WordPress Security
 12 WordPress Security Fundamentals
Why Security?
•    SEO / Google rankings
•    Downtime - Decreased Revenue
•    Website / Business / Personal Credibility
•    Increased costs cleaning up the mess (potentially lawsuits)
• Lose everything - no site :-(
“How do I completely secure my site?”
It’s all about “risk”
“The probability that a particular security threat will exploit a particular vulnerability” (ISC)²
Threat = A potential danger
Vulnerability = A Weakness
Weak Spots (Examples)
• WordPress (Core, Themes & Plugins)
  ‣ Bugs/Vulnerabilities in the code itself
• Hosting (Web & Database Server/s)
  ‣ Poor File Permissions
• You
  ‣ Weak Password Choice
There are some simple things you can do to reduce the risk
1. Update WordPress
• Simple
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
 Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
 Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
 Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
 Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
 Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
 Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
• If a vulnerability is discovered in WordPress and a new
     version is released to address the issue, the information
     required to exploit the vulnerability is almost certainly in the
     public domain.
• This makes old versions more open to attack, and is one of
     the primary reasons you should always keep WordPress up
     to date.
• REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site: its PHP files are still reachable under wp-content/ and any file that can be requested directly will run whether or not the plugin is active.
2. Rename “admin” account
• Make it hard for an attacker. If they already know your username that’s half the battle (but treat usernames as semi-public anyway: WordPress exposes them through author archive URLs such as /?author=1, so the password still matters far more than the name).
• As of WordPress 3.0 the installer asks for the admin account name up front - don't use "admin" and I recommend not using anything related to the domain.
• If you do happen to have an “admin” account there are a few options:
  ‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
  ‣ Create another administrator user, log in as the new administrator and delete the "admin" user (attribute its posts to the new user when WordPress asks, otherwise they are deleted with it).
  ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly. Change user_nicename as well as user_login, otherwise the old name still shows up in /author/admin/ URLs.
3. Change your table_prefix
• My what? It's a database thing...
• Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default.
• Changing this can block at least some canned SQL injection attacks. It is obscurity only: it does not fix the injection itself, and an attacker who can run arbitrary SQL can read the real table names from information_schema.
• Good news - WordPress now asks upfront during installation for you to specify a table prefix - so don’t use “wp_”.
• If you haven’t changed your prefix:
  ‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
  ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly: rename every table, then also update the rows that embed the prefix (the wp_user_roles option in wp_options and the wp_capabilities / wp_user_level keys in wp_usermeta), and update $table_prefix in wp-config.php. Miss the rows and every account loses its role.
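The two "get your hands dirty with MySQL" steps above (renaming the admin account, and changing the table prefix) are where hand edits usually go wrong, so here is an added example that builds the statements for both. It is not part of the deck or of any WordPress plugin. The table list, the new login name and the new prefix are constructed sample input; a real run would take the table list from SHOW TABLES, take a backup, and then execute the printed statements in the mysql client or phpMyAdmin.

```python
"""Build the SQL for the two manual database edits described above.
Added example: run the printed statements in the mysql client or phpMyAdmin
after taking a backup. The sample tables and names are constructed input."""
import re

# WordPress itself only accepts letters, digits and underscores in a prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
LOGIN_RE = re.compile(r"^[A-Za-z0-9 _.\-@]+$")  # characters WordPress allows in user_login

# Constructed sample: the default single-site tables plus one unrelated table.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
    "wp_terms", "wp_usermeta", "wp_users", "other_app_table",
]


def sql_str(value):
    """Quote a MySQL string literal (backslash and single quote escaped)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def like_prefix(prefix):
    """LIKE pattern matching `prefix` literally: '_' is a one-character
    wildcard in LIKE, so a naive 'wp_%' would also hit names like 'wpxfoo'."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "'" + escaped + "%'"


def rename_admin_sql(new_login, prefix="wp_"):
    """Rename the 'admin' account. user_login is what the login form checks;
    user_nicename is the slug in /author/<nicename>/ URLs and display_name is
    shown on posts, so both must change or the old name stays discoverable."""
    if not PREFIX_RE.match(prefix) or not LOGIN_RE.match(new_login):
        raise ValueError("unsafe prefix or login name")
    # Approximation of WordPress's sanitize_title() for the URL slug.
    nicename = re.sub(r"[^a-z0-9-]+", "-", new_login.lower()).strip("-")
    users = f"`{prefix}users`"
    return [
        f"UPDATE {users} SET user_login = {sql_str(new_login)}, "
        f"user_nicename = {sql_str(nicename)} WHERE user_login = 'admin';",
        f"UPDATE {users} SET display_name = {sql_str(new_login)} "
        f"WHERE user_login = {sql_str(new_login)} AND display_name = 'admin';",
    ]


def prefix_change_sql(tables, old="wp_", new="q7h_"):
    """RENAME every table carrying the old prefix, then fix the rows that
    store the prefix *inside* the data: the <prefix>user_roles option and the
    per-user <prefix>capabilities / <prefix>user_level meta keys. Skip those
    and every account ends up with no role after the change."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"bad prefix {p!r}: only letters, digits and _ allowed")
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in tables if t.startswith(old)]
    start = len(old) + 1  # SUBSTRING() positions are 1-based
    for table, column in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
        stmts.append(
            f"UPDATE `{table}` SET {column} = CONCAT({sql_str(new)}, "
            f"SUBSTRING({column}, {start})) WHERE {column} LIKE {like_prefix(old)};"
        )
    return stmts


if __name__ == "__main__":
    for stmt in rename_admin_sql("site_owner_k3") + prefix_change_sql(SAMPLE_TABLES):
        print(stmt)
```

The LIKE escaping is the detail most hand-written versions miss: in MySQL `_` is a wildcard, so `LIKE 'wp_%'` also rewrites keys that merely start with "wp" followed by any character.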
4. Setup Security Keys
• Often referred to as Salts - secret values that WordPress mixes into the hashes it uses to sign login cookies and nonces, so a cookie cannot be forged or reused without them. They are not involved in how passwords are stored.
• They live in your site's wp-config.php and can be changed at any time - changing them invalidates every existing login cookie, which logs all users out (a quick way to evict someone holding a stolen session)
• https://api.wordpress.org/secret-key/1.1/salt/
• WordPress now generates the salts for you if none are provided - but then it stores them in the database (wp_options), where an SQL injection can read them, so define them in wp-config.php anyway.
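An added example (not from the deck or from WordPress) that generates the eight key/salt defines offline in the same 64-character format the wordpress.org URL above returns, and rotates them inside an existing wp-config.php. The sample config text is constructed; the character set and the line-matching pattern are this example's assumptions and expect the single-quoted define() lines that the stock wp-config-sample.php uses.

```python
"""Generate and rotate the eight wp-config.php authentication keys and salts
offline. Added example; the sample config text below is constructed."""
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
KEY_LENGTH = 64  # the length the wordpress.org generator returns
# Printable ASCII minus the two characters that would break a single-quoted
# PHP string literal (assumption: the defines use single quotes).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'([^']*)'\s*\);"
)

# Constructed sample of the relevant part of a fresh wp-config.php.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def generate_keys():
    """One fresh value per key name from the CSPRNG (secrets, never random)."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
            for name in KEY_NAMES}


def parse_keys(config_text):
    """Map key name -> current value for the defines present in the text."""
    return {name: value for name, value in DEFINE_RE.findall(config_text)}


def rotate_keys(config_text, keys=None):
    """Replace the eight define() lines with new values. Every login cookie
    was signed with the old keys, so once this is saved every user (including
    anyone holding a stolen cookie) is logged out and must sign in again."""
    keys = keys or generate_keys()
    present = parse_keys(config_text)
    missing = [n for n in KEY_NAMES if n not in present]
    if missing:
        raise ValueError("wp-config.php has no define() for: " + ", ".join(missing))
    return DEFINE_RE.sub(lambda m: f"define('{m.group(1)}', '{keys[m.group(1)]}');",
                         config_text)


if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```

Run it against a copy of wp-config.php and diff before replacing the live file; the placeholder text "put your unique phrase here" must be gone from the result.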
5. Use Strong Passwords
• Weak passwords leave your site vulnerable to:
  ‣ Brute Force Attacks
  ‣ Dictionary Attacks
• Please use a strong password
• Don’t reuse passwords
• WordPress has a built in strength meter (don’t ignore it)
• Weak (guessable): Password1
• Strong (randomly generated): jvYM89xwyzH?ah
• Try a password safe/generator like:
  ‣ 1Password (https://agilebits.com/onepassword)
  ‣ KeePass (http://keepass.info/)
6. Limit login attempts
• Restrict the number of failed attempts using a plugin like:
  ‣ Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
  ‣ Simple Login Lockdown - http://wordpress.org/extend/plugins/simple-login-lockdown/
• Check that the plugin also covers xmlrpc.php: the XML-RPC interface accepts a username and password too, and a limiter that only watches wp-login.php leaves that door open.
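Whatever plugin enforces the limit, it helps to be able to see the attempts in the web server's access log. This added detection example is not from the deck or from either plugin. The log lines are constructed in the Apache/nginx combined format; the status-code rule (a failed wp-login.php POST answers 200 by re-rendering the form, a successful one redirects with 302, xmlrpc.php answers 200 either way) and the 5-in-10-minutes threshold are this example's assumptions.

```python
"""Detect password guessing against wp-login.php and xmlrpc.php in a web
server access log. Added example; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache / nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption behind the heuristic: a failed wp-login.php POST re-renders the
# form (200) while a successful one redirects to wp-admin (302); xmlrpc.php
# answers 200 whether the credentials were right or not, so every POST to it
# counts as an attempt (noisy if the site uses Jetpack or the mobile app).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one guessing client on the login form, one legitimate
# user who mistypes once, and one script hammering XML-RPC.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:08:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2024:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2024:08:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:08:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:08:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:08:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:08:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:08:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the fields we need as a dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?redirect_to=... etc.
    return rec


def is_failed_attempt(rec):
    if rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    return True  # xmlrpc.php: cannot tell success from failure by status


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total failed attempts} for every IP that made at least
    `threshold` failed attempts inside any `window` (sliding over sorted times)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_attempt(rec):
            attempts[rec["ip"]].append(rec["time"])
    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts")
```

Pipe a real log in with `find_brute_force(open("/var/log/apache2/access.log"))` and feed the offending addresses to whatever blocks at the edge (firewall, fail2ban); the plugin only slows the guesser down, the block removes it.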
7. Use SFTP or FTPS
• FTP transmits all data in the clear - including passwords
• If you need to regularly connect or upload files to your site use SFTP or FTPS (especially if you are using public wifi)
8. Check File Permissions
• Tricky to get right (especially in shared hosting where it is more important to get it right)
• A good rule of thumb is 644 for files and 755 for folders, tighter (640 or 600) for wp-config.php because it holds the database password, and never 777 for anything
• That rule assumes PHP runs as the user that owns the files. On shared hosts where PHP runs as a common web-server user, "other" is every other tenant, so a world-readable wp-config.php leaks your database password to their scripts - ask the host how PHP is executed before relying on these numbers
• http://codex.wordpress.org/Changing_File_Permissions
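An added audit script (not from the deck or the Codex page) that checks a WordPress tree against those numbers, with the stricter mode for wp-config.php, and optionally repairs it. The demo tree is constructed in a temporary directory; the 0640 target for wp-config.php is this example's choice.

```python
"""Audit (and optionally repair) file modes in a WordPress tree. Added
example; the demo tree is constructed in a temporary directory."""
import os
import stat
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755   # the deck's rule of thumb
CONFIG_MODE = 0o640                  # this example's stricter choice for wp-config.php


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return CONFIG_MODE if os.path.basename(path) == "wp-config.php" else FILE_MODE


def audit(root, fix=False):
    """Return (relative path, actual mode, expected mode) for every entry whose
    permission bits differ from the target; with fix=True also chmod them.
    Caveat from the text above: 644/755 assumes PHP runs as the file owner.
    Where PHP runs as a shared web-server user, "other" is every other tenant
    and a world-readable wp-config.php hands them the database password."""
    findings = []

    def check(path, is_dir):
        if os.path.islink(path):
            return  # never chmod through a symlink
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        want = expected_mode(path, is_dir)
        if actual != want:
            findings.append((os.path.relpath(path, root), actual, want))
            if fix:
                os.chmod(path, want)

    check(root, True)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            check(os.path.join(dirpath, d), True)
        for f in filenames:
            check(os.path.join(dirpath, f), False)
    return findings


def build_demo_tree():
    """Constructed sample site: a world-writable uploads dir and a 644 wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    os.chmod(root, DIR_MODE)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)
    for name in ("index.php", "wp-config.php"):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, 0o644)
    return root


if __name__ == "__main__":
    site = build_demo_tree()
    for rel, actual, want in audit(site):
        print(f"{rel}: {actual:o} -> should be {want:o}")
    audit(site, fix=True)
    print("after fix:", audit(site))
```

Run `audit("/path/to/site")` first and read the list before passing `fix=True`; a plugin that legitimately needs a writable cache directory will show up too, and that is a decision, not something to chmod blindly.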
9. Move wp-config.php
• wp-config.php is the main configuration file for your site
• WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory (as long as that parent directory does not itself contain a wp-settings.php, i.e. is not another WordPress install)
• Recommended that it is moved up one level (to the parent directory) to make sure only your account and the server can read the file
• If WordPress is located here:
  ‣ /public_html/mysite/wp-config.php
• You can move wp-config.php to here:
  ‣ /public_html/wp-config.php
• This only helps if the parent directory is outside the web server's document root. In the layout above that is the case when /public_html/mysite is the document root (for example a subdomain pointed at it); if /public_html itself is served, the file is still reachable over HTTP and nothing has been gained. The payoff is protection against a misconfigured server handing out the raw PHP source (say, after a PHP handler failure), which would expose the database credentials.
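An added check (example code, not from the deck or from WordPress) that reproduces the lookup order from wp-load.php and then tests whether the file WordPress will load is still under the document root. The directory layout is constructed; the docroot argument is an assumption you would take from the virtual host configuration.

```python
"""Check whether a relocated wp-config.php will be found by WordPress and
whether it is still under the document root. Added example; the layout is
constructed in a temporary directory."""
import os
import tempfile


def locate_wp_config(abspath):
    """Lookup order used by wp-load.php: ABSPATH/wp-config.php first, then the
    parent directory, but only if the parent does not also hold a
    wp-settings.php (that guard stops a nested install from loading the parent
    site's config). Returns the path WordPress would load, or None."""
    abspath = os.path.abspath(abspath)
    here = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(here):
        return here
    parent = os.path.dirname(abspath)
    up = os.path.join(parent, "wp-config.php")
    if os.path.isfile(up) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return up
    return None


def is_web_reachable(path, docroot):
    """True if `path` lies under the server's document root, i.e. a request can
    still address it (and a PHP handler failure would serve its source)."""
    path, docroot = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([path, docroot]) == docroot


def assess(abspath, docroot):
    """'missing' (WordPress would show the install screen), 'reachable'
    (moved, but still inside the web root: no gain) or 'protected'."""
    cfg = locate_wp_config(abspath)
    if cfg is None:
        return "missing"
    return "reachable" if is_web_reachable(cfg, docroot) else "protected"


def build_demo(nested_parent=False):
    """Constructed layout from the slide: public_html/mysite is the install and
    wp-config.php has been moved up to public_html/."""
    base = tempfile.mkdtemp(prefix="wp-cfg-demo-")
    public_html = os.path.join(base, "public_html")
    site = os.path.join(public_html, "mysite")
    os.makedirs(site)
    open(os.path.join(site, "wp-settings.php"), "w").close()
    open(os.path.join(public_html, "wp-config.php"), "w").close()
    if nested_parent:  # public_html is itself another WordPress install
        open(os.path.join(public_html, "wp-settings.php"), "w").close()
    return public_html, site


if __name__ == "__main__":
    public_html, site = build_demo()
    print("docroot = public_html:", assess(site, public_html))  # reachable
    print("docroot = mysite:     ", assess(site, site))         # protected
    _, nested_site = build_demo(nested_parent=True)
    print("parent is a WP install:", assess(nested_site, nested_site))  # missing
```

The three outcomes are the three things that can go wrong with this tip: the move is pointless (reachable), the move works (protected), or the move breaks the site because the parent is another install (missing).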
10. Run Backups
• Hosts may provide backups
• However often...
  ‣ they don’t back up the right things
  ‣ they don’t back up regularly enough
  ‣ they don’t know WordPress
  ‣ they may charge you to restore your site
VaultPress - http://vaultpress.com/
Backup Buddy - http://ithemes.com/purchase/backupbuddy/
• Or just plain old...
  ‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
  ‣ WordPress Export (note the export doesn't contain your uploaded files or your options; the database and wp-content need a real backup)
11. Choose hosting wisely
• In my experience you get what you pay for
• Look for hosts that have
  ‣ Good backup regime
  ‣ WordPress Expertise (tougher than you think)
  ‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
12. Be Security Minded
•   Keep your own machine clean
•   Don’t share or reuse passwords
•   If you use public computers be sure to log out of WP
•   If you use public networks
    ‣ avoid using ftp (that's the insecure one)
    ‣ avoid logging into WP if you're not using HTTPS
There’s a plugin for that
• There are also a range of “all in one” solutions that will cover most of the above as well as things like (mostly obscurity measures - worth having, but no substitute for the fundamentals):
     ‣    Remove the WordPress version/generator tag
     ‣    Remove update notifications
     ‣    Remove login error messages
     ‣    Change location of login urls
•   http://wordpress.org/extend/plugins/better-wp-security/
•   http://wordpress.org/extend/plugins/secure-wordpress/
•   http://wordpress.org/extend/plugins/bulletproof-security/
•   http://wordpress.org/extend/plugins/wp-security-scan/
Extra Resources
• http://codex.wordpress.org/Hardening_WordPress
• http://build.codepoet.com/2012/07/10/locking-down-wordpress/ (E-book)
• http://codex.wordpress.org/Changing_File_Permissions
• http://sucuri.net/ (Malware Scanner)
Summary
1. Update WordPress
2. Rename “admin” user
3. Change the table_prefix
4. Setup Security Keys
5. Use Strong Passwords
6. Limit Login Attempts
7. Use SFTP or FTPS
8. Check File Permissions
9. Move wp-config.php
10. Run Backups
11. Choose Hosting Wisely
12. Be Security Minded
THANK YOU

Más contenido relacionado

La actualidad más candente

Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusion
cfjedimaster
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)
WordCamp Cape Town
 

La actualidad más candente (20)

Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support Tale
 
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!
 
Rapid Prototyping with AWS IoT and Mongoose OS on ESP32 Platform
Rapid Prototyping with AWS IoT and Mongoose OS on ESP32 PlatformRapid Prototyping with AWS IoT and Mongoose OS on ESP32 Platform
Rapid Prototyping with AWS IoT and Mongoose OS on ESP32 Platform
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
(WEB203) Building a Website That Costs Pennies to Operate | AWS re:Invent 2014
(WEB203) Building a Website That Costs Pennies to Operate | AWS re:Invent 2014(WEB203) Building a Website That Costs Pennies to Operate | AWS re:Invent 2014
(WEB203) Building a Website That Costs Pennies to Operate | AWS re:Invent 2014
 
Keep Applications Online
Keep Applications OnlineKeep Applications Online
Keep Applications Online
 
B wapp – bee bug – installation
B wapp – bee bug – installationB wapp – bee bug – installation
B wapp – bee bug – installation
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Developing High Performance and Scalable ColdFusion Application Using Terraco...
Developing High Performance and Scalable ColdFusion Application Using Terraco...Developing High Performance and Scalable ColdFusion Application Using Terraco...
Developing High Performance and Scalable ColdFusion Application Using Terraco...
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPress
 
How to Install Magento on Google Cloud Engine (GCE)
How to Install Magento on Google Cloud Engine (GCE)How to Install Magento on Google Cloud Engine (GCE)
How to Install Magento on Google Cloud Engine (GCE)
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusion
 
Jenkins Setup Document
Jenkins Setup DocumentJenkins Setup Document
Jenkins Setup Document
 
Sexy, Powerful, Exciting
Sexy, Powerful, ExcitingSexy, Powerful, Exciting
Sexy, Powerful, Exciting
 
Make WordPress Fly With Virtual Server Hosting - WordCamp Sydney 2014
Make WordPress Fly With Virtual Server Hosting  - WordCamp Sydney 2014Make WordPress Fly With Virtual Server Hosting  - WordCamp Sydney 2014
Make WordPress Fly With Virtual Server Hosting - WordCamp Sydney 2014
 
Optimizing WordPress for Performance - WordCamp Houston
Optimizing WordPress for Performance - WordCamp HoustonOptimizing WordPress for Performance - WordCamp Houston
Optimizing WordPress for Performance - WordCamp Houston
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)
 
AWS Customer Presentation - Mediafed
AWS Customer Presentation - MediafedAWS Customer Presentation - Mediafed
AWS Customer Presentation - Mediafed
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...
 

Similar a WordPress Security - 12 WordPress Security Fundamentals

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
Optimizing WordPress - WordPress SF Meetup April 2012
Optimizing WordPress -  WordPress SF Meetup April 2012Optimizing WordPress -  WordPress SF Meetup April 2012
Optimizing WordPress - WordPress SF Meetup April 2012
Ben Metcalfe
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 

Similar a WordPress Security - 12 WordPress Security Fundamentals (20)

Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
 
Optimize wordpress
Optimize wordpressOptimize wordpress
Optimize wordpress
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
The WordPress Way
The WordPress WayThe WordPress Way
The WordPress Way
 
WordPress Resources Nov 2014
WordPress Resources Nov 2014WordPress Resources Nov 2014
WordPress Resources Nov 2014
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Vagrant WordCamp Hamilton
Vagrant  WordCamp HamiltonVagrant  WordCamp Hamilton
Vagrant WordCamp Hamilton
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
 
Optimizing WordPress - WordPress SF Meetup April 2012
Optimizing WordPress -  WordPress SF Meetup April 2012Optimizing WordPress -  WordPress SF Meetup April 2012
Optimizing WordPress - WordPress SF Meetup April 2012
 
20 tips to Improving Your WordPress Site...for Beginners
20 tips to Improving Your WordPress Site...for Beginners20 tips to Improving Your WordPress Site...for Beginners
20 tips to Improving Your WordPress Site...for Beginners
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
 
Installing WordPress The Right Way
Installing WordPress The Right WayInstalling WordPress The Right Way
Installing WordPress The Right Way
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Updating WordPress Themes, Plugins, and Core Safely
Updating WordPress Themes, Plugins, and Core SafelyUpdating WordPress Themes, Plugins, and Core Safely
Updating WordPress Themes, Plugins, and Core Safely
 
Backup and Security Lite WCPHX13
Backup and Security Lite WCPHX13Backup and Security Lite WCPHX13
Backup and Security Lite WCPHX13
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

WordPress Security - 12 WordPress Security Fundamentals

  • 1. WordPress Security 12 WordPress Security Fundamentals
  • 2. Why Security? • SEO / Google rankings • Downtime - Decreased Revenue • Website / Business / Personal Credibility • Increased Costs with cleaning up the mess ( Potentially Law Suits ) • Lose everything - no site :-(
  • 3. “How do I completely secure my site?”
  • 4.
  • 5. It’s all about “risk”
  • 6. “The probability that a particular security threat will exploit a particular vulnerability” ISC 2
  • 7. Threat = A potential danger
  • 8.
  • 9.
  • 10.
  • 11. Vulnerability = A Weakness
  • 12.
  • 13. Weak Spots (Examples) • WordPress (Core, Themes & Plugins) ‣ Bugs/Vulnerabilities in the code itself • Hosting (Web & Database Server/s) ‣ Poor File Permissions • You ‣ Weak Password Choice
  • 14. There are some simple things you can do to reduce the risk
  • 16. Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress
  • 17. • If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. • This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
  • 18. • REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site.
  • 19. 2. Rename “admin” account • Make it hard for an attacker. If they already know your username that’s half the battle • As of 3.0 WordPress asks upfront during installation for an admin account name - don't use "admin" and I recommend not using anything related to the domain.
  • 20. • If you do happen to have an “admin” account there are a few options: ‣ Admin Renamer Extender - http://wordpress.org/ extend/plugins/admin-renamer-extended/ ‣ Create another administrator user and then login as new administrator user and delete "admin" user. ‣ Get your hands dirty with MySQL or use phpmyadmin to edit the database directly
  • 21. Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress
  • 22. 3. Change your table_prefix • My what? Its a database thing... • Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. • Changing this can block at least some SQL injection attacks. • Good news - WordPress now asks upfront during installation for you to specify a table prefix - so don’t use “wp”.
  • 23. • If you haven’t changed your prefix: ‣ Change Table Prefix (http://wordpress.org/extend/ plugins/change-table-prefix/) ‣ Get your hands dirty with MySQL or use phpmyadmin to edit the database directly (remember to update your wp-config.php file as well)
  • 24. Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress
• 25. 4. Set up Security Keys
  • Often referred to as salts - they add random elements to your password when encrypting information in cookies (that are used during the WordPress login process)
  • They live in your site’s wp-config.php and can be changed at any time
  • https://api.wordpress.org/secret-key/1.1/salt/
• 27.
  • WordPress now generates the salts for you if none are provided - but it’s better to be safe than sorry.
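Added example (not from the slides): a POSIX shell function that rewrites the eight security-key defines in a wp-config.php with fresh values drawn from the kernel's random source, as an offline alternative to pasting the output of the api.wordpress.org endpoint above. The function names and the 64-character key length are my own choices; the constant names are the ones WordPress defines.

```shell
#!/bin/sh
# Added example, not from the slides: regenerate the eight WordPress
# security keys/salts in place. Keep a backup of wp-config.php first.

# The eight constants WordPress reads from wp-config.php for cookie hashing.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 printable characters from /dev/urandom. The character set deliberately
# excludes ' | & and \ so the value is safe inside PHP quotes and the sed
# replacement below needs no escaping.
wp_random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#%+=_-' < /dev/urandom | head -c 64
}

# Replace the value of every define('KEY', '...') line for the eight keys.
# Fails (without touching the file) if any of the eight defines is missing.
# Usage: wp_regenerate_salts /path/to/wp-config.php
wp_regenerate_salts() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  for k in $WP_KEYS; do
    grep -q "define([[:space:]]*'$k'" "$cfg" || { echo "missing define for $k" >&2; return 1; }
  done
  for k in $WP_KEYS; do
    v=$(wp_random_key)
    sed -i.bak "s|define([[:space:]]*'$k',[[:space:]]*'[^']*'[[:space:]]*)|define('$k', '$v')|" "$cfg"
  done
  rm -f "$cfg.bak"
}

# Number of keys still holding the sample file's placeholder text
# ("put your unique phrase here"); 0 means every key has been set.
wp_count_placeholders() {
  grep -c "put your unique phrase here" "$1" || true
}
```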
• 29. 5. Use Strong Passwords
  • Weak passwords leave your site vulnerable to:
    ‣ Brute Force Attacks
    ‣ Dictionary Attacks
  • Please use a strong password
  • Don’t reuse passwords
  • WordPress has a built-in strength meter (don’t ignore it)
• 32.
  • Try a password safe/generator like:
    ‣ 1Password (https://agilebits.com/onepassword)
    ‣ KeePass (http://keepass.info/)
• 33. 6. Limit login attempts
  • Restrict the number of failed attempts using a plugin like:
    ‣ Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
    ‣ Simple Login Lockdown - http://wordpress.org/extend/plugins/simple-login-lockdown/
• 35. 7. Use SFTP or FTPS
  • FTP transmits all data in the clear - including passwords
  • If you need to regularly connect or upload files to your site, use SFTP or FTPS (especially if you are using public wifi)
• 36. 8. Check File Permissions
  • Tricky to get right (especially in shared hosting, where it is more important to get it right)
  • A good rule of thumb is to set permissions to 644 for files and 755 for folders
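Added example (not from the slides): a shell audit of the 644/755 rule of thumb above that lists every file or folder deviating from it, with wp-config.php held to a tighter standard (no world-read bit) because it contains the database password and security keys. It relies on GNU find/stat; the function names and the output format are my own.

```shell
#!/bin/sh
# Added example, not from the slides: audit and apply the 644 (files) /
# 755 (folders) baseline on a WordPress tree. Requires GNU find and stat.

# Print one line per deviation: "<octal mode> <f|d|c> <path>"
#   f = file not 644, d = directory not 755, c = wp-config.php world-readable
# Usage: wp_perm_audit /path/to/wordpress
wp_perm_audit() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Files other than wp-config.php whose mode is not exactly rw-r--r--
  find "$root" -type f ! -name wp-config.php ! -perm 644 -exec sh -c \
    'printf "%s f %s\n" "$(stat -c %a "$1")" "$1"' _ {} \;
  # Directories whose mode is not exactly rwxr-xr-x
  find "$root" -type d ! -perm 755 -exec sh -c \
    'printf "%s d %s\n" "$(stat -c %a "$1")" "$1"' _ {} \;
  # wp-config.php in the site root: flag it if "other" can read it at all
  find "$root" -maxdepth 1 -name wp-config.php -perm -004 -exec sh -c \
    'printf "%s c %s\n" "$(stat -c %a "$1")" "$1"' _ {} \;
}

# Number of findings; 0 means the tree matches the baseline.
wp_perm_findings() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the baseline: only paths the audit would flag are changed.
# wp-config.php becomes 640 (owner read/write, group read, nothing for others).
wp_perm_fix() {
  root="$1"
  find "$root" -type d ! -perm 755 -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php ! -perm 644 -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
  return 0
}
```

On shared hosts where PHP runs as a different user than the file owner, 640 on wp-config.php can break the site; check which user the web server runs as before applying it.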
• 39. 9. Move wp-config.php
  • wp-config.php is the main configuration file for your site
  • WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
  • It is recommended to move it up one level (to the parent directory) to make sure only your account and the server can read the file
• 40.
  • If WordPress is located here:
    ‣ /public_html/mysite/wp-config.php
  • You can move wp-config.php to here:
    ‣ /public_html/wp-config.php
• 41.
  • This makes it much more difficult for anyone to access your wp-config.php file, as it now resides outside of your site’s root directory
• 43. 10. Run Backups
  • Hosts may provide backups
  • However, often...
    ‣ they don’t back up the right things
    ‣ they don’t back up regularly enough
    ‣ they don’t know WordPress
    ‣ they may charge you to restore your site
  • 45. Backup Buddy - http://ithemes.com/purchase/backupbuddy/
• 46.
  • Or just plain old...
    ‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
    ‣ WordPress Export (note the export doesn’t contain your uploaded files or options)
• 48. 11. Choose hosting wisely
  • In my experience you get what you pay for
  • Look for hosts that have:
    ‣ A good backup regime
    ‣ WordPress expertise (tougher than you think)
    ‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
• 49. 12. Be Security Minded
  • Keep your own machine clean
  • Don’t share or reuse passwords
  • If you use public computers, be sure to log out of WP
  • If you use public networks:
    ‣ avoid using FTP (that’s the insecure one)
    ‣ avoid logging into WP if you’re not using HTTPS
• 50. There’s a plugin for that
  • There is also a range of “all in one” solutions that cover most of the above as well as things like:
    ‣ Remove the WordPress version/generator tag
    ‣ Remove update notifications
    ‣ Remove login error messages
    ‣ Change the location of login URLs
• 51.
  • http://wordpress.org/extend/plugins/better-wp-security/
  • http://wordpress.org/extend/plugins/secure-wordpress/
  • http://wordpress.org/extend/plugins/bulletproof-security/
  • http://wordpress.org/extend/plugins/wp-security-scan/
• 52. Extra Resources
  • http://codex.wordpress.org/Hardening_WordPress
  • http://build.codepoet.com/2012/07/10/locking-down-wordpress/ (E-book)
  • http://codex.wordpress.org/Changing_File_Permissions
  • http://sucuri.net/ (Malware Scanner)
• 53. Summary
  1. Update WordPress
  2. Rename “admin” user
  3. Change the table_prefix
  4. Set up Security Keys
  5. Use Strong Passwords
  6. Limit Login Attempts
  7. Use SFTP or FTPS
  8. Check File Permissions
  9. Move wp-config.php
  10. Run Backups
  11. Choose Hosting Wisely
  12. Be Security Minded
• 54. THANK YOU