You always think it will never happen to you, but when it does, it's all hands on deck. My personal site was almost hacked, and since then I have actively looked at what I could improve. During this talk I will describe what I had before and show all the improvements I have made since then. It will be a mix of using existing tools and my own creations for managing my sites.
5. Hardening WordPress
• Difficult password
• VPN access to home is required to log in as super admin
• Files can’t be changed by PHP
• define('DISALLOW_FILE_MODS', true);
• Renamed wp-content folder
6. Other positive effects
• A lot of functionality is custom written
• PHP-FPM with OPcache requires a restart for changes to take effect
• WordPress Network install
25. Start fixing things
• Update all plugins
• Check the upload directory for more PHP files and delete them all
• Don't allow PHP to ever be executed inside uploads
• See if everything is still untouched
27. Checksum checker
• Checks the hash of your files against the hashes of the original
• Not for WordPress core but for your plugins and themes
• wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3
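The checks from slides 25 and 27, as an added example that is not the talk's own tool: a plugin directory is compared file by file against a manifest of original hashes, and the uploads directory is scanned for PHP files that should not be there. The manifest here is a constructed stand-in for what a checksum service such as wpcentral.io would return, and the plugin tree is built in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_plugin(plugin_dir, manifest):
    """Compare every file under plugin_dir with manifest (relative path -> sha256).
    Returns sorted modified, missing and unexpected paths; 'unexpected' means
    a file the original plugin never shipped, which is what a drop-in looks like."""
    plugin_dir = Path(plugin_dir)
    found = {p.relative_to(plugin_dir).as_posix(): p
             for p in plugin_dir.rglob("*") if p.is_file()}
    modified = sorted(r for r, digest in manifest.items()
                      if r in found and sha256_of(found[r]) != digest)
    missing = sorted(r for r in manifest if r not in found)
    unexpected = sorted(r for r in found if r not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def php_files_in_uploads(uploads_dir):
    """PHP-like files under wp-content/uploads; a clean site returns []."""
    uploads_dir = Path(uploads_dir)
    return sorted(p.relative_to(uploads_dir).as_posix() for p in uploads_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_EXTENSIONS)

def demo():
    """Constructed tree: one plugin file tampered, one added, one PHP file in uploads."""
    tmp = Path(tempfile.mkdtemp())
    plugin, uploads = tmp / "tabify-edit-screen", tmp / "uploads"
    (plugin / "inc").mkdir(parents=True)
    (uploads / "2015" / "01").mkdir(parents=True)
    shipped = {"plugin.php": b"<?php // shipped code\n", "readme.txt": b"Readme\n"}
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in shipped.items()}  # stands in for the API
    for name, data in shipped.items():
        (plugin / name).write_bytes(data)
    (plugin / "plugin.php").write_bytes(b"<?php // shipped code\n// added line\n")  # tampered
    (plugin / "inc" / "helper.php").write_bytes(b"<?php // never shipped\n")  # unexpected
    (uploads / "2015" / "01" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "2015" / "01" / "image.php").write_bytes(b"<?php // must not be here\n")
    return verify_plugin(plugin, manifest), php_files_in_uploads(uploads)
```

Run the two functions against your real wp-content/plugins/<plugin> and wp-content/uploads paths with a manifest fetched for the exact plugin version you have installed; any entry in `unexpected` or in the uploads list deserves a look before anything else.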
29. Application firewall
• Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection
• Sucuri or CloudFlare as a service
• NinjaFirewall as a plugin
• Currently I’m using modSecurity
• Now looking at the rule sets of owasp.org
40. Things I learned
• Don't expect plugin developers to announce publicly that they have or had security issues
• Read the log files more often
• Work proactively on securing my site
• Check out the latest and greatest tools for securing and checking your sites
42. Some questions for you
• What does your host do to protect you?
• What do you do yourself?
• How well is your wp-login.php protected?
• Did you harden your site?
• How secure are your backups?
• Do you know what people are trying to do to your site?
43. Marko Heijnen
• Founder of CodeKitchen
• Lead developer of GlotPress
• Core contributor for WordPress
• Organizer for WordCamp Belgrade