SlideShare ist ein Scribd-Unternehmen logo

Complete Wordpress Security By CHETAN SONI - Cyber Security Expert

Chetan Soni
Chetan Soni

This document provides tips for securing a WordPress website. It lists 27 steps including disabling custom HTML, removing default posts and comments, deleting installation files, hiding indexes, blocking directories, securing the admin page, limiting login attempts, scanning for malware, creating custom secret keys, changing the database prefix, protecting configuration files, monitoring the site, hiding the login page, checking for content copying, scanning for exploits, using email as the login key, keeping logs of errors, activating the Akismet plugin, using maintenance mode, restricting admin access by IP, banning users, preventing access to folders, protecting individual files, disabling hotlinking, stopping spam, and optimizing the database. The document recommends using various WordPress security plugins and provides

BildungTechnologie
1 von 11
Downloaden Sie, um offline zu lesen
CHETAN SONI – Security Specialist Wordpress Security 1. Disable custom HTML when possible Added this code in wp-config.php File define( 'DISALLOW_UNFILTERED_HTML', true ); 2. Remove all Default posts and Comments Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them you have a new Wordpress site, and brand new sites are often easier to crack into. Just to this file “wp-includes/general-template.php” function the_generator( $type ) { echo apply_filters('the_generator', get_the_generator($type), $type) . "n"; } After Security function the_generator( $type ) { #echo apply_filters('the_generator', get_the_generator($type), $type) . "n"; } Make sure a hash is applied next to the “echo” command so that it looks like this: 3. Delete wp-admin/install.php and wp-admin/upgrade.php Be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every Wordpress installation or upgrade. 4. Hide indexes Just open .htaccess file and type this code Options –indexes 5. Block Some Crucial directories Secugenius Security Solutions Page 1
CHETAN SONI – Security Specialist Your site's wp-includes/ directory is the most important one to block. Find the .htaccess file there and insert RewriteRule ^(wp-includes)/.*$ ./ [NC,R=301,L] If there are subdirectories, then use this code RewriteRule ^(wp-includes|subdirectory-name-here)/.*$ ./ [NC,R=301,L] 6. Secure your Admin page with YUBICO http://www.yubico.com/ = PAID Plugin 7. Limit Login Attempts Limit the number of login attempts possible both through normal login as well as using auth cookies. http://wordpress.org/extend/plugins/limit-login-attempts/ OR http://wordpress.org/extend/plugins/login-lockdown/ Secugenius Security Solutions Page 2
CHETAN SONI – Security Specialist 8. Server Side Scanning Online FREE Web-malware continues to evolve making it challenging to detect using only HTTP fingerprinting techniques, such as the ones Site Check is restricted to. http://sitecheck.sucuri.net/scanner/ http://wordpress.org/extend/plugins/better-wp-security/ 9. Create Custom Secret Keys All of the confidential details for your Wordpress site are stored in the wp-config.php in your Wordpress root directory. Change these codes as according you like. For Random Secret Keys, https://api.wordpress.org/secret-key/1.1/salt/ Secugenius Security Solutions Page 3
CHETAN SONI – Security Specialist 10. Change the default database Prefix. 11. Protect your wp-config file As wp-config.php file contains all the confidential details of your site. So it‟s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in your .htaccess file on your server. <Files wp-config.php> order allow,deny deny from all </Files> 12. Protect your .htaccess file You just need to place below code in your .htaccess file. <Files .htaccess> order allow,deny deny from all </Files> 13. Hide your Wordpress Version To do this you need to place below code in function.php of your active theme. remove_action('wp_head', 'wp_generator'); You can go one step further and additionally remove it from RSS feeds using this: function wpt_remove_version() { return ''; } add_filter('the_generator', 'wpt_remove_version'); Secugenius Security Solutions Page 4
