SlideShare a Scribd company logo

WordPress Security

My presentation on WordPress Security at WordCamp Montreal 2009

1 of 39
Download to read offline
WordPress Security



         Brad Williams
         WebDevStudios.com
Who Am I?
Who Am I?



I’m the guy that has to follow Matt
Who Am I?

Brad Williams
CEO & Co-Founder, WebDevStudios.com
Organizer NJ WordPress Meetup
Co-Host SitePoint Podcast
The Goal of this Presentation…
The Goal of this Presentation…




   …Is to scare the crap out of you!
The Goal of this Presentation…




   …and then make everything better
WordPress Security
Topics

 Example  Link Injection Hack
 Securing your WordPress Website
 Recommended Plugins
The Scary
Link Injection

Hacker bots look for known exploits (SQL Injection, folder perms, etc).
           This allows them to insert spam files/links into
          your WordPress Themes, plugins, and core files.
Example

Hosting account contained two separate websites




       WordPress           WordPress MU
Example

Bot dropped a hacker file on WPMU install




    WordPress           WordPress MU
Example

          WPMU starts hacking WordPress install
Inserting spam links into the theme, plugins, and core files




            WordPress             WordPress MU
Example
       WPMU contains no spam links
Acts as a carrier to spread the contamination

  Cleaning up the WordPress website only
resulted in more spam links a few days later



     WordPress             WordPress MU
375 Spam Links Per Page
CSS Hides the Spam

<b style=“display:none”>Any text you want to hide</b>
Aftermath
         • Website was dropped by Google completely
         • Pagerank went from 6 to 5
         • Hack also infected phpBB forum
         • Organic traffic for “viagra” started showing up




Hack happened in April 2009, website has still not fully recovered in search engines
Scared Yet?
WordPress Security
Securing WordPress
Don’t use the admin account
                 If you are using the admin account you are wrong!



     Either change the username in MySQL:

     update wp_users set user_login='newuser' where user_login='admin';


       Or create a new/unique account with administrator privileges.

       3.Create a new account. Make the username very unique
       4.Assign account to Administrator role
       5.Log out and log back in with new account
       6.Delete admin account


Make it hard on the hacker! If they already know your username that’s half the battle
The Great Permission Debate
               What folder permissions should you use?



Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755



                  Start with the default settings above
          if you can’t upload increase privileges (ie 775, 777)




       Permission levels vary depending on server configuration
The Great Permission Debate

Permissions can be set via FTP




Or via shell access with the following commands

find [your path here] -type d -exec chmod 755 {} ;
find [your path here] -type f -exec chmod 644 {} ;
Move the wp-config.php file
      WordPress 2.6 added the ability to move the wp-config.php
           file one directory above your WordPress root


   If WordPress is located here:

           public_html/wordpress/wp-config.php

   You can move your wp-config.php file to here

           public_html/wp-config.php


       WordPress automatically checks the parent directory if a
         wp-config.php file is not found in your root directory


This makes it nearly impossible for anyone to access your wp-config.php
      file as it now resides outside of your website’s root directory
Move the wp-content Directory
        WordPress 2.6 added the ability to move the wp-content directory



1. Move your wp-content directory
2. Make two additions to wp-config.php

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content');



 If you have compatibility issues with plugins there are two optional settings

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');




          If hackers can’t find your wp-content folder, they can’t hack it!
Remove WordPress Version from Header
    Viewing source on most WP sites will reveal the version they are running

   <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->

      This helps hackers find vulnerable WP blogs running older versions


To remove find the code below in your header.php file of your theme and remove it

   <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
                      <!-- leave this for stats please -->


                      Themes and plugins might also
                      display versions in your header.

                      Typically they come with an option
                      to disable
Stay Current on Updates
Keep WordPress core, plugins, and theme files up to date




                                         The newly added plugin
                                         Changelog tab makes it very
                                         easy to view what has
                                         changed in a new plugin
                                         version

                                         Expect wider adoption in the
                                         coming months as this was
                                         just added a few weeks ago
Use Secure Passwords
Use strong passwords to protect your website from dictionary attacks
         Not just for WordPress, but also FTP, MySQL, etc

         BAD PASSWORD: bradrules
         GOOD PASSWORD: S-gnop2D[6@8


                                            WordPress will tell you
                                            when you have it right




              Great resource:
            goodpassword.com

        Creates random passwords
Use Secret Keys
            A secret key is a hashing salt which makes your site harder to
                 hack by adding random elements to the password.

