How to Secure Your WordPress Site

1. Old is not gold! Update
Did You Know? 73.2% of WordPress installations are vulnerable.
Top vulnerable versions: 3.0.1, 3.0, 3.6, 3.5.1, 3.5
What to Do? Upgrade to the latest version. Current stable version: 4.1.1

2. Why make it easier for hackers? Shield the version number
Did You Know? Source code & RSS feed reveal the version number. This makes exploits easy.
What to Do?
• Delete readme.html
• Deny access to it in .htaccess:
<files readme.html>
order allow,deny
deny from all
</files>

3. Injection: It hurts! Don’t go with defaults!
Did You Know? Vulnerability counts by type: XSS (639), SQLi (276), CSRF (146)
What to Do?
• Avoid wp-admin as table name
• Avoid admin as username
• Restrict access to admin panel
• Ensure proper validation for user inputs

4. Pingback DDoS - Yes, that happens! Scan and Disable
Did You Know? Your site could be used by attackers without you realizing it.
What to Do?
• Use WordPress DDoS scanner
• Disable XML-RPC using appropriate plugin

5. Don’t leave a trail behind... Hide file path
Did You Know? Full Path Disclosure reveals username and file path from root directory.
What to Do? Create .htaccess file in root folder with the code
php_flag display_errors off

6. File Permissions: Tweak it
Did You Know? Files and directories are given different permissions that specify who can read, write, and modify them.
[Permission dial graphic: directories 755, files 644]
What to Do?
• wp-config.php should be 440 or 400
• Directories should not be given 777
• For directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
• For files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
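The permission scheme above, applied and then verified, as an added example that is not part of the original poster: it builds a throwaway WordPress-like tree with the typical mistakes (a 777 uploads directory, a world-readable wp-config.php), runs the two find commands, locks wp-config.php to 400, and counts what is still world-writable. The directory layout and file names are constructed for the demo; the only real paths are the WordPress conventions wp-config.php and wp-content/.

```shell
#!/bin/sh
# Added example (not from the original infographic): apply the 755/644 scheme
# plus 400 on wp-config.php to a scratch tree, then audit for world-writable
# entries. Everything under the mktemp root is constructed.

set -u

# Build a sample site with deliberately bad permissions to fix.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins" "$root/wp-content/uploads"
    printf '<?php // constructed config\n' > "$root/wp-config.php"
    printf '<?php // constructed plugin\n' > "$root/wp-content/plugins/demo.php"
    printf 'x' > "$root/wp-content/uploads/image.jpg"
    chmod 777 "$root/wp-content/uploads"   # classic "make uploads work" mistake
    chmod 666 "$root/wp-config.php"        # database credentials readable by everyone
    printf '%s\n' "$root"
}

# Apply the poster's scheme: directories 755, files 644, wp-config.php 400.
harden_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} \;
    find "$site" -type f -exec chmod 644 {} \;
    chmod 400 "$site/wp-config.php"
}

# Number of entries still writable by "other"; 0 means the audit passed.
count_world_writable() {
    find "$1" -perm -o=w | wc -l | tr -d ' '
}

# Octal mode of wp-config.php (GNU stat first, BSD stat as fallback).
wpconfig_mode() {
    stat -c '%a' "$1/wp-config.php" 2>/dev/null || stat -f '%Lp' "$1/wp-config.php"
}

# Stand-alone demo: sh perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    SITE=$(make_sample_site)
    echo "world-writable before: $(count_world_writable "$SITE")"
    harden_permissions "$SITE"
    echo "world-writable after:  $(count_world_writable "$SITE")"
    echo "wp-config.php mode:    $(wpconfig_mode "$SITE")"
    rm -rf "$SITE"
fi
```

Run it with --demo against the scratch tree before pointing harden_permissions at a real document root; the audit function is the part worth keeping in a cron job, since a 777 directory tends to reappear after the next plugin "fix".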
7. Slippery Slug: Time for a nickname!
Did You Know? By default, the username becomes the author slug (id), making a targeted WordPress hack easier.
What to Do?
• Check that username ≠ author name
• Use Edit Author Slug plugin

8. Plugins are great, but... Follow these tips
Did You Know? They have full access to your website.
Most vulnerable plugins:
• WP Symposium
• FoxyPress
• VideoWhisper Live Streaming Integration
What to Do?
• Download from trusted sources: wordpress.org
• Review plugin code
• Install/activate only those that you need
• Remove unused plugins

9. Directory Listing: Disable indexing
Did You Know? Directory listing displays sensitive data such as backup files, hidden files, user accounts, and configuration file contents.
What to Do?
• Create a .htaccess file with code
Options -Indexes
• Restrict access to
/wp-content/
/wp-content/themes/
/images/
/wp-content/plugins/
/uploads/
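Tips 2, 5 and 9 all come down to a few files in the document root, so one audit can cover them. The script below is an added example, not part of the original poster: it constructs a sample site with every issue present (readme.html left in place, no .htaccess, and a saved copy of the front page that still carries the generator meta tag WordPress prints in the page head), reports each finding, applies the poster's .htaccess fixes, and re-audits. The saved-homepage.html name is a constructed stand-in for a page fetched from the site; the assumption made here is that the generator tag is the "source code reveals version number" the poster refers to, and the audit deliberately shows that the .htaccess fixes do not remove it, because that tag comes from WordPress itself rather than from a file you can delete.

```shell
#!/bin/sh
# Added example (not from the original infographic): audit a WordPress
# document root for the disclosure issues in tips 2, 5 and 9, apply the
# poster's .htaccess fixes, and re-check. The sample site is constructed.

set -u

make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<html>WordPress readme (constructed)</html>\n' > "$root/readme.html"
    # Constructed copy of the front page as a browser would save it.
    printf '<head><meta name="generator" content="WordPress 4.1.1" /></head>\n' \
        > "$root/saved-homepage.html"
    printf '%s\n' "$root"
}

# One line per finding; callers count them. grep -s keeps a missing .htaccess quiet.
audit_site() {
    site="$1"
    [ -e "$site/readme.html" ] && echo "readme.html present (version hint)"
    grep -qs 'Options -Indexes' "$site/.htaccess" || echo "directory listing not disabled"
    grep -qs 'php_flag display_errors off' "$site/.htaccess" || echo "PHP errors shown (full path disclosure)"
    grep -qs '<files readme.html>' "$site/.htaccess" || echo "readme.html not denied in .htaccess"
    grep -qis 'name="generator" content="WordPress' "$site/saved-homepage.html" \
        && echo "generator meta tag reveals version (fix in WordPress, not .htaccess)"
    return 0
}

count_findings() {
    audit_site "$1" | wc -l | tr -d ' '
}

# The poster's fixes: delete readme.html and write a root .htaccess that
# disables indexing, hides PHP errors and denies the readme if it comes back.
harden_site() {
    site="$1"
    rm -f "$site/readme.html"
    cat > "$site/.htaccess" <<'EOF'
Options -Indexes
php_flag display_errors off
<files readme.html>
order allow,deny
deny from all
</files>
EOF
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    SITE=$(make_sample_site)
    echo "--- before"; audit_site "$SITE"
    harden_site "$SITE"
    echo "--- after";  audit_site "$SITE"
    rm -rf "$SITE"
fi
```

After hardening, exactly one finding remains: the generator tag. That is the caveat to remember when reading tip 2: deleting readme.html and denying it in .htaccess closes one version leak, while the page source and RSS feed still need the version removed on the WordPress side.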
10. Are you hacked? Monitor, Backup, Scan
Did You Know? Signs that your site may be compromised:
• Redirected links
• Unfamiliar pop-ups
• Odd text in Footer or ‘View Source’
• Spikes: traffic, bandwidth usage
What to Do?
• Always keep an eye on logs
• Take backups periodically, encrypt them
• Install a reliable vulnerability scanner
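Tip 4 (pingback DDoS) and tip 10 (watch the logs, watch for spikes) meet in the access log: a site being used as a pingback reflector shows a burst of POST requests to /xmlrpc.php. The script below is an added example, not part of the original poster. The log lines are constructed in Apache combined format with documentation IP addresses; the user-agent string "WordPress/4.1.1; http://example.invalid" is a constructed stand-in for the agent a WordPress pingback request carries. It counts xmlrpc.php POSTs per client and flags anyone over a threshold.

```shell
#!/bin/sh
# Added example (not from the original infographic): spot XML-RPC / pingback
# abuse in an Apache access log (tips 4 and 10). Log lines are constructed.

set -u

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/May/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1.1; http://example.invalid"
203.0.113.5 - - [10/May/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1.1; http://example.invalid"
203.0.113.5 - - [10/May/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1.1; http://example.invalid"
198.51.100.7 - - [10/May/2015:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1.1; http://example.invalid"
198.51.100.7 - - [10/May/2015:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
)

# Print "count ip" for every client that POSTed to /xmlrpc.php at least
# $1 times (default 3), busiest first. Reads the log from stdin.
# Combined-format fields: $1 client, $6 "METHOD, $7 path.
xmlrpc_offenders() {
    threshold="${1:-3}"
    awk -v th="$threshold" '
        $6 == "\"POST" && $7 == "/xmlrpc.php" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= th) print n[ip], ip }
    ' | sort -rn
}

# Total requests to xmlrpc.php; compare across days to see the "spike"
# the poster warns about. Reads the log from stdin.
xmlrpc_total() {
    awk '$7 == "/xmlrpc.php" { c++ } END { print c+0 }'
}

# Stand-alone demo: sh xmlrpc-watch.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "xmlrpc.php requests: $(printf '%s\n' "$SAMPLE_LOG" | xmlrpc_total)"
    echo "clients over threshold:"
    printf '%s\n' "$SAMPLE_LOG" | xmlrpc_offenders 3
fi
```

On a real server, replace the embedded sample with `xmlrpc_offenders 50 < /var/log/apache2/access.log` (path assumed; it varies by distribution). Repeated hits from many different sources, each pushing small POSTs, is the pattern of your site being used as a reflector, which is why the poster's advice is to disable XML-RPC if nothing legitimate needs it.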
References
https://www.owasp.org
https://wpvulndb.com/statistics
https://codex.wordpress.org
http://projects.webappsec.org

May 2015
Designed & Published by