SlideShare a Scribd company logo

WordPress Security Best Practices 2019 Update

Zero Point Development, profile picture
Zero Point Development

The document provides a comprehensive guide on WordPress security best practices, emphasizing the importance of using complex usernames and passwords, regularly updating software, and implementing security measures like firewalls and two-factor authentication. It highlights the need for ongoing vigilance against evolving threats, the significance of understanding user roles, and the necessity of backing up data frequently. Additionally, the document warns against using outdated or unsecure themes and plugins while advising on methods to reinforce site security effectively.

Internet
Related topics:
Web Security Overview Information Security
1 of 74
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
zeropointdevelopment.com for WordPress Sydney WordPress Security Best Practices 2019 Update
• Use complex usernames & passwords • Check file permissions have minimum access • Update software often & regularly • Use security firewalls & scan regularly • Consider using 2-factor authentication • Stick to reputable theme providers • Uninstall unused code/themes/plugins • Lock all doors, windows & switch off Internet! @DeveloperWil #wpsyd TL;DR
• Chinese General • Military Strategist • Philosopher • Born ~512BC Book: The Art of War http://www.classicly.com/read-the-art-of-war-online-free/page/1 @DeveloperWil #wpsyd Introducing Sun Tzu
“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” Don’t wait until your site gets hacked first. Lock it down today and get ready to defend it! @DeveloperWil #wpsyd Sun Tzu Says…
“To know your Enemy, you must become your Enemy” Learn how hackers try to get into your site so you can pre-emptively fix it and be ready for what is to come. @DeveloperWil #wpsyd Sun Tzu Says…
“Even the finest sword plunged into salt water will eventually rust.” Just because your site is secure today, doesn’t mean it can’t get hacked tomorrow, next month or next year. Review & update regularly. @DeveloperWil #wpsyd Sun Tzu Says…
YOU ARE AT WAR WITH MULTIPLE UNKNOWN ENEMIES @DeveloperWil #wpsyd
There is always a current threat The worst type of threats are those you don’t know about You need to understand your weaknesses You need to build a solid defence You need to have a plan of attack @DeveloperWil #wpsyd SO BE PREPARED Security Is Cyclic
Locked in a deep dark basement No internet connection No user interaction Switched off! = Pretty useless website = There is a balance to be had @DeveloperWil #wpsyd Ultimate Secure Site
Everything is Hackable @DeveloperWil #wpsyd Best we can do is make our site less attractive than others to hack into. Would you attempt to break into this car? https://www.youtube.com/watch?v=aLhWzMOccTg Before We Start
The most vulnerable part of your website is… YOU Buy this book! @DeveloperWil #wpsyd Before We Start
Do not leave new WordPress sites in “setup mode”. Complete the entire setup process. Hackers can find WordPress setup pages and install their own site – aka “WPSetup Attack” Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/ @DeveloperWil #wpsyd New WP Installations Fundamentals
Beware when ordering a new SSL certificate for a brand new WordPress website. Hackers monitor SSL certificate transparency report +30mins after new certificate being issued. They can take over your new site before you complete the installation process. Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/ @DeveloperWil #wpsyd New Sites & SSLs Fundamentals
Not just WordPress cPanel, email, FTP, SSH, MySQL, WordPress Avoid typical “Administrator” usernames admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, … @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Don’t replace letters with numbers or symbols. Simple character substitution is weak. butterfly → 8utt3rfly This no longer works and takes just a few days to crack! Ref: https://pages.nist.gov/800-63-3/sp800-63b.html @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Avoid personal / social information • Name and memorable bates: DoB, Marriage • Fav footie club name, car rego, house number Examples of Bad Passwords Bob1976 Swans2017 !2Nancy The Password Paradox And Why Our Personalities Will Get Us Hacked @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
