Hardening WordPress Security
Mattia Piovano
How to harden WordPress security with few steps and methods
1.
Hardening WordPress Security. WordPress Day 2015, Pordenone, Italy
2.
What is security? (http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)
3.
Risk reduction
4.
SECURITY: Because sometimes a Rottweiler is not enough
5.
Why do we need more security?
6.
WordPress Popularity, Market Share and Responsibility
7.
[Chart: "Usage of content management systems for websites", bars for Market Share and Usage (axis 0 to 70) for No CMS, WordPress, Joomla and Drupal; source: http://w3techs.com/technologies/overview/content_management/all]
8.
What are the dangers?
9.
- Social Engineering
- Human Mistakes
- Brute Force Attacks
- WordPress Vulnerabilities
- Web Server Vulnerabilities
- Network Vulnerabilities
- FTP
- File Permissions
- And other beautiful things…
10.
11.
Solutions
12.
Backup! (the slide shows a tool whose tagline is "Modern Task Runner for PHP")
13.
Use strong passwords

Insecure examples:
- `admin`
- `mysite123`
- `mysitename`
- `myname4321`
- `password`

Secure examples:
- `-yCpHuHJ68fRtB805i`
- `"kaN4Y]99Z)[/ylaJN`
- `&3388wu1530Cx;73kR`
- `zN1/K>9'51]9~495°`
- `1'N434g&h51I78x3?M`
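A server-side password policy that rejects the insecure examples above and accepts the secure ones, as an added example that is not part of Mattia Piovano's slides. It is written as a must-use plugin (drop it into `wp-content/mu-plugins/`, so it cannot be switched off from the dashboard) and hooks both the profile form and the password-reset form; the `mp_` prefix, the 16-character minimum and the "three character classes" rule are assumptions, not WordPress defaults.

```php
<?php
/**
 * Added example: minimum password policy enforced on the server.
 * File: wp-content/mu-plugins/password-policy.php (assumed path).
 */

/** Return a list of policy violations for $password (empty list = acceptable). */
function mp_password_policy_errors( $password ) {
    $errors = array();

    // Length: 16 characters is an assumed minimum; every secure example on the slide passes.
    if ( strlen( $password ) < 16 ) {
        $errors[] = 'Password must be at least 16 characters long.';
    }

    // Character classes: lowercase, uppercase, digits, anything else (symbols, non-ASCII).
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $errors[] = 'Password must mix at least three of: lowercase, uppercase, digits, symbols.';
    }

    // "mysite123" style passwords: reject anything that embeds the site name.
    $site = strtolower( preg_replace( '/[^a-z0-9]/i', '', get_bloginfo( 'name' ) ) );
    if ( $site !== '' && stripos( $password, $site ) !== false ) {
        $errors[] = 'Password must not contain the site name.';
    }

    return $errors;
}

/** Profile / "Add New User" form: the new password arrives in $user->user_pass. */
function mp_validate_profile_password( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password change in this request
    }
    foreach ( mp_password_policy_errors( $user->user_pass ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}
add_action( 'user_profile_update_errors', 'mp_validate_profile_password', 10, 3 );

/** Password-reset form (wp-login.php?action=rp): the new password is POSTed as pass1. */
function mp_validate_reset_password( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        foreach ( mp_password_policy_errors( wp_unslash( $_POST['pass1'] ) ) as $msg ) {
            $errors->add( 'weak_password', $msg );
        }
    }
}
add_action( 'validate_password_reset', 'mp_validate_reset_password', 10, 2 );
```

Both hooks receive a `WP_Error` object; adding an error to it makes WordPress refuse the save and show the message on the form, so the user never ends up with a password the policy would not accept.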
14.
Stay updated!
- Update WordPress Core
- Update Themes
- Update Plugins
15.
Remove Version Reference
16.
Deny access / delete readme.html
17.
Deny access / delete readme.html
```apache
# .htaccess
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of
# Order/Deny (or load mod_access_compat).
<files readme.html>
    Order allow,deny
    Deny from all
</files>
```
18.
Remove WordPress Version
```php
// functions.php
// Return an empty string instead of the <meta name="generator"> tag.
// (A theme- or site-specific prefix is safer than wp_ for your own
// functions, to avoid clashing with a core function of the same name.)
function wp_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wp_remove_version' );
```
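The generator filter above removes one fingerprint, but the same version string is also appended as `?ver=` to every core stylesheet and script WordPress enqueues. The following must-use plugin is an added example (not from the slides) that removes both; the `mp_` function name is an assumption. Hiding the version is noise reduction only, since the contents of files under /wp-includes still identify a release; the control that actually matters is the update discipline on slide 14.

```php
<?php
/**
 * Added example: strip the WordPress version from the places it leaks.
 * File: wp-content/mu-plugins/strip-version.php (assumed path).
 */

// Generator tag in <head>, RSS/Atom feeds, export files.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Assets enqueued without an explicit version get ?ver=<WordPress version>.
 * Remove the query arg only when it equals the core version, so plugins and
 * themes that set their own version keep cache busting.
 */
function mp_strip_core_version_query( $src ) {
    $core  = get_bloginfo( 'version' );
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $core ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src',  'mp_strip_core_version_query' );
add_filter( 'script_loader_src', 'mp_strip_core_version_query' );
```

`remove_action( 'wp_head', 'wp_generator' )` takes the tag out of the HTML head; the `the_generator` filter also covers feeds, where `wp_generator` is not the function emitting it.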
19.
Secure your login
20.
Secure your login
- .htaccess Authentication
- Limit attempts
- Restrict to certain IPs
- Hide
- Captcha
- Two Factor Authentication
- HTTPS
21.
.htaccess Authentication (example with http://www.htaccesstools.com/)
22.
.htaccess Authentication (example with http://www.htaccesstools.com/)
23.
Limit attempts
24.
Restrict to certain IPs
```apache
# .htaccess
# Put this in wp-admin/.htaccess, or wrap it in <Files wp-login.php>, so that
# only the administration area is restricted and the public site stays reachable.
# (Apache 2.2 syntax; on 2.4 use "Require ip 1.2.3.4".)
Order deny,allow
Deny from all
Allow from 1.2.3.4
```
25.
Restrict to certain IPs
26.
Hide your login
```apache
# BEGIN Hidden login
# Assumes the core files live under /application (see "Change WordPress Structure", slides 33-37).
# /secured-area serves the login form, /recover-password the lost-password form.
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword
# Direct GET requests to wp-login.php (not coming from the admin, the login
# page itself, a logout or a lost-password flow) are sent to the hidden URL.
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L]
# After logout, go to the home page instead of the login form.
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login
```
27.
Hide your login
28.
Captcha on login
29.
Two-Factor Authentication
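One way to implement the "Limit attempts" item from this list in PHP rather than with a plugin, as an added example that is not part of the slides: a must-use plugin that counts failed logins per source IP and username in transients, locks that pair out once a threshold is reached, and returns the same error text for an unknown username and a wrong password, so the login form does not confirm which accounts exist. The `mp_` names, the 5-attempt threshold and the 15-minute window are assumptions.

```php
<?php
/**
 * Added example: lock out repeated failed logins and give a generic error.
 * File: wp-content/mu-plugins/limit-logins.php (assumed path).
 */

const MP_LOGIN_MAX_ATTEMPTS = 5;    // failures before lockout (assumed)
const MP_LOGIN_LOCKOUT_SECS = 900;  // lockout / counting window, 15 minutes (assumed)

/** Transient key for one (client IP, username) pair. */
function mp_login_bucket_key( $username ) {
    // REMOTE_ADDR is only the real client when Apache/nginx terminate the
    // connection. Behind a reverse proxy, let the web server set it from the
    // proxy header (mod_remoteip / ngx_http_realip) instead of reading
    // X-Forwarded-For here, which any client can forge.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'mp_login_' . md5( $ip . '|' . strtolower( $username ) );
}

/** Count a failure; each failure also extends the window. */
function mp_record_failed_login( $username ) {
    $key   = mp_login_bucket_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, MP_LOGIN_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'mp_record_failed_login' );

/** Refuse the login while the pair is locked out, even if the password is right. */
function mp_check_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $count = (int) get_transient( mp_login_bucket_key( $username ) );
    if ( $count >= MP_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
// Priority 30: after wp_authenticate_username_password (20) has decided.
add_filter( 'authenticate', 'mp_check_lockout', 30, 3 );

/** Same message whether the username or the password was wrong. */
function mp_generic_login_error( $user ) {
    if ( is_wp_error( $user )
        && in_array( $user->get_error_code(), array( 'invalid_username', 'invalid_email', 'incorrect_password' ), true ) ) {
        return new WP_Error( 'login_failed', 'Login failed.' );
    }
    return $user;
}
add_filter( 'authenticate', 'mp_generic_login_error', 40 );

/** A successful login clears the counter for that pair. */
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( mp_login_bucket_key( $user_login ) );
} );
```

Transients live in the options table (or the object cache when one is configured), so the counters survive across PHP workers. A lockout keyed on IP and username limits the damage a single source can do without letting an attacker lock out a user from everywhere by sending failures from one address.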
30.
Is there anything more?
31.
Admin user
32.
Admin user
- Don't use «admin» as username
- Or change the «admin» role
33.
Change WordPress Structure
34.
Change WordPress Structure: from this..
35.
Change WordPress Structure: ..to this
36.
Change WordPress Structure
```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
# Core lives under /application: map the usual wp-* paths onto it.
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]
# Existing files and directories are served as-is; everything else is
# routed to index.php (the front controller).
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.*\.php)$ /$1 [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```
37.
Change WordPress Structure
```php
// index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php' );

// wp-config.php
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
// Caveat: HTTP_HOST is the client's Host header and SERVER_NAME is only
// trustworthy with UseCanonicalName On. Deriving site URLs from either lets a
// crafted Host header end up in generated links (for example in password-reset
// e-mails). Hard-code the hostname where you can.
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/application' );
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );
```
38.
Htaccess Tips and Tricks
39.
Disable Directory Browsing
```apache
# .htaccess
Options All -Indexes
```
40.
Protect your .htaccess
```apache
# .htaccess
<files .htaccess>
    Order allow,deny
    Deny from all
</files>
```
41.
Protect your configuration
```apache
# .htaccess
<files wp-config.php>
    Order allow,deny
    Deny from all
</files>
```
42.
Deny access to xmlrpc.php
```apache
# .htaccess
<files xmlrpc.php>
    Order allow,deny
    Deny from all
</files>
```
43.
Prevent WordPress users listing

These URLs redirect to the author archive and so reveal login names:
- http://www.yourbeautifulsite.org/?author=1
- http://www.yourbeautifulsite.org/?author=2
- http://www.yourbeautifulsite.org/?author=3
- http://www.yourbeautifulsite.org/?author=4
- […]

```apache
# .htaccess
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]
```
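The PHP counterpart of the two .htaccess rules above (xmlrpc.php and `?author=N`), for hosts where you cannot ship an .htaccess file (nginx, managed hosting), as an added example that is not part of the slides. It goes one step beyond the slide by also closing the REST API users listing, which exposes the same login names as `?author=N` does. The `mu-plugins` path is assumed.

```php
<?php
/**
 * Added example: disable XML-RPC and author/user enumeration without .htaccess.
 * File: wp-content/mu-plugins/no-enumeration.php (assumed path).
 */

// XML-RPC: this filter gates every XML-RPC method, including pingbacks and
// system.multicall, which are what brute-force and amplification traffic use.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ?author=N resolves to the author archive, and redirect_canonical() then
// rewrites the URL to /author/<login>/, leaking the login name. Send anonymous
// visitors to the home page first. Priority 1 is required: redirect_canonical
// itself runs on template_redirect at priority 10 and would win otherwise.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// /wp-json/wp/v2/users lists every user with published posts to anyone.
// Remove the users routes for requests that are not authenticated.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Keep the .htaccess rule for xmlrpc.php where you can as well: denying the file at the web server saves WordPress from bootstrapping for every request to it, while the filter guarantees the behaviour on hosts where .htaccess is ignored.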
44.
Deny php execution from upload directory
```apache
# /path/to/upload-folder/.htaccess
# Deny everything by default; the allow-list below has no effect without it.
# Only static file types are served, so a PHP file that lands in the upload
# directory is never executed.
Order deny,allow
Deny from all
<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
    Allow from all
</Files>
```
45.
Rewrite assets permalinks
```apache
# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
```
46.
WP-config Tricks
47.
WP-config Tricks
- Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Override File Permissions
- Change WP Db Prefix
48.
Disable Plugins install/updates
```php
// wp-config.php
define( 'DISALLOW_FILE_EDIT', true );  // removes the theme/plugin code editor from the dashboard
define( 'DISALLOW_FILE_MODS', true );  // blocks plugin/theme installs and updates from the dashboard
```
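The wp-config.php settings behind slides 47 and 48 written out together, as an added example that is not taken from the slides. Every key value is a placeholder to be replaced with output from the salt generator linked on slide 47; the database prefix is an arbitrary sample; `FORCE_SSL_ADMIN` comes from the HTTPS item on slide 20 and the Administration_Over_SSL codex page referenced on slide 58.

```php
<?php
/**
 * Added example: hardening-related wp-config.php settings.
 * Values marked PLACEHOLDER must be replaced before use.
 */

// 1. Salts: paste the eight lines from https://api.wordpress.org/secret-key/1.1/salt/
//    They must be unique to this site. Rotating them invalidates every
//    existing session cookie, which is the intended effect after an incident.
define( 'AUTH_KEY',         'PLACEHOLDER-replace-with-generated-value' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-replace-with-generated-value' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-replace-with-generated-value' );
define( 'NONCE_KEY',        'PLACEHOLDER-replace-with-generated-value' );
define( 'AUTH_SALT',        'PLACEHOLDER-replace-with-generated-value' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-replace-with-generated-value' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-replace-with-generated-value' );
define( 'NONCE_SALT',       'PLACEHOLDER-replace-with-generated-value' );

// 2. Database prefix: anything but the default wp_. Only straightforward on a
//    fresh install; on an existing site every table must be renamed and the
//    option/usermeta keys that embed the prefix (wp_user_roles, wp_capabilities,
//    wp_user_level) updated as well, or nobody can log in afterwards.
$table_prefix = 'k7q_';

// 3. Permissions WordPress applies to files it writes itself (updates, uploads).
//    Directories 755, files 644: readable by the web server, writable only by
//    the owner. wp-config.php itself should be tightened by hand (chmod 600 or
//    440, depending on whether the web server user owns it).
define( 'FS_CHMOD_DIR',  ( 0755 & ~umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~umask() ) );

// 4. No code editing or installs from the dashboard (slide 48). Caveat:
//    DISALLOW_FILE_MODS also disables automatic background updates and the
//    dashboard updater, so core, plugin and theme updates must then be applied
//    through your deploy process or WP-CLI ("wp core update", "wp plugin update --all").
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );

// 5. Force HTTPS for wp-login.php and the whole wp-admin area, so credentials
//    and the auth cookie never travel in clear text.
define( 'FORCE_SSL_ADMIN', true );
```

These constants must appear above the `require_once ABSPATH . 'wp-settings.php';` line in wp-config.php, otherwise WordPress has already bootstrapped with the defaults by the time they are defined.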
49.
Check installed Themes/Plugins
- Remove inactive themes/plugins
- Remove useless themes/plugins
- Evaluate code integration
50.
Blackhole
51.
52.
Blackhole (http://perishablepress.com/blackhole-bad-bots/)
```apache
# BEGIN Blackhole
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Paths that only scanners request on this site are answered with a static 403 page.
RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]
</IfModule>
# END Blackhole
```
53.
Tools
54.
Tools: Sucuri Security plugin
55.
Help us to check our WordPress project's vulnerabilities
56.
Monitoring: a time series database for monitoring your application, https://influxdb.com/
57.
Web Server Infrastructure
58.
Codex References
- http://codex.wordpress.org/Hardening_WordPress
- http://codex.wordpress.org/Administration_Over_SSL
- http://codex.wordpress.org/Editing_wp-config.php
59.
Questions?
60.
Thanks Mattia Piovano @shadow_droid https://joind.in/15557