9. WP PLUGINS SECURITY STATE
“Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection”
http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPressTop-50-Plugins.pdf
23. SECURE YOUR COMPUTERS
• Keep your OS and all programs updated
• Install Anti-Virus software
• Use personal firewalls
• Open sites via HTTPS whenever possible
• Use SSH or SFTP instead of FTP
26. SOME EXAMPLES
• PHP-CGI Vulnerability - versions before 5.3.12/5.4.2
• MySQL/MariaDB Vulnerability - versions before 5.5.25
• Apache range header DoS - versions before 2.2.20
29. APACHE SYMLINK VULNERABILITY
The Problem:
public_html/fred.txt -> /home/otheracct/public_html/wp-config.php (a symlink in one account's web root pointing at another account's wp-config.php, which Apache follows and serves)
The Solution:
Add to httpd.conf or .htaccess file: Options +SymLinksIfOwnerMatch (in place of FollowSymLinks), so a symlink is only followed when link and target have the same owner
33. SSH COMMAND TO CORRECT
PERMISSIONS
• find /wordpress -type d -exec chmod 755 {} \;
• find /wordpress -type f -exec chmod 644 {} \;
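The two find commands above as an added example (not from the original slides): a small POSIX shell script that first audits a WordPress tree for directories and files whose modes differ from 755/644 and then applies the fix. The 640 mode for wp-config.php is an assumption added here, not something the slides state.

```shell
#!/bin/sh
# Added example (not from the original slide deck).
# Assumes a POSIX shell with find, chmod and either GNU or BSD stat.

# Print the octal mode of a path; GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_perms DIR: list every directory not at 755 and every file not at
# 644 (wp-config.php is exempt because fix_wp_perms tightens it further).
# Returns 0 when the tree conforms, 1 when any path deviates.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 \
        -exec sh -c 'printf "dir  %s\n" "$1"' _ {} \;
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        -exec sh -c 'printf "file %s\n" "$1"' _ {} \;
    n=$(find "$root" \( -type d ! -perm 755 \) -o \
        \( -type f ! -name wp-config.php ! -perm 644 \) | wc -l)
    [ "$n" -eq 0 ]
}

# fix_wp_perms DIR: the slide's two commands, plus a tighter mode for
# wp-config.php since it holds the DB credentials and secret keys.
# 640 is an assumption; use whatever your web server user actually needs.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}
```

Run `audit_wp_perms /path/to/wordpress` before and after `fix_wp_perms /path/to/wordpress` to see what changed.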
34. GENERAL GUIDELINES
• Use Secret Keys - http://api.wordpress.org/secret-key/1.1/salt
• Move wp-config.php to parent folder
• Use SSL for wp-login.php
• Allow admin access only from certain IPs