Jeff Hoffman, profile picture
Uploaded byJeff Hoffman
KEY, PPTX1,225 views

Securing WordPress by Jeff Hoffman

The document provides various strategies for securing a WordPress site against hacking, detailing the importance of server security, strong passwords, and proper file permissions. It advises on specific configurations, regular updates, and the use of security plugins, while emphasizing the necessity for backups and cleanup post-installation. Additional tips include altering default settings and monitoring for vulnerabilities to reduce risk.

Embed presentation

Download as KEY, PPTX
SECURING WORDPRESS Presented by Jeff K. Hoffman VP of R&D, MyLeadSystemPRO http://facebook.com/jeff.k.hoffman
WHY DO HACKERS HACK? • Easy SEO • Malware Distribution • Entertainment & Peer Recognition
HOW DO HACKERS HACK? • Bots - like the Google Bot, but Evil. • Widely available, frequently updated. • Viral spread
BEFORE YOU BEGIN • Backup your site! • Implement one tip and test, then another and test, etc. • If it’s over your head, just skip it (or, hire help.)
SECURE YOUR SERVER • Your blog is only as secure as your Web Host. • Ifa hacker gets into your hosting account (via FTP, SSH, etc.), they win before they even worry about hacking WordPress. • Use strong passwords. (StrongPasswordGenerator.com) • Ask your Web Host how to best secure your account.
PERMISSIONS • In general... • Files should be 644. • Folders should be 755. • /wp-content/uploads/ should be 775. • /wp-content/themes/ should be 775 for Theme Editor.
PERMISSIONS find /path/to/wordpress/ -type f -exec chmod 644 {} ; find /path/to/wordpress/ -type d -exec chmod 755 {} ; chmod -R 775 /path/to/wordpress/wp-content/uploads chmod -R 775 /path/to/wordpress/wp-content/themes
PERMISSIONS
DEFY CONVENTION • Change admin username • Never post as admin! • Move wp-config.php • Change database table prefix** • In wp-config.php • In your database
USE SECRET KEYS Edit wp-config.php... /**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again. * * @since 2.6.0 */ define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
CLEAN UP • After WordPress is installed, delete /wp-admin/install.php • Delete unused/inactive plugins & themes
UPDATE OFTEN • Always use the latest version of... • WordPress • Theme • Plugins
MAKE DAILY BACKUPS • BuyBackupBuddy.com ($75/year) • VaultPress.com ($180/year) • NOTE: Backups of a hacked site are ONLY useful for forensics!
STRONG PASSWORD • StrongPasswordGenerator.com • 1Password
AVOID DETECTION • Remove WordPress Footprints • Don’t use the Meta sidebar widget • http://wordpress.org/extend/plugins/secure-wordpress/
MINIMIZE PLUGINS • Every plugin you install increases risk • Popular, widely used plugins are less risky • Example: TimThumb
SECURE /WP-ADMIN* • http://www.cpanel.net/media/tutorials/passwdprotect.htm • Add to .htaccess... <FilesMatch ".(css|js|jpg|jpeg|gif|png)$"> Order Allow,Deny Allow from All Satisfy Any </FilesMatch> <Files admin-ajax.php> Order Allow,Deny Allow from All Satisfy Any </Files>
SECURE /WP-ADMIN • SSL • http://codex.wordpress.org/Administration_Over_SSL
SECURE /WP-INCLUDES* • Add this to .htaccess... # Block the include-only files. RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]
BLOCK ATTACKS • WordPress Firewall 2 • Login Lockdown
MONITORING • Google Webmaster Tools • WordPress File Monitor
Q&A • http://mlspfanclub.com

More Related Content

PPTX
WordPress Security Updated - NYC Meetup 2009
byBrad Williams
 
PPT
WordPress Security
byBrad Williams
 
PPT
WordPress End-User Security - WordCamp Las Vegas 2011
byDre Armeda
 
PPTX
WordPress End-User Security
byDre Armeda
 
PDF
WordPress Security WordCamp OC 2013
byBrad Williams
 
PPT
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
byDre Armeda
 
PDF
Lockdown WordPress
byDre Armeda
 
PPT
WordPress Security - WordCamp NYC 2009
byBrad Williams
 
WordPress Security Updated - NYC Meetup 2009
byBrad Williams
 
WordPress Security
byBrad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
byDre Armeda
 
