This document discusses the importance of WordPress security and provides tips to improve security. It notes that WordPress is constantly updated to patch vulnerabilities and urges users to keep their sites updated. It then lists several vulnerabilities in versions before 4.8.2 and explains how hackers can exploit known issues. The document advocates using security plugins, restricting file permissions, changing passwords, and other measures to protect sites. It stresses that while perfect security is impossible, keeping WordPress updated is essential for mitigating risks.
4. Let's Talk about Versions
• WordPress is constantly evolving and patches are released from WordPress to keep your site safe
• Let me ask
• What version of WordPress do you have?
7. Before WordPress 4.8.2
• Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
• Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
• Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
• Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
• There are over 250 known issues that can give hackers access
• https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
8. How do we know about these issues
• They are published online, freely available to all… see the changelog
• A changelog will show everyone everything they have fixed.
• This means a hacker just has to wait for the latest patch, look at the changelog and review all the issues in the previous versions
• Then they test these on your WordPress site, assuming that you haven't updated it.
9. You'll never be perfectly safe… however
• Exploits are found all the time by hackers
• Whitehats inform the developers and they fix them
• Blackhats keep it to themselves and use it for their own purposes
• So keeping up to date is essential!
10. Updating is a PAIN!
• Yes, updating software can:
• Break themes
• Stop plugins working
• Take your site down
• Corrupt files
• The list goes on
11. Simple ways to mitigate…
• Install a security plugin…
• WordFence is my recommendation – just use the free one and it'll immediately help
• Secure the folders
• Do you need the wp-admin folder readable?
• What about the other files? Will you ever change the wp-config file?
• Are you using secure passwords for your database?
• Use your .htaccess file
• You can deny all IP addresses bar the ones you use from the wp-admin area of the site.
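The "secure the folders" questions above are easier to answer with a script than by eye. The following is an added example, not code from the original slides: a POSIX sh audit that reports anything world-writable under the WordPress root and a wp-config.php that "other" can read, plus a fixer that applies the conventional layout (directories 755, files 644, wp-config.php 600). It assumes PHP runs as the file owner, as on most suEXEC/cPanel hosts; if PHP runs as a separate web-server user in the owner's group, use 640 for wp-config.php instead. The function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original slides): audit, then fix, the file
# permissions of a WordPress install. Assumes POSIX sh with find and chmod.

# audit_wp_perms ROOT: one finding per line on stderr, the number of findings
# on stdout, so a caller can compare the count before and after hardening.
audit_wp_perms() {
    root="$1"
    count=0

    # A world-writable file or directory lets any other local account (or a
    # compromised neighbouring site on shared hosting) drop code the web
    # server will happily execute.
    find "$root" ! -type l -perm -002 \
        -exec sh -c 'echo "world-writable: $1" >&2' _ {} \;
    ww=$(find "$root" ! -type l -perm -002 | wc -l)
    count=$((count + ww))

    # wp-config.php holds the database password; "other" must not read it.
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "readable by others: $cfg" >&2
        count=$((count + 1))
    fi

    echo "$count"
}

# harden_wp_perms ROOT: directories 755, files 644, wp-config.php 600
# (change 600 to 640 if PHP runs as a different user in the owner's group).
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}
```

Run `audit_wp_perms /var/www/html` first and read the findings before running `harden_wp_perms`; a plugin cache directory that legitimately needs to be writable by the web-server user will show up in the audit, and the right fix there is group ownership, not world-write.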
12. User Permissions
• Are you giving every user the right permissions?
• Do they all need admin, or is editor okay?
• When did you last check the users in your WordPress and remove the old ones?
13. Change the admin Username
• When you install WordPress we all like to use Admin as the main user, but leaving it as this user makes a brute-force attack easier
• Create a new user and delete the old one.
• Tips for good usernames and passwords
• Username – random characters, not common names like david, but try something more like:
• B105_GHZA!
• Make your passwords similar! Lots of different characters and numbers; special characters are useful, such as !£%^ to substitute for numbers.
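The username and password rules on the last two slides can be turned into a pre-flight check that runs before an account is created. This is an added example, not code from the original slides; the list of rejected usernames is a constructed sample, and the 12-character, three-class password rule is this example's own threshold. One caveat worth keeping in mind: WordPress does not treat usernames as secrets (author archives reveal them), so the password rule is the one doing the real work against brute force.

```shell
#!/bin/sh
# Added example (not from the original slides): credential checks that follow
# the "Change the admin Username" slide. Assumes POSIX sh only.

# check_username NAME: reject the default and guessable names that brute-force
# tooling tries first (constructed sample list), and anything under 8 characters.
check_username() {
    case "$1" in
        admin|administrator|root|test|user|wordpress|wpadmin|webmaster|david)
            return 1 ;;
    esac
    [ "${#1}" -ge 8 ]
}

# check_password PASS: at least 12 characters from at least three of the four
# classes lower / upper / digit / other. Substitutions such as "!£%^" count as
# "other", which is the point of the slide's advice.
check_password() {
    p="$1"
    [ "${#p}" -ge 12 ] || return 1
    classes=0
    case "$p" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$p" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$p" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$p" in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}
```

Both functions return a shell status, so they drop straight into an account-creation script: `check_username "$u" && check_password "$p" || exit 1`.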
14. Disable File editing
• Add this to your wp-config.php file
• // Disallow file edit
• define( 'DISALLOW_FILE_EDIT', true );
• This takes away the ability to edit files from the WordPress admin area, meaning if your login is compromised they can't add code to your files.
15. Don’t let people upload .php files
• This one is an easy way to get a site hacked!
• Using your .htaccess file, add this:
• <Files *.php>
• deny from all
• </Files>
16. Password Protect your WP-ADMIN folder
• Simpler than you think!
• From your hosting area just set up the wp-admin area with a username and password
• This means you have to log in twice and it seriously hampers user login attempts.
17. Wow that’s a lot!
• Yes, that's loads of work, but the good news is there are plenty of plugins that will do this for you and save you a lot of time.
• WordFence
• Sucuri Scanner
• BulletProof Security
• And hundreds more