Hardening WordPress Security
•Transferir como PPTX, PDF•
2 gostaram•1,924 visualizações
How to harden WordPress security with few steps and methods
Recomendados
Recomendados
Mais conteúdo relacionado
Semelhante a Hardening WordPress Security
Semelhante a Hardening WordPress Security (20)
Último
Último (20)
Hardening WordPress Security
- 1. Hardening WordPress Security WordPress Day 2015 - Pordenone, Italy
- 4. SECURITYBecause sometimes a Rottweiler is not enough
- 5. Why we need more security?
- 6. WordPress Popularity, Market Share and Responsibility
- 7. 0 10 20 30 40 50 60 70 No CMS WordPress Joomla Drupal Usage of content management systems for websites Market Share Usage http://w3techs.com/technologies/overview/content_management/all
- 8. What are the dangers?
- 9. - Social Engineering - Human Mistakes - Brute Force Attacks - WordPress Vulnerabilities - Web Server Vulnerabilities - Network Vulnerabilities - FTP - File Permissions - And other beautiful things…
- 11. Solutions
- 12. Backup! Modern Task Runner for PHP
- 13. Use strong passwords Insecure examples admin mysite123 mysitename myname4321 password Secure examples -yCpHuHJ68fRtB805i "kaN4Y]99Z)[/ylaJN &3388wu1530Cx;73kR zN1/K>9'51]9~495° 1'N434g&h51I78x3?M
- 14. Stay updated! Update WordPress Core Update Themes Update Plugins
- 16. Deny access / delete readme.html
- 17. Deny access / delete readme.html # .htaccess <files readme.html> Order allow,deny Deny from all </files>
- 18. Remove WordPress Version // ** functions.php function wp_remove_version() { return ''; } add_filter('the_generator', 'wp_remove_version');
- 20. Secure your login - .htaccess Authentication - Limit attempts - Restrict to certain IPs - Hide - Capcha - Two Factor Authentication - HTTPS
- 21. .htaccess Authentication (example with http://www.htaccesstools.com/)
- 22. .htaccess Authentication (example with http://www.htaccesstools.com/)
- 23. Limit attempts
- 24. Restrict to certain IPs # .htaccess order deny,allow deny from all allow from 1.2.3.4
- 25. Restrict to certain IPs
- 26. Hide your login # BEGIN Hidden login RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L] RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area RewriteCond %{QUERY_STRING} !^action=logout RewriteCond %{QUERY_STRING} !^action=lostpassword RewriteCond %{REQUEST_METHOD} !POST RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L] RewriteCond %{QUERY_STRING} ^loggedout=true RewriteRule . http://%{SERVER_NAME}/? [L] # END Hidden login
- 27. Hide your login
- 28. Captcha on login
- 30. Is there anything more?
- 31. Admin user
- 32. Admin user - Don’t use «admin» as username - Or change «admin» role
- 34. Change WordPress Structure From this..
- 35. Change WordPress Structure ..to this
- 36. Change WordPress Structure # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index.php$ - [L] # Redirect RewriteRule ^wp-admin$ wp-admin/ [R,L] RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f [OR] RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^ - [L] RewriteRule ^(.*.php)$ /$1 [L] RewriteRule . /index.php [L] </IfModule> # END WordPress
- 37. Change WordPress Structure // ** index.php define( 'WP_USE_THEMES', true ); require( __DIR__ . '/application/wp-blog-header.php‘ ); // ** wp-config.php define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' ); define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' ); define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' ); define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );
- 38. Htaccess Tips and Tricks
- 39. Disable Directory Browsing # .htaccess Options All -Indexes
- 40. Protect your .htaccess # .htaccess <files .htaccess> Order allow,deny Deny from all </files>
- 41. Protect your configuration # .htaccess <files wp-config.php> Order allow,deny Deny from all </files>
- 42. Deny access to xmlrpc.php # .htaccess <files xmlrpc.php> Order allow,deny Deny from all </files>
- 43. Prevent WordPress users listing http://www.yourbeautifulsite.org/?author=1 http://www.yourbeautifulsite.org/?author=2 http://www.yourbeautifulsite.org/?author=3 http://www.yourbeautifulsite.org/?author=4 […] # .htaccess RewriteCond %{QUERY_STRING} (^|&)author= RewriteRule . http://%{SERVER_NAME}/? [L]
- 44. Deny php execution from upload directory # /path/to/upload-folder/.htaccess <Files ~ ".(xls|doc|rtf|pdf|zip|mp3|flv|swf|pn g|gif|jpg|ico|js|css|kmz|ttf|woff|woff 2)$"> Allow from all </Files>
- 45. Rewrite assets permalinks # .htaccess RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L] RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L] RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
- 46. WP-config Tricks
- 47. WP-config Tricks - Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/) - Override File Permissions - Change WP Db Prefix
- 48. Disable Plugins install/updates // ** wp-config.php define( DISALLOW_FILE_EDIT', true ); define( DISALLOW_FILE_MODS', true );
- 49. Check installed Themes/Plugins - Remove inactive themes/plugins - Remove useless themes/plugins - Evaluate code integration
- 50. Blackhole
- 52. Blackhole (http://perishablepress.com/blackhole-bad-bots/) # END Blackholde <ifModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|reg ister|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L] </ifModule> # END Blackhole
- 53. Tools
- 55. Help us to check our WordPress Project Vulnerabilities
- 56. Monitoring time series database for monitoring your application https://influxdb.com/
- 59. Questions?