
Protecting WordPress from the Inside Out


WordPress is pretty secure, and updates are released periodically to fix loopholes. To stay safe you should always upgrade to the latest version of the software as soon as it is available.

However, there are several more ways to protect your WordPress installation from being misused or hacked. In this session we look at some of the most useful tips, tricks, and plugins that add an extra level of security to your WordPress site.

Published in: Technology, Business
  • good slide. thanks
  • When setting up WP installs I tend to use 20 char random IDs generated from (
    So, for example, the admin UID becomes something like: admin_0YcWgjYpelWKPJP59DGI

    I tend to do the same for passwords, DB prefixes (although not all 20 chars) and so on & keep track of them in something like Evernote or Google Docs. I've found it's the most consistent way of being random ;)

    Great slide btw, cheers for sharing.
  • Good stuff. Been wondering about this.
  • Awesome presentation about WP Security
  • Security of WordPress

  1. Protecting WordPress from the Inside Out
     By: Syed Balkhi
  2. Who am I?
     Syed Balkhi
     Founder of
     CEO of
     Contact:
     Email:
     Twitter: @wpbeginner
  3. Goals of This Presentation
     Increase awareness about WordPress security.
     Share useful tips and plugins to improve WordPress security.
     Have everyone leave with a smile on their face.
  4. vs. Self-Hosted WordPress
     If you have a blog with then you do not have to worry about WordPress security.
     If you have a self-hosted blog then you should pay extra attention.
  5. Why should you pay attention?
     SQL link injection – hackers inject spam links and files into your WordPress theme, plugin, and other core files.
     You won't even know, because all the links will be hidden using CSS.
     Your site will be dropped from Google, and you will lose your rankings, traffic, and revenue from that site.
  6. Basic Things That You Should Do
     It doesn't just seem repetitive, it is repetitive. But it is ESSENTIAL, so do it.
  7. Regular Database Backups
     Plugin: WP-DB-Backup
     Author: Austin Matzko
     You can schedule backups daily, weekly, or hourly, and have them sent to your email.
     It is absolutely critical to have backups, because you will run into situations where you need to restore your site. You never know when you will need it, so keep regular backups. I know many people who lost their blog to a hacker attack and had to restore everything from RSS feeds. It is not FUN!!
  8. Never use the "admin" username
     If the hacker knows your username, he knows half the answer. (Don't help him.)
     Change the username in the MySQL database by running this query:
         update wp_users set user_login='yourusername' where user_login='admin';
     OR
     Create a new username (make it very unique).
     Assign the Administrator role to this new user.
     Log out from your admin account.
     Log back in as the new username and then delete the "admin" username.
  9. Use Security Keys
     Security keys give your logged-in sessions stronger protection. A secret key is a hashing salt that makes your site harder to hack and access harder to crack by adding random elements to the password hash.
     To add security keys, open your wp-config.php.
     Visit this URL to get security keys:
     Find these lines:
         define('AUTH_KEY', 'put your unique phrase here');
         define('SECURE_AUTH_KEY', 'put your unique phrase here');
         define('LOGGED_IN_KEY', 'put your unique phrase here');
         define('NONCE_KEY', 'put your unique phrase here');
     And replace them with your new keys:
         define('AUTH_KEY', '|ry:$5-`e}z:+^+6{-e;;SbrPq``|s$z=X&>ZbNnBmGOZ*L36e^,O[{]&TSU)~hC');
         define('SECURE_AUTH_KEY', 'GbZfHMi-0NuC7tc|,TQzV%2-9@0S?)APw[EW5$D>)|8m;9^5AO![@.eDg0-I>wWV');
         define('LOGGED_IN_KEY', 'QC^|p$*r]U$Zo[^hCL1}v|H@B^Z+EqYoT#[9YJ47D[x5B0to6,w>+-[[64H^xee`');
         define('NONCE_KEY', 'hy;DQ_kV ),}4IRYC.PykF2_K`&2Y**Z8TnGMz=:_AP*kx|Hz~5miOia{,A-xm4(');
  10. Keep your WordPress & Plugins Updated
      Keep all your core files and plugins up to date. Sometimes there are quick releases, and those are made only for security reasons.
      Don't be lazy about updating your site; it only takes ONE CLICK to upgrade the WordPress installation or a plugin.
      After each security patch release, WordPress explains to users why that release was made and describes the loophole, and that explanation is open to everyone (HACKERS). They can use that information and your laziness to their advantage and hack your site.
      Are you afraid that your plugins will stop working? That problem is also solved now that there is a compatibility meter in the WordPress plugin directory.
  11. Use Strong Passwords
      Use letters (both uppercase and lowercase), numbers, and symbols, and make the password at least 10 characters long; it should take a super smart computer at least 59 years to crack.
      Chart from:
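Added example, not from the slides: a POSIX shell generator that draws a password from /dev/urandom, plus a checker for the rule on slide 11 (uppercase, lowercase, digits, symbols, at least 10 characters) that you can run against an existing password. The function names and the symbol set are my own choices.

```shell
#!/bin/sh
# Added example: password generator and policy checker for the slide-11 rule.
# PW_SYMBOLS is an assumed symbol set; '-' is kept last so tr treats it literally.
PW_SYMBOLS='!@#$%^&*()_=+;:,.?-'

# check_password PASSWORD [MINLEN]
# Returns 0 when the password is at least MINLEN (default 10) characters and
# contains an uppercase letter, a lowercase letter, a digit and a symbol.
check_password() {
    pw="$1"; min="${2:-10}"
    [ "${#pw}" -ge "$min" ] || return 1
    case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac          # uppercase present
    case "$pw" in *[a-z]*) ;; *) return 1 ;; esac          # lowercase present
    case "$pw" in *[0-9]*) ;; *) return 1 ;; esac          # digit present
    case "$pw" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac   # symbol present
    return 0
}

# gen_password [LEN]
# Prints a random password of LEN characters (default 20) drawn uniformly from
# letters, digits and PW_SYMBOLS. A draw that happens to miss one of the four
# classes is discarded and redrawn, so the output always passes check_password.
gen_password() {
    len="${1:-20}"
    while :; do
        pw=$(LC_ALL=C tr -dc "A-Za-z0-9$PW_SYMBOLS" </dev/urandom | head -c "$len")
        if check_password "$pw" "$len"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Usage: gen_password 20      -> prints one 20-character password
#        check_password 'x'   -> exit status 1 (too short, missing classes)
```

The checker encodes exactly the four classes the slide names; the generator reuses it, so the two cannot drift apart.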
  12. Folder/File Permissions
      A good rule of thumb to start with:
      Folder permission: CHMOD 755
      File permission: CHMOD 644
      If these do not work for some plugins, or stop you from uploading a file, then increase the permissions, for example to 775 or 777.
      It varies with the server configuration. On Host Gator servers plugins will not give you a hard time about changing permissions, but on more secured servers like Media Temple you will have to change file and folder permissions for some plugins to work.
  13. How to Change Permissions via FTP
      Right-click on the folder and look for either Properties or File Permissions (it varies with each FTP client).
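Added example, not from the slides: a POSIX shell script that applies the 755/644 rule of thumb from slide 12 to a whole WordPress tree in one go (instead of right-clicking each folder in an FTP client) and then reports anything left world-writable, which is what the 777 setting on slide 12 means. The function names and the root-directory argument are my own; run it against your document root.

```shell
#!/bin/sh
# Added example: apply the slide-12 baseline (dirs 755, files 644) to a
# WordPress tree and audit what deviates from it. ROOT is passed by the caller.

# apply_wp_perms ROOT
# Sets every directory to 755 and every regular file to 644.
apply_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# find_world_writable ROOT
# Prints each entry that any user on the server may write to (the 777/666
# end of the scale); returns 1 when at least one was found, 0 otherwise.
find_world_writable() {
    root="$1"
    found=$(find "$root" -perm -002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# count_nonstandard ROOT
# Prints how many entries differ from the 755/644 baseline; handy as a
# periodic check after a plugin asked you to loosen something.
count_nonstandard() {
    root="$1"
    dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    files=$(find "$root" -type f ! -perm 644 | wc -l | tr -d ' ')
    echo $((dirs + files))
}

# Usage: apply_wp_perms /path/to/public_html && find_world_writable /path/to/public_html
```

If a plugin genuinely needs a writable directory (typically wp-content/uploads), loosen only that directory and let find_world_writable confirm nothing else was caught by the change.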
  14. Remove the WordPress Version Number from the Header
      Hackers can see your WordPress version number by viewing the source of your website. They use it to identify sites that are not upgraded and are still vulnerable.
      To remove the version number, open header.php in your theme folder and delete this line:
          <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
      If you have the wp_head function in your header.php then you should also add this line to functions.php in your theme folder:
          remove_action('wp_head', 'wp_generator');
  15. Some Cool Tricks
      Just like the one in this picture, except safer.
  16. Move the wp-config.php File
      Starting from WordPress 2.6, you can move your wp-config.php file one directory above its current location.
      If your wp-config.php file is located at:
          /public_html/wordpress/wp-config.php
      then you can move it to:
          /public_html/wp-config.php
      WordPress automatically checks the parent directory if wp-config.php is not found in the root directory.
  17. Force SSL Login and Admin Access
      You can log in to WordPress over an encrypted channel with SSL, meaning your session URLs will start with https://. You must confirm with your web host that you have shared SSL, or that you own an SSL certificate.
      Open your wp-config.php file and add this line to force SSL (https) for logins:
          define('FORCE_SSL_LOGIN', true);
      Open your wp-config.php file and add this line to force SSL (https) on all admin pages and logins:
          define('FORCE_SSL_ADMIN', true);
      * I recommend the second option because with it, passwords and cookies from both logins and admin access are never sent in the clear. Some people prefer the first one only because SSL is somewhat slower than running the backend without SSL (not if you have good servers).
      If you don't have an SSL certificate, use the plugin called Semisecure Login (JS required).
  18. Limit Access to the wp-admin Directory via .htaccess
      Create a .htaccess file in your wp-admin directory!
      Add the following lines and upload it to the site:
          AuthUserFile /dev/null
          AuthGroupFile /dev/null
          AuthName "WordPress Admin Access Control"
          AuthType Basic
          order deny,allow
          deny from all
          # whitelist Syed's IP address
          allow from
          # whitelist WordCamp Atlanta IP address
          allow from
          # whitelist WordCamp Atlanta Hotel IP address
          allow from
      Only users with IP addresses listed in this file will be able to see the wp-admin folder, no one else.
  19. Remove the Error Message from the Login Page
      Insert the following line in your theme's functions.php file (a closure replaces the old create_function call, which no longer exists in current PHP):
          add_filter('login_errors', function ($a) { return null; });
      The Secure WordPress plugin can do this as well -
      Don't help the hacker, make him work for it.
  20. Change the WordPress Table Prefix
      Everyone knows the default table prefix is wp_, so hackers usually try SQL injection against tables with the wp_ prefix. If they do not know the table prefix, it is harder for them.
      Before installing WordPress, edit your wp-config.php file and change the table prefix to something unique instead of wp_:
          $table_prefix = 'w0rdpr3ssjim_';
      If you didn't do that at install time and you want to do it now, it requires a few extra steps.
  21. Change the WordPress Table Prefix
      First change the prefix in the wp-config.php file.
  22. Log in to your MySQL database using phpMyAdmin and run this SQL query:
          Rename table wp_comments to w0rdpr3ssjim_comments;
          Rename table wp_links to w0rdpr3ssjim_links;
          Rename table wp_options to w0rdpr3ssjim_options;
          Rename table wp_postmeta to w0rdpr3ssjim_postmeta;
          Rename table wp_posts to w0rdpr3ssjim_posts;
          Rename table wp_terms to w0rdpr3ssjim_terms;
          Rename table wp_term_relationships to w0rdpr3ssjim_term_relationships;
          Rename table wp_term_taxonomy to w0rdpr3ssjim_term_taxonomy;
          Rename table wp_usermeta to w0rdpr3ssjim_usermeta;
          Rename table wp_users to w0rdpr3ssjim_users;
      Browse the w0rdpr3ssjim_options table and change option_id 94, wp_user_roles, to w0rdpr3ssjim_user_roles.
  23. Browse w0rdpr3ssjim_usermeta and change the meta keys wp_capabilities and wp_user_level to w0rdpr3ssjim_capabilities and w0rdpr3ssjim_user_level.
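Added example, not from the slides: a POSIX shell script that generates the RENAME TABLE statements from slide 22 and the option_name / meta_key updates from slides 22 and 23 for any old/new prefix pair, so nothing has to be retyped or edited row by row in phpMyAdmin. The function names are my own and the table list is the one on slide 22 (add your plugins' tables to it). It goes one step beyond the slides: instead of touching only option_id 94 and the two meta keys, it rewrites every option_name and meta_key that starts with the old prefix, which is what a plugin-heavy install needs.

```shell
#!/bin/sh
# Added example: generate the SQL for a WordPress table-prefix change.
# Prefixes are arguments, e.g. gen_prefix_change_sql wp_ w0rdpr3ssjim_

# Core tables from slide 22; append plugin tables as needed (assumed list).
WP_TABLES="comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# gen_rename_sql OLD NEW
# One RENAME TABLE statement per table in WP_TABLES.
gen_rename_sql() {
    old="$1"; new="$2"
    for t in $WP_TABLES; do
        printf 'RENAME TABLE %s%s TO %s%s;\n' "$old" "$t" "$new" "$t"
    done
}

# gen_update_sql OLD NEW
# UPDATEs for rows whose *names* carry the prefix: wp_user_roles in options,
# wp_capabilities and wp_user_level in usermeta. These run after the renames,
# so the table names already use NEW. Two details matter:
#  - in a LIKE pattern '_' matches any single character, so the prefix is
#    escaped ('wp\_%') or rows such as 'wpx...' would be rewritten too;
#  - SUBSTRING strips only the leading prefix, so a prefix string that also
#    appears later in the name is left alone (REPLACE would not be).
gen_update_sql() {
    old="$1"; new="$2"
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    start=$(( ${#old} + 1 ))
    fmt="UPDATE %s%s SET %s = CONCAT('%s', SUBSTRING(%s, %s)) WHERE %s LIKE '%s%%';\n"
    printf "$fmt" "$new" options  option_name "$new" option_name "$start" option_name "$like"
    printf "$fmt" "$new" usermeta meta_key    "$new" meta_key    "$start" meta_key    "$like"
}

# gen_prefix_change_sql OLD NEW
# Complete script in the order slides 21-23 prescribe: renames, then row updates.
gen_prefix_change_sql() {
    gen_rename_sql "$1" "$2"
    gen_update_sql "$1" "$2"
}

# Usage: gen_prefix_change_sql wp_ w0rdpr3ssjim_ > change-prefix.sql
```

Take the database backup from slide 7 first, then paste the generated file into phpMyAdmin or feed it to the mysql client; change $table_prefix in wp-config.php before the first login afterwards, as slide 21 says.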
  24. Protect Against Malicious URL Requests
      Copy and paste this code into a .php file, name it whatever you like, and upload it to your plugins directory, /wp-content/plugins:
          <?php
          /* Plugin Name: Block Bad Queries */

          // Screens the request URI for over-long strings and the injection
          // markers listed below. Administrators (level_10) are exempt; every
          // other request, anonymous visitors included, is checked. The check is
          // hooked to 'init' so WordPress has loaded its user functions first.
          function block_bad_queries() {
              if (current_user_can('level_10')) {
                  return;
              }
              $uri = $_SERVER['REQUEST_URI'];
              // strpos() returns 0 for a match at offset 0, so compare against false.
              if (strlen($uri) > 255
                  || strpos($uri, 'eval(') !== false
                  || strpos($uri, 'CONCAT') !== false
                  || strpos($uri, 'UNION+SELECT') !== false
                  || strpos($uri, 'base64') !== false) {
                  @header('HTTP/1.1 414 Request-URI Too Long');
                  @header('Status: 414 Request-URI Too Long');
                  @header('Connection: Close');
                  exit;
              }
          }
          add_action('init', 'block_bad_queries');
      This script checks for long strings as well as the base64 code that was used in the last attack, and the eval( code that could be a threat in the future. Once active, this plugin silently and effectively closes the connection for these sorts of injection-type attacks.
      All credit goes to Jeff Starr from Perishable Press.
  25. Useful Security Plugins
      Image by Pelfusion
  26. Login LockDown
      Login LockDown records the IP address and timestamp of every failed login attempt. Once a certain number of failed attempts is reached, it blocks login access from that IP address for one hour (the default). You can change the number of attempts and the lockout time in the settings.
  27. WordPress File Monitor
      The WordPress File Monitor plugin monitors your WordPress installation for added, deleted, or changed files. When a change is detected, an email alert can be sent to a specified address.
      This plugin is a life saver: if there was an SQL injection on your site that was hidden with CSS, you probably would not find out for a good amount of time. With this plugin, you will know instantly.
  28. WordPress Security Scan
      This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. A good plugin to install to make sure that you have everything in place.
      In the WP plugin directory, some people say that this plugin does not work with the latest version. But it works for me, so I am one of the 6 out of 10 who say it works.
  29. Stealth Login
      This plugin allows you to create custom URLs for logging in, logging out, administration, and registration on your WordPress blog. You can also enable "Stealth Mode", which prevents users from accessing wp-login.php directly.
      Even if someone did manage to crack or guess your WordPress password, with this plugin they would not know where to log in to your admin panel.
  30. Resources
  31. Who am I?
      Syed Balkhi
      Founder of
      CEO of
      Contact:
      Email:
      Twitter: @wpbeginner