SlideShare a Scribd company logo

How to Secure your WordPress Website - WordCamp UK 2014

Primary Image Ltd, profile picture
Primary Image Ltd

The document is a presentation on securing WordPress websites, highlighting the vulnerability of WordPress due to its widespread use and the common attacks it faces, primarily from automated bots. It offers practical steps to enhance security, including keeping WordPress and plugins updated, selecting trusted themes and plugins, using strong passwords, and implementing additional security measures like SSL encryption. The author emphasizes that while WordPress is generally secure, proactive measures are necessary to protect against potential threats.

TechnologyBusiness
1 of 75
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
WordCamp UK 2014 How to Secure your WordPress Website Mike Pead www.primaryimage.com
About Me!  Web design for 15 years  Based in Essex & London  Founded Primary Image in 2010  Mainly work with small/medium sized businesses 2
About Me!  Manage WordPress hosting for clients  100% WordPress  Handle all their security, including WordPress updates 3
 Why worry about WordPress security?  Steps you can take to secure your site… Today’s Talk
? Why is WordPress vulnerable?
% of WordPress Usage 23 60 All Websites CMS Websites % That’s over 70 million websites in the world! Half are self-hosted. Only a fraction of sites change from the default configuration. 6 1 2 3 %
! = WordPress is an attractive target to hackers due to its popularity – a victim of its own success!
? So why did I get interested in WordPress security?
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
Most attacks are automated (i.e. bots)!
Analysis by Wordfence Looked at 26 million "page not found“ reports from 30,000 websites 15
Bot URL requests • 4th place: 102,800 requests: /wp-login.php • 7th place: 31,800 requests: /wp-login.php?action=register • 10th place: 24,000 requests: /wp-comments-post.php • 11th place: 22,300 requests: /administrator/ • 23rd place: 14,200 requests: /wp-content/themes/GeoPlaces/monetize/ • 45th place: 8,500 requests: /author=1 Source: http://www.wordfence.com/blog/2014/05/top-100-page-not-found-errors-for-wordpress/ 16
Bot URL requests 17
? So what does a botnet attack look like?
Consequences of an attack… 19 Website becomes inaccessible Lose brand reputation Lose SEO / become blacklisted
20
So is WordPress Secure? 21 • YES IT IS! • And trusted by some of the biggest names in the world:
Are you sure it’s secure? • Most vulnerabilities are found in plugins and hosting environment, not the WordPress core. • WordPress is extremely good (& quick) at rolling out security fixes when issues are found. • Many techniques used to attack WordPress could be applied to other types of CMS too. 22
But there are precautions you can take to secure your site …!
And the WordPress Codex itself gives some tips: http://codex.wordpress.org/ Hardening_WordPress !
? What simple steps can I take to secure my site?
01 Keep WordPress updated • WHY? WordPress is open-source – means anyone can see what vulnerabilities have been fixed between versions. • HOW?  One-click upgrades are easy, quick & reliable. • Today you should all be using WordPress 3.9.1. 26
01 Keep WordPress updated • Survey of 350+ NHS WordPress websites: 27 Source: Terence Eden http://shkspr.mobi/blog/2014/03/2000-nhs-security/vulnerabilities-disclosed/
01 Keep WordPress updated • I alerted the Trade & Investment (UKTI) Government department in March they were using WP 3.4.2 for their blog: – released in 2012 – 9 security updates had been issued 28
02 Keep plugins updated • WHY? Can be a big hole for allowing attacks. • HOW?  If running multiple sites, use a service such as WP Remote (free) to check and install plugin updates in one dashboard. –How often do you check & install plugin updates? 29
03 Only use trusted plugins • WHY? Not all plugins can be trusted! • HOW?  Get the plugin from wordpress.org or a trusted source.  How many downloads / reviews has it got?  When was it last updated? 30
04 Only use trusted themes • WHY? Themes can have poorly written code, or worse – purposely malicious code included. • HOW?  Get the theme from a trusted source.  Examine the code yourself.  Be aware of Base64 code: TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGh pcyByZWFzb24sIGJ1dCBieSB0aGlzmd1aXNoZWQsIG5vdCft 31
05 Choose a secure password • WHY? Brute force attacks mainly rely on using dictionary words. • HOW?  Use characters, numbers, capitals, etc.  Use a unique password, don’t use the same for every login on the internet!  Change it regularly, at least every 3 months.  Make sure other users also have strong passwords.  This includes your FTP, cPanel & other passwords too! 32
06 No “admin” usernames • WHY? Any element of predictability gives hackers an edge. Bots will try this first! • HOW?  Setup a new admin account with a unique username.  Delete the existing admin account. 33
