RP
Uploaded byRyan Plas
PDF, PPTX190 views

WordPress Security Basics

The document discusses WordPress security basics using a defense in depth approach with multiple layers of security. It recommends keeping WordPress, plugins, and themes updated, using strong and unique passwords with a password manager and two-factor authentication, following the principle of least privilege, and choosing a hosting provider with security features like SSL and firewalls. Specific tips include disabling file editing, limiting login attempts, backing up sites, and using security plugins that address areas like backups, firewalls, and vulnerability scanning. The overall message is that no single method is sufficient and independent layers are needed.

Embed presentation

Download as PDF, PPTX
WordPress Security Basics Ryan Plas - @wordplas
Defense In Depth
Defense In Depth The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.1 There is no single approach to security - have many layers. 1: https://en.wikipedia.org/wiki/Defenseindepth_(computing)
Defense In Depth Layers: 1. Code 2. Authentication 3. Hosting
Code
Code What this section isn't: How to write secure code What this section is: How to make sure the code of your site is secure
Code Keep your site updated • Auto updates for minor versions since 3.7 • Update to major versions as soon as possible
Code Keep your plugins and themes updated • The longer you wait, the more likely there's a vulnerability. • WPScan Vulnerability Database
Code Only use plugins and themes from reputable sources • Trusted brands/companies • Don't avoid paying money • Don't look for free versions of premium plugins/themes • The Plugin/Theme repo is your friend
If the site looks like this...run!
Authentication
Authentication Use a strong password • Question...what is a strong password?
Authentication Use one of preferably both of the following: • Password manager • Two-factor authentication
Authentication Password Manager: • Program that can create and securely store passwords • Allows you to use longer/more complex passwords without having to memorize or write them down
Authentication Two-factor Authentication: • Something you know - password, pin • Something you have - phone, YubiKey
Authentication Passwords: Use a password manager and/or two-factor authentication • LastPass, 1Password, Dashlane - Personal • Duo, Google Authenticator, etc. - Plugin If you can't do that, use a long but easy to remember password. • correct horse battery staple • [date]-[place]-[thing]: 1976-Switzerland-dragon
Principle of Least Privilege
Authentication Principle of least privilege: • Any user should only be able to access exactly what they need to and nothing else. • Don't make everyone an admin • Restrict user roles to only what is required • Use a plugin if necessary
Authentication Bonus: Don't use admin as a username
Hosting
Hosting What to look for in a good hosting provider: • SSL • Firewall • Datacenter • Customer Support
Rapid-fire Tips
Disable File Editing In wp-config.php: ## Disable Editing in Dashboard define('DISALLOW_FILE_EDIT', true);
Limit Login Attempts • Make brute forcing passwords take much longer • Potentially block malicious attempts • Lots of plugins that do this • JetPack, Limit Login Attempts
Backup Your Site • Helps in the event of a security incident • Able to roll back to an unaffected backup • Lots of plugins/services that do this • Backup Buddy, BackWPUp
"Complete" Solutions • No solution is "complete" (Defense in Depth) • But...these have a lot of the features we talked about • iThemes Security - plugin • JetPack - plugin • Wordfence - plugin • Securi - hosting/security platform
wpscan • Command-line utility to scan a WP install for vulnerabilities • https://github.com/wpscanteam/wpscan • *ONLY USE ON SITES YOU OWN*
Overview • Defense in Depth • Many layers of security • Code • Update your site/plugins/themes • Use reputable plugins/themes • Authentication • Password Manager/Two-factor Authentication • Principle of Least Privilege • Hosting • Look for emphasis on security (SSL, Firewall, Datacenter etc.)
Questions?
Ryan Plas @wordplas github.com/ryanplasma

More Related Content

PPT
WordCamp Philippines 2009: WordPress In The Wild
byrebelpixel
 
KEY
Word Camp Ph 2009 Word Press In The Wild
byrebelpixel
 
PDF
Should you be using WordPress as your web platform?
byNigel Harding
 
PDF
WordPress security & performance a beginners guide
byMickey Mellen
 
PDF
Keep Your SIte Secure
byMichele Butcher-Jones
 
PPTX
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
byDan Vasile
 
PPTX
Building Secure WordPress Sites
byCatch Themes
 
PPTX
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
byDan Vasile
 
WordCamp Philippines 2009: WordPress In The Wild
byrebelpixel
 
Word Camp Ph 2009 Word Press In The Wild
byrebelpixel
 
Should you be using WordPress as your web platform?
byNigel Harding
 
WordPress security & performance a beginners guide
byMickey Mellen
 
Keep Your SIte Secure
byMichele Butcher-Jones
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
byDan Vasile
 
