This document discusses WordPress security best practices. It outlines common threats like injection attacks and cross-site scripting. It recommends server-side measures like proper file permissions, limiting admin access, and monitoring servers. Client-side recommendations include using SSL, blocking PHP execution in directories, and obscuring details in wp-config.php. Specific plugins are also mentioned for enhancing security. Regular backups, updates, and monitoring are advised to help prevent and recover from hacks. The key message is that no system is completely secure, so diligence is important.

1. WordPress Security
How to not get hacked
WordCamp Finland - Tiia Rantanen

2. What is security?
- no unauthorized modification of information without
detection
- information must be available when required
- information must be accurate and trustworthy
- verified transactions
Source: Wikipedia

3. Possible threats
- injection
- cross site scripting (XSS)
- security misconfiguration
- sensitive data exposure
- missing function level access control
- cross site request forgery (CSRF)
- using components with known vulnerabilities
and also..
- brute force
Some according to WordPress White Paper & OWASP

4. What can I do? ..on the server-side
- correct user permissions (directory 755, files 644)
- limit access and change the url to wp-admin
- track file changes (version control, git)
- use public/private keys for server login
- enable firewall
- monitor your server (New Relic, Boundary, Cloud Flare,
OSSEC)
- update

5. What can I do? ..on the server-side
- use SSL
- deny direct PHP execution in directories (with caution)
- block access to directories and files (wp-config, xmlrpc,
author archives, wp-config, readme, license etc.)
- block PHP files in uploads
- Remove or change unwanted headers (Server, X-
Powered-By)

6. ...in wp-config file
- obscurity
- change database table prefix
- disallow file edit (WordPress code editor)
- authentication keys
- disallow plugin, update and theme installations
- move to core parent (up one folder)

7. ...in theme functions
- remove unnecessary wp head information
- remove the generator-meta tag
- hide the version number in enqueued js files
- disable xmlrpc
- overwrite login errors
- disable unnecessary feeds
- remove x-pingback from header
- remove version revealing html comments from plugins
if possible

8. ...in WordPress admin
- force strong passwords
- user privileges
- don’t use ‘admin’-username
- security enhancing plugins with logging

9. Security plugins
- iThemes Security
- Wordfence
- Bulletproof Security
- Sucuri Security
- Google Authenticator (for two-factor authentication)
...and lots more,
For backups
- VaultPress
- BackUp Buddy

10. Is my WordPress safe?
- WPScan
- Audit the source code
- Update
- Monitor
- Read WordPress Core and plugin related news (klikki.fi,
insecure.org, wpvulndb.com)

11. No matter what you do,
you can still get hacked
Always backup your files

12. I got hacked :(
- if you have backups, use them
- if you use version control or some other tool that
checks altered files, use that
- if none of the above, you’re in for a lot of work going
through the modified dates
- always find out why you were hacked
- make sure your WordPress is safe by taking the
precautions mentioned

13. Thank you for listening!
Any questions?