
Hardening WordPress Security


How to harden WordPress security with few steps and methods

Published in: Software

  1. Hardening WordPress Security - WordPress Day 2015, Pordenone, Italy
  2. What is security? (http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)
  3. Risk reduction
  4. SECURITY: because sometimes a Rottweiler is not enough
  5. Why do we need more security?
  6. WordPress popularity, market share and responsibility
  7. Chart: usage of content management systems for websites (market share and usage for No CMS, WordPress, Joomla, Drupal). Source: http://w3techs.com/technologies/overview/content_management/all
  8. What are the dangers?
  9. - Social engineering
     - Human mistakes
     - Brute force attacks
     - WordPress vulnerabilities
     - Web server vulnerabilities
     - Network vulnerabilities
     - FTP
     - File permissions
     - And other beautiful things…
  10. Solutions
  11. Backup! (Modern Task Runner for PHP)
  12. Use strong passwords
      Insecure examples: admin, mysite123, mysitename, myname4321, password
      Secure examples:
      -yCpHuHJ68fRtB805i
      "kaN4Y]99Z)[/ylaJN
      &3388wu1530Cx;73kR
      zN1/K>9'51]9~495°
      1'N434g&h51I78x3?M
  13. Stay updated! - Update WordPress core - Update themes - Update plugins
  14. Remove version reference
  15. Deny access to / delete readme.html
  16. Deny access to / delete readme.html
      # .htaccess
      <files readme.html>
      Order allow,deny
      Deny from all
      </files>
  17. Remove WordPress version
      // ** functions.php
      // Return an empty string instead of the <meta name="generator"> tag
      function wp_remove_version() {
          return '';
      }
      add_filter('the_generator', 'wp_remove_version');
  18. Secure your login
  19. Secure your login - .htaccess authentication - Limit attempts - Restrict to certain IPs - Hide - Captcha - Two-factor authentication - HTTPS
  20. .htaccess authentication (example with http://www.htaccesstools.com/)
  21. .htaccess authentication (example with http://www.htaccesstools.com/)
  22. Limit attempts
  23. Restrict to certain IPs
      # .htaccess
      order deny,allow
      deny from all
      allow from 1.2.3.4
  24. Restrict to certain IPs
  25. Hide your login
      # BEGIN Hidden login
      # Assumes WordPress core lives under /application (see "Change WordPress Structure")
      RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
      RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword [L]
      # Send direct GET requests to wp-login.php back to the front page unless they
      # come from the admin, the login page, the hidden path, or a logout/recovery flow.
      # This hides the login URL; it does not authenticate anyone on its own.
      RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
      RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
      RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
      RewriteCond %{QUERY_STRING} !^action=logout
      RewriteCond %{QUERY_STRING} !^action=lostpassword
      RewriteCond %{REQUEST_METHOD} !POST
      RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L]
      RewriteCond %{QUERY_STRING} ^loggedout=true
      RewriteRule . http://%{SERVER_NAME}/? [L]
      # END Hidden login
  26. Hide your login
  27. Captcha on login
  28. Two-factor authentication
  29. Is there anything more?
  30. Admin user
  31. Admin user - Don't use «admin» as the username - Or change the role of «admin»
  32. Change WordPress structure
  33. Change WordPress structure: from this..
  34. Change WordPress structure: ..to this
  35. Change WordPress structure
      # BEGIN WordPress
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      # Redirect
      RewriteRule ^wp-admin$ wp-admin/ [R,L]
      RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]
      # Serve existing files and directories untouched. The transcript reads
      # "!-f [OR] !-d", which is true for every request and would stop all
      # rewriting here, so pretty permalinks would never reach index.php.
      RewriteCond %{REQUEST_FILENAME} -f [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^ - [L]
      RewriteRule ^(.*\.php)$ /$1 [L]
      RewriteRule . /index.php [L]
      </IfModule>
      # END WordPress
  36. Change WordPress structure
      // ** index.php
      define( 'WP_USE_THEMES', true );
      require( __DIR__ . '/application/wp-blog-header.php' );

      // ** wp-config.php
      define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' );
      // Note: HTTP_HOST is taken from the client's Host header; SERVER_NAME (used below)
      // or a fixed hostname is the safer choice if the server accepts arbitrary hosts.
      define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' );
      define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' );
      define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );
  37. .htaccess tips and tricks
  38. Disable directory browsing
      # .htaccess
      Options All -Indexes
  39. Protect your .htaccess
      # .htaccess
      <files .htaccess>
      Order allow,deny
      Deny from all
      </files>
  40. Protect your configuration
      # .htaccess
      <files wp-config.php>
      Order allow,deny
      Deny from all
      </files>
  41. Deny access to xmlrpc.php
      # .htaccess
      <files xmlrpc.php>
      Order allow,deny
      Deny from all
      </files>
  42. Prevent WordPress user listing
      http://www.yourbeautifulsite.org/?author=1
      http://www.yourbeautifulsite.org/?author=2
      http://www.yourbeautifulsite.org/?author=3
      http://www.yourbeautifulsite.org/?author=4
      […]
      # .htaccess
      RewriteCond %{QUERY_STRING} (^|&)author=
      RewriteRule . http://%{SERVER_NAME}/? [L]
  43. Deny PHP execution from the upload directory
      # /path/to/upload-folder/.htaccess
      # Deny everything first, then allow only static asset types back in;
      # .php (and every other extension not listed) stays blocked.
      Order deny,allow
      Deny from all
      <Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
      Allow from all
      </Files>
  44. Rewrite asset permalinks
      # .htaccess
      RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
      RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
      RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
  45. wp-config tricks
  46. wp-config tricks - Set up salt keys (https://api.wordpress.org/secret-key/1.1/salt/) - Override file permissions - Change the WP DB prefix
  47. Disable plugin install/updates (and the built-in file editor)
      // ** wp-config.php
      define( 'DISALLOW_FILE_EDIT', true );
      define( 'DISALLOW_FILE_MODS', true );
  48. Check installed themes/plugins - Remove inactive themes/plugins - Remove useless themes/plugins - Evaluate code integration
  49. Blackhole
  50. Blackhole (http://perishablepress.com/blackhole-bad-bots/)
      # BEGIN Blackhole
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]
      </IfModule>
      # END Blackhole
  51. Tools
  52. Tools: Sucuri Security Plugin
  53. Tools that help us check our WordPress project's vulnerabilities
  54. Monitoring: InfluxDB, a time series database for monitoring your application (https://influxdb.com/)
  55. Web server infrastructure
  56. Codex references
      http://codex.wordpress.org/Hardening_WordPress
      http://codex.wordpress.org/Administration_Over_SSL
      http://codex.wordpress.org/Editing_wp-config.php
  57. Questions?
  58. Thanks - Mattia Piovano @shadow_droid https://joind.in/15557
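An added check (not part of the deck) for the .htaccess rules on slides 38 to 42: it parses `<files>` blocks for a `Deny from all`, looks for `Options -Indexes` and for the `?author=` rewrite, and reports which recommendations a given file does not implement. The sample .htaccess is constructed from the slides' own rules and deliberately leaves xmlrpc.php and directory listing unprotected.

```python
import re

# Constructed sample .htaccess built from the deck's rules; xmlrpc.php is left
# open and directory listing is left on, so the audit has something to flag.
SAMPLE_HTACCESS = """
<files readme.html>
Order allow,deny
Deny from all
</files>
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]
"""

# Files the slides say must answer 403 to any HTTP client.
PROTECTED_FILES = ("readme.html", ".htaccess", "wp-config.php", "xmlrpc.php")

def denied_files(htaccess):
    """Return the set of filenames wrapped in a <files> block that contains 'Deny from all'."""
    found = set()
    for m in re.finditer(r"<files\s+([^\s>]+)\s*>(.*?)</files>", htaccess, re.I | re.S):
        if re.search(r"^\s*deny\s+from\s+all\s*$", m.group(2), re.I | re.M):
            found.add(m.group(1).strip('"'))
    return found

def audit_htaccess(htaccess):
    """Return the slide recommendations this .htaccess does not implement, in slide order."""
    missing = []
    for name in PROTECTED_FILES:
        if name not in denied_files(htaccess):
            missing.append(f"no Deny block for {name}")
    if not re.search(r"^\s*Options\b.*-Indexes", htaccess, re.I | re.M):
        missing.append("directory listing not disabled (Options -Indexes)")
    if not re.search(r"RewriteCond\s+%\{QUERY_STRING\}\s+\(\^\|&\)author=", htaccess):
        missing.append("?author=N user enumeration not redirected")
    return missing

if __name__ == "__main__":
    for issue in audit_htaccess(SAMPLE_HTACCESS):
        print("MISSING:", issue)
```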
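An added audit (not the deck's own code) for the wp-config.php items on slides 46 and 47: it extracts simple `define()` constants and `$table_prefix` from a constructed wp-config.php fragment and flags salt keys still set to the installer placeholder, the default `wp_` prefix, and `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` not set to true. The 32-character salt floor is an assumption of this example; the WordPress generator produces 64-character values.

```python
import re

# Constructed wp-config.php fragment (not a real site's file): DISALLOW_* is set,
# but three salts are still the placeholder, four are missing and the table
# prefix is the default, so the audit has findings to report.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'v3Q+K{|P#/vTd|0gBk^3$7Uj!B-tkF=Ty8Iw(gYWLqM@^W.L2wRkA65#!gjZ}Mr0');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
"""

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # text shipped in wp-config-sample.php
MIN_SALT_LEN = 32                              # assumed floor; generated salts are 64 chars

# Matches define('NAME', 'value'), define('NAME', "value") and define('NAME', true)
DEFINE_RE = re.compile(
    r"define\(\s*['\"](\w+)['\"]\s*,\s*(?:'([^']*)'|\"([^\"]*)\"|(\w+))\s*\)")

def defines(src):
    """Map constant name -> value for every simple define() in the file."""
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in DEFINE_RE.finditer(src)}

def audit_wp_config(src):
    """Return the wp-config hardening items from the slides that this file does not meet."""
    consts = defines(src)
    findings = []
    for name in SALT_NAMES:
        value = consts.get(name)
        if value is None:
            findings.append(f"{name} not defined")
        elif value == PLACEHOLDER or len(value) < MIN_SALT_LEN:
            findings.append(f"{name} is the placeholder or too short")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", src)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    for flag in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        if consts.get(flag, "").lower() != "true":
            findings.append(f"{flag} is not set to true")
    return findings

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
```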
