in your .htaccess:
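As an added example (not the slide's own two lines), here is an .htaccess rule that sends the `?author=N` lookups described above back to the home page before WordPress can redirect them to `/author/username/`. It goes a little beyond the slide by also refusing anonymous reads of the REST users endpoint. It assumes Apache 2.4 with mod_rewrite, WordPress installed in the web root, and that these rules sit above the `# BEGIN WordPress` block.

```apache
# Added example, not the slide's snippet. Assumes Apache 2.4 + mod_rewrite and
# WordPress in the web root; place it above the "# BEGIN WordPress" block.
RewriteEngine On
RewriteBase /

# /?author=1 normally redirects to /author/<username>/, leaking the login name.
# Send such requests (outside wp-admin) to the home page with an empty query string.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ /? [L,R=302]

# Beyond the slide: the REST API lists users at /wp-json/wp/v2/users
# (or ?rest_route=/wp/v2/users). Refuse it unless a WordPress login
# cookie is present, so logged-in users and the admin screens still work.
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=/wp/v2/users [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^ - [F,L]
```

Check it with the same links you typed a moment ago: the `?author=` request must now land on the home page with no username in the address bar.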
The key is to LIMIT each ROLE to the absolute minimum. Not all users have to be administrators.
WordPress has many built-in role definitions such as contributor, author, and editor. Remember to assign only the necessary role.
Here I want to show that we can set no permission at all for users that don’t need it: the standard «admin» username can be set to no role.
HIDE YOUR LOGIN
The majority of sites don't need a public login page.
So you can hide the access and move it to a custom URL like «this-is-my-login-page».
Here is an example of how you can do it: put this code in your .htaccess and remember to change the key…
Unluckily, wp-login.php is not the only way to log in to your system. After reading an access log, maybe you will find a lot of requests to xmlrpc.php. If you don’t use WordPress.com or the WordPress mobile app, you can forbid its use in this way, with this code in your .htaccess:
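As an added example of the «this-is-my-login-page» idea (not the slide's own snippet): the secret slug serves the real login form and drops a session cookie holding a key, and any direct request for wp-login.php without that cookie is refused. The domain `example.com` and the key `CHANGE-THIS-KEY` are placeholders to replace; it assumes Apache 2.4 with mod_rewrite and WordPress in the web root.

```apache
# Added example, not the slide's snippet. Assumes Apache 2.4 + mod_rewrite,
# WordPress in the web root, site domain example.com and the placeholder key
# CHANGE-THIS-KEY (all constructed). Place it above the "# BEGIN WordPress" block.
RewriteEngine On
RewriteBase /

# 1) The secret slug serves the real login form and sets a cookie carrying the
#    key (lifetime 0 = browser session, path /, Secure, HttpOnly).
RewriteRule ^this-is-my-login-page/?$ /wp-login.php [L,CO=wp_login_key:CHANGE-THIS-KEY:example.com:0:/:true:true]

# 2) Direct requests for wp-login.php without that cookie get 403.
#    THE_REQUEST keeps the original request line, so the internal rewrite from
#    step 1 is not caught here. Logout and password-protected-post submissions
#    (action=postpass) are let through, otherwise visitors would break.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/wp-login\.php [NC]
RewriteCond %{QUERY_STRING} !(^|&)action=(logout|postpass)(&|$) [NC]
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wp_login_key=CHANGE-THIS-KEY(;|$)
RewriteRule ^ - [F,L]
```

Test both paths after deploying: the secret slug must show the form and the login must succeed, while a plain `/wp-login.php` in a fresh private window must answer 403.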
DON’T SHOW ERRORS
When you can’t hide the login, maybe you can hide some error information… Here the key is «don’t show» unnecessary info.
When you type a wrong username, I don't need to know whether the error is in the username or in the password…
In your page you don’t need to show which WordPress version is running.
In your site you don’t need to keep the readme page visible, and in the same way as for xmlrpc we can forbid access to readme.html.
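One .htaccess section that serves both the xmlrpc.php tip and the readme.html tip above, as an added example (not the slide's snippet). It goes a little beyond the slide by also covering license.txt and wp-config.php, and shows the variant for sites that still need XML-RPC from one trusted address; `203.0.113.10` is a placeholder.

```apache
# Added example, not the slide's snippet. Apache 2.4 syntax; on Apache 2.2
# use "Order deny,allow" + "Deny from all" inside the section instead.
# xmlrpc.php: only block it if you do not use WordPress.com/Jetpack or the
# mobile app. readme.html and license.txt reveal the WordPress version;
# wp-config.php holds the database credentials (beyond the slide).
<FilesMatch "^(xmlrpc\.php|readme\.html|license\.txt|wp-config\.php)$">
    Require all denied
</FilesMatch>

# Variant: keep xmlrpc.php reachable from one trusted address only
# (placeholder 203.0.113.10), for a mobile app or integration you rely on.
# Uncomment this block and drop xmlrpc\.php from the list above to use it.
# <Files xmlrpc.php>
#     Require ip 203.0.113.10
# </Files>
```

Verify with a request for each file: every one should now answer 403 instead of showing its content.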
DENY PHP EXECUTION
I think that in the upload directory PHP execution is not important.
In the upload directory there should be only media files like images, documents, fonts. NOT PHP FILES. NOT PHP BACKDOOR FILES.
Put this file inside your upload directory and PHP will no longer be executed. I told a little lie… In this code we don't deny PHP execution, but we allow only some kinds of files like images, docs and fonts…
Trashing, removing, deleting plugins is a good practice: less is more.
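The allowlist file the slide describes, as an added example (not the slide's own file): saved as `wp-content/uploads/.htaccess`, it refuses everything in that tree by default and then grants only media extensions, so no PHP file, whatever its name, is served from there. It assumes Apache 2.4 and an `AllowOverride` that permits `AuthConfig`; the extension list is mine and should be adjusted to what your site really uploads.

```apache
# Added example, not the slide's own file. Save as wp-content/uploads/.htaccess
# (Apache 2.4 syntax; AllowOverride must permit AuthConfig for "Require").
# Instead of denying .php, nothing is served unless its extension is on the
# media allowlist below, so a PHP file hidden behind a double extension or an
# unusual suffix (.phtml, .phar) is refused too.

# Default: refuse every file in this tree ...
<FilesMatch ".*">
    Require all denied
</FilesMatch>

# ... then grant only the media types an uploads directory should contain.
# SVG is left out on purpose: it can carry script, so serve it only if you
# sanitise uploads. Extend the list to match what your site really uses.
<FilesMatch "(?i)\.(jpe?g|png|gif|webp|ico|pdf|docx?|xlsx?|pptx?|odt|txt|csv|woff2?|ttf|otf|eot|mp3|mp4|webm|zip)$">
    Require all granted
</FilesMatch>
```

After saving it, request an existing image (must load) and then a harmless `test.php` you placed there yourself (must answer 403, not run); hosts that serve WordPress through nginx ignore .htaccess entirely, so check which server you are actually on.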
to sleep better
FOR THIS PRESENTATION
Born in the 70’s
Partner @ mavida.com
WordPress Solutions Architect
Co-Organizer @ WordCamp Torino
Active Member @ WordPress Meetup Torino
WordPress proud user
What is «hardening»?
Hardening is the process of securing a system by reducing its surface of vulnerability.
Why do we need «hardening»?
All systems are vulnerable
Fully Secure Systems Don’t Exist
Usage of content management systems for websites
How to shrink plugins number
1. Remove inactive plugins
2. Remove useless plugins
3. Integrate a plugin's functionality inside your (child) theme
How to disallow plugin installation and updates?
// Disable the Plugin and Theme Editor (wp-config.php)
define('DISALLOW_FILE_EDIT', true);
// Disable Plugin and Theme Update and Installation
define('DISALLOW_FILE_MODS', true);
TIPS FOR MEMORIZABLE AND
my son likes playing with his red ball
(I’m) Addicted to WordPress
Phrase + Numbers + Symbol