1. Edit wp-config.php
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1

BEFORE
 define('AUTH_KEY', 'put your unique phrase here');
 define('SECURE_AUTH_KEY', 'put your unique phrase here');
 define('LOGGED_IN_KEY', 'put your unique phrase here');
 define('NONCE_KEY', 'put your unique phrase here');


AFTER
 define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB');
 define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB');
 define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V');
 define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r');




                    You can add/change secret keys at anytime.
   This will invalidate all existing cookies and require your users to login again
Change WordPress Table Prefix

       1. Edit wp-config.php before installing WordPress
       2. Change the prefix wp_ to something unique:

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = ‘zztop_';




      All database tables will now have a unique prefix (ie zztop_posts)
.htaccess lockdown

1. Create a .htaccess file in your wp-admin directory
2. Add the following lines of code:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    #IP address to Whitelist
    allow from 67.123.83.59



  Only a user with the IP 67.123.83.59 can access wp-admin
WordPress Security
Recommended Security Plugins
WP Security Scan




http://wordpress.org/extend/plugins/wp-security-scan/
WordPress Exploit Scanner




http://wordpress.org/extend/plugins/exploit-scanner/
WordPress File Monitor




http://wordpress.org/extend/plugins/wordpress-file-monitor/
WordPress Security Resources

   Security Related Codex Articles
    ›   http://codex.wordpress.org/Hardening_WordPress
    ›   http://codex.wordpress.org/Changing_File_Permissions
    ›   http://codex.wordpress.org/Editing_wp-config.php
    ›   http://codex.wordpress.org/htaccess_for_subdirectories
   Blog Security Articles
    ›   http://www.growmap.com/wordpress-exploits/
    ›   http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-
        blog/
    ›   http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
    ›   http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-
        blog/
    ›   http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
    ›   http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
Contact

Brad Williams
brad@webdevstudios.com

Blog: strangework.com
@williamsba
IRC: WDS-Brad

Everywhere else: williamsba

Recommended

WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanJeff Hoffman
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 

More Related Content

What's hot

WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityBrad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPressDre Armeda
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Brad Williams
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress SecurityShawn Hooper
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security PresentationAndrew Paton
 
Advanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksAdvanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksBrad Williams
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupJohn Carcutt
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationChetan Soni
 

What's hot (20)

WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPress
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
 
Website security
Website securityWebsite security
Website security
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
 
Advanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksAdvanced Thesis Techniques and Tricks
Advanced Thesis Techniques and Tricks
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and Configuration
 

Viewers also liked

Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.Anuj Khandelwal
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsEdgar Barbosa
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkitsamiable_indian
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014Amazon Web Services
 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6fisher.w.y
 
Using python to analyze spatial data
Using python to analyze spatial dataUsing python to analyze spatial data
Using python to analyze spatial dataKudos S.A.S
 
Who am I? - Personal Development Framework for Employees
Who am I? - Personal Development Framework for EmployeesWho am I? - Personal Development Framework for Employees
Who am I? - Personal Development Framework for EmployeesHppy
 

Viewers also liked (19)

Rootkit
RootkitRootkit
Rootkit
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit Detection
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkits
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
 
Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkit
 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
 
Using python to analyze spatial data
Using python to analyze spatial dataUsing python to analyze spatial data
Using python to analyze spatial data
 
Who am I? - Personal Development Framework for Employees
Who am I? - Personal Development Framework for EmployeesWho am I? - Personal Development Framework for Employees
Who am I? - Personal Development Framework for Employees
 

Similar to WordPress Security

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonBastian Grimm
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening StepsPlasterdog Web Design
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress PluginBrad Williams
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Bastian Grimm
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 201340 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013Bastian Grimm
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
WordCamp RI 2015 - Beginner WordPress Workshop
WordCamp RI 2015 - Beginner WordPress Workshop   WordCamp RI 2015 - Beginner WordPress Workshop
WordCamp RI 2015 - Beginner WordPress Workshop Ella J Designs
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsBastian Grimm
 
