Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm, Managing Partner - Grimm Digital
Hardening WordPress
at WP Luvfest: “Maximising WordPress for Search”
http://gdig.de/sascon13
Manchester, June 2013
About me
@basgr
SEO Trainings, Seminars & Strategy Consulting
WordPress Security, Consulting & Development
Berlin-based Full-Service Performance Marketing Agency
http://gdig.de/sascon13
#1 Setup WordPress properly
Use unique keys and salts to add
random elements for encryption!
https://api.wordpress.org/secret-key/1.1/salt/
Use a cryptic table prefix to thwart automated scripts
and SQL injection payloads that assume the default wp_ tables.
$table_prefix = 'wp_VzQCxSJv7uL_';
#2 Protect your wp-config.php
<files wp-config.php>
order deny,allow
deny from all
</files>
This needs to go into your WP root's
.htaccess file to prevent external access
Did you know this? Even better…
move wp-config.php outside of
"www". Also do chmod 400/440
#3 Remove the default "admin"
Setup new user as admin; logout.
Login w/ new admin; delete old one.
Make sure to use a STRONG
password, pleeaaasssseeee!
http://www.random.org/passwords/
Credits: http://bit.ly/T8wMwO
Make absolutely sure you only
use plug-ins from trusted authors!
#4 Lock-out multiple failed logins
http://wordpress.org/extend/plugins/limit-login-attempts/
Limit Login Attempts
#5 Protect your Login (and wp-admin)
Don't just put an .htaccess
on your /wp-admin/ for
basic password protection.
It's pure hassle…
Recommended: Try the "Lockdown WP
Admin" plug-in to protect PHP files in
wp-admin as well as the login itself.
http://wordpress.org/extend/plugins/lockdown-wp-admin/
Or: Lockdown using a Secret URL?
http://wordpress.org/plugins/stealth-login-page/
Stealth Login Page
#6 Even better: Two-factor Verification
Info: http://gdig.de/1t - Download: http://gdig.de/1u
http://wordpress.org/plugins/google-authenticator/
Google Authenticator
Provide your login credentials
and get the auth code from the
Google Authenticator app on your phone.
#7 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
Set FORCE_SSL_LOGIN to “true” to
force all logins to happen over SSL.
(still allows non-SSL admin sessions)
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)
#8 Never EVER do this!
These sites are
more than worse…
A quick peek into some theme files…
LOL! „family friendly“
links – my a*s…
A quick peek into some theme files…
functions.php: This theme
won't be working without
those links…
#9 Always use TAC to do a pre-check!
http://builtbackwards.com/projects/tac/
Theme Authenticity
Checker (TAC)
It gets worse: base64 encoded footer
Are you really sure you want
to see that footer.php file?
Right… NICE FOOTER!
PLEASE… stay away
from “free” WordPress
themes – they’re not
free, really!
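As an added example (my own shell script, not the TAC plug-in and not code from the slides): a grep-based pre-check that walks a theme directory and flags the obfuscation primitives the slides show in bundled "free" themes, the base64-encoded footer.php and the hidden link block in functions.php. The sample theme it builds is constructed for the demonstration and the encoded string decodes to plain text. Every hit still needs a human look, since legitimate plug-in code also calls base64_decode().

```shell
#!/bin/sh
# Added example: a TAC-style pre-check for theme files (not the TAC plug-in).

# scan_theme DIR: prints every suspicious line as file:line:content and
# returns the number of hits (0 = nothing found).
scan_theme() {
    # PHP constructs that almost never belong in a theme template, plus the
    # CSS trick used to hide injected links from visitors but not from crawlers.
    pattern='base64_decode|eval[[:space:]]*\(|gzinflate|gzuncompress|str_rot13|preg_replace[[:space:]]*\(.*/e|display:[[:space:]]*none'
    out=$(grep -rnE --include='*.php' "$pattern" "$1" || true)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return $(( $(printf '%s\n' "$out" | wc -l) ))
}

# make_theme_fixture: builds a throw-away theme with constructed content that
# mimics what the slides show; prints the directory path.
make_theme_fixture() {
    dir=$(mktemp -d)
    # a clean template
    printf '%s\n' '<?php get_header(); ?>' '<p>Hello</p>' > "$dir/index.php"
    # the "base64 encoded footer" (constructed; "aGVsbG8=" decodes to "hello")
    printf '%s\n' '<?php echo base64_decode("aGVsbG8="); ?>' > "$dir/footer.php"
    # the hidden-link block the theme "won't work without" (constructed, points at example.com)
    printf '%s\n' '<?php function theme_links() { echo "<div style=\"display:none\"><a href=\"http://example.com\">x</a></div>"; }' > "$dir/functions.php"
    echo "$dir"
}

# Demo run: expect two hits (footer.php and functions.php), index.php stays clean.
theme=$(make_theme_fixture)
rc=0; scan_theme "$theme" || rc=$?
echo "suspicious lines found: $rc"
rm -rf "$theme"
```

Point scan_theme at wp-content/themes/<theme> before activating anything you downloaded; a clean theme returns 0 and prints nothing.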
#10 Remove Version & Login Message
// create_function() is deprecated since PHP 7.2 and removed in 8.0; a closure does the same job.
add_filter('login_errors', function ($error) { return null; });
function my_remove_version() { return ''; }
add_filter('the_generator', 'my_remove_version');
Remove the error message from your login
page. You don't want to give away whether
the username or the password was wrong.
Filter 'the_generator' rather than only removing
the "wp_generator" action from wp_head, because
the latter will NOT get rid of the version
number in your RSS feed(s).
#11 Block malicious URL requests
http://wordpress.org/plugins/block-bad-queries/
BBQ: Block Bad Queries
Or one for all: Harden your Settings
Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/
Most important: Remove version
number from ALL components &
block malicious URL requests.
#12 Update your blogs regularly!
• WP Updates Notifier to get emails on out-dated components (core, themes & plug-ins) for all blogs:
  – http://wordpress.org/extend/plugins/wp-updates-notifier/
• ManageWP can do one-click mass updates (core, themes, plug-ins again) for all your blogs:
  – http://managewp.com/features
#13 Keep your installation clean
Remove all inactive
plug-ins as well as themes!
#14 Scan your Theme daily
http://wordpress.org/extend/plugins/antivirus/
WP AntiVirus
Or try this one to scan for Exploits
http://wordpress.org/plugins/exploit-scanner/
Exploit Scanner
Caution: Use a good portion of
common sense when reviewing!
#15 Move the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_DIR points to the full local
path of the new folder (no trailing slash)
WP_CONTENT_URL points to its full
URI (no trailing slash either)
#16 Fix File & Folder Permissions
http://wordpress.org/extend/plugins/wp-security-scan/
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
#17 Disable File Editing
define('DISALLOW_FILE_EDIT', true);
Set DISALLOW_FILE_EDIT to “true” to
disable editing files from dashboard.
By default, admins are allowed to edit PHP files. Setting
the above is equivalent to removing the
'edit_themes', 'edit_plugins' and 'edit_files' capabilities
of all users.
#18 Delete Files & Disable Listings
Delete those files manually; also get rid of
“readme.html” in your WP root.
This needs to go into your WP root's
.htaccess file to disable all directory listings.
Options -Indexes
http://httpd.apache.org/docs/2.4/mod/core.html#options
If you’d change “last
modified” to “.php.bak” this
would then… ok, enough!
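To check an installation against the settings above, here is an added example (my own shell script, not code from the slides): a read-only audit of a WordPress root for the points in #1, #2, #7, #16, #17 and #18 that prints one finding per line and returns the number of findings. The fixture directories it builds are constructed for the demonstration and the install path is a placeholder. It checks FORCE_SSL_ADMIN only: WordPress 4.0 deprecated FORCE_SSL_LOGIN in favour of FORCE_SSL_ADMIN.

```shell
#!/bin/sh
# Added example: audit a WordPress root against the hardening steps on the slides.
# Usage: wp_audit /var/www/example   (placeholder path); exit status = number of findings.

wp_audit() {
    root="$1"; cfg="$root/wp-config.php"; ht="$root/.htaccess"; n=0

    # #1: the table prefix should not be the default "wp_".
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "wp-config.php still uses the default wp_ table prefix"; n=$((n+1))
    fi

    # #2: the web server must refuse direct requests for wp-config.php.
    if ! grep -qi '<files wp-config.php>' "$ht" 2>/dev/null; then
        echo ".htaccess has no <files wp-config.php> deny block"; n=$((n+1))
    fi

    # #2 / #16: wp-config.php should be read-only (400 or 440), as the slides say.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        400|440) ;;
        *) echo "wp-config.php mode is $mode, expected 400 or 440"; n=$((n+1)) ;;
    esac

    # #7 and #17: the hardening constants must be defined as true.
    for const in FORCE_SSL_ADMIN DISALLOW_FILE_EDIT; do
        if ! grep -Eq "define\([[:space:]]*['\"]$const['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
            echo "$const is not set to true in wp-config.php"; n=$((n+1))
        fi
    done

    # #18: readme.html leaks the version; directory listings must be off.
    if [ -e "$root/readme.html" ]; then
        echo "readme.html is still present in the web root"; n=$((n+1))
    fi
    if ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht" 2>/dev/null; then
        echo ".htaccess does not contain 'Options -Indexes'"; n=$((n+1))
    fi
    return "$n"
}

# make_fixture weak|hardened: builds a throw-away install with constructed
# content ("weak" reproduces the defaults the slides warn about) and prints its path.
make_fixture() {
    dir=$(mktemp -d); kind="$1"
    if [ "$kind" = weak ]; then
        printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$dir/wp-config.php"
        : > "$dir/readme.html"
        : > "$dir/.htaccess"
        chmod 644 "$dir/wp-config.php"
    else
        printf '%s\n' '<?php' "\$table_prefix = 'wp_VzQCxSJv7uL_';" \
            "define('FORCE_SSL_ADMIN', true);" \
            "define('DISALLOW_FILE_EDIT', true);" > "$dir/wp-config.php"
        printf '%s\n' '<files wp-config.php>' 'order deny,allow' 'deny from all' \
            '</files>' 'Options -Indexes' > "$dir/.htaccess"
        chmod 400 "$dir/wp-config.php"
    fi
    echo "$dir"
}

# Demo run: the weak install yields 7 findings, the hardened one 0.
for kind in weak hardened; do
    d=$(make_fixture "$kind")
    rc=0; wp_audit "$d" || rc=$?
    echo "$kind install: $rc finding(s)"
    rm -rf "$d"
done
```

Run it as the web server's user or root so wp-config.php is readable after chmod 400; a non-zero exit makes it easy to wire into a cron job or deployment check.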
#19 Backup Database & Files
BackWPup
http://wordpress.org/extend/plugins/backwpup/
13.10.2011
OMCap 2011 - Online Marketing Konferenz Berlin
And that’s it! …
#20 Some more WordPress Knowledge
http://gdig.de/slides
Bastian Grimm, Managing Partner - Grimm Digital
Thanks! Questions?
mail@grimm-digital.com
twitter.com/basgr
linkedin.com/in/bastiangrimm
facebook.com/grimm.digital
http://gdig.de/sascon13