07 You need decent hosting • WHY? Attacks can exploit vulnerabilities at a server-level. Don’t let your hosting account be the weak link. • HOW?  Choose a reputable host, perhaps those that specialise in WordPress.  Budget hosts may not always have their focus on security. 34
08 Keep regular backups! • WHY? If the worst comes to the worst, have a clean backup you can restore to! • HOW?  Download a copy to your computer.  Use an external service, e.g. myRepono.  Frequency to depend on how often your site is updated! 35
? Want more powerful steps to secure your WordPress site…
09 Restrict login attempts • WHY? Detect and block brute force attacks. • HOW?  Install a plugin such as iThemes Security. 37
09 Restrict login attempts 38 • Setup differently depending on whether it’s just you or members of the public logging-in!
09 Restrict login attempts • BUT THERE ARE FLAWS IN THIS METHOD: Botnet attacks can come from 1000s of IP addresses. 39
09 Restrict login attempts • How about BruteProtect? It logs every failed attempt community-wide. Botnet attacks can come from 1000s of IP addresses. 40
10 Switch on SSL encryption • WHY? Secures the traffic between the server and your computer, inc. your password. • HOW?  Buy an SSL certificate from your host.  Force WP-Admin SSL in iThemes Security. 41
11 Obscurity • WHY? Make it harder for bots to scan for your WordPress version. • HOW? 42
12 Change your database prefix • WHY? Default MySQL tables easy to guess. • HOW? Use iThemes Security or Change Database Prefix 43
404 detection blocking “Away mode” Set “allow” IP addresses Changing directory URLs as they can break plugins Automatic edits to key files Enforcing strong passwords for subscribers Blocking whole countries Things I don’t recommend:
• WHY? Provides another hurdle for unauthorised users trying to login. • HOW?  Google Authenticator 45 13 Two-Factor Authentication
14 Monitor what’s happening • WHY? If you have a multi-author site, check what they’re doing! • HOW? Plainview Activity Monitor 46
.htaccess file
15 Block access to system files • WHY? You don’t want prying eyes looking at these sensitive files! • HOW?  Add some rules to your .htaccess file. 48
How to Secure your WordPress Website - WordCamp UK 2014
15 Block access to system files # protect files <files wp-config.php> Order deny,allow Deny from all </files> <files readme.html> Order allow,deny Deny from all </files> 50 <files license.txt> Order allow,deny Deny from all </files> <files install.php> Order allow,deny Deny from all </files> <files error_log> Order allow,deny Deny from all </files>
15 Block access to system files Recommended on the WordPress Codex: # Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> 51
16 Build your own firewall • WHY? Stop dodgy requests from even reaching your WordPress installation – block them at server level. • HOW?  Again, add some rules to the .htaccess file. 52
16 Build your own firewall Extract from 5G Blacklist (http://perishablepress.com/5g-blacklist-2013) # 5G:[QUERY STRINGS] <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{QUERY_STRING} ("|%22).*(<|>|%3) [NC,OR] RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR] RewriteCond %{QUERY_STRING} (|../|`|='$|=%27$) [NC,OR] RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR] RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR] RewriteCond %{QUERY_STRING} (boot.ini|echo.*kae|etc/passwd) [NC,OR] RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|[|%) [NC] RewriteRule .* - [F] </IfModule> 53
16 Build your own firewall <IfModule mod_alias.c> RedirectMatch 403 (https?|ftp|php):// RedirectMatch 403 /(https?|ima|ucp)/ RedirectMatch 403 /(Permanent|Better)$ RedirectMatch 403 (='|=%27|/'/?|).css()$ RedirectMatch 403 (,|)+|/,/|{0}|(/(|...|+++|||"") RedirectMatch 403 .(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$ RedirectMatch 403 /(contac|fpw|install|pingserver|register).php$ RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107_) RedirectMatch 403 (eval(|_vti_|(null)|echo.*kae|config.xml) RedirectMatch 403 .well-known/host-meta RedirectMatch 403 /function.array-rand RedirectMatch 403 );$(this).html( RedirectMatch 403 proc/self/environ RedirectMatch 403 msnbot.htm)._ RedirectMatch 403 /ref.outcontrol RedirectMatch 403 com_cropimage RedirectMatch 403 indonesia.htm RedirectMatch 403 {$itemURL} RedirectMatch 403 function() RedirectMatch 403 labels.rdf RedirectMatch 403 /playing.php RedirectMatch 403 muieblackcat </IfModule> 54 More…!