WordPress 2.5 Overview - Rich Media Institute
WordPress 2.5 Overview - Rich Media InstituteWordPress 2.5 Overview - Rich Media Institute
WordPress 2.5 Overview - Rich Media InstituteBrendan Sera-Shriar
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issuesDeepu Thomas
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup   ehermits - how to keep your blog from being hacked 2012Neo word press meetup   ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press BlogChetan Gole
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 

Similar to WordPress Security (20)

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 201340 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
WordCamp RI 2015 - Beginner WordPress Workshop
WordCamp RI 2015 - Beginner WordPress Workshop   WordCamp RI 2015 - Beginner WordPress Workshop
WordCamp RI 2015 - Beginner WordPress Workshop
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
 
WordPress 2.5 Overview - Rich Media Institute
WordPress 2.5 Overview - Rich Media InstituteWordPress 2.5 Overview - Rich Media Institute
WordPress 2.5 Overview - Rich Media Institute
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup   ehermits - how to keep your blog from being hacked 2012Neo word press meetup   ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Optimize wordpress
Optimize wordpressOptimize wordpress
Optimize wordpress
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security ppt
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 

More from Brad Williams

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015Brad Williams
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyBrad Williams
 
Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Brad Williams
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressBrad Williams
 
Writing Secure WordPress Code
Writing Secure WordPress CodeWriting Secure WordPress Code
Writing Secure WordPress CodeBrad Williams
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application FrameworkBrad Williams
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012Brad Williams
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for BeginnersBrad Williams
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesBrad Williams
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPBrad Williams
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressBrad Williams
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfBrad Williams
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceBrad Williams
 

More from Brad Williams (14)

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to Agency
 
Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPress
 
Writing Secure WordPress Code
Writing Secure WordPress CodeWriting Secure WordPress Code
Writing Secure WordPress Code
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application Framework
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress Multisite
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for Beginners
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WP
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPress
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard Of
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online Presence
 

Recently uploaded

Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGRick Ossendrijver
 
Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...Modality Co
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriSafe Software
 
security-in-computing question paper 2023
security-in-computing question paper 2023security-in-computing question paper 2023
security-in-computing question paper 2023RohanMistry15
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyMustafa Kuğu
 
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...DianaGray10
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...James Anderson
 
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...ShapeBlue
 
eXtended Reality(XR) Basic introductions
eXtended Reality(XR) Basic introductionseXtended Reality(XR) Basic introductions
eXtended Reality(XR) Basic introductionsElanthirayan Madhavan
 
Trailblazer Community - Flows Workshop (Session 1)
Trailblazer Community - Flows Workshop (Session 1)Trailblazer Community - Flows Workshop (Session 1)
Trailblazer Community - Flows Workshop (Session 1)Muhammad Tiham Siddiqui
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareAsma Ben Abacha
 
Mastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationMastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationAppsthentic Technology
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIVijayananda Mohire
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Chris Bingham
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)François
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc
 
Communities, networking and developer culture
Communities, networking and developer cultureCommunities, networking and developer culture
Communities, networking and developer cultureRavi Sanghani
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueShapeBlue
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfMostafa Higazy
 
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
 
Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & Esri
 
security-in-computing question paper 2023
security-in-computing question paper 2023security-in-computing question paper 2023
security-in-computing question paper 2023
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5Company
 
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
 
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
 
eXtended Reality(XR) Basic introductions
eXtended Reality(XR) Basic introductionseXtended Reality(XR) Basic introductions
eXtended Reality(XR) Basic introductions
 
Trailblazer Community - Flows Workshop (Session 1)
Trailblazer Community - Flows Workshop (Session 1)Trailblazer Community - Flows Workshop (Session 1)
Trailblazer Community - Flows Workshop (Session 1)
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in Healthcare
 
Mastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationMastering Play Store App Listing and Optimization
Mastering Play Store App Listing and Optimization
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AI
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
Communities, networking and developer culture
Communities, networking and developer cultureCommunities, networking and developer culture
Communities, networking and developer culture
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdf
 
