Protect Your WordPress From The Inside OutSiteGround.com
The recent spike of hack attempts on various WordPress sites has made it more urgent than ever to take actions and secure your WordPress in the best possible way. In this webinar the WebDevStudios founders show the best practices and share insightful tricks how to protect your WordPress from getting hacked:
- WordPress Security Threats & Trends
- WordPress Admin Security Settings
- Securing Files, Folders & Databases
- Bullet Proof Passwords
- Vulnerable WordPress Extensions
- Recommended Plugins & Services
Have you secured your WordPress blog against hackers who are out to use your site for illicit purposes? If not, you risk losing your content, your rankings, maybe even your business. Implement the tips in this presentation to confound anyone who tries to hack your site!
WordPress Security Updated - NYC Meetup 2009Brad Williams
My updated WordPress Security presentation. Updated with more tips and information! This is a must read to keep your WordPress website safe!
Presented at the NYC WordPress Meetup on September 15, 2009
Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.
Protect Your WordPress From The Inside OutSiteGround.com
The recent spike of hack attempts on various WordPress sites has made it more urgent than ever to take actions and secure your WordPress in the best possible way. In this webinar the WebDevStudios founders show the best practices and share insightful tricks how to protect your WordPress from getting hacked:
- WordPress Security Threats & Trends
- WordPress Admin Security Settings
- Securing Files, Folders & Databases
- Bullet Proof Passwords
- Vulnerable WordPress Extensions
- Recommended Plugins & Services
Have you secured your WordPress blog against hackers who are out to use your site for illicit purposes? If not, you risk losing your content, your rankings, maybe even your business. Implement the tips in this presentation to confound anyone who tries to hack your site!
WordPress Security Updated - NYC Meetup 2009Brad Williams
My updated WordPress Security presentation. Updated with more tips and information! This is a must read to keep your WordPress website safe!
Presented at the NYC WordPress Meetup on September 15, 2009
Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.
Up and Running with WordPress - Site Shack Nashville Web DesignJudy Wilson
A simple slideshow that provides a brief look at the WordPress backstory + additional information and recommended sources for themes, security measures, hosts and more.
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
Presentation slides from Vladimir Lasky's talk on how to harden your WordPress website against would-be attackers and avoid inadvertently creating security holes.
Contains various tips and recommendations for off-the-shelf plugins to mitigate common security threats,
Presented on Sunday 6th November at WordCamp Gold Coast 2011.
WordPress itself is pretty secure. To secure your WordPress site, you need to look at the bigger security picture.
In this presentation, I give a rundown of many of the other pieces of the application stack that WordPress relies on, the various vectors that attackers can use, what what kinds of things you can do to help protect your site.
Download the original Keynote file for my presenter's notes with more details.
Even the best software engineers can open themselves up to threats with lazy coding. These slides cover the basics of web security, the most common attacks, and simple measures you can employ in order to prevent them.
This presentation covers coding best practices and the following types of attacks:
• XSS - Cross-Site Scripting
• XSRF - Cross-Site Request Forgery
• Session Hijacking
• SQL Injection
As Presented at OSCon 2014
If your application doesn't have APIs, it was probably written during the Cold War, or maybe written in Cold Fusion. Every application has APIs, and APIs need authentication. See how OAuth2 is robust enough to satisfy the demands of the enterprise, while still serving the smallest of side projects.
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013Bastian Grimm
My talk at #SMX Sydney 2013 featuring 40 tips on WordPress security, WordPress SEO as well as a huge set of plug-in recommendation to get the maximum out of WordPress.
Up and Running with WordPress - Site Shack Nashville Web DesignJudy Wilson
A simple slideshow that provides a brief look at the WordPress backstory + additional information and recommended sources for themes, security measures, hosts and more.
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
Presentation slides from Vladimir Lasky's talk on how to harden your WordPress website against would-be attackers and avoid inadvertently creating security holes.
Contains various tips and recommendations for off-the-shelf plugins to mitigate common security threats,
Presented on Sunday 6th November at WordCamp Gold Coast 2011.
WordPress itself is pretty secure. To secure your WordPress site, you need to look at the bigger security picture.
In this presentation, I give a rundown of many of the other pieces of the application stack that WordPress relies on, the various vectors that attackers can use, what what kinds of things you can do to help protect your site.
