My talk at #SAScon Manchester 2013 about WordPress security and how to make your WordPress (a bit) safer. Including two-factor authentication, a lot of security-specific settings and much more :)
4. #1 Setup WordPress properly
Use unique keys and salts to add
random elements for encryption!
https://api.wordpress.org/secret-key/1.1/salt/
Use a cryptic prefix to prevent
automated scripts and SQL injections.
$table_prefix = 'wp_VzQCxSJv7uL_';
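As an added example (not code from the talk), here is a small PHP CLI script that produces the same two things slide 4 asks for, a random table prefix and the eight keys/salts, locally with PHP's CSPRNG instead of fetching them from the api.wordpress.org salt service. The function names are this example's own; the prefix uses only the characters WordPress accepts in `$table_prefix` (letters, digits, underscore) and the salts avoid single quotes and backslashes so they can be pasted straight into single-quoted PHP literals.

```php
<?php
// Added example, not from the talk: generate a random $table_prefix and the
// eight AUTH/SECURE/LOGGED_IN/NONCE keys and salts for wp-config.php offline.
declare(strict_types=1);

const WP_SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/** Random prefix from [A-Za-z0-9_] only (WordPress rejects anything else),
 *  built with random_int(), never rand()/mt_rand(). */
function random_table_prefix(int $length = 12): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return 'wp_' . $out . '_';
}

/** 64-character salt from printable ASCII (33..126); single quote and
 *  backslash are skipped so the value is safe inside a PHP '...' literal. */
function random_salt(int $length = 64): string
{
    $out = '';
    while (strlen($out) < $length) {
        $c = chr(random_int(33, 126));
        if ($c !== "'" && $c !== '\\') {
            $out .= $c;
        }
    }
    return $out;
}

/** Render the wp-config.php lines for prefix plus all keys and salts. */
function render_wp_config_fragment(): string
{
    $lines = [sprintf("\$table_prefix = '%s';", random_table_prefix())];
    foreach (WP_SALT_NAMES as $name) {
        $lines[] = sprintf("define('%s', '%s');", $name, random_salt());
    }
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

if (PHP_SAPI === 'cli') {
    echo render_wp_config_fragment();   // paste the output into wp-config.php
}
```

Run it with `php gen-salts.php` and replace the existing `$table_prefix` and `define(...)` lines in wp-config.php; changing the prefix on an existing site also requires renaming the database tables, so do this on a fresh install.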
5. #2 Protect your wp-config.php
<files wp-config.php>
order deny,allow
deny from all
</files>
This goes into the .htaccess file in your WP root to block external access.
Did you know this? Even better:
move wp-config.php outside of
"www". Also do chmod 400/440.
6. #3 Remove the default „admin“
Setup new user as admin; logout.
Login w/ new admin; delete old one.
Make sure to use a STRONG
password, pleeaaasssseeee!
http://www.random.org/passwords/
9. #5 Protect your Login (and wp-admin)
Don't just put an .htaccess
on your /wp-admin/ for
basic password protection.
It's pure hassle…
Recommended: Try the "Lockdown WP
Admin" plug-in to protect the PHP files in wp-
admin as well as the login itself.
http://wordpress.org/extend/plugins/lockdown-wp-admin/
10. Or: Lockdown using a Secret URL?
http://wordpress.org/plugins/stealth-login-page/
Stealth Login Page
12. #6 Even better: Two-factor Verification
http://wordpress.org/plugins/google-authenticator/
Google Authenticator
13. #6 Even better: Two-factor Verification
Provide your login credentials
and get the auth code from the
Google Authenticator app on your mobile phone.
14. #7 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
Set FORCE_SSL_LOGIN to "true" to
force all logins to happen over SSL
(non-SSL admin sessions are still allowed).
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)
15. #8 Never EVER do this!
These sites are
more than worse…
16. A quick peek into some theme files…
LOL! "family friendly"
links – my a*s…
17. A quick peek into some theme files…
functions.php: This theme
won't be working without
those links…
18. #9 Always use TAC to do a pre-check!
http://builtbackwards.com/projects/tac/
Theme Authenticity
Checker (TAC)
19. It gets worse: base64 encoded footer
Are you really sure you want
to see that footer.php file?
22. #10 Remove Version & Login Message
// create_function() from the original slide is gone in PHP 8; a closure does the same job.
add_filter('login_errors', function ($a) { return null; });
function my_remove_version() { return ''; }
add_filter('the_generator', 'my_remove_version');
Remove the error message from your login
page. You don't want to give away whether the
user and/or the password was incorrect.
You need to filter 'the_generator' this way, since removing
the "wp_generator" action will NOT get rid of the
version number in your RSS feed(s).
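As an added example (not from the talk), here is the same idea packaged as a must-use plugin so it survives theme switches: drop it into wp-content/mu-plugins/. The hook names are WordPress core hooks; the function names are this example's own. One addition goes beyond the slide and is marked as such: the `?ver=` query string on core scripts and styles leaks the same version number, so it is stripped as well.

```php
<?php
/**
 * Plugin Name: Hide version and login hints (added example, not from the talk)
 */
declare(strict_types=1);

// 1. Version number. Removing the wp_head action only cleans the HTML <head>;
//    filtering 'the_generator' also covers the RSS/Atom feeds and the other
//    generator outputs, which is why the slide uses the filter.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Assumption beyond the slides: core appends ?ver=<WP version> to its own
// scripts and styles, so strip that argument from enqueued asset URLs too.
function example_strip_asset_version(string $src): string
{
    return remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'example_strip_asset_version');
add_filter('style_loader_src', 'example_strip_asset_version');

// 2. Login errors. An empty message hides whether the username or the
//    password was the wrong half. A closure replaces the slide's
//    create_function(), which no longer exists in PHP 8.
add_filter('login_errors', function ($message) {
    return '';
});
```

Stripping `ver=` also disables cache busting for those assets, so pair it with a cache policy you control; the trade-off is the usual one between fingerprint reduction and convenience.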
24. Or one for all: Harden your Settings
Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/
Most important: Remove version
number from ALL components &
block malicious URL requests.
25. #12 Update your blogs regularly!
WP Updates Notifier to get emails
on out-dated components (core,
themes & plug-ins) for all blogs:
– http://wordpress.org/extend/plugins/wp-updates-notifier/
ManageWP can do one-click mass
updates (core, themes, plug-ins
again) for all your blogs:
– http://managewp.com/features
26. #13 Keep your installation clean
Remove all inactive
plug-ins as well as themes!
27. #14 Scan your Theme daily
http://wordpress.org/extend/plugins/antivirus/
WP AntiVirus
28. Or try this one to scan for Exploits
http://wordpress.org/plugins/exploit-scanner/
Exploit Scanner
Caution: Use a good portion of
common sense when reviewing!
29. #15 Move the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_DIR points to the full
local path of the new folder (no trailing slash).
WP_CONTENT_URL points to the new folder's
full URI (no trailing slash either).
30. #16 Fix File & Folder Permissions
http://wordpress.org/extend/plugins/wp-security-scan/
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
31. #17 Disable File Editing
define('DISALLOW_FILE_EDIT', true);
Set DISALLOW_FILE_EDIT to "true" to
disable editing files from the dashboard.
By default, admins are allowed to edit PHP files. Setting
the above is equivalent to removing the
'edit_themes', 'edit_plugins' and 'edit_files' capabilities
from all users.
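The capability equivalence stated above can be shown directly. As an added example (not from the talk), the must-use plugin below does at the capability level what `define('DISALLOW_FILE_EDIT', true)` does in core's `map_meta_cap()`: it answers `edit_themes`, `edit_plugins` and `edit_files` checks with the `do_not_allow` pseudo-capability, which WordPress treats as a hard deny for every user, including administrators. It is meant for installs where wp-config.php cannot be edited; the function name is this example's own.

```php
<?php
/**
 * Plugin Name: Block in-dashboard file editing (added example, not from the talk)
 */
declare(strict_types=1);

/** map_meta_cap filter: deny the three file-editing capabilities for everyone. */
function example_deny_file_edit_caps(array $caps, string $cap): array
{
    $blocked = ['edit_themes', 'edit_plugins', 'edit_files'];
    if (in_array($cap, $blocked, true)) {
        $caps[] = 'do_not_allow';   // core never grants this pseudo-cap
    }
    return $caps;
}
add_filter('map_meta_cap', 'example_deny_file_edit_caps', 10, 2);

// Also hide the Theme/Plugin editor menu entries, since those screens would
// now only show "Sorry, you are not allowed to access this page."
add_action('admin_menu', function (): void {
    remove_submenu_page('themes.php', 'theme-editor.php');
    remove_submenu_page('plugins.php', 'plugin-editor.php');
}, 99);
```

The constant in wp-config.php remains the simpler choice when you control that file; the plugin form is useful on managed hosting and as a way to verify, with `current_user_can('edit_themes')`, that the deny is actually in effect.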
32. #18 Delete Files & Disable Listings
Delete those files manually; also get rid of
"readme.html" in your WP root.
This goes into the .htaccess file in your WP
root to disable all directory listings:
Options -Indexes
http://httpd.apache.org/docs/2.4/mod/core.html#options
33. If you'd change "last
modified" to ".php.bak" this
would then… ok, enough!