Abstract image of a woman sitting on books and studying on a laptop

WordPress Security 101

Download as PPTX, PDF
Shady A. Sharaf, profile picture
Shady A. Sharaf

WordPress Security 101 outlines key steps for securing a WordPress site. It discusses preventing hacks through measures like enforcing HTTPS, strong passwords, 2FA, input sanitization and updating software. Detection methods include integrity checks of files, audit logs and uptime monitoring. If hacked, one should backup data, scan for infections, restore from backups, reset access credentials, and investigate logs to understand the breach. Advance preparation includes regular backups and following best practices for prevention.

Software
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
WordPress Security 101 By Shady Sharaf Senior Engineer at Human Made Global, a WordPress VIP Partner. WordPress Core Contributor, and Arabic Polyglot team member. @shadyvb - linkedin.com/in/shadyvb - github.com/shadyvb
Agenda - What are the pillars of InfoSec systems - What are the concerns of site security ? - How can my site be hacked ? - How can I secure my site ? - How to know when my site is hacked ? - What to do when my site is hacked ? - What to do before my site is hacked ?
Information Security ( InfoSec ) pillars Infosec programs are built around the following core objectives: maintaining the confidentiality, integrity and availability of IT systems and business data. These objectives ensure that sensitive information is only disclosed to authorized parties (confidentiality), prevent unauthorized modification of data (integrity) and guarantee the data can be accessed by authorized parties when requested (availability).
Site security revolves around four mains stages: - Prevention - Detection - Auditing - Recovery Information Security ( InfoSec ) preps
a. Prevention
How can my site be hacked ? - Leaked credentials, Brute-forcing - XSS / Cross Site Scripting, Phishing attacks - Security vulnerabilities in code - In 3rd party code - or yours! - Security vulnerabilities in servers
How can I secure my site against .. Leaked access and Brute-force - Enforce HTTPS. ( It’s free now, you know! ) - Enforce strong passwords - Use 2FA ( you should use it everywhere, ie Facebook, Google, etc.. ) - Use (re)captcha for login - Change the default admin user - Limit login attempts
How can I secure my site against .. XSS, and Phishing attacks - Use Akismet to prevent spam comments - Properly sanitize ALL user input EVERYWHERE from EVERYONE - Properly escape ALL user-generated output, in case the above didn’t work
How can I secure my site against .. Security vulnerabilities /Code - Update WordPress! - Minimize amount of plugins you use - Update those plugins! - Subscribe to WP Security mailing lists - WPScan @ https://wpvulndb.com/ - WordFence @ https://www.wordfence.com/ - Scan your site using WPScan / Sucuri Security - Install a security plugin - WordFence - Sucuri Security - iThemes Security - Check plugins reviews, and their Tide score (soon) - UPDATE ALL THE THINGS!
How can I secure my site against .. Security vulnerabilities /Code - Learn about WordPress Coding Standards - Integrate PHP CodeSniffer ( and WPCS ) it in your code editor - Write proper unit-tests - Use version control, Git - Use pre-commit scripts / Continuous Integration to notify you of WPCS violations and to run unit-tests automatically on each commit - Hack yourself first! Develop with the mindset of a hacker. - … - UPDATE ALL THE THINGS! - And yeah, salt up your config!
How can I secure my site against .. Security vulnerabilities /Server - Disable filesystem changes by WordPress - Stay away from shared servers! - Use WordPress managed hosting, or setup your own VPS - Hack yourself first! Scan your server using online tools. - Use SSH / SCP in place of FTP. - Disable SSH root login, create a user with minimum control for frequent tasks. - Disable password login, use private keys instead. - .. - UPDATE ALL THE THINGS!
b/c. Detection and Auditing
How do I know when my site is hacked ? - Integrity checks - Audit Logs - Uptime monitoring - User feedback
Integrity checks - Use security plugins to perform periodic integrity checks for file modifications - iThemes Security - Sucuri Security - … - They email you once they detect any of the site files have changed unexpectedtly.
Audit Logs - Use auditing plugins to store and keep track of actions around your site - Stream - Audit Trail - … - They keep track of different actions, like: - Content updates ( posts, terms, etc ) - User login, creation, deletion - Some has the ability to notify via email when specific action happens.
Uptime monitoring - Use online services to notify you when your site is down - Check if your host has a way to notify you when your site/server is down
User feedback - Users are your friends, keep a feedback channel open to report any unexpected behavior. - Register your site in Google Webmasters to receive critical updates on the state of your site and possible important updates that you need to do. - Ask Google if your site is hacked http://www.google.com/safebrowsing/diagnostic?site=your domain name
d. Recovery
What do I do when my site is hacked ?
What do I do when my site is hacked ? - BACKUP all files and databases, or snapshot your server. For later auditing. - Scan your site using online services, while it is still infected - Restore files and database from the nearest backup, or your last server snapshot - Review any plugins you recently installed, disable those you don’t require - Reset all access, SSH, cPanel, FTP, MySQL, WordPress Users, etc. - Monitor your audit logger for any suspicious behavior - Once that’s all done. Start digging what happened, by getting another isolated instance of your site/server up, and digging up the audit logs from WordPress, access/error logs of PHP and NginX/Apache/etc, and comparing files to the nearest backup you have. Or just hire a security consultant to do that for you!
What to do before my site is hacked ? - BACKUP everything - BACKUP periodically - BACKUP automatically - .. refer to Prevention
Further reading - Hardening WordPress https://codex.wordpress.org/Hardening_WordPress - WordPress Security whitepaper from Sucuri https://sucuri.net/guides/wordpress-security - WordPress: What to do when my site is hacked https://codex.wordpress.org/FAQ_My_site_was_hacked
Questions ?

