SlideShare a Scribd company logo

Wordpress security 101 202

James Ruffer, profile picture
James Ruffer

Script kiddies and inside attackers are common threats to WordPress sites. To prevent attacks, site owners should keep their WordPress core, plugins, and themes up to date, use strong permissions on files and directories, and enable security features from their host like mod_sec. Logging and monitoring errors and traffic is also important to detect any suspicious activity.

Technology
1 of 23
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Wordpress Security 101-202By James F. Ruffer III C|EH1
Bio of a Ethical Hacker:I am always thinking how can I break that?Open source brain and help as many as possible…within reason.2
My wordpress sites www.unixbox.orgwww.resolutegames.com < hackedwww.resoluteinteractive.commemphis.issa.orgwww.socialowl.cowww.securityevents.infowww.socialmediasecurity.com3
FireTalk – 3, 2, 1. GO!4
Who is attacking “you”?Kiddie Scripter'sInnocent bystandersEasy targets – inside attacksYou5
Script kiddies vandalize websites both for the thrill of it and to increase their reputation among their peers. Some more malicious script kiddies have used virus toolkits to create and propagate the Anna Kournikova and Love Bugviruses.[1] Script kiddies lack, or are only developing, coding skills sufficient to understand the effects and side effects of their work. As a result, they leave significant traces which lead to their detection, or directly attack companies which have detection and countermeasures already in place, or in recent cases, leave automatic crash reporting turned on. – Wiki Definition KiddieScripters6
Innocent bystanders Wrong place at the wrong time.7
Easy Targets – Inside Attacker8
“You” 9
Why are they attacking you?Kiddie Scripter'sInnocent bystandersEasy targets – inside attacksYou10
Scanned for certain information or pluginsBroadcasting wrong information Testing out tools before attacking real targetIdiots!KiddieScripters11
Innocent bystanders Wrong place at the wrong time.Alabama KKKPorn bloggerCanadian Pills12
Easy Targets – Inside Attacker13
“You” 14
How to preventKiddie Scripter'sInnocent bystandersEasy targets – inside attacksYou15
Keep your site up to dateKeep your plugins up to date / Use reliable / popularKeep your widgets up to date / tested and approvedAdd .htaccess to wp-admin pageRead your hosting status updates “godaddy”Ask for mod_sec to be installed by hosting providerKiddieScripters16
Innocent bystanders DNS – What is it?Whoiswww.yourdomain.com Go up 2 down 2 Misspelling your names17
Easy Targets – Inside Attacker18
“You” 19
Experts / Hosting on managed serverPermissions and Root Kill blogs4x316x920
All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server. / -- the root Wordpress directory: all files should be writable only by your user account.EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you/wp-admin/ -- the WordPress administration area: all files should be writable only by your user account./wp-includes/ -- the bulk of WordPress application logic: all files should be writable only by your user account./wp-content/ -- variable user-supplied content: intended by Developers to be completely writable by all (owner/user, group, and public)./wp-content/themes/ -- theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account/wp-content/plugins/ -- plugin files: all files should be writable only by your user account.other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.File Permissions – Hosting your own21
Error logs Please customize your error handlers.Check your logs /var/logs/ /apache2 /httpdForce SSL Usage - NoClear TXT!Traffic is keyUse .htaccess To Protect The wp-config File Remove Your WordPress Version Number… Seriously!22
URLs to Help http://httpd.apache.org/docs/2.2/howto/auth.htmlhttp://www.modsecurity.org/http://wordpress.org/extend/plugins/replace-wp-version/23

More Related Content

PPT
Hack Firefox to steal websecrets
guestb3d416
 
PPT
Internet browser and search engines
Joshua Pasion
 
ODP
New or obscure web browsers 4x3 (rcsi draft 6)
msz
 
PPT
Sadmind Viruses
CodyMM
 
ODP
Web Browser Basics, Tips & Tricks Draft 17
msz
 
PDF
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
PPT
Web development resourses
Ukietech
 
