HARDENING A
WORDPRESS SITE
Jeff McNear
Plasterdog Web Design

847/849-7060
jeff@plasterdog.com
FOR MORE WORDPRESS INFO:
http://jeffmcnear.com
WHILE A HACKING INCIDENT DOES SEEM APOCALYPTIC, IT IS SURVIVABLE, AND EVEN AVOIDABLE IF:
You anticipate the destruction with backups
You have some sort of early alert system
You make your site more difficult to compromise than a default install provides for
RESOURCES:
CODEX: http://codex.wordpress.org/Hardening_WordPress
CODE POET: “LOCKING DOWN WORDPRESS”
http://build.codepoet.com/2012/07/10/locking-down-wordpress/
- Rachel Baker | Brad Williams | John Ford
DIGGING INTO WORDPRESS: http://digwp.com/book/
- Chris Coyier & Jeff Starr

THE TAO OF WORDPRESS: http://wp-tao.com/
- Jeff Starr
.htaccess made easy: http://htaccessbook.com/
- Jeff Starr
TYPICAL PATHS OF INFECTION:
The overwhelmingly vast majority of all attacks are automated
Entry via login to the site or database
Entry via vulnerable files or folders

TYPICAL POINTS OF ENTRY:
Insecure server configuration
Poor password security practices
Outdated code (WordPress core, plugins & themes, PHP version)
TYPICAL TYPES OF INFECTION:
Roughly 85% of website attacks are cross-site scripting (aka XSS)*
The purpose is to inject links into the site itself
These may be simply spam links intended to fool search engines
They can also be malicious code used to plant code on the visitor's machine
The intent is to steal information like passwords
The more malicious infections are designed to breed and spread from machine to machine

* Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source.
WHAT ARE THE RISKS OF INFECTION?
Unwelcome links inserted into your header or footer (very common: the WordPress "pharma hack", which is only visible in search results!)
Your site can become a source of infection for those who visit it
Visitors will be automatically redirected to another website
Search engines will detect the insertions, first publish warnings, and eventually de-list the site
Individual ISPs will also detect the insertions and deny access to the site
FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO
Many hardening techniques do not require any special tools, knowledge or expertise, just some common sense.

KEEP A CLEAN MACHINE
Eventually we are all going to visit an infected website; have a regular scanning & anti-virus routine
Remember that you too are vulnerable to inserted code that will monitor & record your keystrokes
TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
Ideally we should all be using SFTP rather than regular old FTP
Some would even say that having an SSL certificate for any website is a good idea
At the very least, use a secure connection when uploading files
KEEP YOUR CODE CURRENT
A significant portion of core update work has to do with security issues
The WordPress project has made it dead easy to keep your code current
There is no excuse!

ALSO: Inactive themes and plugins can be vulnerable to infection; if you aren't using them, there is no reason to keep them!
AVOID ALLOWING ACCESS WHEN NOT NECESSARY
Shut down open registration
If you're not using comments and pingbacks, deactivate them
Eliminate inactive users
Be selective about permission levels
Do not allow shared logins
Never use "admin" as a login name; most "brute-force" attacks on WordPress will focus on the "admin" login name
If you display author information, DO NOT show the login name!
Use complex and secure passwords!
PREPARE FOR THE WORST:
Backup:
Database
The active theme
.htaccess file
wp-config.php
robots.txt
index.php
Record the list of active plugins
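The backup list above doubles as an early-alert system once you keep a hash of every file you backed up. The following Python script is an added example, not code from the deck or from any plugin it names: snapshot() archives .htaccess, wp-config.php, robots.txt, index.php and the active theme into a timestamped tar.gz and writes a SHA-256 manifest next to it; diff_manifests() compares that baseline with a fresh scan so added, changed or deleted files stand out; db_settings() and mysqldump_argv() cover the database by reading the credentials out of wp-config.php (the password is assumed to live in ~/.my.cnf). The sample site that make_demo_site() builds, the theme name "twentytwelve" and the tampering it simulates are constructed for the demonstration.

```python
"""Back up the files the slide lists and keep a baseline for change detection (added example)."""
import hashlib
import json
import os
import re
import tarfile
import tempfile
import time

CRITICAL_FILES = [".htaccess", "wp-config.php", "robots.txt", "index.php"]
THEME_DIR = "wp-content/themes"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def current_manifest(root, active_theme):
    """Relative path -> SHA-256 for the critical files and every file of the active theme."""
    manifest = {}
    for rel in CRITICAL_FILES + [f"{THEME_DIR}/{active_theme}"]:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            manifest[rel] = sha256_of(full)
        elif os.path.isdir(full):
            for dirpath, _dirs, files in os.walk(full):
                for name in files:
                    p = os.path.join(dirpath, name)
                    manifest[os.path.relpath(p, root)] = sha256_of(p)
    return manifest


def snapshot(root, active_theme, dest_dir):
    """Write wp-backup-<stamp>.tar.gz and a .manifest.json beside it; return (archive, manifest)."""
    manifest = current_manifest(root, active_theme)
    archive = os.path.join(dest_dir, "wp-backup-" + time.strftime("%Y%m%d-%H%M%S") + ".tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(root, rel), arcname=rel)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)   # the baseline for later comparisons
    return archive, manifest


def archive_members(archive):
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def diff_manifests(baseline, current):
    """Files that appeared, changed or vanished since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def db_settings(wp_config_text):
    """DB_NAME / DB_USER / DB_HOST as defined in wp-config.php, for the database dump."""
    return dict(re.findall(r"define\(\s*'(DB_NAME|DB_USER|DB_HOST)'\s*,\s*'([^']*)'", wp_config_text))


def mysqldump_argv(settings, out_file):
    """mysqldump command for the database part (password via ~/.my.cnf, never on the command line)."""
    return ["mysqldump", "--single-transaction", "-h", settings["DB_HOST"],
            "-u", settings["DB_USER"], "--result-file=" + out_file, settings["DB_NAME"]]


def make_demo_site():
    """Constructed sample install for the demonstration; not a real site."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    os.makedirs(os.path.join(root, THEME_DIR, "twentytwelve"))
    files = {
        ".htaccess": "# BEGIN WordPress\n# END WordPress\n",
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp_demo');\ndefine('DB_USER', 'wpuser');\n"
                         "define('DB_HOST', 'localhost');\n$table_prefix = 'xk7_';\n",
        "robots.txt": "User-agent: *\nDisallow: /wp-admin/\n",
        "index.php": "<?php\nrequire('./wp-blog-header.php');\n",
        f"{THEME_DIR}/twentytwelve/functions.php": "<?php\nremove_action('wp_head', 'wp_generator');\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    return root


def simulate_tampering(root):
    """Exercise the detector: an unexpected PHP file in the theme and an edited index.php."""
    with open(os.path.join(root, THEME_DIR, "twentytwelve", "wp-cache.php"), "w") as f:
        f.write("<?php\n// constructed placeholder for a file the baseline never had\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// a line the baseline did not have\n")


if __name__ == "__main__":
    site = make_demo_site()
    _archive, baseline = snapshot(site, "twentytwelve", site)
    simulate_tampering(site)
    print(diff_manifests(baseline, current_manifest(site, "twentytwelve")))
```

Run snapshot() from cron against the real document root and keep the .manifest.json files off the web server; a later diff_manifests() against current_manifest() is the cheapest possible file monitor, and the "changed" list for index.php or the theme's footer is exactly where the injected links described earlier tend to show up.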
Register your site with Webmaster Tools:
GOOGLE: http://www.google.com/webmasters/tools
BING: http://www.bing.com/toolbox
SITE SCANNING TOOLS:
http://sitecheck.sucuri.net/scanner/
https://www.stopbadware.org/clearinghouse/search
http://www.unmaskparasites.com/
THE REASONS A WEBMASTER TOOLS CONNECTION IS IMPERATIVE:
You cannot communicate directly with Google or Bing without establishing the connection
Diagnostic tools are made available
Automatic alerts can be requested
You can appeal for review and redemption
SECOND LEVEL SECURITY: Configuring the site correctly at the point of original install
There are small adjustments that can:
• Make it more difficult for an attacker to edit your files
• Obscure the structure of your WordPress deployment
• Lock down access to crucial files and directories
CHANGE THE DATABASE PREFIX

ELIMINATE A COUPLE OF FILES:
(root)/readme.html
ISSUE: reveals information about the version of WordPress at the point of install

(root)/wp-admin/install.php
ISSUE: if for some reason the connection between WordPress and the database is broken, this file will activate and display the installation setup page
DISABLE THE FILE EDITOR
As long as this is still enabled, anyone with admin access to your site will be able to modify files at will

ADD TO THE wp-config.php FILE:

// DISABLES FILE EDITING
define('DISALLOW_FILE_EDIT', true);
DENY INFORMATION TO POTENTIAL ATTACKERS:
IN THE ACTIVE THEME'S functions.php FILE:

// REMOVES VERSION INFO
remove_action('wp_head', 'wp_generator');

// OBSCURES LOGIN FAILURE MESSAGE
// (create_function() was removed in PHP 8; a closure does the same job)
add_filter('login_errors', function ($message) {
    return '';
});
GIVE WORDPRESS A SEPARATE DIRECTORY:
IF ALL OF THE CORE FILES ARE IN AN UNEXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND:
• Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root of your site
• In your root directory's index.php, change the line that says:
require('./wp-blog-header.php');
to
require('./newdirectoryname/wp-blog-header.php');
• Go to the General panel. In the box for Site address (URL), change the address to the root directory's URL
MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO THE WP-CONFIG FILE

These security keys help encrypt the data that is stored in the cookies, which is the data that lets WordPress identify your computer as one that is logged into your WordPress website as a certain user.
If your WordPress cookies are ever obtained by someone with bad intentions, the encrypted cookie will make it much more difficult, if not impossible, for that individual to compromise your website using your cookies.
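To see what the keys buy you, here is a simplified Python model of how WordPress's wp_generate_auth_cookie() and wp_validate_auth_cookie() use them. This is an added example, not the deck's code and not WordPress's own PHP: the keys never travel in the cookie; AUTH_KEY and AUTH_SALT (concatenated, which is what wp_salt('auth') returns) are the secret behind an HMAC over the cookie's fields, so a copied cookie cannot be altered without them, and changing the keys in wp-config.php invalidates every cookie issued before the change, which is also how you log every session out after an incident. The user table, password hashes and key phrases below are constructed sample values; the real check additionally consults the session token stored in usermeta, which this model leaves out.

```python
"""Simplified model of WordPress's auth cookie and the role of the security keys (added example)."""
import hashlib
import hmac


def wp_hash(data, auth_secret):
    """WordPress's wp_hash(): HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT."""
    return hmac.new(auth_secret.encode(), data.encode(), hashlib.md5).hexdigest()


def generate_auth_cookie(login, stored_password_hash, expiration, token, auth_secret):
    """Return 'login|expiration|token|hmac', the layout WordPress uses."""
    pass_frag = stored_password_hash[8:12]   # 4 chars of the stored hash tie the cookie to the password
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", auth_secret)
    mac = hmac.new(key.encode(), f"{login}|{expiration}|{token}".encode(), hashlib.sha256).hexdigest()
    return f"{login}|{expiration}|{token}|{mac}"


def validate_auth_cookie(cookie, users, now, auth_secret):
    """Login name if the cookie is well-formed, unexpired and carries a valid HMAC, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    login, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now or login not in users:
        return None
    expected = generate_auth_cookie(login, users[login], expiration, token, auth_secret).rsplit("|", 1)[1]
    return login if hmac.compare_digest(expected, mac) else None


# Constructed sample data: two accounts with made-up stored password hashes.
USERS = {
    "editor": "$P$BsampleEditorHashValue0123456789abcdef",
    "admin": "$P$BsampleAdminHashValue00123456789abcdef",
}
OLD_SECRET = "first AUTH_KEY phrase" + "first AUTH_SALT phrase"
NEW_SECRET = "rotated AUTH_KEY phrase" + "rotated AUTH_SALT phrase"


def demo():
    """Four cases: a genuine cookie, an altered one, an expired one, one after the keys were rotated."""
    now = 1_700_000_000
    cookie = generate_auth_cookie("editor", USERS["editor"], str(now + 172800), "sess01", OLD_SECRET)
    altered = cookie.replace("editor|", "admin|", 1)       # same HMAC, different login field
    return {
        "genuine": validate_auth_cookie(cookie, USERS, now, OLD_SECRET),
        "altered": validate_auth_cookie(altered, USERS, now, OLD_SECRET),
        "expired": validate_auth_cookie(cookie, USERS, now + 200000, OLD_SECRET),
        "after_key_rotation": validate_auth_cookie(cookie, USERS, now, NEW_SECRET),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {'accepted as ' + result if result else 'rejected'}")
```

The "after_key_rotation" case is the one to remember during clean-up: replacing the eight key and salt constants in wp-config.php is a one-line way to revoke every outstanding login cookie on the site.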
MAKE SURE FOLDER & FILE PERMISSIONS ARE SET CORRECTLY
TYPICALLY THEY ARE GIVEN THE PROPER SETTINGS UPON DEPLOYMENT, BUT IT DOESN'T HURT TO CHECK
FILE PERMISSION = 644
FOLDER PERMISSION = 755
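The second-level items above are all things a script can check. The following Python audit is an added example, not part of the deck: audit() reports readme.html or wp-admin/install.php still present, a $table_prefix left at wp_, DISALLOW_FILE_EDIT not set, security keys still the placeholder "put your unique phrase here" that WordPress ships with (or shorter than 32 characters, a threshold chosen here), and any file that is not 644 or folder that is not 755 (wp-config.php is allowed to be 600 or 640, which is tighter). make_demo_site() builds a constructed tree with every finding present; point audit() at a real document root to check an actual install. hardened_config() produces wp-config.php lines that clear the configuration findings, with freshly generated keys.

```python
"""Audit a WordPress document root for the second-level hardening items (added example)."""
import os
import re
import secrets
import stat
import tempfile

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def defines(php_text):
    """Constant -> value for define('NAME', 'string'|true|false) lines."""
    out = {}
    for name, val in re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*('[^']*'|true|false)\s*\)", php_text):
        out[name] = val[1:-1] if val.startswith("'") else val == "true"
    return out


def check_wp_config(text):
    findings = []
    d = defines(text)
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not set: the theme/plugin file editor is enabled")
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if not m or m.group(1) == "wp_":
        findings.append("$table_prefix is the default wp_")
    weak = [k for k in KEY_NAMES if not isinstance(d.get(k), str) or d[k] == PLACEHOLDER or len(d[k]) < 32]
    if weak:
        findings.append("security keys missing or placeholder: " + ", ".join(weak))
    return findings


def check_permissions(root):
    """Files that are not 644 and folders that are not 755, as the slide prescribes."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode != 0o755:
                findings.append(f"{os.path.relpath(full, root)}/ is {mode:o}, expected 755")
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode != 0o644 and not (name == "wp-config.php" and mode in (0o600, 0o640)):
                findings.append(f"{os.path.relpath(full, root)} is {mode:o}, expected 644")
    return findings


def audit(root):
    findings = []
    for rel in ("readme.html", "wp-admin/install.php"):
        if os.path.exists(os.path.join(root, rel)):
            findings.append(f"{rel} still present")
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg) as f:
            findings += check_wp_config(f.read())
    else:
        findings.append("wp-config.php not found")
    return findings + check_permissions(root)


def hardened_config():
    """wp-config.php lines that satisfy check_wp_config(), with random 64-character keys."""
    lines = ["<?php", "$table_prefix = 'x%s_';" % secrets.token_hex(2), "define('DISALLOW_FILE_EDIT', true);"]
    lines += ["define('%s', '%s');" % (k, secrets.token_urlsafe(48)) for k in KEY_NAMES]
    return "\n".join(lines) + "\n"


def make_demo_site():
    """Constructed sample tree with every finding present; not a real install."""
    root = tempfile.mkdtemp(prefix="wpaudit-")
    for d in ("wp-admin", "wp-content", "wp-content/uploads"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    files = {
        "readme.html": "<h1>WordPress</h1>\n",
        "wp-admin/install.php": "<?php\n// installer placeholder\n",
        "wp-config.php": "<?php\n$table_prefix = 'wp_';\n"
                         + "".join(f"define('{k}', '{PLACEHOLDER}');\n" for k in KEY_NAMES),
        "wp-content/uploads/upload.php": "<?php\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
        os.chmod(os.path.join(root, rel), 0o644)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)        # world-writable folder
    os.chmod(os.path.join(root, "wp-content/uploads/upload.php"), 0o777)
    return root


if __name__ == "__main__":
    for finding in audit(make_demo_site()):
        print("-", finding)
```

The permission walk is deliberately strict: a 777 folder under wp-content/uploads is the usual side effect of "fixing" an upload error, and it is the combination of a world-writable folder and PHP execution in it that the .htaccess rules further down are meant to close off.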
THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES

"The ability to include .htaccess files in specific directories gives you more control of your site's configuration, optimization, and security."
- Jeff Starr

While hosting in an environment optimized for WordPress is ideal, it is not always available.

BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE AN .htaccess FILE.
ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT WITH THIS CODE ONLY:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /site-folder-name/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /site-folder-name/index.php [L]
</IfModule>
# END WordPress

(For a site installed in the web root, both occurrences of /site-folder-name/ are simply /.)
NEXT: INCLUDE THE FOLLOWING (outside the WordPress-generated block: WordPress rewrites everything between # BEGIN WordPress and # END WordPress whenever permalinks are saved. On Apache 2.4 the Order/Deny directives below only work while mod_access_compat is loaded; otherwise use Require all denied.)

# PROTECT THE .htaccess FILE
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

# SECURE wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

# BLOCK THE INCLUDE-ONLY FILES
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
AN ADDITIONAL RULE WORTH ADDING:

# CANONICAL FAVICONS - A COMMON POINT OF ATTACK
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
</IfModule>
SPECIFIC .htaccess TO PROTECT wp-content
(protects PHP files; allows access to images, CSS, JavaScript and XML files, but denies any other type)

# PREVENT ACCESS TO WP-CONTENT
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
AND FOR EXTRA CREDIT... KILL PHP EXECUTION IN THESE 2 LOCATIONS:
/wp-content/uploads/.htaccess
/wp-includes/.htaccess

<Files *.php>
Deny from all
</Files>
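Rules like these are only worth something if they are actually in effect (AllowOverride permitting .htaccess, the right Apache version, no typo in a pattern), and the access log is where that shows. The following Python script is an added example, not part of the deck: scan() reads Apache combined-format log lines, picks out requests for the things the rules above are meant to refuse (.htaccess, wp-config.php, direct PHP under wp-admin/includes/ and wp-includes/, PHP inside wp-content/uploads/), and counts per client address how many were refused (401/403/404) versus actually served (2xx); gaps() lists the served ones, each of which points at a rule that is missing or not applied. The log lines in SAMPLE_LOG are constructed, using documentation IP ranges, and the request paths in them are illustrative.

```python
"""Check from the access log that the .htaccess protections are being enforced (added example)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# (label, pattern over the path without its query string); mirrors the .htaccess rules above
SENSITIVE = (
    ("htaccess", re.compile(r"/\.htaccess$")),
    ("wp-config", re.compile(r"/wp-config\.php$")),
    ("include-only", re.compile(r"^/wp-admin/includes/|^/wp-includes/[^/]+\.php$"
                                r"|^/wp-includes/js/tinymce/langs/.+\.php$|^/wp-includes/theme-compat/")),
    ("php-in-uploads", re.compile(r"^/wp-content/uploads/.*\.php$")),
)


def classify(path):
    """Label of the protection a request path falls under, or None if it is ordinary traffic."""
    path = path.split("?", 1)[0]
    for label, rx in SENSITIVE:
        if rx.search(path):
            return label
    return None


def scan(lines):
    """{ip: {"refused": n, "served": n, "requests": [(path, status, label), ...]}}"""
    report = defaultdict(lambda: {"refused": 0, "served": 0, "requests": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip rather than guess
        label = classify(m["path"])
        if label is None:
            continue
        status = int(m["status"])
        entry = report[m["ip"]]
        entry["requests"].append((m["path"], status, label))
        if status in (401, 403, 404):
            entry["refused"] += 1
        elif 200 <= status < 300:
            entry["served"] += 1
    return dict(report)


def gaps(report):
    """Sensitive requests that got a 2xx: the protections did not apply to these paths."""
    return sorted((ip, path, label) for ip, e in report.items()
                  for path, status, label in e["requests"] if 200 <= status < 300)


# Constructed sample log lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2013:10:01:02 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2013:10:01:03 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2013:10:01:04 +0000] "GET /wp-includes/js/tinymce/langs/en.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2013:10:01:05 +0000] "GET /wp-admin/includes/file.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2013:11:15:30 +0000] "POST /wp-content/uploads/2013/07/img.php HTTP/1.1" 200 12 "-" "curl/7.30"',
    '192.0.2.10 - - [10/Jul/2013:11:16:00 +0000] "GET /wp-content/uploads/2013/07/photo.jpg HTTP/1.1" 200 48213 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jul/2013:11:16:01 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.10.2 HTTP/1.1" 200 93000 "http://example.com/" "Mozilla/5.0"',
]


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip, entry in sorted(report.items()):
        print(f"{ip}: refused={entry['refused']} served={entry['served']}")
    for ip, path, label in gaps(report):
        print(f"GAP: {ip} was served {path} ({label})")
```

A client with a long refused list is the automated probing the deck describes and is simply noise once the rules hold; a single entry from gaps() is the finding that matters, because it says a file that should never be served directly was, and the corresponding .htaccess file needs to be checked.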
SOME ADDITIONAL .htaccess RULES:

LOCATION: UPLOADS DIRECTORY

# secure uploads directory
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
=> issue: blocks the ability to access PDF-related URLs by link
LOCATION: WP-ADMIN DIRECTORY

# SECURE WP-ADMIN FILES
# (replace 123.456.789 with the address that should be allowed in)
<FilesMatch ".*">
Order Deny,Allow
Deny from all
Allow from 123.456.789
</FilesMatch>
=> issue: restricting by IP address is not practical in many cases
LOCATION: ROOT DIRECTORY

# Denies "hotlinking" of images
<IfModule mod_rewrite.c>
RewriteEngine on
# ultimate hotlink protection (replace the domain list with your own site's domains)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu.org|taffys.org|halfelf.org|poohnau.us|elfshot.org) [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
=> issue: this disables the theme screenshot display so I don't use it
LOCATION: ROOT DIRECTORY

# MAKES EXPLICIT LOCATION OF ROBOTS.TXT
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{REQUEST_URI} robots\.txt [NC]
RewriteRule .* http://example.com/robots.txt [R=301,L]
</IfModule>
=> issue: seems like overkill

# MAKES EXPLICIT LOCATION OF SITEMAP
<IfModule mod_alias.c>
RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
</IfModule>
=> issue: seems like overkill
WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE, IT WILL PREVENT FILES YOU WANT SECURED FROM BEING INDEXED (by crawlers that honour it):

User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /tag/
Disallow: /trackback/
Disallow: */trackback/
Disallow: /index.php # separate directive for the main script file of WP
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Allow: /wp-content/uploads/
Sitemap: http://SITEURL/sitemap_index.xml

(SEO by Yoast generates a reliable sitemap at that path)
PLUGINS OF NOTE: SITE SCANNERS
wp security scan
http://wordpress.org/plugins/wp-security-scan
Sucuri Security - SiteCheck Malware Scanner
http://wordpress.org/plugins/sucuri-scanner
WordPress File Monitor Plus
http://wordpress.org/plugins/wordpress-file-monitor-plus
Monitors your WordPress installation for added/deleted/changed files.
When a change is detected an email alert can be sent to a specified
address.
wordpress exploit scanner
http://wordpress.org/plugins/exploit-scanner
This plugin searches the files on your website, and the posts and
comments tables of your database for anything suspicious.
secure wordpress
http://wordpress.org/plugins/secure-wordpress
PLUGINS OF NOTE: MORE SCANNERS
Wordfence
http://wordpress.org/plugins/wordfence/
Better WP Security
http://wordpress.org/plugins/better-wp-security/
BulletProof Security
http://wordpress.org/plugins/bulletproof-security/
PLUGINS OF NOTE: BACKUP
vaultpress http://wordpress.org/plugins/vaultpress/ (subscription)
backup buddy http://ithemes.com/purchase/backupbuddy/ (paid)
WP Migrate DB Pro https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
backwpup http://wordpress.org/plugins/backwpup/
backup to dropbox
http://wordpress.org/plugins/wordpress-backup-to-dropbox/

Online Backup for WordPress http://wordpress.org/plugins/wponlinebackup/
WP-DB-Backup http://wordpress.org/plugins/wp-db-backup/
WP-DBManager http://wordpress.org/plugins/wp-dbmanager/
BackUpWordPress http://wordpress.org/plugins/backupwordpress/
PLUGINS OF NOTE: LOGIN LIMITATION
limit login attempts
http://wordpress.org/plugins/limit-login-attempts/
Login Security Solution
http://wordpress.org/plugins/login-security-solution/
Stealth Login Page
http://wordpress.org/plugins/stealth-login-page/

PLUGINS OF NOTE: CHANGE LOGIN LOCATION
lockdown wp-admin
http://wordpress.org/plugins/lockdown-wp-admin/
Simple Login Lockdown
http://wordpress.org/plugins/simple-login-lockdown/
Login Security Solution
http://wordpress.org/plugins/login-security-solution/
PLUGINS OF NOTE: MIXED BAG
theme authenticity checker http://wordpress.org/plugins/tac/
Theme-Check http://wordpress.org/plugins/theme-check/
Theme Test Drive http://wordpress.org/plugins/theme-test-drive/
block bad queries http://wordpress.org/plugins/block-bad-queries/ (a Jeff Starr plugin)
antivirus http://wordpress.org/plugins/antivirus/
NOTHING IS 100% HACK-PROOF, BUT YOU CAN MAKE IT MORE DIFFICULT
Keep your code current and work in a clean environment
Restrict access to WordPress admin
Block access to crucial files
Back up crucial files on a regular basis
Have a strategy to re-build if the easy solutions elude you

Wordpress Security & Hardening Steps

  • 1. HARDENING A WORDPRESS SITE
     Jeff McNear, Plasterdog Web Design
     847/849-7060
     jeff@plasterdog.com
     FOR MORE WORDPRESS INFO: http://jeffmcnear.com
  • 2. WHILE A HACKING INCIDENT DOES SEEM APOCALYPTIC, IT IS SURVIVABLE, AND EVEN AVOIDABLE IF:
     You anticipate the destruction with backups
     You have some sort of early alert system
     You make your site more difficult to compromise than provided for by a default install
  • 3. RESOURCES:
     CODEX: http://codex.wordpress.org/Hardening_WordPress
     CODE POET: “LOCKING DOWN WORDPRESS” http://build.codepoet.com/2012/07/10/locking-down-wordpress/ - Rachel Baker | Brad Williams | John Ford
     DIGGING INTO WORDPRESS: http://digwp.com/book/ - Chris Coyier & Jeff Starr
     THE TAO OF WORDPRESS: http://wp-tao.com/ - Jeff Starr
     .htaccess made easy: http://htaccessbook.com/ - Jeff Starr
  • 4. TYPICAL PATHS OF INFECTION:
     The overwhelmingly vast majority of all attacks are automated
     Entry Via Login to the Site or Database
     Entry Via vulnerable files or folders
     TYPICAL POINTS OF ENTRY
     Insecure server configuration
     Poor password security practices
     Outdated code (WordPress core, Plugins & Themes, PHP version)
  • 5. TYPICAL TYPES OF INFECTION:
     Roughly 85% of website attacks are Cross-Site Scripting (aka XSS)*
     Purpose is to inject links into the site itself
     May be simply spam links intended to fool search engines
     Can be malicious code that is used to embed coding into the visitor’s machine
     Intent is to steal information like passwords
     *Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source.
     The more malicious infections are designed to breed and spread from machine to machine
  • 6. WHAT ARE THE RISKS OF INFECTION?
     Unwelcome links inserted into your header or footer (very common: WordPress Pharma hack … only visible in search results!)
     Your site can become a cause for infection of those who visit it
     Visitors will be automatically re-directed to another website
     Search engines will detect insertions and will first publish warnings, and eventually de-list the site
     Individual ISPs will also detect insertions and will deny access to the site
  • 7. FIRST LEVEL SECURITY: SIMPLE THINGS THAT ANY SITE OWNER CAN DO:
     Many hardening techniques do not require any special tools, knowledge or expertise … just some common sense
  • 8. KEEP A CLEAN MACHINE
     Eventually we are all going to visit a virused website – have a regular scanning & anti-virus routine
     Remember that you too are vulnerable to inserted code that will monitor & record your keystrokes
  • 9. TRANSFER FILES IN THE MOST SECURE MANNER AVAILABLE
     Ideally we should all be using SFTP rather than regular old FTP
     Some would even say that having an SSL certificate for any website is a good idea
     At the very least, when uploading files use a secure connection
  • 10. KEEP YOUR CODE CURRENT
     A significant portion of core update work has to do with security issues
     The WordPress project has made it dead easy to keep your code current
     There is no excuse!
     ALSO: Inactive Themes and Plugins can be vulnerable to infection … if you aren’t using them, there is no reason to keep them!
  • 11. AVOID ALLOWING ACCESS WHEN NOT NECESSARY
     Shut down open registration
     If you’re not using comments and pingbacks, deactivate them
     Eliminate inactive users
     Be selective about permission levels
     Do not allow shared logins
     Never use “admin” as a login name – most “brute-force” attacks on WordPress will focus on the “admin” login name
     If you display author information DO NOT show the login name!
     Use complex and secure passwords!
  • 12. PREPARE FOR THE WORST:
     Backup:
       Database
       The active theme
       .htaccess file
       wp-config.php
       robots.txt
       index.php
       Record the list of active plugins
     Register your site with Webmaster tools:
       GOOGLE: http://www.google.com/webmasters/tools
       BING: http://www.bing.com/toolbox
     SITE SCANNING TOOLS:
       http://sitecheck.sucuri.net/scanner/
       https://www.stopbadware.org/clearinghouse/search
       http://www.unmaskparasites.com/
  • 13. THE REASONS A WEBMASTER TOOLS CONNECTION IS IMPERATIVE:
     You cannot communicate directly with Google or Bing without establishing the connection
     Diagnostic tools are made available
     Automatic alerts can be requested
     You can appeal for review and redemption
  • 14. SECOND LEVEL SECURITY: Configuring the site correctly at the point of original install
     There are small adjustments that can:
     • Make it more difficult for an attacker to edit your files
     • Obscure the structure of your WordPress deployment
     • Lock down access to crucial files and directories
  • 16. ELIMINATE A COUPLE OF FILES:
     (root)/readme.html
       ISSUE: relates information about the version of WordPress at point of install
     (root)/wp-admin/install.php
       ISSUE: if for some reason the connection between WordPress and the database is broken, this file will activate and display the installation setup page
  • 17. DISABLE THE FILE EDITOR
     As long as this is still enabled, anyone with admin access to your site will be able to modify files at will
     ADD TO THE wp-config.php FILE:
       // DISABLES FILE EDITING
       define('DISALLOW_FILE_EDIT', true);
  • 18. DENY INFORMATION TO POTENTIAL ATTACKERS:
     IN THE ACTIVE THEME’S functions.php FILE:
       // REMOVES VERSION INFO
       remove_action('wp_head', 'wp_generator');
       // OBSCURES LOGIN FAILURE MESSAGE (anonymous function; create_function() was removed in PHP 8)
       add_filter('login_errors', function () { return null; });
  • 19. GIVE WORDPRESS A SEPARATE DIRECTORY: IF ALL OF THE CORE FILES ARE IN AN UNEXPECTED PLACE THEY ARE LESS LIKELY TO BE FOUND:
     • Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root of your site
     • In your root directory's index.php change the line that says:
         require('./wp-blog-header.php');
       to
         require('./newdirectoryname/wp-blog-header.php');
     • Go to the General panel. In the box for Site address (URL): change the address to the root directory's URL
  • 20. MAKE SURE THAT THE SECURITY KEYS HAVE BEEN INSERTED INTO THE WP-CONFIG FILE
     These security keys help encrypt the data that is stored in the cookies, which is data that helps WordPress identify your computer as one that is logged into your WordPress website as a certain user. If your WordPress cookies are ever obtained by someone with bad intentions, the encrypted cookie will make it much more difficult if not impossible for this individual to compromise your website using your cookies.
  • 21. MAKE SURE FOLDER & FILE PERMISSIONS ARE SET CORRECTLY
     TYPICALLY THEY ARE GIVEN THE PROPER SETTINGS UPON DEPLOYMENT, BUT IT DOESN’T HURT TO CHECK
     FILE PERMISSION = 644
     FOLDER PERMISSION = 755
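An added audit script (not from the deck) that checks the slide 16, 17, 20 and 21 items against a WordPress root directory: the two files to delete, DISALLOW_FILE_EDIT in wp-config.php, security keys still at the placeholder text, and the 644/755 modes. It assumes the root path is passed as the argument and that untouched keys still read 'put your unique phrase here', the placeholder shipped in wp-config-sample.php.

```shell
#!/bin/sh
# Added audit for slides 16, 17, 20 and 21 (not part of the deck).
# Usage: wp_hardening_audit /path/to/wordpress ; the return code is the
# number of findings, so 0 means every checked item is already hardened.
wp_hardening_audit() {
  root="$1"; findings=0
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 99; }

  # Slide 16: readme.html leaks the install version, install.php can
  # re-expose the setup page if the database connection breaks.
  for f in readme.html wp-admin/install.php; do
    if [ -e "$root/$f" ]; then
      echo "FINDING: $f is still present (delete it)"
      findings=$((findings + 1))
    fi
  done

  cfg="$root/wp-config.php"
  if [ -f "$cfg" ]; then
    # Slide 17: the in-dashboard file editor must be switched off.
    if ! grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg"; then
      echo "FINDING: DISALLOW_FILE_EDIT is not set to true in wp-config.php"
      findings=$((findings + 1))
    fi
    # Slide 20: keys/salts still carry the wp-config-sample.php placeholder.
    if grep -q "put your unique phrase here" "$cfg"; then
      echo "FINDING: security keys in wp-config.php are still placeholders"
      findings=$((findings + 1))
    fi
  else
    echo "FINDING: wp-config.php not found under $root"
    findings=$((findings + 1))
  fi

  # Slide 21: files should be 644 and directories 755.
  bad_files=$(find "$root" -type f ! -perm 644 | wc -l | tr -d ' ')
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
  if [ "$bad_files" -ne 0 ]; then
    echo "FINDING: $bad_files file(s) are not mode 644"
    findings=$((findings + 1))
  fi
  if [ "$bad_dirs" -ne 0 ]; then
    echo "FINDING: $bad_dirs directory(ies) are not mode 755"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Run directly with a path argument; when sourced, this only defines the function.
if [ -n "${1:-}" ]; then wp_hardening_audit "$1"; echo "findings: $?"; fi
```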
  • 22. THIRD LEVEL SECURITY: TIGHTENING DOWN SERVER SETTINGS VIA .htaccess FILES
     “The ability to include .htaccess files in specific directories gives you more control of your site’s configuration, optimization, and security.” - Jeff Starr
     While hosting in an environment optimized for WordPress is ideal … it is not always available….
  • 23. BY DEFAULT A WORDPRESS DEPLOYMENT DOES NOT INCLUDE AN .htaccess FILE. ONCE PERMALINKS ARE ACTIVATED IT WILL BE CREATED, BUT WITH THIS CODE ONLY:
       # BEGIN WordPress
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /site-folder-name/
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /site-folder-name/index.php [L]
       </IfModule>
       # END WordPress
     (site-folder-name stands for the sub-directory the site is installed in)
  • 24. NEXT: INCLUDE THE FOLLOWING (outside the WP generated code)
       # PROTECT HTACCESS FILE
       <Files .htaccess>
       Order Allow,Deny
       Deny from all
       </Files>
       # SECURE WP-CONFIG.PHP
       <Files wp-config.php>
       Order Deny,Allow
       Deny from all
       </Files>
       # BLOCK THE INCLUDE-ONLY FILES.
       RewriteEngine On
       RewriteBase /
       RewriteRule ^wp-admin/includes/ - [F,L]
       RewriteRule !^wp-includes/ - [S=3]
       RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
       RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
       RewriteRule ^wp-includes/theme-compat/ - [F,L]
  • 25. AN ADDITIONAL RULE WORTH ADDING:
       # CANONICAL FAVICONS - A COMMON POINT OF ATTACK
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /
       RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
       RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
       RewriteRule (.*) http://SITEURL/favicon.ico [R=301,L]
       </IfModule>
  • 26. SPECIFIC .HTACCESS TO PROTECT WP-CONTENT
     Protects PHP files; allows access to image, CSS, JavaScript and XML files, but denies any other type
       # PREVENT ACCESS TO WP-CONTENT
       Order Deny,Allow
       Deny from all
       <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
       Allow from all
       </Files>
     AND FOR EXTRA CREDIT… KILL PHP EXECUTION IN THESE 2 LOCATIONS:
       /wp-content/uploads/.htaccess
       /wp-includes/.htaccess
       <Files *.php>
       Deny from all
       </Files>
  • 27. SOME ADDITIONAL .htaccess RULES:
     LOCATION: UPLOADS DIRECTORY
       # secure uploads directory
       <Files ~ ".*\..*">
       Order Allow,Deny
       Deny from all
       </Files>
       <FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|mov|wmv|zip|pdf)$">
       Order Deny,Allow
       Allow from all
       </FilesMatch>
     => issue: blocks ability to access pdf related URLs by link
  • 28. LOCATION: WP-ADMIN DIRECTORY
       # SECURE WP-ADMIN FILES
       <FilesMatch ".*">
       Order Deny,Allow
       Deny from all
       Allow from 123.456.789   <= the allowed address (a placeholder; put your own IP here)
       </FilesMatch>
     => issue: restricting by IP address is not practical in many cases
  • 29. LOCATION: ROOT DIRECTORY
       # Denies “hotlinking” of images
       <IfModule mod_rewrite.c>
       RewriteEngine on
       # ultimate hotlink protection
       RewriteCond %{HTTP_REFERER} !^$
       RewriteCond %{REQUEST_FILENAME} -f
       RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
       RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?(ipstenu.org|taffys.org|halfelf.org|poohnau.us|elfshot.org) [NC]
       RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
       </IfModule>
     (the domain list is the example’s own; substitute the domains that are allowed to embed your images)
     => issue: this disables the theme screenshot display so I don’t use it
  • 30. LOCATION: ROOT DIRECTORY
       # MAKES EXPLICIT LOCATION OF ROBOTS.TXT
       <IfModule mod_rewrite.c>
       RewriteBase /
       RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
       RewriteCond %{REQUEST_URI} robots\.txt [NC]
       RewriteRule .* http://example.com/robots.txt [R=301,L]
       </IfModule>
     => issue: seems like overkill
       # MAKES EXPLICIT LOCATION OF SITEMAP
       <IfModule mod_alias.c>
       RedirectMatch 301 /sitemap\.xml$ http://example.com/sitemap.xml
       RedirectMatch 301 /sitemap\.xml\.gz$ http://example.com/sitemap.xml.gz
       </IfModule>
     => seems like overkill
  • 31. WHILE A ROBOTS.TXT FILE IS NOT A DIRECT SECURITY MEASURE, IT WILL PREVENT FILES YOU WANT SECURED FROM BEING INDEXED (by crawlers that honor it; it does not block access)
       User-agent: *
       Disallow: /cgi-bin/
       Disallow: /wp-admin/
       Disallow: /wp-includes/
       Disallow: /wp-content/plugins/
       Disallow: /wp-content/cache/
       Disallow: /wp-content/themes/
       Disallow: /tag/
       Disallow: /trackback/
       Disallow: */trackback/
       Disallow: /index.php   # separate directive for the main script file of WP
       Disallow: /*.php$
       Disallow: /*.js$
       Disallow: /*.inc$
       Disallow: /*.css$
       Allow: /wp-content/uploads/
       Sitemap: http://SITEURL/sitemap_index.xml *
     *(SEO by Yoast generates a reliable sitemap)
  • 32. PLUGINS OF NOTE: SITE SCANNERS
     wp security scan: http://wordpress.org/plugins/wp-security-scan
     Sucuri Security - SiteCheck Malware Scanner: http://wordpress.org/plugins/sucuri-scanner
     WordPress File Monitor Plus: http://wordpress.org/plugins/wordpress-file-monitor-plus
       Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
     wordpress exploit scanner: http://wordpress.org/plugins/exploit-scanner
       This plugin searches the files on your website, and the posts and comments tables of your database, for anything suspicious.
     secure wordpress: http://wordpress.org/plugins/secure-wordpress
  • 33. PLUGINS OF NOTE: MORE SCANNERS
     Wordfence: http://wordpress.org/plugins/wordfence/
     Better WP Security: http://wordpress.org/plugins/better-wp-security/
     BulletProof Security: http://wordpress.org/plugins/bulletproof-security/
  • 34. PLUGINS OF NOTE: BACKUP
     vaultpress: http://wordpress.org/plugins/vaultpress/ (subscription)
     backup buddy: http://ithemes.com/purchase/backupbuddy/ (paid)
     WP Migrate DB Pro: https://deliciousbrains.com/wp-migrate-db-pro/ (paid)
     backwpup: http://wordpress.org/plugins/backwpup/
     backup to dropbox: http://wordpress.org/plugins/wordpress-backup-to-dropbox/
     Online Backup for WordPress: http://wordpress.org/plugins/wponlinebackup/
     WP-DB-Backup: http://wordpress.org/plugins/wp-db-backup/
     WP-DBManager: http://wordpress.org/plugins/wp-dbmanager/
     BackUpWordPress: http://wordpress.org/plugins/backupwordpress/
  • 35. PLUGINS OF NOTE: LOGIN LIMITATION
     limit login attempts: http://wordpress.org/plugins/limit-login-attempts/
     Login Security Solution: http://wordpress.org/plugins/login-security-solution/
     Stealth Login Page: http://wordpress.org/plugins/stealth-login-page/
     PLUGINS OF NOTE: CHANGE LOGIN LOCATION
     lockdown wp-admin: http://wordpress.org/plugins/lockdown-wp-admin/
     Simple Login Lockdown: http://wordpress.org/plugins/simple-login-lockdown/
     Login Security Solution: http://wordpress.org/plugins/login-security-solution/
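The login-limiting plugins above and slide 11's point about automated brute-force attempts on the login both come down to one signal: a single client hammering wp-login.php. This added example (not from the deck or any of the plugins listed) pulls that signal out of an Apache combined-format access log so you can see the bursts yourself; the log lines it runs on are constructed sample data using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the deck): spot wp-login.php brute-force bursts in
# an Apache combined-format access log.
# wp_login_bursts LOGFILE [LIMIT]: prints "ip count" for each client IP with
# more than LIMIT POSTs to wp-login.php (default 10) and returns the number
# of IPs flagged (0 = none).
wp_login_bursts() {
  log="$1"; limit="${2:-10}"
  awk -v limit="$limit" '
    # $1 is the client IP; only POSTs to wp-login.php count, whether the
    # site lives at the root or in a sub-directory, with or without a query
    /"POST \/[^ ]*wp-login\.php[^ ]* HTTP\// { n[$1]++ }
    END {
      flagged = 0
      for (ip in n) if (n[ip] > limit) { print ip, n[ip]; flagged++ }
      exit flagged
    }' "$log"
}

# Constructed sample log: one real login, one automated burst of 12 tries,
# one three-try visitor plus an unrelated comment POST that must not count.
sample_access_log() {
  ts='[10/Oct/2013:13:55:36 -0500]'
  echo "198.51.100.20 - - $ts \"GET /wp-login.php HTTP/1.1\" 200 1420 \"-\" \"Mozilla/5.0\""
  echo "198.51.100.20 - - $ts \"POST /wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
  i=0
  while [ "$i" -lt 12 ]; do
    echo "203.0.113.7 - - $ts \"POST /wp-login.php HTTP/1.1\" 200 3110 \"-\" \"Mozilla/5.0\""
    i=$((i + 1))
  done
  echo "192.0.2.9 - - $ts \"POST /blog/wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1\" 200 3110 \"-\" \"Mozilla/5.0\""
  echo "192.0.2.9 - - $ts \"POST /blog/wp-login.php HTTP/1.1\" 200 3110 \"-\" \"Mozilla/5.0\""
  echo "192.0.2.9 - - $ts \"POST /blog/wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
  echo "192.0.2.9 - - $ts \"POST /wp-comments-post.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
}

# Run directly against a real log: wp_login_bursts /var/log/apache2/access.log 10
if [ -n "${1:-}" ]; then wp_login_bursts "$1" "${2:-10}"; fi
```

Pointed at a real access log, a flagged address is a candidate for the plugins' lockout rules or a firewall block; the "admin" user name advice on slide 11 is what keeps such a burst from succeeding while you look.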
  • 36. PLUGINS OF NOTE: MIXED BAG
     theme authenticity checker: http://wordpress.org/plugins/tac/
     Theme-Check: http://wordpress.org/plugins/theme-check/
     Theme Test Drive: http://wordpress.org/plugins/theme-test-drive/
     block bad queries: http://wordpress.org/plugins/block-bad-queries/ ** (a Jeff Starr plugin)
     antivirus: http://wordpress.org/plugins/antivirus/
  • 37. NOTHING IS 100% HACK-PROOF, BUT YOU CAN MAKE IT MORE DIFFICULT
     Keep your code current and work in a clean environment
     Restrict access to WordPress admin
     Block access to crucial files
     Backup crucial files on a regular basis
     Have a strategy to re-build if the easy solutions elude you