16 Build your own firewall RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)[NC,OR] RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00)[NC,OR] RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|)|(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)[NC,OR] RewriteCond %{THE_REQUEST} (?|*|%2a)+(%20+|s+|%20+s+|s+%20+|s+%20+s+)HTTP(:/|/)[NC,OR] RewriteCond %{THE_REQUEST} etc/passwd[NC,OR] RewriteCond %{THE_REQUEST} cgi-bin [NC,OR] RewriteCond %{THE_REQUEST} (%0A|%0D|r|n)[NC,OR] RewriteCond %{REQUEST_URI} owssvr.dll [NC,OR] RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00)[NC,OR] RewriteCond %{HTTP_REFERER} .opendirviewer.[NC,OR] RewriteCond %{HTTP_REFERER} users.skynet.be.* [NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http://[NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] RewriteCond %{QUERY_STRING} (../|%2e%2e%2f|%2e%2e/|..%2f|%2e.%2f|%2e./|.%2e%2f|.%2e/)[NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http:[NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} =|w| [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$[NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E)[NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*embed.*(>|%3E)[NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*object.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E)[NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*(.*)[NC,OR] RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*([^)]*)[NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2})[OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})[OR] RewriteCond %{QUERY_STRING} ^.*((|)|<|>|%3c|%3e).*[NC,OR] RewriteCond %{QUERY_STRING} ^.*(x00|x04|x08|x0d|x1b|x20|x3c|x3e|x7f).* [NC,OR] RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] RewriteCond %{QUERY_STRING} (.{1,}/)+(motd|etc|bin)[NC,OR] RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1)[NC,OR] RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00)[NC,OR] RewriteCond %{QUERY_STRING} concat[^(]*([NC,OR] RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} -[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR] RewriteCond %{QUERY_STRING} (;|<|>|'|"|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)[NC,OR] RewriteCond %{QUERY_STRING} (sp_executesql)[NC] RewriteRule ^(.*)$ - [F,L] # END BPSQSE BPS QUERY STRING EXPLOITS 55 BulletProof Security adds 43 lines of rules to the .htaccess file!
16 Build your own firewall • CHECK OUT…  The 5G 2013 list: http://perishablepress.com/5g- blacklist-2013/  The htaccess file generated by BulletProof Security  WordPress Codex 56
17 Hide the .htaccess file itself! • HOW? # STRONG HTACCESS PROTECTION <Files ~ "^.*.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </Files> 57
18 Protect your WP-Admin area • Problem with login limits plugins: –Query database for every request –Run a lot of server processes –Fill up your MySQL database 58
18 Protect your WP-Admin area 59 WP-Admin MySQL Database
18 Protect your WP-Admin area STEP 1: Use your hosting control panel to password protect the WP-Admin directory 60
18 Protect your WP-Admin area End up with this: 61
18 Protect your WP-Admin area • STEP 2: New htaccess file in the WP-Admin folder: AuthType basic AuthUserFile "/home/example.co.uk/wp-admin//.htpasswd" AuthGroupFile /dev/null AuthName "ENTER YOUR LOGIN DETAILS" Require valid-user <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> ErrorDocument 401 /401error.html 62
18 Protect your WP-Admin area • STEP 3: Add this to your root htaccess: <Files wp-login.php> AuthType Basic AuthUserFile "/home/example.co.uk/wp-admin//.htpasswd" AuthGroupFile /dev/null AuthName "ENTER YOUR LOGIN DETAILS" Require valid-user </Files> ErrorDocument 401 /401error.html 63
18 Protect your WP-Admin area 64 Presented to the user:
18 Protect your WP-Admin area 65 Create a custom 401 error page:
18 Protect your WP-Admin area • Benefits: –Blocks bad bots at server-level –Less server resources needed than firing up WordPress –Works ok with public logins if using a front- end login form (e.g. ‘Theme My Login’ plugin with the front-end widget) 66
19 Block PHP in Uploads folder • WHY? Uploads folder can be used by other users. • HOW?  Create a .htaccess file in the WP-Content/Uploads folder, with the following: <Files *.php> Deny from All </Files> 67
20 Tighten PHP configuration • WHY? Helps block PHP code injection vulnerabilities caused by bad input filtering. • HOW?  Add a php.ini file in your root directory and paste in some code… 68
20 Tighten PHP configuration ; Disable allow_url_fopen in php.ini for security reasons allow_url_fopen = Off ; Disable allow_url_include in php.ini for security reasons allow_url_include = Off ; Disable display_errors in php.ini for security reasons display_errors = Off log_errors = On 69
21 Create your own encryption keys • WHY? Makes an attackers job harder. • HOW?  Open up wp-config.php, scroll down to “Authentication Unique Keys and Salts”.  Generate your own keys at: https://api.wordpress.org/secret-key/1.1/salt/ 70
22 Move WP-Config location • WHY? Take wp-config.php out of a publicly accessible location. • HOW? Move it one level up, outside of your public_html folder: 71
23 Folder permissions • WHY? Can be a security hole if permissions are not strong enough. • HOW?  Use your FTP software’s CHMOD feature. 72
23 Folder permissions  All folders should have a CHMOD of 755.  All "wp-" PHP files = 644.  wp-config.php = 640.  htaccess files = 644.  robot.txt = 755.  sitemap.xml = 666. 73
Don’t forget the basics: • Keep WordPress and your plugins updated. • Have a secure password. • Get decent quality hosting.
www.primaryimage.com Twitter: @primaryimage Also find us on Facebook, Google+ & LinkedIn

