2. • Use complex usernames & passwords
• Check file permissions have minimum access
• Update software often & regularly
• Use security firewalls & scan regularly
• Consider using 2-factor authentication
• Stick to reputable theme providers
• Uninstall unused code/themes/plugins
• Lock all doors, windows & switch off Internet!
@DeveloperWil #wpsyd
TL;DR
3. • Chinese General
• Military Strategist
• Philosopher
• Born ~512BC
Book: The Art of War
http://www.classicly.com/read-the-art-of-war-online-free/page/1
@DeveloperWil #wpsyd
Introducing Sun Tzu
4. “Victorious warriors win first and then
go to war, while defeated warriors go to
war first and then seek to win.”
Don’t wait until your site gets hacked
first. Lock it down today and get
ready to defend it!
@DeveloperWil #wpsyd
Sun Tzu Says…
5. “To know your Enemy, you
must become your Enemy”
Learn how hackers try to get into your
site so you can pre-emptively fix it
and be ready for what is to come.
@DeveloperWil #wpsyd
Sun Tzu Says…
6. “Even the finest sword plunged into
salt water will eventually rust.”
Just because your site is secure today,
doesn’t mean it can’t get hacked
tomorrow, next month or next year.
Review & update regularly.
@DeveloperWil #wpsyd
Sun Tzu Says…
7. YOU ARE AT WAR
WITH MULTIPLE
UNKNOWN
ENEMIES
@DeveloperWil #wpsyd
8. There is always a current threat
The worst type of threats are those you
don’t know about
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
@DeveloperWil #wpsyd
SO BE PREPARED
Security Is Cyclic
9. Locked in a deep dark basement
No internet connection
No user interaction
Switched off!
= Pretty useless website
= There is a balance to be had
@DeveloperWil #wpsyd
Ultimate Secure Site
10. Everything is Hackable
@DeveloperWil #wpsyd
Best we can do is make our site
less attractive than others to hack
into.
Would you attempt to break into
this car?
https://www.youtube.com/watch?v=aLhWzMOccTg
Before We Start
11. The most vulnerable part of your
website is…
YOU
Buy this book!
@DeveloperWil #wpsyd
Before We Start
12. Do not leave new WordPress sites in “setup
mode”. Complete the entire setup process.
Hackers can find WordPress setup pages and
install their own site – aka “WPSetup Attack”
Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/
@DeveloperWil #wpsyd
New WP Installations
Fundamentals
13. Beware when ordering a new SSL certificate
for a brand new WordPress website.
Hackers monitor SSL certificate transparency
report +30mins after new certificate being
issued.
They can take over your new site before you
complete the installation process.
Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/
@DeveloperWil #wpsyd
New Sites & SSLs
Fundamentals
15. Don’t replace letters with numbers or symbols.
Simple character substitution is weak.
butterfly → 8utt3rfly
This no longer works and takes
just a few days to crack!
Ref: https://pages.nist.gov/800-63-3/sp800-63b.html
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
16. Avoid personal / social information
• Name and memorable bates: DoB, Marriage
• Fav footie club name, car rego, house
number
Examples of Bad Passwords
Bob1976 Swans2017 !2Nancy
The Password Paradox And Why Our
Personalities Will Get Us Hacked
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
17. 1) Use a random 16 (at least) character password
UPPER, lower, d1g1ts, punctuat!on
b9G#Z4YVemTN^X6S
2) Use 4 random words stringed together:
correct horse battery staple
correcthorsebatterystaple
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
18. Random character & multi-word passwords
= difficult for you to remember
= difficult for hackers to guess ☺
Try to avoid reusing the same password on
multiple sites.
Read The Real Life Risks Of Re Using The Same
Passwords
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
19. Use a password service such as LastPass
Local 256-bit encryption, SSL data
transfer, 2-factor authentication
Free 14-day Last Pass Trial
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
20. Consider forcing users to have a strong
password
Force Strong Passwords plugin.
http://wordpress.org/plugins/force-strong-
passwords/
Gives more flexibility than built-in WordPress
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
21. Only allow one login per device.
Restrict logins under same username on
multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin
http://wordpress.org/plugins/wp-bouncer/
@DeveloperWil #wpsyd
Usernames & Passwords
Fundamentals
22. Change the default WordPress salt keys in wp-
config.php
WordPress uses cookies to store session
information. These are hashed with MD5 +
salt keys in the wp-config.php file
https://api.wordpress.org/secret-key/1.1/salt/
@DeveloperWil #wpsyd
Session Safety: Salk Keys
Fundamentals
23. Restrict the number of users with the
Administrator role.
