10 WordPress security measures you can implement today!

1,774 views

Slide for WordPress Meetup Tokyo #23, 23 May 2015.

Published in: Internet

1. 10 WordPress Security Measures You Can Implement Today!
   WordPress Meetup Tokyo #23 — May 2015
   Toru Miki
2. Toru Miki
   Assistant Webmaster at Temple University, Japan Campus
   WordPress experience: 9 years
   https://profiles.wordpress.org/toru
3. #1 Secure your local environment
   • Use good internet security software
     • Antivirus
     • Firewall
     • Antispam
     • etc.
4. #2 Secure file transfer
   • Use
     • SSH
     • FTPS
     • SFTP
   • Stop using
     • FTP
   • Does your hosting server only allow FTP? Move!
   Command-line / client software
   • WinSCP
   • FileZilla
   • Cyberduck
   • Transmit
   • …
5. #3 Update, update, update!
   • Core
     • Minor updates (e.g. 4.1.x, 4.2.x, 4.3.x, etc.) are security fixes
     • Major updates (e.g. 3.x, 4.x, 5.x, etc.) include lots of bug fixes too
   • Themes
   • Plugins
   • If you are a developer — libraries/scripts you have used
     • E.g. TimThumb script
       http://wptavern.com/wordpress-security-alert-new-zero-day-vulnerability-discovered-in-timthumb-script
6. #4 Strong password
   • Stronger password =
     • harder for others to guess
     • harder for a brute-force attack to succeed
   • At least 8 characters; include uppercase letter(s), special character(s) and number(s); not found in the dictionary
   • E.g. K#5r!g3y
7. #4 Strong password
   Maximum time needed to crack a password by brute force, by type of letters used and number of characters (password lengths of 4, 6, 8 and 10 characters, as in the IPA table)

   Type of letters used | Available number of letters | 4 chars | 6 chars | 8 chars | 10 chars
   English alphabet (uppercase not distinguished) | 26 | 3 sec. | 37 min. | 17 days | 32 yrs.
   English alphabet (lower & upper) + number | 62 | 2 min. | 5 days | 50 yrs. | 0.2m yrs.
   English alphabet (lower & upper) + number + special character | 93 | 9 min. | 54 days | 1000 yrs. | 10m yrs.

   Ref: IPA (Information-technology Promotion Agency, Japan): Status of computer virus and unauthorized access reports [September 2008 and third quarter]
   http://www.ipa.go.jp/security/txt/2008/10outline.html
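The arithmetic behind this table, as an added example that is not part of the slides: the worst-case search is the alphabet size raised to the password length, divided by the guess rate. The rate of 140,000 guesses per second is an assumption back-solved from the slide's own figures, so the output only approximates the IPA numbers.

```python
# Added example, not from the slides: the arithmetic behind the table above.
# Worst case, brute force tries every combination: alphabet_size ** length.
# GUESSES_PER_SEC is an assumption back-solved from the slide's figures
# (the IPA source's own rate did not travel with the slide).
GUESSES_PER_SEC = 140_000

ALPHABETS = {
    "English alphabet (uppercase not distinguished)": 26,
    "English alphabet (lower & upper) + number": 62,
    "English alphabet (lower & upper) + number + special character": 93,
}
LENGTHS = (4, 6, 8, 10)
YEAR = 365 * 86400


def crack_seconds(alphabet_size, length, rate=GUESSES_PER_SEC):
    """Worst-case seconds to exhaust the keyspace at `rate` guesses per second."""
    return alphabet_size ** length / rate


def humanize(seconds):
    """Round to the unit the slide uses (sec, min, days, yrs)."""
    for unit, size in (("yrs", YEAR), ("days", 86400), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:,.0f} sec"


def crack_table(rate=GUESSES_PER_SEC):
    """Map each alphabet description to its humanized times for LENGTHS."""
    return {name: [humanize(crack_seconds(n, L, rate)) for L in LENGTHS]
            for name, n in ALPHABETS.items()}


if __name__ == "__main__":
    for name, row in crack_table().items():
        print(f"{name:62s}", "  ".join(f"{t:>12s}" for t in row))
```

Doubling the length from 4 to 8 characters multiplies the work by the alphabet size squared twice over, which is why the table's rows grow from seconds to years.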
8. #4 Strong password
   • WordPress’ password strength meter
   • Password manager software
     • 1Password - https://agilebits.com/onepassword
     • LastPass - https://lastpass.com/
9. #5 Two-step authentication
   • = Two-factor authentication/verification
   • 2nd layer of secure login
   • Plugins (e.g.)
     • Google Authenticator - https://wordpress.org/plugins/google-authenticator/
     • Rublon - https://wordpress.org/plugins/rublon/
     • Jetpack - https://wordpress.org/plugins/jetpack/
       • Use the “sign in using your WordPress.com account” feature, and utilize its “Two Step Authentication” feature
   • E.g. Using Google Two-Factor Authentication With WordPress - Tuts+ Code Tutorial
     http://code.tutsplus.com/tutorials/using-google-two-factor-authentication-with-wordpress--cms-22263
10. #6 Limit access to /wp-admin/
   • Limit by password protection (e.g. BasicAuth)
     • http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php
     • create .htpasswd
     • edit .htaccess
   • Limit by IP address
     • http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
   • For both methods, watch out for plugins which use admin-ajax.php
     • http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
11. #7 Set the file permissions right
   • WordPress Codex’s recommendations are…
   • All directories should be 755 or 750
     find . -type d -print -exec chmod 755 {} \;
   • No directory should ever be given 777
   • All files should be 644 or 640
     find . -type f -print -exec chmod 644 {} \;
   • Except wp-config.php, which should be 440 or 400
     chmod 440 wp-config.php
   Changing File Permissions « WordPress Codex
   https://codex.wordpress.org/Changing_File_Permissions
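An added example (not from the slides or the Codex) that audits a WordPress tree against these recommendations and then applies them the way the find/chmod lines do. It assumes a POSIX filesystem and builds a constructed sample tree in a temp directory; the reason strings and function names are my own.

```python
# Added example, not from the slides: audit a WordPress tree against the Codex
# recommendations above, then apply them as the slide's find/chmod lines do.
# Assumes a POSIX filesystem; the sample tree is constructed in a temp dir.
import os, stat, tempfile

DIR_OK, FILE_OK, WP_CONFIG_OK = {0o755, 0o750}, {0o644, 0o640}, {0o440, 0o400}

def path_and_mode(dirpath, name):
    p = os.path.join(dirpath, name)
    return p, stat.S_IMODE(os.lstat(p).st_mode)   # permission bits only

def audit_permissions(root):
    """Return (path, octal mode, reason) for every file or directory off spec."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p, m = path_and_mode(dirpath, d)
            if m & stat.S_IWOTH:          # 777 and anything else world-writable
                findings.append((p, oct(m), "world-writable directory"))
            elif m not in DIR_OK:
                findings.append((p, oct(m), "directory not 755/750"))
        for f in filenames:
            p, m = path_and_mode(dirpath, f)
            if f == "wp-config.php" and dirpath == root:
                if m not in WP_CONFIG_OK:
                    findings.append((p, oct(m), "wp-config.php not 440/400"))
            elif m not in FILE_OK:
                findings.append((p, oct(m), "file not 644/640"))
    return findings

def harden(root):
    """Same effect as the slide's find ... chmod commands plus wp-config.php."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            is_config = f == "wp-config.php" and dirpath == root
            os.chmod(os.path.join(dirpath, f), 0o440 if is_config else 0o644)

def make_sample_tree():
    """Constructed fixture: a 777 wp-content directory and a too-open config."""
    root = tempfile.mkdtemp(prefix="wp-")
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    for name in ("index.php", "wp-config.php"):
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), 0o644)   # fine for index.php, not config
    return root
```

Running audit_permissions on a real install before and after harden shows exactly which paths the two find commands touched; files that must stay writable by the web server (uploads, caches) are a site-specific decision the slide does not cover.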
12. #8 Disable file editing
   • By default, administrators can edit Theme and Plugin files from the dashboard. This feature can be used by an attacker to insert malicious code…
   • To disable editing files in the dashboard, add this to wp-config.php:
     define('DISALLOW_FILE_EDIT', true);
   • http://codex.wordpress.org/Hardening_WordPress#Disable_File_Editing
13. #10 Get Themes and Plugins from trusted sources, and delete if not used
   • The official repository at WordPress.org
   • Frequently updated, and still in continuous development
   • Delete any Themes and Plugins you are not using any more
14. Extra — a note on the “admin” user
   • Username “admin” is often targeted by brute-force attacks
   • But even if you don’t use “admin”, an attacker can find out the username via http://example.com/?author=1
   • So not using “admin” does not mean it is safe
   • However, it is still a good practice because:
     • We know “admin” is targeted, so it is better not to use it than to use it
     • A high number of login attempts uses a lot of your server resources, and can bring the server down
15. Extra — hide your WordPress version?
   • Hide your WordPress version, so the attacker won’t know which version you are using — Not True
     remove_action('wp_head', 'wp_generator');
   • There are other ways for attackers to find the version:
     • http://example.com/readme.html
     • Query string appended to style sheets and scripts, such as style.css?ver=4.1.0
     • And many more…
   The WordPress Meta “generator” Tag Paranoia
   http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag-paranoia/
16. Extra — some plugins
   • Wordfence Security
     https://wordpress.org/plugins/wordfence/
   • Login Security Solution
     https://wordpress.org/plugins/login-security-solution/
   • Crazy Bone
     https://wordpress.org/plugins/crazy-bone/
17. Extra — some links
   • Hardening WordPress « WordPress Codex
     http://codex.wordpress.org/Hardening_WordPress
   • Brute Force Attacks « WordPress Codex
     http://codex.wordpress.org/Brute_Force_Attacks
   • WordPress Tavern
     http://wptavern.com/
   • Sucuri Blog | Website Security News
     https://blog.sucuri.net/