CHETAN SONI – Security Specialist 14. Install Wordpress Security Scan Plugin This is a good plugin which scans your Wordpress installation and give the suggestion accordingly. This plugin will check for below things:  Passwords  File Permissions  Database Security  Wordpress Admin protection http://wordpress.org/extend/plugins/wp-security-scan/ 15. Ask Apache Password Protect You can protect your site with 401 authorization in easy steps. http://wordpress.org/extend/plugins/askapache-password-protect/ 16. Automatically Backup your site http://wordpress.org/extend/plugins/backwpup/ 17. Two Factor Authenticator The Google Authenticator plugin for Wordpress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. http://wordpress.org/extend/plugins/google-authenticator/ 18. Using .htaccess file as a FIREWALL RedirectMatch 403 [ 19. 5G Firewall Beta http://perishablepress.com/5g-firewall-beta/ 20. Allow some IPs Dashboard from your home or office, this method will help a lot. AuthType Basic order deny,allow deny from all # your home IP address allow from xxx.xxx.xxx.xxx # your office IP address allow from yy.yyy.yyy.yyy Secugenius Security Solutions Page 5
CHETAN SONI – Security Specialist 21. Protect wp-includes Directory If you go to http://www.your-site.com/wp-includes, you will see an open folder and this is definitely not safe. You need to create a redirect file in order to forward visitors who access that URL to your main home page. If you ask yourself, who in the world would access that URL? Well, hackers would? To redirect visitors away from that URL, simply create a new file named index.html and put this code in it: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <meta http-equiv="REFRESH" content="0;url=http://www.your-site.com/"></HEAD> <BODY></BODY> </HTML> 22. Change your permissions Make sure you change your files permissions to 0744 which means they are read-only to everyone except you. This makes sure that other people are not able to change any of the files on your server. Set file permissions at 644 and 755 for folders. 23. Install Antivirus for Wordpress Use this antivirus http://wpantivirus.com/ 24. Block Access to wp-content Folder To block access to your wp-content folder create a new htaccess file and save this at the root level of your wp-content folder. Order deny,allow Deny from all <Files ~ ".(xml|css|jpe?g|png|gif|js)$"> Allow from all </Files> 25. Hide Login Error Messages There is a login page hook to access to remove any error message from the login page. Copy the following in your functions.php file. add_filter('login_errors',create_function('$a', "return null;")); Secugenius Security Solutions Page 6
CHETAN SONI – Security Specialist 26. Disable Theme and plugin Editor If you want to stop the editor links from appearing in the admin area you can add the following to your wp-config.php file so people cannot edit the theme directly in the admin area. define( 'DISALLOW_FILE_EDIT', true); 27. Security from SQL Injection To avoid that, you can try to secure your files using Apache with a code like this in your .htaccess file: <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ - [F,L] RewriteCond %{QUERY_STRING} ../ [NC,OR] RewriteCond %{QUERY_STRING} boot.ini [NC,OR] RewriteCond %{QUERY_STRING} tag= [NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http: [NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR] RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|ê|"|;|?|*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*("|'|<|>||{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ - [F,L] </IfModule> 28. Clean out Old Unneeded Core Files Clean out old unneeded core files with help from this free Wordpress plugin: http://wordpress.org/extend/plugins/old-core-files/ 29. Activate Akismet Plugin To block the comment spam automatically using Akismet Which a Wordpress plugin. Secugenius Security Solutions Page 7
CHETAN SONI – Security Specialist 30. Monitoring Your Wordpress http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/ 31. Hide Your Login Page http://wordpress.org/extend/plugins/hide-login/ 32. Content Security Try checking http://copyscape.com/ 33. Check for Exploits http://wordpress.org/extend/plugins/exploit-scanner/ 34. Select Email Address as Your Login Key http://wordpress.org/extend/plugins/wp-email-login/ 35. Change Database Prefix Plugin http://wordpress.org/extend/plugins/db-prefix-change/ 36. Keep a log of Wordpress PHP and Database Errors http://wordpress.org/extend/plugins/error-log-monitor/ 37. Outstanding Security Plugin http://wordpress.org/extend/plugins/login-dongle/ http://wordpress.org/extend/plugins/better-wp-security/ http://wordpress.org/extend/plugins/wordfence/ 38. Website Defender Plugin http://wordpress.org/extend/plugins/websitedefender-wordpress-security/ 39. Maintenance Mode Plugin http://wordpress.org/extend/plugins/maintenance-mode/ 40. Admin Access from your IP Only You can limit who can access your admin folder by IP address, to do this you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder. Secugenius Security Solutions Page 8
