WordPress Security
2 likes539 views
WordPress Security Few Simple Steps Oct 16, 2010 Pune, India The document discusses basic steps for securing a WordPress website including changing the database prefix, securing directories and files, renaming the default 'admin' account, securing the wp-admin area, disabling the version info, disabling directory indexes, moving the WordPress installation location, hardening wp-admin with HTTP authentication, using SSL for logins, adding a salt key for cookies, regularly updating WordPress and changing passwords, monitoring logs, using security plugins, and being careful about content on blogs.
WordPress Security
- 1. WordPress Security Few Simple Steps @ Null Meet 16th Oct 2010 Pune Gaurav Pant http://www.gauravpant.com gauravggs@gmail.com
- 2. Agenda ● What is wordpress ● Installation ● Few basic steps for security ● Social aspects
- 3. WordPress ● weBlog Engine ● Written in PHP(mostly) ● Used for websites ● Approx 80% weblogs run on wordpress ● 20% on version 2.x ● 15% on version 3.x ● Ver 1.x: Jan 3 2004 -- Dec 2005 ● Ver 2.x: Dec 31 2005 – June 2009 ● Ver 3.x: June 17 2010 – and updating
- 4. WP installation ● Is Simple ● Need a web server with Apache, MySQL and PHP ● Download WP from wordpress.org ● Create/Request DB User and Pass ● Unpack to document root of server ● Edit/Create wp-config.php ● Go to webpage and follow instructions ● Demo
- 5. Basic Security Steps ● FIX you Table Prefix – Change Table prefix (this can be generally done during install) – edit your wp-config for prefix – regular table prefix is wp_table – vulnerable to standard SQL injections
- 6. Basic Security Steps... ● Securing the directories and files – wordpress root / perms: writable by user acc. – .htaccess writable by Wordpress if automatic update is requreid – other sub-dirs to be writable only by user acc – /wp-contents/ sub dirs perms will vary according to plugins and themes – Uploaded images dir ● need to be WP writable for automatic uploads ● DO MANUAL UPLOADS uncomfortable but safe
- 7. Basic Security Steps... ● Renaming 'admin' account: ● Run the query: – update TablePrefix_users set user_login='newusername' where user_login='admin' ● Do all this before you start posting ● Do not write posts as admin ● Create generic user to create/write/ posts/pages
- 8. Basic Security Steps... ● Securing the /wp-admin/ area ● Move you wordpress installation to different dir ● Standard loc: – www.site.com/wp-admin/ ● Move or install wordpress in subdir – www.site.com/mysecretinstall/wp-admin ● Users will still get your site from – www.site.com
- 9. Basic Security Steps... ● Version info can be dangerous ● Disable version info ● Also from ● code meta tags ● Edit functions.php add: – remove_action('wp_head', 'wp_generator');
- 10. Basic Security Steps... ● Disable dir index view ● Simple way: – just add a blank index.html to all directories (which do not have any index) ● Or add/modify .htaccess line – Option Indexes – TO – Option -Indexes
- 11. Basic Security Steps... ● Moving wordpress: ● Edit wordpress url from wordpress panel ● copy index.php and .htaccess to root or new location ● edit index.php and add following lines – require('./wp-blog-header.php'); – TO – require('./secretloc/wp-blog-header.php'); ● New login location will be – http://yoursite/secretloc/wp-admin/
- 12. Basic Security Steps... ● Hardening /wp-admin/ with .htaccess ● Create a .htaccess in wp-admin dir ● AuthUserFile /home/dexter/.htpasswd ● AuthName "Verify yourself" ● AuthType Basic ● require valid-user ● Create a .htpasswd – /home/dexter/.htpasswd – #htpasswd -b /home/dexter/.htpasswd dede dede123
- 13. Basic Security Steps... ● USE SSL for admin/logins ● can be added to wp-config.php ● define('FORCE_SSL_LOGIN',true) ● define('FORCE_SSL_ADMIN',true) ● Add Salt: to wp-config: for better cookie security ● define('AUTH_KEY', 'kie938rjmd903kdmr904'); ● define('SECURE_AUTH_KEY','9485ekdfmsk43 98'); ● define('LOGGED_IN_KEY', '9i7j6k[9md38'); ● define('NONCE_KEY', 'kdkflow932034');
- 14. Basic Security Steps. ● Very BASIC but important: ● Don't be lazy – – Update WP to latest version – Change Passwords REGULARY – Dont be a log Observer LOGS – USE Passcode not just a word – Backup DateBase regularly – Report Bugs – Use security Plugins like: ● lockdown, WP Security Scan, Captcha, Secure Wordpress etc.
- 15. BLOGS... ● If its on the blog its no more personal ● If you put it on blog have good enough material to defend it ● Do not use copy paste – check copy rights ● Acknowledge/Quote stuff used from other places ● Be original ● Be Safe