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
 

WordPress Security

  • 1. WordPress Security Brad Williams WebDevStudios.com
  • 3. Who Am I? I’m the guy that has to follow Matt
  • 4. Who Am I? Brad Williams CEO & Co-Founder, WebDevStudios.com Organizer NJ WordPress Meetup Co-Host SitePoint Podcast
  • 5. The Goal of this Presentation…
  • 6. The Goal of this Presentation… …Is to scare the crap out of you!
  • 7. The Goal of this Presentation… …and then make everything better
  • 9. Topics  Example Link Injection Hack  Securing your WordPress Website  Recommended Plugins
  • 11. Link Injection Hacker bots look for known exploits (SQL Injection, folder perms, etc). This allows them to insert spam files/links into your WordPress Themes, plugins, and core files.
  • 12. Example Hosting account contained two separate websites WordPress WordPress MU
  • 13. Example Bot dropped a hacker file on WPMU install WordPress WordPress MU
  • 14. Example WPMU starts hacking WordPress install Inserting spam links into the theme, plugins, and core files WordPress WordPress MU
  • 15. Example WPMU contains no spam links Acts as a carrier to spread the contamination Cleaning up the WordPress website only resulted in more spam links a few days later WordPress WordPress MU
  • 16. 375 Spam Links Per Page
  • 17. CSS Hides the Spam <b style=“display:none”>Any text you want to hide</b>
  • 18. Aftermath • Website was dropped by Google completely • Pagerank went from 6 to 5 • Hack also infected phpBB forum • Organic traffic for “viagra” started showing up Hack happened in April 2009, website has still not fully recovered in search engines
  • 22. Don’t use the admin account If you are using the admin account you are wrong! Either change the username in MySQL: update wp_users set user_login='newuser' where user_login='admin'; Or create a new/unique account with administrator privileges. 3.Create a new account. Make the username very unique 4.Assign account to Administrator role 5.Log out and log back in with new account 6.Delete admin account Make it hard on the hacker! If they already know your username that’s half the battle
  • 23. The Great Permission Debate What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above if you can’t upload increase privileges (ie 775, 777) Permission levels vary depending on server configuration
  • 24. The Great Permission Debate Permissions can be set via FTP Or via shell access with the following commands find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ;
  • 25. Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory
  • 26. Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); If you have compatibility issues with plugins there are two optional settings define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins'); If hackers can’t find your wp-content folder, they can’t hack it!
  • 27. Remove WordPress Version from Header Viewing source on most WP sites will reveal the version they are running <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats --> This helps hackers find vulnerable WP blogs running older versions To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please --> Themes and plugins might also display versions in your header. Typically they come with an option to disable
  • 28. Stay Current on Updates Keep WordPress core, plugins, and theme files up to date The newly added plugin Changelog tab makes it very easy to view what has changed in a new plugin version Expect wider adoption in the coming months as this was just added a few weeks ago
  • 29. Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc BAD PASSWORD: bradrules GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right Great resource: goodpassword.com Creates random passwords
  • 30. Use Secret Keys A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 1. Edit wp-config.php 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1 BEFORE define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); AFTER define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB'); define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB'); define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V'); define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r'); You can add/change secret keys at anytime. This will invalidate all existing cookies and require your users to login again
  • 31. Change WordPress Table Prefix 1. Edit wp-config.php before installing WordPress 2. Change the prefix wp_ to something unique: /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘zztop_'; All database tables will now have a unique prefix (ie zztop_posts)
  • 32. .htaccess lockdown 1. Create a .htaccess file in your wp-admin directory 2. Add the following lines of code: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 Only a user with the IP 67.123.83.59 can access wp-admin
  • 38. WordPress Security Resources  Security Related Codex Articles › http://codex.wordpress.org/Hardening_WordPress › http://codex.wordpress.org/Changing_File_Permissions › http://codex.wordpress.org/Editing_wp-config.php › http://codex.wordpress.org/htaccess_for_subdirectories  Blog Security Articles › http://www.growmap.com/wordpress-exploits/ › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress- blog/ › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/ › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress- blog/ › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog › http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/