HARDENING A
WORDPRESS SITE
Jeff McNear
Plasterdog Web Design

847/849-7060
jeff@plasterdog.com
FOR MORE WORDPRESS INFO:
http://jeffmcnear.com
WHILE A HACKING INCIDENT
DOES SEEM APOCALYPTIC, IT IS
SURVIVABLE, AND EVEN
AVOIDABLE IF:
You anticipate the destruction with
backups
You have some sort of early alert
system
You make your site more difficult to
compromise than provided for by a
default install
RESOURCES:
CODEX: http://codex.wordpress.org/Hardening_WordPress
CODE POET: “LOCKING DOWN WORDPRESS”
http://build.codepoet.com/2012/07/10/locking-down-wordpress/
- Rachel Baker | Brad Williams | John Ford
DIGGING INTO WORDPRESS: http://digwp.com/book/
- Chris Coyier & Jeff Starr

THE TAO OF WORDPRESS: http://wp-tao.com/
- Jeff Starr
.htaccess made easy: http://htaccessbook.com/
- Jeff Starr
TYPICAL PATHS OF INFECTION:
The overwhelming majority of all
attacks are automated
Entry Via Login to the Site or Database
Entry Via vulnerable files or folders

TYPICAL POINTS OF ENTRY
Insecure server configuration
Poor password security practices
Outdated code
(WordPress core, Plugins & Themes,
PHP version)
TYPICAL TYPES OF INFECTION:
Roughly 85% of website attacks are
Cross-Site Scripting (aka XSS)*
The purpose is to inject links into the site
itself
They may be simply spam links intended to
fool search engines
They can also be malicious code used to
plant code on the visitor’s machine
The intent is to steal information like
passwords
*Cross-site scripting (XSS) is a security exploit in
which the attacker inserts malicious code into a
page or link that appears to come from a trustworthy source.

The more malicious infections are
designed to breed and spread from
machine to machine
WHAT ARE THE RISKS OF
INFECTION?
Unwelcome links inserted into your
header or footer
(very common: WordPress Pharma hack
… only visible in search results!)
Your site can become a source of
infection for those who visit it
Visitors will be automatically redirected
to another website
Search engines will detect insertions and
will first publish warnings, and eventually
de-list the site
Individual ISPs will also detect insertions
and will deny access to the site
FIRST LEVEL SECURITY:
SIMPLE THINGS THAT ANY SITE
OWNER CAN DO:
Many hardening techniques do not
require any special tools, knowledge or
expertise … just some common sense
KEEP A CLEAN MACHINE
Eventually we are all going to visit an
infected website – have a regular
scanning & anti-virus routine

Remember that you too are vulnerable
to inserted code that will monitor &
record your keystrokes
TRANSFER FILES IN THE MOST
SECURE MANNER AVAILABLE
Ideally we should all be using SFTP
rather than regular old FTP

Some would even say that having an
SSL for any website is a good idea

At very least when uploading files use a
secure connection
KEEP YOUR CODE CURRENT
A significant portion of core update
work has to do with security issues

The WordPress project has made it
dead easy to keep your code current

There is no excuse!
ALSO:
Inactive Themes and Plugins can be
vulnerable to infection … if you aren’t
using them, there is no reason to keep
them!
AVOID ALLOWING ACCESS WHEN
NOT NECESSARY
Shut down open registration
If you’re not using comments and
pingbacks deactivate them
Eliminate inactive users
Be selective about permission levels

Do not allow shared logins
Never use “admin” as a login name –
most “brute-force” attacks on WordPress
will focus on the “admin” login name
If you display author information DO NOT
show the login name!
Use complex and secure passwords!
PREPARE FOR THE WORST:
Backup:
Database
The active theme
.htaccess file
wp-config.php
robots.txt
index.php
Record the list of active plugins
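A snapshot script for the backup list above, added here as an example (it is not from the slides): it copies the named single files, the theme(s) and a plugin list, and dumps the database with credentials read from wp-config.php. The snapshot layout, the wp-cli and mysqldump calls, and the `wp_config_value` helper are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: snapshot the items on the "PREPARE FOR THE WORST" slide.
# Usage: wp_backup /path/to/wordpress /path/to/backups  -> prints the snapshot dir

# Extract the value of define('NAME', 'value') from wp-config.php.
# Prints nothing when the constant is absent. $1 = wp-config.php, $2 = constant.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Copy one file into the snapshot, keeping its path relative to the site root.
# $1 = site root, $2 = relative path, $3 = snapshot dir
snapshot_file() {
    if [ -f "$1/$2" ]; then
        mkdir -p "$3/$(dirname "$2")"
        cp -p "$1/$2" "$3/$2"
    else
        printf 'skip: %s not present\n' "$2" >&2
    fi
}

wp_backup() {
    root=$1
    dest=$2/$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"

    # The crucial single files named on the slide.
    for f in .htaccess wp-config.php robots.txt index.php; do
        snapshot_file "$root" "$f" "$dest"
    done

    # Active theme and active plugin list. wp-cli (assumed) knows which ones are
    # active; without it, keep every theme and record the plugin directories present.
    if command -v wp >/dev/null 2>&1 && [ -f "$root/wp-load.php" ]; then
        theme=$(wp --path="$root" theme list --status=active --field=name)
        mkdir -p "$dest/wp-content/themes"
        cp -Rp "$root/wp-content/themes/$theme" "$dest/wp-content/themes/"
        wp --path="$root" plugin list --status=active --field=name > "$dest/active-plugins.txt"
    else
        mkdir -p "$dest/wp-content"
        [ -d "$root/wp-content/themes" ] && cp -Rp "$root/wp-content/themes" "$dest/wp-content/"
        ls "$root/wp-content/plugins" > "$dest/installed-plugins.txt" 2>/dev/null || true
    fi

    # Database: credentials come from wp-config.php. The password is handed to
    # mysqldump through MYSQL_PWD so it never appears on the command line.
    cfg="$root/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    if command -v mysqldump >/dev/null 2>&1 && [ -n "$db" ]; then
        MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
            mysqldump --host="${host:-localhost}" --user="$user" "$db" > "$dest/database.sql" \
            || printf 'warn: database dump failed\n' >&2
    else
        printf 'skip: database dump (mysqldump or DB_NAME missing)\n' >&2
    fi

    chmod -R go-rwx "$dest"   # the snapshot contains credentials; keep it private
    printf '%s\n' "$dest"
}

# Run only when invoked with arguments: wp_backup SITE_ROOT BACKUP_ROOT
if [ -n "${2:-}" ]; then
    wp_backup "$1" "$2"
fi
```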
Register your site with WebMaster tools:
GOOGLE:
http://www.google.com/webmasters/tools
BING:
http://www.bing.com/toolbox
SITE SCANNING TOOLS:
http://sitecheck.sucuri.net/scanner/
https://www.stopbadware.org/clearinghouse/
search
http://www.unmaskparasites.com/
THE REASONS WEBMASTER
TOOL CONNECTION IS
IMPERATIVE:
You cannot communicate directly with
Google or Bing without establishing the
connection
Diagnostic tools are made available
Automatic alerts can be requested

You can appeal for review and
redemption
SECOND LEVEL SECURITY:
Configuring the site correctly at
the point of original install
There are small adjustments that can:
• Make it more difficult for an attacker
to edit your files
• Obscure the structure of your
WordPress deployment
• Lock down access to crucial files and
directories
CHANGE THE DATABASE PREFIX
ELIMINATE A COUPLE OF FILES:
(root)/readme.html
ISSUE: relates information about the
version of WordPress at point of install

(root)/wp-admin/install.php
ISSUE: if for some reason the connection
between WordPress and the database
is broken, this file will activate and
display the installation setup page
DISABLE THE FILE EDITOR
As long as this is still enabled, anyone
with admin access to your site will be
able to modify files at will

ADD TO THE wp-config.php file:

//DISABLES FILE EDITING
define('DISALLOW_FILE_EDIT', true);
DENY INFORMATION TO POTENTIAL
ATTACKERS:
IN THE ACTIVE THEME’S
functions.php FILE:
//REMOVES VERSION INFO
remove_action('wp_head', 'wp_generator');

//OBSCURES LOGIN FAILURE MESSAGE
//(create_function() was removed in PHP 8; a closure does the same job)
add_filter('login_errors', function ($errors) { return ''; });
GIVE WORDPRESS A
SEPARATE DIRECTORY:
IF ALL OF THE CORE FILES ARE IN
AN UNEXPECTED PLACE THEY
ARE LESS LIKELY TO BE FOUND:
• Copy (NOT MOVE!) the index.php
and .htaccess files from the WordPress
directory into the root of your site
• In your root directory's index.php
change the line that says:
require('./wp-blog-header.php');
to
require('./newdirectoryname/wp-blog-header.php');
• Go to the General panel. In the box
for Site address (URL): change the
address to the root directory's URL
MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO
THE WP-CONFIG FILE

These security keys help encrypt the data that is stored in the cookies, which is data
that helps WordPress identify your computer as one that is logged into your
WordPress website as a certain user.
If your WordPress cookies are ever obtained by someone with bad intentions, the
encrypted cookie will make it much more difficult if not impossible for this individual to
compromise your website using your cookies.
MAKE SURE FOLDER & FILE
PERMISSIONS ARE SET
CORRECTLY
TYPICALLY THEY ARE GIVEN THE
PROPER SETTINGS UPON
DEPLOYMENT, BUT IT DOESN’T
HURT TO CHECK
FILE PERMISSION = 644
FOLDER PERMISSION = 755
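An audit script for the second-level items above, added here as an example (not from the slides): it reports a leftover readme.html or wp-admin/install.php, a missing DISALLOW_FILE_EDIT, the default wp_ table prefix, placeholder security keys, and files or folders whose mode is not 644/755. The function names and the output format are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: audit a WordPress document root against the
# "second level security" slides. Usage: wp_audit /path/to/wordpress
# Prints one "FINDING:" line per problem; exit status is 1 when anything was found.

# Print a finding and bump the counter.
finding() {
    printf 'FINDING: %s\n' "$1"
    count=$((count + 1))
}

# Succeeds when wp-config.php ($1) contains define('NAME', true) for NAME ($2).
config_define_true() {
    grep -Eq "define\\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\\)" "$1"
}

wp_audit() {
    root=$1
    cfg="$root/wp-config.php"
    count=0

    # 1. Files that leak the install-time version or expose the installer.
    [ -e "$root/readme.html" ] && finding "readme.html still present (reveals install-time version)"
    [ -e "$root/wp-admin/install.php" ] && finding "wp-admin/install.php still present"

    if [ -f "$cfg" ]; then
        # 2. Built-in theme/plugin file editor still enabled.
        config_define_true "$cfg" DISALLOW_FILE_EDIT || finding "DISALLOW_FILE_EDIT is not set to true"

        # 3. Default database prefix.
        grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" \
            && finding "table_prefix is the default wp_"

        # 4. Security keys/salts left at the placeholder value WordPress ships with.
        grep -q 'put your unique phrase here' "$cfg" \
            && finding "security keys still use the placeholder phrase"
    else
        finding "wp-config.php not found"
    fi

    # 5. Permissions: files should be 644, folders 755.
    bad_files=$(find "$root" -type f ! -perm 644 | wc -l | tr -d ' ')
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    [ "$bad_files" -gt 0 ] && finding "$bad_files file(s) not mode 644"
    [ "$bad_dirs" -gt 0 ] && finding "$bad_dirs folder(s) not mode 755"

    printf '%s finding(s)\n' "$count"
    [ "$count" -eq 0 ]
}

# Run only when a path is given: wp_audit SITE_ROOT
if [ -n "${1:-}" ]; then
    wp_audit "$1"
fi
```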
THIRD LEVEL SECURITY:
TIGHTENING DOWN SERVER
SETTINGS VIA .htaccess FILES
“The ability to include .htaccess files
in specific directories gives you more
control of your site’s
configuration, optimization, and
security.”
-Jeff Starr

While hosting in an environment
optimized for WordPress is ideal …
it is not always available….
BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE
AN .htaccess FILE
ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT
WITH THIS CODE ONLY:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /site-folder-name/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /site-folder-name/index.php [L]
</IfModule>
# END WordPress
NEXT: INCLUDE THE FOLLOWING (outside the WP generated code)
#PROTECT HTACCESS FILE
<files .htaccess>
order allow,deny
deny from all
</files>
# SECURE WP-CONFIG.PHP
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
# BLOCK THE INCLUDE-ONLY FILES.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
AN ADDITIONAL RULE WORTH ADDING:
# CANONICAL FAVICONS - A COMMON POINT OF ATTACK
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
</IfModule>
SPECIFIC .HTACCESS TO PROTECT WP-CONTENT
protects PHP files | allows access to images, CSS, JavaScript and XML
files, but denies any other type
# PREVENT ACCESS TO WP-CONTENT
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
AND FOR EXTRA CREDIT… KILL PHP EXECUTION IN THESE 2 LOCATIONS
/wp-content/uploads/.htaccess
/wp-includes/.htaccess
<Files *.php>
deny from all
</Files>
SOME ADDITIONAL .htaccess RULES:

LOCATION: UPLOADS DIRECTORY

# secure uploads directory
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
=> issue: blocks ability to access pdf related URLs by link
LOCATION: WP-ADMIN DIRECTORY

# SECURE WP-ADMIN FILES
<FilesMatch ".*">
Order Deny,Allow
Deny from all
Allow from 123.456.789
</FilesMatch>
(replace 123.456.789 with the allowed address)
=> issue: restricting by IP address is not practical in many cases
LOCATION: ROOT DIRECTORY
#Denies “hotlinking” of images
<IfModule mod_rewrite.c>
RewriteEngine on
# ultimate hotlink protection
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu.org|taffys.org|halfelf.org|poohnau.us|elfshot.org) [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
=> issue: this disables the theme screenshot display so I don’t use it
LOCATION: ROOT DIRECTORY

# MAKES EXPLICIT LOCATION OF ROBOTS.TXT
<IfModule mod_rewrite.c>
RewriteBase /
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{REQUEST_URI} robots\.txt [NC]
RewriteRule .* http://example.com/robots.txt [R=301,L]
</IfModule>
=> issue: seems like overkill
# MAKES EXPLICIT LOCATION OF SITEMAP
<IfModule mod_alias.c>
RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
</IfModule>
=> issue: seems like overkill
WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE,
IT WILL PREVENT FILES YOU WANT SECURED FROM BEING
INDEXED
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /tag/
Disallow: /trackback/
Disallow: */trackback/
Disallow: /index.php # separate directive for the main script file of WP
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Allow: /wp-content/uploads/
Sitemap: http://SITEURL/sitemap_index.xml *
*(SEO by Yoast generates a reliable sitemap)
PLUGINS OF NOTE: SITE SCANNERS
wp security scan
http://wordpress.org/plugins/wp-security-scan
Sucuri Security - SiteCheck Malware Scanner
http://wordpress.org/plugins/sucuri-scanner
WordPress File Monitor Plus
http://wordpress.org/plugins/wordpress-file-monitor-plus
Monitors your WordPress installation for added/deleted/changed files.
When a change is detected an email alert can be sent to a specified
address.
wordpress exploit scanner
http://wordpress.org/plugins/exploit-scanner
This plugin searches the files on your website, and the posts and
comments tables of your database for anything suspicious.
secure wordpress
http://wordpress.org/plugins/secure-wordpress
PLUGINS OF NOTE: MORE SCANNERS
Wordfence
http://wordpress.org/plugins/wordfence/
Better WP Security
http://wordpress.org/plugins/better-wp-security/
BulletProof Security
http://wordpress.org/plugins/bulletproof-security/
PLUGINS OF NOTE: BACKUP
vaultpress http://wordpress.org/plugins/vaultpress/ (subscription)
backup buddy http://ithemes.com/purchase/backupbuddy/ (paid)
WP Migrate DB Pro https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
backwpup http://wordpress.org/plugins/backwpup/
backup to dropbox
http://wordpress.org/plugins/wordpress-backup-to-dropbox/

Online Backup for WordPress http://wordpress.org/plugins/wponlinebackup/
WP-DB-Backup http://wordpress.org/plugins/wp-db-backup/
WP-DBManager http://wordpress.org/plugins/wp-dbmanager/
BackUpWordPress http://wordpress.org/plugins/backupwordpress/
PLUGINS OF NOTE: LOGIN LIMITATION
limit login attempts
http://wordpress.org/plugins/limit-login-attempts/
Login Security Solution
http://wordpress.org/plugins/login-security-solution/
Stealth Login Page
http://wordpress.org/plugins/stealth-login-page/

PLUGINS OF NOTE: CHANGE LOGIN LOCATION
lockdown wp-admin
http://wordpress.org/plugins/lockdown-wp-admin/
Simple Login Lockdown
http://wordpress.org/plugins/simple-login-lockdown/
Login Security Solution
http://wordpress.org/plugins/login-security-solution/
PLUGINS OF NOTE: MIXED BAG
theme authenticity checker http://wordpress.org/plugins/tac/
Theme-Check http://wordpress.org/plugins/theme-check/
Theme Test Drive http://wordpress.org/plugins/theme-test-drive/
block bad queries http://wordpress.org/plugins/block-bad-queries/
** Jeff Starr plugin
antivirus http://wordpress.org/plugins/antivirus/
NOTHING IS 100% HACK-PROOF,
BUT YOU CAN MAKE IT MORE
DIFFICULT
Keep your code current and work in a
clean environment
Restrict access to WordPress admin
Block access to crucial files
Backup crucial files on a regular basis
Have a strategy to re-build if the easy
solutions elude you
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

WordPress Security & Hardening Steps

• 6. WHAT ARE THE RISKS OF INFECTION?
Unwelcome links inserted into your header or footer (very common: the WordPress "pharma hack", which is only visible in search results because the spam is served to search engine crawlers and not to ordinary visitors)
Your site can become a source of infection for those who visit it
Visitors will be automatically redirected to another website
Search engines will detect the insertions and will first publish warnings, and eventually de-list the site
Individual ISPs will also detect the insertions and will deny access to the site
• 7. FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO
Many hardening techniques do not require any special tools, knowledge or expertise, just some common sense
• 8. KEEP A CLEAN MACHINE
Eventually we are all going to visit a compromised website, so have a regular scanning and anti-virus routine
Remember that your own computer is a target too: a keylogger on it records the passwords you type into WordPress and into your FTP client, and no amount of server hardening helps after that
• 9. TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
Use SFTP (or FTPS) rather than plain FTP, which sends your username and password across the network in clear text
Serve the site itself over HTTPS: an administrator who logs in over plain HTTP hands the password and the login cookie to anyone on the path
At the very least, use an encrypted connection whenever you upload files
• 10. KEEP YOUR CODE CURRENT
A significant portion of core update work addresses security issues
The WordPress project has made it dead easy to keep your code current, so there is no excuse
ALSO: inactive themes and plugins are still on disk and still reachable over HTTP, so a vulnerability in one of them can be exploited even though it is deactivated. If you aren't using them, there is no reason to keep them: delete them.
• 11. AVOID ALLOWING ACCESS WHEN NOT NECESSARY
Shut down open registration
If you're not using comments and pingbacks, deactivate them
Eliminate inactive users
Be selective about permission levels: give each user the lowest role that does the job
Do not allow shared logins
Never use "admin" as a login name: most brute-force attacks on WordPress start with the "admin" login name
If you display author information, DO NOT show the login name (set a display name that differs from it). Bear in mind that the author archive slug defaults to the login name, so it also shows up in author URLs unless the nicename is changed.
Use complex passwords, and a different one for every site
• 12. PREPARE FOR THE WORST
Back up:
    The database
    The active theme
    The .htaccess file
    wp-config.php
    robots.txt
    index.php
    (and wp-content/uploads: a reinstall of WordPress can recreate everything except your uploaded media)
Record the list of active plugins
Register your site with webmaster tools:
    GOOGLE: http://www.google.com/webmasters/tools
    BING: http://www.bing.com/toolbox
SITE SCANNING TOOLS:
    http://sitecheck.sucuri.net/scanner/
    https://www.stopbadware.org/clearinghouse/search
    http://www.unmaskparasites.com/
• 13. THE REASONS A WEBMASTER TOOLS CONNECTION IS IMPERATIVE
You cannot communicate directly with Google or Bing without establishing the connection
Diagnostic tools are made available
Automatic alerts (including hacked-site and malware notices) can be requested
You can request a review to have the warning lifted once the site is clean
• 14. SECOND LEVEL SECURITY: CONFIGURING THE SITE CORRECTLY AT THE POINT OF ORIGINAL INSTALL
There are small adjustments that can:
• Make it more difficult for an attacker to edit your files
• Obscure the structure of your WordPress deployment
• Lock down access to crucial files and directories
• 16. ELIMINATE A COUPLE OF FILES
(root)/readme.html
    ISSUE: reveals the WordPress version that was installed
(root)/wp-admin/install.php
    ISSUE: if the connection between WordPress and the database is broken (or the tables are missing), this file will run and display the installation setup page
NOTE: a core update writes both files back, so delete them again after each update, or deny access to them in .htaccess so the deletion does not have to be repeated
• 17. DISABLE THE FILE EDITOR
As long as the built-in editor is enabled, anyone with an Administrator login (or a stolen Administrator cookie) can modify theme and plugin PHP files from the dashboard, which is the quickest way for an attacker to plant a backdoor
ADD TO THE wp-config.php FILE, above the "That's all, stop editing!" line:
    // DISABLES FILE EDITING
    define('DISALLOW_FILE_EDIT', true);
• 18. DENY INFORMATION TO POTENTIAL ATTACKERS
IN THE ACTIVE THEME'S functions.php FILE:
    // REMOVES THE VERSION NUMBER FROM THE <meta name="generator"> TAG
    remove_action('wp_head', 'wp_generator');
    // OBSCURES THE LOGIN FAILURE MESSAGE
    // (by default WordPress says whether the username or the password was wrong,
    // which lets an attacker confirm valid usernames)
    add_filter('login_errors', function () { return ''; });
(create_function(), which older examples used for that filter, was deprecated in PHP 7.2 and removed in PHP 8; the closure above does the same job.)
The version number also appears in readme.html and in the ?ver= query strings on core scripts and stylesheets, so removing the generator tag only hides the most obvious copy.
• 19. GIVE WORDPRESS A SEPARATE DIRECTORY
IF ALL OF THE CORE FILES ARE IN AN UNEXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND by scanners that assume the default layout (this is obscurity, not access control: the subdirectory name is visible in every wp-content URL in your page source)
• In Settings > General, set WordPress Address (URL) to the new subdirectory and Site Address (URL) to the root, save, then move the core files into the subdirectory
• Copy (NOT MOVE!) the index.php and .htaccess files from the subdirectory into the root of your site
• In your root directory's index.php change the line that says:
    require('./wp-blog-header.php');
  to
    require('./newdirectoryname/wp-blog-header.php');
• Log in again at the new location (newdirectoryname/wp-login.php) and re-save Permalinks so the root .htaccess is regenerated
• 20. MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO THE wp-config.php FILE
The eight keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts) are secret values that WordPress mixes into the hashes it puts in the login cookies, the data that identifies your browser as a particular logged-in user. If they are left at the placeholder text "put your unique phrase here", the cookie hashes are computed with a secret everyone knows, and anyone who can read the database (or a leaked backup of it) can forge a valid login cookie. With unique random keys a cookie cannot be forged, a stolen one is only useful until it expires, and changing the keys invalidates every existing login immediately, which is the right first move after a suspected compromise.
Generate a fresh set at https://api.wordpress.org/secret-key/1.1/salt/ and paste it in place of the placeholders.
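The two wp-config.php changes above (slide 17's DISALLOW_FILE_EDIT and slide 20's keys) are easy to get half right: a key left at the placeholder, one key pasted twice, or a define placed below the "stop editing" line. The script below is an added example for this page, not code from the slides or from WordPress itself. It assumes the stock wp-config.php layout, where each key is written as define('NAME', '...'); and WordPress's own "/* That's all, stop editing!" comment marks the point above which custom settings must go. SAMPLE_CONFIG is a constructed file with the placeholder values a fresh download ships with and NONCE_SALT deliberately missing.

```python
"""Audit and harden the keys/salts and the file-editor setting in wp-config.php.

Added example; assumes the stock wp-config.php layout described above.
"""
import re
import secrets
import string

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
STOP_MARKER = "/* That's all, stop editing!"
MIN_LENGTH = 32
# Characters that can sit inside a single-quoted PHP string without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.<>?/|~"

DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")
EDIT_RE = re.compile(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*(?:true|false)\s*\);")


def new_key(length=64):
    """A fresh secret from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def key_values(config):
    """Map of the key/salt constants actually defined in the file."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config) if m.group("name") in KEY_NAMES}


def weak_keys(config):
    """Names of keys that are missing, still the placeholder, too short, or reused."""
    found = key_values(config)
    values = list(found.values())
    return [name for name in KEY_NAMES
            if found.get(name) is None
            or found[name] == PLACEHOLDER
            or len(found[name]) < MIN_LENGTH
            or values.count(found[name]) > 1]


def insert_before_stop(config, block):
    """Put new defines where WordPress expects custom settings to live."""
    idx = config.find(STOP_MARKER)
    if idx < 0:
        return config.rstrip("\n") + "\n" + block
    return config[:idx] + block + config[idx:]


def rotate_keys(config):
    """Replace all eight keys with new values, adding any that are absent.
    Every existing login cookie stops validating once this is deployed."""
    fresh = {name: new_key() for name in KEY_NAMES}

    def replace(m):
        name = m.group("name")
        return f"define('{name}', '{fresh[name]}');" if name in fresh else m.group(0)

    out = DEFINE_RE.sub(replace, config)
    missing = [n for n in KEY_NAMES if n not in key_values(out)]
    if missing:
        out = insert_before_stop(out, "".join(f"define('{n}', '{fresh[n]}');\n" for n in missing))
    return out


def disable_file_editor(config):
    """Force DISALLOW_FILE_EDIT to true, whether it was absent or set to false."""
    line = "define('DISALLOW_FILE_EDIT', true);"
    if EDIT_RE.search(config):
        return EDIT_RE.sub(line, config)
    return insert_before_stop(config, line + "\n")


def harden(config):
    return disable_file_editor(rotate_keys(config))


# Constructed sample: placeholder keys as shipped, NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('DB_PASSWORD', 's3cret');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_CONFIG))
    hardened = harden(SAMPLE_CONFIG)
    print("weak after:", weak_keys(hardened))
    print(hardened)
```

Run it against a copy of the real file (read, harden, write back, then log in again), never in place on a live site without a backup: rotating the keys logs every user out, which is the intended effect after a compromise and a surprise otherwise.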
• 21. MAKE SURE FOLDER & FILE PERMISSIONS ARE SET CORRECTLY
TYPICALLY THEY ARE GIVEN THE PROPER SETTINGS UPON DEPLOYMENT, BUT IT DOESN'T HURT TO CHECK
FILE PERMISSION = 644
FOLDER PERMISSION = 755
wp-config.php deserves tighter treatment (600 or 640; the Codex suggests 440 or 400 where the host allows it) because it holds the database password. Never leave anything at 777: on shared hosting that makes it writable by every other account on the server.
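A walk over the install that reports every file or directory off the 644/755 baseline, with world-writable entries listed first, is the check to run after a migration or a panicked chmod -R 777. This is an added example for this page, not code from the slides. It assumes the files are owned by the account PHP runs as (the usual shared-hosting arrangement); where the web server runs as a separate user and group, 640 on wp-config.php must be paired with that group. build_sample_site() creates a constructed tree with deliberate mistakes so the audit can be exercised without touching a real install.

```python
"""Audit and fix file-system modes on a WordPress tree.

Added example; baseline is 644 for files, 755 for directories, and a
non-world-readable mode for wp-config.php.
"""
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o644
DIR_MODE = 0o755
CONFIG_MODE = 0o640
# Any of these keeps wp-config.php unreadable to other accounts on the host.
CONFIG_ALLOWED = (0o600, 0o640, 0o440, 0o400)


def _expected(rel, is_dir):
    """(mode to apply, modes accepted) for one entry."""
    if rel == "wp-config.php":
        return CONFIG_MODE, CONFIG_ALLOWED
    if is_dir:
        return DIR_MODE, (DIR_MODE,)
    return FILE_MODE, (FILE_MODE,)


def _entries(root):
    """Yield (path, relative path, is_dir) for everything below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in dirnames:
            yield d / name, str((d / name).relative_to(root)), True
        for name in filenames:
            yield d / name, str((d / name).relative_to(root)), False


def audit_permissions(root):
    """Return (relative path, actual mode, expected mode) as octal strings
    for every entry outside the baseline. World-writable entries sort first:
    those are the ones any other account on the host can modify."""
    root = Path(root)
    findings = []
    for path, rel, is_dir in _entries(root):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        target, allowed = _expected(rel, is_dir)
        if mode not in allowed:
            findings.append((rel, f"{mode:o}", f"{target:o}"))
    findings.sort(key=lambda f: (not (int(f[1], 8) & stat.S_IWOTH), f[0]))
    return findings


def fix_permissions(root):
    """Apply the baseline to every entry that fails it; returns how many changed."""
    root = Path(root)
    changed = 0
    for path, rel, is_dir in _entries(root):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        target, allowed = _expected(rel, is_dir)
        if mode not in allowed:
            path.chmod(target)
            changed += 1
    return changed


def build_sample_site(base):
    """Constructed tree: a world-readable wp-config.php, a world-writable
    uploads directory, and a world-writable upload inside it."""
    base = Path(base)
    for d in ("wp-content/uploads", "wp-includes"):
        (base / d).mkdir(parents=True)
    for rel, mode in {
        "index.php": 0o644,
        "wp-config.php": 0o644,                 # readable by every account on the host
        "wp-includes/version.php": 0o644,
        "wp-content/uploads/photo.jpg": 0o666,  # anyone can overwrite it
    }.items():
        (base / rel).write_text("sample\n")
        (base / rel).chmod(mode)
    (base / "wp-content").chmod(0o755)
    (base / "wp-includes").chmod(0o755)
    (base / "wp-content/uploads").chmod(0o777)  # anyone can drop a file here
    return base


def demo():
    """Audit the sample tree, fix it, and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        before = audit_permissions(site)
        changed = fix_permissions(site)
        after = audit_permissions(site)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, actual, expected in before:
        print(f"{rel}: {actual} (expected {expected})")
    print(f"fixed {changed} entries, {len(after)} findings remain")
```

Point audit_permissions() at the document root first and read the report before calling fix_permissions(): on a host where the web server needs to write into wp-content/uploads as a different user, the fix would need a group-writable mode there instead of 755.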
• 22. THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES
"The ability to include .htaccess files in specific directories gives you more control of your site's configuration, optimization, and security." - Jeff Starr
While hosting in an environment optimized for WordPress is ideal, it is not always available.
• 23. BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE AN .htaccess FILE
ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT WITH THIS CODE ONLY (the site-folder-name path appears only for an install in a subdirectory; for a root install both occurrences are simply /):
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /site-folder-name/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /site-folder-name/index.php [L]
    </IfModule>
    # END WordPress
WordPress rewrites everything between the BEGIN and END markers whenever permalinks are saved, so your own rules must go outside that block.
• 24. NEXT: INCLUDE THE FOLLOWING (outside the WordPress-generated block)
    # PROTECT THE .htaccess FILE
    <Files .htaccess>
    Order Allow,Deny
    Deny from all
    </Files>
    # SECURE wp-config.php
    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>
    # BLOCK THE INCLUDE-ONLY FILES
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
The include-only rules are the ones from the Codex hardening page. On a Multisite install the Codex notes that the ^wp-includes/[^/]+\.php$ rule also blocks ms-files.php, which serves uploaded images, so omit that line there.
Order/Allow/Deny is Apache 2.2 syntax. Apache 2.4 only honours it when mod_access_compat is loaded; the native 2.4 form is a single "Require all denied" line inside the <Files> block.
• 25. AN ADDITIONAL RULE WORTH ADDING
    # CANONICAL FAVICONS - A COMMON POINT OF ATTACK
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
    RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
    RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
    </IfModule>
In practice this does more for the error log than for security: scanners and broken clients request every favicon variant they can think of, and redirecting all of them to the one real file keeps that noise out of the 404 list where real probing would otherwise be buried. Note that it catches any file name that starts with "favicon", not only the icon variants.
• 26. SPECIFIC .htaccess TO PROTECT wp-content
Protects PHP files: allows direct access to images, CSS, JavaScript and XML files and denies every other type
Place this in wp-content/.htaccess:
    # PREVENT ACCESS TO WP-CONTENT
    Order Deny,Allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>
Extend the allowed extensions to whatever else your theme serves directly (web fonts, SVG, PDFs, audio or video), or those requests will start returning 403.
AND FOR EXTRA CREDIT: KILL PHP EXECUTION IN THESE 2 LOCATIONS
    /wp-content/uploads/.htaccess
    /wp-includes/.htaccess
each containing:
    <Files *.php>
    Order Deny,Allow
    Deny from all
    </Files>
The uploads rule is the one that pays off most often: a file-upload flaw in a plugin usually ends with a PHP web shell written into wp-content/uploads, and this rule stops it from being executed even after it has been written.
• 27. SOME ADDITIONAL .htaccess RULES
LOCATION: UPLOADS DIRECTORY
    # secure uploads directory
    <Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
    </Files>
    <FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
    Order Deny,Allow
    Allow from all
    </FilesMatch>
=> issue: blocks the ability to access PDF-related URLs by link
One likely cause: the pattern is case-sensitive, so uploads named .PDF or .JPG are denied. Prefix the expression with (?i) to match regardless of case.
• 28. LOCATION: wp-admin DIRECTORY
    # SECURE WP-ADMIN FILES
    <FilesMatch ".*">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    </FilesMatch>
(203.0.113.10 is a placeholder from the documentation address range; substitute the address you administer from. A pattern such as "*.*" is not a valid regular expression and Apache will refuse it.)
=> issue: restricting by IP address is not practical in many cases
Also: wp-admin/admin-ajax.php is called from the public side of the site by many plugins and themes, so exempt it with a <Files admin-ajax.php> block containing "Allow from all", or those front-end features will break for every visitor outside the allowed address.
• 29. LOCATION: ROOT DIRECTORY
    # Denies "hotlinking" of images
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # ultimate hotlink protection
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu.org|taffys.org|halfelf.org|poohnau.us|elfshot.org) [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
(the domain list is the set of sites this rule was written for; substitute your own)
=> issue: this disables the theme screenshot display so I don't use it
• 30. LOCATION: ROOT DIRECTORY
    # MAKES EXPLICIT LOCATION OF ROBOTS.TXT
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
    RewriteCond %{REQUEST_URI} robots\.txt [NC]
    RewriteRule .* http://example.com/robots.txt [R=301,L]
    </IfModule>
=> issue: seems like overkill
    # MAKES EXPLICIT LOCATION OF SITEMAP
    <IfModule mod_alias.c>
    RedirectMatch 301 ^/.+/sitemap\.xml$ http://example.com/sitemap.xml
    RedirectMatch 301 ^/.+/sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
    </IfModule>
=> seems like overkill
Unlike the robots.txt block, which excludes the canonical path with its first RewriteCond, a RedirectMatch written as plain "/sitemap\.xml$" also matches the canonical /sitemap.xml itself and redirects it to itself forever; the ^/.+/ anchor restricts the redirect to copies under a subdirectory.
• 31. WHILE A robots.txt FILE IS NOT A DIRECT SECURITY MEASURE, IT KEEPS DIRECTORIES YOU WOULD RATHER NOT ADVERTISE OUT OF SEARCH RESULTS
It does not protect anything: robots.txt is a request that well-behaved crawlers honour, and attackers read it precisely because it lists the paths the owner cares about. Anything named here must also be blocked with the .htaccess rules above.
    User-agent: *
    Disallow: /cgi-bin/
    Disallow: /wp-admin/
    Disallow: /wp-includes/
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: /tag/
    Disallow: /trackback/
    Disallow: */trackback/
    Disallow: /index.php # separate directive for the main script file of WP
    Disallow: /*.php$
    Disallow: /*.js$
    Disallow: /*.inc$
    Disallow: /*.css$
    Allow: /wp-content/uploads/
    Sitemap: http://SITEURL/sitemap_index.xml
(Yoast SEO generates a reliable sitemap index at that address)
Note: the /*.js$ and /*.css$ lines stop Google fetching your scripts and stylesheets; since 2014 Google's guidelines ask that these not be blocked, because it renders pages in order to index them.
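None of the .htaccess work above is finished until it has been checked from the outside, the way a scanner would see it. The script below is an added example for this page, not code from the slides: it requests the files slide 16 removes, the generator tag slide 18 suppresses and the direct-access blocks from slide 24, then reads robots.txt and reports any listed path that is still served with 200, which is the slide 31 caveat made concrete. Standard library only. The fetch function is injectable so the checks run first against the constructed UNHARDENED and HARDENED responses below; the real fetcher does not follow redirects, so a path that bounces to wp-login.php counts as "not served" rather than as a 200. It assumes wp-includes/version.php exists on every install (it does) and can't verify the uploads PHP rule without a probe file, which is left out deliberately.

```python
"""External verification of the hardening steps on this page.

Added example; see the lead-in for what it assumes.
"""
import re
import urllib.error
import urllib.request

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress', re.I)

# "forbidden": the file exists on every install and must answer 403.
# "gone": 403 or 404 are both fine, the point is that it is not served.
CHECKS = [
    ("/readme.html", "gone"),                    # slide 16: leaks the version
    ("/wp-admin/install.php", "gone"),           # slide 16
    ("/wp-config.php", "forbidden"),             # slide 24
    ("/.htaccess", "forbidden"),                 # slide 24
    ("/wp-includes/version.php", "forbidden"),   # slide 24: include-only file
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surfaces the 3xx as an HTTPError instead of following it


def http_fetch(url, timeout=10):
    """(status, body) for a GET with redirects disabled."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def disallowed_paths(robots):
    """Literal Disallow entries (no wildcards) from a robots.txt body, in order."""
    paths = []
    for line in robots.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            p = line.split(":", 1)[1].strip()
            if p and "*" not in p and "$" not in p and p not in paths:
                paths.append(p)
    return paths


def check_site(base_url, fetch=http_fetch):
    """Return human-readable failures; an empty list means every check passed."""
    base = base_url.rstrip("/")
    failures = []
    for path, expect in CHECKS:
        status, _ = fetch(base + path)
        if expect == "forbidden" and status != 403:
            failures.append(f"{path}: expected 403, got {status}")
        elif expect == "gone" and status not in (403, 404):
            failures.append(f"{path}: expected 403 or 404, got {status}")
    status, body = fetch(base + "/")
    if status == 200 and GENERATOR_RE.search(body):
        failures.append("/: WordPress generator meta tag still present")
    status, robots = fetch(base + "/robots.txt")
    if status == 200:
        for path in disallowed_paths(robots):
            if fetch(base + path)[0] == 200:
                failures.append(f"{path}: disallowed in robots.txt but served with 200")
    return failures


# Constructed responses for a site where several steps were skipped.
UNHARDENED = {
    "/": (200, '<html><head><meta name="generator" content="WordPress 3.8" /></head></html>'),
    "/readme.html": (200, "<h1>WordPress</h1>"),
    "/wp-admin/install.php": (404, ""),
    "/wp-config.php": (403, ""),
    "/.htaccess": (403, ""),
    "/wp-includes/version.php": (200, ""),
    "/robots.txt": (200, "User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-content/plugins/\nDisallow: /*.php$\n"),
    "/wp-admin/": (302, ""),
    "/wp-content/plugins/": (200, "<title>Index of /wp-content/plugins</title>"),
}
# The same site after the rules on this page are in place.
HARDENED = {
    **UNHARDENED,
    "/": (200, "<html><head><title>Site</title></head></html>"),
    "/readme.html": (404, ""),
    "/wp-includes/version.php": (403, ""),
    "/wp-content/plugins/": (403, ""),
}


def fake_fetch(site):
    """Build a fetch() that answers from one of the dictionaries above."""
    def fetch(url, timeout=10):
        path = url.split("://", 1)[1]
        return site.get(path[path.find("/"):], (404, ""))
    return fetch


if __name__ == "__main__":
    for name, site in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, check_site("https://example.com", fetch=fake_fetch(site)) or ["all checks passed"])
```

Against a live site, call check_site("https://yourdomain.example") with the default fetcher and add the checks to whatever runs after each core update, since updates put readme.html and install.php back.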
• 32. PLUGINS OF NOTE: SITE SCANNERS
WP Security Scan: http://wordpress.org/plugins/wp-security-scan
Sucuri Security - SiteCheck Malware Scanner: http://wordpress.org/plugins/sucuri-scanner
WordPress File Monitor Plus: http://wordpress.org/plugins/wordpress-file-monitor-plus
    Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
WordPress Exploit Scanner: http://wordpress.org/plugins/exploit-scanner
    Searches the files on your website, and the posts and comments tables of your database, for anything suspicious.
Secure WordPress: http://wordpress.org/plugins/secure-wordpress
Keep in mind that a scanner plugin runs inside the site it is checking: an attacker who can write files can also disable it. The external scanners on slide 12 are the independent check.
• 33. PLUGINS OF NOTE: MORE SCANNERS
Wordfence: http://wordpress.org/plugins/wordfence/
Better WP Security (later renamed iThemes Security): http://wordpress.org/plugins/better-wp-security/
BulletProof Security: http://wordpress.org/plugins/bulletproof-security/
• 34. PLUGINS OF NOTE: BACKUP
VaultPress: http://wordpress.org/plugins/vaultpress/ (subscription)
BackupBuddy: http://ithemes.com/purchase/backupbuddy/ (paid)
WP Migrate DB Pro: https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
BackWPup: http://wordpress.org/plugins/backwpup/
WordPress Backup to Dropbox: http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Online Backup for WordPress: http://wordpress.org/plugins/wponlinebackup/
WP-DB-Backup: http://wordpress.org/plugins/wp-db-backup/
WP-DBManager: http://wordpress.org/plugins/wp-dbmanager/
BackUpWordPress: http://wordpress.org/plugins/backupwordpress/
• 35. PLUGINS OF NOTE: LOGIN LIMITATION
Limit Login Attempts: http://wordpress.org/plugins/limit-login-attempts/
Login Security Solution: http://wordpress.org/plugins/login-security-solution/
Stealth Login Page: http://wordpress.org/plugins/stealth-login-page/
PLUGINS OF NOTE: CHANGE LOGIN LOCATION
Lockdown WP-Admin: http://wordpress.org/plugins/lockdown-wp-admin/
Simple Login Lockdown: http://wordpress.org/plugins/simple-login-lockdown/
Login Security Solution: http://wordpress.org/plugins/login-security-solution/
• 36. PLUGINS OF NOTE: MIXED BAG
Theme Authenticity Checker (TAC): http://wordpress.org/plugins/tac/
Theme-Check: http://wordpress.org/plugins/theme-check/
Theme Test Drive: http://wordpress.org/plugins/theme-test-drive/
Block Bad Queries (BBQ): http://wordpress.org/plugins/block-bad-queries/ **Jeff Starr plugin
AntiVirus: http://wordpress.org/plugins/antivirus/
• 37. NOTHING IS 100% HACK-PROOF, BUT YOU CAN MAKE IT MORE DIFFICULT
Keep your code current and work in a clean environment
Restrict access to the WordPress admin
Block access to crucial files
Back up crucial files on a regular basis
Have a strategy to rebuild if the easy solutions elude you