WordPress End-User Security
byDre Armeda
 
WordPress Security WordCamp OC 2013
byBrad Williams
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
byDre Armeda
 
Lockdown WordPress
byDre Armeda
 
WordPress Security - WordCamp NYC 2009
byBrad Williams
 

What's hot

PDF
WordCamp Mid-Atlantic WordPress Security
byBrad Williams
 
PPTX
Protect Your WordPress From The Inside Out
bySiteGround.com
 
PPTX
WordPress Security - WordPress Meetup Copenhagen 2013
byThor Kristiansen
 
PDF
Top Ten WordPress Security Tips for 2012
byBrad Williams
 
PPT
Now That's What I Call WordPress Security 2010
byBrad Williams
 
PPT
WordPress Security - WordCamp Boston 2010
byBrad Williams
 
PDF
Google Hacking Basics
byamiable_indian
 
PPTX
Website security
byAkhilesh Kant
 
PPT
Secure All The Things!
byDougal Campbell
 
KEY
Higher Order WordPress Security
byDougal Campbell
 
PDF
Introduction to WordPress Security
byShawn Hooper
 
PDF
WordPress Security Presentation
byAndrew Paton
 
PPTX
WordPress Security Presentation from South Florida WordPress Meetup
byJohn Carcutt
 
PDF
WordPress Security Best Practices 2019 Update
byZero Point Development
 
PDF
WordCamp Finland 2015 - WordPress Security
byTiia Rantanen
 
PDF
8 Ways to Hack a WordPress website
bySiteGround.com
 
PPTX
WordPress End-User Security - Orange County WordCamp 2011
byDre Armeda
 
PPT
Wordpress Security Tips
byLalit Nama
 
PDF
Joomla! on Heroku
byYireo
 
PDF
Joomla! security
byYireo
 
WordCamp Mid-Atlantic WordPress Security
byBrad Williams
 
Protect Your WordPress From The Inside Out
bySiteGround.com
 
WordPress Security - WordPress Meetup Copenhagen 2013
byThor Kristiansen
 
Top Ten WordPress Security Tips for 2012
byBrad Williams
 
Now That's What I Call WordPress Security 2010
byBrad Williams
 
WordPress Security - WordCamp Boston 2010
byBrad Williams
 
Google Hacking Basics
byamiable_indian
 
Website security
byAkhilesh Kant
 
Secure All The Things!
byDougal Campbell
 
Higher Order WordPress Security
byDougal Campbell
 
Introduction to WordPress Security
byShawn Hooper
 
WordPress Security Presentation
byAndrew Paton
 
WordPress Security Presentation from South Florida WordPress Meetup
byJohn Carcutt
 
WordPress Security Best Practices 2019 Update
byZero Point Development
 
WordCamp Finland 2015 - WordPress Security
byTiia Rantanen
 
8 Ways to Hack a WordPress website
bySiteGround.com
 
WordPress End-User Security - Orange County WordCamp 2011
byDre Armeda
 
Wordpress Security Tips
byLalit Nama
 
Joomla! on Heroku
byYireo
 
Joomla! security
byYireo
 

Viewers also liked

PPT
How2 Start Ocw
byTerri Bays
 
KEY
Internet Marketing: Conversation marketing
byIan Lurie
 
PPT
Collaborating in the Clouds: selecting tools
byBobbi Newman
 
PPTX
2013 Enterprise Strategy Outlook
byMiha Kralj
 
PPT
Final Mobile Youth Net Project
byRede Jovem
 
PDF
Community keynote
bySidu Ponnappa
 
PPT
MiT6 - Anne Kustritz
byJulie Levin Russo
 
PPT
5 Things
byCon Morris
 
PDF
The Universe Problem: Poll results, Facebook and the 2012 Presidential campaign
byIan Lurie
 
