SlideShare a Scribd company logo

Securing your WordPress powered Website

P
Pratik Jagdishwala

This document discusses securing a WordPress website. It notes that over a quarter of the internet runs on WordPress but that plugins and themes can contain vulnerabilities. According to reports, over half of known WordPress vulnerabilities are in plugins and over a third are in the core platform. The document recommends various steps to secure a WordPress site such as keeping software updated, changing default credentials, limiting login attempts, using SSL, installing security plugins, and backing up the site regularly. Prevention through security best practices is emphasized over trying to cure issues after a site has been compromised.

Internet
1 of 12
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
Securing your WordPress powered Website Pratik Jagdishwala
About Me Sr. Product Manager, Endurance APAC
Popularity ● 26% of Internet is powered by WordPress ● Great Community & Commercial support ● Freely available Themes, Plugins and Scripts
Issues ● Not possible to control all content available online ● Poorly written plugins, themes and scripts ● Usage of poorly managed repositories for addons ● Usage of cracked plugins, themes and scripts ● Un-optimized/Un-secure ● Bad practices ● Lack of long term maintenance strategy
Some numbers According to a recent report by wpscan.org, out of 3792 known WordPress security vulnerabilities ● 52% are from WordPress plugins ● 37% are from core WordPress ● 11% are from WordPress themes As per codex.wordpress.org ● 41% were hacked due to a security vulnerability on their hosting platform ● 29% were hacked via a security issue in WordPress theme being used ● 22% were hacked via a security issue in WordPress plugin being used ● 8% were hacked because of weak password
Repercussions ● Loss of traffic and SEO ● Warning in browser ● Host disabling of website ● Loss of reputation/trust ● Website flagged as distributing malware ● Readers complaining their AV’s flagging website ● Visible content changed without knowledge/authorization ● Iframes/pop-ups on opening of web site ● Monetary/Non-Monetary loss
How to Avoid? Prevention is better than cure! ● Keep WordPress, Themes, Plugins updated ● Move wp-config.php out of DocRoot ● Hide WordPress version number ● Disable PHP Error Reporting ● Change the Default Secret Keys ● Delete unused/unmaintained Themes/Plugins
How to Avoid? Prevention is better than cure! ● Disable directory listing ● Do not use default user, change admin username ● Use a secure password ● Consider Dual factor auth ● Limit login attempts ● Force SSL usage ● Move WP Login URL ● Protect wp-admin directory ● Disable XML-RPC is not needed
How to Avoid? Prevention is better than cure! ● Use strong MySQL password ● Change default WP DB Table Prefix ● Connect using secure methods (SFTP, SSH) ● Disable 777 perms ● Limited perms to 644 max ● Monitor for Malware
How to Avoid? Prevention is better than cure! ● Install a good security plugin ○ Jetpack (VaultPress) ○ WordFence ○ All in one WP Security ○ SiteLock ● Use CDN’s with WAFs
How to Avoid? Prevention is better than cure! ● Backup your WordPress Site regularly ● Use third party backup solutions and backup websites to Remote Locations
Questions? pratik.j@endurance.com https://twitter.com/pjagdishwala

More Related Content

PDF
Secure wordpress
Prabesh Thapa
 
PDF
The Slow Death of Passwords
ForgeRock Identity Tech Talks
 
PDF
Why WordPress Works
bekee
 
PPTX
IS/DPP for staff #5b - Passwords
Tommy Vandepitte
 
PPS
Flash Security
Ferruh Mavituna
 
PDF
Community Code: Macadamian
Sencha
 
PDF
Identifying a Compromised WordPress Site
Chris Burgess
 
PDF
WordPress Security 101: Practical Techniques & Best Practices
Jonathan Hall
 
Secure wordpress
Prabesh Thapa
 
The Slow Death of Passwords
ForgeRock Identity Tech Talks
 
Why WordPress Works
bekee
 
IS/DPP for staff #5b - Passwords
Tommy Vandepitte
 
Flash Security
Ferruh Mavituna
 
Community Code: Macadamian
Sencha
 
Identifying a Compromised WordPress Site
Chris Burgess
 
WordPress Security 101: Practical Techniques & Best Practices
Jonathan Hall
 

Similar to Securing your WordPress powered Website (20)

PPTX
Understanding word press security wwc-4-7-17
Nicholas Batik
 
PDF
Head Slapping WordPress Security
Chris Burgess
 
PDF
WordPress Security 101
Manifest Creative
 
PPTX
WordPress Security and Best Practices
Robert Vidal
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
PPTX
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
PPTX
Professional WordPress Security: Beyond Security Plugins
Chris Burgess
 