More Related Content

PDF
WordPress security & performance a beginners guide
Mickey Mellen
 
PPTX
Building Secure WordPress Sites
Catch Themes
 
PDF
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
PDF
8 Ways to Hack a WordPress website
SiteGround.com
 
PDF
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
PPTX
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
PDF
WordPress Troubleshooting Hacks.pdf
Arthur Kasirye
 
PPTX
WordPress security for everyone
Vladimír Smitka
 
WordPress security & performance a beginners guide
Mickey Mellen
 
Building Secure WordPress Sites
Catch Themes
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
8 Ways to Hack a WordPress website
SiteGround.com
 
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
WordPress Troubleshooting Hacks.pdf
Arthur Kasirye
 
WordPress security for everyone
Vladimír Smitka
 

What's hot (20)

PDF
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
PPTX
WordPress Security Tips
Catch Themes
 
PDF
Secrets to a Hack-Proof Joomla Revealed
SiteGround.com
 
PPTX
Locking down word press
Zachary Russell
 
DOCX
The Ultimate Guide to Wordpress Security
AidanChard
 
PPT
Tips to improve word press security ppt
Cheap SSL Coupon Code
 
PPTX
How secure is WordPress ?
Er. Narayan Koirala
 
PPTX
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
Elsner Technologies Pvt Ltd
 
PPT
Why wordpress is not completely safe
Brainwork Technologies
 
PDF
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
PPTX
An example of cms - wordpress
Eunus Hosen
 
PPTX
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
PDF
WordPress Security WordCamp OC 2013
Brad Williams
 
PDF
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
PPT
Securing Word Press Blog
Chetan Gole
 
PDF
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
PPTX
Managing WordPress
Steven Watts
 
PDF
Basic Plugin Recommendations to get your WordPress Website Started
Nile Flores
 
PPTX
Word campktm speed-security
Digamber Pradhan
 
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
WordPress Security Tips
Catch Themes
 
Secrets to a Hack-Proof Joomla Revealed
SiteGround.com
 
Locking down word press
Zachary Russell
 
The Ultimate Guide to Wordpress Security
AidanChard
 
Tips to improve word press security ppt
Cheap SSL Coupon Code
 
How secure is WordPress ?
Er. Narayan Koirala
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
Elsner Technologies Pvt Ltd
 
Why wordpress is not completely safe
Brainwork Technologies
 
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
An example of cms - wordpress
Eunus Hosen
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
WordPress Security WordCamp OC 2013
Brad Williams
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
Securing Word Press Blog
Chetan Gole
 
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
Managing WordPress
Steven Watts
 