PPTX
Presentation to SA National Treasury on National Broadband Funding
byBrian Pinnock
 
PDF
This is all such bullshit
byJason Falls
 
PDF
Jeremy Vickers Liquidity Hub
bydeimos
 
PPS
Pod Barcelona Paris
byAlexandru S
 
PPTX
Improving audience engagement in your ILTA 2011 conference sessions
byPeter Buck
 
PPTX
How metrics shape decisions f2psummit
byPascal Zuta
 
PDF
Introducing the Open Container Project
byAndrew Kennedy
 
PPTX
Zookeeper's guide to architecture frameworks
byMiha Kralj
 
KEY
I can haz HTTP - Consuming and producing HTTP APIs in the Ruby ecosystem
bySidu Ponnappa
 
PPT
Debate a la OAE y a Empresas Públicas de Neiva
byCarlos Mauricio Iriarte
 
PDF
Simulating Production with Clocker
byAndrew Kennedy
 
How2 Start Ocw
byTerri Bays
 
Internet Marketing: Conversation marketing
byIan Lurie
 
Collaborating in the Clouds: selecting tools
byBobbi Newman
 
2013 Enterprise Strategy Outlook
byMiha Kralj
 
Final Mobile Youth Net Project
byRede Jovem
 
Community keynote
bySidu Ponnappa
 
MiT6 - Anne Kustritz
byJulie Levin Russo
 
5 Things
byCon Morris
 
The Universe Problem: Poll results, Facebook and the 2012 Presidential campaign
byIan Lurie
 
Presentation to SA National Treasury on National Broadband Funding
byBrian Pinnock
 
This is all such bullshit
byJason Falls
 
Jeremy Vickers Liquidity Hub
bydeimos
 
Pod Barcelona Paris
byAlexandru S
 
Improving audience engagement in your ILTA 2011 conference sessions
byPeter Buck
 
How metrics shape decisions f2psummit
byPascal Zuta
 
Introducing the Open Container Project
byAndrew Kennedy
 
Zookeeper's guide to architecture frameworks
byMiha Kralj
 
I can haz HTTP - Consuming and producing HTTP APIs in the Ruby ecosystem
bySidu Ponnappa
 
Debate a la OAE y a Empresas Públicas de Neiva
byCarlos Mauricio Iriarte
 
Simulating Production with Clocker
byAndrew Kennedy
 

Similar to Securing WordPress by Jeff Hoffman

PPTX
Wordpress Security & Hardening Steps
byPlasterdog Web Design
 
PPTX
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
PPTX
WordPress security
byShelley Magnezi
 
PPSX
WordPress Security by Nirjhor Anjum
byAbul Khayer
 
PPT
WordCamp Philly WordPress End-User Security
byDre Armeda
 
PDF
WordPress Security 101
byManifest Creative
 
PPTX
WordPress Plugins and Security
byThink Media Inc.
 
PDF
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
PDF
Hardening WordPress - Friends of Search 2014 (WordPress Security)
byBastian Grimm
 
PPTX
WordPress Security Best Practices
byZero Point Development
 
PPT
Securing Word Press Blog
byChetan Gole
 
PDF
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
PDF
WordPress Security
byChristina Hawkins
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
byPratik Jagdishwala
 
PDF
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
byChetan Soni
 
PPTX
Presentation to SAIT Students - Dec 2013
byThink Media Inc.
 
PPTX
WordPress Security Best Practices
byZero Point Development
 
ODP
WordPress Security & Backup
byRandy Barnes
 
PDF
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
byBrecht Ryckaert
 
PPTX
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
byBastian Grimm
 
Wordpress Security & Hardening Steps
byPlasterdog Web Design
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
WordPress security
byShelley Magnezi
 
WordPress Security by Nirjhor Anjum
byAbul Khayer
 
WordCamp Philly WordPress End-User Security
byDre Armeda
 
WordPress Security 101
byManifest Creative
 
WordPress Plugins and Security
byThink Media Inc.
 