PDF
Staying Connected: Securing Your WordPress Website
Raymund Mitchell
 
PDF
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
PDF
Word camp2011 introwordpresssecurity
David Wilemski
 
PDF
WordPress security 101 - WP Turku Meetup 2.2.2017
Otto Kekäläinen
 
PPT
Secure All The Things!
Dougal Campbell
 
PDF
WordPress Security Essentials
Angela Bowman
 
PDF
Security Presentation for Boulder WordPress Meetup
Angela Bowman
 
PPTX
How secure is WordPress ?
Er. Narayan Koirala
 
PDF
Seravo.com: WordPress Security 101
Seravo
 
PDF
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
PDF
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
PPTX
WordPress Security - What to do, What NOT to do
WordPress Trivandrum
 
PPTX
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
Understanding word press security wwc-4-7-17
Nicholas Batik
 
Head Slapping WordPress Security
Chris Burgess
 
WordPress Security 101
Manifest Creative
 
WordPress Security and Best Practices
Robert Vidal
 
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
Professional WordPress Security: Beyond Security Plugins
Chris Burgess
 
Staying Connected: Securing Your WordPress Website
Raymund Mitchell
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
Word camp2011 introwordpresssecurity
David Wilemski
 
WordPress security 101 - WP Turku Meetup 2.2.2017
Otto Kekäläinen
 
Secure All The Things!
Dougal Campbell
 
WordPress Security Essentials
Angela Bowman
 
Security Presentation for Boulder WordPress Meetup
Angela Bowman
 
How secure is WordPress ?
Er. Narayan Koirala
 
Seravo.com: WordPress Security 101
Seravo
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
WordPress Security - What to do, What NOT to do
WordPress Trivandrum
 
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
Ad

Recently uploaded (20)

PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
Funds Management Learning Material for Beg
NKKumar16
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
Internet___Basics___Styled_ presentation
poonam62133
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
Ad

Securing your WordPress powered Website

  • 1. Securing your WordPress powered Website Pratik Jagdishwala
  • 2. About Me Sr. Product Manager, Endurance APAC
  • 3. Popularity ● 26% of Internet is powered by WordPress ● Great Community & Commercial support ● Freely available Themes, Plugins and Scripts
  • 4. Issues ● Not possible to control all content available online ● Poorly written plugins, themes and scripts ● Usage of poorly managed repositories for addons ● Usage of cracked plugins, themes and scripts ● Un-optimized/Un-secure ● Bad practices ● Lack of long term maintenance strategy
  • 5. Some numbers According to a recent report by wpscan.org, out of 3792 known WordPress security vulnerabilities ● 52% are from WordPress plugins ● 37% are from core WordPress ● 11% are from WordPress themes As per codex.wordpress.org ● 41% were hacked due to a security vulnerability on their hosting platform ● 29% were hacked via a security issue in WordPress theme being used ● 22% were hacked via a security issue in WordPress plugin being used ● 8% were hacked because of weak password
  • 6. Repercussions ● Loss of traffic and SEO ● Warning in browser ● Host disabling of website ● Loss of reputation/trust ● Website flagged as distributing malware ● Readers complaining their AV’s flagging website ● Visible content changed without knowledge/authorization ● Iframes/pop-ups on opening of web site ● Monetary/Non-Monetary loss
  • 7. How to Avoid? Prevention is better than cure! ● Keep WordPress, Themes, Plugins updated ● Move wp-config.php out of DocRoot ● Hide WordPress version number ● Disable PHP Error Reporting ● Change the Default Secret Keys ● Delete unused/unmaintained Themes/Plugins
  • 8. How to Avoid? Prevention is better than cure! ● Disable directory listing ● Do not use default user, change admin username ● Use a secure password ● Consider Dual factor auth ● Limit login attempts ● Force SSL usage ● Move WP Login URL ● Protect wp-admin directory ● Disable XML-RPC is not needed
  • 9. How to Avoid? Prevention is better than cure! ● Use strong MySQL password ● Change default WP DB Table Prefix ● Connect using secure methods (SFTP, SSH) ● Disable 777 perms ● Limited perms to 644 max ● Monitor for Malware
  • 10. How to Avoid? Prevention is better than cure! ● Install a good security plugin ○ Jetpack (VaultPress) ○ WordFence ○ All in one WP Security ○ SiteLock ● Use CDN’s with WAFs
  • 11. How to Avoid? Prevention is better than cure! ● Backup your WordPress Site regularly ● Use third party backup solutions and backup websites to Remote Locations