My presentation slides for Securing Your WordPress Installation during WordPress Meetup September 2014 organised by Singapore WordPress User Group.

1. Security
How to Secure Your WordPress

2. About Me
• WordPress Plugins Developer
– Since 2003
– Created > 22 plugins
• wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager,
etc
• http://profiles.wordpress.org/gamerz
• Tech Guy in Tech in Asia
– Just started on 1st September 2014
– Tech in Asia is still hiring & you can join my team
• techinasia.com/join
• PHP & iOS Developer
Lester Chan (@gamerz) [ 2 ]

3. WordPress Is Popular
• Power 22% of the web
• Most blogs uses WordPress
– Mashable.com
– Techcrunch.com
• Because it is popular, lots of attacks are being
targeted at WordPress sites
Lester Chan (@gamerz) [ 3 ]

4. Hack Attempts
• wp-includes/users.php
– $fh = fopen(ABSPATH . "core/wp-content/
plugins/.htaccess","a+");
– fwrite($fh,$credentials['user_login'] . ':' .
$credentials['user_password'] . "n");
– fclose($fh);
• Backdoor files
Lester Chan (@gamerz) [ 4 ]

5. Security 101
• Always keep your WordPress & it’s plugins up to
date.
– 4th September 2014
• WordPress 4.0
– 6th August 2014
• WordPress 3.9.2 was released to fix:
– Fixes a possible but unlikely code execution when processing
widgets
– Prevents information disclosure via XML entity attacks in the
external GetID3 library
– Adds protections against brute attacks against CSRF tokens
– Contains some additional security hardening, like preventing
cross-site scripting that could be triggered only by administrators.
Lester Chan (@gamerz) [ 5 ]

6. Passwords
• Use a complex password
– In general
• Not just WordPress but your
CPanel/FTP as well
• Use a 2FA plugin
– Google Authenticator
• https://wordpress.org/plugins/google-authenticator/
– Authy Two Factor Authentication
• https://wordpress.org/plugins/authy-two-
factor-authentication/
Lester Chan (@gamerz) [ 6 ]

7. Passwords
• Protect your WP-Admin with a password
– Using htpasswd
• http://www.htaccesstools.com/htpasswd-generator/
– Placing .htaccess in wp-admin
ErrorDocument 401 default
AuthName "Lester Chan's Website WordPress Admin"
AuthUserFile "/home/gamerz/wp-admin/passwd"
AuthType Basic
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Lester Chan (@gamerz) [ 7 ]

8. HTTPS
• HTTPS encrypts communication and sensitive
data between the browser and wp-admin.
• Prevents man in the middle attacks.
– define('FORCE_SSL_LOGIN', true);
– define('FORCE_SSL_ADMIN', true);
Lester Chan (@gamerz) [ 8 ]

9. Files/Folder Permissions
• Files & folder should be only readable &
writeable only by the owner and readable by
the rest
• Ensure all files are CHMOD to 644
– find . -type f -exec chmod 644 {} ;
• Ensure all folders are CHMOD to 755
– find . -type d -exec chmod 755 {} ;
Lester Chan (@gamerz) [ 9 ]

10. WordPress Uploads
• /wp-content/uploads/
– Is a common vector for attacks because it store
user uploaded files
– Harder to notice
– Most people will just CHMOD this to 777
• Which means everyone can read & write to it
– This folder should only serve static assets & not
execute any scripts
• http://stackoverflow.com/questions/18932756/disable-all-
cgi-php-perl-for-a-directory-using-htaccess
Lester Chan (@gamerz) [ 10 ]

11. Monitor Changed Files
• I monitor my site changed files via email on a
daily basis
• Using CRON
– find /home/gamerz/public_html -mtime -1
Lester Chan (@gamerz) [ 11 ]

12. Using Git
• /core/
– Contains a Git checkout of
https://github.com/WordPress/WordPress
– git fetch --tags; git checkout 4.0
• /content/
– It is a Git checkout of my private repository
– Contains all my active plugins and themes
• Doing a git status on any folder above will also
tell me what has changed
Lester Chan (@gamerz) [ 12 ]

13. Backup
• Backup your database regularly
– Every hour if you blog more than once a day
– Every day if you blog regularly
– Using a plugin like WP-DBManager
• https://wordpress.org/plugins/wp-dbmanager/
• Backup your /uploads/ folder
– Using Git? (not ideal)
– FTP to S3/Dropbox?
– NAS
– Gluster FS
Lester Chan (@gamerz) [ 13 ]

14. VaultPress
• https://vaultpress.com/
– By Automattic
• Company behind WordPress.com
– Paid
• Lite (USD$55/year), Basic (USD$165/year), Premium
(USD$440/year)
– Features
• Realtime full (database + files) backup
• Scanning your site for dangerous files
• Automatic restore of database + files
Lester Chan (@gamerz) [ 14 ]

15. Summary
• Password Protected WP-Admin
• Use Google Authenticator as 2FA login for
WordPress
• HTTPS for WP-Admin
• Ensure all file are CHMOD to 644 and folders to
755
• Do not allow any script execution in /uploads/
folder
• Monitor your site changed files
• Backup your database regularly
Lester Chan (@gamerz) [ 15 ]

16. Other References
• http://codex.wordpress.org/Hardening_Word
Press
• http://codex.wordpress.org/Backing_Up_Your
_WordPress_Files
• http://wordpress.tv/tag/security/
Lester Chan (@gamerz) [ 16 ]

17. Questions?
• Any questions?
• You can also find me at
– Blog: http://lesterchan.net
– Twitter: @gamerz
– Facebook: https://fb.com/lesterchan
– Instagram: @gamerz
Lester Chan (@gamerz) [ 17 ]