Word camp pune 2013 security

1. WordPress Security
   Nothing exposed to www is 100% secure.
   WordCamp Pune 2013
   Gaurav Singh, @sgaurav_baghel

2. The Real Problem
   “38% of us Would Rather Clean a Toilet Than Think of A New Password” -- mashable

3. Challenges
   • Environment
   • Network
   • Application
   • End Users -- YOU
   Any of these levels can screw you.

4. Environment

5. The Real Scenario
   WordPress | phpMyAdmin | Modules | cPanel
   Apache | MySQL | PHP
   Linux
   Each contains its own list of vulnerabilities.

6. Network
   Why worry, be safe.

7. Application
   Core | Plugin | Theme | You
   WordPress
   Secure each, hackers have an eye on all.

8. End User

9. Attack Types
   If you know it well, you are already half secure.

10. Opportunistic Attacks
    • Mostly automated.
    • Scanning the web looking for known vulnerabilities.
    • Brute Force / Dictionary Attacks.
    • SQLi
    • XSS

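
The automated login guessing on this slide leaves a very plain trace in the web server log. The script below is an added example, not part of the deck: it flags clients that keep POSTing to wp-login.php and getting the form back. It assumes the Apache/Nginx "combined" log layout and WordPress's usual behaviour that a failed login re-renders the form (HTTP 200) while a successful one redirects (HTTP 302); the log lines are constructed, and the threshold is the operator's choice.

```shell
#!/bin/sh
# Added example (not from the slides): spot automated wp-login.php guessing in a
# combined-format access log. Assumes the combined layout and that WordPress answers
# a failed login with 200 (form again) and a successful one with 302 (redirect).
set -eu

# Write a constructed access log to $1: one client guessing six times, one legitimate
# user who mistypes twice and then succeeds, plus ordinary traffic.
sample_access_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2013:10:00:01 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:10:00:02 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:10:00:02 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:10:00:03 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:10:00:03 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:10:00:04 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
198.51.100.4 - - [10/Mar/2013:10:05:10 +0530] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:10:05:20 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:10:05:31 +0530] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:10:05:45 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2013:10:06:00 +0530] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2013:10:06:01 +0530] "GET /2013/03/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Print "<failed-POST count> <ip>" for every client at or above the threshold ($2,
# default 20), most active first. Only POSTs to wp-login.php answered with 200 are
# counted, so a user who eventually logs in is scored by their failures alone.
# Combined-format fields: $1 client, $6 "METHOD, $7 path, $9 status.
wp_login_bruteforce_ips() {
    log=$1; threshold=${2:-20}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' "$log" | sort -rn
}

# Demo on the constructed log: at threshold 5 only the guessing client is listed.
demo=$(mktemp -d)
sample_access_log "$demo/access.log"
wp_login_bruteforce_ips "$demo/access.log" 5
```

Run against the live log with a realistic threshold and feed the output to whatever blocks at the edge (the 'Limit Login Attempts' plugin on a later slide does the same counting inside WordPress; doing it from the log also catches xmlrpc.php and other entry points once you add them to the path match).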
11. Targeted Attacks
    • Against large enterprises with a mass user base.
    • Sophisticated attacks, mostly involving a group of hackers.
    • DDoS attacks to bring the website down.
    • Done for financial/data benefits.

12. Top WordPress Infections
    • Defacement
    • Injections
    • Redirects
    • Pharma Hacks
    • Backdoors – hardest to find out

13. Tips to Save Yourself
    “A stitch in time, saves nine.” – Matt Mullenweg

14. For “I Don’t Care” Rockstars
    I know you log in with admin to post blogs. Please change it from now.

15. Know your Host
    1. Cheap should never be the criterion.
    2. Choose your host wisely.
    3. Know their security plan.
    4. If your host does not offer SSH, it is time to find a new one.
    5. What will they do in case you get hacked?
    6. http://google.com/safebrowsing/diagnostics?site=<yourhost>

16. Be Safe and Connect Securely
    1. Choose SFTP over FTP.
    2. Always log in with least privileges.
       • Use an account with the least privileges needed to get your task done.
       • Avoid using root as far as possible.
    3. Marry Linux as your OS.
    4. Keep antivirus updated, on your Mac too.

17. Backup Regularly
    1. Do not rely on your host to back up data for you.
    2. All it takes is a single command to do the job.
    3. Use VaultPress to do the backup job.
    4. Never keep the backup on the same server.
    5. Keeping a backup of the database is equally important.

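
The "single command" on this slide, written out as an added example that is not from the deck: files and database go into one archive, and the archive leaves the box. It assumes a stock wp-config.php (credentials are read from its define() lines), a local staging directory, and an optional scp target such as backup@host:/srv/wp-backups for the off-server copy; the tree in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: one-shot WordPress backup suitable for cron.
# $1 = WordPress root, $2 = local staging dir, $3 (optional) = off-box scp target.
set -eu

# Read define('NAME', 'value') from wp-config.php (first match, either quote style).
wp_define() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Build <stage>/wp-backup-<stamp>.tar.gz holding the site files and, when mysqldump
# is installed and the credentials work, a dump of the database. Prints the path.
wp_backup() {
    root=$1; stage=$2; target=${3:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    mkdir -p "$stage"
    archive="$stage/wp-backup-$stamp.tar.gz"
    cfg="$root/wp-config.php"

    if command -v mysqldump >/dev/null 2>&1; then
        # Password goes through the environment so it never shows in the process list.
        MYSQL_PWD="$(wp_define "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
            -h "$(wp_define "$cfg" DB_HOST)" -u "$(wp_define "$cfg" DB_USER)" \
            "$(wp_define "$cfg" DB_NAME)" > "$work/database.sql" 2>/dev/null \
            || { echo "warning: database dump failed, archiving files only" >&2; rm -f "$work/database.sql"; }
    else
        echo "warning: mysqldump not installed, archiving files only" >&2
    fi

    # wp-config.php, uploads, themes and plugins plus the dump, in one archive.
    tar -czf "$archive" -C "$work" . -C "$root" .
    rm -rf "$work"

    # The local copy is only a staging area; a backup on the hacked server is no backup.
    if [ -n "$target" ]; then
        scp -q "$archive" "$target/"
    fi
    echo "$archive"
}
```

Restore is the other half of a backup: extract into a scratch directory and load the dump into a throwaway database now and then, because an archive nobody has ever restored from is only assumed to work.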
18. Update Update Update
    1. The single key to cutting off most attacks on WordPress.
    2. Versions like 3.1.x are mostly security patches.
    3. Not just WordPress: update your themes and plugins as well.
    4. Keep an eye on all vulnerabilities disclosed and check whether they can affect you.

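
Point 4 is only possible if you know what is installed. The inventory script below is an added example, not from the deck: it lists the core version and every plugin and theme with its version so each advisory can be checked against the list. It assumes the stock layout where wp-includes/version.php carries $wp_version and each plugin's main file or theme's style.css has a "Version:" header line; the tree in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: list core, plugin and theme versions so
# published advisories can be checked against what actually runs.
set -eu

# Print "core <version>", then one "plugin <slug> <version>" or "theme <slug> <version>"
# line per installed component. Single-file plugins dropped straight into
# wp-content/plugins/ (no directory) are not covered.
wp_inventory() {
    root=$1
    core=$(sed -n "s/^[$]wp_version *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$root/wp-includes/version.php")
    echo "core ${core:-unknown}"
    for kind in plugins themes; do
        label=${kind%s}                       # plugins -> plugin, themes -> theme
        for dir in "$root/wp-content/$kind"/*/; do
            [ -d "$dir" ] || continue
            slug=$(basename "$dir")
            # The header lives in a top-level PHP file (plugins) or style.css (themes);
            # take the first "Version:" line found.
            ver=$(grep -h -m1 -E '^[[:space:]*]*Version:' "$dir"*.php "$dir"style.css 2>/dev/null \
                  | head -n 1 | sed 's/^[[:space:]*]*Version:[[:space:]]*//; s/[[:space:]]*$//')
            echo "$label $slug ${ver:-unknown}"
        done
    done
}
```

Run it after every deploy and diff the output against the last run; an unexpected new plugin or theme directory is one of the cheaper ways to notice a backdoor of the kind slide 12 calls the hardest to find.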
19. Care for your WordPress
    1. Use secure passwords and do not share them.
    2. Change passwords regularly.
    3. Log in with the least privileges possible.
    4. Create a nickname to post blogs.
    5. Do not search for “Free Woo themes” unless you plan to end up serving Viagra from your blog.

20. For “Yes, I do care” guys
    • Connect securely: use SSH/SFTP.
    • Choose a different “Admin” name.
    • Use a nickname to post blogs.
    • Keep WordPress cookies salted: http://api.wordpress.org/secret-keys/1.1/salt/

21. For “Yes, I do care” guys
    • Limit theme and plugin use; delete unused ones.
    • Move wp-config.php up one level and lock it down.
    • Rename the database prefix during installation.
    • ‘Limit Login Attempts’ – kills brute force.
    • Disable user registration.
    • Use child themes to modify CSS instead of tweaking base files.

22. For “Yes, I do care” guys
    • Manage file permissions: files 644 or 640, folders 755 or 750.
    • Hide version info – these small steps help. In functions.php add these lines.

23. For “Yes, I do care” guys
    • Enable SSL login. The site needs to be accessible over https. Add the following lines in wp-config.php.

24. For “Yes, I do care” guys
    • Discourage unnecessary crawling. Crawlers can crawl unnecessary files and expose them to hackers. Create a robots.txt and disallow crawling of unnecessary files.

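
Three of the items above (permissions on slide 22, hiding the version on slide 22, robots.txt on slide 24) are plain file operations, so here they are as one added example that is not from the deck. It assumes the files are owned by the deploy user and group-readable by the web server (hence 640 on wp-config.php), and it puts the version-hiding code in a must-use plugin rather than functions.php so that it survives a theme switch; the tree in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: permissions 644/755 (640 for wp-config.php),
# a must-use plugin that hides the generator tag, and a robots.txt.
set -eu

# Files 644, folders 755, and wp-config.php tightened to 640 because it holds the
# database password and the auth salts.
wp_fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Drop the <meta name="generator"> tag and the feed generator string. Hiding the
# banner only removes the easy fingerprint; it is no substitute for updating.
wp_hide_version() {
    dir=$1/wp-content/mu-plugins
    mkdir -p "$dir"
    cat > "$dir/hide-version.php" <<'EOF'
<?php
// Constructed mu-plugin (added example): stop advertising the WordPress version.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
EOF
}

# Keep well-behaved crawlers away from admin and login paths. robots.txt is a request,
# not a control: scanners ignore it, and it lists the paths it names to anyone who
# reads it, so it complements the access rules and never replaces them.
wp_write_robots() {
    cat > "$1/robots.txt" <<'EOF'
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-login.php
Disallow: /wp-content/plugins/
Disallow: /trackback/
Disallow: /?s=
EOF
}
```

Run all three against the site root after each deploy; the permission pass is idempotent and the other two simply overwrite their own files.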
25. For “The Paranoids”
    These settings can break your website; know them well before you execute.

26. Kill PHP Execution
    Ensure that PHP files cannot be executed from within a directory. If it messes with a theme/plugin, ensure this is implemented at least in the wp-includes and uploads directories.

27. Disable Editing in WP Admin
    Too often your password gets hacked and you end up giving the hacker access to the entire code base. Add these lines in wp-config.php.

28. Limit Admin/Login Access by IP
    Add these lines of code in the .htaccess file placed in the admin/root folder. To implement this, you need to have a static IP address.

29. Forbid Proxy Comment Posting
    Deny requests that use a proxy server to post comments and eliminate some spam. Courtesy, perishablepress.com

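
Slides 26, 28 and 29 all live in .htaccess. The script below is an added example, not from the deck, that writes those three controls: no PHP execution under a directory, login and dashboard restricted to listed addresses, and comment POSTs carrying proxy headers refused (my own rendering of the perishablepress idea, not their snippet). It assumes Apache with AllowOverride enabled and mod_rewrite loaded, emits both the 2.2 and 2.4 access-control syntax guarded by IfModule, and uses 203.0.113.10 as a constructed stand-in for the admin's static IP.

```shell
#!/bin/sh
# Added example, not from the slides: the "Paranoids" .htaccess controls.
set -eu

# Apache 2.2 (mod_authz_host) and 2.4 (mod_authz_core) spell "deny" differently;
# emit both so each server reads only its own block.
deny_block() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Same idea for "only these addresses may enter".
allow_only() {
    echo '<IfModule mod_authz_core.c>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '</IfModule>'
    echo '<IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '</IfModule>'
}

# No script under $1 is handed to the PHP handler, whatever gets uploaded there.
# include() inside PHP does not pass through Apache, so WordPress itself keeps
# working when this is applied to wp-includes (legacy multisite serving files via
# wp-includes/ms-files.php is the known exception).
wp_kill_php_in() {
    mkdir -p "$1"
    {
        echo '# added example: block direct execution of PHP in this tree'
        echo '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">'
        deny_block | sed 's/^/    /'
        echo '</FilesMatch>'
    } > "$1/.htaccess"
}

# Only the listed addresses may reach wp-login.php and wp-admin/. admin-ajax.php is
# exempted because front-end features and plugins call it for ordinary visitors.
wp_restrict_admin_to() {
    root=$1; shift
    # wp-login.php sits in the document root: append a marked block to the existing
    # .htaccess rather than overwriting WordPress's own rewrite rules.
    if ! grep -qs '# BEGIN admin-ip-restrict' "$root/.htaccess"; then
        {
            echo '# BEGIN admin-ip-restrict'
            echo '<Files wp-login.php>'
            allow_only "$@" | sed 's/^/    /'
            echo '</Files>'
            echo '# END admin-ip-restrict'
        } >> "$root/.htaccess"
    fi
    # wp-admin/ ships without an .htaccess, so this one is written whole.
    mkdir -p "$root/wp-admin"
    {
        allow_only "$@"
        echo '<Files admin-ajax.php>'
        echo '    <IfModule mod_authz_core.c>'
        echo '        Require all granted'
        echo '    </IfModule>'
        echo '    <IfModule !mod_authz_core.c>'
        echo '        Order allow,deny'
        echo '        Allow from all'
        echo '    </IfModule>'
        echo '</Files>'
    } > "$root/wp-admin/.htaccess"
}

# Refuse comment POSTs that arrive with proxy headers. This also trips on legitimate
# readers behind corporate proxies and on sites fronted by a CDN, which is why it
# belongs in the paranoid tier.
wp_forbid_proxy_comments() {
    root=$1
    if grep -qs '# BEGIN no-proxy-comments' "$root/.htaccess"; then return 0; fi
    cat >> "$root/.htaccess" <<'EOF'
# BEGIN no-proxy-comments
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{REQUEST_URI} ^/wp-comments-post\.php$
    RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:X-FORWARDED-FOR}%{HTTP:PROXY-CONNECTION} !^$
    RewriteRule .* - [F,L]
</IfModule>
# END no-proxy-comments
EOF
}
```

Typical use is wp_kill_php_in "$root/wp-content/uploads", wp_kill_php_in "$root/wp-includes", then wp_restrict_admin_to "$root" 203.0.113.10 and wp_forbid_proxy_comments "$root"; test each on a staging copy first, exactly as slide 25 says, and keep a console or SFTP path to the server so a lockout can be undone.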
30. Disable PHP Settings
    Edit php.ini. The idea is to turn display_errors off; in case of an error it might return the location of your web root. This will most likely break something; test on a dev server before moving to live.

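
The wp-config.php constants behind slide 23 (SSL login) and slide 27 (no editing in the dashboard), plus a check of the php.ini directives this slide talks about, as one added example that is not from the deck. It assumes a stock wp-config.php with its "stop editing" marker, that the site already answers over https before FORCE_SSL_ADMIN goes live (otherwise the dashboard becomes unreachable), and the php.ini files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: idempotent wp-config.php constants and a
# php.ini audit for the settings that leak paths or widen the blast radius.
set -eu

# Put define('NAME', VALUE); ahead of the "stop editing" marker, once. An existing
# definition is left alone so a deliberate admin choice is never overwritten.
wp_config_define() {
    cfg=$1; name=$2; value=$3
    if grep -q "define[[:space:]]*([[:space:]]*['\"]$name['\"]" "$cfg"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v line="define('$name', $value);" '
        !done && /stop editing/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"      # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# FORCE_SSL_ADMIN pushes the login form and the whole dashboard onto https;
# DISALLOW_FILE_EDIT removes the theme/plugin editor, so a stolen admin password no
# longer turns into a PHP shell through the browser.
wp_harden_config() {
    wp_config_define "$1" FORCE_SSL_ADMIN true
    wp_config_define "$1" DISALLOW_FILE_EDIT true
}

# php.ini accepts 1/0/On/Off/true/false; fold them so "1" and "On" compare equal.
norm() {
    v=$(echo "$1" | tr 'A-Z' 'a-z')
    case $v in
        1|on|true|yes) echo on ;;
        0|off|false|no|"") echo off ;;
        *) echo "$v" ;;
    esac
}

# Print "directive current recommended" for every setting not at its safe value and
# return 1 if anything was flagged, 0 when clean. A directive that is absent is
# reported as "(default)" and flagged, since the compiled-in default is not trusted.
php_ini_audit() {
    ini=$1; bad=0
    for pair in display_errors:Off display_startup_errors:Off expose_php:Off allow_url_include:Off log_errors:On; do
        key=${pair%%:*}; want=${pair#*:}
        # Last uncommented assignment wins, as PHP itself does it.
        cur=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$ini" | tail -n 1)
        if [ -z "$cur" ]; then
            echo "$key (default) $want"; bad=1
        elif [ "$(norm "$cur")" != "$(norm "$want")" ]; then
            echo "$key $cur $want"; bad=1
        fi
    done
    return $bad
}
```

With display_errors off, keep log_errors on and error_log pointed at a file outside the web root, otherwise the same messages that used to reveal the path now vanish entirely instead of landing somewhere you can read them.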
31. Some Security Plugins
    • Akismet
    • Duo Two-Factor Authentication
    • VaultPress
    • Limit Login Attempts
    • BulletProof Security

32. [Sh]it Happens
    Nothing to panic about; just clean and resubmit.

33. [Sh]it Happens
    • WordPress Forum – http://wordpress.org/tags/hacked, http://wordpress.org/tags/malware
    • http://safeweb.norton.com

34. Wish your WordPress a secure future
    Queries/feedback? @sgaurav_baghel