You do need at least 1 Admin user to
administer the site – do you need any more
than that?
Editor role is sufficient for somebody to manage
90% of all the site’s day-to-day content.
@DeveloperWil #wpsyd
Admin & Editor Users
Fundamentals
24. Understanding Linux file permissions is key
@DeveloperWil #wpsyd
Linux File Permissions
Files & Perms
25. Each file and directory has three user based
permission groups:
• u – the user who owns the file or directory (owner)
• g - the group to which the user belongs
• o - all other users on the system (not owner or
user’s group), this is the permission group that you
want to watch the most.
@DeveloperWil #wpsyd
Permission Groups
Files & Perms
26. Each file or directory has three basic
permission types:
• r - a user's capability to read the contents of the file
• w - a user's capability to write or modify a file or
directory
• x - a user's capability to execute (run) a file or view
the contents of a directory.
@DeveloperWil #wpsyd
Permission Types
Files & Perms
27. In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may insist you set
/wp-content/uploads to 777
Move to another hosting company!
@DeveloperWil #wpsyd
Files, Folders & Permissions
Files & Perms
28. Probably your three most important sys files are:
.htaccess (Apache Web Server)
= permalinks, redirects, error files, directory pswds, etc
This should be locked down to CHMOD 444
php.ini
= PHP version, extensions, remote opens, file uploads, etc
wp-config.php
= WordPress DB username & password, Salts
These should be locked down to CHMOD 440
@DeveloperWil #wpsyd
Config Files & Permissions
Files & Perms
29. Malware can be hidden in Themes, Plugins &
other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $199.99 per site per
year
@DeveloperWil #wpsyd
Malware Clean Server
Files & Perms
30. Update WordPress Core, Themes and Plugins
regularly = at least weekly
ManageWP service good for multiple sites
https://managewp.com
@DeveloperWil #wpsyd
Update Regularly
WordPress
31. Automatic Updates are in WordPress core for
point releases only by default.
For more control, in wp-config.php
define( 'WP_AUTO_UPDATE_CORE', true );
• true - Development, minor, and major updates are all
enabled
• false - Development, minor, and major updates are all
disabled
• 'minor’ - Minor updates are enabled, development, and
major updates are disabled
@DeveloperWil #wpsyd
Update Regularly
WordPress
32. In your theme’s functions.php
add_filter( 'auto_update_plugin', '__return_true’ );
add_filter( 'auto_update_theme', '__return_true’ );
For specific plugin & theme updates see:
https://codex.wordpress.org/Configuring_Automatic_Background_Updates
@DeveloperWil #wpsyd
Update Plugins & Themes
WordPress
33. Especially “free” themes and torrents
– Likely to contain spam links & malware
– Malware can read your wp-config.php file and
email it to the hacker = you’re screwed
– Don’t use themes or plugins from torrent sites!
– Always try to download from original source
Read: http://premium.wpmudev.org/blog/free-wordpress-
themes-ultimate-guide/
@DeveloperWil #wpsyd
Beware “Free” Premium Downloads
34. Search through files for:
Base64_decode edoced_46esaB and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker
http://wordpress.org/plugins/tac/
Exploit Scanner
http://wordpress.org/plugins/exploit-scanner/
@DeveloperWil #wpsyd
Beware “Free” Premium Downloads
35. Not all Base64_decode function calls are evil!
WordPress uses the function extensively
throughout the core.
Should be easy to decode and work out if good
or bad in plugins or themes.
@DeveloperWil #wpsyd
What is Base64?
36. In general
• Not being maintained
• No security issues being fixed
• Uses outdated/flawed functions/practices
• Known exploit vectors available on Interwebs
@DeveloperWil #wpsyd
Avoid Old Plugins
WordPress
37. Popular image/thumbnail resizing script
Bundled in many older themes and plugins
Responsible for many many WordPress
security breaches
“The ability for a site visitor to load content from a
remote website and to make the web server write that
remote content to a web accessible directory is the cause
of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
@DeveloperWil #wpsyd
Beware of TimThumb
WordPress
38. Script was “fixed” of exploits however old
versions still lurk out there.
