This talk is all about the common security threads WordPress websites face. The audience will learn the type of attacks that WordPress websites get, how users will measure the security and how they will protect WordPress websites from the common security threads. The session easy suitable for any WordPress user, developer or enthusiast. It’s a 25 minutes session in the English language.

1. WordPress
Security Fundamentals

2. ABUL KHAYER
CTO, Search English Limited
Proprietor, Biggestech
Deputy, WordPress Community Team
Organizer, Dhaka WordPress Meetup
About Me

3. Type of Attacks
that are Threat
to WordPress Sites

4. SQL Injection Attack
Attack Types [1]
Image Source: acunetix.com

5. Cross Site Scripting (XSS)
Attack Types [2]
Image Source: acunetix.com

6. Attack Types [3]
Brute Force Attack
Image Source: security.stackexchange.com

7. Attack Types [4]
Session Hijacking Attack
Image Source: geeksforgeeks.org

8. Cross Site Request Forgery (CSRF) Attack
Attack Types [5]
And more…
Image Source: securityevaluators.com

9. Topics of Discussion

10. • General Measures of Security
• Security Measures using Plugin while Developing a Website
• Advance Security Measures while Developing Website with
less dependency on Plugin
• Advanced Security Measures while Developing Plugin/Theme
Topics of Discussion!

11. General
Measures of Security

12. General Measures of Security [1]
• Quality Web Hosting
– Always up to date
– Backup provision
– Web Application Firewall (WAF) provision
– Get Virus Scanner, like ClamAV
• SSL Certificate
– Security through Data Encryption
• Use CDN
– A Layer in Internet Ecosystem

13. General Measures of Security [2]
• Keep your Website up to Date
– Get latest security updates
– Stay safe from latest threats
• Use Safe Theme/Plugin
– Avoid Nulled or Cracked derivatives
– Avoid Low Rated or Untested things
– Remove unused Theme/Plugins

14. General Measures of Security [3]
• Use Captcha in Login Forms
– Stay away from Brute-Force Attack
– Stay safe from Bot Attempts
• Use Spam Protection Mechanism
– Use Akismet, the best one
– Use Antispam Bee

15. General Measures of Security [4]
• Use Safer Password
– Make it using Alphabet, Letter, Symbol
– Make it Long
– Never save it on a Open File or Browser
• Hide the Admin Name
– Don’t use default username “admin”
– Rename the Nick and Profile Name of System Admin

16. General Measures of Security [5]
• Change your Secret Keys in “wp-config.php”
Generate: https://api.wordpress.org/secret-key/1.1/salt/
define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );
define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' );
define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );
define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );

17. Security Measures
using Plugin
while Developing a
Website

18. Security Measures using Plugin [1]
• Creates Firewall
• Real-time Monitoring
• Stronger Login Practice
• Repair Files by Overwriting
• Scans Suspicious Contents
• Block various type of Threats Attempts
• Sends Alert on Vulnerability over Email
• Scan Core, Plugins, Themes, and other Files
• Finds Injections, Redirection Codes etc

19. Security Measures using Plugin [2]
• Limits Login Attempts
• Customize Login Page URL
• Prevent Brute Force Attacks
• Restrict Access from IP
• Log Users Attempts
• Block User on Prohibited Username Attempt
• Adds reCaptcha
• Disable Right Click
• Removes Version Info from CSS/JS
• Removes WP Generated Meta from HTML
• Backup of Security Settings
• Scheduled Database Backup
All In One WP Security & Firewall

20. Security Measures using Plugin [3]
• Track Post/Page/Tag/Comments Activities
• Track Widget/Menu Change
• Track Core and System Settings Change
• Track User/Profile Changes
• Track Forum, Ecommerce Shop Changes

21. Security Measures using Plugin [4]
• Change Theme Style File-name
• Change Plugins URL
• Change Individual Plugin URLs
• Custom Upload URL
• Remove WordPress Version

22. Security Measures using Plugin [5]
• SQL Injection Attack Prevention
• XSS and CSRF Attack Prevention
• Brute Force Attack Prevention
• Blocks Direct Access to PHP Files
• Disable Directory Listing
• Minify CSS

23. Security Measures using Plugin [6]
• Backup Database, Settings, Theme, Plugin, Images etc.
• Download Backup as Zip or Tar
• Run Schedule Backup as Daily / Weekly / Monthly
• Store Backup on Remote FTP Server
• Store Backup on Dropbox/Google Drive
• Send Backup to Email Address

24. Security Measures using Plugin [7]
• On-Change File Comparison to check Vulnerability
• Can Expire Password to Reset new Password
• Generates Strong Password with Salt
• Two Factor Authentication
• Malware Scanner
• Login Captcha

25. Advance Security Measures
while Developing Website
with less dependency on Plugin

26. Advanced Security Measures without Plugin [1]
Add an Extra Layer of Protection on Login Page:
<Files wp-login.php>
AuthUserFile ~/.htpasswd
AuthName "Private Access"
AuthType Basic
require user MySecretUsername
</Files>
MySecretUsername:$apr1$KW5IP
d9r$/C4HkGhAX7WqaOrJ1k9my1
.htaccess .htpasswd
Hash Pass Generator: http://www.htaccesstools.com/htpasswd-generator/

27. Restrict visiting Admin Panel by IP:
# Block Access to WP-Admin
order deny, allow
allow from 172.0.0.1
deny from all
.htaccess
Advanced Security Measures without Plugin [2]