ODP
More Browser Basics, Tips & Tricks 3 Draft 8
msz
 
Hack Firefox to steal websecrets
guestb3d416
 
Internet browser and search engines
Joshua Pasion
 
New or obscure web browsers 4x3 (rcsi draft 6)
msz
 
Sadmind Viruses
CodyMM
 
Web Browser Basics, Tips & Tricks Draft 17
msz
 
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
Web development resourses
Ukietech
 
More Browser Basics, Tips & Tricks 3 Draft 8
msz
 

What's hot (8)

PDF
Techno Savvy Course Presentation
Jesse Emerick
 
PPTX
Web Browser And Search Engine ! Batra Computer Centre
jatin batra
 
PPTX
Prevent hacking
Viswanath Polaki
 
PPT
Hacking The World With Flash
joepangus
 
ODP
More Browser Basics, Tips & Tricks 2 Draft 17
msz
 
PPTX
Two Step Authentication - Chris La Nauze WordPress meetup presentation
Chris La Nauze
 
PPTX
Ransomware History and Monitoring Tips
NetFort
 
PPT
Malware Goes to the Movies - Briefing
Aleksandr Yampolskiy
 
Techno Savvy Course Presentation
Jesse Emerick
 
Web Browser And Search Engine ! Batra Computer Centre
jatin batra
 
Prevent hacking
Viswanath Polaki
 
Hacking The World With Flash
joepangus
 
More Browser Basics, Tips & Tricks 2 Draft 17
msz
 
Two Step Authentication - Chris La Nauze WordPress meetup presentation
Chris La Nauze
 
Ransomware History and Monitoring Tips
NetFort
 
Malware Goes to the Movies - Briefing
Aleksandr Yampolskiy
 
Ad

Viewers also liked (7)

PDF
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
PPTX
Nbt con december-2014-slides
Behrouz Sadeghipour
 
PDF
Nikto
Sorina Chirilă
 
PDF
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
PDF
Web Application Security 101 - 06 Authentication
Websecurify
 
PPTX
Introduction to STIX 101
stixproject
 
PPTX
Bug Bounty 101
Shahee Mirza
 
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Nikto
Sorina Chirilă
 
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
Web Application Security 101 - 06 Authentication
Websecurify
 
Introduction to STIX 101
stixproject
 
Bug Bounty 101
Shahee Mirza
 
Ad

Similar to Wordpress security 101 202 (20)

PPTX
WordPress Security Best Practices
Zero Point Development
 
PPTX
WordPress security
Shelley Magnezi
 
PPT
Secure All The Things!
Dougal Campbell
 
PPTX
How To Remove WP-VCD WordPress Malware Attack_.pptx
Elsner Technologies Pvt. Ltd.
 
PDF
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
PPT
ethical-hacking-18092013112412-ethical-hacking.ppt
ricagip499
 
KEY
Higher Order WordPress Security
Dougal Campbell
 
PDF
Types of Security Threats WordPress Websites Face: Part-1
WPWhiteBoard
 
PPTX
Simple Ways to Secure and Maintain Your WordPress Website
Rich Plakas
 
DOCX
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
PPTX
WordPress Security Best Practices
Zero Point Development
 
PDF
WordPress Security Presentation
Andrew Paton
 
PDF
WordPress Security Best Practices 2019 Update
Zero Point Development
 
PPTX
Wordpress Bug Bounty by Nagendran R.pptx
NagendranR14
 
PPTX
Wordpress Bug Bounty by Nagendran R.pptx
NagendranR14
 
PDF
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
xererenhosdominaram
 
PDF
Computer viruses
Alfred George
 
PPTX
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
PDF
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
PDF
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
WordPress Security Best Practices
Zero Point Development
 
WordPress security
Shelley Magnezi
 
Secure All The Things!
Dougal Campbell
 
How To Remove WP-VCD WordPress Malware Attack_.pptx
Elsner Technologies Pvt. Ltd.
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ricagip499
 
