
WordCamp Finland 2015 - WordPress Security

Slides for the presentation in WordCamp Finland 2015 about WordPress Security.

Published in: Software


  1. WordPress Security: How to not get hacked. WordCamp Finland - Tiia Rantanen
  2. What is security?
     - no unauthorized modification of information without detection
     - information must be available when required
     - information must be accurate and trustworthy
     - verified transactions
     Source: Wikipedia
  3. Possible threats
     - injection
     - cross-site scripting (XSS)
     - security misconfiguration
     - sensitive data exposure
     - missing function level access control
     - cross-site request forgery (CSRF)
     - using components with known vulnerabilities
     ...and also: brute force
     Some according to the WordPress White Paper and OWASP
  4. What can I do? ...on the server side
     - correct file permissions (directories 755, files 644)
     - limit access to wp-admin and change its URL
     - track file changes (version control, git)
     - use public/private keys for server login
     - enable a firewall
     - monitor your server (New Relic, Boundary, Cloudflare, OSSEC)
     - update
  5. What can I do? ...on the server side
     - use SSL
     - deny direct PHP execution in directories (with caution)
     - block access to directories and files (wp-config, xmlrpc, author archives, readme, license etc.)
     - block PHP files in uploads
     - remove or change unwanted headers (Server, X-Powered-By)
  6. wp-config file
     - obscurity
     - change the database table prefix
     - disallow file edit (WordPress code editor)
     - authentication keys
     - disallow plugin, update and theme installations
     - move it to the core's parent directory (up one folder)
  7. theme functions
     - remove unnecessary wp_head information
     - remove the generator meta tag
     - hide the version number in enqueued JS files
     - disable XML-RPC
     - overwrite login errors
     - disable unnecessary feeds
     - remove X-Pingback from the header
     - remove version-revealing HTML comments from plugins if possible
  8. WordPress admin
     - force strong passwords
     - user privileges
     - don't use the 'admin' username
     - security-enhancing plugins with logging
  9. Security plugins
     - iThemes Security
     - Wordfence
     - BulletProof Security
     - Sucuri Security
     - Google Authenticator (for two-factor authentication)
     ...and lots more. For backups:
     - VaultPress
     - BackupBuddy
  10. Is my WordPress safe?
     - WPScan
     - audit the source code
     - update
     - monitor
     - read WordPress core and plugin related news
  11. No matter what you do, you can still get hacked. Always back up your files.
  12. I got hacked :(
     - if you have backups, use them
     - if you use version control or some other tool that checks altered files, use that
     - if none of the above, you're in for a lot of work going through the modified dates
     - always find out why you were hacked
     - make sure your WordPress is safe by taking the precautions mentioned
  13. Thank you for listening! Any questions?
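The wp-config constants from slide 6 and the theme-side hardening from slide 7, as one added example (not code from the slides or from WordPress itself): the constants, hooks and filters are WordPress core ones; the `wcfi_` function name and the table prefix value are assumed, and the two sections belong in `wp-config.php` and the theme's `functions.php` respectively.

```php
<?php
// Added example: measures from slides 6 and 7. Split the two sections into
// wp-config.php and functions.php; they are shown together only for reading.

// --- wp-config.php (slide 6) ---
$table_prefix = 'k3q7_';                  // non-default prefix (constructed value)
define( 'DISALLOW_FILE_EDIT', true );     // removes the theme/plugin code editor
define( 'DISALLOW_FILE_MODS', true );     // no dashboard installs or updates; update via deploy/WP-CLI instead
define( 'FORCE_SSL_ADMIN', true );        // login and admin over SSL (slide 5)

// --- functions.php (slide 7) ---
// Remove version-revealing and discovery output from wp_head.
remove_action( 'wp_head', 'wp_generator' );             // <meta name="generator" ...>
remove_action( 'wp_head', 'rsd_link' );                 // Really Simple Discovery link
remove_action( 'wp_head', 'wlwmanifest_link' );         // Windows Live Writer manifest
remove_action( 'wp_head', 'feed_links_extra', 3 );      // per-category/comment feeds
add_filter( 'the_generator', '__return_empty_string' ); // generator string in feeds too

// Strip ?ver=x.y.z from enqueued scripts and styles (hides the core version).
function wcfi_strip_version( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'wcfi_strip_version' );
add_filter( 'style_loader_src',  'wcfi_strip_version' );

// Disable XML-RPC and drop the X-Pingback response header.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Overwrite login errors so the message does not reveal whether the username exists.
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );
```

With `DISALLOW_FILE_MODS` set, the "update" item from slides 4 and 10 has to happen through your deployment process, since the dashboard updater is disabled.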