SlideShare ist ein Scribd-Unternehmen logo

WordPress Security Fundamentals - WordCamp Biratnagar 2018

Als PPTX, PDF herunterladen
Abul Khayer
Abul Khayer

This talk is all about the common security threads WordPress websites face. The audience will learn the type of attacks that WordPress websites get, how users will measure the security and how they will protect WordPress websites from the common security threads. The session easy suitable for any WordPress user, developer or enthusiast. It’s a 25 minutes session in the English language.

Technologie
1 von 49
WordPress Security Fundamentals
ABUL KHAYER CTO, Search English Limited Proprietor, Biggestech Deputy, WordPress Community Team Organizer, Dhaka WordPress Meetup About Me
Type of Attacks that are Threat to WordPress Sites
SQL Injection Attack Attack Types [1] Image Source: acunetix.com
Cross Site Scripting (XSS) Attack Types [2] Image Source: acunetix.com
Attack Types [3] Brute Force Attack Image Source: security.stackexchange.com
Attack Types [4] Session Hijacking Attack Image Source: geeksforgeeks.org
Cross Site Request Forgery (CSRF) Attack Attack Types [5] And more… Image Source: securityevaluators.com
Topics of Discussion
• General Measures of Security • Security Measures using Plugin while Developing a Website • Advance Security Measures while Developing Website with less dependency on Plugin • Advanced Security Measures while Developing Plugin/Theme Topics of Discussion!
General Measures of Security
General Measures of Security [1] • Quality Web Hosting – Always up to date – Backup provision – Web Application Firewall (WAF) provision – Get Virus Scanner, like ClamAV • SSL Certificate – Security through Data Encryption • Use CDN – A Layer in Internet Ecosystem
General Measures of Security [2] • Keep your Website up to Date – Get latest security updates – Stay safe from latest threats • Use Safe Theme/Plugin – Avoid Nulled or Cracked derivatives – Avoid Low Rated or Untested things – Remove unused Theme/Plugins
General Measures of Security [3] • Use Captcha in Login Forms – Stay away from Brute-Force Attack – Stay safe from Bot Attempts • Use Spam Protection Mechanism – Use Akismet, the best one – Use Antispam Bee
General Measures of Security [4] • Use Safer Password – Make it using Alphabet, Letter, Symbol – Make it Long – Never save it on a Open File or Browser • Hide the Admin Name – Don’t use default username “admin” – Rename the Nick and Profile Name of System Admin
General Measures of Security [5] • Change your Secret Keys in “wp-config.php” Generate: https://api.wordpress.org/secret-key/1.1/salt/ define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' ); define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' ); define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' ); define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' ); define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' ); define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' ); define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' ); define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );
Security Measures using Plugin while Developing a Website
Security Measures using Plugin [1] • Creates Firewall • Real-time Monitoring • Stronger Login Practice • Repair Files by Overwriting • Scans Suspicious Contents • Block various type of Threats Attempts • Sends Alert on Vulnerability over Email • Scan Core, Plugins, Themes, and other Files • Finds Injections, Redirection Codes etc
Security Measures using Plugin [2] • Limits Login Attempts • Customize Login Page URL • Prevent Brute Force Attacks • Restrict Access from IP • Log Users Attempts • Block User on Prohibited Username Attempt • Adds reCaptcha • Disable Right Click • Removes Version Info from CSS/JS • Removes WP Generated Meta from HTML • Backup of Security Settings • Scheduled Database Backup All In One WP Security & Firewall
Security Measures using Plugin [3] • Track Post/Page/Tag/Comments Activities • Track Widget/Menu Change • Track Core and System Settings Change • Track User/Profile Changes • Track Forum, Ecommerce Shop Changes
Security Measures using Plugin [4] • Change Theme Style File-name • Change Plugins URL • Change Individual Plugin URLs • Custom Upload URL • Remove WordPress Version
Security Measures using Plugin [5] • SQL Injection Attack Prevention • XSS and CSRF Attack Prevention • Brute Force Attack Prevention • Blocks Direct Access to PHP Files • Disable Directory Listing • Minify CSS
Security Measures using Plugin [6] • Backup Database, Settings, Theme, Plugin, Images etc. • Download Backup as Zip or Tar • Run Schedule Backup as Daily / Weekly / Monthly • Store Backup on Remote FTP Server • Store Backup on Dropbox/Google Drive • Send Backup to Email Address
Security Measures using Plugin [7] • On-Change File Comparison to check Vulnerability • Can Expire Password to Reset new Password • Generates Strong Password with Salt • Two Factor Authentication • Malware Scanner • Login Captcha
Advance Security Measures while Developing Website with less dependency on Plugin
Advanced Security Measures without Plugin [1] Add an Extra Layer of Protection on Login Page: <Files wp-login.php> AuthUserFile ~/.htpasswd AuthName "Private Access" AuthType Basic require user MySecretUsername </Files> MySecretUsername:$apr1$KW5IP d9r$/C4HkGhAX7WqaOrJ1k9my1 .htaccess .htpasswd Hash Pass Generator: http://www.htaccesstools.com/htpasswd-generator/
