Hardening WordPress Security
•Als PPTX, PDF herunterladen•
2 gefällt mir•1,924 views
How to harden WordPress security with few steps and methods
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie Hardening WordPress Security
Ähnlich wie Hardening WordPress Security (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Hardening WordPress Security
- 1. Hardening WordPress Security WordPress Day 2015 - Pordenone, Italy
- 4. SECURITYBecause sometimes a Rottweiler is not enough
- 5. Why we need more security?
- 6. WordPress Popularity, Market Share and Responsibility
- 7. 0 10 20 30 40 50 60 70 No CMS WordPress Joomla Drupal Usage of content management systems for websites Market Share Usage http://w3techs.com/technologies/overview/content_management/all
- 8. What are the dangers?
- 9. - Social Engineering - Human Mistakes - Brute Force Attacks - WordPress Vulnerabilities - Web Server Vulnerabilities - Network Vulnerabilities - FTP - File Permissions - And other beautiful things…
- 11. Solutions
- 12. Backup! Modern Task Runner for PHP
- 13. Use strong passwords Insecure examples admin mysite123 mysitename myname4321 password Secure examples -yCpHuHJ68fRtB805i "kaN4Y]99Z)[/ylaJN &3388wu1530Cx;73kR zN1/K>9'51]9~495° 1'N434g&h51I78x3?M
- 14. Stay updated! Update WordPress Core Update Themes Update Plugins
- 16. Deny access / delete readme.html
- 17. Deny access / delete readme.html # .htaccess <files readme.html> Order allow,deny Deny from all </files>
- 18. Remove WordPress Version // ** functions.php function wp_remove_version() { return ''; } add_filter('the_generator', 'wp_remove_version');
- 20. Secure your login - .htaccess Authentication - Limit attempts - Restrict to certain IPs - Hide - Capcha - Two Factor Authentication - HTTPS
- 21. .htaccess Authentication (example with http://www.htaccesstools.com/)
- 22. .htaccess Authentication (example with http://www.htaccesstools.com/)
- 23. Limit attempts
- 24. Restrict to certain IPs # .htaccess order deny,allow deny from all allow from 1.2.3.4
- 25. Restrict to certain IPs
- 26. Hide your login # BEGIN Hidden login RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L] RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area RewriteCond %{QUERY_STRING} !^action=logout RewriteCond %{QUERY_STRING} !^action=lostpassword RewriteCond %{REQUEST_METHOD} !POST RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L] RewriteCond %{QUERY_STRING} ^loggedout=true RewriteRule . http://%{SERVER_NAME}/? [L] # END Hidden login
- 27. Hide your login
- 28. Captcha on login
- 30. Is there anything more?
- 31. Admin user
- 32. Admin user - Don’t use «admin» as username - Or change «admin» role
- 34. Change WordPress Structure From this..
- 35. Change WordPress Structure ..to this
- 36. Change WordPress Structure # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index.php$ - [L] # Redirect RewriteRule ^wp-admin$ wp-admin/ [R,L] RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f [OR] RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^ - [L] RewriteRule ^(.*.php)$ /$1 [L] RewriteRule . /index.php [L] </IfModule> # END WordPress
- 37. Change WordPress Structure // ** index.php define( 'WP_USE_THEMES', true ); require( __DIR__ . '/application/wp-blog-header.php‘ ); // ** wp-config.php define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' ); define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' ); define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' ); define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );
- 38. Htaccess Tips and Tricks
- 39. Disable Directory Browsing # .htaccess Options All -Indexes
- 40. Protect your .htaccess # .htaccess <files .htaccess> Order allow,deny Deny from all </files>
- 41. Protect your configuration # .htaccess <files wp-config.php> Order allow,deny Deny from all </files>
- 42. Deny access to xmlrpc.php # .htaccess <files xmlrpc.php> Order allow,deny Deny from all </files>
- 43. Prevent WordPress users listing http://www.yourbeautifulsite.org/?author=1 http://www.yourbeautifulsite.org/?author=2 http://www.yourbeautifulsite.org/?author=3 http://www.yourbeautifulsite.org/?author=4 […] # .htaccess RewriteCond %{QUERY_STRING} (^|&)author= RewriteRule . http://%{SERVER_NAME}/? [L]
- 44. Deny php execution from upload directory # /path/to/upload-folder/.htaccess <Files ~ ".(xls|doc|rtf|pdf|zip|mp3|flv|swf|pn g|gif|jpg|ico|js|css|kmz|ttf|woff|woff 2)$"> Allow from all </Files>
- 45. Rewrite assets permalinks # .htaccess RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L] RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L] RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
- 46. WP-config Tricks
- 47. WP-config Tricks - Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/) - Override File Permissions - Change WP Db Prefix
- 48. Disable Plugins install/updates // ** wp-config.php define( DISALLOW_FILE_EDIT', true ); define( DISALLOW_FILE_MODS', true );
- 49. Check installed Themes/Plugins - Remove inactive themes/plugins - Remove useless themes/plugins - Evaluate code integration
- 50. Blackhole
- 52. Blackhole (http://perishablepress.com/blackhole-bad-bots/) # END Blackholde <ifModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|reg ister|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L] </ifModule> # END Blackhole
- 53. Tools
- 55. Help us to check our WordPress Project Vulnerabilities
- 56. Monitoring time series database for monitoring your application https://influxdb.com/
- 59. Questions?