SlideShare a Scribd company logo

Securing WordPress by Jeff Hoffman

Jeff Hoffman, profile picture
Jeff Hoffman

The document provides various strategies for securing a WordPress site against hacking, detailing the importance of server security, strong passwords, and proper file permissions. It advises on specific configurations, regular updates, and the use of security plugins, while emphasizing the necessity for backups and cleanup post-installation. Additional tips include altering default settings and monitoring for vulnerabilities to reduce risk.

TechnologyBusiness
1 of 22
Downloaded 34 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
SECURING WORDPRESS Presented by Jeff K. Hoffman VP of R&D, MyLeadSystemPRO http://facebook.com/jeff.k.hoffman
WHY DO HACKERS HACK? • Easy SEO • Malware Distribution • Entertainment & Peer Recognition
HOW DO HACKERS HACK? • Bots - like the Google Bot, but Evil. • Widely available, frequently updated. • Viral spread
BEFORE YOU BEGIN • Backup your site! • Implement one tip and test, then another and test, etc. • If it’s over your head, just skip it (or, hire help.)
SECURE YOUR SERVER • Your blog is only as secure as your Web Host. • Ifa hacker gets into your hosting account (via FTP, SSH, etc.), they win before they even worry about hacking WordPress. • Use strong passwords. (StrongPasswordGenerator.com) • Ask your Web Host how to best secure your account.
PERMISSIONS • In general... • Files should be 644. • Folders should be 755. • /wp-content/uploads/ should be 775. • /wp-content/themes/ should be 775 for Theme Editor.
PERMISSIONS find /path/to/wordpress/ -type f -exec chmod 644 {} ; find /path/to/wordpress/ -type d -exec chmod 755 {} ; chmod -R 775 /path/to/wordpress/wp-content/uploads chmod -R 775 /path/to/wordpress/wp-content/themes
PERMISSIONS
DEFY CONVENTION • Change admin username • Never post as admin! • Move wp-config.php • Change database table prefix** • In wp-config.php • In your database
USE SECRET KEYS Edit wp-config.php... /**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again. * * @since 2.6.0 */ define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
CLEAN UP • After WordPress is installed, delete /wp-admin/install.php • Delete unused/inactive plugins & themes
UPDATE OFTEN • Always use the latest version of... • WordPress • Theme • Plugins
MAKE DAILY BACKUPS • BuyBackupBuddy.com ($75/year) • VaultPress.com ($180/year) • NOTE: Backups of a hacked site are ONLY useful for forensics!
STRONG PASSWORD • StrongPasswordGenerator.com • 1Password
AVOID DETECTION • Remove WordPress Footprints • Don’t use the Meta sidebar widget • http://wordpress.org/extend/plugins/secure-wordpress/
MINIMIZE PLUGINS • Every plugin you install increases risk • Popular, widely used plugins are less risky • Example: TimThumb
SECURE /WP-ADMIN* • http://www.cpanel.net/media/tutorials/passwdprotect.htm • Add to .htaccess... <FilesMatch ".(css|js|jpg|jpeg|gif|png)$"> Order Allow,Deny Allow from All Satisfy Any </FilesMatch> <Files admin-ajax.php> Order Allow,Deny Allow from All Satisfy Any </Files>
SECURE /WP-ADMIN • SSL • http://codex.wordpress.org/Administration_Over_SSL
SECURE /WP-INCLUDES* • Add this to .htaccess... # Block the include-only files. RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]
BLOCK ATTACKS • WordPress Firewall 2 • Login Lockdown
MONITORING • Google Webmaster Tools • WordPress File Monitor
Q&A • http://mlspfanclub.com

More Related Content

PPTX
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
PPT
WordPress Security
Brad Williams
 
PPT
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
PPTX
WordPress End-User Security
Dre Armeda
 
PDF
WordPress Security WordCamp OC 2013
Brad Williams
 
PPT
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
PDF
Lockdown WordPress
Dre Armeda
 
PPT
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
WordPress Security
Brad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
WordPress End-User Security
Dre Armeda
 
WordPress Security WordCamp OC 2013
Brad Williams
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
Lockdown WordPress
Dre Armeda
 
WordPress Security - WordCamp NYC 2009
Brad Williams
 

What's hot (20)

PDF
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
PPTX
Protect Your WordPress From The Inside Out
SiteGround.com
 
PPTX
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
PDF
Top Ten WordPress Security Tips for 2012
Brad Williams
 
PPT
Now That's What I Call WordPress Security 2010
Brad Williams
 
PPT
WordPress Security - WordCamp Boston 2010
Brad Williams
 
PDF
Google Hacking Basics
amiable_indian
 
PPTX
Website security
Akhilesh Kant
 
PPT
Secure All The Things!
Dougal Campbell
 
KEY
Higher Order WordPress Security
Dougal Campbell
 
PDF
Introduction to WordPress Security
Shawn Hooper
 
PDF
WordPress Security Presentation
Andrew Paton
 
PPTX
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
PDF
WordPress Security Best Practices 2019 Update
Zero Point Development
 
