WordPress Security - How to Secure your WordPress Site
I presented this at "CMS Developers Conference 2015" on 10th February, 2015

Topics Include:
# A Basic Understanding
# Vulnerability Statistics
# Direct Approach
# Indirect Approach
# Insane Approach
# Plugin URLs
# Tutorial URLs

* I gave an almost identical presentation a couple of months ago, but this one comes with more data.

  1. WordPress Security: How to secure your WordPress website. CMSCon2015
  2. Find Me: @rupok | fb.com/rupokify | rupokify@gmail.com | www.rupok.xyz. Rupok Chowdhury Protik, also known as “The Formatter”
  3. “I have not failed. I've just found 10,000 ways that won't work.” Ways to secure your site, ways to follow: Direct Approach, Indirect Approach, Scattered Approach
  4. “Direct Approach”: the easiest way to follow
  5. “There is only ONE way to 100% secure your WordPress site”
  6. “BEST way, 100% guaranteed”
  7. “DELETE IT!”
  8. “Request?” A really, really cute face may help
  9. “Indirect Approach”
  10. “A Basic Understanding”: how you can really save your site
  11. Current scenario, based on 42,106 WordPress websites found in Alexa's top 1 million websites: 74 different versions of WordPress were identified; 11 of these versions are invalid (for example, version 6.6.6); 18 websites had an invalid, non-existent version of WordPress.
  12. 769 websites (1.82%) are still running a subversion of WordPress 2.0. Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1; 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September. 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
  13. “Main Reasons”: things that will really help you to save your site
  14. Main reasons, by share: 41% hosting provider; 29% vulnerability in the WordPress theme; 22% vulnerability in a plugin; 8% weak password
  15. “Understanding the reasons”
  16. “Four W One H”: Who, Why, When, Where, How
  17. “Who?” Anonymous, your friend, a random guy
  18. “Why?” Fun, revenge, profit, political
  19. “When?” Least expected, you are not ready, the door is open
  20. “[every]Where?” Shared hosting, VPS, dedicated server, your laptop
  21. “How?” Defacement, spam links, backdoors, SQL injections, malicious redirects, form abuse, compromised web servers
  22. “What can we do?”
  23. “Avoid nulled themes & plugins”: why are they giving them to you for free?
  24. “Delete the ‘admin’ account”:
        UPDATE wp_users SET user_login='batman' WHERE user_login='admin';
      Hackers need only two pieces of information, “username” and “password”. Don't give them half. Try to avoid showing your username in posts.
  25. “Use secret keys”: https://api.wordpress.org/secret-key/1.1/salt/
  26. “Update everything”: keep everything updated. Literally “EVERYTHING”.
  27. “Modify file permissions”: files 644 | folders 755 | .htaccess 444 | wp-config.php 444
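A small auditor for the 644/755/444 scheme on slide 27, added here as an example and not the speaker's code. It builds a constructed, deliberately mis-permissioned WordPress-like tree in a temporary directory, lists every entry whose mode bits deviate from the scheme, and then applies the scheme. The function names (audit, harden, build_sample_tree, cleanup) are my own.

```python
"""Audit and apply the permission scheme from slide 27:
files 644, folders 755, .htaccess 444, wp-config.php 444.

Added example for this transcript, not the speaker's code. The sample tree is
constructed in a temporary directory so the script runs offline.
"""
import os
import shutil
import stat
import tempfile

# Permission scheme from the slide, as octal mode bits.
FILE_MODE = 0o644
DIR_MODE = 0o755
LOCKED_FILES = {".htaccess": 0o444, "wp-config.php": 0o444}


def expected_mode(path):
    """Return the mode the scheme prescribes for one path."""
    if os.path.isdir(path):
        return DIR_MODE
    return LOCKED_FILES.get(os.path.basename(path), FILE_MODE)


def audit(root):
    """Walk the tree and return sorted [(relative_path, actual, expected)]
    for every entry whose permission bits deviate from the scheme."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            want = expected_mode(full)
            if actual != want:
                findings.append((os.path.relpath(full, root), actual, want))
    return sorted(findings)


def harden(root):
    """Apply the scheme to every deviating entry; return how many were changed."""
    changed = 0
    for rel, _actual, want in audit(root):
        os.chmod(os.path.join(root, rel), want)
        changed += 1
    return changed


def build_sample_tree():
    """Constructed, deliberately mis-permissioned WordPress-like tree."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    layout = {
        "wp-config.php": 0o666,          # world-writable: the worst case
        ".htaccess": 0o644,              # should be 444
        "index.php": 0o644,              # already correct
        "wp-content/uploads/x.jpg": 0o777,
        "wp-content/plugins/a.php": 0o755,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o777)   # should be 755
    return root


def cleanup(root):
    """Remove the temporary tree again."""
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, actual, want in audit(root):
        print(f"{rel}: {actual:o} -> should be {want:o}")
    print("fixed", harden(root), "entries; remaining:", audit(root))
    cleanup(root)
```

On a real install, point audit() at the document root and run it as the file owner; remember that a 444 wp-config.php has to be made writable again before you edit it, and that the scheme says nothing about ownership, which is the other half of the picture on shared hosting.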
  28. “Move up wp-config.php”: WordPress automatically checks the parent directory if wp-config.php is not found in your root directory. public_html/wordpress/wp-config.php becomes public_html/wp-config.php
  29. “Protect wp-config.php”: write the following in your .htaccess file.
        # Apache 2.2 syntax (on 2.4 it needs mod_access_compat; the 2.4 form is "Require all denied")
        <Files wp-config.php>
            Order allow,deny
            Deny from all
        </Files>
  30. “Local security”: keyloggers, malware. Don't use FTP; use SFTP or SSH instead.
  31. “Control login attempts”: don't let them try for eternity. https://wordpress.org/plugins/login-lockdown/
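To make “don't let them try for eternity” concrete, here is an added sketch of the lockout logic such a plugin implements. It is my own example, not the Login LockDown plugin's code: three failures from one source inside a five-minute sliding window lock that source out for an hour, and a correct password during the lockout is still refused. The thresholds, the client-IP key and the injected clock are assumptions made for the demo.

```python
"""Login-attempt limiter: the logic behind a lockout plugin.

Added example, not the speaker's code and not the Login LockDown plugin.
Thresholds are assumptions chosen for the demo. Time is passed in explicitly
so the behaviour can be exercised without waiting.
"""
from collections import defaultdict, deque

MAX_FAILURES = 3            # failures tolerated ...
WINDOW_SECONDS = 5 * 60     # ... within this sliding window
LOCKOUT_SECONDS = 60 * 60   # how long a source stays locked afterwards


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def is_locked(self, key, now):
        """True while a lock is in force; expired locks are cleared lazily."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed login; return True if this failure triggered a lock."""
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)

    def attempt(self, key, password_ok, now):
        """Gate one login attempt. Returns 'locked', 'ok' or 'denied'.
        key is the client source, e.g. its IP address (an assumption of the demo)."""
        if self.is_locked(key, now):
            return "locked"          # refused even if the password is right
        if password_ok:
            self.record_success(key)
            return "ok"
        self.record_failure(key, now)
        return "denied"


def demo():
    """Constructed attempt sequence from one documentation-range IP."""
    limiter = LoginLimiter()
    source = "203.0.113.5"
    script = [(0, False), (10, False), (20, False), (30, True), (20 + 3600, True)]
    return [limiter.attempt(source, ok, t) for t, ok in script]


if __name__ == "__main__":
    print(demo())   # third failure locks; correct password at t=30 is still refused
```

Keying on the client IP is what such plugins do, which is why they are weak against attempts spread over many addresses; pairing the limiter with the two-factor options later in the deck closes that gap.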
  32. “Database table prefix”: change from “wp_” to “wp_anything_” or “wpanything_”, where “anything” may contain a-z, 0-9
  33. “SSL certificate”: try to use an SSL certificate.
        define('FORCE_SSL_ADMIN', true);
        define('FORCE_SSL_LOGIN', true);   // deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers the login page too
  34. “Move wp-content folder”: add this to wp-config.php before wp-settings.php is called.
        define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' );
        define( 'WP_CONTENT_URL', 'http://www.paulund.co.uk/blog/content/wp-content' );
  35. “Protect wp-admin”: password-protect the wp-admin folder using .htaccess + .htpasswd. http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
  36. “Disable dashboard edit”:
        define('DISALLOW_FILE_EDIT', true);
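Slides 25, 32, 33 and 36 are all wp-config.php settings, so one added checker serves them together. It is my own example, not the speaker's code: it parses define() lines and $table_prefix out of wp-config.php text and reports salts still at the shipped placeholder, the default wp_ prefix, and missing DISALLOW_FILE_EDIT or FORCE_SSL_ADMIN. The two config texts are constructed samples; the 32-character minimum for salts and the generation of demo salts with the secrets module (instead of the salt API on slide 25) are assumptions of the demo.

```python
"""Static checker for the wp-config.php items in the talk: secret keys/salts,
table prefix, DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN.

Added example, not the speaker's code. Both config texts are constructed.
"""
import re
import secrets

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_SALT_LENGTH = 32                           # assumption: anything shorter is reported

# Matches define('NAME', true|false|'string') in either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*\)""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_config(text):
    """Return ({CONSTANT: value}, table_prefix) from wp-config.php source."""
    consts = {}
    for name, raw in DEFINE_RE.findall(text):
        if raw.lower() in ("true", "false"):
            consts[name.upper()] = raw.lower() == "true"
        else:
            consts[name.upper()] = raw[1:-1]          # strip the surrounding quotes
    match = PREFIX_RE.search(text)
    return consts, (match.group(1) if match else None)


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    consts, prefix = parse_config(text)
    findings = []
    for key in SALT_KEYS:
        value = consts.get(key)
        if (not isinstance(value, str) or value.strip().lower() == PLACEHOLDER
                or len(value) < MIN_SALT_LENGTH):
            findings.append(f"{key}: missing, default or too short; regenerate it")
    if prefix is None:
        findings.append("$table_prefix: not set")
    elif prefix == "wp_":
        findings.append("$table_prefix: still the default 'wp_'")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        findings.append("$table_prefix: may only contain letters, digits and underscores")
    if consts.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: theme/plugin editor still reachable from the dashboard")
    if consts.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN: wp-admin and wp-login.php not forced over HTTPS")
    return findings


# Constructed sample: a config left at the shipped defaults.
WEAK_CONFIG = "<?php\n$table_prefix = 'wp_';\n" + "".join(
    f"define('{key}', '{PLACEHOLDER}');\n" for key in SALT_KEYS
) + "define('WP_DEBUG', false);\n"


def hardened_config(prefix="wp_c0nf_"):
    """Constructed sample that passes every check; salts are freshly generated."""
    lines = ["<?php", f"$table_prefix = '{prefix}';"]
    for key in SALT_KEYS:
        lines.append(f"define('{key}', '{secrets.token_urlsafe(48)}');")   # 64 url-safe chars
    lines += ["define('DISALLOW_FILE_EDIT', true);",
              "define('FORCE_SSL_ADMIN', true);"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", hardened_config())):
        print(label, "->", audit_config(text) or "no findings")
```

Changing the prefix on an existing site is more than a one-line edit: the tables themselves and the prefixed option and usermeta keys have to be renamed to match, so run the checker before the change and the site's own smoke test after it.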
  37. “Change login URL”:
        RewriteRule ^login$ http://www.rupok.xyz/wp-login.php [NC,L]
      Now I can log in at www.rupok.xyz/login
  38. “Use strong password”: eight characters, two uppercase letters, two symbols. Avoid your name, birth year, birthday, age, phone number, etc.
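The rules on slide 38 as a checker you can run on a candidate password, added here as an example (not the speaker's code): minimum length, two uppercase letters, two symbols, and a search for personal facts such as name, birth year, birthday, age and phone number inside the password. Treating “symbols” as ASCII punctuation is an assumption, as is the constructed demo identity.

```python
"""Password policy checker for the rules on the “Use strong password” slide.

Added example, not the speaker's code. The personal facts used in the demo
are constructed. Symbols are taken to mean ASCII punctuation (an assumption).
"""
import string

MIN_LENGTH = 8
MIN_UPPER = 2
MIN_SYMBOLS = 2
SYMBOLS = set(string.punctuation)


def normalise(value):
    """Lower-case and drop separators so '1990-05-21', '19900521' and
    '1990 05 21' all compare equal when searched for inside a password."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def check_password(password, personal_facts=()):
    """Return the list of rule violations (empty list = password accepted).

    personal_facts is an iterable of (label, value) pairs such as
    ("birth year", "1990"); any value found inside the password is reported."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(ch.isupper() for ch in password) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} uppercase letters")
    if sum(ch in SYMBOLS for ch in password) < MIN_SYMBOLS:
        problems.append(f"fewer than {MIN_SYMBOLS} symbols")
    haystack = normalise(password)
    for label, value in personal_facts:
        needle = normalise(value)
        # Facts shorter than two characters would match almost anything.
        if len(needle) >= 2 and needle in haystack:
            problems.append(f"contains your {label} ({value})")
    return problems


# Constructed demo identity; nothing here belongs to a real person.
DEMO_FACTS = (
    ("name", "Batman"),
    ("birth year", "1990"),
    ("birthday", "1990-05-21"),
    ("age", "34"),
    ("phone number", "555-0123"),
)

if __name__ == "__main__":
    for candidate in ("cabbage", "Batman1990!!", "Tr!p-Sw4rmH"):
        print(repr(candidate), "->", check_password(candidate, DEMO_FACTS) or "accepted")
```

The personal-fact check is the part a plain complexity rule misses: “Batman1990!!” satisfies length and symbol counts yet is built from exactly the data the slide tells you to avoid.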
  39. “Creating A Password”:
        cabbage
          Sorry, the password must be more than 8 characters.
        boiled cabbage
          Sorry, the password must contain 1 numerical character.
        1 boiled cabbage
          Sorry, the password cannot have blank spaces.
        50fuckingboiledcabbages
          Sorry, the password must contain at least one upper case character.
        50FUCKINGboiledcabbages
          Sorry, the password cannot use more than one upper case character consecutively.
        50FuckingBoiledCabbagesShovedUpYourAss,Ifyoudon'tGiveMeAccessImmediately
          Sorry, the password cannot contain punctuation.
        NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessImmediately
          Sorry, that password is already in use!
  40. “Lots of other things”: you may not protect it fully, but you can make it a nightmare for a hacker to hack your site
  41. “Security plugins”: BulletProof Security, Secure WordPress, Exploit Scanner, Malware Scanner (sucuri.net), Acunetix WP Security. And especially, Rublon
  42. “Insane Plans”
  43. “Google Authenticator”: the Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/BlackBerry. http://wordpress.org/plugins/google-authenticator/
  44. “Voice Biometrics”: VoxedIn is a smartphone app and web toolkit that lets your users log in to your site using voice biometrics. http://wordpress.org/plugins/voxedin/
  45. “SPECIAL THANKS”: Jesse Pollak, Brad Williams, Lime Canvas
  46. “Questions?” Thank you. Hope you enjoyed!