Search for TimThumb and check you are using
the “fixed” version 2.8.14
https://code.google.com/p/timthumb/
@DeveloperWil #wpsyd
Beware of TimThumb
WordPress
39. The nature of TimThumb still makes it
potentially very dangerous to have on your
site.
TimThumb is no longer supported or
maintained as of Sept 2014
http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
Read this:
https://zeropointdevelopment.com/timthumb-is-evil/
@DeveloperWil #wpsyd
Beware of TimThumb
WordPress
40. Won’t make your site “secure” from hacks
Will encrypt the data transmitted between
computer and server
More on SSL certificates at
https://letsencrypt.org/docs/faq/
@DeveloperWil #wpsyd
SSL Certificates
41. If you have an SSL certificate..
Force all Dashboard and Logins to use HTTPS
In wp-config.php
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
@DeveloperWil #wpsyd
HTTPS Dashboard
WordPress
42. Gives additional level of security.
WordFence plugin is recommended:
http://www.wordfence.com/
Scans for…
malware, TimThumb, differences in core/plugin/theme files from
repository, new available updates, login limiter, force strong
passwords, trojans, SQL injection, DNS changes, files outside
WordPress folder, hide login errors, prevent creating ‘admin’
user, country blocking*, cell phone sign-in*, advanced scheduled
scans*, Cryptocurrency miners
*premium functions
@DeveloperWil #wpsyd
Software Firewalls
WordPress
43. New breed of malware (ref: The rise of cryptocurrency miners as
malware).
JS cryptocurrency miner (mostly Coinhive).
Runs in browser when visitor opens infected
page.
Uses 100% of your computer’s CPU power.
Grey area between legit use & as malware:
• Some firewall & malware scanners look past
mining code
• Wordfence detects known miner scripts
@DeveloperWil #wpsyd
Cryptocurrency Miners
New Threat
44. Brute force attacks try to repeatedly guess
username & password.
Block IP address after X number of
unsuccessful login attempts within a time
period.
Limit Login Attempts Reloaded plugin
https://wordpress.org/plugins/limit-login-attempts-reloaded/
@DeveloperWil #wpsyd
Prevent Login Attempts
WordPress
45. Don’t give the hackers a
helping hand
Remove that info!
Add this to functions.php
add_filter(‘login_errors', '__return_null');
@DeveloperWil #wpsyd
Don’t Show Login Errors
WordPress
46. There is NO EXCUSE not to back up your
entire site frequently (real-time, hourly, daily,
weekly).
Back up to email https://wordpress.org/plugins/updraftplus/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy https://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency.
Can you restore from an issue that’s been happening for 2
months?
Check your backup files – do a test restore!
@DeveloperWil #wpsyd
Back Your Site Up
WordPress
48. Using another device to generate an
authentication code e.g. Mobile phone app
WP Login Details + Authenticator Code = 2FA
Google Authenticator
@DeveloperWil #wpsyd
Two Factor/Two Step Authentication
49. WordPress stores user passwords in the database as
salted MD5 hashes using Portable PHP password
hashing framework
e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP.
Passwords themselves are not stored in the DB
Password can be replaced in DB with MD5 hash.
After login it’s replaced by a salted MD5 hash.
@DeveloperWil #wpsyd
PASSWORD TYPE
PASSWORD HASH
WordPress Password Storage
50. MD5 hash designed for high volume, not security.
“collision resistance” ~264 MD5 has been broken
but not resistance to preimages or second-
preimages.
MD5 + salts still poor choice as it’s designed to be
fast. Modern GPUs generate billions of candidate
passwords per second i.e. brute force
Ref: https://en.wikipedia.org/wiki/MD5
Ref: https://en.wikipedia.org/wiki/Collision_attack
Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-
1996
@DeveloperWil #wpsyd
Is MD5 Insecure?
51. Bcrypt is an adaptive hashing algorithm.
Bcrypt intentionally takes a relatively long time
to be calculated; over time, the iteration count
can be increased to make it even slower.
