I presented this at "CMS Developers Conference 2015" on 10th February, 2015
Topics Include:
# A Basic Understanding
# Vulnerability Statistics
# Direct Approach
# Indirect Approach
# Insane Approach
# Plugin URLs
# Tutorial URLs
* I gave an almost identical presentation a couple of months ago, but this one comes with more data.
3. “I have not failed. I've just found 10,000 ways that won't work.”
Ways to secure your site
Ways to follow: Direct Approach . Indirect Approach . Scattered Approach
CMSCon2015
11. “A Basic Understanding”
Indirect Approach
How you can really save your site
12. Current Scenario
Based on 42,106 WordPress websites found in Alexa’s top 1 million websites
WordPress Versions: 74 different versions of WordPress were identified.
Invalid Versions: 11 of these versions are invalid, for example version 6.6.6.
Invalid Version: 18 websites had an invalid, non-existing version of WordPress.
13. WordPress 2.0: 769 websites (1.82%) are still running a subversion of WordPress 2.0.
WordPress 3.6.1: only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
Upgrade: 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
Vulnerable 3.6: 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
14. “Main Reasons”
Indirect Approach
Things that will really help you to save your site
15. Indirect Approach
41% Hosting Provider
29% Vulnerability in the WordPress theme
22% Vulnerability in a plugin
8% Weak Password
16. “Understanding the reasons”
17. “Four W One H”
Who . Why . When . Where . How
18. “Who?”
Anonymous . Your Friend . A Random Guy
19. “Why?”
Fun . Revenge . Profit . Political
20. “When?”
Least Expected . You are not Ready . The door is open
21. “[every]Where?”
Shared Hosting . VPS . Dedicated Server . Your Laptop
22. “How?”
Defacement, Spam Links, Backdoors, SQL Injections, Malicious Redirects, Form Abuse, Compromised Web Servers
23. “What can we do?”
24. “Avoid nulled Themes & Plugins”
Why are they giving them to you for free?
25. “Delete “admin” account”
UPDATE wp_users SET user_login='batman' WHERE user_login='admin';
Hackers need only two pieces of information: “username” & “password”.
Don’t give them half.
Try to avoid showing your username in posts.
26. “Use secret keys”
https://api.wordpress.org/secret-key/1.1/salt/
27. “Update Everything”
Keep everything updated. Literally “EVERYTHING”.
28. “Modify File Permissions”
Files 644 | Folders 755 | .htaccess 444 | wp-config.php 444
29. “Move up wp-config.php”
WordPress automatically checks the parent directory if the wp-config.php file is not found in your root directory.
public_html/wordpress/wp-config.php
public_html/wp-config.php
30. “Protect wp-config.php”
Write the following in your .htaccess file:
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
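As an added example that is not part of the deck, the POSIX shell script below audits a WordPress tree against the permission scheme from the file-permissions slide (files 644, folders 755, .htaccess and wp-config.php 444), applies it, and emits the deny-all block for wp-config.php from this slide. The function names and the throw-away demo tree are my own constructions; the Order/Deny lines are the Apache 2.2 syntax shown on the slide, and Apache 2.4 needs Require instead, so both forms are emitted inside IfModule guards.

```shell
#!/bin/sh
# Added example (not from the slides): audit/apply the slide's permission scheme
# and write the wp-config.php deny block in both Apache 2.2 and 2.4 syntax.

# Lists every path that deviates from the scheme; returns 1 if any exist.
wp_perm_audit() {
  bad=$(
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -name .htaccess ! -name wp-config.php ! -perm 644
    find "$1" -type f \( -name .htaccess -o -name wp-config.php \) ! -perm 444
  )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | sed 's/^/non-compliant: /'
  return 1
}

# Applies the scheme; the 444 pass runs last so it wins for the two files.
wp_perm_apply() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  find "$1" -type f \( -name .htaccess -o -name wp-config.php \) -exec chmod 444 {} +
}

# Deny block for wp-config.php: Require for Apache 2.4, Order/Deny for 2.2.
wp_config_htaccess() {
  cat <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Demo on a constructed throw-away tree, not a real site.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
echo '<?php // constructed stand-in for wp-config.php' > "$demo/wp-config.php"
wp_config_htaccess > "$demo/.htaccess"
chmod 777 "$demo/wp-content/uploads" "$demo/wp-config.php"
wp_perm_audit "$demo" || echo "violations found before hardening (expected)"
wp_perm_apply "$demo"
wp_perm_audit "$demo" && echo "tree now matches the slide's scheme"
rm -rf "$demo"
```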
31. “Local Security”
Keyloggers, Malware
Don’t use FTP; use SFTP or SSH instead.
32. “Control Login Attempts”
Don’t let them try for eternity.
https://wordpress.org/plugins/login-lockdown/
33. “Database Table Prefix”
Change from “wp_” to “wp_anything_” or “wpanything_”
anything may contain a-z, 0-9
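As an added example (my own shell function, not from the deck), the script below generates the SQL for the prefix change on this slide. Renaming the tables alone breaks the site, because WordPress also stores the prefix inside data: wp_options holds the option named wp_user_roles and wp_usermeta holds keys such as wp_capabilities and wp_user_level, so those rows are rewritten too. The table list is passed in as arguments (take the real one from SHOW TABLES), and $table_prefix in wp-config.php still has to be changed by hand to match.

```shell
#!/bin/sh
# Added example (not from the slides): emit the SQL for a table-prefix change,
# including the wp_options / wp_usermeta rows that embed the prefix.
# Usage: wp_prefix_sql OLD_PREFIX NEW_PREFIX TABLE...   (table names without prefix)

wp_prefix_sql() {
  old=$1
  new=$2
  shift 2
  # Allowed characters per the slide: a-z and 0-9; underscore is the separator.
  case $new in
    ""|*[!a-z0-9_]*) echo "invalid prefix: '$new'" >&2; return 1 ;;
  esac
  for t in "$@"; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  # SUBSTRING is 1-based: keep everything after the old prefix.
  start=$(( ${#old} + 1 ))
  # Underscore is a LIKE wildcard, so escape it inside the old prefix.
  old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  cat <<EOF
UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${start})) WHERE meta_key LIKE '${old_like}%';
EOF
}

# Demo with a constructed table list (a real site has more tables).
wp_prefix_sql wp_ wp_b4tm4n_ users usermeta options posts
```

Run the output inside a transaction or against a fresh backup, and update $table_prefix in wp-config.php in the same change window.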
34. “SSL Certificate”
Try to use an SSL certificate.
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
35. “Move wp-content Folder”
Add these before wp-settings.php is called in wp-config.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' );
define( 'WP_CONTENT_URL', 'http://www.paulund.co.uk/blog/content/wp-content' );
36. “Protect wp-admin”
Password-protect the wp-admin folder using .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
37. “Disable Dashboard Edit”
define('DISALLOW_FILE_EDIT', true);
38. “Change Login URL”
RewriteRule ^login$ http://www.rupok.xyz/wp-login.php [NC,L]
Now I can log in at www.rupok.xyz/login
39. “Use strong passwords”
Eight Characters . Two Uppercase Letters . Two Symbols
Avoid your Name, Birth Year, Birthday, Age, Phone Number, etc.
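As an added example (my own code, not from the deck), the shell function below checks a candidate password against exactly the rules on this slide: at least eight characters, two uppercase letters, two symbols, and none of the personal details (name, birth year, phone number, etc.) that are passed as extra arguments; the demo profile values are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): check a password against the slide's rules.
# Usage: wp_pw_check PASSWORD [PERSONAL_DETAIL...]  -> prints the verdict, returns 0/1

wp_pw_check() {
  pw=$1
  shift
  [ ${#pw} -ge 8 ] || { echo "fail: fewer than 8 characters"; return 1; }
  # Count uppercase letters and symbols by deleting everything else.
  upper=$(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c)
  [ $((upper)) -ge 2 ] || { echo "fail: fewer than 2 uppercase letters"; return 1; }
  symbols=$(printf '%s' "$pw" | tr -cd '[:punct:]' | wc -c)
  [ $((symbols)) -ge 2 ] || { echo "fail: fewer than 2 symbols"; return 1; }
  # Personal details: case-insensitive substring match against each argument.
  lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  for item in "$@"; do
    [ -n "$item" ] || continue
    case $lower_pw in
      *"$(printf '%s' "$item" | tr '[:upper:]' '[:lower:]')"*)
        echo "fail: contains personal detail '$item'"; return 1 ;;
    esac
  done
  echo "ok"
  return 0
}

# Demo with constructed inputs: the profile is name Bruce, birth year 1984.
wp_pw_check 'cabbage' Bruce 1984
wp_pw_check 'Bruce!Wayne#1984' Bruce 1984
wp_pw_check 'Boiled!Cabbages#50' Bruce 1984
```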
40. “Creating A Password”
- cabbage
- Sorry, the password must be more than 8 characters.
- boiled cabbage
- Sorry, the password must contain 1 numerical character.
- 1 boiled cabbage
- Sorry, the password cannot have blank spaces.
- 50fuckingboiledcabbages
- Sorry, the password must contain at least one upper case character.
- 50FUCKINGboiledcabbages
- Sorry, the password cannot use more than one upper case character consecutively.
- 50FuckingBoiledCabbagesShovedUpYourAss,Ifyoudon'tGiveMeAccessImmediately
- Sorry, the password cannot contain punctuation.
- NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessImmediately
- Sorry, that password is already in use!
41. “Lots of other things”
You may not protect it fully, but you can make it a nightmare for a hacker to hack your site.
42. “Security Plugins”
BulletProof Security, Secure WordPress, Exploit Scanner, Malware Scanner (sucuri.net), Acunetix WP Security
And especially, Rublon
43. “Insane Plans”
44. “Google Authenticator”
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
http://wordpress.org/plugins/google-authenticator/
45. “Voice Biometrics”
VoxedIn is a smartphone app and web toolkit that lets your users log in to your site using voice biometrics.
http://wordpress.org/plugins/voxedin/
46. “SPECIAL THANKS”
Jesse Pollak . Brad Williams . Lime Canvas
47. “Questions?”
Thank You
Hope you enjoyed!