Restrict visiting Admin Panel by IP: # Block Access to WP-Admin order deny, allow allow from 172.0.0.1 deny from all .htaccess Advanced Security Measures without Plugin [2]
Disable Directory Listing: Options All -Indexes .htaccess Advanced Security Measures without Plugin [3]
Show Error Page while User is trying Unknown URLs/Pages: # Way One ErrorDocument 404 "<H1>Page not found</H1>" # Way Two ErrorDocument 404 /not-found/ .htaccess Advanced Security Measures without Plugin [4]
Restrict visiting WordPress Configuration File: # PROTECT CONFIG FILE <files wp-config.php> Order deny, allow Deny from all </files> .htaccess Advanced Security Measures without Plugin [5]
Restrict Execution of PHP Code in “Uploads” Directory: # Kill PHP EXECUTION <Files ~ ".ph(?:p[345]?|t|tml)$"> deny from all </Files> .htaccess Advanced Security Measures without Plugin [5]
Implement Security using “mod_rewrite”, the Module Enable HTTP Strict Transport Security Enable (XSS) Filter Hide Server Application Information Restrict Visiting Open Directories Block Access to Hidden Files And, many more… Source: http://htaccess.DB-Dzine.com/en-us Advanced Security Measures without Plugin [6]
Disable File Editing in the WordPress Dashboard/Panel Force Admin to use https:// (SSL Certificate enabled Path) # Disable Editing in Dashboard define('DISALLOW_FILE_EDIT', true); wp-config.php Advanced Security Measures without Plugin [7] # Force Admin to use SSL define('FORCE_SSL_ADMIN', true); wp-config.php
If Host has the Provision, then allow FTPS If Host has the Provision, then allow SFTP # Enable FTPS define('FTP_SSL', true); wp-config.php Advanced Security Measures without Plugin [7] # Enable SFTP define('FS_METHOD', 'ssh2'); wp-config.php
Disable Creating Error Log Disable Showing Error Log # Disable Debug Mode define('WP_DEBUG', false); wp-config.php Advanced Security Measures without Plugin [8] # Disable Front-end Error Logging define('WP_DEBUG_DISPLAY', false); wp-config.php
Enable Auto WordPress Version Update Get Security Updates and more… Stay safe… # Enable Auto WordPress Update define('WP_AUTO_UPDATE_CORE', true); wp-config.php Advanced Security Measures without Plugin [8]
Advanced Security Measures while Developing Plugin/Theme
Follow the Important Rules Don’t Trust any Data Rely on the WordPress API Keep your codes Up to Date Security while Developing Plugins/Themes [1]
Validate your Data using PHP Functions Security while Developing Plugins/Themes [2] Functions Description isset() , empty() Value has or not mb_strlen() , strlen() Identify whether String length is valid or not preg_match() , strpos() Find certain characters inside String in_array() Find whether your element exists in the Array or not strip_tags() Removes HTML Tags from your String filter_var() Identify Email, URL, Variable Type etc. md5() , sha1() Secure your Password
Validate your Data using WordPress Functions Security while Developing Plugins/Themes [2] Functions Description is_user_logged_in() Whether current user is Logged-in or Not username_exists() , email_exists() Whether Username or Email exists or not term_exists() Whether a Tag, Category or Term exists or not validate_file() Whether a File Path valid or not is_admin_bar_showing() Whether Admin Bar is visible or not
Secure your Input Data (Sanitize) using WordPress Functions Security while Developing Plugins/Themes [3] Functions Description sanitize_email() Filters Email Address sanitize_file_name() Filters File Name sanitize_key() Filters the Internal Keys sanitize_user() Filters the Username sanitize_text_field() Filters the Input Fields sanitize_title() Filters the Title sanitize_sql_orderby() Filters Order By Clauses of SQL Queries Sample Code: sanitize_####( $email );
Secure your Output Data (Escape) using WordPress Functions Security while Developing Plugins/Themes [4] Functions Description esc_html() Prints safe HTML code, Removes Tags esc_url() Prints safe URL, Removes unsafe Characters esc_js() Helps executing PHP codes inside JavaScript, escaping Single Quotes, HTML Special Characters and fixing Line Endings esc_sql() Helps to filter the Strings within SQL Queries esc_attr() Helps to filter the Attributes inside HTML tags for keeping XSS Safe Sample Code: <h2><?php echo esc_####( $url ); ?></h2>
Use “Nonces” to Prevent CSRF Attacks Security while Developing Plugins/Themes [4] Helps to add a Token while moving from an URL to another
Avoid writing Traditional Query Security while Developing Plugins/Themes [5] Unsafe
Avoid writing Traditional Query You can hide Database Errors for Safety Security while Developing Plugins/Themes [5] Safe
Avoid using Deprecated Codes Test your WordPress Website Online Security while Developing Plugins/Themes [6] https://developer.wordpress.org/reference/ https://wpscans.com/
• General Measures of Security • Security Measures using Plugin while Developing a Website • Advance Security Measures while Developing Website with less dependency on Plugin • Advanced Security Measures while Developing Plugin/Theme Recap
Any Question?
www.abulkhayer.com www.facebook.com/MyselfKhayer +8801683551692 info@abulkhayer.com ThankYou

