This document outlines a presentation given by Maurizio Pelizzone on hardening WordPress sites: ten tips in ten minutes over ten slides, covering keeping sites updated, testing backups, hiding the login, removing unnecessary plugins, using secure passwords, customizing directories, and using security tools. The message to attendees is that security measures can be taken by anyone, not just experts, to reduce vulnerabilities. It concludes by thanking the audience and giving Maurizio's contact details.
4. DOWNLOAD LINK FOR THIS PRESENTATION
http://bit.do/10tips10minutes
@miziomon #wceu http://bit.do/10tips10minutes
5. About me
Maurizio Pelizzone
Born in the 70’s
Partner @ mavida.com
PHP Developer
WordPress Solutions Architect
Co-Organizer @ WordCamp Torino
Active Member @ WordPress Meetup Torino
WordPress proud user
maurizio@mavida.com
http://www.mavida.com
http://maurizio.mavida.com
https://twitter.com/miziomon
http://www.slideshare.net/miziomon
http://www.linkedin.com/in/mauriziopelizzone
37. Order Allow,Deny
Deny from all
# Allow only media, document and font files by extension; the dot is escaped
# so it matches a literal "." (<FilesMatch "..."> is the newer spelling of <Files ~ "...">)
<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
Allow from all
</Files>
39. How to shrink the number of plugins
1. Remove inactive plugins
2. Remove useless plugins
3. Integrate the plugin's functionality inside your (child) theme
40. How to disallow plugin installation and updates?
41. // Disable the plugin and theme editor in wp-admin
define('DISALLOW_FILE_EDIT', true);
// Disable plugin and theme installation and updates from wp-admin.
// This implies DISALLOW_FILE_EDIT and also switches off automatic core updates,
// so updates must then come from WP-CLI or your deployment process.
define('DISALLOW_FILE_MODS', true);
44. TIPS FOR A MEMORABLE AND UNFORGETTABLE PASSWORD
my son likes playing with his red ball  ->  mSlPwHrB
(I'm) Addicted to WordPress  ->  @ddict3d.2.WordPr3ss
Phrase + Numbers + Symbol
WordPress hardening is an underestimated problem for many people, and even when you keep your system updated you are never completely risk-free. Many projects, after go-live, are left in the lurch without love... I'd like to share some small improvements that are achievable with very little effort and can make the difference.
Welcome everybody, and thanks for being here. This is my first talk in English and I hope that you take away some nice ideas.
Now I want to tell you about my method to "sleep better" at night, with no calls about hacked websites.
Here is the link to download my presentation, so you can preview it.
Just a quick word about me. My name is Maurizio Pelizzone and I'm a very proud WordPress developer.
So, before starting, let's take a step back and ask ourselves: what is "hardening"?
If someone doesn't know the meaning of this word, here is a definition from Wikipedia:
I think that WordPress hardening is an underestimated problem, and many projects, after go-live, are left in the lurch without love...
So, the next topic is why.
Why do we need "hardening"?
The answer for me is very simple.
All systems are vulnerable.
Fully secure systems don't exist.
Another important thing to remember is that the most widely used platform is going to be the biggest target for attacks.
So now let's look at the dangers.
I'm going to start with my list of what I think are the five most important dangers.
Number one: human errors (in most cases, the things we forget to do), such as forgetting to remove the "admin" user, forgetting to replace an old password with a strong one, or forgetting to update your system.
Number two: exploitation, the technique of using a sequence of commands to take advantage of a vulnerability and penetrate your website.
Number three: social engineering, the technique of collecting your personal information and using it against you.
Number four: brute-force attacks. You need to know that many automated systems exist that try to get into your login. Every damned day. Believe me... or look at your access log.
Number five: write permissions. If you don't want anyone to be able to put a backdoor in your WordPress installation, ask yourself: do you really need all your directories to be 777?
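As an added example (not a script from the talk), here is a small POSIX shell audit for exactly that question: it lists every world-writable path under a WordPress tree and resets the tree to the usual 755/644 baseline. The sample tree it builds is constructed for the demo, and the path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Find the "777" problem: list every world-writable file or directory under a
# WordPress tree and reset the tree to the usual baseline. Added example, not a
# script from the talk; the sample tree below is constructed for the demo.

# Print every world-writable path under $1 (sorted, one per line).
# Symlinks are skipped: their mode bits mean nothing, the target's do.
world_writable() {
    find "$1" ! -type l -perm -002 -print | sort
}

# Usual baseline: directories 755, files 644, wp-config.php 640.
# If PHP runs as a different user than the file owner, give that user write
# access to wp-content/uploads through the group, never through the "other" bits.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# Throwaway tree reproducing the common mistake: uploads/ chmod 777 and a
# world-writable file inside it. Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins"
    printf '<?php // sample config\n' > "$dir/wp-config.php"
    printf 'GIF89a\n' > "$dir/wp-content/uploads/logo.gif"
    chmod 640 "$dir/wp-config.php"
    chmod 755 "$dir/wp-content/plugins"
    chmod 777 "$dir/wp-content/uploads"        # the classic mistake
    chmod 666 "$dir/wp-content/uploads/logo.gif"
    printf '%s\n' "$dir"
}

# Run the audit on a real path, e.g. ./audit.sh /var/www/html (hypothetical path).
if [ "$#" -gt 0 ]; then
    echo "world-writable paths under $1:"
    world_writable "$1"
fi
```

Run the audit first and look at what it prints before running the fix: a directory that is 777 because a plugin insisted on it is a plugin to revisit, not a permission to keep.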
Now let's move to the solutions... OK, OK, maybe "solutions" is not the right word.
I think it's better to say "my approach":
some simple life-saving improvements that are achievable with very little effort and can really make the difference.
A wise man could sum up my approach in this sentence:
We are not all security experts, but anyone can reduce some vulnerabilities.
One more word before we begin, and it is the most important thing: remember to keep your WordPress updated,
because without that, all the other tips are useless.
OK. Now let's move to my ten-step countdown...
TEST YOUR BACKUP
The key point is TEST your backup, because it is obvious that you have a backup.
You need to test it before a disaster. You have to be able to do it fast.
You must be sure you have everything you need to recover.
If you don't have a backup, you can use one of these plugins.
If you don't want to use one of these plugins, that's not a problem: do it by hand, or ask your sysadmin or your provider.
But you must have a backup, and you must test a complete restore.
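An added example, not the author's own backup tooling, of what "test a complete restore" means in practice: back up a constructed site tree, restore it into a scratch directory, check that the files a recovery needs are present, and compare checksums of the live and restored trees. The database half is only sketched in a comment because it needs a running MySQL; the commands named there are the standard mysqldump/mysql ones and the database name is hypothetical.

```shell
#!/bin/sh
# Backup-and-restore drill: take a file backup, restore it somewhere else, and
# prove that what came back is what went in. Added example, not the talk's own
# script; the site tree is constructed here. For the database, a real drill adds
#   mysqldump --single-transaction example_db > "$site/db.sql"   (hypothetical db name)
# before make_backup and restores it with  mysql scratch_db < db.sql  afterwards.

# Paths that must exist after a restore for the site to be recoverable at all.
REQUIRED="wp-config.php wp-content/uploads wp-content/themes"

# Archive the site tree at $1 into the tar file $2.
make_backup() {
    tar -C "$1" -cf "$2" .
}

# Unpack archive $1 into the (empty) directory $2.
restore_backup() {
    tar -C "$2" -xf "$1"
}

# Fingerprint a tree: relative path plus checksum of every file, sorted, so two
# trees can be compared as text.
fingerprint() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s %s\n' "$f" "$(cksum < "$f" | cut -d' ' -f1)"
    done )
}

# The drill itself: returns 0 when the restore of $2 is complete and identical
# to the live tree $1, 1 otherwise (a stale or truncated backup fails here).
test_restore() {
    live=$1; arc=$2
    scratch=$(mktemp -d)
    restore_backup "$arc" "$scratch" || { rm -rf "$scratch"; return 1; }
    for p in $REQUIRED; do
        if [ ! -e "$scratch/$p" ]; then
            echo "missing after restore: $p" >&2
            rm -rf "$scratch"; return 1
        fi
    done
    if [ "$(fingerprint "$live")" != "$(fingerprint "$scratch")" ]; then
        echo "restored tree differs from live tree" >&2
        rm -rf "$scratch"; return 1
    fi
    rm -rf "$scratch"
    return 0
}

# Constructed sample site for the drill; prints the directory it created.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads/2015" "$dir/wp-content/themes/child"
    printf '<?php define("DB_NAME", "example_db");\n' > "$dir/wp-config.php"
    printf 'fake image bytes\n' > "$dir/wp-content/uploads/2015/photo.jpg"
    printf '/* child theme */\n' > "$dir/wp-content/themes/child/style.css"
    printf '%s\n' "$dir"
}
```

Schedule the drill, not just the backup: the second half of the test below shows what a backup taken before the last upload looks like, which is the case you find out about only when it is too late.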
PREVENT USER ENUMERATION
The keyword is PREVENT: stop WordPress from showing the username of every user that has a login on your website (unless, of course, you need public author pages).
Try typing one of these links into your browser...
If you can read a username in the URL you are redirected to, you may have a problem.
This way anyone can learn every user that is able to log in to your system.
You can stop it with these two lines in your .htaccess. On WordPress 4.7 and later the REST API endpoint /wp-json/wp/v2/users lists users as well, so it needs the same treatment.
USER PERMISSION
The key is to LIMIT each ROLE to the absolute minimum. Not all users have to be administrators.
WordPress has many built-in roles, such as contributor, author and editor.
Remember to assign only the necessary role.
Here I want to show that we can set "no role" for users that don't need one; even the standard "admin" username can be left with no role at all.
HIDE YOUR LOGIN
The majority of sites don't need a public login page.
So you can hide the access and move it to a custom URL like "this-is-my-login-page".
Here is an example of how you can do it.
Put this code in your .htaccess and remember to change the key... The moved URL only cuts the noise: anyone who learns the key is back at the original login, so this complements strong passwords rather than replacing them.
Unluckily, wp-login.php is not the only way to log in to your system.
After reading an access log you will probably find a lot of requests to xmlrpc.php. If you don't use WordPress.com or the WordPress mobile app, you can forbid its use with this code in your .htaccess.
DON'T SHOW ERRORS
When you can't hide the login, maybe you can hide some error information...
Here the key is "don't show" unnecessary info.
When I type a wrong username, nobody needs to know whether the error is in the username or in the password...
Your pages don't need to announce which WordPress version is running.
Your site doesn't need to keep the readme page visible, and in the same way as for xmlrpc.php we can forbid access to readme.html.
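Whether the user enumeration, hidden login, xmlrpc.php and error-hiding steps above actually took effect can be verified from outside with curl. The following is an added example, mine rather than the talk's: the parsers read raw HTTP text from stdin so each check can be exercised offline on constructed responses, and probe_site wires them to curl for a real site whose base URL is passed as an argument. The base URL, the script name in the usage note and the REST users endpoint (WordPress 4.7 and later) are assumptions beyond what the slides show.

```shell
#!/bin/sh
# Check from outside whether a site still leaks what the talk says to hide:
# usernames via ?author=N (and the REST users endpoint), the version in the
# generator tag, a login error that tells unknown users apart from wrong
# passwords, and reachable xmlrpc.php / readme.html. Added example, not from
# the talk; the responses in the tests are constructed, not captured.

# Username from a redirect header such as "Location: https://site/author/alice/".
# Prints nothing when there is no author redirect.
author_from_redirect() {
    sed -n 's#^[Ll]ocation:.*/author/\([^/?]*\)/*.*$#\1#p' | head -n 1 | tr -d '\r'
}

# Version from <meta name="generator" content="WordPress 4.2.2" />, empty if absent.
generator_version() {
    sed -n 's#.*<meta name="generator" content="WordPress \([0-9.]*\)".*#\1#p' | head -n 1
}

# Exit 0 when the login error reveals whether the username exists, 1 when it is
# generic. The phrases are ones WordPress has used for the two distinct failures.
login_error_leaks() {
    grep -Eiq 'invalid username|unknown username|password you entered for the username'
}

# Run every check against a live site. $1 is the base URL (assumed argument).
probe_site() {
    base=${1%/}
    user=$(curl -s -D - -o /dev/null "$base/?author=1" | author_from_redirect)
    if [ -n "$user" ]; then
        echo "author enumeration: ?author=1 redirects to user '$user'"
    fi
    ver=$(curl -s "$base/" | generator_version)
    if [ -n "$ver" ]; then
        echo "version disclosed in generator tag: $ver"
    fi
    for path in xmlrpc.php readme.html wp-json/wp/v2/users; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$path")
        case $code in
            401|403|404) ;;                      # blocked, restricted or gone: fine
            *) echo "$path reachable (HTTP $code)" ;;
        esac
    done
    if curl -s -d 'log=no-such-user&pwd=x' "$base/wp-login.php" | login_error_leaks; then
        echo "login error distinguishes an unknown user from a wrong password"
    fi
}

# Network calls happen only when a URL is passed; sourcing the file is side-effect free.
if [ "$#" -gt 0 ]; then
    probe_site "$1"
fi
```

Run it as `./probe.sh https://example.org` (hypothetical names) before and after applying the .htaccess rules: every line it prints is one of the leaks this step says to close, and an empty output is the goal. xmlrpc.php answers a plain GET with 405 when it is enabled, which is why anything other than 401/403/404 is reported.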
DENY PHP EXECUTION
I think that in the upload directory PHP execution is not needed.
In the upload directory there should be only media files like images, documents and fonts. NOT PHP FILES.
NOT PHP BACKDOOR FILES.
Put this file (the .htaccess shown on the slide) inside your upload directory and PHP will no longer be served from there.
I told a little lie: this code does not deny PHP execution as such; it allows only some kinds of file, like images, documents and fonts, and denies everything else. Two caveats: the match is case-sensitive, so uploads with uppercase extensions (IMG_0001.JPG) are denied too unless you make the pattern case-insensitive; and a name like shell.php.jpg still matches the allow list, so if your Apache maps PHP with AddHandler you should also switch PHP off in uploads (for example php_flag engine off with mod_php) rather than rely on the extension list alone. Order/Allow/Deny needs mod_access_compat on Apache 2.4, and nginx ignores .htaccess files entirely.
TRASHABLE PLUGINS
Trashing, removing and deleting plugins is good practice: less is more.
This is my checklist:
1. Remove inactive plugins
2. Remove useless (or duplicate) plugins
3. For the bravest: integrate the same plugin functionality inside your theme
Remember this mantra: less is more, less is more.
But when a "wannabe" user is able to install new plugins while you sleep, your breakfast is not going to be so great.
For this reason, if you want to keep control, you can disallow installation from wp-admin.
Here are the lines to put in your wp-config.php (DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS). Keep in mind that DISALLOW_FILE_MODS also turns off automatic core updates, so from then on you have to update through WP-CLI or your deployment process, otherwise you break the most important tip of all.
USE SECURE PASSWORDS
Passwords are a problem.
Passwords are always a big problem.
Normal people hate passwords.
But in the real world we must not be lazy, and we must be brave enough to use very strong passwords.
This is my tip for a MEMORABLE AND UNFORGETTABLE PASSWORD:
take a phrase and turn it into a password using its initials, numbers and symbols, mixing upper and lower case. The longer the phrase, the stronger the result: the eight-character example on the slide is short by today's standards, and for every account you don't need to type by hand a password manager removes the memorizing problem altogether.
CUSTOM DIRECTORY
Another little-known, awesome WordPress feature.
A custom directory is a line of defence that hides your structure.
Let me explain with an example...
This is the standard structure, with the login page always in the same place...
What happens if I move my WordPress installation like this?
The first achievement is that the automatic bots that try brute-force attacks against the default paths will fail... Remember, though, that the new paths still appear in your HTML source (script and style URLs), so this stops dumb scanners, not someone who reads the page.
Another thing is that the structure is more lovely and you can do more efficient deploys.
Here is the code to put in wp-config.php.
The last one: BLACKHOLE
One of my favourite tips. A blackhole is a way to set a trap on common URLs.
One simple example: have you moved your login page from wp-login.php to a custom login URL?
Well, who is it that keeps on going to wp-login.php?
Maybe it's someone who should not be there...
How does it work?
The blackhole watches some "candy" links (wp-login, wp-admin, phpmyadmin, etc.), logs the IP and blocks its next access. Choose the candy carefully: wp-admin is still used by your own editors after they log in, so trap it only if nobody legitimate should reach it, and keep a way to unblock yourself.
The implementation is a little bit technical, but you can find more info at perishablepress.com.
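The talk points to perishablepress.com for the blackhole implementation; as an added example of the same idea, here is a detector that reads a combined-format access log, counts hits per client on the candy URLs (the brute-force and xmlrpc.php noise mentioned in the dangers and hidden-login steps is exactly this traffic) and emits deny rules. This is not the perishablepress code; the log lines are constructed for the demo, the addresses are documentation ranges, and the log path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Blackhole-style detection over a combined-format access log: find the clients
# that keep knocking on the "candy" URLs the talk lists (wp-login.php, xmlrpc.php,
# phpmyadmin, wp-admin) and turn them into deny rules. Added example; it is not
# the perishablepress.com implementation the talk points to, and the log lines
# below are constructed, not real traffic.

# Decoy paths, as an awk extended regex. Bracket expressions instead of
# backslashes so the pattern survives awk -v escape processing unchanged.
CANDY='/(wp-login[.]php|xmlrpc[.]php|phpmyadmin|wp-admin)'

# Read a combined log on stdin and print "count ip" for every client with at
# least $1 candy hits (default 1), busiest first.
candy_hits() {
    min=${1:-1}
    awk -v re="$CANDY" -v min="$min" '
        # combined format: ip - user [time zone] "METHOD path HTTP/x" status size "ref" "ua"
        $7 ~ re { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines on stdin into .htaccess deny lines in the same
# Order/Allow/Deny style as the talk's upload-directory snippet, or nginx "deny".
deny_rules() {
    fmt=${1:-apache}
    while read -r count ip; do
        case $fmt in
            nginx) printf 'deny %s;\n' "$ip" ;;
            *)     printf 'Deny from %s\n' "$ip" ;;
        esac
    done
}

# Constructed sample: one scanner hammering the decoys, one editor who used the
# moved login page and then wp-admin once, one crawler reading a post.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/May/2015:02:13:01 +0000] "GET /wp-login.php HTTP/1.1" 404 237 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2015:02:13:02 +0000] "POST /wp-login.php HTTP/1.1" 404 237 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2015:02:13:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2015:02:13:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 237 "-" "Mozilla/5.0"
198.51.100.21 - - [10/May/2015:08:40:12 +0000] "GET /this-is-my-login-page HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
198.51.100.21 - - [10/May/2015:08:40:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2015:09:01:00 +0000] "GET /2015/05/hello-world/ HTTP/1.1" 200 5520 "-" "bot/1.0"
EOF
}

# Usage on a real log (hypothetical path):
#   candy_hits 3 < /var/log/apache2/access.log | deny_rules
```

A bare `Deny from` line only works under an `Order Allow,Deny` / `Allow from all` pair (on Apache 2.4 that means mod_access_compat; the native 2.4 form is `Require not ip` inside a `<RequireAll>` block). Pick the threshold from your own log: in the sample, a threshold of 1 would also catch the editor who opened wp-admin once, while 2 catches only the scanner.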
Are you still alive? Great.
For those of you who don't like to put your hands under the hood, here are some ready-made plugins that can do the dirty work for you,
but now you can use them with more understanding of what they do:
Sucuri Security / Wordfence / iThemes Security
OK. I have to go...
Last but not least, some links to delve deeper.
Thank you for listening and for being so patient with my terrible English.