CHETAN SONI – Security Specialist order deny,allow allow from 202.090.21.1 (replace with your IP address) deny from all 41. Banning Bad Users You can ban this person using .htaccess with this simple snippet: <Limit GET POST> order allow,deny deny from 202.090.21.1 allow from all </Limit> 42. Prevent Access to Wp-content Create a custom .htaccess file in wp-content directory Order deny,allow Deny from all <Files ~ ".(xml|css|jpe?g|png|gif|js)$"> Allow from all </Files> 43. Individual File Protection There are certain files you might want to protect individually rather than blocking a whole folder or selection. The example snippet shows how you would prevent access to the .htaccess file and will throw a 403 if accessed by anyone. The file name can be changed to whatever file you wish to protect: # Protect the .htaccess <files .htaccess=""> order allow,deny deny from all </files> 44. Disable Hotlinking Sometimes another site may directly link images from your site. It saves hard disk space by not having to store the images. But your site ends up serving the requests for them, thus using up your precious bandwidth. This is known as „hotlinking‟. To disable this you can add these lines to the .htaccess #disable hotlinking of images with forbidden or custom image option RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www.)?yourdomain.com/.*$ [NC] Secugenius Security Solutions Page 9
CHETAN SONI – Security Specialist #RewriteRule .(gif|jpg)$ – [F] RewriteRule .(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L] 45. Stop Spammers Like hotlinking, spammers are notorious to use up your site‟s resources. There are a number of ways to identify a potential spammer. One of them is to detect requests with „no referrer‟. Spammers use bots to post comments on blogs and they come from „nowhere‟. Add these lines to stop the spammers RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post.php* RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L] 46. Database Optimization http://wordpress.org/extend/plugins/wp-optimize/ FOR MORE INFO - > http://www.hongkiat.com/blog/hardening- wordpress-security/ Secugenius Security Solutions Page 10
CHETAN SONI – Security Specialist Wordpress Security Basics Checklist 1. Rename user Admin to something else. 2. Change the ID field on the first user from 1 to something else. 3. Enforce strong password requirements for all system users 4. Don‟t let anybody but admins see available WP updates. 5. Remove the ability for non-admins to modify theme files. 6. Tweak the database so tables aren‟t prefixed with wp_. 7. Don‟t use the MySQL root user to access the database. 8. Limit the MySQL account used to the site database only. 9. Restrict the MySQL account so it can‟t perform destructive actions (i.e. DROP, etc.) 10. Give the MySQL account a very long, randomised password. 11. Don‟t allow the server‟s root user access via SSH. Use an account with SUDO privileges instead. 12. Ensure all the secret key fields in wp-config.php are completed with 16-bit SHA keys. 13. Disallow indexes on all site folders. 14. Hide the admin area. 15. Rename the wp-content directory to something else. 16. Block bad hosts and agents with blacklists. 17. Make any .htaccess files and wp-config.php non-writeable. 18. Make the admin area inaccessible outside of work hours (handle this one with care) 19. Schedule regular database backups. 20. Restrict the length of allowed URLs to 255 characters or less. 21. Require SSL connections on the admin area (if possible; this one has an on-cost attached) 22. If possible, install and run server-side antivirus software such as ClamAV. 23. Consider restricting the server‟s FTP service to only accept connections from certain, whitelisted IP addresses (only applicable if you have at least one static IP). 24. When deploy complete, consider stopping the server‟s FTP service completely. You can always temporarily switch it on again if required. 25. If your web server is allowing proxying (for example, if you‟re load-balancing), ensure it‟s not configured as an open HTTP proxy. 26. Remove any open SMTP proxies on your server. Secugenius Security Solutions Page 11