Basic Plugin Recommendations to get your WordPress Website Started
Nile Flores
 
Word campktm speed-security
Digamber Pradhan
 
Ad

Similar to How to Secure your WordPress Website - WordCamp UK 2014 (20)

PDF
Essential WordPress Security Tips to Protect Your Website in 2024.pdf
jaunelia596
 
PDF
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
jaunelia596
 
PPTX
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
WPMU DEV
 
PPTX
Protect Your WordPress From The Inside Out
SiteGround.com
 
PPTX
WordPress security
Shelley Magnezi
 
PPTX
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
Meagan Hanes
 
PDF
Responsible [digital] Home Ownership
Denise (Dee) Teal
 
PDF
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
 
PPTX
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
KEY
Word Camp Ph 2009 Word Press In The Wild
rebelpixel
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
PDF
Staying Connected: Securing Your WordPress Website
Raymund Mitchell
 
PDF
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
PPTX
Content Management System(CMS) & Basic WordPress
Shahadat Hossain Manik
 
PPTX
WordPress Resources Nov 2014
Judy Wilson
 
PDF
WordPress Security Presentation
Andrew Paton
 
PDF
Seravo.com: WordPress Security 101
Seravo
 
PPT
WordCamp Philippines 2009: WordPress In The Wild
rebelpixel
 
PPTX
WordPress Security and Best Practices
Robert Vidal
 
PDF
Introduction to WordPress Security
Nile Flores
 
Essential WordPress Security Tips to Protect Your Website in 2024.pdf
jaunelia596
 
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
jaunelia596
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
WPMU DEV
 
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress security
Shelley Magnezi
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
Meagan Hanes
 
Responsible [digital] Home Ownership
Denise (Dee) Teal
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
 
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
Word Camp Ph 2009 Word Press In The Wild
rebelpixel
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
Staying Connected: Securing Your WordPress Website
Raymund Mitchell
 
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
Content Management System(CMS) & Basic WordPress
Shahadat Hossain Manik
 
WordPress Resources Nov 2014
Judy Wilson
 
WordPress Security Presentation
Andrew Paton
 
Seravo.com: WordPress Security 101
Seravo
 
WordCamp Philippines 2009: WordPress In The Wild
rebelpixel
 
WordPress Security and Best Practices
Robert Vidal
 
Introduction to WordPress Security
Nile Flores
 
Ad

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Teaching material agriculture food technology
LiaRayya
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Cloud computing and distributed systems.
kkkkkhan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 