Download the original Keynote file for my presenter's notes with more details.
Even the best software engineers can open themselves up to threats with lazy coding. These slides cover the basics of web security, the most common attacks, and simple measures you can employ in order to prevent them.
This presentation covers coding best practices and the following types of attacks:
• XSS - Cross-Site Scripting
• XSRF - Cross-Site Request Forgery
• Session Hijacking
• SQL Injection
As Presented at OSCon 2014
If your application doesn't have APIs, it was probably written during the Cold War, or maybe written in Cold Fusion. Every application has APIs, and APIs need authentication. See how OAuth2 is robust enough to satisfy the demands of the enterprise, while still serving the smallest of side projects.
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013Bastian Grimm
My talk at #SMX Sydney 2013 featuring 40 tips on WordPress security, WordPress SEO as well as a huge set of plug-in recommendation to get the maximum out of WordPress.
Talk on Securing WordPress site at WordCamp Nepal 2012. I will be covering Top 10 Myths That We Live By and Building Secure WordPress Sites in Simple 10 Steps. Watch Video at http://wordpress.tv/2013/02/26/sakin-shrestha-building-secure-wordpress-sites/
WordPress Security Essential Tips & TricksFaraz Ahmed
WordPress essential security guide covers several essential security measures you need to take to protect your WordPress blog from script kiddies and hackers. With this guide you can protect your WordPress blog from malwares, content theft and if you are running e-commerce website you can protect data transmission and security of your web store.
For more tips tricks and updates subscribe to our blog and forums
http://trainings.com.pk
Common sense, simple security for WordPress. Many presentations have lots of complicated .htaccess tricks, moving/hiding files, etc. However, if people are overwhelmed with details, they tend to not do anything. If I were to summarize what you MUST do for security, I'd say:
1 - BACKUP - find a backup tool and use it. Subscribe to VaultPress.com or host your site with WPEngine.com or purchase BackupBuddy plugin and schedule regular backups. If you're short on cash, use BackWPUp plugin and download your wp-content folder.
2 - UPDATE - All plugins, themes, and WordPress at least once a month or whenever there is a security update. Sign up for an account at WordPress.org, so you'll get notices of WordPress security updates.
3 - DELETE -- All unused plugins and themes. These are your biggest security risks. Delete all unused copies of WordPress you might have installed on your server.
4 - BE CAUTIOUS - Don't use plugins willy nilly. Do some research. They are not all made the same, and they will leave you vulnerable to hacking.
5 - PASSWORDS -- Use strong, randomly generated passwords, all different, for everything - your hosting, ftp, WP login, and email. Use 1Password.com to track your passwords easily and securely.
6 - SECURITY PLUGINS -- Run Firewall 2 and Limit Login Attempts. There are others, but I don't know how well they play with others and what things they modify. You can check out Bulletproof Security and Better WP Security.
7 - BEST PRACTICES - See the slideshow for some other best practices regarding users, comments, etc.
If you just do the above 6 things systematically, you'll be far ahead of your peers! Good luck!
Presentation to YYC Bloggers Meetup on Plugins and Securing WordPress.
Geared to the beginner/average user. A presentation and discussion about the basic steps to better manage your WordPress site/blog.
WordPress Customization & Security
Presented By: Joe Casabona and Phil Erb
Track: Technology
Session Format: Co-Presentation
Description: WordPress is one of the most popular blogging platforms used today and if you’re using it already, you already know its benefits – but let’s take things a step further. In this session, Joe and Phil will dive into how to customize your WordPress blog and theme so that it reflects your brand and serves up your content in the best ways possible, ways to make your WordPress blog more secure (and how to monitor it so that it stays that way!), and other techniques and technologies to make the most of this content management system.
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Bastian Grimm
My talk at #SAScon Manchester 2013 about WordPress security and how to make your WordPress (a bit) safer. Including two factor authentification, a lot of security specific settings and much more :)
Its all about WordPress security, how you can protect your WordPress setup.
Content:
Security Statistics
Security tips
Recommended plugins and services
Securing Your WordPress Website by Vlad Laskywordcampgc
Vlad is a computer systems engineer with a humorous and educational story to tell about WordPress security. This presentation gives every WordPress site administrator tips on how to harden their site against would-be attackers and avoid inadvertently doing things that could compromise site security.
