WordPress Security - 12 WordPress Security Fundamentals
Why Security?
• SEO / Google rankings
• Downtime - decreased revenue
• Website / business / personal credibility
• Increased costs of cleaning up the mess (potentially lawsuits)
• Lose everything - no site :-(
“How do I completely secure my site?”
It’s all about “risk”
“The probability that a particular security threat will exploit a particular vulnerability” - (ISC)²
Threat = A potential danger
Vulnerability = A Weakness
Weak Spots (Examples)
• WordPress (Core, Themes & Plugins)
  ‣ Bugs/Vulnerabilities in the code itself
• Hosting (Web & Database Server/s)
  ‣ Poor File Permissions
• You
  ‣ Weak Password Choice
There are some simple things you can do to reduce the risk
1. Update WordPress


• Simple
• If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain.
• This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
• REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site.
2. Rename “admin” account

• Make it hard for an attacker. If they already know your username, that’s half the battle.
• As of 3.0, WordPress asks upfront during installation for an admin account name: don’t use “admin”, and I recommend not using anything related to the domain.
• If you do happen to have an “admin” account there are a few options:
  ‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
  ‣ Create another administrator user, then log in as the new administrator user and delete the “admin” user.
  ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly
3. Change your table_prefix
• My what? It’s a database thing...
• Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default.
• Changing this can block at least some SQL injection attacks.
• Good news: WordPress now asks upfront during installation for you to specify a table prefix, so don’t use “wp”.
• If you haven’t changed your prefix:
  ‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
  ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly (remember to update your wp-config.php file as well)
4. Setup Security Keys

• Often referred to as salts: they add random elements to your password when encrypting the information in the cookies used during the WordPress login process
• They live in your site’s wp-config.php and can be changed at any time
• https://api.wordpress.org/secret-key/1.1/salt/
• WordPress now generates the salts for you if none are provided, but it’s better to be safe than sorry.
5. Use Strong Passwords
• Weak passwords leave your site vulnerable to:
  ‣ Brute force attacks
  ‣ Dictionary attacks
• Please use a strong password
• Don’t reuse passwords
• WordPress has a built-in strength meter (don’t ignore it)
• For example: Password1 (weak) versus jvYM89xwyzH?ah (strong)
• Try a password safe/generator like:
  ‣ 1Password (https://agilebits.com/onepassword)
  ‣ KeePass (http://keepass.info/)
6. Limit login attempts

• Restrict the number of failed attempts using a plugin like:
  ‣ Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
  ‣ Simple Login Lockdown - http://wordpress.org/extend/plugins/simple-login-lockdown/
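Detection for the failures these plugins lock out, as an added example that is not from the slides: it counts failed logins per client over a constructed access-log sample. It assumes the combined log format and that a failed WordPress login returns the form with HTTP 200 while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example (not from the slides): spot clients hammering wp-login.php in a
# combined-format access log. A failed WordPress login re-renders the form
# (HTTP 200) while a successful one redirects (302), so POSTs to wp-login.php
# answered with 200 approximate failed attempts. The log lines are constructed.

# Read a combined-format log on stdin and print "fails ip" for every client
# with more than $1 failed logins, most active first. A lockout plugin does the
# same count, but inside a time window, and then blocks the client.
login_offenders() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }
    ' | sort -rn
}

# Constructed sample: 203.0.113.10 fails six times, 198.51.100.7 fails once
# then succeeds, 192.0.2.55 only loads the login page.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        printf '203.0.113.10 - - [12/Mar/2013:09:01:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [12/Mar/2013:09:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [12/Mar/2013:09:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '192.0.2.55 - - [12/Mar/2013:09:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"\n'
}

# Stand-alone run: flag anyone over five failures, the kind of limit the
# lockdown plugins above let you configure.
sample_log | login_offenders 5
```

Pipe a real access log into login_offenders instead of sample_log to see which clients a lockout plugin would have stopped.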
7. Use SFTP or FTPS

• FTP transmits all data in the clear, including passwords
• If you need to regularly connect or upload files to your site, use SFTP or FTPS (especially if you are using public Wi-Fi)
8. Check File Permissions

• Tricky to get right (especially in shared hosting, where it is more important to get it right)
• A good rule of thumb is to set permissions to 644 for files and 755 for folders
• http://codex.wordpress.org/Changing_File_Permissions
9. Move wp-config.php

• wp-config.php is the main configuration file for your site
• WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
• Recommended that it is moved up one level (to the parent directory) to make sure only your account and the server can read the file
• If WordPress is located here:
  ‣ /public_html/mysite/wp-config.php
• You can move wp-config.php to here:
  ‣ /public_html/wp-config.php
• This makes it much more difficult for anyone to access your wp-config.php file as it now resides outside of your site’s root directory
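An added audit script (not from the slide deck) that checks a WordPress tree against fundamentals 3, 4, 8 and 9 above, first on a constructed weak install and then after applying the slides’ fixes. The demo paths, the check() helper and the use of the placeholder text from wp-config-sample.php as the “keys not set” signal are its own assumptions.

```shell
#!/bin/sh
# Added audit script (not from the slides). Checks a WordPress tree for the
# default wp_ table_prefix (slide 3), placeholder security keys (slide 4),
# files/directories that are not 644/755 (slide 8) and a wp-config.php still
# inside the web root (slide 9). The demo tree is constructed under mktemp.

# Count files that are not 644 and directories that are not 755 under $1.
perm_offenders() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | wc -l | tr -d ' '
}

# Locate wp-config.php the way WordPress does: web root first, then its parent.
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then printf '%s\n' "$1/wp-config.php"
    elif [ -f "$(dirname "$1")/wp-config.php" ]; then printf '%s\n' "$(dirname "$1")/wp-config.php"
    fi
}

# Print 1 if the config still sets $table_prefix = 'wp_', otherwise 0.
uses_default_prefix() {
    grep -Ec "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1" || true
}

# Print how many keys/salts still carry the wp-config-sample.php placeholder.
placeholder_salts() {
    grep -c 'put your unique phrase here' "$1" || true
}

# Report one finding: $1 is a count (0 = fine), $2 the OK text, $3 the warning.
check() {
    if [ "$1" -eq 0 ]; then echo "OK:   $2"; else echo "WARN: $3"; status=1; fi
}

# Audit the install rooted at $1; returns 1 if anything needs attention.
wp_audit() {
    root="$1"; status=0
    cfg=$(find_wp_config "$root")
    [ -n "$cfg" ] || { echo "FAIL: no wp-config.php in $root or its parent"; return 1; }
    case "$cfg" in "$root"/*) n=1 ;; *) n=0 ;; esac
    check "$n" "wp-config.php lives above the web root ($cfg)" "$cfg sits inside the web root: move it up one level"
    n=$(placeholder_salts "$cfg"); check "$n" "security keys are set" "$n security keys still use the sample placeholder"
    n=$(uses_default_prefix "$cfg"); check "$n" "table_prefix is not wp_" "table_prefix is still the default wp_"
    n=$(perm_offenders "$root"); check "$n" "permissions match 644/755" "$n paths are not 644 (files) / 755 (dirs)"
    return "$status"
}

# Build a constructed, deliberately weak install: wp-config.php in the web root
# with the default prefix and placeholder keys, a 777 uploads directory and a
# 666 file. Prints the web root path.
setup_demo() {
    base=$(mktemp -d)
    root="$base/public_html/mysite"
    mkdir -p "$root/wp-content/uploads"
    chmod 755 "$base/public_html" "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    chmod 666 "$root/index.php"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    chmod 644 "$root/wp-config.php"
    printf '%s\n' "$root"
}

# Apply the slides' fixes to the install rooted at $1: 644/755 everywhere,
# wp-config.php moved up one level, placeholder keys replaced with random
# values. The prefix is only reported: changing it also means renaming the
# database tables, which the slides leave to a plugin or to MySQL directly.
harden_demo() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
    cfg="$(dirname "$root")/wp-config.php"
    mv "$root/wp-config.php" "$cfg"
    while grep -q 'put your unique phrase here' "$cfg"; do
        key=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64)
        # replace only the first remaining placeholder so each key gets its own value
        awk -v k="$key" '!done && sub(/put your unique phrase here/, k) { done = 1 } 1' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
    chmod 644 "$cfg"
}

# Stand-alone run: audit the weak tree, harden it, audit again.
demo() {
    root=$(setup_demo)
    echo "== before hardening =="; wp_audit "$root" || true
    harden_demo "$root"
    echo "== after hardening =="; wp_audit "$root" || true
}
demo
```

Point wp_audit at a real document root to get the same report for your own site; only harden_demo changes anything on disk.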
10. Run Backups
• Hosts may provide backups
• However, often...
  ‣ they don’t back up the right things
  ‣ they don’t back up regularly enough
  ‣ they don’t know WordPress
  ‣ they may charge you to restore your site
• VaultPress - http://vaultpress.com/
• Backup Buddy - http://ithemes.com/purchase/backupbuddy/
• Or just plain old...
  ‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
  ‣ WordPress Export (note the export doesn’t contain your uploaded files or options)
11. Choose hosting wisely

• In my experience you get what you pay for
• Look for hosts that have:
  ‣ A good backup regime
  ‣ WordPress expertise (tougher than you think)
  ‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
12. Be Security Minded
• Keep your own machine clean
• Don’t share or reuse passwords
• If you use public computers, be sure to log out of WP
• If you use public networks:
  ‣ avoid using FTP (that’s the insecure one)
  ‣ avoid logging into WP if you’re not using HTTPS
There’s a plugin for that
• There is also a range of “all in one” solutions that will cover most of the above as well as things like:
  ‣ Remove the WordPress version/generator tag
  ‣ Remove update notifications
  ‣ Remove login error messages
  ‣ Change the location of login URLs
• http://wordpress.org/extend/plugins/better-wp-security/
• http://wordpress.org/extend/plugins/secure-wordpress/
• http://wordpress.org/extend/plugins/bulletproof-security/
• http://wordpress.org/extend/plugins/wp-security-scan/
Extra Resources

• http://codex.wordpress.org/Hardening_WordPress
• http://build.codepoet.com/2012/07/10/locking-down-wordpress/ (E-book)
• http://codex.wordpress.org/Changing_File_Permissions
• http://sucuri.net/ (Malware Scanner)
Summary
1. Update WordPress
2. Rename “admin” user
3. Change the table_prefix
4. Setup Security Keys
5. Use Strong Passwords
6. Limit Login Attempts
7. Use SFTP or FTPS
8. Check File Permissions
9. Move wp-config.php
10. Run Backups
11. Choose Hosting Wisely
12. Be Security Minded
THANK YOU

Digital magic. A small project for controlling smart light bulbs.
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

WordPress Security - 12 WordPress Security Fundamentals

  • 1. WordPress Security: 12 WordPress Security Fundamentals
  • 2. Why Security?
    • SEO / Google rankings
    • Downtime - Decreased Revenue
    • Website / Business / Personal Credibility
    • Increased Costs with cleaning up the mess (potentially lawsuits)
    • Lose everything - no site :-(
  • 3. “How do I completely secure my site?”
  • 5. It’s all about “risk”
  • 6. “The probability that a particular security threat will exploit a particular vulnerability” (ISC)²
  • 7. Threat = A potential danger
  • 11. Vulnerability = A Weakness
  • 13. Weak Spots (Examples)
    • WordPress (Core, Themes & Plugins)
      ‣ Bugs/Vulnerabilities in the code itself
    • Hosting (Web & Database Server/s)
      ‣ Poor File Permissions
    • You
      ‣ Weak Password Choice
  • 14. There are some simple things you can do to reduce the risk
  • 16. Update WordPress
  • 17.
    • If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain.
    • This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
  • 18.
    • REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site.
  • 19. 2. Rename “admin” account
    • Make it hard for an attacker. If they already know your username, that’s half the battle.
    • As of 3.0, WordPress asks upfront during installation for an admin account name - don't use "admin", and I recommend not using anything related to the domain.
  • 20.
    • If you do happen to have an “admin” account there are a few options:
      ‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
      ‣ Create another administrator user, then log in as the new administrator user and delete the "admin" user.
      ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly
  • 22. 3. Change your table_prefix
    • My what? It's a database thing...
    • Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default.
    • Changing this can block at least some SQL injection attacks.
    • Good news - WordPress now asks upfront during installation for you to specify a table prefix - so don’t use “wp”.
  • 23.
    • If you haven’t changed your prefix:
      ‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
      ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly (remember to update your wp-config.php file as well)
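To show what "get your hands dirty with MySQL" actually involves, here is an added example (not from the slides) that performs the prefix change on a constructed SQLite stand-in for the WordPress tables; the schema subset, the new prefix `k9x_` and the helper names are my own. It also covers the step that is easy to miss: the `wp_user_roles` option and the per-user `wp_capabilities`/`wp_user_level` meta keys carry the prefix in their values and must be renamed too, or every user ends up with no role.

```python
import re
import sqlite3

def make_demo_db(prefix="wp_"):
    """Constructed in-memory stand-in for a WordPress database (SQLite so the
    example runs offline); the same statements apply to MySQL on a real site."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute(f"CREATE TABLE {prefix}options (option_name TEXT, option_value TEXT)")
    c.execute(f"CREATE TABLE {prefix}users (ID INTEGER, user_login TEXT)")
    c.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    c.execute(f"INSERT INTO {prefix}options VALUES (?, ?)", (prefix + "user_roles", "a:5:{...}"))
    c.execute(f"INSERT INTO {prefix}options VALUES ('siteurl', 'https://example.test')")
    c.execute(f"INSERT INTO {prefix}users VALUES (1, 'jane')")
    c.executemany(f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)", [
        (1, prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (1, prefix + "user_level", "10"),
        (1, "nickname", "Jane"),           # not prefixed: must be left alone
    ])
    conn.commit()
    return conn

def change_table_prefix(conn, old, new):
    """Rename every `old`-prefixed table to `new`, then fix the rows whose
    *keys* embed the prefix (`wp_user_roles` in options, `wp_capabilities` and
    `wp_user_level` in usermeta). Renaming the tables alone leaves every user
    with no role, which is the classic way this change goes wrong."""
    if not re.fullmatch(r"[a-z0-9_]+", new):
        raise ValueError("prefix must be lowercase letters, digits and underscore")
    # LIKE treats "_" as a single-character wildcard, so escape it:
    # an unescaped 'wp_%' would also match a table called 'wpxfoo'.
    like_old = old.replace("_", r"\_") + "%"
    c = conn.cursor()
    tables = [r[0] for r in c.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE ? ESCAPE '\\'",
        (like_old,))]
    for name in tables:
        c.execute(f'ALTER TABLE "{name}" RENAME TO "{new}{name[len(old):]}"')
    c.execute(f'UPDATE "{new}options" SET option_name = ? WHERE option_name = ?',
              (new + "user_roles", old + "user_roles"))
    c.execute(f'UPDATE "{new}usermeta" SET meta_key = ? || substr(meta_key, ?) '
              "WHERE meta_key LIKE ? ESCAPE '\\'", (new, len(old) + 1, like_old))
    conn.commit()
    return sorted(r[0] for r in c.execute("SELECT name FROM sqlite_master WHERE type='table'"))

def capabilities_for(conn, prefix, user_id):
    """What WordPress does on login: read `{prefix}capabilities` for the user."""
    row = conn.execute(f'SELECT meta_value FROM "{prefix}usermeta" '
                       "WHERE user_id = ? AND meta_key = ?",
                       (user_id, prefix + "capabilities")).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_demo_db()
    print(change_table_prefix(db, "wp_", "k9x_"))
    print(capabilities_for(db, "k9x_", 1))
```

After the rename, `$table_prefix` in wp-config.php must be set to the same new value, as the slide says.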
  • 25. 4. Setup Security Keys
    • Often referred to as Salts - they add random elements to your password when encrypting information in cookies (that are used during the WordPress login process)
    • They live in your site's wp-config.php and can be changed at any time
    • https://api.wordpress.org/secret-key/1.1/salt/
  • 27. • WordPress now generates the salts for you if none are provided - but it’s better to be safe than sorry.
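Added example (my own code, not from the slides) that rotates the eight key/salt constants in a wp-config.php file: existing defines are rewritten in place, missing ones are inserted before the "stop editing" marker, and values come from the OS random generator rather than the api.wordpress.org endpoint. The sample config text, the character set and the helper names are assumptions made for the demo.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Characters that are safe inside a PHP single-quoted literal (no ' or \).
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}|;:,.~"
# define('NAME', 'value');  with either quote style and loose spacing
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"]([A-Z_]+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")

def generate_salt(length=64):
    """One fresh salt from the OS CSPRNG (generated locally instead of
    fetching it from api.wordpress.org)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def parse_salts(config_text):
    """Map of salt name -> current value as defined in the file."""
    found = {}
    for line in config_text.splitlines():
        m = DEFINE_RE.match(line)
        if m and m.group(1) in SALT_KEYS:
            found[m.group(1)] = m.group(3)
    return found

def rotate_salts(config_text):
    """Return (new_text, replaced, added). Existing salt defines are rewritten
    in place; missing ones are inserted before the "stop editing" marker.
    Rotating salts invalidates every login cookie, so expect all users
    (you included) to be logged out afterwards."""
    replaced, out = set(), []
    for line in config_text.splitlines(keepends=True):
        m = DEFINE_RE.match(line)
        if m and m.group(1) in SALT_KEYS:
            out.append(f"define('{m.group(1)}', '{generate_salt()}');\n")
            replaced.add(m.group(1))
        else:
            out.append(line)
    added = [k for k in SALT_KEYS if k not in replaced]
    if added:
        block = "".join(f"define('{k}', '{generate_salt()}');\n" for k in added)
        idx = next((i for i, l in enumerate(out) if "stop editing" in l), len(out))
        out.insert(idx, block)
    return "".join(out), replaced, added

# Constructed wp-config.php fragment: two placeholder salts, six missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_demo');
define('AUTH_KEY', 'put your unique phrase here');
define( 'SECURE_AUTH_KEY',  "put your unique phrase here" );
$table_prefix = 'k9x_';
/* That's all, stop editing! Happy blogging. */
"""

if __name__ == "__main__":
    text, replaced, added = rotate_salts(SAMPLE_CONFIG)
    print(text)
```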
  • 29. 5. Use Strong Passwords
    • Weak passwords leave your site vulnerable to:
      ‣ Brute Force Attacks
      ‣ Dictionary Attacks
    • Please use a strong password
    • Don’t reuse passwords
    • WordPress has a built-in strength meter (don’t ignore it)
  • 32.
    • Try a password safe/generator like:
      ‣ 1Password (https://agilebits.com/onepassword)
      ‣ KeePass (http://keepass.info/)
  • 33. 6. Limit login attempts
    • Restrict the number of failed attempts using a plugin like:
      ‣ Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
      ‣ Simple Login Lockdown - http://wordpress.org/extend/plugins/simple-login-lockdown/
  • 35. 7. Use SFTP or FTPS
    • FTP transmits all data in the clear - including passwords
    • If you need to regularly connect or upload files to your site, use SFTP or FTPS (especially if you are using public wifi)
  • 36. 8. Check File Permissions
    • Tricky to get right (especially in shared hosting, where it is more important to get it right)
    • A good rule of thumb is to set permissions to 644 for files and 755 for folders
  • 39. 9. Move wp-config.php
    • wp-config.php is the main configuration file for your site
    • WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
    • Recommended that it is moved up one level (to the parent directory) to make sure only your account and the server can read the file
  • 40.
    • If WordPress is located here:
      ‣ /public_html/mysite/wp-config.php
    • You can move wp-config.php to here:
      ‣ /public_html/wp-config.php
  • 41.
    • This makes it much more difficult for anyone to access your wp-config.php file as it now resides outside of your site's root directory
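Added example (my own code, not from the slides) covering points 8 and 9 together: it audits a WordPress tree against the 644/755 rule of thumb, looks for wp-config.php in the site root and then one level up (the same order WordPress uses), holds that file to mode 600 because it carries the database credentials and the salts, and can tighten whatever it reports. The `/public_html/mysite` layout is built in a temporary directory as constructed demo data, with two deliberately loose paths.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE, DIR_MODE = 0o644, 0o755   # the slide's rule of thumb

def locate_wp_config(wp_root):
    """Mirror WordPress's lookup order: the site root, then one directory up."""
    root = Path(wp_root)
    for candidate in (root / "wp-config.php", root.parent / "wp-config.php"):
        if candidate.is_file():
            return candidate
    return None

def audit_permissions(wp_root):
    """List (relative path, actual mode, expected mode) for every path that is
    looser than the baseline; wp-config.php is held to 600 wherever it lives."""
    root = Path(wp_root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or path.name == "wp-config.php":
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        want = DIR_MODE if path.is_dir() else FILE_MODE
        if mode & ~want:  # any permission bit the baseline does not grant
            findings.append((path.relative_to(root).as_posix(), oct(mode), oct(want)))
    cfg = locate_wp_config(root)
    if cfg is not None:
        mode = stat.S_IMODE(cfg.stat().st_mode)
        if mode & 0o077:  # group or world can read the credentials
            findings.append((os.path.relpath(cfg, root), oct(mode), "0o600"))
    return sorted(findings)

def apply_baseline(wp_root, findings):
    """Tighten each reported path to its expected mode; returns how many changed."""
    for rel, _actual, expected in findings:
        os.chmod(Path(wp_root) / rel, int(expected, 8))
    return len(findings)

def make_demo_install():
    """Constructed layout for this example: /public_html/mysite with
    wp-config.php moved up one level as the slide suggests, plus a
    world-writable uploads folder, a group-writable file and a world-readable config."""
    base = Path(tempfile.mkdtemp())
    site = base / "public_html" / "mysite"
    uploads = site / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (site / "index.php").write_text("<?php // demo\n")
    (uploads / "photo.jpg").write_bytes(b"")
    (base / "public_html" / "wp-config.php").write_text("<?php // demo config\n")
    for p, mode in ((site, 0o755), (site / "wp-content", 0o755), (uploads, 0o777),
                    (site / "index.php", 0o644), (uploads / "photo.jpg", 0o664),
                    (base / "public_html" / "wp-config.php", 0o644)):
        os.chmod(p, mode)
    return site

if __name__ == "__main__":
    site = make_demo_install()
    for finding in audit_permissions(site):
        print(finding)
```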
  • 43. 10. Run Backups
    • Hosts may provide backups
    • However, often...
      ‣ they don’t back up the right things
      ‣ they don’t back up regularly enough
      ‣ they don’t know WordPress
      ‣ they may charge you to restore your site
  • 45. Backup Buddy - http://ithemes.com/purchase/backupbuddy/
  • 46.
    • Or just plain old...
      ‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
      ‣ WordPress Export (note the export doesn’t contain your uploaded files or options)
  • 48. 11. Choose hosting wisely
    • In my experience you get what you pay for
    • Look for hosts that have
      ‣ Good backup regime
      ‣ WordPress Expertise (tougher than you think)
      ‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
  • 49. 12. Be Security Minded
    • Keep your own machine clean
    • Don’t share or reuse passwords
    • If you use public computers, be sure to log out of WP
    • If you use public networks
      ‣ avoid using ftp (that's the insecure one)
      ‣ avoid logging into WP if you're not using HTTPS
  • 50. There’s a plugin for that
    • There is also a range of “all in one” solutions that will cover most of the above as well as things like:
      ‣ Remove the WordPress version/generator tag
      ‣ Remove update notifications
      ‣ Remove login error messages
      ‣ Change location of login urls
  • 51.
    • http://wordpress.org/extend/plugins/better-wp-security/
    • http://wordpress.org/extend/plugins/secure-wordpress/
    • http://wordpress.org/extend/plugins/bulletproof-security/
    • http://wordpress.org/extend/plugins/wp-security-scan/
  • 52. Extra Resources
    • http://codex.wordpress.org/Hardening_WordPress
    • http://build.codepoet.com/2012/07/10/locking-down-wordpress/ (E-book)
    • http://codex.wordpress.org/Changing_File_Permissions
    • http://sucuri.net/ (Malware Scanner)
  • 53. Summary
    1. Update WordPress
    2. Rename “admin” user
    3. Change the table_prefix
    4. Setup Security Keys
    5. Use Strong Passwords
    6. Limit Login Attempts
    7. Use SFTP or FTPS
    8. Check File Permissions
    9. Move wp-config.php
    10. Run Backups
    11. Choose Hosting Wisely
    12. Be Security Minded
  • 54. THANK YOU