Empfohlen

Capture, record, clip, embed and play, search: video from newbie to ninja
Capture, record, clip, embed and play, search: video from newbie to ninjaCapture, record, clip, embed and play, search: video from newbie to ninja
Capture, record, clip, embed and play, search: video from newbie to ninjaVito Flavio Lorusso
 
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityMuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityakashdprajapati
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
Apache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessApache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessWildan Maulana
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0py_sunil
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 

Empfohlen

Capture, record, clip, embed and play, search: video from newbie to ninja
Capture, record, clip, embed and play, search: video from newbie to ninjaCapture, record, clip, embed and play, search: video from newbie to ninja
Capture, record, clip, embed and play, search: video from newbie to ninjaVito Flavio Lorusso
 
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityMuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityakashdprajapati
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
Apache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessApache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessWildan Maulana
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0py_sunil
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Exploring, understanding and monitoring macOS activity with osquery
Exploring, understanding and monitoring macOS activity with osqueryExploring, understanding and monitoring macOS activity with osquery
Exploring, understanding and monitoring macOS activity with osqueryZachary Wasserman
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksLucidworks
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone DeploymentPriti Desai
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Spring4 security
Spring4 securitySpring4 security
Spring4 securitySang Shin
 
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryBreach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryUptycs
 
Secure your site
Secure your siteSecure your site
Secure your siteMatthew Farina
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
Distributed cache service
Distributed cache serviceDistributed cache service
Distributed cache serviceprajeeshprathap
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpressn|u - The Open Security Community
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Globus toolkit4installationguide
Globus toolkit4installationguideGlobus toolkit4installationguide
Globus toolkit4installationguideAdarsh Patil
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardeningn|u - The Open Security Community
 
Java secure development part 3
Java secure development part 3Java secure development part 3
Java secure development part 3Rafel Ivgi
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowSpiffy
 
WordPress Security by Nirjhor Anjum
WordPress Security by Nirjhor AnjumWordPress Security by Nirjhor Anjum
WordPress Security by Nirjhor AnjumAbul Khayer
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
 

Weitere ähnliche Inhalte

Was ist angesagt?

Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Exploring, understanding and monitoring macOS activity with osquery
Exploring, understanding and monitoring macOS activity with osqueryExploring, understanding and monitoring macOS activity with osquery
Exploring, understanding and monitoring macOS activity with osqueryZachary Wasserman
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksLucidworks
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone DeploymentPriti Desai
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Spring4 security
Spring4 securitySpring4 security
Spring4 securitySang Shin
 
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryBreach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryUptycs
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
Distributed cache service
Distributed cache serviceDistributed cache service
Distributed cache serviceprajeeshprathap
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Globus toolkit4installationguide
Globus toolkit4installationguideGlobus toolkit4installationguide
Globus toolkit4installationguideAdarsh Patil
 
Java secure development part 3
Java secure development part 3Java secure development part 3
Java secure development part 3Rafel Ivgi
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowSpiffy
 

Was ist angesagt? (20)

Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security Intro
 
Exploring, understanding and monitoring macOS activity with osquery
Exploring, understanding and monitoring macOS activity with osqueryExploring, understanding and monitoring macOS activity with osquery
Exploring, understanding and monitoring macOS activity with osquery
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone Deployment
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryBreach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
 
Secure your site
Secure your siteSecure your site
Secure your site
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 
Distributed cache service
Distributed cache serviceDistributed cache service
Distributed cache service
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal Site
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languages
 
Globus toolkit4installationguide
Globus toolkit4installationguideGlobus toolkit4installationguide
Globus toolkit4installationguide
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardening
 
Java secure development part 3
Java secure development part 3Java secure development part 3
Java secure development part 3
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should Know
 

Ähnlich wie WordPress Security Fundamentals - WordCamp Biratnagar 2018

WordPress Security by Nirjhor Anjum
WordPress Security by Nirjhor AnjumWordPress Security by Nirjhor Anjum
WordPress Security by Nirjhor AnjumAbul Khayer
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress InstallationLester Chan
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemAzharul Haque Shohan
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itTim Plummer
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Php My Sql Security 2007
Php My Sql Security 2007Php My Sql Security 2007
Php My Sql Security 2007Aung Khant
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptLokeshK66
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010Brad Williams
 
WordPress Security - Kulpreet Singh
WordPress Security - Kulpreet SinghWordPress Security - Kulpreet Singh
WordPress Security - Kulpreet Singhguest4fe370
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 

Ähnlich wie WordPress Security Fundamentals - WordCamp Biratnagar 2018 (20)

WordPress Security by Nirjhor Anjum
WordPress Security by Nirjhor AnjumWordPress Security by Nirjhor Anjum
WordPress Security by Nirjhor Anjum
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
 
WordPress Security 2018
WordPress Security 2018WordPress Security 2018
WordPress Security 2018
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress Installation
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login System
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking it
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Php My Sql Security 2007
Php My Sql Security 2007Php My Sql Security 2007
Php My Sql Security 2007
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
 
WordPress Security - Kulpreet Singh
WordPress Security - Kulpreet SinghWordPress Security - Kulpreet Singh
WordPress Security - Kulpreet Singh
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4
 

Mehr von Abul Khayer

Speed Up WordPress
Speed Up WordPressSpeed Up WordPress
Speed Up WordPressAbul Khayer
 
WordPress Theme Development by Sharif Mohammad Eunus
WordPress Theme Development by Sharif Mohammad EunusWordPress Theme Development by Sharif Mohammad Eunus
WordPress Theme Development by Sharif Mohammad EunusAbul Khayer
 
Hosting for WordPress by Saleh Ahmed
Hosting for WordPress by Saleh AhmedHosting for WordPress by Saleh Ahmed
Hosting for WordPress by Saleh AhmedAbul Khayer
 