WordPress is the most popular Blogging platform now a days. Many high profile companies are using WordPress as there Blogging platform. Have you ever thought about the security of your blog running WordPress ?? This presentation was presented On 13th Feb 2010, At Nagpur PHP Meetup by me.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
2. • Use complex usernames & passwords
• Check file permissions have minimum access
• Update software often & regularly
• Use security firewalls & scan regularly
• Consider using 2-factor authentication
• Stick to reputable theme providers
• Uninstall unused code/themes/plugins
• Lock all doors, windows & switch off Internet!
@DeveloperWil #wpsyd
TL;DR
3. • Chinese General
• Military Strategist
• Philosopher
• Born ~512BC
Book: The Art of War
http://www.classicly.com/read-the-art-of-war-online-free/page/1
@DeveloperWil #wpsyd
Introducing Sun Tzu
4. “Victorious warriors win first and then
go to war, while defeated warriors go to
war first and then seek to win.”
Don’t wait until your site gets hacked
first. Lock it down today and get
ready to defend it!
@DeveloperWil #wpsyd
Sun Tzu Says…
5. “To know your Enemy, you
must become your Enemy”
Learn how hackers try to get into your
site so you can pre-emptively fix it
and be ready for what is to come.
@DeveloperWil #wpsyd
Sun Tzu Says…
6. “Even the finest sword plunged into
salt water will eventually rust.”
Just because your site is secure today,
doesn’t mean it can’t get hacked
tomorrow, next month or next year.
Review & update regularly.
@DeveloperWil #wpsyd
Sun Tzu Says…
7. YOU ARE AT WAR
WITH MULTIPLE
UNKNOWN
ENEMIES
@DeveloperWil #wpsyd
8. There is always a current threat
The worst type of threats are those you
don’t know about
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
@DeveloperWil #wpsyd
SO BE PREPARED
Security Is Cyclic
9. Locked in a deep dark basement
No internet connection
No user interaction
Switched off!
= Pretty useless website
= There is a balance to be had
@DeveloperWil #wpsyd
Ultimate Secure Site
10. Everything is Hackable
@DeveloperWil #wpsyd
Best we can do is make our site
less attractive than others to hack
into.
Would you attempt to break into
this car?
https://www.youtube.com/watch?v=aLhWzMOccTg
Before We Start
11. The most vulnerable part of your
website is…
YOU
Buy this book!
@DeveloperWil #wpsyd
Before We Start
12. Do not leave new WordPress sites in “setup
mode”. Complete the entire setup process.
Hackers can find WordPress setup pages and
install their own site – aka “WPSetup Attack”
Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/
@DeveloperWil #wpsyd
New WP Installations
Fundamentals
13. Beware when ordering a new SSL certificate
for a brand new WordPress website.
Hackers monitor SSL certificate transparency
report +30mins after new certificate being
issued.
They can take over your new site before you
complete the installation process.
Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/
@DeveloperWil #wpsyd
New Sites & SSLs
Fundamentals
15. Don’t replace letters with numbers or symbols.
Simple character substitution is weak.
butterfly → 8utt3rfly
This no longer works and takes
just a few days to crack!
Ref: https://pages.nist.gov/800-63-3/sp800-63b.html
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
16. Avoid personal / social information
• Name and memorable bates: DoB, Marriage
• Fav footie club name, car rego, house
number
Examples of Bad Passwords
Bob1976 Swans2017 !2Nancy
The Password Paradox And Why Our
Personalities Will Get Us Hacked
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
17. 1) Use a random 16 (at least) character password
UPPER, lower, d1g1ts, punctuat!on
b9G#Z4YVemTN^X6S
2) Use 4 random words stringed together:
correct horse battery staple
correcthorsebatterystaple
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
18. Random character & multi-word passwords
= difficult for you to remember
= difficult for hackers to guess ☺
Try to avoid reusing the same password on
multiple sites.
