WordPress Security
Few Simple Steps
@ Null Meet, 16th Oct 2010, Pune
Gaurav Pant
http://www.gauravpant.com
gauravggs@gmail.com
Agenda
● What is WordPress
● Installation
● Few basic steps for security
● Social aspects
WordPress
● Weblog engine
● Written in PHP (mostly)
● Used for websites
● Approx 80% weblogs run on WordPress
● 20% on version 2.x
● 15% on version 3.x
● Ver 1.x: Jan 3 2004 – Dec 2005
● Ver 2.x: Dec 31 2005 – June 2009
● Ver 3.x: June 17 2010 – and updating
WP installation
● Is simple
● Need a web server with Apache, MySQL and PHP
● Download WP from wordpress.org
● Create/request DB user and pass
● Unpack to document root of server
● Edit/create wp-config.php
● Go to webpage and follow instructions
● Demo
Basic Security Steps
● Fix your table prefix
– Change the table prefix (this can generally be done during install)
– edit your wp-config.php for the prefix
– regular table prefix is wp_ (e.g. wp_users)
– default table names are vulnerable to standard SQL injections
Basic Security Steps...
● Securing the directories and files
– WordPress root / perms: writable by user account
– .htaccess writable by WordPress if automatic update is required
– other sub-dirs to be writable only by user account
– /wp-content/ sub-dir perms will vary according to plugins and themes
– Uploaded images dir
● needs to be WP writable for automatic uploads
● Do manual uploads: uncomfortable but safe
Basic Security Steps...
● Renaming the 'admin' account:
● Run the query:
– UPDATE TablePrefix_users SET user_login='newusername' WHERE user_login='admin';
● Do all this before you start posting
● Do not write posts as admin
● Create a generic user to create/write posts/pages
Basic Security Steps...
● Securing the /wp-admin/ area
● Move your WordPress installation to a different dir
● Standard loc:
– www.site.com/wp-admin/
● Move or install wordpress in subdir
– www.site.com/mysecretinstall/wp-admin
● Users will still get your site from
– www.site.com
Basic Security Steps...
● Version info can be dangerous
● Disable version info
● Also from code meta tags
● Edit functions.php, add:
– remove_action('wp_head', 'wp_generator');
Basic Security Steps...
● Disable dir index view
● Simple way:
– just add a blank index.html to all directories (which do not have any index)
● Or add/modify the .htaccess line
– Options Indexes
– TO
– Options -Indexes
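The permission and directory-index slides above can be checked on an installed tree with the following added example, which is not part of the original deck. The helper name wp_tree_findings and the constructed sample tree are assumptions; wp-content/uploads is skipped in the writable check because the slides allow it to be WordPress-writable.

```shell
#!/bin/sh
# Added example: wp_tree_findings is an assumed helper name, not a WordPress tool.
# wp_tree_findings ROOT prints one line per finding:
#   WRITABLE <path>  group- or world-writable, outside wp-content/uploads
#   NOINDEX <dir>    no index.php/index.html, so listable unless Indexes is off
wp_tree_findings() {
    root=${1%/}
    # Anything writable by group or other, except the uploads directory.
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        \( -perm -020 -o -perm -002 \) ! -type l -print | sed 's/^/WRITABLE /'
    # Directories that would show a listing if directory indexes are enabled.
    find "$root" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            echo "NOINDEX $dir"
        fi
    done
}

# Constructed sample tree: plugins left at 777, plugins and uploads lack an index.
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin" "$demo/wp-content/plugins" "$demo/wp-content/uploads"
touch "$demo/index.php" "$demo/wp-admin/index.php" "$demo/wp-content/index.php"
chmod -R go-w "$demo"
chmod 777 "$demo/wp-content/plugins" "$demo/wp-content/uploads"
wp_tree_findings "$demo"
rm -rf "$demo"
```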
Basic Security Steps...
● Moving WordPress:
● Edit the WordPress URL from the WordPress panel
● Copy index.php and .htaccess to root or the new location
● Edit index.php and change the following line
– require('./wp-blog-header.php');
– TO
– require('./secretloc/wp-blog-header.php');
● New login location will be
– http://yoursite/secretloc/wp-admin/
Basic Security Steps...
● Hardening /wp-admin/ with .htaccess
● Create a .htaccess in the wp-admin dir
– AuthUserFile /home/dexter/.htpasswd
– AuthName "Verify yourself"
– AuthType Basic
– Require valid-user
● Create a .htpasswd
– /home/dexter/.htpasswd
– # htpasswd -c -b /home/dexter/.htpasswd dede dede123
Basic Security Steps...
● Use SSL for admin/logins
● Can be added to wp-config.php:
– define('FORCE_SSL_LOGIN', true);
– define('FORCE_SSL_ADMIN', true);
● Add salt to wp-config.php for better cookie security:
– define('AUTH_KEY', 'kie938rjmd903kdmr904');
– define('SECURE_AUTH_KEY', '9485ekdfmsk4398');
– define('LOGGED_IN_KEY', '9i7j6k[9md38');
– define('NONCE_KEY', 'kdkflow932034');
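A quick audit of the wp-config.php settings from the slides (table prefix, FORCE_SSL_ADMIN, and the four keys), as an added example that is not part of the original deck. The function name audit_wp_config and the 32-character minimum key length are assumptions; the embedded sample is constructed from the slide's own short key values to show that they should be replaced with long random strings.

```shell
#!/bin/sh
# Added example: audit_wp_config and MIN_KEY_LEN are assumptions, not WordPress names.
MIN_KEY_LEN=32

# audit_wp_config FILE: print one finding per line; exit status = number of findings.
audit_wp_config() {
    cfg=$1
    findings=0

    # 1. Table prefix: flag the stock wp_ value or a missing assignment.
    prefix=$(sed -n 's/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*.\([A-Za-z0-9_]*\).*/\1/p' "$cfg" | head -n 1)
    if [ "$prefix" = "wp_" ] || [ -z "$prefix" ]; then
        echo "table_prefix: default or not set (found '${prefix}')"
        findings=$((findings + 1))
    fi

    # 2. Admin area forced over SSL (commented-out defines do not count).
    if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FORCE_SSL_ADMIN: not set to true"
        findings=$((findings + 1))
    fi

    # 3. Cookie/nonce keys: each must be present and long enough.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        val=$(sed -n "s/^[[:space:]]*define([[:space:]]*.${key}.[[:space:]]*,[[:space:]]*'\(.*\)'[[:space:]]*)[[:space:]]*;.*/\1/p" "$cfg" | head -n 1)
        if [ "${#val}" -lt "$MIN_KEY_LEN" ]; then
            echo "${key}: missing or only ${#val} characters"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: stock prefix, no FORCE_SSL_ADMIN, the slide's short keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'kie938rjmd903kdmr904');
define('SECURE_AUTH_KEY','9485ekdfmsk4398');
define('LOGGED_IN_KEY', '9i7j6k[9md38');
define('NONCE_KEY', 'kdkflow932034');
EOF
audit_wp_config "$sample" || echo "findings: $?"
rm -f "$sample"
```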
Basic Security Steps.
● Very basic but important:
● Don't be lazy:
– Update WP to the latest version
– Change passwords regularly
– Don't be a log: observe LOGS
– Use a passcode, not just a word
– Back up the database regularly
– Report bugs
– Use security plugins like:
● lockdown, WP Security Scan, Captcha, Secure WordPress etc.
BLOGS...
● If it's on the blog, it's no longer personal
● If you put it on the blog, have good enough material to defend it
● Do not copy-paste: check copyrights
● Acknowledge/quote stuff used from other places
● Be original
● Be safe
Thanks!
Questions?