Empfohlen

Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and Configuration
Chetan Soni
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
Rupesh Kumar
 
Things to keep in mind while creating a word press plugin from scratch
Things to keep in mind while creating a word press plugin from scratchThings to keep in mind while creating a word press plugin from scratch
Things to keep in mind while creating a word press plugin from scratch
Elsner Technologies Pvt Ltd
 
Seo pressor unlimited-license-v4.0
Seo pressor unlimited-license-v4.0Seo pressor unlimited-license-v4.0
Seo pressor unlimited-license-v4.0
Sarit Cohen
 
The moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaThe moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 

Empfohlen

Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and Configuration
Chetan Soni
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
Rupesh Kumar
 
Things to keep in mind while creating a word press plugin from scratch
Things to keep in mind while creating a word press plugin from scratchThings to keep in mind while creating a word press plugin from scratch
Things to keep in mind while creating a word press plugin from scratch
Elsner Technologies Pvt Ltd
 
Seo pressor unlimited-license-v4.0
Seo pressor unlimited-license-v4.0Seo pressor unlimited-license-v4.0
Seo pressor unlimited-license-v4.0
Sarit Cohen
 
The moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaThe moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.
Marcin Chwedziak
 
Presentation (PPT)
Presentation (PPT)Presentation (PPT)
Presentation (PPT)
webhostingguy
 
Crud tutorial en
Crud tutorial enCrud tutorial en
Crud tutorial en
forkgrown
 
Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themes
Otto Kekäläinen
 
Making Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichMaking Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph Ruepprich
Enkitec
 
Antivirus Bypass Techniques - 2016
Antivirus Bypass Techniques - 2016Antivirus Bypass Techniques - 2016
Antivirus Bypass Techniques - 2016
Raghav Bisht
 
Serving Moodle Presentation
Serving Moodle PresentationServing Moodle Presentation
Serving Moodle Presentation
webhostingguy
 
Installation of Drupal on Windows XP with XAMPP
Installation of Drupal on Windows XP with XAMPPInstallation of Drupal on Windows XP with XAMPP
Installation of Drupal on Windows XP with XAMPP
Rupesh Kumar
 
Virtualización de Escriorios VMWare View 5
Virtualización de Escriorios VMWare View 5Virtualización de Escriorios VMWare View 5
Virtualización de Escriorios VMWare View 5
RaGaZoMe
 
Create dynamic sites with PHP & MySQL
Create dynamic sites with PHP & MySQLCreate dynamic sites with PHP & MySQL
Create dynamic sites with PHP & MySQL
kangaro10a
 
Take Command of WordPress With WP-CLI
Take Command of WordPress With WP-CLITake Command of WordPress With WP-CLI
Take Command of WordPress With WP-CLI
Diana Thompson
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
Acquia
 
Open Mic - IBM Sametime Proxy Clustering
Open Mic - IBM Sametime Proxy ClusteringOpen Mic - IBM Sametime Proxy Clustering
Open Mic - IBM Sametime Proxy Clustering
jayeshpar2006
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyond
amiable_indian
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security ppt
Cheap SSL Coupon Code
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
Francis Alexander
 
Wordpress development: A Modern Approach
Wordpress development: A Modern ApproachWordpress development: A Modern Approach
Wordpress development: A Modern Approach
Alessandro Fiore
 
Installation of OpenBiblio on Windows XP using EasyPHP
Installation of OpenBiblio on Windows XP using EasyPHPInstallation of OpenBiblio on Windows XP using EasyPHP
Installation of OpenBiblio on Windows XP using EasyPHP
Rupesh Kumar
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
WP Engine
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
"Mystery Of Bermuda Triangle"
"Mystery Of Bermuda Triangle""Mystery Of Bermuda Triangle"
"Mystery Of Bermuda Triangle"
ali khan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Crud tutorial en
Crud tutorial enCrud tutorial en
Crud tutorial en
forkgrown
 
Making Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichMaking Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph Ruepprich
Enkitec
 
Serving Moodle Presentation
Serving Moodle PresentationServing Moodle Presentation
Serving Moodle Presentation
webhostingguy
 
Create dynamic sites with PHP & MySQL
Create dynamic sites with PHP & MySQLCreate dynamic sites with PHP & MySQL
Create dynamic sites with PHP & MySQL
kangaro10a
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
Acquia
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyond
amiable_indian
 

Was ist angesagt? (20)

Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.
 
