1. WordPress Security
Few Simple Steps
@ Null Meet 16th
Oct 2010
Pune
Gaurav Pant
http://www.gauravpant.com
gauravggs@gmail.com
2. Agenda
● What is wordpress
● Installation
● Few basic steps for security
● Social aspects
3. WordPress
● weBlog Engine
● Written in PHP (mostly)
● Used for websites
● Approx 80% of weblogs run on wordpress
● 20% on version 2.x
● 15% on version 3.x
● Ver 1.x: Jan 3 2004 -- Dec 2005
● Ver 2.x: Dec 31 2005 – June 2009
● Ver 3.x: June 17 2010 – and updating
4. WP installation
● Is Simple
● Need a web server with Apache, MySQL and PHP
● Download WP from wordpress.org
● Create/Request DB User and Pass
● Unpack to document root of server
● Edit/Create wp-config.php
● Go to webpage and follow instructions
● Demo
5. Basic Security Steps
● FIX your Table Prefix
– Change the table prefix (this can generally be done during install)
– or edit $table_prefix in your wp-config.php
– the default prefix is wp_ (so tables are named wp_users, wp_posts, ...)
– that default is what generic SQL injection strings assume; a custom prefix raises the bar, but it does not fix an injectable query itself
6. Basic Security Steps...
● Securing the directories and files
– wordpress root / perms: writable by your user account (not by the web server)
– .htaccess writable by WordPress only if automatic update is required
– other sub-dirs to be writable only by user acc.
– /wp-content/ sub-dir perms will vary according to plugins and themes
– Uploaded images dir
● needs to be WP writable for automatic uploads
● DO MANUAL UPLOADS: uncomfortable but safe
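The permission scheme above, written out as an added example (these are my POSIX shell functions, not something from the slides): one function applies the scheme to a WordPress tree, the other audits the tree afterwards and is worth re-running after every plugin or theme install, since those often arrive with loose modes. The ownership model is an assumption: you own the files, the web server (the process running PHP) is a member of their group and nobody else is, so "writable by WordPress" means group-writable and "writable only by user account" means owner-writable only. The install path and the "yes" flag in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the slides. Ownership model assumed here: you own
# the files, the web server runs as a member of their group, nobody else is
# in that group. So group-writable == "WordPress can write", and
# owner-writable only == "only my user account can write".

# harden_wp_perms ROOT [allow_htaccess_update]
#   dirs 755 / files 644   : writable by your account only
#   wp-config.php 640      : readable by the web server, by nobody else
#   wp-content/uploads 775 : WordPress may write (automatic uploads)
#   .htaccess 664          : only when the 2nd arg is "yes" (automatic
#                            updates need to rewrite it); otherwise 644
harden_wp_perms() {
    root=$1
    allow_htaccess=${2:-no}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
    if [ "$allow_htaccess" = yes ] && [ -f "$root/.htaccess" ]; then
        chmod 664 "$root/.htaccess"
    fi
}

# audit_wp_perms ROOT
#   Lists anything group- or world-writable outside wp-content/uploads,
#   ignoring .htaccess. Returns 0 when the tree is clean, 1 otherwise.
audit_wp_perms() {
    root=$1
    bad=$(find "$root" -path "$root/wp-content/uploads" -prune -o \
               \( -perm -020 -o -perm -002 \) ! -name .htaccess -print)
    if [ -n "$bad" ]; then
        printf 'group/world-writable outside uploads:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage on a real install (path is a placeholder):
#   harden_wp_perms /var/www/blog yes && audit_wp_perms /var/www/blog
```

Because the audit prunes only the uploads tree, a plugin that quietly made its own directory world-writable shows up in the output, which is exactly the case the slide warns will "vary according to plugins and themes".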
7. Basic Security Steps...
● Renaming the 'admin' account:
● Run the query (replace TablePrefix with your own prefix):
– UPDATE TablePrefix_users SET user_login='newusername' WHERE user_login='admin';
– the same row's user_nicename (used in author archive URLs) still reads admin afterwards, so change it as well or the old name stays visible
● Do all this before you start posting
● Do not write posts as admin
● Create a generic user to create/write posts/pages
8. Basic Security Steps...
● Securing the /wp-admin/ area
● Move your wordpress installation to a different dir
● Standard loc:
– www.site.com/wp-admin/
● Move or install wordpress in a subdir
– www.site.com/mysecretinstall/wp-admin
● Users will still get your site from
– www.site.com
9. Basic Security Steps...
● Version info can be dangerous (it tells anyone which version, and so which known vulnerabilities, you are running)
● Disable version info
● Also remove it from the generator meta tag in the page source
● Edit your theme's functions.php and add:
– remove_action('wp_head', 'wp_generator');
– this only covers the HTML head; the version also shows in readme.html and in the feed's generator tag
10. Basic Security Steps...
● Disable dir index view
● Simple way:
– just add a blank index.html to all directories (which do not have any index)
● Or add/modify the .htaccess line
– Options Indexes
– TO
– Options -Indexes
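Both fixes from this slide as an added example (my POSIX shell functions, not code from the slides): one drops a blank index.html only into directories that have no index file yet, the other makes .htaccess say Options -Indexes exactly once, rewriting an existing Options line in place so that other flags on it survive. It assumes Apache reads .htaccess for the tree with AllowOverride Options; otherwise the directive belongs in the vhost config instead.

```sh
#!/bin/sh
# Added example, not from the slides: the two slide-10 fixes as functions.
# Assumes Apache honours .htaccess for this tree (AllowOverride Options).

# add_index_placeholders ROOT
#   Create an empty index.html in every directory under ROOT that has
#   neither index.php nor index.html, so a request for the bare directory
#   returns a blank page rather than a file listing. Existing index files
#   (WordPress ships index.php in most of its own directories) are left alone.
add_index_placeholders() {
    find "$1" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            : > "$dir/index.html"
        fi
    done
}

# disable_indexes ROOT
#   Ensure ROOT/.htaccess carries "Options -Indexes" exactly once.
#   The slide's "Option Indexes" is a typo; the directive is "Options".
#   An existing Options line that mentions Indexes (with or without +/-)
#   is rewritten in place; otherwise the directive is appended.
#   Safe to run repeatedly.
disable_indexes() {
    ht="$1/.htaccess"
    if [ ! -f "$ht" ]; then
        : > "$ht"
    fi
    if grep -Eq '^[[:space:]]*Options[[:space:]].*Indexes' "$ht"; then
        # sed -i is not portable between GNU and BSD sed; go via a temp file
        sed -E 's/^([[:space:]]*Options[[:space:]]([^#]*[[:space:]])?)[+-]?Indexes/\1-Indexes/' \
            "$ht" > "$ht.tmp" && mv "$ht.tmp" "$ht"
    else
        printf 'Options -Indexes\n' >> "$ht"
    fi
}

# listing_disabled ROOT : returns 0 if .htaccess turns listings off, 1 otherwise
listing_disabled() {
    grep -Eq '^[[:space:]]*Options[[:space:]][^#]*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Usage on a real install (path is a placeholder):
#   add_index_placeholders /var/www/blog; disable_indexes /var/www/blog
```

The placeholder approach works regardless of server configuration, which is why the slide calls it the simple way; the .htaccess approach is one line but silently does nothing where AllowOverride forbids Options, so listing_disabled above checks only the file, not what Apache actually serves.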
11. Basic Security Steps...
● Moving wordpress:
● Edit the WordPress address (URL) in the wordpress panel, leaving the site address as it is
● copy index.php and .htaccess to the root or new location
● edit index.php and change the following line
– require('./wp-blog-header.php');
– TO
– require('./secretloc/wp-blog-header.php');
● New login location will be
– http://yoursite/secretloc/wp-admin/
12. Basic Security Steps...
● Hardening /wp-admin/ with .htaccess
● Create a .htaccess in the wp-admin dir containing:
● AuthUserFile /home/dexter/.htpasswd
● AuthName "Verify yourself"
● AuthType Basic
● require valid-user
● Create the .htpasswd (outside the web root):
– /home/dexter/.htpasswd
– # htpasswd -b /home/dexter/.htpasswd dede dede123
– -b takes the password on the command line, where it lands in shell history; run htpasswd without -b to be prompted instead
– plugins/themes that call /wp-admin/admin-ajax.php for ordinary visitors will now hit the login prompt; exempt that file if you need it
13. Basic Security Steps...
● USE SSL for admin/logins
● can be added to wp-config.php
● define('FORCE_SSL_LOGIN', true);
● define('FORCE_SSL_ADMIN', true);
● Add Salts to wp-config for better cookie security
● define('AUTH_KEY', 'kie938rjmd903kdmr904');
● define('SECURE_AUTH_KEY', '9485ekdfmsk4398');
● define('LOGGED_IN_KEY', '9i7j6k[9md38');
● define('NONCE_KEY', 'kdkflow932034');
– these values are only samples: generate your own long random keys (the wordpress.org secret-key service hands out a full set) and never reuse someone else's
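An added example (my POSIX shell functions, not something from the slides) that audits a wp-config.php for the settings from slides 5 and 13, and checks that the generator meta tag from slide 9 is really gone from a saved copy of your home page. Assumptions, all mine: define() calls use single- or double-quoted string values on one line, the placeholder text is the one shipped in wp-config-sample.php, and a salt shorter than 32 characters counts as weak (my threshold; WordPress's own generator hands out 64-character keys, so the sample values on this slide would be flagged).

```sh
#!/bin/sh
# Added example, not from the slides: a grep-based audit of wp-config.php
# (slides 5 and 13) plus a check for the generator meta tag (slide 9).
# Assumes one-line define() calls with quoted string values, and treats a
# salt shorter than 32 characters as weak (my threshold).

# wpconfig_audit FILE
#   Prints one line per finding and returns the number of findings,
#   so an exit status of 0 means "nothing flagged".
wpconfig_audit() {
    cfg=$1
    n=0
    # slide 5: the default wp_ prefix is the one generic injection strings assume
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "table_prefix is still the default wp_"
        n=$((n + 1))
    fi
    # slide 13: both SSL switches must be defined and true
    for c in FORCE_SSL_LOGIN FORCE_SSL_ADMIN; do
        if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$c['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            echo "$c is not defined as true"
            n=$((n + 1))
        fi
    done
    # slide 13: each salt must exist, not be the sample file's placeholder, and be long
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        val=$(sed -nE "s/.*define[[:space:]]*\([[:space:]]*['\"]$k['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$cfg" | head -n 1)
        if [ -z "$val" ] || [ "$val" = "put your unique phrase here" ] || [ "${#val}" -lt 32 ]; then
            echo "$k is missing, still the placeholder, or shorter than 32 chars"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# page_leaks_version HTMLFILE
#   Returns 0 if a saved page still carries WordPress's generator meta tag
#   (the tag that remove_action('wp_head', 'wp_generator') removes), 1 if not.
page_leaks_version() {
    grep -Eiq '<meta[^>]*name="generator"[^>]*content="WordPress' "$1"
}

# Usage on a real install (paths are placeholders):
#   wpconfig_audit /var/www/blog/wp-config.php
#   page_leaks_version saved-homepage.html && echo "generator tag still present"
```

Run the audit from a cron job or before each deploy rather than once: the two SSL defines and the salts are exactly the lines that get lost when wp-config.php is regenerated or copied from another site.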
14. Basic Security Steps.
● Very BASIC but important:
● Don't be lazy –
– Update WP to the latest version
– Change passwords REGULARLY
– Don't ignore your LOGS: observe them
– USE a passphrase, not just a word
– Backup the database regularly
– Report bugs
– Use security plugins like:
● Lockdown, WP Security Scan, Captcha, Secure WordPress etc.
15. BLOGS...
● If it's on the blog, it's no longer personal
● If you put it on the blog, have good enough material to defend it
● Do not copy-paste – check copyrights
● Acknowledge/Quote stuff used from other places
● Be original
● Be Safe