10 WORDPRESS SECURITY MEASURES YOU CAN IMPLEMENT TODAY!
WordPress Meetup Tokyo #23 — May 2015
Toru Miki
Assistant Webmaster at Temple University, Japan Campus
WordPress experience: 9 years
https://profiles.wordpress.org/toru
#1 Secure your local environment
• Use good internet security software
• Antivirus
• Firewall
• Antispam
• etc
#2 Secure file transfer
• Use
• SSH
• FTPS
• SFTP
• Stop using
• FTP
• Does your hosting server only allow FTP?
• Move!
Command-line
Client software
• WinSCP
• FileZilla
• Cyberduck
• Transmit
…
#3 Update, update, update!
• Core
• Minor updates (e.g. 4.1.x, 4.2.x, 4.3.x, etc.) are security fixes
• Major updates (e.g. 3.x, 4.x, 5.x, etc.) include lots of bug fixes too
• Themes
• Plugins
• If you are a developer — libraries/scripts you have used
• E.g. TimThumb script
http://wptavern.com/wordpress-security-alert-new-zero-day-vulnerability-discovered-in-timthumb-script
#4 Strong password
• Stronger password =
• harder for others to guess
• harder for a brute force attack to succeed
• At least 8 characters, include uppercase letter(s), include special character(s), include number(s), and not found in the dictionary
• E.g. K#5r!g3y
#4 Strong password
Max. time needed to crack a password by brute force, by type of letters used and number of characters (values as given on the slide; the per-column character counts and available-letter counts are those of the cited IPA table):

Type of letters used | Available number of letters | 4 characters | 6 characters | 8 characters | 10 characters
English alphabet (uppercase not distinguished) | 26 | 3 sec. | 37 min. | 17 days | 32 yrs.
English alphabet (lower & upper) + number | 62 | 2 min. | 5 days | 50 yrs. | 0.2m yrs.
English alphabet (lower & upper) + number + special character | 93 | 9 min. | 54 days | 1000 yrs. | 10m yrs.

Ref: IPA (Information-technology Promotion Agency, Japan): Status of reported computer viruses and unauthorized access [September 2008 and third quarter]
http://www.ipa.go.jp/security/txt/2008/10outline.html
#4 Strong password
• WordPress’ password strength meter
• Password manager software
• 1Password - https://agilebits.com/onepassword
• LastPass - https://lastpass.com/
#5 Two-step authentication
• = Two-factor authentication/verification
• 2nd layer of secure login
• Plugins (e.g.)
• Google Authenticator - https://wordpress.org/plugins/google-authenticator/
• Rublon - https://wordpress.org/plugins/rublon/
• Jetpack - https://wordpress.org/plugins/jetpack/
• Use the “sign in using your WordPress.com account” feature, and utilize its “Two Step Authentication” feature
• E.g. Using Google Two-Factor Authentication With WordPress - Tuts+ Code Tutorial
http://code.tutsplus.com/tutorials/using-google-two-factor-authentication-with-wordpress--cms-22263
#6 Limit access to /wp-admin/
• Limit by password protection (e.g. BasicAuth)
• http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php
• create .htpasswd
• edit .htaccess
• Limit by IP address
• http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
• For both methods, watch out for plugins which use admin-ajax.php
• http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
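Added example, not from the slides or the Codex page itself: a small shell script that generates the two .htaccess fragments the Codex page describes (BasicAuth on wp-login.php, and an IP allow-list on /wp-admin/) together with the admin-ajax.php exception that keeps front-end plugins working. The .htpasswd path and the IP addresses are placeholders you supply.

```shell
#!/bin/sh
# Added example (not the slides' or the Codex's own code): emit .htaccess
# fragments for the two /wp-admin/ limits discussed above. Directives are the
# Apache 2.2 style used on the Codex page; on Apache 2.4 they still work via
# mod_access_compat, or can be rewritten as "Require ip ..." / "Require all denied".

# Fragment for the site-root .htaccess: HTTP Basic auth on wp-login.php only.
# Argument: absolute path of an .htpasswd file created beforehand, e.g. with
#   htpasswd -c /path/outside/webroot/.htpasswd adminuser
login_htaccess() {
  htpasswd_file="$1"
  cat <<EOF
# Protect wp-login.php with HTTP Basic authentication
<Files wp-login.php>
AuthUserFile $htpasswd_file
AuthName "Private access"
AuthType Basic
Require valid-user
</Files>
EOF
}

# Fragment for /wp-admin/.htaccess: deny everyone except the listed addresses,
# but leave admin-ajax.php reachable, because plugins call it for logged-out
# visitors and a blanket deny would break those features on the public site.
# Arguments: one or more allowed IPs or CIDR ranges.
admin_htaccess() {
  cat <<'EOF'
# Allow only the listed addresses into /wp-admin/
Order deny,allow
Deny from all
EOF
  for ip in "$@"; do
    printf 'Allow from %s\n' "$ip"
  done
  cat <<'EOF'

# admin-ajax.php is used from the public site by many plugins: keep it open
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
EOF
}

# Usage (placeholder values):
#   login_htaccess /srv/example/.htpasswd      >> /var/www/html/.htaccess
#   admin_htaccess 203.0.113.10 198.51.100.0/24 > /var/www/html/wp-admin/.htaccess
```

Test the result from an allowed and a non-allowed address before relying on it, and re-check after plugin changes, since a new plugin may depend on admin-ajax.php from the front end.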
#7 Set the file permissions right
• WordPress Codex’s recommendations are…
• All directories should be 755 or 750
find . -type d -print -exec chmod 755 {} \;
• No directories should ever be given 777
• All files should be 644 or 640
find . -type f -print -exec chmod 644 {} \;
• Except wp-config.php, which should be 440 or 400
chmod 440 wp-config.php
Changing File Permissions « WordPress Codex
https://codex.wordpress.org/Changing_File_Permissions
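Added example, not from the slides or the Codex: a shell audit that lists every path in a WordPress tree deviating from the recommendations above (directories 755/750, files 644/640, wp-config.php 440/400), plus a fixer that applies the same find/chmod commands as the slide. It assumes a POSIX find with exact-mode `-perm MODE` matching; the directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not the slides' or the Codex's own code): audit a WordPress
# install against the Codex permission recommendations and report offenders.

# Print each offending path on its own line, prefixed with the rule it breaks.
# An empty output means the tree matches the recommendations.
audit_wp_perms() {
  root="$1"
  # Directories must be exactly 755 or 750 (777 would let any local user write)
  find "$root" -type d ! -perm 755 ! -perm 750 \
    | sed 's/^/dir-not-755-or-750: /'
  # Regular files other than wp-config.php must be 644 or 640
  find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 \
    | sed 's/^/file-not-644-or-640: /'
  # wp-config.php holds the database credentials and salts: 440 or 400 only
  find "$root" -type f -name wp-config.php ! -perm 440 ! -perm 400 \
    | sed 's/^/wp-config-not-440-or-400: /'
}

# Number of offending paths; prints 0 when the tree is clean.
count_wp_perm_issues() {
  audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the Codex fix: the same commands as on the slide, with the ";" escaped
# so the shell hands it to find instead of treating it as a command terminator.
fix_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} \;
  find "$root" -type f -exec chmod 644 {} \;
  [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
  return 0
}

# Usage: audit first, review the list, then fix and re-audit.
#   audit_wp_perms /var/www/html
#   fix_wp_perms   /var/www/html
#   count_wp_perm_issues /var/www/html   # expect 0
```

Run the fixer as the user that owns the files (the web server process must be able to read 440 files, so that owner or group has to be the account PHP runs as).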
#8 Disable file editing
• By default, administrators can edit Theme and Plugin files from the dashboard. This feature can be used by an attacker to insert malicious code…
• To disable editing files in the dashboard, add this to wp-config.php
define('DISALLOW_FILE_EDIT', true);
• http://codex.wordpress.org/Hardening_WordPress#Disable_File_Editing
#10 Get Themes and Plugins from trusted sources, and delete if not used
• The official repository at WordPress.org
• Frequently updated, and still in continuous development
• Delete any Themes and Plugins you are not using any more
Extra — a note on the “admin” user
• The username “admin” is often targeted by brute-force attacks
• But even if you don’t use “admin”, an attacker can find out the username via http://example.com/?author=1
• So not using “admin” does not mean it is safe
• However, it is still a good practice because:
• We know “admin” is targeted, so it is better not to use it than to use it
• A high number of login attempts uses a lot of your server resources, and can bring the server down
Extra — hide your WordPress version?
• Hide your WordPress version, so the attacker won’t know which version you are using — Not True
remove_action('wp_head', 'wp_generator');
• There are other ways for attackers to find the version:
• http://example.com/readme.html
• Query string appended to style sheets and scripts, such as style.css?ver=4.1.0
• And many more…
The WordPress Meta “generator” Tag Paranoia
http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag-paranoia/
Extra — some plugins
• Wordfence Security
https://wordpress.org/plugins/wordfence/
• Login Security Solution
https://wordpress.org/plugins/login-security-solution/
• Crazy Bone
https://wordpress.org/plugins/crazy-bone/
Extra — some links
• Hardening WordPress « WordPress Codex
http://codex.wordpress.org/Hardening_WordPress
• Brute Force Attacks « WordPress Codex
http://codex.wordpress.org/Brute_Force_Attacks
• WordPress Tavern
http://wptavern.com/
• Sucuri Blog | Website Security News
https://blog.sucuri.net/
10 WordPress security measures you can implement today!

  • 1. 1 0 W O R D P R E S S S E C U R I T Y M E A S U R E S Y O U C A N I M P L E M E N T T O D AY ! Wo rd P re s s M e e t u p To k y o # 2 3 — M a y 2 0 1 5 Toru Miki
  • 2. A s s i s t a n t We b m a s t e r a t Te m p l e U n i v e r s i t y, J a p a n C a m p u s Wo rd P re s s e x p e r i e n c e : 9 y e a r s h t t p s : / / p ro f i l e s . w o rd p re s s . o rg / t o r u To r u M i k i
  • 3. # 1 S e c u re y o u r l o c a l e n v i ro n m e n t • Use good internet security software • Antivirus • Firewall • Antispam • etc
  • 4. # 2 S e c u re f i l e t r a n s f e r • Use • SSH • FTPS • SFTP • Stop using • FTP • Does your hosting server only allows FTP? • Move! C o m m a n d - l i n e C l i e n t s o f t w a re • W i n S C P • F i l e Z i l l a • C y b e rd u c k • Tr a n s m i t …
  • 5. # 3 U p d a t e , u p d a t e , u p d a t e ! • Core • Minor updates (E.g. 4.1.x, 4.2.x, 4.3.x, etc) are security fixes • Major updates (e.g. 3.x, 4.x, 5.x, etc) includes lots of bug fixes too • Themes • Plugins • If you are a developer — libraries/scripts you have used • E.g. TimThumb script
 http://wptavern.com/wordpress-security-alert-new-zero-day- vulnerability-discovered-in-timthumb-script
  • 6. # 4 S t ro n g p a s s w o rd • Stronger password = • harder for others to guess • harder for brute force attack to succeed • At least 8 characters, include uppercase letter(s), include special character(s), include number(s), and not found in the dictionary • E.g. K#5r!g3y
  • 7. # 4 S t ro n g p a s s w o rd English alphabet (uppercase not distinguished) English alphabet (lower & upper) + number English alphabet (lower & upper) + number + special character Type of letters used Available number of letters Max. time needed to decrypt No. characters Ref: IPA 独立行政法人 情報処理推進機構:コンピュータウイルス・不正アクセスの届出状況[2008年9月分および第3四半期]について http://www.ipa.go.jp/security/txt/2008/10outline.html 3 sec. 2 min. 9 min. 54 days 5 days 37 min. 17 days 50 yrs. 32 yrs. 0.2m yrs. 1000 yrs. 10m yrs.
  • 8. #4 Strong password
      • WordPress’ password strength meter
      • Password manager software
          • 1Password - https://agilebits.com/onepassword
          • LastPass - https://lastpass.com/
  • 9. #5 Two-step authentication
      • = Two-factor authentication/verification
      • 2nd layer of secure login
      • Plugins (e.g.)
          • Google Authenticator - https://wordpress.org/plugins/google-authenticator/
          • Rublon - https://wordpress.org/plugins/rublon/
          • Jetpack - https://wordpress.org/plugins/jetpack/
              • Use the “sign in using your WordPress.com account” feature, and utilize its “Two Step Authentication” feature
      • E.g. Using Google Two-Factor Authentication With WordPress - Tuts+ Code Tutorial
        http://code.tutsplus.com/tutorials/using-google-two-factor-authentication-with-wordpress--cms-22263
  • 10. #6 Limit access to /wp-admin/
      • Limit by password protection (e.g. BasicAuth)
          • http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php
          • create .htpasswd
          • edit .htaccess
      • Limit by IP address
          • http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
      • For both methods, watch out for plugins that use admin-ajax.php (it lives under /wp-admin/, so front-end features that call it will break if the directory is locked down)
          • http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
  • 11. #7 Set the file permissions right
      • WordPress Codex’s recommendations are…
      • All directories should be 755 or 750
          find . -type d -print -exec chmod 755 {} \;
      • No directories should ever be given 777
      • All files should be 644 or 640
          find . -type f -print -exec chmod 644 {} \;
      • Except, wp-config.php should be 440 or 400
          chmod 440 wp-config.php
      • Changing File Permissions « WordPress Codex
        https://codex.wordpress.org/Changing_File_Permissions
  • 12. #8 Disable file editing
      • By default, administrators can edit Theme and Plugin files from the dashboard. This feature can be used by an attacker to insert malicious code…
      • To disable editing files in the dashboard, add this to wp-config.php:
          define('DISALLOW_FILE_EDIT', true);
      • http://codex.wordpress.org/Hardening_WordPress#Disable_File_Editing
  • 13. #10 Get Themes and Plugins from trusted sources, and delete if not used
      • The official repository at WordPress.org
      • Frequently updated, and still in continuous development
      • Delete any Themes and Plugins you are not using any more
  • 14. Extra — a note on the “admin” user
      • The username “admin” is often targeted by brute-force attacks
      • But even if you don’t use “admin”, an attacker can find out the username via http://example.com/?author=1
      • So not using “admin” does not mean it is safe
      • However, it is still a good practice because:
          • We know “admin” is targeted, so it is better not to use it
          • A high number of login attempts uses a lot of your server resources, and can bring the server down
  • 15. Extra — hide your WordPress version?
      • Hide your WordPress version, so the attacker won’t know which version you are using — Not True
          remove_action('wp_head', 'wp_generator');
      • There are other ways for attackers to find the version:
          • http://example.com/readme.html
          • Query string appended to style sheets and scripts, such as style.css?ver=4.1.0
          • And many more…
      • The WordPress Meta “generator” Tag Paranoia
        http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag-paranoia/
  • 16. Extra — some plugins
      • Wordfence Security
        https://wordpress.org/plugins/wordfence/
      • Login Security Solution
        https://wordpress.org/plugins/login-security-solution/
      • Crazy Bone
        https://wordpress.org/plugins/crazy-bone/
  • 17. Extra — some links
      • Hardening WordPress « WordPress Codex
        http://codex.wordpress.org/Hardening_WordPress
      • Brute Force Attacks « WordPress Codex
        http://codex.wordpress.org/Brute_Force_Attacks
      • WordPress Tavern
        http://wptavern.com/
      • Sucuri Blog | Website Security News
        https://blog.sucuri.net/
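Worked example for slide 11 (file permissions). The two `find ... -exec chmod` commands on the slide set every directory and file in one go but say nothing about the wp-config.php exception or about checking the result afterwards. The block below is an added example, not a script from the talk or from the Codex: it applies the slide's rules (755 directories, 644 files, 440 for wp-config.php) and then audits the tree, reporting anything world-writable or outside the 755/750, 644/640 and 440/400 sets. It builds a throwaway directory with deliberately wrong modes so it runs offline; the file names in that tree are made up.

```python
"""Apply and audit the Codex file-permission rules from the talk.

Added example; not the talk's own script. Builds a constructed WordPress-like
tree so it can be run anywhere; the paths inside it are made up.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755        # slide: directories 755 (or 750)
FILE_MODE = 0o644       # slide: files 644 (or 640)
CONFIG_MODE = 0o440     # slide: wp-config.php 440 (or 400)


def harden(root: str) -> None:
    """Same effect as the slide's two find/chmod commands plus the wp-config exception."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a symlink into something outside the tree
            os.chmod(path, CONFIG_MODE if name == "wp-config.php" else FILE_MODE)


def audit(root: str) -> list:
    """Return (relative path, octal mode) for every entry that breaks the rules.
    Anything world-writable (the 777 case the slide warns about) is always reported."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, n), False) for n in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if is_dir:
                ok = mode in (0o755, 0o750)
            elif os.path.basename(path) == "wp-config.php":
                ok = mode in (0o440, 0o400)
            else:
                ok = mode in (0o644, 0o640)
            if (mode & stat.S_IWOTH) or not ok:
                problems.append((os.path.relpath(path, root), oct(mode)))
    return problems


def demo() -> tuple:
    """Constructed tree with two classic mistakes: a 777 uploads dir and a 644 wp-config.php.
    Returns (problems before hardening, problems after hardening)."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("x")
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
        os.chmod(os.path.join(root, "wp-config.php"), 0o644)
        before = audit(root)
        harden(root)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run the audit before the chmod pass to see what a hosting control panel or a careless `chmod -R 777` left behind; on a real site run it as the user that owns the WordPress files, since 440 on wp-config.php only works when the web server process runs as that user or its group.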
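Worked example for slide 14 (the "admin" user). The slide makes two points a site owner can actually observe in the web server log: username enumeration through `?author=N` requests, and bursts of login attempts that eat server resources. The block below is an added example, not from the talk or from any of the plugins listed on slide 16; it parses Apache/nginx combined-format access log lines and flags both patterns. The log lines are constructed for the demo (the addresses are documentation ranges), and the threshold of 5 POSTs to wp-login.php per minute is an assumption to tune per site.

```python
"""Spot author enumeration and login bursts in a WordPress access log.

Added example; the log lines are constructed and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTHOR_RE = re.compile(r"[?&]author=\d+")

LOGIN_THRESHOLD = 5                    # assumption: this many POSTs to wp-login.php ...
LOGIN_WINDOW = timedelta(minutes=1)    # ... within this window from one address

# Constructed sample: one probing address, one legitimate editor logging in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2015:09:00:01 +0900] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.40"
203.0.113.7 - - [10/May/2015:09:00:02 +0900] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.40"
203.0.113.7 - - [10/May/2015:09:00:10 +0900] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "python-requests"
203.0.113.7 - - [10/May/2015:09:00:12 +0900] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "python-requests"
203.0.113.7 - - [10/May/2015:09:00:14 +0900] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "python-requests"
203.0.113.7 - - [10/May/2015:09:00:16 +0900] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "python-requests"
203.0.113.7 - - [10/May/2015:09:00:18 +0900] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "python-requests"
203.0.113.7 - - [10/May/2015:09:00:20 +0900] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "python-requests"
198.51.100.9 - - [10/May/2015:09:05:00 +0900] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2015:09:05:03 +0900] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield (ip, timestamp, method, path, status); lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["time"], TIME_FMT),
                   m["method"], m["path"], int(m["status"]))


def detect(log_text: str) -> dict:
    """Return addresses doing ?author= enumeration and addresses with login bursts
    (with the largest number of POSTs seen inside one LOGIN_WINDOW)."""
    enumerators = set()
    login_times = defaultdict(list)
    for ip, ts, method, path, _status in parse(log_text.splitlines()):
        if AUTHOR_RE.search(path):
            enumerators.add(ip)
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            login_times[ip].append(ts)

    bursts = {}
    for ip, times in login_times.items():
        times.sort()
        # sliding window anchored on each attempt: count attempts within LOGIN_WINDOW after it
        peak = max(sum(1 for t in times[i:] if t - start <= LOGIN_WINDOW)
                   for i, start in enumerate(times))
        if peak >= LOGIN_THRESHOLD:
            bursts[ip] = peak
    return {"author_enumeration": sorted(enumerators), "login_bursts": bursts}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Whether a login attempt failed is not visible in the access log (WordPress answers a failed login with 200 and a successful one with a 302 redirect), so the detection above counts attempts, not failures; that is also why the slide's resource-exhaustion point holds regardless of whether the guesses succeed.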