Presentation (PPT)
Presentation (PPT)Presentation (PPT)
Presentation (PPT)
 
Crud tutorial en
Crud tutorial enCrud tutorial en
Crud tutorial en
 
Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themes
 
Making Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichMaking Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph Ruepprich
 
Antivirus Bypass Techniques - 2016
Antivirus Bypass Techniques - 2016Antivirus Bypass Techniques - 2016
Antivirus Bypass Techniques - 2016
 
Serving Moodle Presentation
Serving Moodle PresentationServing Moodle Presentation
Serving Moodle Presentation
 
Installation of Drupal on Windows XP with XAMPP
Installation of Drupal on Windows XP with XAMPPInstallation of Drupal on Windows XP with XAMPP
Installation of Drupal on Windows XP with XAMPP
 
Virtualización de Escriorios VMWare View 5
Virtualización de Escriorios VMWare View 5Virtualización de Escriorios VMWare View 5
Virtualización de Escriorios VMWare View 5
 
Create dynamic sites with PHP & MySQL
Create dynamic sites with PHP & MySQLCreate dynamic sites with PHP & MySQL
Create dynamic sites with PHP & MySQL
 
Take Command of WordPress With WP-CLI
Take Command of WordPress With WP-CLITake Command of WordPress With WP-CLI
Take Command of WordPress With WP-CLI
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
 
Open Mic - IBM Sametime Proxy Clustering
Open Mic - IBM Sametime Proxy ClusteringOpen Mic - IBM Sametime Proxy Clustering
Open Mic - IBM Sametime Proxy Clustering
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyond
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security ppt
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Wordpress development: A Modern Approach
Wordpress development: A Modern ApproachWordpress development: A Modern Approach
Wordpress development: A Modern Approach
 
Installation of OpenBiblio on Windows XP using EasyPHP
Installation of OpenBiblio on Windows XP using EasyPHPInstallation of OpenBiblio on Windows XP using EasyPHP
Installation of OpenBiblio on Windows XP using EasyPHP
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
 

Andere mochten auch

Andere mochten auch (9)

WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
"Mystery Of Bermuda Triangle"
"Mystery Of Bermuda Triangle""Mystery Of Bermuda Triangle"
"Mystery Of Bermuda Triangle"
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
WCBham Beginner WordPress Security
WCBham Beginner WordPress SecurityWCBham Beginner WordPress Security
WCBham Beginner WordPress Security
 
Wordpress security best practices - WordCamp Waukesha 2017
Wordpress security best practices - WordCamp Waukesha 2017Wordpress security best practices - WordCamp Waukesha 2017
Wordpress security best practices - WordCamp Waukesha 2017
 
WordPress SEO & Optimisation
WordPress SEO & OptimisationWordPress SEO & Optimisation
WordPress SEO & Optimisation
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
 

Ähnlich wie Complete Wordpress Security By CHETAN SONI - Cyber Security Expert

LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practices
Amit Kejriwal
 

Ähnlich wie Complete Wordpress Security By CHETAN SONI - Cyber Security Expert (20)

WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
WordPress Security 2018
WordPress Security 2018WordPress Security 2018
WordPress Security 2018
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practices
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
WordPress security
WordPress securityWordPress security
WordPress security
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
WordPress basic fundamental of plugin development and creating shortcode
WordPress basic fundamental of plugin development and creating shortcodeWordPress basic fundamental of plugin development and creating shortcode
WordPress basic fundamental of plugin development and creating shortcode
 