How to Secure your WordPress Website - WordCamp UK 2014

  • 1. WordCamp UK 2014 How to Secure your WordPress Website Mike Pead www.primaryimage.com
  • 2. About Me!  Web design for 15 years  Based in Essex & London  Founded Primary Image in 2010  Mainly work with small/medium sized businesses 2
  • 3. About Me!  Manage WordPress hosting for clients  100% WordPress  Handle all their security, including WordPress updates 3
  • 4.  Why worry about WordPress security?  Steps you can take to secure your site… Today’s Talk
  • 5. ? Why is WordPress vulnerable?
  • 6. % of WordPress Usage 23 60 All Websites CMS Websites % That’s over 70 million websites in the world! Half are self-hosted. Only a fraction of sites change from the default configuration. 6 1 2 3 %
  • 7. ! = WordPress is an attractive target to hackers due to its popularity – a victim of its own success!
  • 8. ? So why did I get interested in WordPress security?
  • 14. Most attacks are automated (i.e. bots)!
  • 15. Analysis by Wordfence Looked at 26 million "page not found“ reports from 30,000 websites 15
  • 16. Bot URL requests • 4th place: 102,800 requests: /wp-login.php • 7th place: 31,800 requests: /wp-login.php?action=register • 10th place: 24,000 requests: /wp-comments-post.php • 11th place: 22,300 requests: /administrator/ • 23rd place: 14,200 requests: /wp-content/themes/GeoPlaces/monetize/ • 45th place: 8,500 requests: /author=1 Source: http://www.wordfence.com/blog/2014/05/top-100-page-not-found-errors-for-wordpress/ 16
  • 18. ? So what does a botnet attack look like?
  • 19. Consequences of an attack… 19 Website becomes inaccessible Lose brand reputation Lose SEO / become blacklisted
  • 20. 20
  • 21. So is WordPress Secure? 21 • YES IT IS! • And trusted by some of the biggest names in the world:
  • 22. Are you sure it’s secure? • Most vulnerabilities are found in plugins and hosting environment, not the WordPress core. • WordPress is extremely good (& quick) at rolling out security fixes when issues are found. • Many techniques used to attack WordPress could be applied to other types of CMS too. 22
  • 23. But there are precautions you can take to secure your site …!
  • 24. And the WordPress Codex itself gives some tips: http://codex.wordpress.org/ Hardening_WordPress !
  • 25. ? What simple steps can I take to secure my site?
  • 26. 01 Keep WordPress updated • WHY? WordPress is open-source – means anyone can see what vulnerabilities have been fixed between versions. • HOW?  One-click upgrades are easy, quick & reliable. • Today you should all be using WordPress 3.9.1. 26
  • 27. 01 Keep WordPress updated • Survey of 350+ NHS WordPress websites: 27 Source: Terence Eden http://shkspr.mobi/blog/2014/03/2000-nhs-security/vulnerabilities-disclosed/
  • 28. 01 Keep WordPress updated • I alerted the Trade & Investment (UKTI) Government department in March they were using WP 3.4.2 for their blog: – released in 2012 – 9 security updates had been issued 28
  • 29. 02 Keep plugins updated • WHY? Can be a big hole for allowing attacks. • HOW?  If running multiple sites, use a service such as WP Remote (free) to check and install plugin updates in one dashboard. –How often do you check & install plugin updates? 29
  • 30. 03 Only use trusted plugins • WHY? Not all plugins can be trusted! • HOW?  Get the plugin from wordpress.org or a trusted source.  How many downloads / reviews has it got?  When was it last updated? 30
  • 31. 04 Only use trusted themes • WHY? Themes can have poorly written code, or worse – purposely malicious code included. • HOW?  Get the theme from a trusted source.  Examine the code yourself.  Be aware of Base64 code: TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGh pcyByZWFzb24sIGJ1dCBieSB0aGlzmd1aXNoZWQsIG5vdCft 31
  • 32. 05 Choose a secure password • WHY? Brute force attacks mainly rely on using dictionary words. • HOW?  Use characters, numbers, capitals, etc.  Use a unique password, don’t use the same for every login on the internet!  Change it regularly, at least every 3 months.  Make sure other users also have strong passwords.  This includes your FTP, cPanel & other passwords too! 32
  • 33. 06 No “admin” usernames • WHY? Any element of predictability gives hackers an edge. Bots will try this first! • HOW?  Setup a new admin account with a unique username.  Delete the existing admin account. 33
  • 34. 07 You need decent hosting • WHY? Attacks can exploit vulnerabilities at a server-level. Don’t let your hosting account be the weak link. • HOW?  Choose a reputable host, perhaps those that specialise in WordPress.  Budget hosts may not always have their focus on security. 34
  • 35. 08 Keep regular backups! • WHY? If the worst comes to the worst, have a clean backup you can restore to! • HOW?  Download a copy to your computer.  Use an external service, e.g. myRepono.  Frequency to depend on how often your site is updated! 35
  • 36. ? Want more powerful steps to secure your WordPress site…