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
Hardening WordPress - Friends of Search 2014 (WordPress Security)
byBastian Grimm
 
WordPress Security Best Practices
byZero Point Development
 
Securing Word Press Blog
byChetan Gole
 
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
WordPress Security
byChristina Hawkins
 
ResellerClub Ctrl+F5 - WordPress Security session
byPratik Jagdishwala
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
byChetan Soni
 
Presentation to SAIT Students - Dec 2013
byThink Media Inc.
 
WordPress Security Best Practices
byZero Point Development
 
WordPress Security & Backup
byRandy Barnes
 
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
byBrecht Ryckaert
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
byBastian Grimm
 

Recently uploaded

PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final.pdf
byomarbishtawi04
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 

Securing WordPress by Jeff Hoffman

  • 1.
    SECURING WORDPRESS Presented by Jeff K. Hoffman VP of R&D, MyLeadSystemPRO http://facebook.com/jeff.k.hoffman
  • 2.
    WHY DO HACKERSHACK? • Easy SEO • Malware Distribution • Entertainment & Peer Recognition
  • 3.
    HOW DO HACKERSHACK? • Bots - like the Google Bot, but Evil. • Widely available, frequently updated. • Viral spread
  • 4.
    BEFORE YOU BEGIN •Backup your site! • Implement one tip and test, then another and test, etc. • If it’s over your head, just skip it (or, hire help.)
  • 5.
    SECURE YOUR SERVER •Your blog is only as secure as your Web Host. • Ifa hacker gets into your hosting account (via FTP, SSH, etc.), they win before they even worry about hacking WordPress. • Use strong passwords. (StrongPasswordGenerator.com) • Ask your Web Host how to best secure your account.
  • 6.
    PERMISSIONS • In general... • Files should be 644. • Folders should be 755. • /wp-content/uploads/ should be 775. • /wp-content/themes/ should be 775 for Theme Editor.
  • 7.
    PERMISSIONS find /path/to/wordpress/ -typef -exec chmod 644 {} ; find /path/to/wordpress/ -type d -exec chmod 755 {} ; chmod -R 775 /path/to/wordpress/wp-content/uploads chmod -R 775 /path/to/wordpress/wp-content/themes
  • 8.
  • 9.
    DEFY CONVENTION • Change admin username • Never post as admin! • Move wp-config.php • Change database table prefix** • In wp-config.php • In your database
  • 10.
    USE SECRET KEYS Edit wp-config.php... /**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again. * * @since 2.6.0 */ define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
  • 11.
    CLEAN UP • AfterWordPress is installed, delete /wp-admin/install.php • Delete unused/inactive plugins & themes
  • 12.
    UPDATE OFTEN • Always use the latest version of... • WordPress • Theme • Plugins
  • 13.
    MAKE DAILY BACKUPS •BuyBackupBuddy.com ($75/year) • VaultPress.com ($180/year) • NOTE: Backups of a hacked site are ONLY useful for forensics!
  • 14.
  • 15.
    AVOID DETECTION • RemoveWordPress Footprints • Don’t use the Meta sidebar widget • http://wordpress.org/extend/plugins/secure-wordpress/
  • 16.
    MINIMIZE PLUGINS • Every plugin you install increases risk • Popular, widely used plugins are less risky • Example: TimThumb
  • 17.
    SECURE /WP-ADMIN* • http://www.cpanel.net/media/tutorials/passwdprotect.htm •Add to .htaccess... <FilesMatch ".(css|js|jpg|jpeg|gif|png)$"> Order Allow,Deny Allow from All Satisfy Any </FilesMatch> <Files admin-ajax.php> Order Allow,Deny Allow from All Satisfy Any </Files>
  • 18.
    SECURE /WP-ADMIN • SSL • http://codex.wordpress.org/Administration_Over_SSL
  • 19.
    SECURE /WP-INCLUDES* • Add this to .htaccess... # Block the include-only files. RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]
  • 20.
    BLOCK ATTACKS • WordPress Firewall 2 • Login Lockdown
  • 21.
    MONITORING • Google WebmasterTools • WordPress File Monitor
  • 22.

Editor's Notes