PDF
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
PDF
8 Ways to Hack a WordPress website
SiteGround.com
 
PPTX
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
PPT
Wordpress Security Tips
Lalit Nama
 
PDF
Joomla! on Heroku
Yireo
 
PDF
Joomla! security
Yireo
 
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
Top Ten WordPress Security Tips for 2012
Brad Williams
 
Now That's What I Call WordPress Security 2010
Brad Williams
 
WordPress Security - WordCamp Boston 2010
Brad Williams
 
Google Hacking Basics
amiable_indian
 
Website security
Akhilesh Kant
 
Secure All The Things!
Dougal Campbell
 
Higher Order WordPress Security
Dougal Campbell
 
Introduction to WordPress Security
Shawn Hooper
 
WordPress Security Presentation
Andrew Paton
 
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
WordPress Security Best Practices 2019 Update
Zero Point Development
 
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
8 Ways to Hack a WordPress website
SiteGround.com
 
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
Wordpress Security Tips
Lalit Nama
 
Joomla! on Heroku
Yireo
 
Joomla! security
Yireo
 
Ad

Viewers also liked (20)

PPT
How2 Start Ocw
Terri Bays
 
KEY
Internet Marketing: Conversation marketing
Ian Lurie
 
PPT
Collaborating in the Clouds: selecting tools
Bobbi Newman
 
PPTX
2013 Enterprise Strategy Outlook
Miha Kralj
 
PPT
Final Mobile Youth Net Project
Rede Jovem
 
PDF
Community keynote
Sidu Ponnappa
 
PPT
MiT6 - Anne Kustritz
Julie Levin Russo
 
PPT
5 Things
Con Morris
 
PDF
The Universe Problem: Poll results, Facebook and the 2012 Presidential campaign
Ian Lurie
 
PPTX
Presentation to SA National Treasury on National Broadband Funding
Brian Pinnock
 
PDF
This is all such bullshit
Jason Falls
 
PDF
Jeremy Vickers Liquidity Hub
deimos
 
PPS
Pod Barcelona Paris
Alexandru S
 
PPTX
Improving audience engagement in your ILTA 2011 conference sessions
Peter Buck
 
PPTX
How metrics shape decisions f2psummit
Pascal Zuta
 
PDF
Introducing the Open Container Project
Andrew Kennedy
 
PPTX
Zookeeper's guide to architecture frameworks
Miha Kralj
 
KEY
I can haz HTTP - Consuming and producing HTTP APIs in the Ruby ecosystem
Sidu Ponnappa
 
PPT
Debate a la OAE y a Empresas Públicas de Neiva
Carlos Mauricio Iriarte
 
PDF
Simulating Production with Clocker
Andrew Kennedy
 
How2 Start Ocw
Terri Bays
 
Internet Marketing: Conversation marketing
Ian Lurie
 
Collaborating in the Clouds: selecting tools
Bobbi Newman
 
2013 Enterprise Strategy Outlook
Miha Kralj
 
Final Mobile Youth Net Project
Rede Jovem
 
Community keynote
Sidu Ponnappa
 
MiT6 - Anne Kustritz
Julie Levin Russo
 
5 Things
Con Morris
 
The Universe Problem: Poll results, Facebook and the 2012 Presidential campaign
Ian Lurie
 
Presentation to SA National Treasury on National Broadband Funding
Brian Pinnock
 
This is all such bullshit
Jason Falls
 
Jeremy Vickers Liquidity Hub
deimos
 
Pod Barcelona Paris
Alexandru S
 
Improving audience engagement in your ILTA 2011 conference sessions
Peter Buck
 
How metrics shape decisions f2psummit
Pascal Zuta
 
Introducing the Open Container Project
Andrew Kennedy
 
Zookeeper's guide to architecture frameworks
Miha Kralj
 
I can haz HTTP - Consuming and producing HTTP APIs in the Ruby ecosystem
Sidu Ponnappa
 
Debate a la OAE y a Empresas Públicas de Neiva
Carlos Mauricio Iriarte
 
Simulating Production with Clocker
Andrew Kennedy
 
Ad

Similar to Securing WordPress by Jeff Hoffman (20)

PPTX
Wordpress Security & Hardening Steps
Plasterdog Web Design
 
PPTX
WordPress Security Fundamentals - WordCamp Biratnagar 2018
Abul Khayer
 
PPTX
WordPress security
Shelley Magnezi
 
PPSX
WordPress Security by Nirjhor Anjum
Abul Khayer
 
PPT
WordCamp Philly WordPress End-User Security
Dre Armeda
 
PDF
WordPress Security 101
Manifest Creative
 
PPTX
WordPress Plugins and Security
Think Media Inc.
 
