WordPress Security Presentation by Jason Conroy (from Finding Simple - http://findingsimple.com) for the March 2013 WordPress Canberra Meetup (http://wpcanberra.com.au)
2. Why Security?
• SEO / Google rankings
• Downtime - Decreased Revenue
• Website / Business / Personal Credibility
• Increased costs of cleaning up the mess (potentially lawsuits)
• Lose everything - no site :-(
17. • If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain.
• This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
18. • REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site.
19. 2. Rename the “admin” account
• Make it hard for an attacker. If they already know your username, that’s half the battle.
• As of 3.0 WordPress asks upfront during installation for an admin account name - don't use "admin", and I recommend not using anything related to the domain.
20. • If you do happen to have an “admin” account there are a few options:
‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
‣ Create another administrator user, log in as the new administrator user and delete the "admin" user.
‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly
22. 3. Change your table_prefix
• My what? It's a database thing...
• Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default.
• Changing this can block at least some SQL injection attacks.
• Good news - WordPress now asks upfront during installation for you to specify a table prefix - so don’t use “wp_”.
23. • If you haven’t changed your prefix:
‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly (remember to update your wp-config.php file as well)
25. 4. Set up Security Keys
• Often referred to as Salts - they add random elements to your password when encrypting the information in the cookies used during the WordPress login process
• They live in your site's wp-config.php and can be changed at any time
• https://api.wordpress.org/secret-key/1.1/salt/
27. • WordPress now generates the salts for you if none are provided - but it’s better to be safe than sorry.
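A small audit script covering the two wp-config.php points above (the table prefix and the security keys/salts). This is an added example, not code from the presentation or from WordPress: it assumes the config follows the layout of wp-config-sample.php, where every key ships with the placeholder value "put your unique phrase here", and treats anything shorter than the 64-character values served by the salt API as too short. The sample configs below are constructed for the demo.

```python
import re

# Placeholder that ships in wp-config-sample.php for every key and salt.
PLACEHOLDER = "put your unique phrase here"
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
MIN_SALT_LEN = 64  # length of the values served by api.wordpress.org/secret-key/1.1/salt/

# define('NAME', 'value');  and  $table_prefix = 'wp_';
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def audit_wp_config(text):
    """Return a list of findings (strings) for the given wp-config.php text."""
    findings = []
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("table_prefix: not set (WordPress falls back to wp_)")
    elif m.group(1) == "wp_":
        findings.append("table_prefix: default wp_ (assumed by published SQL-injection attacks)")
    defined = {name: value for name, _quote, value in DEFINE_RE.findall(text)}
    for name in SALT_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: missing (WordPress generates one, but set it yourself)")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_SALT_LEN:
            findings.append(f"{name}: only {len(value)} characters, regenerate from the API")
    return findings


# Constructed sample: default prefix, two placeholder keys, one short key, five missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix  = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'abc123');
"""

# Constructed hardened sample; 'x' * 64 stands in for real API output.
HARDENED_CONFIG = "$table_prefix = 'k7q_';\n" + "".join(
    f"define('{name}', '{'x' * 64}');\n" for name in SALT_NAMES)

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit_wp_config(HARDENED_CONFIG))
```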
29. 5. Use Strong Passwords
• Weak passwords leave your site vulnerable to:
‣ Brute Force Attacks
‣ Dictionary Attacks
• Please use a strong password
• Don’t reuse passwords
• WordPress has a built in strength meter (don’t ignore it)
35. 7. Use SFTP or FTPS
• FTP transmits all data in the clear - including passwords
• If you need to regularly connect or upload files to your site, use SFTP or FTPS (especially if you are using public wifi)
36. 8. Check File Permissions
• Tricky to get right (especially on shared hosting, where it is more important to get it right)
• A good rule of thumb is to set permissions to 644 for files and 755 for folders
39. 9. Move wp-config.php
• wp-config.php is the main configuration file for your site
• WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
• Recommended that it is moved up one level (to the parent directory) to make sure only your account and the server can read the file
40. • If WordPress is located here:
‣ /public_html/mysite/wp-config.php
• You can move wp-config.php to here:
‣ /public_html/wp-config.php
41. • This makes it much more difficult for anyone to access your wp-config.php file, as it now resides outside of your site's root directory
43. 10. Run Backups
• Hosts may provide backups
• However often...
‣ they don’t back up the right things
‣ they don’t back up regularly enough
‣ they don’t know WordPress
‣ they may charge you to restore your site
46. • Or just plain old...
‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
‣ WordPress Export (note the export doesn’t contain your uploaded files or options)
48. 11. Choose hosting wisely
• In my experience you get what you pay for
• Look for hosts that have
‣ Good backup regime
‣ WordPress Expertise (tougher than you think)
‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
49. 12. Be Security Minded
• Keep your own machine clean
• Don’t share or reuse passwords
• If you use public computers be sure to log out of WP
• If you use public networks
‣ avoid using FTP (that's the insecure one)
‣ avoid logging into WP if you're not using HTTPS
50. There’s a plugin for that
• There are also a range of “all in one” solutions that will cover most of the above as well as things like:
‣ Remove the WordPress version/generator tag
‣ Remove update notifications
‣ Remove login error messages
‣ Change location of login urls