Hardening WordPress Security
Mattia Piovano
How to harden WordPress security with few steps and methods
1.
Hardening WordPress Security
WordPress Day 2015 - Pordenone, Italy
2.
What is security? (http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)
3.
Risk reduction
4.
SECURITY: Because sometimes a Rottweiler is not enough
5.
Why do we need more security?
6.
WordPress Popularity, Market Share and Responsibility
7.
[Chart: Usage of content management systems for websites, market share and usage (0-70%) for No CMS, WordPress, Joomla and Drupal. Source: http://w3techs.com/technologies/overview/content_management/all]
8.
What are the dangers?
9.
- Social Engineering
- Human Mistakes
- Brute Force Attacks
- WordPress Vulnerabilities
- Web Server Vulnerabilities
- Network Vulnerabilities
- FTP
- File Permissions
- And other beautiful things…
10.
11.
Solutions
12.
Backup! Modern Task Runner for PHP
13.
Use strong passwords
Insecure examples:
- admin
- mysite123
- mysitename
- myname4321
- password
Secure examples:
- -yCpHuHJ68fRtB805i
- "kaN4Y]99Z)[/ylaJN
- &3388wu1530Cx;73kR
- zN1/K>9'51]9~495°
- 1'N434g&h51I78x3?M
14.
Stay updated!
- Update WordPress Core
- Update Themes
- Update Plugins
15.
Remove Version Reference
16.
Deny access / delete readme.html
17.
Deny access / delete readme.html
# .htaccess
<Files readme.html>
Order allow,deny
Deny from all
</Files>
18.
Remove WordPress Version
// ** functions.php
// Return an empty string for the generator tag so the version is not printed
function wp_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_remove_version');
19.
Secure your login
20.
Secure your login
- .htaccess Authentication
- Limit attempts
- Restrict to certain IPs
- Hide
- Captcha
- Two Factor Authentication
- HTTPS
21.
.htaccess Authentication (example with http://www.htaccesstools.com/)
22.
.htaccess Authentication (example with http://www.htaccesstools.com/)
23.
Limit attempts
24.
Restrict to certain IPs
# .htaccess
order deny,allow
deny from all
allow from 1.2.3.4
25.
Restrict to certain IPs
26.
Hide your login
# BEGIN Hidden login
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login
27.
Hide your login
28.
Captcha on login
29.
Two-Factor Authentication
30.
Is there anything more?
31.
Admin user
32.
Admin user
- Don't use «admin» as username
- Or change the «admin» role
33.
Change WordPress Structure
34.
Change WordPress Structure: from this..
35.
Change WordPress Structure: ..to this
36.
Change WordPress Structure
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
# Core directories live under application/ (see the previous slide)
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]
# Serve existing files and directories untouched; the negated form
# (!-f [OR] !-d) would match every request and stop rewriting early
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.*\.php)$ /$1 [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
37.
Change WordPress Structure
// ** index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php' );

// ** wp-config.php
// HTTP_HOST (and SERVER_NAME unless UseCanonicalName is On) come from the
// request's Host header; hard-code the hostname unless the virtual host is pinned
define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' );
define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' );
define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' );
define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );
38.
Htaccess Tips and Tricks
39.
Disable Directory Browsing
# .htaccess
Options All -Indexes
40.
Protect your .htaccess
# .htaccess
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
41.
Protect your configuration
# .htaccess
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
42.
Deny access to xmlrpc.php
# .htaccess
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
43.
Prevent WordPress users listing
http://www.yourbeautifulsite.org/?author=1
http://www.yourbeautifulsite.org/?author=2
http://www.yourbeautifulsite.org/?author=3
http://www.yourbeautifulsite.org/?author=4
[…]
# .htaccess
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]
44.
Deny php execution from upload directory
# /path/to/upload-folder/.htaccess
# Deny everything first, then allow only static asset types back in;
# without the deny, the allow list below restricts nothing
Order deny,allow
Deny from all
<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
Allow from all
</Files>
45.
Rewrite assets permalinks
# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
46.
WP-config Tricks
47.
WP-config Tricks
- Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Override File Permissions
- Change WP Db Prefix
48.
Disable Plugins install/updates
// ** wp-config.php
// DISALLOW_FILE_EDIT hides the theme/plugin file editor;
// DISALLOW_FILE_MODS also blocks installing and updating from the dashboard
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
49.
Check installed Themes/Plugins
- Remove inactive themes/plugins
- Remove useless themes/plugins
- Evaluate code integration
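The .htaccess tips (slides 39-42) and the wp-config tricks (slides 47-48) are easy to apply and just as easy to lose on the next deployment. The script below is an added example, not part of Mattia Piovano's deck: a read-only audit that checks a WordPress document root for those settings. It assumes the standard layout (wp-config.php and .htaccess in the document root; the application/ layout of slide 36 needs the paths adjusted), and the function names (audit_wordpress, htaccess_denies_file and the others) are this example's own. It only reads files, so it cannot tell whether Apache actually honours the .htaccess (AllowOverride) or whether a reverse proxy sits in front; it accepts both the Apache 2.2 "Deny from all" used on the slides and the 2.4 "Require all denied".

```bash
#!/usr/bin/env bash
# Added example (not from the slides): static audit of a WordPress document
# root against the hardening steps shown in the deck.

# Succeed when HTACCESS has a <Files NAME> block containing a deny-all
# directive ("Deny from all" for Apache 2.2, "Require all denied" for 2.4).
htaccess_denies_file() {
    local htaccess="$1" name="$2"
    [ -f "$htaccess" ] || return 1
    awk -v name="$name" '
        { line = tolower($0) }
        index(line, "<files " tolower(name) ">") { inblk = 1 }
        inblk && (line ~ /deny from all/ || line ~ /require all denied/) { found = 1 }
        index(line, "</files>") { inblk = 0 }
        END { exit found ? 0 : 1 }
    ' "$htaccess"
}

# Succeed when HTACCESS turns directory listings off (Options ... -Indexes).
htaccess_disables_indexes() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*Options[^#]*-Indexes' "$1"
}

# Succeed when CONFIG defines CONST as true, e.g.
#   define( 'DISALLOW_FILE_EDIT', true );
wpconfig_defines_true() {
    local config="$1" const="$2"
    grep -Eiq "define\([[:space:]]*['\"]${const}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config"
}

# Record one finding; "findings" is the caller's counter (bash dynamic scope).
_finding() {
    echo "  - $1"
    findings=$((findings + 1))
}

# Print one line per failed hardening step and return the number of
# findings as the exit status (0 means every check passed).
audit_wordpress() {
    local root="$1" findings=0
    local ht="$root/.htaccess" cfg="$root/wp-config.php"

    if [ ! -f "$cfg" ]; then
        echo "no wp-config.php under $root"
        return 1
    fi

    if [ -f "$root/readme.html" ] && ! htaccess_denies_file "$ht" readme.html; then
        _finding "readme.html is present and not blocked (slides 16-17)"
    fi
    if [ -f "$root/xmlrpc.php" ] && ! htaccess_denies_file "$ht" xmlrpc.php; then
        _finding "xmlrpc.php is reachable (slide 42)"
    fi
    htaccess_denies_file "$ht" wp-config.php || _finding "wp-config.php is not blocked in .htaccess (slide 41)"
    htaccess_denies_file "$ht" .htaccess    || _finding ".htaccess is not self-protected (slide 40)"
    htaccess_disables_indexes "$ht"         || _finding "directory listing is not disabled (slide 39)"
    wpconfig_defines_true "$cfg" DISALLOW_FILE_EDIT || _finding "DISALLOW_FILE_EDIT is not set (slide 48)"
    wpconfig_defines_true "$cfg" DISALLOW_FILE_MODS || _finding "DISALLOW_FILE_MODS is not set (slide 48)"
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        _finding "database table prefix is the default wp_ (slide 47)"
    fi
    if grep -q 'put your unique phrase here' "$cfg"; then
        _finding "salt keys still hold the placeholder text (slide 47)"
    fi
    return "$findings"
}

# Usage: ./wp-audit.sh /var/www/html   (exit status = number of findings)
if [ "$#" -gt 0 ]; then
    audit_wordpress "$1"
fi
```

Running it from a deploy hook or cron turns the slide checklist into a repeatable check: a non-zero exit status means a setting has drifted, and the printed lines name the slide to go back to.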
50.
Blackhole
51.
52.
Blackhole (http://perishablepress.com/blackhole-bad-bots/)
# BEGIN Blackhole
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]
</IfModule>
# END Blackhole
53.
Tools
54.
Tools: Sucuri Security Plugin
55.
Help us to check our WordPress Project Vulnerabilities
56.
Monitoring: time series database for monitoring your application
https://influxdb.com/
57.
Web Server Infrastructure
58.
Codex References
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Administration_Over_SSL
http://codex.wordpress.org/Editing_wp-config.php
59.
Questions?
60.
Thanks Mattia Piovano @shadow_droid https://joind.in/15557