Higher Order WordPress Security
Dougal Campbell
 
Types of Security Threats WordPress Websites Face: Part-1
WPWhiteBoard
 
Simple Ways to Secure and Maintain Your WordPress Website
Rich Plakas
 
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
WordPress Security Best Practices
Zero Point Development
 
WordPress Security Presentation
Andrew Paton
 
WordPress Security Best Practices 2019 Update
Zero Point Development
 
Wordpress Bug Bounty by Nagendran R.pptx
NagendranR14
 
Wordpress Bug Bounty by Nagendran R.pptx
NagendranR14
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
xererenhosdominaram
 
Computer viruses
Alfred George
 
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation theory and applications.pdf
gurumoop
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 

Wordpress security 101 202

  • 1. Wordpress Security 101-202By James F. Ruffer III C|EH1
  • 2. Bio of a Ethical Hacker:I am always thinking how can I break that?Open source brain and help as many as possible…within reason.2
  • 3. My wordpress sites www.unixbox.orgwww.resolutegames.com < hackedwww.resoluteinteractive.commemphis.issa.orgwww.socialowl.cowww.securityevents.infowww.socialmediasecurity.com3
  • 4. FireTalk – 3, 2, 1. GO!4
  • 5. Who is attacking “you”?Kiddie Scripter'sInnocent bystandersEasy targets – inside attacksYou5
  • 6. Script kiddies vandalize websites both for the thrill of it and to increase their reputation among their peers. Some more malicious script kiddies have used virus toolkits to create and propagate the Anna Kournikova and Love Bugviruses.[1] Script kiddies lack, or are only developing, coding skills sufficient to understand the effects and side effects of their work. As a result, they leave significant traces which lead to their detection, or directly attack companies which have detection and countermeasures already in place, or in recent cases, leave automatic crash reporting turned on. – Wiki Definition KiddieScripters6
  • 7. Innocent bystanders Wrong place at the wrong time.7
  • 8. Easy Targets – Inside Attacker8
  • 10. Why are they attacking you?Kiddie Scripter'sInnocent bystandersEasy targets – inside attacksYou10
  • 11. Scanned for certain information or pluginsBroadcasting wrong information Testing out tools before attacking real targetIdiots!KiddieScripters11
  • 12. Innocent bystanders Wrong place at the wrong time.Alabama KKKPorn bloggerCanadian Pills12
  • 13. Easy Targets – Inside Attacker13
  • 15. How to preventKiddie Scripter'sInnocent bystandersEasy targets – inside attacksYou15
  • 16. Keep your site up to dateKeep your plugins up to date / Use reliable / popularKeep your widgets up to date / tested and approvedAdd .htaccess to wp-admin pageRead your hosting status updates “godaddy”Ask for mod_sec to be installed by hosting providerKiddieScripters16
  • 17. Innocent bystanders DNS – What is it?Whoiswww.yourdomain.com Go up 2 down 2 Misspelling your names17
  • 18. Easy Targets – Inside Attacker18
  • 20. Experts / Hosting on managed serverPermissions and Root Kill blogs4x316x920
  • 21. All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server. / -- the root Wordpress directory: all files should be writable only by your user account.EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you/wp-admin/ -- the WordPress administration area: all files should be writable only by your user account./wp-includes/ -- the bulk of WordPress application logic: all files should be writable only by your user account./wp-content/ -- variable user-supplied content: intended by Developers to be completely writable by all (owner/user, group, and public)./wp-content/themes/ -- theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account/wp-content/plugins/ -- plugin files: all files should be writable only by your user account.other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.File Permissions – Hosting your own21
  • 22. Error logs Please customize your error handlers.Check your logs /var/logs/ /apache2 /httpdForce SSL Usage - NoClear TXT!Traffic is keyUse .htaccess To Protect The wp-config File Remove Your WordPress Version Number… Seriously!22

Editor's Notes

  • #5: I am going to run through this as if you don’t know anything about security per se. At the end I will get into more advanced tools and techniques. Some of this might be common sense but I have to say it so I can tell you I told you so later.