Blogging and WordPress by Razib Ahmed and Anu Sarkar
Blogging and WordPress by Razib Ahmed and Anu SarkarBlogging and WordPress by Razib Ahmed and Anu Sarkar
Blogging and WordPress by Razib Ahmed and Anu SarkarAbul Khayer
 
Popular e-Commerce CMS
Popular e-Commerce CMSPopular e-Commerce CMS
Popular e-Commerce CMSAbul Khayer
 
e-Commerce Web Development & Management
e-Commerce Web Development & Managemente-Commerce Web Development & Management
e-Commerce Web Development & ManagementAbul Khayer
 

Mehr von Abul Khayer (6)

Speed Up WordPress
Speed Up WordPressSpeed Up WordPress
Speed Up WordPress
 
WordPress Theme Development by Sharif Mohammad Eunus
WordPress Theme Development by Sharif Mohammad EunusWordPress Theme Development by Sharif Mohammad Eunus
WordPress Theme Development by Sharif Mohammad Eunus
 
Hosting for WordPress by Saleh Ahmed
Hosting for WordPress by Saleh AhmedHosting for WordPress by Saleh Ahmed
Hosting for WordPress by Saleh Ahmed
 
Blogging and WordPress by Razib Ahmed and Anu Sarkar
Blogging and WordPress by Razib Ahmed and Anu SarkarBlogging and WordPress by Razib Ahmed and Anu Sarkar
Blogging and WordPress by Razib Ahmed and Anu Sarkar
 
Popular e-Commerce CMS
Popular e-Commerce CMSPopular e-Commerce CMS
Popular e-Commerce CMS
 
e-Commerce Web Development & Management
e-Commerce Web Development & Managemente-Commerce Web Development & Management
e-Commerce Web Development & Management
 

