This document outlines a presentation given by Maurizio Pelizzone on hardening WordPress sites. It provides tips over the course of 10 minutes in 10 slides, covering topics like keeping sites updated, testing backups, hiding logins, removing unnecessary plugins, using secure passwords, customizing directories, and using security tools. The presentation reminds attendees that security measures can be taken by anyone, not just experts, to reduce vulnerabilities. It concludes by thanking the audience and providing contact details for Maurizio.
DOWNLOAD LINK FOR THIS PRESENTATION
http://bit.do/10tips10minutes
@miziomon #wceu http://bit.do/10tips10minutes
About me
Maurizio Pelizzone
Born in the 70's
Partner @ mavida.com
PHP Developer
WordPress Solutions Architect
Co-Organizer @ WordCamp Torino
Active Member @ WordPress Meetup Torino
WordPress proud user
maurizio@mavida.com
http://www.mavida.com
http://maurizio.mavida.com
https://twitter.com/miziomon
http://www.slideshare.net/miziomon
http://www.linkedin.com/in/mauriziopelizzone
# .htaccess for wp-content/uploads (Apache 2.2 syntax; needs mod_access_compat on 2.4):
# deny everything by default, then allow only the listed media, document and
# font extensions. A .php file never matches, so a PHP backdoor dropped into
# the uploads directory is never served.
Order Allow,Deny
Deny from all
<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
Allow from all
</Files>
How to shrink the number of plugins
1. Remove inactive plugins
2. Remove useless plugins
3. Integrate a plugin's functionality inside your (child) theme
How to disallow plugin installation and updates?
// wp-config.php
// Disable the Plugin and Theme Editor
define('DISALLOW_FILE_EDIT', true);
// Disable Plugin and Theme Update and Installation
// (this also implies DISALLOW_FILE_EDIT and disables core updates from the
// dashboard, so updates must then be rolled out by deploy)
define('DISALLOW_FILE_MODS', true);
TIPS FOR MEMORIZABLE AND UNFORGETTABLE PASSWORDS
my son likes playing with his red ball
mSlPwHrB
(I'm) Addicted to WordPress
@ddict3d.2.WordPr3ss
Phrase + Numbers + Symbol
WordPress hardening is an underestimated problem for many people, and even when you keep your system updated you are never completely risk free. Many projects, after go-live, are left in the lurch without love… I'd like to share some small improvements that are achievable with very little effort and can make the difference.
Welcome everybody, and thanks for being here. This is my first talk in English and I hope that you take away some nice ideas.
Now I want to tell you about my method to "sleep better" at night, with no calls about hacked websites.
Here is the link to download my presentation for preview.
Just a quick word about me. My name is Maurizio Pelizzone and I'm a very - proud - WordPress developer.
So, before starting, let's take a step backwards and ask ourselves: what is «hardening»?
If someone doesn't know the meaning of this word, this is a definition from Wikipedia:
I think that WordPress hardening is an underestimated problem, and many projects - after go-live - are left in the lurch without love…
So, the next topic is why.
Why do we need «hardening»?
The answer, for me, is very simple.
All systems are vulnerable.
Fully secure systems don't exist.
Another important thing to remember is that the most widely used platform is going to be the biggest target for attacks.
So now let's look at the dangers.
I'm going to start with my list of what I think are the five most important dangers.
Number one: Human errors (in most cases, the things we forget to do).
Such as forgetting to remove the admin user, forgetting to replace your old password with a strong one, or forgetting to update your system.
Number two: Exploitation.
The technique of using a sequence of commands to take advantage of a vulnerability and penetrate your website.
Number three: Social engineering.
The technique of collecting your personal information and using it against you.
Number four: Brute force attacks.
You need to know that many automated systems exist that try to access your login. Every damned day. Believe me… or look at your access log.
Number five: Write permissions.
If you don't want anyone to be allowed to put a backdoor in your WordPress installation, ask yourself: do you really need to have all your directories 777?
Now let's move to the solutions… OK, OK. Maybe "solutions" is not the right word…
I think it is better to say «my approach»:
some simple «life saver» improvements that are achievable with very little effort and can really make the difference.
A wise man could sum up my approach in this sentence:
We are not all security experts, but anyone can reduce some vulnerabilities.
One more word before we begin - the most important thing - remember to keep your WordPress updated,
because without that, all these tips are useless.
OK. Now let's move to my ten-step countdown…
TEST YOUR BACKUP
The key point is TEST your backup, because it is obvious that you have a backup.
You need to test it before a disaster. You have to be able to do it fast.
You must be sure to have everything you need to recover.
If you don't have a backup, you can use one of these.
If you don't want to use one of these plugins, it's not a problem. Do it by hand, or ask your sysadmin or your provider.
But you must have a backup and test a complete restore.
PREVENT USER ENUMERATION
The keyword is PREVENT WordPress from showing username information for the users that have a login on your website (of course, unless you need to have a user page).
Try typing one of these links in your browser…
If you can read a username in the URL, maybe you have a problem.
In this way anyone can find out all the users that are able to log in to your system.
You can stop it with these two lines to put in your .htaccess.
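The two .htaccess lines the talk refers to are not reproduced on this page. As an added example, not code from the talk, here is the same protection done in PHP as a must-use plugin, which works whatever the web server; the file name and the `hypothetical_` prefix are my assumptions. It goes beyond the URL probe described above: the REST API users route and, in newer WordPress versions, the users sitemap expose the same login names, so both are closed to visitors who are not logged in.

```php
<?php
/**
 * Plugin Name: Prevent user enumeration (added example, not the talk's code)
 *
 * Hypothetical file: wp-content/mu-plugins/prevent-user-enumeration.php
 * Must-use plugins are loaded automatically; no activation needed.
 */

// 1. The probe from the talk: /?author=1 is normally redirected to
//    /author/<username>/, which reveals the login name of user ID 1, 2, 3...
//    Hooking "init" at priority 1 runs before WordPress builds that redirect.
add_action('init', function () {
    if (is_admin()) {
        return;
    }
    $author = isset($_GET['author']) ? (string) $_GET['author'] : '';
    if ($author !== '' && preg_match('/^\d+$/', $author) === 1) {
        // Send the probe to the home page instead of the author archive.
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 2. The REST API lists the same usernames at /wp-json/wp/v2/users ("slug").
//    Remove the users routes for visitors who are not logged in; the block
//    editor still works because its requests carry a logged-in session.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 3. WordPress 5.5+ publishes an author sitemap (wp-sitemap-users-1.xml).
//    Returning false drops that provider; post and term sitemaps stay.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);
```

Check it the way the talk suggests: request `/?author=1` and `/wp-json/wp/v2/users` as an anonymous visitor; the first should land on the home page and the second should return a 404 instead of a list of users. Author archives reached by name still work, which is the "unless you need a user page" case.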
USER PERMISSIONS
The key is to LIMIT the ROLE to the absolute minimum. Not all users have to be administrators.
WordPress has many built-in role definitions such as contributor, author and editor.
Remember to assign only the necessary role.
Here I want to show that we can set no permissions for users that don't need them: the standard «admin» username can be set to null.
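An added example, not from the talk, of what "assign only the necessary role" looks like in code: a must-use plugin registering a role with exactly the capabilities a content editor needs, plus two audit helpers for spotting accounts that hold more than they need. The role name, the file name and the `hypothetical_` function names are assumptions.

```php
<?php
/**
 * Plugin Name: Minimal editorial role (added example, not the talk's code)
 *
 * Hypothetical file: wp-content/mu-plugins/minimal-role.php
 */

// A role that can write, publish and edit posts and upload media, and
// nothing else: no plugin, theme, settings or user management.
// Roles are stored in the database, so register once and skip afterwards.
add_action('init', function () {
    if (get_role('content_manager') !== null) {
        return;
    }
    add_role('content_manager', 'Content Manager', [
        'read'                 => true,
        'edit_posts'           => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'delete_posts'         => true,
        'upload_files'         => true,
    ]);
});

// Audit helper: which accounts hold the administrator role? Run it from
// WP-CLI ("wp eval 'print_r(hypothetical_list_administrators());'") to
// spot the "everyone is an administrator" situation from the talk.
function hypothetical_list_administrators(): array {
    $logins = [];
    foreach (get_users(['role' => 'administrator']) as $user) {
        $logins[] = $user->user_login;
    }
    return $logins;
}

// Audit helper: the capabilities a role actually grants (true entries only),
// useful before handing a built-in role such as "editor" to a new user.
function hypothetical_role_capabilities(string $role_name): array {
    $role = get_role($role_name);
    if ($role === null) {
        return [];
    }
    return array_keys(array_filter($role->capabilities));
}
```

Compare `hypothetical_role_capabilities('editor')` with the list above: the built-in editor can also manage categories, moderate comments and edit other people's pages, which a single content author rarely needs.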
HIDE YOUR LOGIN
The majority of sites don't need to have a public login page.
So you can hide the access and move it to a custom URL like «this-is-my-login-page».
Here is an example of how you can do it:
put this code in your .htaccess and remember to change the key…
Unluckily, wp-login.php is not the only way to log in to your system.
After reading an access log, maybe you will find a lot of accesses to xmlrpc.php. If you don't use WordPress.com or the WordPress mobile app, you can forbid its use with this code to put in your .htaccess.
DON'T SHOW ERRORS
When you can't hide the login, maybe you can hide some error information…
Here the key is «don't show» unnecessary info.
When I type a wrong username, I don't need to know whether the error is in the username or the password…
On your page, you don't need to show which WordPress version is running.
On your site, you don't need to keep the readme page visible, and in the same way as for xmlrpc we can forbid access to readme.html.
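For the xmlrpc.php point and the "don't show errors" points above, here is an added example, not the talk's code, of the same controls done in PHP as a must-use plugin; the file name and the `hypothetical_` variable name are assumptions. It disables XML-RPC (with the same WordPress.com / mobile app caveat as the talk), gives the login form one generic error message, and removes the version disclosure. Blocking readme.html is a static-file matter and stays in the web server config, as the talk describes.

```php
<?php
/**
 * Plugin Name: Quiet login surface (added example, not the talk's code)
 *
 * Hypothetical file: wp-content/mu-plugins/quiet-login.php
 */

// --- xmlrpc.php, the second login door from the talk -----------------------
// Same caveat as the talk: this breaks the WordPress mobile app and
// WordPress.com / Jetpack features, so only do it when you use neither.
// Unlike the .htaccess version it works on any web server.
add_filter('xmlrpc_enabled', '__return_false');

// Also stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// --- login errors: one message, whether username or password was wrong ----
// This replaces every error shown on the login form, including the
// "empty password" hint; that is the point.
add_filter('login_errors', function () {
    return 'Invalid login credentials.';
});

// --- version disclosure ---------------------------------------------------
// <meta name="generator" content="WordPress x.y"> in the page head...
remove_action('wp_head', 'wp_generator');

// ...and the ?ver=<WordPress version> suffix on core scripts and styles,
// which leaks the version just as clearly to anyone reading the HTML.
// Only the core version is stripped, so plugins keep their own ?ver= cache
// busting.
$hypothetical_strip_version = function ($src) {
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
};
add_filter('style_loader_src', $hypothetical_strip_version);
add_filter('script_loader_src', $hypothetical_strip_version);
```

With `xmlrpc_enabled` false, a POST to xmlrpc.php still reaches PHP but every method call is refused with a "services are disabled" fault, so the brute-force traffic the talk describes in the access log no longer gets a password check.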
DENY PHP EXECUTION
I think that in the upload directory PHP execution is not important.
In the upload directory there should be only media files like images, documents, fonts. NOT PHP FILES.
NOT PHP BACKDOOR FILES.
Put this file inside your upload directory and PHP will no longer be executed.
I told a little lie… In this code we don't deny PHP execution, but allow only some kinds of files, like images, docs and fonts…
TRASHABLE PLUGINS
Trashing, removing, deleting plugins is a good practice: - Less is more -
This is my checklist:
Remove inactive plugins
Remove useless (or duplicate) plugins
For the bravest: you can try to integrate some plugin functionality inside your theme
Remember this mantra: - Less is more - - Less is more -
But when a «wannabe» user is able to install new plugins while you sleep… your breakfast is NOT gonna be so great.
For this reason, if you want to keep control, you can disallow automatic installation.
Here are the lines to put in your wp-config.
USE SECURE PASSWORDS
Passwords are a problem.
Passwords are always a big problem.
Normal people hate passwords.
But in a normal world we must not be lazy, and must be brave enough to use very strong passwords.
This is a tip FOR MEMORIZABLE AND UNFORGETTABLE PASSWORDS:
you have to use a phrase, numbers and symbols, and mix upper case and lower case.
CUSTOM DIRECTORY
Another unknown, awesome WordPress feature.
A custom directory is a defence line to hide your structure.
I'll explain better with an example…
This is the standard structure, with the login page always in the same place…
What happens if I move my WordPress installation in this way?
The first achievement is that the automatic bots that try brute force attacks will fail…
Another thing is that the structure is more lovely and you can do more efficient deploys.
Here is the code to put in wp-config.
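The wp-config slide itself is not on this page. As an added example, not the talk's code, these are the generic WordPress constants for a layout with core moved into a /core directory and wp-content renamed to /content; example.com and the directory names are placeholders. It assumes wp-config.php sits at the document root, one directory above core, which WordPress supports. The effect is the one the talk describes: /wp-login.php no longer exists at the root, so bots hard-wired to that path fail.

```php
// Added example for wp-config.php (not the talk's slide, which is not on this
// page). Placeholder layout, with example.com standing in for the real domain:
//   /index.php      the only core file left at the document root
//   /wp-config.php  one directory above core; WordPress looks there too
//   /core/          WordPress itself, so wp-login.php is now /core/wp-login.php
//   /content/       what used to be wp-content (themes, plugins, uploads)

// Core lives in /core, but visitors still see the site at /.
define('WP_SITEURL', 'https://example.com/core');
define('WP_HOME',    'https://example.com');

// Renamed content directory: both the filesystem path and the public URL.
define('WP_CONTENT_DIR', dirname(__FILE__) . '/content');
define('WP_CONTENT_URL', 'https://example.com/content');

// Plugins follow the content directory (they can be moved separately, too).
define('WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins');
define('WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins');

// The root /index.php is a copy of core's index.php with its require changed to:
//   require dirname(__FILE__) . '/core/wp-blog-header.php';
```

Deploying then means replacing the /core directory as a unit while /content and wp-config.php stay untouched, which is the "more efficient deploy" the talk mentions.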
The last one: BLACKHOLE
One of my favourite tips. Blackhole is a way to set a trap for common URLs.
One simple example: have you moved your login page from wp-login.php to a custom login URL?
Well, who is it that keeps on going to wp-login.php?
Maybe it's someone who should not be there…
How does it work?
The blackhole watches some candy links (wp-login, wp-admin, phpmyadmin, etc.), logs the IP, and blocks the next access.
The implementation is a little bit technical, but you can find more info at perishablepress.com.
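An added example of the blackhole logic described above, written as a WordPress must-use plugin in PHP. It is my sketch, not the talk's or perishablepress.com's implementation; the option name, file name and `hypothetical_` prefixes are assumptions. It assumes the real login has already been moved away from wp-login.php, and it leaves wp-admin out of the trap because logged-in users need it.

```php
<?php
/**
 * Plugin Name: Blackhole trap (added example, not the talk's or perishablepress.com's code)
 *
 * Hypothetical file: wp-content/mu-plugins/blackhole.php
 * Assumes the real login page was already moved away from wp-login.php, as in
 * the talk; otherwise legitimate users would trap themselves.
 */

const HYPOTHETICAL_BLACKHOLE_OPTION = 'hypothetical_blackhole_ips'; // option holding trapped IPs
const HYPOTHETICAL_BLACKHOLE_TTL    = 86400;                        // seconds an IP stays blocked

// "Candy" links from the talk. wp-admin is left out because logged-in users
// need it. Paths that do not exist on disk still reach WordPress through the
// standard rewrite rule, so "init" fires for /phpmyadmin as well.
const HYPOTHETICAL_BLACKHOLE_CANDY = ['/wp-login.php', '/xmlrpc.php', '/phpmyadmin'];

function hypothetical_blackhole_client_ip(): string {
    // REMOTE_ADDR is the only address the server itself verified. Behind a
    // reverse proxy, use the proxy's trusted header instead of this one.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '';
}

function hypothetical_blackhole_is_candy(string $uri): bool {
    $path = strtolower((string) parse_url($uri, PHP_URL_PATH));
    foreach (HYPOTHETICAL_BLACKHOLE_CANDY as $candy) {
        if ($path === $candy || strpos($path, $candy . '/') === 0) {
            return true;
        }
    }
    return false;
}

add_action('init', function () {
    $ip = hypothetical_blackhole_client_ip();
    if ($ip === '') {
        return;
    }
    $now     = time();
    $trapped = get_option(HYPOTHETICAL_BLACKHOLE_OPTION, []);
    if (!is_array($trapped)) {
        $trapped = [];
    }

    // Step 1: an IP already in the trap is refused on every request.
    if (isset($trapped[$ip]) && $now - $trapped[$ip] < HYPOTHETICAL_BLACKHOLE_TTL) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }

    // Step 2: a request for a candy link logs the IP so the next access is blocked.
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (hypothetical_blackhole_is_candy($uri)) {
        $trapped[$ip] = $now;
        // Drop expired entries so the option does not grow without bound.
        $trapped = array_filter($trapped, function ($when) use ($now) {
            return $now - $when < HYPOTHETICAL_BLACKHOLE_TTL;
        });
        update_option(HYPOTHETICAL_BLACKHOLE_OPTION, $trapped, false);
        error_log("blackhole: trapped $ip requesting $uri");
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}, 1);
```

The time-to-live matters in practice: shared or carrier-grade NAT addresses change hands, so a permanent block would eventually lock out an innocent visitor, and the error_log line gives you the same evidence the talk says to look for in the access log.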
Are you still alive? (pause) Great.
For those of you who don't like to put your hands under the hood, here are some «ready made» plugins that can do the dirty work for you,
but now you can use them with more understanding of what they do:
Sucuri Security / WordFence / iThemes Security
OK. I have to go…
Last but not least, some links to delve deeper.
Thank you for listening and being so patient with my terrible English.