Security Function
Security FunctionSecurity Function
Security Function
 
Hardening WordPress - Friends of Search 2014 (WordPress Security)
Hardening WordPress - Friends of Search 2014 (WordPress Security)Hardening WordPress - Friends of Search 2014 (WordPress Security)
Hardening WordPress - Friends of Search 2014 (WordPress Security)
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4
 
Getting started with WordPress development
Getting started with WordPress developmentGetting started with WordPress development
Getting started with WordPress development
 

Kürzlich hochgeladen

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Kürzlich hochgeladen (20)

Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 

Complete Wordpress Security By CHETAN SONI - Cyber Security Expert

  • 1. CHETAN SONI – Security Specialist Wordpress Security 1. Disable custom HTML when possible Added this code in wp-config.php File define( 'DISALLOW_UNFILTERED_HTML', true ); 2. Remove all Default posts and Comments Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them you have a new Wordpress site, and brand new sites are often easier to crack into. Just to this file “wp-includes/general-template.php” function the_generator( $type ) { echo apply_filters('the_generator', get_the_generator($type), $type) . "n"; } After Security function the_generator( $type ) { #echo apply_filters('the_generator', get_the_generator($type), $type) . "n"; } Make sure a hash is applied next to the “echo” command so that it looks like this: 3. Delete wp-admin/install.php and wp-admin/upgrade.php Be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every Wordpress installation or upgrade. 4. Hide indexes Just open .htaccess file and type this code Options –indexes 5. Block Some Crucial directories Secugenius Security Solutions Page 1
  • 2. CHETAN SONI – Security Specialist Your site's wp-includes/ directory is the most important one to block. Find the .htaccess file there and insert RewriteRule ^(wp-includes)/.*$ ./ [NC,R=301,L] If there are subdirectories, then use this code RewriteRule ^(wp-includes|subdirectory-name-here)/.*$ ./ [NC,R=301,L] 6. Secure your Admin page with YUBICO http://www.yubico.com/ = PAID Plugin 7. Limit Login Attempts Limit the number of login attempts possible both through normal login as well as using auth cookies. http://wordpress.org/extend/plugins/limit-login-attempts/ OR http://wordpress.org/extend/plugins/login-lockdown/ Secugenius Security Solutions Page 2
  • 3. CHETAN SONI – Security Specialist 8. Server Side Scanning Online FREE Web-malware continues to evolve making it challenging to detect using only HTTP fingerprinting techniques, such as the ones Site Check is restricted to. http://sitecheck.sucuri.net/scanner/ http://wordpress.org/extend/plugins/better-wp-security/ 9. Create Custom Secret Keys All of the confidential details for your Wordpress site are stored in the wp-config.php in your Wordpress root directory. Change these codes as according you like. For Random Secret Keys, https://api.wordpress.org/secret-key/1.1/salt/ Secugenius Security Solutions Page 3
  • 4. CHETAN SONI – Security Specialist 10. Change the default database Prefix. 11. Protect your wp-config file As wp-config.php file contains all the confidential details of your site. So it‟s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in your .htaccess file on your server. <Files wp-config.php> order allow,deny deny from all </Files> 12. Protect your .htaccess file You just need to place below code in your .htaccess file. <Files .htaccess> order allow,deny deny from all </Files> 13. Hide your Wordpress Version To do this you need to place below code in function.php of your active theme. remove_action('wp_head', 'wp_generator'); You can go one step further and additionally remove it from RSS feeds using this: function wpt_remove_version() { return ''; } add_filter('the_generator', 'wpt_remove_version'); Secugenius Security Solutions Page 4