Kürzlich hochgeladen

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

WordPress Security Fundamentals - WordCamp Biratnagar 2018

  • 2. ABUL KHAYER CTO, Search English Limited Proprietor, Biggestech Deputy, WordPress Community Team Organizer, Dhaka WordPress Meetup About Me
  • 3. Type of Attacks that are Threat to WordPress Sites
  • 4. SQL Injection Attack Attack Types [1] Image Source: acunetix.com
  • 5. Cross Site Scripting (XSS) Attack Types [2] Image Source: acunetix.com
  • 6. Attack Types [3] Brute Force Attack Image Source: security.stackexchange.com
  • 7. Attack Types [4] Session Hijacking Attack Image Source: geeksforgeeks.org
  • 8. Cross Site Request Forgery (CSRF) Attack Attack Types [5] And more… Image Source: securityevaluators.com
  • 10. • General Measures of Security • Security Measures using Plugin while Developing a Website • Advance Security Measures while Developing Website with less dependency on Plugin • Advanced Security Measures while Developing Plugin/Theme Topics of Discussion!
  • 12. General Measures of Security [1] • Quality Web Hosting – Always up to date – Backup provision – Web Application Firewall (WAF) provision – Get Virus Scanner, like ClamAV • SSL Certificate – Security through Data Encryption • Use CDN – A Layer in Internet Ecosystem
  • 13. General Measures of Security [2] • Keep your Website up to Date – Get latest security updates – Stay safe from latest threats • Use Safe Theme/Plugin – Avoid Nulled or Cracked derivatives – Avoid Low Rated or Untested things – Remove unused Theme/Plugins
  • 14. General Measures of Security [3] • Use Captcha in Login Forms – Stay away from Brute-Force Attack – Stay safe from Bot Attempts • Use Spam Protection Mechanism – Use Akismet, the best one – Use Antispam Bee
  • 15. General Measures of Security [4] • Use Safer Password – Make it using Alphabet, Letter, Symbol – Make it Long – Never save it on a Open File or Browser • Hide the Admin Name – Don’t use default username “admin” – Rename the Nick and Profile Name of System Admin
  • 16. General Measures of Security [5] • Change your Secret Keys in “wp-config.php” Generate: https://api.wordpress.org/secret-key/1.1/salt/ define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' ); define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' ); define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' ); define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' ); define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' ); define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' ); define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' ); define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );
  • 17. Security Measures using Plugin while Developing a Website
  • 18. Security Measures using Plugin [1] • Creates Firewall • Real-time Monitoring • Stronger Login Practice • Repair Files by Overwriting • Scans Suspicious Contents • Block various type of Threats Attempts • Sends Alert on Vulnerability over Email • Scan Core, Plugins, Themes, and other Files • Finds Injections, Redirection Codes etc
  • 19. Security Measures using Plugin [2] • Limits Login Attempts • Customize Login Page URL • Prevent Brute Force Attacks • Restrict Access from IP • Log Users Attempts • Block User on Prohibited Username Attempt • Adds reCaptcha • Disable Right Click • Removes Version Info from CSS/JS • Removes WP Generated Meta from HTML • Backup of Security Settings • Scheduled Database Backup All In One WP Security & Firewall
  • 20. Security Measures using Plugin [3] • Track Post/Page/Tag/Comments Activities • Track Widget/Menu Change • Track Core and System Settings Change • Track User/Profile Changes • Track Forum, Ecommerce Shop Changes
  • 21. Security Measures using Plugin [4] • Change Theme Style File-name • Change Plugins URL • Change Individual Plugin URLs • Custom Upload URL • Remove WordPress Version
  • 22. Security Measures using Plugin [5] • SQL Injection Attack Prevention • XSS and CSRF Attack Prevention • Brute Force Attack Prevention • Blocks Direct Access to PHP Files • Disable Directory Listing • Minify CSS
  • 23. Security Measures using Plugin [6] • Backup Database, Settings, Theme, Plugin, Images etc. • Download Backup as Zip or Tar • Run Schedule Backup as Daily / Weekly / Monthly • Store Backup on Remote FTP Server • Store Backup on Dropbox/Google Drive • Send Backup to Email Address
  • 24. Security Measures using Plugin [7] • On-Change File Comparison to check Vulnerability • Can Expire Password to Reset new Password • Generates Strong Password with Salt • Two Factor Authentication • Malware Scanner • Login Captcha
  • 25. Advance Security Measures while Developing Website with less dependency on Plugin
  • 26. Advanced Security Measures without Plugin [1] Add an Extra Layer of Protection on Login Page: <Files wp-login.php> AuthUserFile ~/.htpasswd AuthName "Private Access" AuthType Basic require user MySecretUsername </Files> MySecretUsername:$apr1$KW5IP d9r$/C4HkGhAX7WqaOrJ1k9my1 .htaccess .htpasswd Hash Pass Generator: http://www.htaccesstools.com/htpasswd-generator/