Read The Real Life Risks Of Re Using The Same
Passwords
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
19. Use a password service such as LastPass
Local 256-bit encryption, SSL data
transfer, 2-factor authentication
Free 14-day Last Pass Trial
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
20. Consider forcing users to have a strong
password
Force Strong Passwords plugin.
http://wordpress.org/plugins/force-strong-
passwords/
Gives more flexibility than built-in WordPress
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
21. Only allow one login per device.
Restrict logins under same username on
multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin
http://wordpress.org/plugins/wp-bouncer/
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
22. Change the default WordPress salt keys in wp-
config.php
WordPress uses cookies to store session
information. These are hashed with MD5 +
salt keys in the wp-config.php file
https://api.wordpress.org/secret-key/1.1/salt/
@DeveloperWil #wpsyd
Session Safety: Salk Keys
Fundamentals
23. Restrict the number of users with the
Administrator role.
You do need at least 1 Admin user to
administer the site – do you need any more
than that?
Editor role is sufficient for somebody to manage
90% of all the site’s day-to-day content.
@DeveloperWil #wpsyd
Admin & Editor Users
Fundamentals
24. Understanding Linux file permissions is key
@DeveloperWil #wpsyd
Linux File Permissions
Files & Perms
25. Each file and directory has three user based
permission groups:
• u – the user who owns the file or directory (owner)
• g - the group to which the user belongs
• o - all other users on the system (not owner or
user’s group), this is the permission group that you
want to watch the most.
@DeveloperWil #wpsyd
Permission Groups
Files & Perms
26. Each file or directory has three basic
permission types:
• r - a user's capability to read the contents of the file
• w - a user's capability to write or modify a file or
directory
• x - a user's capability to execute (run) a file or view
the contents of a directory.
@DeveloperWil #wpsyd
Permission Types
Files & Perms
27. In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may insist you set
/wp-content/uploads to 777
Move to another hosting company!
@DeveloperWil #wpsyd
Files, Folders & Permissions
Files & Perms
28. Probably your three most important sys files are:
.htaccess (Apache Web Server)
= permalinks, redirects, error files, directory pswds, etc
This should be locked down to CHMOD 444
php.ini
= PHP version, extensions, remote opens, file uploads, etc
wp-config.php
= WordPress DB username & password, Salts
These should be locked down to CHMOD 440
@DeveloperWil #wpsyd
Config Files & Permissions
Files & Perms
29. Malware can be hidden in Themes, Plugins &
other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $199.99 per site per
year
@DeveloperWil #wpsyd
Malware Clean Server
Files & Perms
30. Update WordPress Core, Themes and Plugins
regularly = at least weekly
ManageWP service good for multiple sites
https://managewp.com
@DeveloperWil #wpsyd
Update Regularly
WordPress
31. Automatic Updates are in WordPress core for
point releases only by default.
For more control, in wp-config.php
define( 'WP_AUTO_UPDATE_CORE', true );
• true - Development, minor, and major updates are all
enabled
• false - Development, minor, and major updates are all
disabled
• 'minor’ - Minor updates are enabled, development, and
major updates are disabled
@DeveloperWil #wpsyd
Update Regularly
WordPress
32. In your theme’s functions.php
add_filter( 'auto_update_plugin', '__return_true’ );
add_filter( 'auto_update_theme', '__return_true’ );
For specific plugin & theme updates see:
https://codex.wordpress.org/Configuring_Automatic_Background_Updates
@DeveloperWil #wpsyd
Update Plugins & Themes
WordPress
33. Especially “free” themes and torrents
– Likely to contain spam links & malware
– Malware can read your wp-config.php file and
email it to the hacker = you’re screwed
– Don’t use themes or plugins from torrent sites!
– Always try to download from original source
Read: http://premium.wpmudev.org/blog/free-wordpress-
themes-ultimate-guide/
@DeveloperWil #wpsyd
Beware “Free” Premium Downloads
34. Search through files for:
Base64_decode edoced_46esaB and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker
http://wordpress.org/plugins/tac/
Exploit Scanner
http://wordpress.org/plugins/exploit-scanner/
@DeveloperWil #wpsyd
Beware “Free” Premium Downloads
35. Not all Base64_decode function calls are evil!
WordPress uses the function extensively
throughout the core.
Should be easy to decode and work out if good
or bad in plugins or themes.
@DeveloperWil #wpsyd
What is Base64?