More Related Content

PPTX
Locking down word press
Zachary Russell
 
PPTX
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
PDF
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
PDF
8 Ways to Hack a WordPress website
SiteGround.com
 
PDF
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
PDF
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
PDF
WordPress Security 2018
Adrian Mikeliunas
 
PDF
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Vlad Lasky
 
Locking down word press
Zachary Russell
 
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
8 Ways to Hack a WordPress website
SiteGround.com
 
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
 
WordPress Security 2018
Adrian Mikeliunas
 
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Vlad Lasky
 

What's hot (20)

PPT
Tips to improve word press security ppt
Cheap SSL Coupon Code
 
PPTX
Website security
Akhilesh Kant
 
PDF
WordPress Security
Christina Hawkins
 
PPT
Technology 101
DJ Chuang
 
PDF
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
PDF
WordPress Security Presentation
Andrew Paton
 
PDF
WordPress Security WordCamp OC 2013
Brad Williams
 
PPT
WordPress Security
Brad Williams
 
PPT
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
PPTX
WordPress security for everyone
Vladimír Smitka
 
PDF
Introduction to WordPress Security
Shawn Hooper
 
PPTX
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
PPTX
Building Secure WordPress Sites
Catch Themes
 
PPTX
Locking Down Your WordPress Site
Frank Corso
 
PDF
Secrets to a Hack-Proof Joomla Revealed
SiteGround.com
 
PDF
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
KEY
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
PDF
WordPress Security
Jennifer Riehle McFarland
 
PPTX
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri
 
PDF
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
Tips to improve word press security ppt
Cheap SSL Coupon Code
 
Website security
Akhilesh Kant
 
WordPress Security
Christina Hawkins
 
Technology 101
DJ Chuang
 
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
WordPress Security Presentation
Andrew Paton
 
WordPress Security WordCamp OC 2013
Brad Williams
 
WordPress Security
Brad Williams
 
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
WordPress security for everyone
Vladimír Smitka
 
Introduction to WordPress Security
Shawn Hooper
 
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
Building Secure WordPress Sites
Catch Themes
 
Locking Down Your WordPress Site
Frank Corso
 
Secrets to a Hack-Proof Joomla Revealed
SiteGround.com
 
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
WordPress Security
Jennifer Riehle McFarland
 
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
Ad

Similar to WordPress Security 101 (20)

PDF
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
PPTX
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
PPTX
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Vasile
 
PPTX
Security Function
Samuel Soon
 
PDF
Your WordPress Site is and is not Hacked - You don't know until you check
Angela Bowman
 