  • 27. Restrict visiting Admin Panel by IP: # Block Access to WP-Admin order deny, allow allow from 172.0.0.1 deny from all .htaccess Advanced Security Measures without Plugin [2]
  • 28. Disable Directory Listing: Options All -Indexes .htaccess Advanced Security Measures without Plugin [3]
  • 29. Show Error Page while User is trying Unknown URLs/Pages: # Way One ErrorDocument 404 "<H1>Page not found</H1>" # Way Two ErrorDocument 404 /not-found/ .htaccess Advanced Security Measures without Plugin [4]
  • 30. Restrict visiting WordPress Configuration File: # PROTECT CONFIG FILE <files wp-config.php> Order deny, allow Deny from all </files> .htaccess Advanced Security Measures without Plugin [5]
  • 31. Restrict Execution of PHP Code in “Uploads” Directory: # Kill PHP EXECUTION <Files ~ ".ph(?:p[345]?|t|tml)$"> deny from all </Files> .htaccess Advanced Security Measures without Plugin [5]
  • 32. Implement Security using “mod_rewrite”, the Module Enable HTTP Strict Transport Security Enable (XSS) Filter Hide Server Application Information Restrict Visiting Open Directories Block Access to Hidden Files And, many more… Source: http://htaccess.DB-Dzine.com/en-us Advanced Security Measures without Plugin [6]
  • 33. Disable File Editing in the WordPress Dashboard/Panel Force Admin to use https:// (SSL Certificate enabled Path) # Disable Editing in Dashboard define('DISALLOW_FILE_EDIT', true); wp-config.php Advanced Security Measures without Plugin [7] # Force Admin to use SSL define('FORCE_SSL_ADMIN', true); wp-config.php
  • 34. If Host has the Provision, then allow FTPS If Host has the Provision, then allow SFTP # Enable FTPS define('FTP_SSL', true); wp-config.php Advanced Security Measures without Plugin [7] # Enable SFTP define('FS_METHOD', 'ssh2'); wp-config.php
  • 35. Disable Creating Error Log Disable Showing Error Log # Disable Debug Mode define('WP_DEBUG', false); wp-config.php Advanced Security Measures without Plugin [8] # Disable Front-end Error Logging define('WP_DEBUG_DISPLAY', false); wp-config.php
  • 36. Enable Auto WordPress Version Update Get Security Updates and more… Stay safe… # Enable Auto WordPress Update define('WP_AUTO_UPDATE_CORE', true); wp-config.php Advanced Security Measures without Plugin [8]
  • 37. Advanced Security Measures while Developing Plugin/Theme
  • 38. Follow the Important Rules Don’t Trust any Data Rely on the WordPress API Keep your codes Up to Date Security while Developing Plugins/Themes [1]
  • 39. Validate your Data using PHP Functions Security while Developing Plugins/Themes [2] Functions Description isset() , empty() Value has or not mb_strlen() , strlen() Identify whether String length is valid or not preg_match() , strpos() Find certain characters inside String in_array() Find whether your element exists in the Array or not strip_tags() Removes HTML Tags from your String filter_var() Identify Email, URL, Variable Type etc. md5() , sha1() Secure your Password
  • 40. Validate your Data using WordPress Functions Security while Developing Plugins/Themes [2] Functions Description is_user_logged_in() Whether current user is Logged-in or Not username_exists() , email_exists() Whether Username or Email exists or not term_exists() Whether a Tag, Category or Term exists or not validate_file() Whether a File Path valid or not is_admin_bar_showing() Whether Admin Bar is visible or not
  • 41. Secure your Input Data (Sanitize) using WordPress Functions Security while Developing Plugins/Themes [3] Functions Description sanitize_email() Filters Email Address sanitize_file_name() Filters File Name sanitize_key() Filters the Internal Keys sanitize_user() Filters the Username sanitize_text_field() Filters the Input Fields sanitize_title() Filters the Title sanitize_sql_orderby() Filters Order By Clauses of SQL Queries Sample Code: sanitize_####( $email );
  • 42. Secure your Output Data (Escape) using WordPress Functions Security while Developing Plugins/Themes [4] Functions Description esc_html() Prints safe HTML code, Removes Tags esc_url() Prints safe URL, Removes unsafe Characters esc_js() Helps executing PHP codes inside JavaScript, escaping Single Quotes, HTML Special Characters and fixing Line Endings esc_sql() Helps to filter the Strings within SQL Queries esc_attr() Helps to filter the Attributes inside HTML tags for keeping XSS Safe Sample Code: <h2><?php echo esc_####( $url ); ?></h2>
  • 43. Use “Nonces” to Prevent CSRF Attacks Security while Developing Plugins/Themes [4] Helps to add a Token while moving from an URL to another
  • 44. Avoid writing Traditional Query Security while Developing Plugins/Themes [5] Unsafe
  • 45. Avoid writing Traditional Query You can hide Database Errors for Safety Security while Developing Plugins/Themes [5] Safe
  • 46. Avoid using Deprecated Codes Test your WordPress Website Online Security while Developing Plugins/Themes [6] https://developer.wordpress.org/reference/ https://wpscans.com/
  • 47. • General Measures of Security • Security Measures using Plugin while Developing a Website • Advance Security Measures while Developing Website with less dependency on Plugin • Advanced Security Measures while Developing Plugin/Theme Recap