Security
Tips & Tricks in securing your WordPress installation
About Me 
• WordPress Plugins Developer 
– Since 2003 
– Created > 22 plugins 
• wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, etc.
• http://profiles.wordpress.org/gamerz 
• Tech Guy in Tech in Asia 
– Joined on 1st September 2014 
Lester Chan (@gamerz) [ 2 ]
WordPress Is Popular
• Powers 22% of the web
• Many high-profile blogs run on WordPress
– Mashable.com
– Techcrunch.com
• Because it is popular, a large share of automated attacks are aimed at WordPress sites: one working exploit scales to millions of targets
Hack Attempts
• Code injected into wp-includes/users.php, in the login path, to harvest credentials: every login attempt appends the username and clear-text password to a file disguised as an .htaccess inside the plugins folder, for the attacker to read back later
  $fh = fopen(ABSPATH . "core/wp-content/plugins/.htaccess", "a+"); // append mode, created if missing
  fwrite($fh, $credentials['user_login'] . ':' . $credentials['user_password'] . "\n");
  fclose($fh);
• Backdoor files (web shells) dropped into the tree so the attacker keeps access even after passwords are changed
Security 101
• Always keep WordPress, its plugins and its themes up to date.
– 20th November 2014
• WordPress 4.0.1 was released to fix:
– Three cross-site scripting issues that a contributor or author could use to compromise a site.
– A cross-site request forgery that could be used to trick a user into changing their password.
– An issue that could lead to a denial of service when passwords are checked.
– An extremely unlikely hash collision that could allow a user's account to be compromised.
Passwords
• Use a complex, unique password
– In general: not just for WordPress but for your cPanel/FTP and database accounts as well, since any of them gives the same access to the site
• Use a 2FA plugin
– Google Authenticator
• https://wordpress.org/plugins/google-authenticator/
– Authy Two Factor Authentication
• https://wordpress.org/plugins/authy-two-factor-authentication/
Passwords
• Protect wp-admin with a second password at the web-server level (HTTP Basic auth), so brute-force attempts against the dashboard never reach WordPress' own code
– Generate the password file with htpasswd (or http://www.htaccesstools.com/htpasswd-generator/) and store it outside the web root
– Place this .htaccess in wp-admin:
ErrorDocument 401 default
AuthName "Lester Chan's Website WordPress Admin"
AuthUserFile "/home/gamerz/wp-admin/passwd"
AuthType Basic
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
– The <Files> block exempts admin-ajax.php, which front-end plugins call on behalf of logged-out visitors; on Apache 2.4 without mod_access_compat the Order/Allow pair becomes "Require all granted"
– wp-login.php lives in the site root, not in wp-admin/, so shield it with a matching <Files wp-login.php> block in the root .htaccess if the login form itself should be covered
– Basic auth only base64-encodes the credentials on every request, so this layer is worthless over plain HTTP: combine it with the HTTPS setup on the next slide
HTTPS
• HTTPS encrypts the traffic between the browser and wp-admin, including the login form and the authentication cookies.
• Without it, anyone on the network path (public Wi-Fi, a compromised router) can read or alter the session: a man-in-the-middle attack.
• In wp-config.php:
– define('FORCE_SSL_ADMIN', true);
– define('FORCE_SSL_LOGIN', true); // deprecated since WordPress 4.0: FORCE_SSL_ADMIN already covers the login page
• Behind a TLS-terminating proxy or load balancer WordPress only sees plain HTTP and will redirect in a loop, so set $_SERVER['HTTPS'] = 'on' when the HTTP_X_FORWARDED_PROTO header is "https", before these defines.
Files/Folder Permissions
• Files and folders should be writable only by their owner and readable by everyone else (never 777)
• Ensure all files are CHMOD 644
– find . -type f -exec chmod 644 {} \;
• Ensure all folders are CHMOD 755
– find . -type d -exec chmod 755 {} \;
• Exception: wp-config.php holds the database credentials and the secret keys, so keep it unreadable to "other" (640, or 600 when PHP runs as the file owner)
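The two find commands above fix permissions but say nothing about what was wrong. The script below is an added example, not from the slides: it first audits a site tree for anything that deviates from the 644/755 baseline (world-writable entries, drifted files and directories, a world-readable wp-config.php), then applies the fix. It uses only POSIX sh and find; the site root path and the choice of 640 for wp-config.php are assumptions you adjust to your host.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress tree against the 644/755
# baseline, flag world-writable entries and a world-readable wp-config.php, and
# apply the fix. POSIX sh and find; run it as the owner of the files. The site
# root path is whatever you pass in.

audit_perms() {  # audit_perms SITE_ROOT -> one finding per line; returns 0 only when clean
  root="$1"; out=$(mktemp)
  # writable by "other" is the classic chmod 777 mistake: any local user (or a
  # compromised neighbour on shared hosting) can plant files
  find "$root" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /' >>"$out"
  # files that drifted from 644 (.git objects and wp-config.php are judged separately)
  find "$root" -type f ! -path '*/.git/*' ! -name wp-config.php ! -perm 644 -print \
    | sed 's/^/FILE-NOT-644 /' >>"$out"
  # directories that drifted from 755
  find "$root" -type d ! -path '*/.git' ! -path '*/.git/*' ! -perm 755 -print \
    | sed 's/^/DIR-NOT-755 /' >>"$out"
  # wp-config.php holds the DB password and the salts: "other" must not read it
  if [ -f "$root/wp-config.php" ] && [ -n "$(find "$root/wp-config.php" -perm -004)" ]; then
    echo "CONFIG-WORLD-READABLE $root/wp-config.php" >>"$out"
  fi
  cat "$out"
  n=$(wc -l <"$out" | tr -d ' ')
  rm -f "$out"
  [ "$n" -eq 0 ]
}

fix_perms() {  # fix_perms SITE_ROOT -> the two chmod one-liners from the slide, plus wp-config.php
  root="$1"
  find "$root" -type d ! -path '*/.git' ! -path '*/.git/*' -exec chmod 755 {} \;
  find "$root" -type f ! -path '*/.git/*' -exec chmod 644 {} \;
  # 640 lets a web-server group read it; use 600 when PHP runs as the file owner (suexec / FPM pools)
  if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# usage: sh wp-perms.sh audit /home/gamerz/public_html   |   sh wp-perms.sh fix /home/gamerz/public_html
case "${1:-}" in
  audit) audit_perms "$2" ;;
  fix)   fix_perms "$2" && audit_perms "$2" ;;
esac
```

Run the audit from cron and mail yourself the output: an empty report is the normal case, so any line at all is worth reading. The .git exclusions exist because the Git-checkout layout from the later slides keeps read-only objects under .git that would otherwise flood the report.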
WordPress Uploads
• /wp-content/uploads/
– A common attack vector because it stores user-uploaded files: an attacker who gets a PHP file in here (through a careless upload form, a vulnerable plugin or stolen FTP credentials) has code execution on the server
– Harder to notice, because the folder changes legitimately all the time and one more file does not stand out
– Most people will just CHMOD it to 777
• Which means every account on the server can read and write to it
– This folder should only serve static assets and never execute scripts: deny requests for .php and other interpreted files in an .htaccess there (or the equivalent location block on nginx)
• http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess
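The slide links to the rule rather than showing it. The following is an added example, not part of the slides or the linked answer: a shell function that writes an .htaccess into the uploads folder refusing to serve any interpretable file (including double extensions such as shell.php.jpg), and a second function that lists script files already sitting there. It assumes Apache with AllowOverride enabled for the directory; the uploads path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the slides): write an .htaccess that stops Apache from
# executing anything under wp-content/uploads, then list script files that are
# already there. Assumes Apache with AllowOverride enabled for the directory;
# on nginx use  location ~* ^/wp-content/uploads/.*\.php { return 403; }  instead.

harden_uploads() {  # harden_uploads UPLOADS_DIR -> writes UPLOADS_DIR/.htaccess
  cat >"$1/.htaccess" <<'EOF'
# Uploads are static assets only: refuse to serve any interpretable file.
# The "($|\.)" tail also catches double extensions such as shell.php.jpg,
# which mod_mime hands to the PHP handler when AddHandler is in use.
<FilesMatch "\.(php|phtml|phps|php[0-9]|pl|py|cgi|sh)($|\.)">
  Order deny,allow
  Deny from all
</FilesMatch>
# Apache 2.4 without mod_access_compat: replace the two Order/Deny lines with
#   Require all denied
# Belt and braces: drop any handler/type mapping inherited from the vhost.
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi
RemoveType .php .phtml .php3 .php4 .php5 .pl .py .cgi
EOF
  chmod 644 "$1/.htaccess"
}

find_uploaded_scripts() {  # find_uploaded_scripts UPLOADS_DIR -> files the rule above would block
  find "$1" -type f \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' -o -name '*.php[0-9]' \
    -o -name '*.pl' -o -name '*.py' -o -name '*.cgi' -o -name '*.sh' \) -print
}

# usage: sh wp-uploads.sh harden /home/gamerz/public_html/wp-content/uploads
#        sh wp-uploads.sh scan   /home/gamerz/public_html/wp-content/uploads
case "${1:-}" in
  harden) harden_uploads "$2" ;;
  scan)   find_uploaded_scripts "$2" ;;
esac
```

Anything the scan reports was never a legitimate upload, so treat a hit as an incident rather than a cleanup task: find out how it got there before deleting it. The .htaccess only helps if Apache is allowed to read it, which is exactly what AllowOverride controls; confirm with a test request for a harmless .php file in the folder and expect a 403.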
Monitor Changed Files
• I get an email every day listing the files on my site that changed in the last 24 hours
• Using CRON
– find /home/gamerz/public_html -mtime -1
– Caveat: -mtime trusts the timestamp, which an attacker can reset with touch; compare content hashes (or use git status, next slide) when you need a stronger check
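The cron one-liner above catches sloppy attackers; the script below is an added example that is not part of the slides and serves two of them: it replaces the mtime check with a stored hash baseline (added, modified and deleted files are all reported, and resetting timestamps does not hide a change), and it greps for the credential-harvesting pattern shown on the "Hack Attempts" slide. It assumes GNU coreutils sha256sum (macOS: shasum -a 256) and POSIX find, sort, comm and grep; every path, and the cron line in the comment, is an assumption.

```shell
#!/bin/sh
# Added example (not the slide's cron one-liner): compare the site against a
# stored hash baseline so that added, modified and deleted files are reported
# even if the attacker resets timestamps with touch, and grep for the
# credential-harvesting pattern from the "Hack Attempts" slide. Assumes GNU
# coreutils sha256sum (macOS: shasum -a 256); every path is an assumption.

hash_tree() {  # hash_tree SITE_ROOT -> sorted "hash  ./path" lines; skips .git and uploads
  # uploads changes legitimately with every post; scan it for scripts separately
  (cd "$1" && find . -type f ! -path './.git/*' ! -path './wp-content/uploads/*' \
     -exec sha256sum {} + | LC_ALL=C sort)
}

make_baseline() {  # make_baseline SITE_ROOT BASELINE_FILE  (keep the file outside the web root)
  hash_tree "$1" >"$2"
}

check_integrity() {  # check_integrity SITE_ROOT BASELINE_FILE -> ADDED/DELETED/MODIFIED lines; 0 only when clean
  cur=$(mktemp); bp=$(mktemp); cp_=$(mktemp); out=$(mktemp)
  hash_tree "$1" >"$cur"
  sed 's/^[0-9a-f]*  //' "$2"   | LC_ALL=C sort >"$bp"    # baseline paths
  sed 's/^[0-9a-f]*  //' "$cur" | LC_ALL=C sort >"$cp_"   # current paths
  LC_ALL=C comm -13 "$bp" "$cp_" | sed 's/^/ADDED    /' >>"$out"
  LC_ALL=C comm -23 "$bp" "$cp_" | sed 's/^/DELETED  /' >>"$out"
  # a hash line that is new, but whose path already existed, means the content changed
  LC_ALL=C comm -13 "$2" "$cur" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort \
    | LC_ALL=C comm -12 - "$bp" | sed 's/^/MODIFIED /' >>"$out"
  cat "$out"
  n=$(wc -l <"$out" | tr -d ' ')
  rm -f "$cur" "$bp" "$cp_" "$out"
  [ "$n" -eq 0 ]
}

scan_for_harvester() {  # scan_for_harvester SITE_ROOT -> PHP files where one line writes a file and touches the submitted password
  # heuristic only: core never writes a password to disk, so any hit deserves a look
  grep -rlE --include='*.php' 'fwrite.*user_password|user_password.*fwrite' "$1"
}

# crontab example, mailed daily (address is an assumption):
#   0 6 * * * sh /home/gamerz/bin/wp-integrity.sh check /home/gamerz/public_html /home/gamerz/.wp-baseline | mail -s "WP changes" me@example.com
case "${1:-}" in
  baseline) make_baseline "$2" "$3" ;;
  check)    check_integrity "$2" "$3"; scan_for_harvester "$2" ;;
esac
```

Rebuild the baseline right after every update you perform yourself, so the daily report only ever contains changes you did not make. Keep the baseline file outside the web root and, ideally, on another machine: a baseline the attacker can edit proves nothing.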
Using Git
• /core/
– A Git checkout of https://github.com/WordPress/WordPress, pinned to the release tag
– git fetch --tags; git checkout 4.0.1
• /content/
– A Git checkout of my private repository
– Contains all my active plugins and themes
• Running git status in either folder lists every added or modified file, so an injected backdoor shows up as an untracked or changed path; run it from the same cron job as the find on the previous slide
Backup
• Back up your database regularly
– Every hour if you blog more than once a day
– Every day if you blog regularly
– Using a plugin like WP-DBManager
• https://wordpress.org/plugins/wp-dbmanager/
• Back up your /uploads/ folder as well (a database dump does not contain it)
– Using Git? (not ideal for large binary files)
– FTP to S3/Dropbox?
– NAS
– GlusterFS
• Keep at least one copy off the server: a compromised host means compromised backups
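For readers who prefer a cron job over a plugin, here is an added example, not from the slides and not WP-DBManager: a MySQL dump with a retention window. It reads the credentials out of wp-config.php so they are not duplicated, snapshots InnoDB tables without locking the blog, and prunes dumps older than the newest N. mysqldump and gzip are assumed to be installed; every path, the retention count and the crontab line are assumptions. The config parser handles the plain define('NAME', 'value') lines WordPress writes; a password that itself contains a quote needs a real parser.

```shell
#!/bin/sh
# Added example (not from the slides and not WP-DBManager): a cron-driven MySQL
# dump with a retention window. Credentials are read from wp-config.php so they
# live in one place; mysqldump and gzip are assumed to be installed and every
# path is an assumption. Simple define('X', 'y') lines only: a password that
# itself contains a quote needs a proper parser.

wp_config_value() {  # wp_config_value WP_CONFIG NAME -> value of define('NAME', '...')
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

dump_db() {  # dump_db WP_CONFIG BACKUP_DIR -> writes BACKUP_DIR/db-YYYYMMDD-HHMMSS.sql.gz and prints its path
  cfg="$1"; dir="$2"
  name=$(wp_config_value "$cfg" DB_NAME); user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD); host=$(wp_config_value "$cfg" DB_HOST)
  mkdir -p "$dir" && chmod 700 "$dir"          # a dump is the whole site: keep it private
  out="$dir/db-$(date +%Y%m%d-%H%M%S).sql"
  # MYSQL_PWD keeps the password out of the process list (ps shows arguments, not
  # the environment); --single-transaction snapshots InnoDB tables without locking the blog.
  # ${host%%:*} drops a ":port" suffix from DB_HOST; a non-default port needs -P as well.
  if ! MYSQL_PWD="$pass" mysqldump --single-transaction --quick \
       -h "${host%%:*}" -u "$user" "$name" >"$out"; then
    rm -f "$out"; echo "dump of $name failed" >&2; return 1
  fi
  gzip -9 "$out" && echo "$out.gz"
}

prune_backups() {  # prune_backups BACKUP_DIR KEEP -> deletes all but the newest KEEP dumps, printing each one removed
  dir="$1"; keep="$2"
  total=$(ls -1 "$dir"/db-*.sql.gz 2>/dev/null | wc -l | tr -d ' ')
  excess=$((total - keep))
  [ "$excess" -gt 0 ] || return 0
  # the timestamp in the name sorts chronologically, so the first lines are the oldest
  ls -1 "$dir"/db-*.sql.gz | LC_ALL=C sort | head -n "$excess" | while read -r f; do
    rm -f "$f" && echo "pruned $f"
  done
}

# crontab example (hourly dump, keep the last 48; paths are assumptions):
#   0 * * * * sh /home/gamerz/bin/wp-backup.sh /home/gamerz/public_html/wp-config.php /home/gamerz/backups 48
if [ $# -eq 3 ]; then
  dump_db "$1" "$2" && prune_backups "$2" "$3"
fi
```

The backup directory must not be under public_html, or the dump (which contains every password hash and every private draft) becomes downloadable. Copy the newest file off the host in the same cron job, for example with an rsync or S3 upload, so that a wiped server does not also wipe the history.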
VaultPress 
• https://vaultpress.com/ 
– By Automattic 
• Company behind WordPress.com 
– Paid 
• Lite (USD$55/year), Basic (USD$165/year), Premium (USD$440/year)
– Features
• Realtime full (database + files) backup
• Scanning your site for dangerous files
• Automatic restore of database + files
WordFence 
• http://www.wordfence.com/ 
• By Feedjit Inc 
– Paid 
• USD$39/year 
– Features 
• Cellphone Sign-in 
• Network & Geo Blocking 
• Site Repair 
• Machine Learning 
• Source Code Verification 
Summary
• Password-protected WP-Admin
• Use Google Authenticator (or Authy) as 2FA login for WordPress
• HTTPS for WP-Admin
• Ensure all files are CHMOD 644 and folders 755
• Do not allow any script execution in the /uploads/ folder
• Monitor your site's changed files
• Back up your database regularly
Other References
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/Backing_Up_Your_WordPress_Files
• http://wordpress.tv/tag/security/
Questions? 
• Any questions? 
• You can also find me at 
– Blog: http://lesterchan.net 
– Twitter: @gamerz 
– Facebook: https://fb.com/lesterchan 
– Instagram: @gamerz 