28. Disable Directory Listing:
Options All -Indexes
.htaccess
Advanced Security Measures without Plugin [3]

29. Show Error Page while User is trying Unknown URLs/Pages:
# Way One
ErrorDocument 404 "<H1>Page not found</H1>"
# Way Two
ErrorDocument 404 /not-found/
.htaccess
Advanced Security Measures without Plugin [4]

30. Restrict visiting WordPress Configuration File:
# PROTECT CONFIG FILE
<files wp-config.php>
Order deny, allow
Deny from all
</files>
.htaccess
Advanced Security Measures without Plugin [5]

31. Restrict Execution of PHP Code in “Uploads” Directory:
# Kill PHP EXECUTION
<Files ~ ".ph(?:p[345]?|t|tml)$">
deny from all
</Files>
.htaccess
Advanced Security Measures without Plugin [5]

32. Implement Security using “mod_rewrite”, the Module
Enable HTTP Strict Transport Security
Enable (XSS) Filter
Hide Server Application Information
Restrict Visiting Open Directories
Block Access to Hidden Files
And, many more…
Source: http://htaccess.DB-Dzine.com/en-us
Advanced Security Measures without Plugin [6]

33. Disable File Editing in the WordPress Dashboard/Panel
Force Admin to use https:// (SSL Certificate enabled Path)
# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
wp-config.php
Advanced Security Measures without Plugin [7]
# Force Admin to use SSL
define('FORCE_SSL_ADMIN', true);
wp-config.php

34. If Host has the Provision, then allow FTPS
If Host has the Provision, then allow SFTP
# Enable FTPS
define('FTP_SSL', true);
wp-config.php
Advanced Security Measures without Plugin [7]
# Enable SFTP
define('FS_METHOD', 'ssh2');
wp-config.php

35. Disable Creating Error Log
Disable Showing Error Log
# Disable Debug Mode
define('WP_DEBUG', false);
wp-config.php
Advanced Security Measures without Plugin [8]
# Disable Front-end Error Logging
define('WP_DEBUG_DISPLAY', false);
wp-config.php

36. Enable Auto WordPress Version Update
Get Security Updates and more… Stay safe…
# Enable Auto WordPress Update
define('WP_AUTO_UPDATE_CORE', true);
wp-config.php
Advanced Security Measures without Plugin [8]

37. Advanced Security Measures
while Developing Plugin/Theme

38. Follow the Important Rules
Don’t Trust any Data
Rely on the WordPress API
Keep your codes Up to Date
Security while Developing Plugins/Themes [1]

39. Validate your Data using PHP Functions
Security while Developing Plugins/Themes [2]
Functions Description
isset() , empty() Value has or not
mb_strlen() , strlen() Identify whether String length is valid or not
preg_match() , strpos() Find certain characters inside String
in_array() Find whether your element exists in the Array or not
strip_tags() Removes HTML Tags from your String
filter_var() Identify Email, URL, Variable Type etc.
md5() , sha1() Secure your Password

40. Validate your Data using WordPress Functions
Security while Developing Plugins/Themes [2]
Functions Description
is_user_logged_in() Whether current user is Logged-in or Not
username_exists() , email_exists() Whether Username or Email exists or not
term_exists() Whether a Tag, Category or Term exists or not
validate_file() Whether a File Path valid or not
is_admin_bar_showing() Whether Admin Bar is visible or not

41. Secure your Input Data (Sanitize) using WordPress Functions
Security while Developing Plugins/Themes [3]
Functions Description
sanitize_email() Filters Email Address
sanitize_file_name() Filters File Name
sanitize_key() Filters the Internal Keys
sanitize_user() Filters the Username
sanitize_text_field() Filters the Input Fields
sanitize_title() Filters the Title
sanitize_sql_orderby() Filters Order By Clauses of SQL Queries
Sample Code: sanitize_####( $email );

42. Secure your Output Data (Escape) using WordPress Functions
Security while Developing Plugins/Themes [4]
Functions Description
esc_html() Prints safe HTML code, Removes Tags
esc_url() Prints safe URL, Removes unsafe Characters
esc_js()
Helps executing PHP codes inside JavaScript, escaping Single
Quotes, HTML Special Characters and fixing Line Endings
esc_sql() Helps to filter the Strings within SQL Queries
esc_attr() Helps to filter the Attributes inside HTML tags for keeping XSS Safe
Sample Code: <h2><?php echo esc_####( $url ); ?></h2>

43. Use “Nonces” to Prevent CSRF Attacks
Security while Developing Plugins/Themes [4]
Helps to add a Token while moving from an URL to another

44. Avoid writing Traditional Query
Security while Developing Plugins/Themes [5]
Unsafe

45. Avoid writing Traditional Query
You can hide Database Errors for Safety
Security while Developing Plugins/Themes [5]
Safe

46. Avoid using Deprecated Codes
Test your WordPress Website Online
Security while Developing Plugins/Themes [6]
https://developer.wordpress.org/reference/
https://wpscans.com/

47. • General Measures of Security
• Security Measures using Plugin while Developing a Website
• Advance Security Measures while Developing Website with
less dependency on Plugin
• Advanced Security Measures while Developing Plugin/Theme
Recap

48. Any Question?

49. www.abulkhayer.com
www.facebook.com/MyselfKhayer
+8801683551692
info@abulkhayer.com
ThankYou