  • 37. 09 Restrict login attempts • WHY? Detect and block brute force attacks. • HOW?  Install a plugin such as iThemes Security. 37
  • 38. 09 Restrict login attempts 38 • Setup differently depending on whether it’s just you or members of the public logging-in!
  • 39. 09 Restrict login attempts • BUT THERE ARE FLAWS IN THIS METHOD: Botnet attacks can come from 1000s of IP addresses. 39
  • 40. 09 Restrict login attempts • How about BruteProtect? It logs every failed attempt community-wide. Botnet attacks can come from 1000s of IP addresses. 40
  • 41. 10 Switch on SSL encryption • WHY? Secures the traffic between the server and your computer, inc. your password. • HOW?  Buy an SSL certificate from your host.  Force WP-Admin SSL in iThemes Security. 41
  • 42. 11 Obscurity • WHY? Make it harder for bots to scan for your WordPress version. • HOW? 42
  • 43. 12 Change your database prefix • WHY? Default MySQL tables easy to guess. • HOW? Use iThemes Security or Change Database Prefix 43
  • 44. 404 detection blocking “Away mode” Set “allow” IP addresses Changing directory URLs as they can break plugins Automatic edits to key files Enforcing strong passwords for subscribers Blocking whole countries Things I don’t recommend:
  • 45. • WHY? Provides another hurdle for unauthorised users trying to login. • HOW?  Google Authenticator 45 13 Two-Factor Authentication
  • 46. 14 Monitor what’s happening • WHY? If you have a multi-author site, check what they’re doing! • HOW? Plainview Activity Monitor 46
  • 48. 15 Block access to system files • WHY? You don’t want prying eyes looking at these sensitive files! • HOW?  Add some rules to your .htaccess file. 48
  • 50. 15 Block access to system files # protect files <files wp-config.php> Order deny,allow Deny from all </files> <files readme.html> Order allow,deny Deny from all </files> 50 <files license.txt> Order allow,deny Deny from all </files> <files install.php> Order allow,deny Deny from all </files> <files error_log> Order allow,deny Deny from all </files>
  • 51. 15 Block access to system files Recommended on the WordPress Codex: # Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> 51
  • 52. 16 Build your own firewall • WHY? Stop dodgy requests from even reaching your WordPress installation – block them at server level. • HOW?  Again, add some rules to the .htaccess file. 52
  • 53. 16 Build your own firewall Extract from 5G Blacklist (http://perishablepress.com/5g-blacklist-2013) # 5G:[QUERY STRINGS] <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{QUERY_STRING} ("|%22).*(<|>|%3) [NC,OR] RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR] RewriteCond %{QUERY_STRING} (|../|`|='$|=%27$) [NC,OR] RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR] RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR] RewriteCond %{QUERY_STRING} (boot.ini|echo.*kae|etc/passwd) [NC,OR] RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|[|%) [NC] RewriteRule .* - [F] </IfModule> 53
  • 54. 16 Build your own firewall <IfModule mod_alias.c> RedirectMatch 403 (https?|ftp|php):// RedirectMatch 403 /(https?|ima|ucp)/ RedirectMatch 403 /(Permanent|Better)$ RedirectMatch 403 (='|=%27|/'/?|).css()$ RedirectMatch 403 (,|)+|/,/|{0}|(/(|...|+++|||"") RedirectMatch 403 .(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$ RedirectMatch 403 /(contac|fpw|install|pingserver|register).php$ RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107_) RedirectMatch 403 (eval(|_vti_|(null)|echo.*kae|config.xml) RedirectMatch 403 .well-known/host-meta RedirectMatch 403 /function.array-rand RedirectMatch 403 );$(this).html( RedirectMatch 403 proc/self/environ RedirectMatch 403 msnbot.htm)._ RedirectMatch 403 /ref.outcontrol RedirectMatch 403 com_cropimage RedirectMatch 403 indonesia.htm RedirectMatch 403 {$itemURL} RedirectMatch 403 function() RedirectMatch 403 labels.rdf RedirectMatch 403 /playing.php RedirectMatch 403 muieblackcat </IfModule> 54 More…!
  • 55. 16 Build your own firewall RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)[NC,OR] RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00)[NC,OR] RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|)|(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)[NC,OR] RewriteCond %{THE_REQUEST} (?|*|%2a)+(%20+|s+|%20+s+|s+%20+|s+%20+s+)HTTP(:/|/)[NC,OR] RewriteCond %{THE_REQUEST} etc/passwd[NC,OR] RewriteCond %{THE_REQUEST} cgi-bin [NC,OR] RewriteCond %{THE_REQUEST} (%0A|%0D|r|n)[NC,OR] RewriteCond %{REQUEST_URI} owssvr.dll [NC,OR] RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00)[NC,OR] RewriteCond %{HTTP_REFERER} .opendirviewer.[NC,OR] RewriteCond %{HTTP_REFERER} users.skynet.be.* [NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http://[NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [NC,OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] RewriteCond %{QUERY_STRING} (../|%2e%2e%2f|%2e%2e/|..%2f|%2e.%2f|%2e./|.%2e%2f|.