  • 5. CHETAN SONI – Security Specialist 14. Install Wordpress Security Scan Plugin This is a good plugin which scans your Wordpress installation and give the suggestion accordingly. This plugin will check for below things:  Passwords  File Permissions  Database Security  Wordpress Admin protection http://wordpress.org/extend/plugins/wp-security-scan/ 15. Ask Apache Password Protect You can protect your site with 401 authorization in easy steps. http://wordpress.org/extend/plugins/askapache-password-protect/ 16. Automatically Backup your site http://wordpress.org/extend/plugins/backwpup/ 17. Two Factor Authenticator The Google Authenticator plugin for Wordpress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. http://wordpress.org/extend/plugins/google-authenticator/ 18. Using .htaccess file as a FIREWALL RedirectMatch 403 [ 19. 5G Firewall Beta http://perishablepress.com/5g-firewall-beta/ 20. Allow some IPs Dashboard from your home or office, this method will help a lot. AuthType Basic order deny,allow deny from all # your home IP address allow from xxx.xxx.xxx.xxx # your office IP address allow from yy.yyy.yyy.yyy Secugenius Security Solutions Page 5
  • 6. CHETAN SONI – Security Specialist 21. Protect wp-includes Directory If you go to http://www.your-site.com/wp-includes, you will see an open folder and this is definitely not safe. You need to create a redirect file in order to forward visitors who access that URL to your main home page. If you ask yourself, who in the world would access that URL? Well, hackers would? To redirect visitors away from that URL, simply create a new file named index.html and put this code in it: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <meta http-equiv="REFRESH" content="0;url=http://www.your-site.com/"></HEAD> <BODY></BODY> </HTML> 22. Change your permissions Make sure you change your files permissions to 0744 which means they are read-only to everyone except you. This makes sure that other people are not able to change any of the files on your server. Set file permissions at 644 and 755 for folders. 23. Install Antivirus for Wordpress Use this antivirus http://wpantivirus.com/ 24. Block Access to wp-content Folder To block access to your wp-content folder create a new htaccess file and save this at the root level of your wp-content folder. Order deny,allow Deny from all <Files ~ ".(xml|css|jpe?g|png|gif|js)$"> Allow from all </Files> 25. Hide Login Error Messages There is a login page hook to access to remove any error message from the login page. Copy the following in your functions.php file. add_filter('login_errors',create_function('$a', "return null;")); Secugenius Security Solutions Page 6
  • 7. CHETAN SONI – Security Specialist 26. Disable Theme and plugin Editor If you want to stop the editor links from appearing in the admin area you can add the following to your wp-config.php file so people cannot edit the theme directly in the admin area. define( 'DISALLOW_FILE_EDIT', true); 27. Security from SQL Injection To avoid that, you can try to secure your files using Apache with a code like this in your .htaccess file: <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ - [F,L] RewriteCond %{QUERY_STRING} ../ [NC,OR] RewriteCond %{QUERY_STRING} boot.ini [NC,OR] RewriteCond %{QUERY_STRING} tag= [NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http: [NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR] RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|ê|"|;|?|*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*("|'|<|>||{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ - [F,L] </IfModule> 28. Clean out Old Unneeded Core Files Clean out old unneeded core files with help from this free Wordpress plugin: http://wordpress.org/extend/plugins/old-core-files/ 29. Activate Akismet Plugin To block the comment spam automatically using Akismet Which a Wordpress plugin. Secugenius Security Solutions Page 7
  • 8. CHETAN SONI – Security Specialist 30. Monitoring Your Wordpress http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/ 31. Hide Your Login Page http://wordpress.org/extend/plugins/hide-login/ 32. Content Security Try checking http://copyscape.com/ 33. Check for Exploits http://wordpress.org/extend/plugins/exploit-scanner/ 34. Select Email Address as Your Login Key http://wordpress.org/extend/plugins/wp-email-login/ 35. Change Database Prefix Plugin http://wordpress.org/extend/plugins/db-prefix-change/ 36. Keep a log of Wordpress PHP and Database Errors http://wordpress.org/extend/plugins/error-log-monitor/ 37. Outstanding Security Plugin http://wordpress.org/extend/plugins/login-dongle/ http://wordpress.org/extend/plugins/better-wp-security/ http://wordpress.org/extend/plugins/wordfence/ 38. Website Defender Plugin http://wordpress.org/extend/plugins/websitedefender-wordpress-security/ 39. Maintenance Mode Plugin http://wordpress.org/extend/plugins/maintenance-mode/ 40. Admin Access from your IP Only You can limit who can access your admin folder by IP address, to do this you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder. Secugenius Security Solutions Page 8
