This document provides tips and recommendations for hardening a WordPress site against hacking and security threats. It discusses typical paths of infection like insecure server configurations or outdated code. It recommends various security measures including keeping backups, using strong passwords, updating software regularly, and restricting access to admin areas and important files. It also suggests security plugins that can help scan sites for vulnerabilities, limit login attempts, backup data, and more. The document emphasizes that while no site is completely hack-proof, administrators can make sites much more difficult to compromise through diligent security practices.
WordPress Security & Hardening Steps
1. HARDENING A WORDPRESS SITE
Jeff McNear
Plasterdog Web Design
847/849-7060
jeff@plasterdog.com
FOR MORE WORDPRESS INFO: http://jeffmcnear.com
2. WHILE A HACKING INCIDENT DOES SEEM APOCALYPTIC, IT IS SURVIVABLE, AND EVEN AVOIDABLE IF:
• You anticipate the destruction with backups
• You have some sort of early alert system
• You make your site more difficult to compromise than a default install provides for
3. RESOURCES:
CODEX: http://codex.wordpress.org/Hardening_WordPress
CODE POET: “LOCKING DOWN WORDPRESS” http://build.codepoet.com/2012/07/10/locking-down-wordpress/ - Rachel Baker | Brad Williams | John Ford
DIGGING INTO WORDPRESS: http://digwp.com/book/ - Chris Coyier & Jeff Starr
THE TAO OF WORDPRESS: http://wp-tao.com/ - Jeff Starr
.htaccess made easy: http://htaccessbook.com/ - Jeff Starr
4. TYPICAL PATHS OF INFECTION:
The overwhelmingly vast majority of all attacks are automated
• Entry via login to the site or database
• Entry via vulnerable files or folders
TYPICAL POINTS OF ENTRY
• Insecure server configuration
• Poor password security practices
• Outdated code (WordPress core, plugins & themes, PHP version)
5. TYPICAL TYPES OF INFECTION:
Roughly 85% of website attacks are Cross-Site Scripting (aka XSS)*
• Purpose is to inject links into the site itself
• May be simply spam links intended to fool search engines
• Can be malicious code that is used to embed coding into the visitor’s machine
• Intent is to steal information like passwords
*Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source.
The more malicious infections are designed to breed and spread from machine to machine
6. WHAT ARE THE RISKS OF INFECTION?
• Unwelcome links inserted into your header or footer (very common: WordPress Pharma hack … only visible in search results!)
• Your site can become a cause for infection of those who visit it
• Visitors will be automatically re-directed to another website
• Search engines will detect insertions and will first publish warnings, and eventually de-list the site
• Individual ISPs will also detect insertions and will deny access to the site
7. FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO:
Many hardening techniques do not require any special tools, knowledge or expertise … just some common sense
8. KEEP A CLEAN MACHINE
Eventually we are all going to visit an infected website – have a regular scanning & anti-virus routine
Remember that you too are vulnerable to inserted code that will monitor & record your keystrokes
9. TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
Ideally we should all be using SFTP rather than regular old FTP
Some would even say that having an SSL certificate for any website is a good idea
At the very least, use a secure connection when uploading files
10. KEEP YOUR CODE CURRENT
A significant portion of core update work has to do with security issues
The WordPress project has made it dead easy to keep your code current
There is no excuse!
ALSO: Inactive themes and plugins can be vulnerable to infection … if you aren’t using them, there is no reason to keep them!
11. AVOID ALLOWING ACCESS WHEN NOT NECESSARY
• Shut down open registration
• If you’re not using comments and pingbacks, deactivate them
• Eliminate inactive users
• Be selective about permission levels
• Do not allow shared logins
• Never use “admin” as a login name – most “brute-force” attacks on WordPress will focus on the “admin” login name
• If you display author information DO NOT show the login name!
• Use complex and secure passwords!
12. PREPARE FOR THE WORST:
Backup:
• Database
• The active theme
• .htaccess file
• wp-config.php
• robots.txt
• index.php
• Record the list of active plugins
Register your site with Webmaster tools:
GOOGLE: http://www.google.com/webmasters/tools
BING: http://www.bing.com/toolbox
SITE SCANNING TOOLS:
http://sitecheck.sucuri.net/scanner/
https://www.stopbadware.org/clearinghouse/search
http://www.unmaskparasites.com/
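The backup list on this slide, carried out as an added shell helper (my own code, not from the deck): it copies .htaccess, wp-config.php, robots.txt and index.php, keeps the active theme and active-plugin list when WP-CLI can reach the site (otherwise every theme plus the installed plugin directory names), dumps the database with credentials parsed out of wp-config.php, and packs everything into one tarball. The function names and the wp-backup-<timestamp> layout are my own choices; it assumes a standard install under the given root and uses mysqldump and wp only if they are on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the slide deck): back up the items slide 12 lists.
# Assumes a standard WordPress layout under the root passed as $1; WP-CLI and
# mysqldump are used only when present.

# Read a define('NAME', 'value') string constant from wp-config.php.
wp_config_value() {            # $1 = wp root, $2 = constant name
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/wp-config.php" | head -n 1
}

# Dump the database named in wp-config.php into $2; returns 1 if it cannot.
wp_dump_database() {           # $1 = wp root, $2 = output file
    local host port
    command -v mysqldump >/dev/null 2>&1 || return 1
    host=$(wp_config_value "$1" DB_HOST)
    port=${host#*:}; host=${host%%:*}   # DB_HOST may be written as host:port
    [ "$port" = "$host" ] && port=3306  # no port given: MySQL default
    MYSQL_PWD="$(wp_config_value "$1" DB_PASSWORD)" mysqldump \
        -h "$host" -P "$port" -u "$(wp_config_value "$1" DB_USER)" \
        "$(wp_config_value "$1" DB_NAME)" > "$2"
}

# Build wp-backup-<timestamp>.tar.gz under $2 and print its path.
wp_backup() {                  # $1 = wp root, $2 = output directory
    local root="$1" out="$2" stamp dir item theme
    stamp=$(date +%Y%m%d-%H%M%S)
    dir="$out/wp-backup-$stamp"
    mkdir -p "$dir"
    # The four files from slide 12; a missing one is reported, not fatal.
    for item in .htaccess wp-config.php robots.txt index.php; do
        if [ -f "$root/$item" ]; then cp -p "$root/$item" "$dir/"
        else echo "note: $root/$item not present" >&2; fi
    done
    # The active theme and active plugins are database state, so ask WP-CLI
    # when it can reach the site; otherwise keep every theme and the plugin dirs.
    if command -v wp >/dev/null 2>&1 && wp --path="$root" core is-installed >/dev/null 2>&1; then
        theme=$(wp --path="$root" theme list --status=active --field=name)
        cp -pR "$root/wp-content/themes/$theme" "$dir/theme-$theme"
        wp --path="$root" plugin list --status=active --field=name > "$dir/active-plugins.txt"
    else
        cp -pR "$root/wp-content/themes" "$dir/themes"
        ls "$root/wp-content/plugins" > "$dir/plugins-installed.txt" 2>/dev/null || :
    fi
    if ! wp_dump_database "$root" "$dir/database.sql"; then
        rm -f "$dir/database.sql"
        echo "note: database not dumped (mysqldump missing or connection failed)" >&2
    fi
    tar -czf "$dir.tar.gz" -C "$out" "wp-backup-$stamp" && rm -rf "$dir"
    echo "$dir.tar.gz"
}

# Stand-alone use: wp_backup.sh /var/www/site /var/backups
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then wp_backup "$1" "$2"; fi
```

Store the archive off the web server; a backup kept inside the document root is reachable by the same attacker it is meant to protect against.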
13. THE REASONS WEBMASTER TOOL CONNECTION IS IMPERATIVE:
• You cannot communicate directly with Google or Bing without establishing the connection
• Diagnostic tools are made available
• Automatic alerts can be requested
• You can appeal for review and redemption
14. SECOND LEVEL SECURITY: Configuring the site correctly at the point of original install
There are small adjustments that can:
• Make it more difficult for an attacker to edit your files
• Obscure the structure of your WordPress deployment
• Lock down access to crucial files and directories
16. ELIMINATE A COUPLE OF FILES:
(root)/readme.html
ISSUE: relates information about the version of WordPress at point of install (note that a core update puts this file back, so repeat the deletion after updating)
(root)/wp-admin/install.php
ISSUE: if for some reason the connection between WordPress and the database is broken, then this file will activate and display the installation setup page
17. DISABLE THE FILE EDITOR
As long as this is still enabled, anyone with admin access to your site will be able to modify files at will
ADD TO THE wp-config.php FILE:
// DISABLES FILE EDITING (the theme and plugin editors in the dashboard)
define('DISALLOW_FILE_EDIT', true);
18. DENY INFORMATION TO POTENTIAL ATTACKERS:
IN THE ACTIVE THEME’S functions.php FILE:
// REMOVES VERSION INFO (the generator meta tag in <head>)
remove_action('wp_head', 'wp_generator');
// OBSCURES LOGIN FAILURE MESSAGE; a closure replaces create_function(), which was removed in PHP 8
add_filter('login_errors', function ($error) { return null; });
19. GIVE WORDPRESS A SEPARATE DIRECTORY:
IF ALL OF THE CORE FILES ARE IN AN UNEXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND:
• Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root of your site
• In your root directory's index.php change the line that says:
require('./wp-blog-header.php');
to
require('./newdirectoryname/wp-blog-header.php');
• Go to the General panel. In the box for Site address (URL), change the address to the root directory's URL
20. MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO THE WP-CONFIG FILE
These security keys help encrypt the data that is stored in the cookies, which is data that helps WordPress identify your computer as one that is logged into your WordPress website as a certain user.
If your WordPress cookies are ever obtained by someone with bad intentions, the encrypted cookie will make it much more difficult if not impossible for this individual to compromise your website using your cookies.
21. MAKE SURE FOLDER & FILE PERMISSIONS ARE SET CORRECTLY
TYPICALLY THEY ARE GIVEN THE PROPER SETTINGS UPON DEPLOYMENT, BUT IT DOESN’T HURT TO CHECK
FILE PERMISSION = 644
FOLDER PERMISSION = 755
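The second-level checks from slides 16, 17, 20 and 21, as an added shell audit that is my own code rather than the deck's: it reports a leftover readme.html or wp-admin/install.php, a missing DISALLOW_FILE_EDIT, security keys that are absent or still the installer placeholder, and files or folders that are not 644/755, and it can apply the permission fix. Function names are my own; it assumes a standard install under the root it is given.

```shell
#!/usr/bin/env bash
# Added audit (not from the slide deck): checks a WordPress root against
# slides 16, 17, 20 and 21. Assumes the standard layout under $1.

# Slide 16: the two files that should have been deleted. 0 = absent (good).
wp_check_absent() {            # $1 = wp root, $2 = relative path
    [ ! -e "$1/$2" ]
}

# Slide 17: an uncommented define('DISALLOW_FILE_EDIT', true) in wp-config.php.
wp_check_file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Slide 20: all eight keys/salts defined and none left at the installer placeholder.
wp_check_keys_set() {
    local cfg="$1/wp-config.php" key line
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "^[[:space:]]*define\([[:space:]]*.$key." "$cfg") || return 1
        case "$line" in *"put your unique phrase here"*) return 1 ;; esac
    done
    return 0
}

# Slide 21: print "<files not 644> <directories not 755>".
wp_count_bad_perms() {
    local files dirs
    files=$(find "$1" -type f ! -perm 644 | wc -l)
    dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    echo "$((files)) $((dirs))"
}

# Slide 21 remediation: 755 on directories, 644 on files.
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} + && find "$1" -type f -exec chmod 644 {} +
}

# Run every check and print one line each; the return value is the number of failures.
wp_audit() {
    local root="$1" problems=0 item
    for item in readme.html wp-admin/install.php; do
        if wp_check_absent "$root" "$item"; then echo "ok:   $item absent"
        else echo "FAIL: $item still present (slide 16)"; problems=$((problems + 1)); fi
    done
    if wp_check_file_edit_disabled "$root"; then echo "ok:   file editor disabled"
    else echo "FAIL: DISALLOW_FILE_EDIT not set to true (slide 17)"; problems=$((problems + 1)); fi
    if wp_check_keys_set "$root"; then echo "ok:   security keys set"
    else echo "FAIL: security keys missing or still placeholders (slide 20)"; problems=$((problems + 1)); fi
    set -- $(wp_count_bad_perms "$root")
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo "ok:   permissions are 644/755"
    else echo "FAIL: $1 files not 644, $2 directories not 755 (slide 21)"; problems=$((problems + 1)); fi
    return "$problems"
}

# Stand-alone use: wp_audit.sh /var/www/site   (exit status = number of failures)
if [ -n "${1:-}" ]; then wp_audit "$1"; fi
```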
22. THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES
“The ability to include .htaccess files in specific directories gives you more control of your site’s configuration, optimization, and security.” -Jeff Starr
While hosting in an environment optimized for WordPress is ideal … it is not always available….
23. BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE
AN .htaccess FILE
ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT
WITH THIS CODE ONLY:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /SITE-DIRECTORY-NAME/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /SITE-DIRECTORY-NAME/index.php [L]
</IfModule>
# END WordPress
24. NEXT: INCLUDE THE FOLLOWING (outside the WP generated code)
#PROTECT HTACCESS FILE
<files .htaccess>
order allow,deny
deny from all
</files>
# SECURE WP-CONFIG.PHP
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
# BLOCK THE INCLUDE-ONLY FILES.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
25. AN ADDITIONAL RULE WORTH ADDING:
# CANONICAL FAVICONS - A COMMON POINT OF ATTACK
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
</IfModule>
26. SPECIFIC .HTACCESS TO PROTECT WP-CONTENT
Protects PHP files: allows access to image, CSS, JavaScript and XML
files, but denies every other type
# PREVENT ACCESS TO WP-CONTENT
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
AND FOR EXTRA CREDIT… KILL PHP EXECUTION IN THESE 2 LOCATIONS
/wp-content/uploads/.htaccess
/wp-includes/.htaccess
<Files *.php>
deny from all
</Files>
27. SOME ADDITIONAL .htaccess RULES:
LOCATION: UPLOADS DIRECTORY
# secure uploads directory
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
=> issue: blocks ability to access pdf related URLs by link
28. LOCATION: WP-ADMIN DIRECTORY
# SECURE WP-ADMIN FILES
# 123.456.789 is a placeholder: replace it with the address that is allowed in
<FilesMatch ".*">
Order Deny,Allow
Deny from all
Allow from 123.456.789
</FilesMatch>
=> issue: restricting by IP address is not practical in many cases
29. LOCATION: ROOT DIRECTORY
# Denies “hotlinking” of images
<IfModule mod_rewrite.c>
RewriteEngine on
# ultimate hotlink protection
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu.org|taffys.org|halfelf.org|poohnau.us|elfshot.org) [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
=> issue: this disables the theme screenshot display so I don’t use it
30. LOCATION: ROOT DIRECTORY
# MAKES EXPLICIT LOCATION OF ROBOTS.TXT
<IfModule mod_rewrite.c>
RewriteBase /
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{REQUEST_URI} robots\.txt [NC]
RewriteRule .* http://example.com/robots.txt [R=301,L]
</IfModule>
=> issue: seems like overkill
# MAKES EXPLICIT LOCATION OF SITEMAP
<IfModule mod_alias.c>
RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
</IfModule>
=> issue: seems like overkill
31. WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE,
IT WILL PREVENT FILES YOU WANT SECURED FROM BEING
INDEXED
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /tag/
Disallow: /trackback/
Disallow: */trackback/
Disallow: /index.php # separate directive for the main script file of WP
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Allow: /wp-content/uploads/
Sitemap: http://SITEURL/sitemap_index.xml
(SEO by Yoast generates a reliable sitemap_index.xml)
32. PLUGINS OF NOTE: SITE SCANNERS
wp security scan
http://wordpress.org/plugins/wp-security-scan
Sucuri Security - SiteCheck Malware Scanner
http://wordpress.org/plugins/sucuri-scanner
WordPress File Monitor Plus
http://wordpress.org/plugins/wordpress-file-monitor-plus
Monitors your WordPress installation for added/deleted/changed files.
When a change is detected an email alert can be sent to a specified
address.
wordpress exploit scanner
http://wordpress.org/plugins/exploit-scanner
This plugin searches the files on your website, and the posts and
comments tables of your database for anything suspicious.
secure wordpress
http://wordpress.org/plugins/secure-wordpress
33. PLUGINS OF NOTE: MORE SCANNERS
Wordfence
http://wordpress.org/plugins/wordfence/
Better WP Security
http://wordpress.org/plugins/better-wp-security/
BulletProof Security
http://wordpress.org/plugins/bulletproof-security/
34. PLUGINS OF NOTE: BACKUP
vaultpress http://wordpress.org/plugins/vaultpress/ (subscription)
backup buddy http://ithemes.com/purchase/backupbuddy/ (paid)
WP Migrate DB Pro https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
backwpup http://wordpress.org/plugins/backwpup/
backup to dropbox
http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Online Backup for WordPress http://wordpress.org/plugins/wponlinebackup/
WP-DB-Backup http://wordpress.org/plugins/wp-db-backup/
WP-DBManager http://wordpress.org/plugins/wp-dbmanager/
BackUpWordPress http://wordpress.org/plugins/backupwordpress/
36. PLUGINS OF NOTE: MIXED BAG
theme authenticity checker http://wordpress.org/plugins/tac/
Theme-Check http://wordpress.org/plugins/theme-check/
Theme Test Drive http://wordpress.org/plugins/theme-test-drive/
block bad queries http://wordpress.org/plugins/block-bad-queries/ (a Jeff Starr plugin)
antivirus http://wordpress.org/plugins/antivirus/
37. NOTHING IS 100% HACK-PROOF,
BUT YOU CAN MAKE IT MORE
DIFFICULT
Keep your code current and work in a
clean environment
Restrict access to WordPress admin
Block access to crucial files
Back up crucial files on a regular basis
Have a strategy to re-build if the easy
solutions elude you