10 Tips to Hardening WordPress in 10 Minutes

WordCamp Europe 2016
June 24-26, Vienna, Austria

Ten tips
in ten minutes
@miziomon #wceu

Ten tips
to sleep better
at night
@miziomon #wceu

DOWNLOAD LINK
FOR THIS PRESENTATION
http://bit.do/10tips10minutes
@miziomon #wceuhttp://bit.do/10tips10minutes

About me
Maurizio Pelizzone
Born in the 70’s
Partner @ mavida.com
PHP Developer
WordPress Solutions Architect
Co-Organizer @ WordCamp Torino
Active Member @ WordPress Meetup torino
WordPress proud user
maurizio@mavida.com
http://www.mavida.com
http://maurizio.mavida.com
https://twitter.com/miziomon
http://www.slideshare.net/miziomon
http://www.linkedin.com/in/mauriziopelizzone

What is «hardening» ?

hardening is the process of securing a system by
reducing its surface of vulnerability

Why do we need
«hardening» ?

All systems are vulnerable
Fully Secure Systems Don’t Exist

http://w3techs.com/technologies/overview/content_management/all
@miziomon #wceu
Usage of content management systems for websites
http://bit.do/10tips10minutes

Dangers

Human errors
a.k.a. things we forget to do…
1/5

Exploitation
2/5

Social engineering
3/5

Brute force attack
4/5

Write and execution
permission
5/5

the solution

my approach

we are not all security experts,
but anyone can reduce some vulnerability

Keeping your Site
Updated

TEST YOUR
BACKUP
10 09 08 07 06 05 04 03 02 01

PREVENT USER
ENUMERATION
10 09 08 07 06 05 04 03 02 01

www.yourwebsite.com/?author=1

RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]

USER
PERMISSION
10 09 08 07 06 05 04 03 02 01

HIDE YOUR
LOGIN
10 09 08 07 06 05 04 03 02 01

RewriteRule ^mylogin$ wp-login.php?key=123&redirect_to=http://%{SERVER_NAME}/wp-
admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/login
RewriteCond %{QUERY_STRING} !^key=123
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/? [R,L]

<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

DON’T SHOW
ERRORS
(and all unnecessary information)
10 09 08 07 06 05 04 03 02 01

// login errors / message
add_filter('login_errors', '__return_false');
add_filter('login_messages', '__return_false');

// remove version information
remove_action('wp_head', 'wp_generator');

<files readme.html>
Order allow,deny
Deny from all
</files>

DENY
PHP EXECUTION
10 09 08 07 06 05 04 03 02 01

Order Allow,Deny
Deny from all
<Files ~
".(xls|doc|rtf|pdf|zip|mp3|flv|swf|pn
g|gif|jpg|ico|js|css|kmz|ttf|woff|woff
2)$">
Allow from all
</Files>

TRASHABLE
PLUGINS
10 09 08 07 06 05 04 03 02 01

How to shrink plugins number
1. Remove inactive plugins
2. Remove useless plugins
3. Integrate a plugin functionality inside the your (child) themes

How to disallow
plugins installation and updates?

//Disable the Plugin and Theme Editor
define('DISALLOW_FILE_EDIT', true);
// Disable Plugin and Theme Update and Installation
define('DISALLOW_FILE_MODS',true);

USE SECURE
PASSWORD
10 09 08 07 06 05 04 03 02 01

Insecure Password
• matt1984
• password
• 123456
• qwerty
• matrix
Secure Password
• D7u8hI928FJYusx
• Z5BLl20T8by1524
• TLv7p64P63V5Hr1
• 6b83668I15qRP2I
• Um2d4Ejd9T1ExPr
http://strongpasswordgenerator.com/

TIPS FOR MEMORIZABLE AND
UNFORGETABLE PASSWORD
my son likes playing with his red ball
mSlPwHrB
(I’m) Addicted to WordPress
@ddict3d.2.WordPr3ss
Phrase + Numbers + Symbol

CUSTOM
DIRECTORY
10 09 08 07 06 05 04 03 02 01

- WP-ADMIN
- WP-INCLUDE
- WP-CONTENT
STANDARD WORDPRESS STRUCTURE

- APPLICATION
--- WP-ADMIN
--- WP-INCLUDES
- PUBLIC
--- WP-CONTENT
- UPLOADS
CUSTOM WORDPRESS STRUCTURE

define('WP_CONTENT_DIR', dirname(__FILE__) . '/public);
define('WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public');
define( 'WP_UPLOADS_DIR', dirname(__FILE__) . '/uploads' );
define('WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/application');
define('WP_HOME', 'http://' . $_SERVER['SERVER_NAME']);

BLACKHOLE
10 09 08 07 06 05 04 03 02 01

BLACKHOLE
http://perishablepress.com/blackhole-bad-bots/

TOOLS
(for lazy peoples)

https://it.wordpress.org/plugins/sucuri-scanner/
https://it.wordpress.org/plugins/wordfence/
https://it.wordpress.org/plugins/better-wp-security/

References
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/Administration_Over_SSL
• http://codex.wordpress.org/Editing_wp-config.php
• https://www.wordfence.com/learn/how-to-harden-wordpress-sites/

@miziomon #wceu
Thank you
Maurizio Pelizzone
@miziomon
maurizio@mavida.com
http://maurizio.mavida.com

10 Tips to Hardening WordPress in 10 Minutes

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (10)

Similar a 10 Tips to Hardening WordPress in 10 Minutes

Similar a 10 Tips to Hardening WordPress in 10 Minutes (20)

Más de Maurizio Pelizzone

Más de Maurizio Pelizzone (15)

Último

Último (20)

10 Tips to Hardening WordPress in 10 Minutes

Notas del editor