Building Secure WordPress Sites
byCatch Themes
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
byDan Vasile
 

What's hot

PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
byDan Vasile
 
PPTX
WordPress.org & Optimizing Security for your WordPress sites
byGovLoop
 
KEY
10 Ways to Secure WordPress
byJeremy Green
 
ODP
WordPress Security
bySuzette Franck
 
PPTX
How secure is WordPress ?
byEr. Narayan Koirala
 
PDF
Running WordPress on AWS
byJames Monek
 
PDF
Securing your WordPress site in 5 easy pieces
byKevin Koehler
 
PPTX
A crash course in scaling wordpress
byGovLoop
 
PPTX
Managing Multisite: Lessons from a Large Network
byWilliam Earnhardt
 
PDF
WordPress Security 101 - WordCamp Nairobi 2019
bystk_jj
 
PPTX
Cm9 secure code_training_1day_input sanitization
bydcervigni
 
PPTX
How WordPress Sites Get Hacked
byAndrew Marks
 
PPTX
WordPress on Amazon ec2
bybelsien
 
PDF
8 Simple Ways to Hack Your Joomla
bySiteGround.com
 
PPT
WordPress Fav Plugins & Security
byThe Toolbox, Inc.
 
PPTX
WordCamp Boston WordPress plugins-8-2014
byThe Toolbox, Inc.
 
PDF
The moment my site got hacked
byMarko Heijnen
 
PPTX
Automated Intrusion Detection and Response on AWS
by2nd Sight Lab
 
PDF
Prevent Hacking: 10 Steps to Secure your WordPress Site
byDr. Rachna Jain
 
PDF
LF_APIStrat17_Don't Build a Death Star
byLF_APIStrat
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
byDan Vasile
 
WordPress.org & Optimizing Security for your WordPress sites
byGovLoop
 
10 Ways to Secure WordPress
byJeremy Green
 
WordPress Security
bySuzette Franck
 
How secure is WordPress ?
byEr. Narayan Koirala
 
Running WordPress on AWS
byJames Monek
 
Securing your WordPress site in 5 easy pieces
byKevin Koehler
 
A crash course in scaling wordpress
byGovLoop
 
Managing Multisite: Lessons from a Large Network
byWilliam Earnhardt
 
WordPress Security 101 - WordCamp Nairobi 2019
bystk_jj
 
Cm9 secure code_training_1day_input sanitization
bydcervigni
 
How WordPress Sites Get Hacked
byAndrew Marks
 
WordPress on Amazon ec2
bybelsien
 
8 Simple Ways to Hack Your Joomla
bySiteGround.com
 
WordPress Fav Plugins & Security
byThe Toolbox, Inc.
 
WordCamp Boston WordPress plugins-8-2014
byThe Toolbox, Inc.
 
The moment my site got hacked
byMarko Heijnen
 
Automated Intrusion Detection and Response on AWS
by2nd Sight Lab
 
Prevent Hacking: 10 Steps to Secure your WordPress Site
byDr. Rachna Jain
 
LF_APIStrat17_Don't Build a Death Star
byLF_APIStrat
 

Similar to WordPress Security Basics

PPT
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
PPT
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
PDF
WordPress Security 101 - Meetup Nairobi March 2020
bystk_jj
 
PDF
WordPress Security 101: Practical Techniques & Best Practices
byJonathan Hall
 
PDF
WordPress Security Best Practices 2019 Update
byZero Point Development
 
PDF
Head Slapping WordPress Security
byChris Burgess
 
PDF
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
PDF
Be Securious – Hack Your Own Site for Better Security
bysecuriously
 
PPTX
Professional WordPress Security: Beyond Security Plugins
byChris Burgess
 
PDF
How to boost your website engagement
byMIK Web Solutions
 
PPT
Is your Wordpress safe enough?
bysaidmurat
 
PDF
10 WordPress security measures you can implement today!
byToru Miki
 
PDF
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
byStuartJDavidson.com
 
PPTX
WordPress Security Best Practices
byZero Point Development
 
PDF
Secure wordpress
byPrabesh Thapa
 
PPTX
Wordpress security issues
byDeepu Thomas
 
PDF
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
byAaron Saray
 
PDF
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
PDF
WordPress Security 101
byManifest Creative
 
PDF
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
byWordCamp Sydney
 
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
WordPress Security 101 - Meetup Nairobi March 2020
bystk_jj
 