%2e/)[NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http:[NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} =|w| [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$[NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E)[NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*embed.*(>|%3E)[NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*object.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E)[NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*(.*)[NC,OR] RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*([^)]*)[NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2})[OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})[OR] RewriteCond %{QUERY_STRING} ^.*((|)|<|>|%3c|%3e).*[NC,OR] RewriteCond %{QUERY_STRING} ^.*(x00|x04|x08|x0d|x1b|x20|x3c|x3e|x7f).* [NC,OR] RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] RewriteCond %{QUERY_STRING} (.{1,}/)+(motd|etc|bin)[NC,OR] RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1)[NC,OR] RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00)[NC,OR] RewriteCond %{QUERY_STRING} concat[^(]*([NC,OR] RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} -[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR] RewriteCond %{QUERY_STRING} (;|<|>|'|"|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)[NC,OR] RewriteCond %{QUERY_STRING} (sp_executesql)[NC] RewriteRule ^(.*)$ - [F,L] # END BPSQSE BPS QUERY STRING EXPLOITS 55 BulletProof Security adds 43 lines of rules to the .htaccess file!
  • 56. 16 Build your own firewall • CHECK OUT…  The 5G 2013 list: http://perishablepress.com/5g- blacklist-2013/  The htaccess file generated by BulletProof Security  WordPress Codex 56
  • 57. 17 Hide the .htaccess file itself! • HOW? # STRONG HTACCESS PROTECTION <Files ~ "^.*.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </Files> 57
  • 58. 18 Protect your WP-Admin area • Problem with login limits plugins: –Query database for every request –Run a lot of server processes –Fill up your MySQL database 58
  • 59. 18 Protect your WP-Admin area 59 WP-Admin MySQL Database
  • 60. 18 Protect your WP-Admin area STEP 1: Use your hosting control panel to password protect the WP-Admin directory 60
  • 61. 18 Protect your WP-Admin area End up with this: 61
  • 62. 18 Protect your WP-Admin area • STEP 2: New htaccess file in the WP-Admin folder: AuthType basic AuthUserFile "/home/example.co.uk/wp-admin//.htpasswd" AuthGroupFile /dev/null AuthName "ENTER YOUR LOGIN DETAILS" Require valid-user <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> ErrorDocument 401 /401error.html 62
  • 63. 18 Protect your WP-Admin area • STEP 3: Add this to your root htaccess: <Files wp-login.php> AuthType Basic AuthUserFile "/home/example.co.uk/wp-admin//.htpasswd" AuthGroupFile /dev/null AuthName "ENTER YOUR LOGIN DETAILS" Require valid-user </Files> ErrorDocument 401 /401error.html 63
  • 64. 18 Protect your WP-Admin area 64 Presented to the user:
  • 65. 18 Protect your WP-Admin area 65 Create a custom 401 error page:
  • 66. 18 Protect your WP-Admin area • Benefits: –Blocks bad bots at server-level –Less server resources needed than firing up WordPress –Works ok with public logins if using a front- end login form (e.g. ‘Theme My Login’ plugin with the front-end widget) 66
  • 67. 19 Block PHP in Uploads folder • WHY? Uploads folder can be used by other users. • HOW?  Create a .htaccess file in the WP-Content/Uploads folder, with the following: <Files *.php> Deny from All </Files> 67
  • 68. 20 Tighten PHP configuration • WHY? Helps block PHP code injection vulnerabilities caused by bad input filtering. • HOW?  Add a php.ini file in your root directory and paste in some code… 68
  • 69. 20 Tighten PHP configuration ; Disable allow_url_fopen in php.ini for security reasons allow_url_fopen = Off ; Disable allow_url_include in php.ini for security reasons allow_url_include = Off ; Disable display_errors in php.ini for security reasons display_errors = Off log_errors = On 69
  • 70. 21 Create your own encryption keys • WHY? Makes an attackers job harder. • HOW?  Open up wp-config.php, scroll down to “Authentication Unique Keys and Salts”.  Generate your own keys at: https://api.wordpress.org/secret-key/1.1/salt/ 70
  • 71. 22 Move WP-Config location • WHY? Take wp-config.php out of a publicly accessible location. • HOW? Move it one level up, outside of your public_html folder: 71
  • 72. 23 Folder permissions • WHY? Can be a security hole if permissions are not strong enough. • HOW?  Use your FTP software’s CHMOD feature. 72
  • 73. 23 Folder permissions  All folders should have a CHMOD of 755.  All "wp-" PHP files = 644.  wp-config.php = 640.  htaccess files = 644.  robot.txt = 755.  sitemap.xml = 666. 73
  • 74. Don’t forget the basics: • Keep WordPress and your plugins updated. • Have a secure password. • Get decent quality hosting.
  • 75. www.primaryimage.com Twitter: @primaryimage Also find us on Facebook, Google+ & LinkedIn