Security 101
~ Improving the security of your WordPress installation ~

@manifestphil                                                           manifestbozeman.com
Why would anyone hack me?
   It's not personal, but there are
   several motivating factors…

   ■    For attention
   ■    Profit scams
   ■    Own one, own them all…
   ■    To steal information

   "All I wanted was to sell my cupcakes online!"

Most website hacks are performed by automated computer programs, and are
not directed at your website personally. However, the bigger you are, the more
worthwhile it becomes for a hacker to invest time, energy and resources.
Favorite WordPress Security Breaches
  There are certain types of hacks that target WordPress specifically:
  ■   Defacement / Hacktivism
  ■   SEO Hijacking
  ■   Affiliate/Malicious Redirects
  ■   Backdoors
  ■   Drive-by Downloads

  Don't become a Canadian pharmacy!
What is security, exactly?

  ■   Security is about risk reduction.
      There is no silver bullet.
  ■   Security is never absolute.
  ■   To think you will never be
      infected is like saying you'll
      never be sick.
  ■   Detection is the key!

  Security is all about not being an easy target.

  Sometimes security means simply having a plan for what we will do in a
  worst case scenario… Play "what if?"

  Security means different things for different types of organizations.

  Like tourists, it's best to avoid being "that guy".
So what's the problem?

     ■     The ecosystem/environment
     ■     Access control
     ■     Software vulnerabilities
     ■     Extensibility

Keeping your installation current is the easiest
security improvement you can make.

[Figure: WordPress version number v3.5.1, labelled Major / Feature / Security]

The WordPress core is in fact very secure. When an issue arises, the core team
is quick to patch the vulnerability, and push that to end users.
Start by securing your own computer…

      ■       Good, up-to-date antivirus software
      ■       Keep your own software up to date
      ■       Know where you're surfing the web

    And getting a good web host.

         ■      Not much you can do if you're using a shared host.
         ■      Consider a dedicated / VPS environment or go with a managed host.

    ●    What security does my host use?
    ●    What kind of reputation do they have?
    ●    What will they do if you get hacked?

    A managed WordPress host doesn't mean you'll be any safer, but it does mean
    you'll have resources to lean on.
Change your passwords… like yesterday.

  ■   Hard to guess. Hard for a brute force attack to succeed.
  ■   Avoid any combination of your name, company name, username, etc.
  ■   Don't use dictionary words, in any language.
  ■   Stop using the same password for everything: email, DB, admin, FTP.

   My daughter is Emery. 07152013 She likes dogs!

                  MdiE.07152013Sld!

   1Password                   KeePassX
You need a backup plan. Or two.

  ■   Clean backups mean you never need to start from scratch.
  ■   Back up your database, content, themes.
       ○     Specialized installations may need more, e.g. custom plugins, .htaccess, etc.
  ■   Back up to multiple locations.
       ○     Backups stored on your primary server cannot be trusted.
       ○     Hard drives fail. Homes burn down. Offices are burglarized.
  ■   Backup frequency
       ○     Depends on how much work or information you stand to lose.
  ■   Manual vs. Automatic

  Backup Buddy - $75                       VaultPress - $15/mo.              WP to Dropbox - FREE
Control the access to your site.

  ■   Connect using sFTP, SSH or FTP-SSL.
  ■   Log in to wp-admin using SSL (https://mydomain.com/wp-admin)
  ■   Your FTP username/password should not be the same as your WordPress
      admin username/password.
  ■   Least privilege
      ○   Everyone doesn't need to be an admin.
      ○   Every user should have their own access.
      ○   You don't need to log in as admin
      ○   The focus is on the role, not their name
      ○   Kill generic accounts
  ■   Blacklist known bad bots and users

  Reading Recommendation
  Check out the eBook, Locking Down WordPress, by Michael Pick.
  It's available as a free download at CodePoet.com

  What's in a free theme?
  When you search Google for free or cheap themes you're probably going to
  create a security vulnerability. Go with more reputable sources.
Setting up your WordPress installation

  ■   Turn off directory listings
  ■   Kill PHP execution
  ■   Deny access to wp-config.php
  ■   Ensure file permissions are correct
      ○   Directories should be 755
      ○   Files should be 644
  ■   Properly configure wp-config
      ○   Disable theme/plugin editing via admin
      ○   Force SSL for admin login and use
      ○   Add secret keys
  ■   Remove the admin account
  ■   Change the database table prefix
  ■   Use trusted sources for themes and plugins

  Maintainability Tips
  If you have plugins installed that you do not use, delete them!
  Did you purchase or download a theme? Use child themes to allow the main
  theme to be updated without breaking your layout.

  Developer Tips
  Following WordPress code standards when developing a theme will ensure that
  client updates don't break the site.
  Because you're a ninja-coder, you can confidently allow your customer access
  to keep WordPress updated.
  Help your clients set up automatic backups, please!
Turn off Directory Listings

Where does it go?                 What does it do?
/.htaccess                        Prevents the Apache web server from displaying a list of all
                                  the files in a directory.

Should be added to the .htaccess file in your WordPress root directory.
Kill PHP Execution

Where does it go?                   What does it do?
/wp-content/uploads/.htaccess       Prevents PHP code from being executed in these two
/wp-includes/.htaccess              directories. Many backdoor access scripts disguise
                                    themselves in these locations.

If neither of these locations has an existing .htaccess file, you may need to create it.

Full instructions »
Deny access to wp-config.php

Where does it go?                            What does it do?
/.htaccess                                   Prevents any direct access by users to the wp-config.php file.

Full instructions »

For the extra cautious
You can also use Apache's .htaccess file to "whitelist" only certain IP addresses that should be allowed
to access your /wp-admin directory. Here are directions on how!
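The .htaccess rules themselves were images in the deck and did not survive extraction. The script below is an added example, written for this page rather than taken from the slides: it writes the three fragments the slides above describe (no directory listings, no PHP execution in uploads and wp-includes, no direct access to wp-config.php) and then reports anything under the root that is not 755/644 as the setup checklist asks. The directive text is standard Apache syntax chosen here (both the 2.4 "Require" and the 2.2 "Order/Deny" forms, guarded by IfModule), the "wp-hardening" markers are this example's own, and the WordPress root path given on the command line is an assumption.

```php
<?php
// Added example (written for this page, not taken from the slides): installs the
// .htaccess hardening fragments and then checks the 755/644 permissions from the
// setup checklist. Run from the CLI: php wp-harden.php /var/www/example/public_html
// (the path is an assumption; use your own WordPress root).

// Apache 2.4 uses "Require"; 2.2 uses "Order/Deny". Emit both, guarded by IfModule.
function deny_all(): string
{
    return "    <IfModule mod_authz_core.c>\n        Require all denied\n    </IfModule>\n"
         . "    <IfModule !mod_authz_core.c>\n        Order allow,deny\n        Deny from all\n    </IfModule>\n";
}

// Root .htaccess: no directory listings and no direct reads of wp-config.php.
function root_fragment(): string
{
    return "# BEGIN wp-hardening\nOptions -Indexes\n<Files wp-config.php>\n" . deny_all()
         . "</Files>\n# END wp-hardening\n";
}

// uploads/ and wp-includes/: refuse to serve any PHP dropped there. On WordPress 3.x
// the visual editor is loaded through wp-includes/js/tinymce/wp-tinymce.php, so that
// one file is re-allowed there (a later <Files> section overrides the earlier match).
function no_php_fragment(bool $keep_tinymce): string
{
    $f = "# BEGIN wp-hardening\n<FilesMatch \"\\.(php|phtml|php[0-9])$\">\n" . deny_all() . "</FilesMatch>\n";
    if ($keep_tinymce) {
        $f .= "<Files wp-tinymce.php>\n    <IfModule mod_authz_core.c>\n        Require all granted\n    </IfModule>\n"
            . "    <IfModule !mod_authz_core.c>\n        Order allow,deny\n        Allow from all\n    </IfModule>\n</Files>\n";
    }
    return $f . "# END wp-hardening\n";
}

// Create the file if missing, append if present (WordPress keeps its own rewrite
// rules in the root .htaccess, so never overwrite), and never add the block twice.
function install_fragment(string $path, string $fragment): string
{
    $dir = dirname($path);
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $existing = is_file($path) ? file_get_contents($path) : '';
    if (strpos($existing, '# BEGIN wp-hardening') !== false) {
        return "skip   $path (already hardened)";
    }
    $sep = ($existing === '' || substr($existing, -1) === "\n") ? '' : "\n";
    file_put_contents($path, $sep . $fragment, FILE_APPEND | LOCK_EX);
    chmod($path, 0644); // files should be 644
    return "wrote  $path";
}

// Report every entry that is not 755 (directories) / 644 (files). Informational only:
// wp-config.php is often kept tighter than 644 on purpose.
function permission_report(string $root): array
{
    $bad = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        $want = $entry->isDir() ? 0755 : 0644;
        $have = $entry->getPerms() & 0777;
        if ($have !== $want) {
            $bad[] = sprintf('%s is %o, expected %o', $entry->getPathname(), $have, $want);
        }
    }
    return $bad;
}

function harden(string $root): array
{
    $plan = [
        "$root/.htaccess"                    => root_fragment(),
        "$root/wp-content/uploads/.htaccess" => no_php_fragment(false),
        "$root/wp-includes/.htaccess"        => no_php_fragment(true),
    ];
    $log = [];
    foreach ($plan as $path => $fragment) {
        $log[] = install_fragment($path, $fragment);
    }
    return array_merge($log, permission_report($root));
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo implode("\n", harden(rtrim($argv[1], '/'))), "\n";
}
```

Two things to check before relying on this: the server's AllowOverride must permit Options and the authorization directives in .htaccess (otherwise Apache answers 500 for the whole directory), and after installing, request a file in uploads with a .php name in a browser and confirm you get 403 rather than executed output.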
Disable editing via WP admin




Where does it go?   What does it do?
/wp-config.php      Removes the ability to edit theme or plugin files via the
                    WordPress admin panel.
Set up Unique Keys & Salts

Where does it go?                            What does it do?
/wp-config.php                               Ensures better encryption of information stored in your
                                             browser's cookies.

How do I get these keys?
Use the online generator and copy-paste them into your file.
Force SSL use for wp-admin




Where does it go?   What does it do?
/wp-config.php      Forces all WP Admin connections to be routed through SSL.
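The wp-config.php lines for the three wp-config slides above (disable editing, unique keys and salts, force SSL for admin), plus the table prefix for a new install from the "Change your database table prefix" slide, as one added example written for this page rather than copied from the deck. The reverse-proxy section is an assumption about your hosting, the prefix value is made up, and the placeholder key values must be replaced with real generated ones (the generator at https://api.wordpress.org/secret-key/1.1/salt/ is presumably the "online generator" the slide means).

```php
<?php
// Added example, not copied from the slides. Place these lines above the
// "That's all, stop editing!" line in wp-config.php, i.e. before wp-settings.php
// is loaded, or FORCE_SSL_ADMIN has no effect.

// Disable the theme/plugin editor in the admin panel. Anyone holding an admin
// session could otherwise write PHP to the site through the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Assumed setup: a TLS-terminating proxy or load balancer in front of the server.
// It sees HTTPS, the backend sees plain HTTP, and FORCE_SSL_ADMIN would redirect in a
// loop; honouring X-Forwarded-Proto fixes that. Only enable this when the proxy
// overwrites the header on every request, because a client could otherwise send it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Route the login form and every wp-admin request over HTTPS.
define('FORCE_SSL_ADMIN', true);

// Unique keys and salts. Replace every placeholder with generated output.
// Changing them later invalidates all existing login cookies, which is also the
// quickest way to log every session out after an incident.
define('AUTH_KEY',         'PLACEHOLDER-replace-with-generated-value');
define('SECURE_AUTH_KEY',  'PLACEHOLDER-replace-with-generated-value');
define('LOGGED_IN_KEY',    'PLACEHOLDER-replace-with-generated-value');
define('NONCE_KEY',        'PLACEHOLDER-replace-with-generated-value');
define('AUTH_SALT',        'PLACEHOLDER-replace-with-generated-value');
define('SECURE_AUTH_SALT', 'PLACEHOLDER-replace-with-generated-value');
define('LOGGED_IN_SALT',   'PLACEHOLDER-replace-with-generated-value');
define('NONCE_SALT',       'PLACEHOLDER-replace-with-generated-value');

// Table prefix for a NEW installation (made-up value). Only letters, digits and
// underscores are accepted. On an existing site do not just edit this line: the
// tables and the prefixed option/usermeta keys must be renamed to match, so take
// the slide's advice and back up the database first.
$table_prefix = 'k7q_';
```

After saving, open https://mydomain.com/wp-admin in a fresh browser session: you should be asked to log in again (the new keys invalidated the old cookie) and the Editor entries should be gone from the Appearance and Plugins menus.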
Hide login error messages

Where does it go?
/wp-content/themes/your-theme/functions.php

What does it do?
Prevents hackers from seeing whether the username or
password is incorrect.
Remove the WP version number

Where does it go?
/wp-content/themes/your-theme/functions.php

What does it do?
Removes the WordPress version number from the HTML
generated by your website. (And the RSS feed too!)

While you're at it…
Delete the readme.txt file and wp-config-sample.php files in
your WordPress root directory. You can safely delete the
install.php file located in your wp-admin folder as well.
Remove author username from comments

Where does it go?
/wp-content/themes/your-theme/functions.php

What does it do?
Prevents hackers from seeing the username of the post
author.
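The functions.php code for the three slides above (hide login errors, remove the version number, remove the author username from comments) as one added example written for this page; it is not the deck's own code. The neutral login message, the s101_ function names, and the choice to strip the comment-author-* and author-* CSS classes (the place WordPress exposes the user slug in comment and body markup) are this example's own. Putting the file in wp-content/mu-plugins/ instead of the theme's functions.php is an option, so that switching themes does not silently undo it.

```php
<?php
// Added example, not the slide's own code. Drop into the active theme's
// functions.php, or into a file under wp-content/mu-plugins/ (assumption: that
// directory exists or you create it) so a theme switch does not remove it.

// 1. Login errors: WordPress normally says whether the username or the password was
//    wrong. Return one neutral message instead. Do not return '' or real users get
//    no feedback at all when they mistype.
function s101_generic_login_error($error) {
    return 'Login failed. Check your username and password and try again.';
}
add_filter('login_errors', 's101_generic_login_error');

// 2. Version number: the <meta name="generator"> tag in the HTML head and the
//    <generator> element in the RSS/Atom feeds both pass through the_generator,
//    so one filter covers the page and the feed...
function s101_no_generator($output) {
    return '';
}
add_filter('the_generator', 's101_no_generator');

//    ...but the same version also appears as ?ver=<version> on core scripts and
//    styles, so strip that query argument when it equals the running version.
function s101_strip_version_query($src) {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 's101_strip_version_query');
add_filter('style_loader_src', 's101_strip_version_query');

// 3. Author username: every comment <li> gets a comment-author-{user_nicename}
//    class and author archive pages get an author-{user_nicename} body class,
//    which reveals the login slug. Remove those classes. The slug still forms the
//    author archive URL, so this reduces exposure rather than eliminating it.
function s101_strip_author_classes($classes) {
    return array_values(array_filter($classes, function ($class) {
        return strpos($class, 'comment-author-') !== 0 && strpos($class, 'author-') !== 0;
    }));
}
add_filter('comment_class', 's101_strip_author_classes');
add_filter('body_class', 's101_strip_author_classes');
```

To confirm it took effect, view the page source of the home page and of /feed/ and search for "generator" and "ver=", then open a post with comments and look for "comment-author-".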
Remove the admin account

Steps
 1. Create a new user. The e-mail address associated with each user must be unique.
 2. Click delete on the admin account. You'll be presented with this screen.
 3. Assign all of the posts to the new user that you created and confirm the deletion.
 4. If needed, change your email address back to your primary contact.

Not geeky enough?
Alternatively, create a new user and run the following SQL command.
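The SQL statement the slide shows did not survive extraction, so it is not reproduced here. As an added alternative written for this page (not the deck's SQL), the script below performs the same four steps through WordPress' own API, which also takes care of reassigning the posts and cleaning up user metadata. The new login name, the temporary e-mail address and the way it is run (from the WordPress root on the command line) are assumptions.

```php
<?php
// Added example, written for this page: replaces the "admin" account using the
// WordPress API rather than raw SQL. Run from the WordPress root:
//   php replace-admin.php
// The login and e-mail below are placeholders; change them before running.

require_once __DIR__ . '/wp-load.php';               // bootstrap WordPress
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

function replace_admin_account(string $new_login, string $new_email): array
{
    $old = get_user_by('login', 'admin');
    if (!$old) {
        return ['status' => 'nothing to do: there is no "admin" user'];
    }
    // Step 1: create the replacement administrator. Login and e-mail must be unique,
    // which is why a temporary address is used and swapped back in step 4.
    if (username_exists($new_login) || email_exists($new_email)) {
        return ['status' => 'error: login or e-mail already in use'];
    }
    $password = wp_generate_password(24, true, true);
    $new_id = wp_insert_user([
        'user_login' => $new_login,
        'user_email' => $new_email,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ]);
    if (is_wp_error($new_id)) {
        return ['status' => 'error: ' . $new_id->get_error_message()];
    }
    // Steps 2-3: delete "admin"; the second argument reassigns its posts to the
    // new user instead of deleting them along with the account.
    if (!wp_delete_user($old->ID, $new_id)) {
        return ['status' => 'error: could not delete the admin user'];
    }
    // Step 4: the old account's address is free again, so give it to the new user.
    wp_update_user(['ID' => $new_id, 'user_email' => $old->user_email]);

    // The generated password is shown once; log in with it and set your own.
    return ['status' => 'ok', 'user_id' => $new_id, 'login' => $new_login, 'password' => $password];
}

if (PHP_SAPI === 'cli') {
    print_r(replace_admin_account('site-owner', 'temp-owner@example.com'));
}
```

Take the database backup the next slide insists on before running this, and check afterwards that the post count under Users for the new account matches what "admin" had.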
Change your database table prefix

Why you should care
Many SQL injection attacks assume that your database prefix will be wp_
Don't make the hacker's job easy!

On a new installation
WordPress allows you to set the table prefix when installing a new site.

On existing sites
You'll either need to change things in the database and wp-config.php directly, or use a plugin to help you.

For heaven's sake
Make a backup of your site database before trying to change table prefix names.
WordPress powers 22% of new active websites in the U.S. It powers 17% of the
top million websites in the world.

Use the power of this vast community and keep WordPress updated!

@manifestphil                                                                          manifestbozeman.com
Site Security Tools
  ■   Sucuri Site Scanner
  ■   Google Safe Browsing
  ■   Bots vs. Browsers
  ■   iSecLab.org - Wepawet
  ■   Unmask Parasites

Documentation, etc.
  ■   WP Codex
  ■   Perishable Press 5G Blacklist
  ■   How anyone can hack your WP site in less than 5 minutes (and what you can do…)
  ■   Protecting /wp-admin using Apache
  ■   Smashing Magazine
  ■   What to do if you're hacked

Plugin Recommendations
  ■   Limit Login Attempts
  ■   WP Security Scan
  ■   Duo Two-Factor Authentication
  ■   WP File Monitor Plus
  ■   Theme Check
  ■   Akismet
Resources for theme and plugin developers
  ■   Data validation and sanitization in WordPress
  ■   Andrew Nacin: Y U No Code Well
  ■   Understanding WordPress Capabilities and Nonces
  ■   WordPress Plugin Development Best Practices
  ■   StackExchange: WordPress Answers
  ■   WP Hackers Mailing List

Security 101: Improving WordPress Security

  • 1. Security 101 ~ Improving the security of your WordPress installation ~ @manifestphil manifestbozeman.com
  • 2. Why would anyone hack me? It's not personal, but there are several motivating factors… ■ For attention ■ Profit scams ■ Own one, own them all… ■ To steal information "All I wanted was to sell my cupcakes online!" Most website hacks are performed by automated computer programs, and are not directed at your website personally. However, the bigger you are, the more worthwhile it becomes for a hacker to invest time, energy and resources.
  • 3. Favorite WordPress Security Breaches There are certain types of hacks that target WordPress specifically: ■ Defacement / Hacktavism ■ SEO Hijacking ■ Affiliate/Malicious Redirects ■ Backdoors ■ Drive-by Downloads Don't become a Canadian pharmacy!
  • 4. What is security, exactly? ■ Security is about risk reduction. There is no silver bullet. ■ Security is never absolute. ■ To think you will never be Security is all about not being an easy target. infected is like saying you'll never be sick. ■ Detection is the key! Sometimes security means simply having a plan for what we will do in a worst case scenario… Play "what if?" Security means different things for different types of organizations. Like tourists, it's best avoid being "that guy".
  • 5. So what's the problem? ■ The ecosystem/environment ■ Access control ■ Software vulnerabilities ■ Extensibility Keeping your installation current is the easiest security improvement you can make. Feature The Wordpress core is in fact very v3.5.1 Security secure. When an issue arises, the core team is quick to patch the vulnerability, and push that to end Major users.
  • 6. Start by securing your own computer… ■ Good, up-to-date antivirus software ■ Keep your own software up to date ■ Know where you're surfing the web And getting a good web host. ■ Not much you can do if you're using a shared host. ■ Consider a dedicated / VPS environment or go with a managed host. ● What security does my host use? ● What kind of reputation do they have? ● What will they do if you get hacked? A managed WordPress host doesn't mean you'll be any safer, but it does mean you'll have resources to lean on.
• 7. Change your passwords… like yesterday.
■ Hard to guess. Hard for a brute force attack to succeed.
■ Avoid any combination of your name, company name, username, etc.
■ Don't use dictionary words, in any language.
■ Stop using the same password for everything: Email, DB, Admin, FTP.

Example of building a passphrase: "My daughter is Emery. 07152013 She likes dogs!" becomes MdiE.07152013Sld!

Password managers: 1Password, KeePassX
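One way to make these rules stick for every user of a site, rather than relying on each person's judgement, is to validate new passwords in the WordPress profile screen. This is an added example, not code from the slides or from Manifest: the `user_profile_update_errors` hook and `WP_Error` are WordPress's own API, while the 12-character minimum, the `$company_terms` list and the five-word stand-in dictionary are constructed assumptions you would replace with your own.

```php
<?php
// Added example (not from the slides): enforce the password rules on this
// slide when a user sets or changes a password through the profile screen.
// Drop it into functions.php or a small site-specific plugin.
add_action( 'user_profile_update_errors', 'mb_check_password_rules', 10, 3 );

/**
 * @param WP_Error $errors  collector for validation errors; a non-empty
 *                          object makes WordPress refuse the save
 * @param bool     $update  true when editing an existing user
 * @param stdClass $user    the submitted profile fields
 */
function mb_check_password_rules( $errors, $update, $user ) {
    // edit_user() copies the new password into $user->user_pass only when
    // one was typed, so an untouched password field is not re-validated.
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $pass = $user->user_pass;

    // Minimum length is an assumption; the slide only says "hard to guess".
    if ( strlen( $pass ) < 12 ) {
        $errors->add( 'pass_short', 'Passwords must be at least 12 characters long.' );
    }

    // "Avoid any combination of your name, company name, username":
    // collect identity-derived terms and refuse a password containing any.
    $terms = array( 'manifest', 'bozeman' ); // constructed company terms
    foreach ( array( 'user_login', 'first_name', 'last_name', 'nickname', 'display_name' ) as $field ) {
        if ( ! empty( $user->$field ) ) {
            $terms[] = $user->$field;
        }
    }
    if ( ! empty( $user->user_email ) ) {
        $terms[] = strstr( $user->user_email, '@', true ); // local part of the address
    }
    foreach ( $terms as $term ) {
        if ( strlen( $term ) >= 3 && false !== stripos( $pass, $term ) ) {
            $errors->add( 'pass_personal', 'Passwords may not contain your name, username, email or company name.' );
            break;
        }
    }

    // "Don't use dictionary words": strip digits, punctuation and case and
    // compare what is left against a word list. A real deployment loads a
    // full dictionary file; this five-word list is a constructed stand-in.
    $wordlist = array( 'password', 'welcome', 'letmein', 'cupcakes', 'wordpress' );
    $core     = preg_replace( '/[^a-z]/', '', strtolower( $pass ) );
    if ( in_array( $core, $wordlist, true ) ) {
        $errors->add( 'pass_dictionary', 'Passwords may not be built from a single dictionary word.' );
    }
}
```

The slide's own passphrase, MdiE.07152013Sld!, passes all three checks: it is 17 characters, contains none of the identity terms (the daughter's name is reduced to a single letter), and its letters "mdiesld" are not a word. Something like "Cupcakes2013!" is rejected by the dictionary test even though it has digits and punctuation, which is the point of the check.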
• 8. You need a backup plan. Or two.
■ Clean backups mean you never need to start from scratch.
■ Back up your database, content, themes.
○ Specialized installations may need more, e.g. custom plugins, .htaccess, etc.
■ Back up to multiple locations.
○ Backups stored on your primary server cannot be trusted.
○ Hard drives fail. Homes burn down. Offices are burglarized.
■ Backup frequency
○ Depends on how much work or information you stand to lose.
■ Manual vs. Automatic

Tools: Backup Buddy - $75, VaultPress - $15/mo., WP to Dropbox - FREE
• 9. Control the access to your site.
■ Connect using sFTP, SSH or FTP-SSL.
■ Log in to wp-admin using SSL (https://mydomain.com/wp-admin).
■ Your FTP username/password should not be the same as your WordPress admin username/password.
■ Least Privilege
○ Everyone doesn't need to be an admin.
○ Every user should have their own access.
○ You don't need to log in as admin.
○ The focus is on the role, not their name.
○ Kill generic accounts.
■ Blacklist known bad bots and users.

Reading Recommendation: Check out the eBook, Locking Down WordPress, by Michael Pick. It's available as a free download at CodePoet.com.

What's in a free theme? When you search Google for free or cheap themes you're probably going to create a security vulnerability. Go with more reputable sources.
• 10. Setting up your WordPress installation
■ Turn off directory listings
■ Kill PHP execution
■ Deny access to wp-config.php
■ Ensure file permissions are correct
○ Directories should be 755
○ Files should be 644
■ Properly configure wp-config
○ Disable theme/plugin editing via admin
○ Force SSL for admin login and use
○ Add secret keys
■ Remove the admin account
■ Change the database table prefix
■ Use trusted sources for themes and plugins

Maintainability Tips
If you have plugins installed that you do not use, delete them!
Did you purchase or download a theme? Use child themes to allow the main theme to be updated without breaking your layout.

Developer Tips
Following WordPress code standards when developing a theme will ensure that client updates don't break the site.
Because you're a ninja-coder, you can confidently allow your customer access to keep WordPress updated.
Help your clients set up automatic backups, please!
• 11. Turn off Directory Listings
Where does it go? /.htaccess
What does it do? Prevents the Apache web server from displaying a list of all the files in a directory. Should be added to the .htaccess file in your WordPress root directory.
• 12. Kill PHP Execution
Where does it go? /wp-content/uploads/.htaccess and /wp-includes/.htaccess
What does it do? Prevents PHP code from being executed in these two directories. Many backdoor access scripts disguise themselves in these locations. If neither of these locations has an existing .htaccess file, you may need to create it. Full instructions »
• 13. Deny access to wp-config.php
Where does it go? /.htaccess
What does it do? Prevents any direct access by users to the wp-config.php file. Full instructions »
For the extra cautious: You can also use Apache's .htaccess file to "whitelist" only certain IP addresses that should be allowed to access your /wp-admin directory. Here are directions on how!
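The transcript does not carry the .htaccess snippets shown on slides 11, 12 and 13, so here is a worked version of all three, plus the optional /wp-admin IP whitelist, as an added example rather than the slides' own code. It uses Apache 2.2 access-control syntax (Order/Allow/Deny); the two IP addresses are RFC 5737 documentation placeholders, not real values from the presentation.

```apache
# Added example (not from the slides): the .htaccess rules for slides 11-13.
# Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny/Allow lines with
# "Require all denied" and "Require ip ...".

# --- /.htaccess (WordPress root) ---------------------------------------

# Slide 11: turn off directory listings, so a folder with no index file
# does not reveal its contents.
Options -Indexes

# Slide 13: refuse direct HTTP requests for wp-config.php. PHP still reads
# the file from disk; only a browser asking for it over the web is denied.
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

# --- /wp-content/uploads/.htaccess and /wp-includes/.htaccess ----------

# Slide 12: never execute a .php file served from these directories, so a
# backdoor dropped into uploads cannot be run by requesting its URL.
# Caveat: older multisite installs serve files through
# wp-includes/ms-files.php; check that before applying it to wp-includes.
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# --- /wp-admin/.htaccess (optional, the "extra cautious" step) ---------

# Only the listed addresses may reach the admin area. 203.0.113.10 and
# 198.51.100.0/24 are placeholders: replace them with your own office/VPN
# addresses. Note that admin-ajax.php lives under /wp-admin and is used by
# some front-end plugins, so test the public site after enabling this.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24
```

These directives only take effect if the host's `AllowOverride` permits `Options` and `Limit` in .htaccess; a 500 error immediately after saving the file is the usual sign that it does not. Verify each rule from outside: a request for a directory without an index file should return 403 rather than a listing, a request for `/wp-content/uploads/test.php` should be refused, and `/wp-config.php` should return 403 rather than an empty page.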
• 14. Disable editing via WP admin
Where does it go? /wp-config.php
What does it do? Removes the ability to edit theme or plugin files via the WordPress admin panel.
• 15. Set up Unique Keys & Salts
Where does it go? /wp-config.php
What does it do? Ensures better encryption of information stored in your browser's cookies.
How do I get these keys? Use the online generator and copy-paste them into your file.
• 16. Force SSL use for wp-admin
Where does it go? /wp-config.php
What does it do? Forces all WP Admin connections to be routed through SSL.
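The wp-config.php settings behind slides 14, 15 and 16, written out as an added example (not code from the slides). The constant names are WordPress's own; the salt values are the placeholder strings from wp-config-sample.php and must be replaced with output from the online generator the slide mentions, https://api.wordpress.org/secret-key/1.1/salt/. The reverse-proxy block at the end is an assumption about the hosting setup and is only needed when TLS terminates in front of the web server.

```php
<?php
// Added example (not from the slides): wp-config.php hardening for
// slides 14-16. These lines go above the "That's all, stop editing!"
// comment in wp-config.php.

// Slide 14: remove the Appearance > Editor and Plugins > Editor screens,
// so a hijacked admin session cannot be turned into arbitrary PHP on disk.
define( 'DISALLOW_FILE_EDIT', true );

// Slide 15: unique keys and salts. The values below are the placeholders
// shipped in wp-config-sample.php; paste fresh output from the generator
// over them. Changing them invalidates every existing login cookie, which
// is exactly what you want after a suspected compromise.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// Slide 16: send every wp-admin page and the login form over HTTPS.
// FORCE_SSL_ADMIN covers login as well (the older FORCE_SSL_LOGIN constant
// is deprecated). The host must already serve the site over HTTPS with a
// valid certificate, or this locks you out of the admin area.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the site sits behind a TLS-terminating proxy or load
// balancer. PHP then sees plain HTTP, WordPress thinks the request is
// insecure and redirects forever. Trust the proxy's header only when the
// proxy is the sole path to this server.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving, confirm that the theme and plugin editors have disappeared from the admin menu, that all existing sessions were logged out (the new salts did their job), and that a plain `http://` request for `/wp-admin/` is redirected to `https://` rather than served.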
• 17. Hide login error messages
Where does it go? /wp-content/themes/your-theme/functions.php
What does it do? Prevents hackers from seeing whether the username or password is incorrect.
• 18. Remove the WP version number
Where does it go? /wp-content/themes/your-theme/functions.php
What does it do? Removes the WordPress version number from the HTML generated by your website. (And the RSS feed too!)
While you're at it… Delete the readme.txt and wp-config-sample.php files in your WordPress root directory. You can safely delete the install.php file located in your wp-admin folder as well.
• 19. Remove author username from comments
Where does it go? /wp-content/themes/your-theme/functions.php
What does it do? Prevents hackers from seeing the username of the post author.
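The three functions.php snippets that slides 17, 18 and 19 describe, as one added example (not the slides' own code). All hooks and helpers used are WordPress's own (`login_errors`, `wp_generator`, `the_generator`, `comment_class`, `style_loader_src`, `script_loader_src`, `remove_query_arg`); the `mb_` prefix on the function names is just a constructed namespace. The last part goes a step beyond slide 18 by also stripping the version from asset URLs, which the slide does not mention.

```php
<?php
// Added example (not from the slides): the functions.php hardening for
// slides 17-19. A site-specific plugin is a better home than the theme's
// functions.php, because the rules then survive a theme switch.

// Slide 17: replace the specific login error ("Invalid username" versus
// "The password you entered ... is incorrect") with one generic message,
// so a guessing script cannot confirm which usernames exist.
add_filter( 'login_errors', 'mb_generic_login_error' );
function mb_generic_login_error( $error ) {
    // $error is deliberately ignored; the only fact returned is "failed".
    return 'Login failed. Please check your credentials and try again.';
}

// Slide 18: drop the <meta name="generator"> tag from the page head and
// the generator element from the RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', 'mb_empty_generator' );
function mb_empty_generator( $generator ) {
    return '';
}

// Beyond the slide: the version also leaks through the ?ver=3.x.y query
// string WordPress appends to its own scripts and styles. Removing it
// also removes cache busting for those assets, so purge caches on upgrade.
add_filter( 'style_loader_src',  'mb_strip_version_query' );
add_filter( 'script_loader_src', 'mb_strip_version_query' );
function mb_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}

// Slide 19: every comment by a registered user carries a
// "comment-author-{user_nicename}" CSS class, and the nicename is normally
// the login name. Strip those classes before the markup is rendered.
add_filter( 'comment_class', 'mb_strip_comment_author_class' );
function mb_strip_comment_author_class( $classes ) {
    foreach ( $classes as $key => $class ) {
        if ( 0 === strpos( $class, 'comment-author-' ) ) {
            unset( $classes[ $key ] );
        }
    }
    return array_values( $classes );
}
```

To check the result, view the source of the home page, the feed at `/feed/` and a post with comments from a logged-in author: there should be no generator tag, no `?ver=` on core asset URLs and no `comment-author-` class, and a failed login should show the generic message whether the username exists or not.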
• 20. Remove the admin account
Steps
1. Create a new user. The e-mail address associated with each user must be unique.
2. Click delete on the admin account. You'll be presented with this screen.
3. Assign all of the posts to the new user that you created and confirm the deletion.
4. If needed, change your email address back to your primary contact.
Not geeky enough? Alternatively, create a new user and run the following SQL command.
• 21. Change your database table prefix
Why you should care: Many SQL injection attacks assume that your database prefix will be wp_. Don't make the hacker's job easy!
On a new installation: WordPress allows you to set the table prefix when installing a new site.
On existing sites: You'll either need to change things in the database and wp-config.php directly, or use a plugin to help you.
For heaven's sake: Make a backup of your site database before trying to change table prefix names.
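The SQL for both of these slides, written for MySQL (phpMyAdmin or the mysql client) as an added example; it is not the command shown on slide 20. Table names assume the default `wp_` prefix that slide 21 warns about; the new prefix `cupk_`, the usernames and the user IDs 1 and 7 are constructed values. Take the database backup the slide insists on before running any of it.

```sql
-- Added example (not from the slides): the database side of slides 20
-- and 21. Back up the database first.

-- Slide 20, "not geeky enough?": after creating the replacement user,
-- look up both IDs rather than guessing them, and confirm the new user
-- really holds the administrator role before the old one disappears.
SELECT ID, user_login FROM wp_users WHERE user_login IN ('admin', 'emery');
SELECT user_id, meta_value FROM wp_usermeta
 WHERE meta_key = 'wp_capabilities' AND user_id = 7;

-- Assume admin is ID 1 and the new user is ID 7 (constructed values).
-- Move the content first, then remove the account and its metadata.
UPDATE wp_posts SET post_author = 7 WHERE post_author = 1;
UPDATE wp_links SET link_owner  = 7 WHERE link_owner  = 1;
DELETE FROM wp_usermeta WHERE user_id = 1;
DELETE FROM wp_users    WHERE ID = 1;

-- Slide 21: change the prefix on an existing site. Rename the core
-- tables, then fix the two places where the prefix is stored as data.
RENAME TABLE wp_commentmeta        TO cupk_commentmeta,
             wp_comments           TO cupk_comments,
             wp_links              TO cupk_links,
             wp_options            TO cupk_options,
             wp_postmeta           TO cupk_postmeta,
             wp_posts              TO cupk_posts,
             wp_terms              TO cupk_terms,
             wp_term_relationships TO cupk_term_relationships,
             wp_term_taxonomy      TO cupk_term_taxonomy,
             wp_usermeta           TO cupk_usermeta,
             wp_users              TO cupk_users;

-- Anything still matching wp_ is a plugin table that needs the same rename.
SHOW TABLES LIKE 'wp\_%';

-- Option and meta keys embed the prefix (wp_user_roles, wp_capabilities,
-- wp_user_level, per-user settings). If these are left alone every user
-- loses their role and nobody can log in as an administrator.
UPDATE cupk_options  SET option_name = CONCAT('cupk_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';
UPDATE cupk_usermeta SET meta_key    = CONCAT('cupk_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Last step, in wp-config.php:  $table_prefix = 'cupk_';
```

Run the rename and the two `UPDATE` statements in one sitting and change `$table_prefix` immediately afterwards; between those steps the site is down, because WordPress is looking for tables that no longer exist. Afterwards, log in and open Users to confirm the administrator role survived the key rewrite.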
• 22. WordPress powers 22% of new active websites in the U.S. It powers 17% of the top million websites in the world. Use the power of this vast community and keep WordPress updated!
@manifestphil manifestbozeman.com
• 23. Site Security Tools
■ Sucuri Site Scanner
■ Google Safe Browsing
■ Bots vs. Browsers
■ iSecLab.org - Wepawet
■ Unmask Parasites

Documentation, etc.
■ WP Codex
■ Perishable Press 5G Blacklist
■ How anyone can hack your WP site in less than 5 minutes (and what you can do…)
■ Protecting /wp-admin using Apache
■ Smashing Magazine
■ What to do if you're hacked

Plugin Recommendations
■ Limit Login Attempts
■ WP Security Scan
■ Duo Two-Factor Authentication
■ WP File Monitor Plus
■ Theme Check
■ Akismet
• 24. Resources for theme and plugin developers
■ Data validation and sanitization in WordPress
■ Andrew Nacin: Y U No Code Well
■ Understanding WordPress Capabilities and Nonces
■ WordPress Plugin Development Best Practices
■ StackExchange: WordPress Answers
■ WP Hackers Mailing List