WordPress Security Tips By Catch Internet:
http://catchinternet.com
This slide deck covers WordPress hosting servers, an example of link injection hacks, the basics of securing your WordPress site, and WordPress security plugins.
WordPress Security Tips
1. WordPress
Mini Word Camp 7
Basic WordPress Security Tips
By Catch Internet Pvt. Ltd.
2. WordPress Security
• WordPress popularity and usage bring in new threats
• Basic WordPress security is necessary for all users
• Most hackers on the internet are looking for the easy way
3. Purpose of the Presentation
Is to Scare the crap out of you!
Image by http://blog.mysanantonio.com
4. Purpose of the Presentation
And then make everyone feel better
5. What We Will Cover
• WordPress Hosting Servers
• Example of Link Injection Hacks
• How to Secure your WordPress site basics
• WordPress Security Plugins
6. Do I Really Need To Secure WP
• There is nothing valuable on my site
• I only have limited visitors on my site
• I thought I already was secured
• Who is going to hack my site
• I already turned off the comments for security
7. Yes You Have to Secure Your WP
Check your hosting: well known, good customer service, secure, reviews checked, Linux based, control panel, backups
8. Server Minimum Requirements
• PHP 5.2.4 or greater
• MySQL 5.0 or greater
• The mod_rewrite Apache module
9. Hidden Link Injection Hacks
• Injection points: uploads, plugins, themes (TimThumb), WordPress core, WordPress Multisite
• Uses CSS to hide the links via an inline style: display:none;
• Mostly used to gain SEO ranking for the spam domains
• Mostly initiated by basicpills.com and many other domains located at 212.117.161.190
• Other easy hacks
10. Hidden Link Injection Hacks
• These are some of the links you will see in an infected site:
<a href="http://basicpills . com/">online prescription drugs without a prescription..
<a href="http://generic-ed-pharmacy . com/">Buy Generic Viagra Onlin.
<a href="http://getrxpills . com/buy/levitra.html">levitra 10 mg..
• Mostly these spam links are all related to pharmacy products, leading you to one of the following domains:
11. How to Secure your WP Site basics
• Keep your core WordPress, theme and plugins updated.
• No "admin" user account
• Use a secure username and password (http://goodpassword.com/)
• Folder permissions: rule of thumb, files 644, folders 755
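The 644/755 rule of thumb is easy to audit. This Python script is an added example, not from the slides: it walks an install, reports every file that is not 644 and every directory that is not 755, and is exercised against a constructed sample tree (build_demo_tree, with two deliberately wrong modes) rather than a real site.

```python
import os
import stat
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755  # the rule of thumb from the slides

def audit_permissions(root):
    """Walk an install and return (relative path, actual, expected) for every
    file that is not 644 and every directory that is not 755. Entries are
    inspected with lstat so a symlink pointing outside the tree is not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for names, expected in ((dirnames, DIR_MODE), (filenames, FILE_MODE)):
            for name in names:
                full = os.path.join(dirpath, name)
                actual = stat.S_IMODE(os.lstat(full).st_mode)
                if actual != expected:
                    findings.append((os.path.relpath(full, root), oct(actual), oct(expected)))
    return sorted(findings)

def build_demo_tree():
    """Constructed WordPress-like tree with two deliberately wrong modes:
    a world-writable uploads directory and a world-writable wp-config.php."""
    root = tempfile.mkdtemp()
    wanted = {
        "wp-content": 0o755, "wp-content/uploads": 0o777,  # directories
        "index.php": 0o644, "wp-config.php": 0o666,        # files
        "wp-content/index.php": 0o644,
    }
    for rel, mode in wanted.items():  # parents are listed before children
        path = os.path.join(root, rel)
        if rel.endswith(".php"):
            open(path, "w").close()
        else:
            os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, actual, expected in audit_permissions(build_demo_tree()):
        print(f"{rel}: is {actual}, expected {expected}")
```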
12. How to Secure your WP Site basics
• Remove the WordPress version from the header (in your theme's functions.php):
// Remove the WP version generator tag from <head>
remove_action('wp_head', 'wp_generator');
• Use secret keys in wp-config.php, generated at
https://api.wordpress.org/secret-key/1.1/salt/
• Change the WP table prefix in wp-config.php:
$table_prefix = 'yourtable_12';
13. How to Secure your WP Site basics
• Directories should not be left open for public browsing. In .htaccess:
Options All -Indexes
• Nobody should be allowed to search your entire server.
Do not use this code for the action of your search form:
<?php echo $_SERVER['PHP_SELF']; ?>
Use this instead:
<?php bloginfo('home'); ?>
14. How to Secure your WP Site basics
• Block the WP folders from being indexed by search engines.
The best way to block them is to add the following line to your robots.txt file:
Disallow: /wp-*
• Prevent unnecessary info from being displayed on a failed login.
Add the following filter to functions.php:
// Blank out the login error so it does not hint whether the username or the password was wrong
add_filter('login_errors', function ($error) { return null; });
15. How to Secure your WP Site basics
• Protect WordPress admin:
Use .htaccess (in the wp-admin directory) and allow only specific IP addresses
(find yours at http://whatismyip.com)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Note: <Limit GET> restricts GET requests only; drop the Limit wrapper to cover all methods
<Limit GET>
Order Deny,Allow
Deny from all
# IP addresses to whitelist
Allow from xxx.xxx.xxx.xxx
Allow from xxx.xxx.xxx.xxx
</Limit>
16. How to Secure your WP Site basics
• Restrict file access to wp-content
WordPress doesn't access the PHP files in the plugins and theme directories via HTTP.
The only requests from the web browser are for images, JavaScript and CSS.
In the .htaccess file in wp-content:
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
17. How to Secure your WP Site basics
• Protect from script injections
Protect from script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.
In the .htaccess file in wp-content:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
18. How to Secure your WP Site basics
• Fight back against content scrapers
Protect your site against hot-linking and content scrapers.
Add the following code to your .htaccess file:
RewriteEngine On
# Replace mysite.com with your blog's domain
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Leave the replacement image itself alone, otherwise it is rewritten to itself
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
19. How to Secure your WP Site basics
• Protect your wp-config.php file
During a server problem, wp-config.php might be shown in plain text.
Make it secure by adding the following code to the .htaccess at the site root:
<FilesMatch "^wp-config\.php$">
Deny from all
</FilesMatch>
• Back up your database and files
Schedule backups of your database and files. You can use the following plugins:
• VaultPress
• BackupBuddy
25. WordPress Security Basics
Thank you
For more visit our site
Catchinternet.com
http://catchinternet.com/blog/wordpress-security-tips/
My personal Blog
Sakinshrestha.com
http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/
http://sakinshrestha.com/wordpress/wordpress-security-tips/