36. In general
• Not being maintained
• No security issues being fixed
• Uses outdated/flawed functions/practices
• Known exploit vectors available on Interwebs
@DeveloperWil #wpsyd
Avoid Old Plugins
WordPress
37. Popular image/thumbnail resizing script
Bundled in many older themes and plugins
Responsible for many many WordPress
security breaches
“The ability for a site visitor to load content from a
remote website and to make the web server write that
remote content to a web accessible directory is the cause
of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
@DeveloperWil #wpsyd
Beware of TimThumb
WordPress
38. Script was “fixed” of exploits however old
versions still lurk out there.
Search for TimThumb and check you are using
the “fixed” version 2.8.14
https://code.google.com/p/timthumb/
@DeveloperWil #wpsyd
Beware of TimThumb
WordPress
39. The nature of TimThumb still makes it
potentially very dangerous to have on your
site.
TimThumb is no longer supported or
maintained as of Sept 2014
http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
Read this:
https://zeropointdevelopment.com/timthumb-is-evil/
@DeveloperWil #wpsyd
Beware of TimThumb
WordPress
40. Won’t make your site “secure” from hacks
Will encrypt the data transmitted between
computer and server
More on SSL certificates at
https://letsencrypt.org/docs/faq/
@DeveloperWil #wpsyd
SSL Certificates
41. If you have an SSL certificate..
Force all Dashboard and Logins to use HTTPS
In wp-config.php
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
@DeveloperWil #wpsyd
HTTPS Dashboard
WordPress
42. Gives additional level of security.
WordFence plugin is recommended:
http://www.wordfence.com/
Scans for…
malware, TimThumb, differences in core/plugin/theme files from
repository, new available updates, login limiter, force strong
passwords, trojans, SQL injection, DNS changes, files outside
WordPress folder, hide login errors, prevent creating ‘admin’
user, country blocking*, cell phone sign-in*, advanced scheduled
scans*, Cryptocurrency miners
*premium functions
@DeveloperWil #wpsyd
Software Firewalls
WordPress
43. New breed of malware (ref: The rise of cryptocurrency miners as
malware).
JS cryptocurrency miner (mostly Coinhive).
Runs in browser when visitor opens infected
page.
Uses 100% of your computer’s CPU power.
Grey area between legit use & as malware:
• Some firewall & malware scanners look past
mining code
• Wordfence detects known miner scripts
@DeveloperWil #wpsyd
Cryptocurrency Miners
New Threat
44. Brute force attacks try to repeatedly guess
username & password.
Block IP address after X number of
unsuccessful login attempts within a time
period.
Limit Login Attempts Reloaded plugin
https://wordpress.org/plugins/limit-login-attempts-reloaded/
@DeveloperWil #wpsyd
Prevent Login Attempts
WordPress
45. Don’t give the hackers a
helping hand
Remove that info!
Add this to functions.php
add_filter(‘login_errors', '__return_null');
@DeveloperWil #wpsyd
Don’t Show Login Errors
WordPress
46. There is NO EXCUSE not to back up your
entire site frequently (real-time, hourly, daily,
weekly).
Back up to email https://wordpress.org/plugins/updraftplus/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy https://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency.
Can you restore from an issue that’s been happening for 2
months?
Check your backup files – do a test restore!
@DeveloperWil #wpsyd
Back Your Site Up
WordPress
48. Using another device to generate an
authentication code e.g. Mobile phone app
WP Login Details + Authenticator Code = 2FA
Google Authenticator
@DeveloperWil #wpsyd
Two Factor/Two Step Authentication
49. WordPress stores user passwords in the database as
salted MD5 hashes using Portable PHP password
hashing framework
e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP.
Passwords themselves are not stored in the DB
Password can be replaced in DB with MD5 hash.
After login it’s replaced by a salted MD5 hash.
@DeveloperWil #wpsyd
PASSWORD TYPE
PASSWORD HASH
WordPress Password Storage
50. MD5 hash designed for high volume, not security.
“collision resistance” ~264 MD5 has been broken
but not resistance to preimages or second-
preimages.
MD5 + salts still poor choice as it’s designed to be
fast. Modern GPUs generate billions of candidate
passwords per second i.e. brute force
Ref: https://en.wikipedia.org/wiki/MD5
Ref: https://en.wikipedia.org/wiki/Collision_attack
Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-
1996
@DeveloperWil #wpsyd
Is MD5 Insecure?