This is done intentionally to resist brute force
attacks as computational power increases.
Ref: https://en.wikipedia.org/wiki/Bcrypt
@DeveloperWil #wpsyd
Bcrypt Alternative
53. Is two factor authentication
not enough for you?
Biometric authentication uses part of our own
body as the second verification part.
This is going to be the normal way of
authenticating with systems in the not-so-
distant future.
@DeveloperWil #wpsyd
Biometric Authentication
54. @DeveloperWil #wpsyd
Fingerprint via mobile phone
https://wordpress.org/plugins/rapid-secure-login/
Fingerprint and facial recognition via mobile phone
https://wordpress.org/plugins/launchkey/
Biometric Authentication
55. Move the wp-content folder to a new location.
Add the following into wp-config.php before
the line: /* That's all, stop editing! Happy blogging. */
define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');
define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes
may have hard-coded wp-content location.
@DeveloperWil #wpsyd
Move wp-content Folder
56. Use .htaccess to protect your wp-config.php
file
<files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can access the wp-config.php file now
except for the web server owner.
@DeveloperWil #wpsyd
Protect wp-config.php
57. Use .htaccess to stop SQL injection attacks on
form fields and URLs.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any requests or changes to global variables
containing <script> gets blocked.
@DeveloperWil #wpsyd
SQL Injection Protection
58. Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing
Options –Indexes
@DeveloperWil #wpsyd
Prevent Directory Browsing
59. Password protect wp-admin folder using
cPanel and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-
wordpress-admin-wp-admin-directory/
@DeveloperWil #wpsyd
Secure wp-admin Folder
60. Open the .htaccess file located in your /wp-
admin/ folder (NOT the main .htaccess in root).
In the wp-admin .htaccess file, paste the
following code:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
@DeveloperWil #wpsyd
Allow Admin Ajax
61. Remove the WordPress dashboard Editor
for themes and plugins
Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);
@DeveloperWil #wpsyd
Disable User File Editor
62. Default MySQL DB table prefix is wp_
Change before installing new WordPress
sites.
Add to wp-config.php
$table_prefix = ‘mynewprefix_';
Existing websites – use WP Prefix Changer
https://wordpress.org/plugins/wp-prefix-changer/
@DeveloperWil #wpsyd
Change Default Table Prefix
63. Does nothing to enhance security.
Once an attacker has access to your DB they
can easily find the table prefix.
@DeveloperWil #wpsyd
SELECT DISTINCT SUBSTRING(`TABLE_NAME`
FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) )
FROM information_schema.TABLES
WHERE `TABLE_NAME` LIKE '%postmeta';
Output: wp_
Ref: Changing WordPress' default table prefix does nothing to enhance
security
Change Default Table Prefix
64. Monitor who does what on your WordPress
site.
Stream: http://wp-stream.com/
@DeveloperWil #wpsyd
Be “Big Brother”
65. Using .htaccess
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login
@DeveloperWil #wpsyd
Change wp-login.php
67. Add to .htaccess:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/
@DeveloperWil #wpsyd
Change /wp-admin/ - Step 2
68. Add to .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Replace 123.123.123.123 with your own computer’s
IP if you use the WordPress mobile app. Remove line
5 to completely block all XML-RCP requests to your
site.
Note: this will stop Jetpack, official WP mobile app,
trackbacks and pingbacks from working.
@DeveloperWil #wpsyd
Disable XML-RPC
69. Known as DoS or DDoS (distributed).
Consider using Cloudflare.
@DeveloperWil #wpsyd
Attack Without Cloudflare Attack With Cloudflare
Denial of Service Attacks
70. Stay up to date with these additional security
resources.
National Vulnerability Database (WordPress)
Wordfence Blog and Free Security Scan
Sucuri Blog
Hardening WordPress from wordpress.org
WPScan Vulnerability Database
Zero Point Development Blog
@DeveloperWil #wpsyd
More Resources
71. Get my free eBook.
Yours to keep
forever.
@DeveloperWil #wpsyd
Get My eBook
goo.gl/k5brQE
Free Ebook
72. Did I miss anything?
Tweet to @DeveloperWil
@DeveloperWil #wpsyd
All Done!