WordPress Server Security

1. WordPress Server Security Best Practices
   - Peter Baylies aka @pbaylies on Twitter
   - Semper Fi Web Design
2. Security
   - isn't simple
   - isn't perfect
   - isn't ever finished
   - ...no pressure!
3. Basic Tips and Gotchas
   - Backups, backups, backups.
   - Change the defaults
   - Use strong passwords (and password salts!)
   - Use SFTP and HTTPS
   - Update all the things
   - Trust no one.
4. Do I Need To Do All This?
   - Probably? - depends on your situation.
   - Find a great managed hosting company?
   - http://wpdevshed.com/managed-wordpress-hosting/
   - Have a good sysadmin - or be one.
5. Good Advice
   - Limiting Access - reduce possible entry points
   - Containment - minimize potential damage
   - Preparation and Knowledge - backups!
   - Trusted Sources - download from reputable sites
   - http://codex.wordpress.org/Hardening_WordPress
6. Understanding the Environment
   - "LAMP" Environment
     - OS - Linux
     - Webserver - Apache
     - Database - MySQL
     - Scripting - PHP
   - and... WordPress!
7. WordPress Security
   - Move wp-config.php out of the webroot
   - Friends don't let friends use any eval plugins.
   - iThemes Security - https://ithemes.com/tutorials/getting-started-ithemes-security-part-1/
   - Wordfence - https://wordpress.org/plugins/wordfence/
   - BruteProtect (soon to be JetPack) - https://wordpress.org/plugins/bruteprotect/
8. OS Level Security
   - File permissions
   - User groups
   - mount / chroot / jail
   - Firewalls - csf / lfd
   - Virtual Machines
   - ...and much more. http://en.wikipedia.org/wiki/Unix_security
9. Web Server Security
   - Turn off indexing
   - Disable unnecessary modules
   - Use Deny / Allow directives, .htaccess
   - Hardening - mod_security, mod_evasive
   - Consider using a service like CloudFlare
   - http://www.tecmint.com/apache-security-tips/
10. Database Security
   - User permissions
   - Disable remote access
   - Change the defaults
   - mysql_secure_installation
   - http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html
11. PHP Security
   - suPHP - http://www.suphp.org/Home.html
   - Suhosin - back from the dead - https://github.com/stefanesser/suhosin
   - php.ini - disable_functions - http://php.net/manual/en/ini.core.php#ini.disable-functions
   - php.ini - set open_basedir - http://php.net/manual/en/ini.core.php#ini.open-basedir
12. More Tools and Testing
   - Sucuri Sitecheck - http://sitecheck.sucuri.net/
   - Beyond Security - https://www.scanmyserver.com/
   - Hacker Target - http://hackertarget.com/wordpress-security-scan/
   - WPScan - https://github.com/wpscanteam/wpscan
13. So You Think You Got
   - Don't Panic!
   - Contact your host
   - Remember those backups I mentioned?
   - Change passwords, check logs
   - Tools - rkhunter, ClamAV, Linux Malware Detect
   - http://codex.wordpress.org/FAQ_My_site_was_hacked
14. Questions?
   - Thank you!
   - Slides available here -
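The deck's hardening items from slides 7, 8, 9 and 11 (wp-config.php outside the webroot, file permissions, directory indexing off, `disable_functions` and `open_basedir` in php.ini) can be verified on a host with a few POSIX shell checks. This is an added example, not from the slides; the php.ini, httpd.conf and webroot paths are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the slides): audit helpers for a few of the deck's
# recommendations. Each returns 0 when the check passes, 1 when it fails, so
# the functions can run from cron or a deploy hook. All paths are assumptions.

# Slide 11: open_basedir must be set to a non-empty path list.
php_ini_has_open_basedir() {
    grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*"?[^[:space:]"]' "$1"
}
# Slide 11: every function named after the ini path must be listed in
# disable_functions. The last matching line wins, as it does in PHP.
php_ini_disables() {
    ini="$1"; shift
    list=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
           | tail -n 1 | cut -d= -f2- | tr -d ' \t"')
    for fn in "$@"; do
        case ",$list," in
            *",$fn,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
# Slide 7: wp-config.php belongs one directory above the webroot, where the
# web server cannot serve it; WordPress finds it there on its own.
wp_config_outside_webroot() {
    [ ! -e "$1/wp-config.php" ] && [ -f "$1/../wp-config.php" ]
}
# Slide 9: "Options -Indexes" in httpd.conf or .htaccess disables listings.
indexing_disabled() {
    grep -Eq '^[[:space:]]*Options([[:space:]]+[-+]?[A-Za-z]+)*[[:space:]]+-Indexes' "$1"
}
# Slide 8: the config file must not carry the other-write bit (0002).
not_world_writable() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune -perm -002)" ]
}

# Run all checks against one host layout (paths without spaces) and report.
audit_wordpress_host() {
    webroot="$1" ini="$2" httpd_conf="$3" rc=0
    for check in "php_ini_has_open_basedir $ini" \
                 "php_ini_disables $ini exec system shell_exec passthru proc_open popen" \
                 "wp_config_outside_webroot $webroot" \
                 "indexing_disabled $httpd_conf" \
                 "not_world_writable $webroot/../wp-config.php"; do
        if $check; then echo "pass: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}
```

A non-zero exit from `audit_wordpress_host /var/www/site/public /etc/php.ini /etc/httpd/httpd.conf` (paths are examples) makes it usable as a gate in a deploy script.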