PDF
Your WordPress Website Is/Not Hacked
Angela Bowman
 
PPT
Securing Your WordPress Website by Vlad Lasky
wordcampgc
 
PDF
4 andrii kudiurov - web application security 101
Ievgenii Katsan
 
PDF
OWASP Thailand 2016 - Joomla Security
Akarawuth Tamrareang
 
PPT
Joomla Security
Ruth Cheesley
 
PPT
Joomla Security
ViryaTechnologies
 
PDF
Security Presentation for Boulder WordPress Meetup
Angela Bowman
 
PPT
Phpnw security-20111009
Paul Lemon
 
PDF
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
PPTX
WordPress End-User Security
Dre Armeda
 
PPTX
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm
 
ODP
LAMP security practices
Amit Kejriwal
 
PPT
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
PPT
Security Testing for Mobile and Web Apps
DrKaramHatim
 
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Vasile
 
Security Function
Samuel Soon
 
Your WordPress Site is and is not Hacked - You don't know until you check
Angela Bowman
 
Your WordPress Website Is/Not Hacked
Angela Bowman
 
Securing Your WordPress Website by Vlad Lasky
wordcampgc
 
4 andrii kudiurov - web application security 101
Ievgenii Katsan
 
OWASP Thailand 2016 - Joomla Security
Akarawuth Tamrareang
 
Joomla Security
Ruth Cheesley
 
Joomla Security
ViryaTechnologies
 
Security Presentation for Boulder WordPress Meetup
Angela Bowman
 
Phpnw security-20111009
Paul Lemon
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
WordPress End-User Security
Dre Armeda
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm
 
LAMP security practices
Amit Kejriwal
 
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Security Testing for Mobile and Web Apps
DrKaramHatim
 
Ad

Recently uploaded (20)

PDF
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
PDF
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
hashmi66g66
 
PPTX
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
PDF
BoxLang Dynamic AWS Lambda - Japan Edition
Ortus Solutions, Corp
 
PDF
The Dynamic Duo Transforming Financial Accounting Systems Through Modern Expe...
Triforce Global
 
PPTX
Airline CRS | Airline CRS Systems | CRS System
yugababu033
 
PDF
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
PDF
E-Commerce Website Development Companyin india
Digital India
 
PDF
Guide to Food Delivery App Development.pdf
Lilac infotech
 
PDF
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PDF
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
PDF
Workplace Software and Skills - OpenStax
tranviettoan19672001
 
PDF
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
PPTX
Python is a high-level, interpreted programming language
kesavansa2002
 
PDF
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
PPTX
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
PDF
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
PDF
novaPDF Pro 11.9.482 Crack + License Key [Latest 2025]
viktamscs
 
PDF
CCleaner 6.39.11548 Crack 2025 License Key
viktamscs
 
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
hashmi66g66
 
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
BoxLang Dynamic AWS Lambda - Japan Edition
Ortus Solutions, Corp
 
The Dynamic Duo Transforming Financial Accounting Systems Through Modern Expe...
Triforce Global
 
Airline CRS | Airline CRS Systems | CRS System
yugababu033
 
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
E-Commerce Website Development Companyin india
Digital India
 
Guide to Food Delivery App Development.pdf
Lilac infotech
 
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
Workplace Software and Skills - OpenStax
tranviettoan19672001
 
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
Python is a high-level, interpreted programming language
kesavansa2002
 
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
novaPDF Pro 11.9.482 Crack + License Key [Latest 2025]
viktamscs
 
