10 WordPress security measures you can implement today!
2 likes2,303 views
1. Secure your local environment by using good internet security software like antivirus and firewalls. 2. Secure file transfers by using SSH, FTPS, or SFTP instead of unsecure FTP. Update WordPress core, themes, plugins, and libraries regularly to fix security issues. 3. Use strong passwords that are at least 8 characters long with uppercase letters, numbers, and symbols. Consider using a password manager. Enable two-step authentication for added security.
![# 4 S t ro n g p a s s w o rd
English alphabet (uppercase not distinguished)
English alphabet (lower & upper) + number
English alphabet (lower & upper) + number + special character
Type of letters used Available number of letters
Max. time needed to decrypt
No. characters
Ref: IPA 独立行政法人 情報処理推進機構:コンピュータウイルス・不正アクセスの届出状況[2008年9月分および第3四半期]について
http://www.ipa.go.jp/security/txt/2008/10outline.html
3 sec.
2 min.
9 min. 54 days
5 days
37 min. 17 days
50 yrs.
32 yrs.
0.2m yrs.
1000 yrs. 10m yrs.](https://image.slidesharecdn.com/20150522wpmeetuptokyo23-150523014744-lva1-app6892/85/10-WordPress-security-measures-you-can-implement-today-7-320.jpg)
10 WordPress security measures you can implement today!
- 1. 1 0 W O R D P R E S S S E C U R I T Y M E A S U R E S Y O U C A N I M P L E M E N T T O D AY ! Wo rd P re s s M e e t u p To k y o # 2 3 — M a y 2 0 1 5 Toru Miki
- 2. A s s i s t a n t We b m a s t e r a t Te m p l e U n i v e r s i t y, J a p a n C a m p u s Wo rd P re s s e x p e r i e n c e : 9 y e a r s h t t p s : / / p ro f i l e s . w o rd p re s s . o rg / t o r u To r u M i k i
- 3. # 1 S e c u re y o u r l o c a l e n v i ro n m e n t • Use good internet security software • Antivirus • Firewall • Antispam • etc
- 4. # 2 S e c u re f i l e t r a n s f e r • Use • SSH • FTPS • SFTP • Stop using • FTP • Does your hosting server only allows FTP? • Move! C o m m a n d - l i n e C l i e n t s o f t w a re • W i n S C P • F i l e Z i l l a • C y b e rd u c k • Tr a n s m i t …
- 5. # 3 U p d a t e , u p d a t e , u p d a t e ! • Core • Minor updates (E.g. 4.1.x, 4.2.x, 4.3.x, etc) are security fixes • Major updates (e.g. 3.x, 4.x, 5.x, etc) includes lots of bug fixes too • Themes • Plugins • If you are a developer — libraries/scripts you have used • E.g. TimThumb script http://wptavern.com/wordpress-security-alert-new-zero-day- vulnerability-discovered-in-timthumb-script
- 6. # 4 S t ro n g p a s s w o rd • Stronger password = • harder for others to guess • harder for brute force attack to succeed • At least 8 characters, include uppercase letter(s), include special character(s), include number(s), and not found in the dictionary • E.g. K#5r!g3y
- 7. # 4 S t ro n g p a s s w o rd English alphabet (uppercase not distinguished) English alphabet (lower & upper) + number English alphabet (lower & upper) + number + special character Type of letters used Available number of letters Max. time needed to decrypt No. characters Ref: IPA 独立行政法人 情報処理推進機構:コンピュータウイルス・不正アクセスの届出状況[2008年9月分および第3四半期]について http://www.ipa.go.jp/security/txt/2008/10outline.html 3 sec. 2 min. 9 min. 54 days 5 days 37 min. 17 days 50 yrs. 32 yrs. 0.2m yrs. 1000 yrs. 10m yrs.
- 8. # 4 S t ro n g p a s s w o rd • WordPress’ password strength meter • Password manager softwares • 1 Password - https://agilebits.com/onepassword • LastPass - https://lastpass.com/
- 9. # 5 Tw o - s t e p a u t h e n t i c a t i o n • = Two-factor authentication/verification • 2nd layer of secure login • Plugins (e.g.) • Google Authenticator - https://wordpress.org/plugins/google-authenticator/ • Rublon - https://wordpress.org/plugins/rublon/ • Jetpack - https://wordpress.org/plugins/jetpack/ • Use “sign in using your WordPress.com account” feature, and utilize its “Two Step Authentification” feature • E.g. Using Google Two-Factor Authentication With WordPress - Tuts+ Code Tutorial http://code.tutsplus.com/tutorials/using-google-two-factor-authentication-with- wordpress--cms-22263
- 10. # 6 L i m i t a c c e s s t o / w p - a d m i n / • Limit by password protection (e.g. BasicAuth) • http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php • create .htpassword • edit .htaccess • Limit by IP address • http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp- admin_by_IP • For both methods, watch out for plugin which uses admin-ajax.php • http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp- admin_by_IP
- 11. # 7 S e t t h e f i l e p e r m i s s i o n s r i g h t • WordPress Codex’s recommendations are… • All directories should be 755 or 750 find . -type d -print -exec chmod 755 {} ; • No directories should ever given 777 • All files should be 644 or 640 find . -type f -print -exec chmod 644 {} ; • Except, wp-config.php should be 440 or 400 chmod 644 wp-config.php; Changing File Permissions « WordPress Codex https://codex.wordpress.org/Changing_File_Permissions
- 12. # 8 D i s a b l e f i l e e d i t i n g • By default, administrators can edit Theme and Plugin files from the dashboard. This feature can be used by an attacker to insert malicious code… • To disable editing files in dashboard, add this to wp- config.php define('DISALLOW_FILE_EDIT', true); • http://codex.wordpress.org/ Hardening_WordPress#Disable_File_Editing
- 13. # 1 0 G e t T h e m e s a n d P l u g i n s f ro m t r u s t e d s o u rc e s , a n d d e l e t e i f n o t u s e d • The official repository at WordPress.org • Frequently updated, and still in continuous development • Delete any Themes and Plugins you are not using any more
- 14. E x t r a — a n o t e o n “ a d m i n ” u s e r • Username “admin” is often targeted by brute-force attack • But even if you don’t use “admin”, attacker can find out the username by http://example.com/?author=1 • So not using “admin” does not mean it is safe • However, it is still a good practice because: • We know “admin” is targeted, so it is better not use it than using it • High number of login attempts uses so much of your server resources, and can bring the server down
- 15. E x t r a — h i d e y o u r Wo rd P re s s v e r s i o n ? • Hide you WordPress version, so the attacker won’t know which version you are using — Not True remove_action('wp_head', ‘wp_generator'); • There are other ways of attackers to find the version: • http://example.com/readme.html • Query string appended to style sheet and scripts, such as style.css? ver=4.1.0 • And many more… The WordPress Meta “generator” Tag Paranoia http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag- paranoia/
- 16. E x t r a — s o m e p l u g i n s • Wordfence Security https://wordpress.org/plugins/wordfence/ • Login Security Solution https://wordpress.org/plugins/login-security-solution/ • Crazy Bone https://wordpress.org/plugins/crazy-bone/
- 17. E x t r a — s o m e l i n k s • Hardening WordPress « WordPress Codex http://codex.wordpress.org/Hardening_WordPress • Brute Force Attacks « WordPress Codex http://codex.wordpress.org/Brute_Force_Attacks • WordPress Tavern http://wptavern.com/ • Sucuri Blog | Website Security News https://blog.sucuri.net/