  • 9. CHETAN SONI – Security Specialist order deny,allow allow from 202.090.21.1 (replace with your IP address) deny from all 41. Banning Bad Users You can ban this person using .htaccess with this simple snippet: <Limit GET POST> order allow,deny deny from 202.090.21.1 allow from all </Limit> 42. Prevent Access to Wp-content Create a custom .htaccess file in wp-content directory Order deny,allow Deny from all <Files ~ ".(xml|css|jpe?g|png|gif|js)$"> Allow from all </Files> 43. Individual File Protection There are certain files you might want to protect individually rather than blocking a whole folder or selection. The example snippet shows how you would prevent access to the .htaccess file and will throw a 403 if accessed by anyone. The file name can be changed to whatever file you wish to protect: # Protect the .htaccess <files .htaccess=""> order allow,deny deny from all </files> 44. Disable Hotlinking Sometimes another site may directly link images from your site. It saves hard disk space by not having to store the images. But your site ends up serving the requests for them, thus using up your precious bandwidth. This is known as „hotlinking‟. To disable this you can add these lines to the .htaccess #disable hotlinking of images with forbidden or custom image option RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www.)?yourdomain.com/.*$ [NC] Secugenius Security Solutions Page 9
  • 10. CHETAN SONI – Security Specialist #RewriteRule .(gif|jpg)$ – [F] RewriteRule .(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L] 45. Stop Spammers Like hotlinking, spammers are notorious to use up your site‟s resources. There are a number of ways to identify a potential spammer. One of them is to detect requests with „no referrer‟. Spammers use bots to post comments on blogs and they come from „nowhere‟. Add these lines to stop the spammers RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post.php* RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L] 46. Database Optimization http://wordpress.org/extend/plugins/wp-optimize/ FOR MORE INFO - > http://www.hongkiat.com/blog/hardening- wordpress-security/ Secugenius Security Solutions Page 10
  • 11. CHETAN SONI – Security Specialist Wordpress Security Basics Checklist 1. Rename user Admin to something else. 2. Change the ID field on the first user from 1 to something else. 3. Enforce strong password requirements for all system users 4. Don‟t let anybody but admins see available WP updates. 5. Remove the ability for non-admins to modify theme files. 6. Tweak the database so tables aren‟t prefixed with wp_. 7. Don‟t use the MySQL root user to access the database. 8. Limit the MySQL account used to the site database only. 9. Restrict the MySQL account so it can‟t perform destructive actions (i.e. DROP, etc.) 10. Give the MySQL account a very long, randomised password. 11. Don‟t allow the server‟s root user access via SSH. Use an account with SUDO privileges instead. 12. Ensure all the secret key fields in wp-config.php are completed with 16-bit SHA keys. 13. Disallow indexes on all site folders. 14. Hide the admin area. 15. Rename the wp-content directory to something else. 16. Block bad hosts and agents with blacklists. 17. Make any .htaccess files and wp-config.php non-writeable. 18. Make the admin area inaccessible outside of work hours (handle this one with care) 19. Schedule regular database backups. 20. Restrict the length of allowed URLs to 255 characters or less. 21. Require SSL connections on the admin area (if possible; this one has an on-cost attached) 22. If possible, install and run server-side antivirus software such as ClamAV. 23. Consider restricting the server‟s FTP service to only accept connections from certain, whitelisted IP addresses (only applicable if you have at least one static IP). 24. When deploy complete, consider stopping the server‟s FTP service completely. You can always temporarily switch it on again if required. 25. If your web server is allowing proxying (for example, if you‟re load-balancing), ensure it‟s not configured as an open HTTP proxy. 26. Remove any open SMTP proxies on your server. Secugenius Security Solutions Page 11