PDF
WordPress Security - 12 WordPress Security Fundamentals
findingsimple
 
PDF
Hardening WordPress - Friends of Search 2014 (WordPress Security)
Bastian Grimm
 
PPTX
WordPress Security Best Practices
Zero Point Development
 
PPT
Securing Word Press Blog
Chetan Gole
 
PDF
Word press beirut 9th meetup march
Fadi Nicolas Zahhar
 
PDF
WordPress Security
Christina Hawkins
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
PDF
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
PPTX
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
PPTX
WordPress Security Best Practices
Zero Point Development
 
ODP
WordPress Security & Backup
Randy Barnes
 
PDF
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
Brecht Ryckaert
 
PPTX
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
Bastian Grimm
 
Wordpress Security & Hardening Steps
Plasterdog Web Design
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
Abul Khayer
 
WordPress security
Shelley Magnezi
 
WordPress Security by Nirjhor Anjum
Abul Khayer
 
WordCamp Philly WordPress End-User Security
Dre Armeda
 
WordPress Security 101
Manifest Creative
 
WordPress Plugins and Security
Think Media Inc.
 
WordPress Security - 12 WordPress Security Fundamentals
findingsimple
 
Hardening WordPress - Friends of Search 2014 (WordPress Security)
Bastian Grimm
 
WordPress Security Best Practices
Zero Point Development
 
Securing Word Press Blog
Chetan Gole
 
Word press beirut 9th meetup march
Fadi Nicolas Zahhar
 
WordPress Security
Christina Hawkins
 
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
WordPress Security Best Practices
Zero Point Development
 
WordPress Security & Backup
Randy Barnes
 
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
Brecht Ryckaert
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
Bastian Grimm
 

Recently uploaded (20)

PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Encapsulation theory and applications.pdf
gurumoop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Securing WordPress by Jeff Hoffman

  • 1. SECURING WORDPRESS Presented by Jeff K. Hoffman VP of R&D, MyLeadSystemPRO http://facebook.com/jeff.k.hoffman
  • 2. WHY DO HACKERS HACK? • Easy SEO • Malware Distribution • Entertainment & Peer Recognition
  • 3. HOW DO HACKERS HACK? • Bots - like the Google Bot, but Evil. • Widely available, frequently updated. • Viral spread
  • 4. BEFORE YOU BEGIN • Backup your site! • Implement one tip and test, then another and test, etc. • If it’s over your head, just skip it (or, hire help.)
  • 5. SECURE YOUR SERVER • Your blog is only as secure as your Web Host. • Ifa hacker gets into your hosting account (via FTP, SSH, etc.), they win before they even worry about hacking WordPress. • Use strong passwords. (StrongPasswordGenerator.com) • Ask your Web Host how to best secure your account.
  • 6. PERMISSIONS • In general... • Files should be 644. • Folders should be 755. • /wp-content/uploads/ should be 775. • /wp-content/themes/ should be 775 for Theme Editor.
  • 7. PERMISSIONS find /path/to/wordpress/ -type f -exec chmod 644 {} ; find /path/to/wordpress/ -type d -exec chmod 755 {} ; chmod -R 775 /path/to/wordpress/wp-content/uploads chmod -R 775 /path/to/wordpress/wp-content/themes
  • 9. DEFY CONVENTION • Change admin username • Never post as admin! • Move wp-config.php • Change database table prefix** • In wp-config.php • In your database
  • 10. USE SECRET KEYS Edit wp-config.php... /**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again. * * @since 2.6.0 */ define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
  • 11. CLEAN UP • After WordPress is installed, delete /wp-admin/install.php • Delete unused/inactive plugins & themes
  • 12. UPDATE OFTEN • Always use the latest version of... • WordPress • Theme • Plugins
  • 13. MAKE DAILY BACKUPS • BuyBackupBuddy.com ($75/year) • VaultPress.com ($180/year) • NOTE: Backups of a hacked site are ONLY useful for forensics!
  • 15. AVOID DETECTION • Remove WordPress Footprints • Don’t use the Meta sidebar widget • http://wordpress.org/extend/plugins/secure-wordpress/
  • 16. MINIMIZE PLUGINS • Every plugin you install increases risk • Popular, widely used plugins are less risky • Example: TimThumb
  • 17. SECURE /WP-ADMIN* • http://www.cpanel.net/media/tutorials/passwdprotect.htm • Add to .htaccess... <FilesMatch ".(css|js|jpg|jpeg|gif|png)$"> Order Allow,Deny Allow from All Satisfy Any </FilesMatch> <Files admin-ajax.php> Order Allow,Deny Allow from All Satisfy Any </Files>
  • 18. SECURE /WP-ADMIN • SSL • http://codex.wordpress.org/Administration_Over_SSL
  • 19. SECURE /WP-INCLUDES* • Add this to .htaccess... # Block the include-only files. RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]
  • 20. BLOCK ATTACKS • WordPress Firewall 2 • Login Lockdown
  • 21. MONITORING • Google Webmaster Tools • WordPress File Monitor

Editor's Notes