WordPress Security 101: Practical Techniques & Best Practices
byJonathan Hall
 
WordPress Security Best Practices 2019 Update
byZero Point Development
 
Head Slapping WordPress Security
byChris Burgess
 
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
Be Securious – Hack Your Own Site for Better Security
bysecuriously
 
Professional WordPress Security: Beyond Security Plugins
byChris Burgess
 
How to boost your website engagement
byMIK Web Solutions
 
Is your Wordpress safe enough?
bysaidmurat
 
10 WordPress security measures you can implement today!
byToru Miki
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
byStuartJDavidson.com
 
WordPress Security Best Practices
byZero Point Development
 
Secure wordpress
byPrabesh Thapa
 
Wordpress security issues
byDeepu Thomas
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
byAaron Saray
 
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
WordPress Security 101
byManifest Creative
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
byWordCamp Sydney
 

Recently uploaded

PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Supercharging Grafana with Community Plugins
byImma Valls Bernaus
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
PDF
Langchain4J - An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Supercharging Grafana with Community Plugins
byImma Valls Bernaus
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
Langchain4J - An Introduction for Impatient Developers
byJuarez Junior
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 

WordPress Security Basics

  • 1.
  • 2.
  • 3.
    Defense In Depth Theidea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.1 There is no single approach to security - have many layers. 1: https://en.wikipedia.org/wiki/Defenseindepth_(computing)
  • 4.
    Defense In Depth Layers: 1.Code 2. Authentication 3. Hosting
  • 5.
  • 6.
    Code What this sectionisn't: How to write secure code What this section is: How to make sure the code of your site is secure
  • 7.
    Code Keep your siteupdated • Auto updates for minor versions since 3.7 • Update to major versions as soon as possible
  • 8.
    Code Keep your pluginsand themes updated • The longer you wait, the more likely there's a vulnerability. • WPScan Vulnerability Database
  • 9.
    Code Only use pluginsand themes from reputable sources • Trusted brands/companies • Don't avoid paying money • Don't look for free versions of premium plugins/themes • The Plugin/Theme repo is your friend
  • 11.
    If the sitelooks like this...run!
  • 12.
  • 13.
    Authentication Use a strongpassword • Question...what is a strong password?
  • 14.
    Authentication Use one ofpreferably both of the following: • Password manager • Two-factor authentication
  • 15.
    Authentication Password Manager: • Programthat can create and securely store passwords • Allows you to use longer/more complex passwords without having to memorize or write them down
  • 16.
    Authentication Two-factor Authentication: • Somethingyou know - password, pin • Something you have - phone, YubiKey
  • 17.
    Authentication Passwords: Use a passwordmanager and/or two-factor authentication • LastPass, 1Password, Dashlane - Personal • Duo, Google Authenticator, etc. - Plugin If you can't do that, use a long but easy to remember password. • correct horse battery staple • [date]-[place]-[thing]: 1976-Switzerland-dragon
  • 18.
  • 19.
    Authentication Principle of leastprivilege: • Any user should only be able to access exactly what they need to and nothing else. • Don't make everyone an admin • Restrict user roles to only what is required • Use a plugin if necessary
  • 20.
  • 21.
  • 22.
    Hosting What to lookfor in a good hosting provider: • SSL • Firewall • Datacenter • Customer Support
  • 25.
  • 26.
    Disable File Editing Inwp-config.php: ## Disable Editing in Dashboard define('DISALLOW_FILE_EDIT', true);
  • 27.
    Limit Login Attempts •Make brute forcing passwords take much longer • Potentially block malicious attempts • Lots of plugins that do this • JetPack, Limit Login Attempts
  • 28.
    Backup Your Site •Helps in the event of a security incident • Able to roll back to an unaffected backup • Lots of plugins/services that do this • Backup Buddy, BackWPUp
  • 29.
    "Complete" Solutions • Nosolution is "complete" (Defense in Depth) • But...these have a lot of the features we talked about • iThemes Security - plugin • JetPack - plugin • Wordfence - plugin • Securi - hosting/security platform
  • 30.
    wpscan • Command-line utilityto scan a WP install for vulnerabilities • https://github.com/wpscanteam/wpscan • *ONLY USE ON SITES YOU OWN*
  • 31.
    Overview • Defense inDepth • Many layers of security • Code • Update your site/plugins/themes • Use reputable plugins/themes • Authentication • Password Manager/Two-factor Authentication • Principle of Least Privilege • Hosting • Look for emphasis on security (SSL, Firewall, Datacenter etc.)
  • 32.
  • 33.