WordPress Security
How to secure your WordPress website
CMSCon2015
Find Me
Rupok Chowdhury Protik
Also Known as “The Formatter”
@rupok
fb.com/rupokify
rupokify@gmail.com
www.rupok.xyz
“ I have not failed. I've just found
10,000 ways that won't work “
Ways to secure your site
Ways to follow: Direct Approach . Indirect Approach . Scattered Approach
“ Direct Approach “
Direct Approach
Easiest way to follow
“ There is only “ONE” way to 100%
secure your WordPress Site “
“ BEST Way -100% Guaranteed “
“ DELETE IT ! “
“ Request ? “
A really really cute face may help
“ Indirect Approach “
Indirect Approach
Easiest way to follow
“ A Basic Understanding “
Indirect Approach
How you can really save your site
Current Scenario
Based on 42,106 WordPress websites found in Alexa’s top 1 million websites:
- 74 different versions of WordPress were identified.
- 11 of these versions are invalid, for example version 6.6.6.
- 18 websites had an invalid, non-existing version of WordPress.
- 769 websites (1.82%) are still running a subversion of WordPress 2.0.
- Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
- 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
- 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
“ Main Reasons “
Indirect Approach
Things that will really help you to save your site
41% - Hosting Provider
29% - Vulnerability in the WordPress theme
22% - Vulnerability in a plugin
8% - Weak Password
“ Understanding the reasons “
“ Four W One H “
Who . Why . When . Where . How
“ Who ? “
Anonymous . Your Friend . A Random Guy
“ Why ? “
Fun . Revenge . Profit . Political
“ When ? “
Least Expected . You are not Ready . The door is open
“ [every]Where ? “
Shared Hosting . VPS . Dedicated Server . Your Laptop
“ How ? “
Defacement, Spam Links, Backdoors, SQL Injections, Malicious Redirects, Form Abuse, Compromised Web Servers
“ What can we do ? “
“ Avoid nulled Themes & Plugins “
Why are they giving them away for free ?
“ Delete “admin” account “
UPDATE wp_users SET user_login='batman' WHERE user_login='admin';
Hackers need only two pieces of information - “username” & “password”.
Don’t give them half.
Try to avoid showing your username in posts.
“ Use secret keys “
Generate fresh keys and salts for your wp-config.php from:
https://api.wordpress.org/secret-key/1.1/salt/
“ Update Everything “
Keep everything updated. Literally “EVERYTHING”
“ Modify File Permission “
Files 644 | Folders 755 | .htaccess 444 | wp-config.php 444
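As an added example (not from the slides), here is a small Python audit that walks a WordPress install and reports every file or folder whose mode differs from the scheme above, and fixes it when asked. It builds its own throw-away sample tree under a temporary directory, so the paths and the deliberately wrong modes in it are constructed, not taken from any real site:

```python
import os
import stat
import tempfile

# The scheme from the slide: files 644, folders 755, and the two sensitive
# files locked down to 444 (read-only even for the owner).
FILE_MODE = 0o644
DIR_MODE = 0o755
LOCKED_FILES = {".htaccess": 0o444, "wp-config.php": 0o444}


def expected_mode(path):
    """Mode the slide's scheme prescribes for one path."""
    if os.path.isdir(path):
        return DIR_MODE
    return LOCKED_FILES.get(os.path.basename(path), FILE_MODE)


def audit_tree(root, fix=False):
    """Walk a WordPress install and return {relative_path: (actual, expected)}
    for every entry whose mode deviates from the scheme. With fix=True the
    deviating modes are corrected as they are found."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never chmod through a symlink
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            wanted = expected_mode(full)
            if actual != wanted:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = (actual, wanted)
                if fix:
                    os.chmod(full, wanted)
    return findings


def build_sample_tree():
    """Constructed sample (not a real install): a tiny WordPress-like tree
    with three deliberately wrong modes, so the audit has something to find."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    sample_files = {
        "index.php": 0o644,                              # correct
        ".htaccess": 0o444,                              # correct
        "wp-config.php": 0o644,                          # too open: should be 444
        "wp-content/uploads/plugin-upload.php": 0o777,   # world-writable PHP file
    }
    for rel, mode in sample_files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)                             # too open: should be 755
    return root


def format_findings(findings):
    """Human-readable report, one line per deviation."""
    return [f"{path}: {actual:04o} (expected {wanted:04o})"
            for path, (actual, wanted) in sorted(findings.items())]


if __name__ == "__main__":
    sample = build_sample_tree()
    print("\n".join(format_findings(audit_tree(sample))))
    audit_tree(sample, fix=True)
    print("after fix:", audit_tree(sample))
```

Run it once without fix to see what would change before letting it chmod anything; it skips symlinks on purpose, because following them could alter modes outside the install.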
“ Move-up wp-config.php “
WordPress automatically checks the parent directory if the wp-config.php file is not found in your root directory.
public_html/wordpress/wp-config.php  ->  public_html/wp-config.php
“ Protect wp-config.php “
Write the following code in your .htaccess file
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
“ Local Security “
Keyloggers, malware on your own machine
Don’t use FTP; use SFTP or SSH instead
“ Control Login Attempts “
Don’t let them try for eternity
https://wordpress.org/plugins/login-lockdown/
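The lockdown plugin does this inside WordPress; as an added example (not part of the slides or of the plugin), the Python below makes the same check from the server side over web-server access logs, which is also what a fail2ban-style jail keys on. The log lines are constructed in Apache combined format with documentation IP addresses, and the rule that a failed wp-login.php POST answers 200 while a successful one answers 302 is an assumption about a stock WordPress install:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    """Assumption used here: a POST to wp-login.php that fails re-renders the
    form with HTTP 200, while a successful login answers with a 302 redirect."""
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200


def find_bruteforcers(lines, max_attempts=5, window_seconds=60):
    """Return {ip: iso_timestamp} for every IP whose failed logins exceed
    max_attempts inside a sliding window of window_seconds. The value is the
    moment the threshold was crossed, i.e. when a lockout should begin."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_attempts and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def _line(ip, hhmmss, request, status):
    # Builds one constructed combined-format log line (date fixed to 14/Jun/2015).
    return (f'{ip} - - [14/Jun/2015:{hhmmss} +0000] "{request} HTTP/1.1" '
            f'{status} 3421 "-" "Mozilla/5.0 (constructed)"')


# Constructed sample log: one IP failing seven times in 25 seconds, one real
# user failing once then succeeding, one IP spacing six failures two minutes apart.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"10:00:{s:02d}", "POST /wp-login.php", 200)
     for s in (1, 5, 9, 13, 17, 21, 25)]
    + [_line("203.0.113.5", "10:00:03", "POST /wp-login.php", 200),
       _line("203.0.113.5", "10:00:20", "POST /wp-login.php", 302),
       _line("203.0.113.5", "10:00:21", "GET /wp-admin/", 200)]
    + [_line("192.0.2.44", f"10:{m:02d}:00", "POST /wp-login.php", 200)
       for m in (1, 3, 5, 7, 9, 11)]
    + ["this line is not in combined format and is skipped"]
)

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"lock out {ip} from {when}")
```

The sliding window matters: the slow IP in the sample makes as many failed attempts as the fast one but never more than one per minute, so a plain counter would flag it while this check does not. Tune max_attempts and window_seconds to what your own users actually do before wiring the output into a block list.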
“ Database Table Prefix “
Change from “wp_” to “wp_anything_” or “wpanything_”
anything may contain a-z, 0-9
“ SSL Certificate “
Try to use an SSL Certificate
define('FORCE_SSL_ADMIN', true);
// FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN already covers the login page
define('FORCE_SSL_LOGIN', true);
“ Move wp-content Folder “
Before wp-settings.php is called in wp-config.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' );
define( 'WP_CONTENT_URL', 'http://www.paulund.co.uk/blog/content/wp-content' );
“ Protect wp-admin “
Password Protect the wp-admin folder using .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
“ Disable Dashboard Edit “
define('DISALLOW_FILE_EDIT', true);
“ Change Login URL “
RewriteRule ^login$ http://www.rupok.xyz/wp-login.php [NC,L]
Now I can login at www.rupok.xyz/login
“ Use strong password “
Eight Characters . Two Uppercase Letters . Two Symbols
Avoid your Name, Birth Year, Birthday, Age, Phone Number etc.
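A checker for the rule on this slide (at least eight characters, two uppercase letters, two symbols, and nothing personal), as an added Python example that is not from the slides; the personal details in its demo are made up:

```python
import re
import string

SYMBOLS = frozenset(string.punctuation)


def _digits(text):
    return re.sub(r"\D", "", text)


def check_password(password, personal=()):
    """Return the list of rules the password breaks (empty list means it passes).

    personal: strings the slide says to avoid (name, birth year, birthday, age,
    phone number). Each is matched case-insensitively as text, and numeric
    ones are also matched on digits only, so 555-0199 is caught inside
    'Xy!!5550199' even though the dash is missing."""
    problems = []
    if len(password) < 8:
        problems.append("at least eight characters")
    if sum(1 for c in password if c.isupper()) < 2:
        problems.append("at least two uppercase letters")
    if sum(1 for c in password if c in SYMBOLS) < 2:
        problems.append("at least two symbols")

    lowered = password.lower()
    password_digits = _digits(password)
    for item in personal:
        token = str(item).strip()
        if len(token) < 2:
            continue  # a single character would match almost anything
        hit = token.lower() in lowered
        if not hit:
            token_digits = _digits(token)
            hit = len(token_digits) >= 2 and token_digits in password_digits
        if hit:
            problems.append(f"contains personal information: {token}")
    return problems


if __name__ == "__main__":
    me = ["Rupok", "1990", "01234567890"]   # constructed personal details
    for candidate in ["cabbage", "Batman99", "Rupok1990!!", "T0wer-Bridge!Kn0t"]:
        verdict = check_password(candidate, me)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Returning the list of broken rules rather than a bare yes/no is what lets a login form tell the user exactly what to change, which is the difference between the helpful dialogue and the maddening one on the next slide.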
“ Creating A Password “
- cabbage
- Sorry, the password must be more than 8 characters.
- boiled cabbage
- Sorry, the password must contain 1 numerical character.
- 1 boiled cabbage
- Sorry, the password cannot have blank spaces.
- 50fuckingboiledcabbages
- Sorry, the password must contain at least one upper case character.
- 50FUCKINGboiledcabbages
- Sorry, the password cannot use more than one upper case character consecutively.
- 50FuckingBoiledCabbagesShovedUpYourAss,Ifyoudon'tGiveMeAccessImmediately
- Sorry, the password cannot contain punctuation.
- NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessImmediately
- Sorry, that password is already in use!
“ Lots of other things “
You may not protect it fully, but you can make it a nightmare for a hacker to hack your site
“ Security Plugins “
BulletProof Security, Secure WordPress, Exploit Scanner, Malware Scanner (sucuri.net), Acunetix WP Security
And especially, Rublon
“ Insane Plans “
“ Google Authenticator “
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
http://wordpress.org/plugins/google-authenticator/
“ Voice Biometrics “
VoxedIn is a Smartphone app and web toolkit that lets your users log in to your site using voice biometrics.
http://wordpress.org/plugins/voxedin/
“ SPECIAL THANKS “
Jesse Pollak . Brad Williams . Lime Canvas
“ Questions ? “
Thank You
Hope you enjoyed !