51. Bcrypt is an adaptive hashing algorithm.
Bcrypt intentionally takes a relatively long time
to be calculated; over time, the iteration count
can be increased to make it even slower.
This is done intentionally to resist brute force
attacks as computational power increases.
Ref: https://en.wikipedia.org/wiki/Bcrypt
@DeveloperWil #wpsyd
Bcrypt Alternative
53. Is two factor authentication
not enough for you?
Biometric authentication uses part of our own
body as the second verification part.
This is going to be the normal way of
authenticating with systems in the not-so-
distant future.
@DeveloperWil #wpsyd
Biometric Authentication
54. @DeveloperWil #wpsyd
Fingerprint via mobile phone
https://wordpress.org/plugins/rapid-secure-login/
Fingerprint and facial recognition via mobile phone
https://wordpress.org/plugins/launchkey/
Biometric Authentication
55. Move the wp-content folder to a new location.
Add the following into wp-config.php before
the line: /* That's all, stop editing! Happy blogging. */
define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');
define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes
may have hard-coded wp-content location.
@DeveloperWil #wpsyd
Move wp-content Folder
56. Use .htaccess to protect your wp-config.php
file
<files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can access the wp-config.php file now
except for the web server owner.
@DeveloperWil #wpsyd
Protect wp-config.php
57. Use .htaccess to stop SQL injection attacks on
form fields and URLs.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any requests or changes to global variables
containing <script> gets blocked.
@DeveloperWil #wpsyd
SQL Injection Protection
58. Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing
Options –Indexes
@DeveloperWil #wpsyd
Prevent Directory Browsing
59. Password protect wp-admin folder using
cPanel and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-
wordpress-admin-wp-admin-directory/
@DeveloperWil #wpsyd
Secure wp-admin Folder
60. Open the .htaccess file located in your /wp-
admin/ folder (NOT the main .htaccess in root).
In the wp-admin .htaccess file, paste the
following code:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
@DeveloperWil #wpsyd
Allow Admin Ajax
61. Remove the WordPress dashboard Editor
for themes and plugins
Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);
@DeveloperWil #wpsyd
Disable User File Editor
62. Default MySQL DB table prefix is wp_
Change before installing new WordPress
sites.
Add to wp-config.php
$table_prefix = ‘mynewprefix_';
Existing websites – use WP Prefix Changer
https://wordpress.org/plugins/wp-prefix-changer/
@DeveloperWil #wpsyd
Change Default Table Prefix
63. Does nothing to enhance security.
Once an attacker has access to your DB they
can easily find the table prefix.
@DeveloperWil #wpsyd
SELECT DISTINCT SUBSTRING(`TABLE_NAME`
FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) )
FROM information_schema.TABLES
WHERE `TABLE_NAME` LIKE '%postmeta';
Output: wp_
Ref: Changing WordPress' default table prefix does nothing to enhance
security
Change Default Table Prefix
64. Monitor who does what on your WordPress
site.
Stream: http://wp-stream.com/
@DeveloperWil #wpsyd
Be “Big Brother”
65. Using .htaccess
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login
@DeveloperWil #wpsyd
Change wp-login.php
67. Add to .htaccess:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/
@DeveloperWil #wpsyd
Change /wp-admin/ - Step 2
68. Add to .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Replace 123.123.123.123 with your own computer’s
IP if you use the WordPress mobile app. Remove line
5 to completely block all XML-RCP requests to your
site.
Note: this will stop Jetpack, official WP mobile app,
trackbacks and pingbacks from working.
@DeveloperWil #wpsyd
Disable XML-RPC
69. Known as DoS or DDoS (distributed).
Consider using Cloudflare.
@DeveloperWil #wpsyd
Attack Without Cloudflare Attack With Cloudflare
Denial of Service Attacks
70. Stay up to date with these additional security
resources.
National Vulnerability Database (WordPress)
Wordfence Blog and Free Security Scan
Sucuri Blog
Hardening WordPress from wordpress.org
WPScan Vulnerability Database
Zero Point Development Blog
@DeveloperWil #wpsyd
More Resources
71. Get my free eBook.
Yours to keep
forever.
@DeveloperWil #wpsyd
Get My eBook
goo.gl/k5brQE
Free Ebook
72. Did I miss anything?
Tweet to @DeveloperWil
@DeveloperWil #wpsyd
All Done!