CCleaner 6.39.11548 Crack 2025 License Key
viktamscs
 

WordPress Security 101

  • 1. WordPress Security 101 By Shady Sharaf Senior Engineer at Human Made Global, a WordPress VIP Partner. WordPress Core Contributor, and Arabic Polyglot team member. @shadyvb - linkedin.com/in/shadyvb - github.com/shadyvb
  • 2. Agenda - What are the pillars of InfoSec systems - What are the concerns of site security ? - How can my site be hacked ? - How can I secure my site ? - How to know when my site is hacked ? - What to do when my site is hacked ? - What to do before my site is hacked ?
  • 3. Information Security ( InfoSec ) pillars Infosec programs are built around the following core objectives: maintaining the confidentiality, integrity and availability of IT systems and business data. These objectives ensure that sensitive information is only disclosed to authorized parties (confidentiality), prevent unauthorized modification of data (integrity) and guarantee the data can be accessed by authorized parties when requested (availability).
  • 4. Site security revolves around four mains stages: - Prevention - Detection - Auditing - Recovery Information Security ( InfoSec ) preps
  • 6. How can my site be hacked ? - Leaked credentials, Brute-forcing - XSS / Cross Site Scripting, Phishing attacks - Security vulnerabilities in code - In 3rd party code - or yours! - Security vulnerabilities in servers
  • 7. How can I secure my site against .. Leaked access and Brute-force - Enforce HTTPS. ( It’s free now, you know! ) - Enforce strong passwords - Use 2FA ( you should use it everywhere, ie Facebook, Google, etc.. ) - Use (re)captcha for login - Change the default admin user - Limit login attempts
  • 8. How can I secure my site against .. XSS, and Phishing attacks - Use Akismet to prevent spam comments - Properly sanitize ALL user input EVERYWHERE from EVERYONE - Properly escape ALL user-generated output, in case the above didn’t work
  • 9. How can I secure my site against .. Security vulnerabilities /Code - Update WordPress! - Minimize amount of plugins you use - Update those plugins! - Subscribe to WP Security mailing lists - WPScan @ https://wpvulndb.com/ - WordFence @ https://www.wordfence.com/ - Scan your site using WPScan / Sucuri Security - Install a security plugin - WordFence - Sucuri Security - iThemes Security - Check plugins reviews, and their Tide score (soon) - UPDATE ALL THE THINGS!
  • 10. How can I secure my site against .. Security vulnerabilities /Code - Learn about WordPress Coding Standards - Integrate PHP CodeSniffer ( and WPCS ) it in your code editor - Write proper unit-tests - Use version control, Git - Use pre-commit scripts / Continuous Integration to notify you of WPCS violations and to run unit-tests automatically on each commit - Hack yourself first! Develop with the mindset of a hacker. - … - UPDATE ALL THE THINGS! - And yeah, salt up your config!
  • 11. How can I secure my site against .. Security vulnerabilities /Server - Disable filesystem changes by WordPress - Stay away from shared servers! - Use WordPress managed hosting, or setup your own VPS - Hack yourself first! Scan your server using online tools. - Use SSH / SCP in place of FTP. - Disable SSH root login, create a user with minimum control for frequent tasks. - Disable password login, use private keys instead. - .. - UPDATE ALL THE THINGS!
  • 12. b/c. Detection and Auditing
  • 13. How do I know when my site is hacked ? - Integrity checks - Audit Logs - Uptime monitoring - User feedback
  • 14. Integrity checks - Use security plugins to perform periodic integrity checks for file modifications - iThemes Security - Sucuri Security - … - They email you once they detect any of the site files have changed unexpectedtly.
  • 15. Audit Logs - Use auditing plugins to store and keep track of actions around your site - Stream - Audit Trail - … - They keep track of different actions, like: - Content updates ( posts, terms, etc ) - User login, creation, deletion - Some has the ability to notify via email when specific action happens.
  • 16. Uptime monitoring - Use online services to notify you when your site is down - Check if your host has a way to notify you when your site/server is down
  • 17. User feedback - Users are your friends, keep a feedback channel open to report any unexpected behavior. - Register your site in Google Webmasters to receive critical updates on the state of your site and possible important updates that you need to do. - Ask Google if your site is hacked http://www.google.com/safebrowsing/diagnostic?site=your domain name
  • 19. What do I do when my site is hacked ?
  • 20. What do I do when my site is hacked ? - BACKUP all files and databases, or snapshot your server. For later auditing. - Scan your site using online services, while it is still infected - Restore files and database from the nearest backup, or your last server snapshot - Review any plugins you recently installed, disable those you don’t require - Reset all access, SSH, cPanel, FTP, MySQL, WordPress Users, etc. - Monitor your audit logger for any suspicious behavior - Once that’s all done. Start digging what happened, by getting another isolated instance of your site/server up, and digging up the audit logs from WordPress, access/error logs of PHP and NginX/Apache/etc, and comparing files to the nearest backup you have. Or just hire a security consultant to do that for you!
  • 21. What to do before my site is hacked ? - BACKUP everything - BACKUP periodically - BACKUP automatically - .. refer to Prevention
  • 22. Further reading - Hardening WordPress https://codex.wordpress.org/Hardening_WordPress - WordPress Security whitepaper from Sucuri https://sucuri.net/guides/wordpress-security - WordPress: What to do when my site is hacked https://codex.wordpress.org/FAQ_My_site_was_hacked