1) Use a random 16 (at least) character password UPPER, lower, d1g1ts, punctuat!on b9G#Z4YVemTN^X6S 2) Use 4 random words stringed together: correct horse battery staple correcthorsebatterystaple @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Random character & multi-word passwords = difficult for you to remember  = difficult for hackers to guess ☺ Try to avoid reusing the same password on multiple sites. Read The Real Life Risks Of Re Using The Same Passwords @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Use a password service such as LastPass Local 256-bit encryption, SSL data transfer, 2-factor authentication Free 14-day Last Pass Trial @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Consider forcing users to have a strong password Force Strong Passwords plugin. http://wordpress.org/plugins/force-strong- passwords/ Gives more flexibility than built-in WordPress @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Only allow one login per device. Restrict logins under same username on multiple devices (i.e. username/pass sharing) WordPress Bouncer plugin http://wordpress.org/plugins/wp-bouncer/ @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Change the default WordPress salt keys in wp- config.php WordPress uses cookies to store session information. These are hashed with MD5 + salt keys in the wp-config.php file https://api.wordpress.org/secret-key/1.1/salt/ @DeveloperWil #wpsyd Session Safety: Salk Keys Fundamentals
Restrict the number of users with the Administrator role. You do need at least 1 Admin user to administer the site – do you need any more than that? Editor role is sufficient for somebody to manage 90% of all the site’s day-to-day content. @DeveloperWil #wpsyd Admin & Editor Users Fundamentals
Understanding Linux file permissions is key @DeveloperWil #wpsyd Linux File Permissions Files & Perms
Each file and directory has three user based permission groups: • u – the user who owns the file or directory (owner) • g - the group to which the user belongs • o - all other users on the system (not owner or user’s group), this is the permission group that you want to watch the most. @DeveloperWil #wpsyd Permission Groups Files & Perms
Each file or directory has three basic permission types: • r - a user's capability to read the contents of the file • w - a user's capability to write or modify a file or directory • x - a user's capability to execute (run) a file or view the contents of a directory. @DeveloperWil #wpsyd Permission Types Files & Perms
In general… WordPress folders/directories = 755 WordPress files = 644 Some hosting companies may insist you set /wp-content/uploads to 777 Move to another hosting company! @DeveloperWil #wpsyd Files, Folders & Permissions Files & Perms
Probably your three most important sys files are: .htaccess (Apache Web Server) = permalinks, redirects, error files, directory pswds, etc This should be locked down to CHMOD 444 php.ini = PHP version, extensions, remote opens, file uploads, etc wp-config.php = WordPress DB username & password, Salts These should be locked down to CHMOD 440 @DeveloperWil #wpsyd Config Files & Permissions Files & Perms
Malware can be hidden in Themes, Plugins & other server scripts Sucuri detects and cleans malware on servers De-blacklists your server/site Notify by SMS, Email, Private Twitter etc http://sucuri.net/ USD $199.99 per site per year @DeveloperWil #wpsyd Malware Clean Server Files & Perms
Update WordPress Core, Themes and Plugins regularly = at least weekly ManageWP service good for multiple sites https://managewp.com @DeveloperWil #wpsyd Update Regularly WordPress
Automatic Updates are in WordPress core for point releases only by default. For more control, in wp-config.php define( 'WP_AUTO_UPDATE_CORE', true ); • true - Development, minor, and major updates are all enabled • false - Development, minor, and major updates are all disabled • 'minor’ - Minor updates are enabled, development, and major updates are disabled @DeveloperWil #wpsyd Update Regularly WordPress
In your theme’s functions.php add_filter( 'auto_update_plugin', '__return_true’ ); add_filter( 'auto_update_theme', '__return_true’ ); For specific plugin & theme updates see: https://codex.wordpress.org/Configuring_Automatic_Background_Updates @DeveloperWil #wpsyd Update Plugins & Themes WordPress
Especially “free” themes and torrents – Likely to contain spam links & malware – Malware can read your wp-config.php file and email it to the hacker = you’re screwed – Don’t use themes or plugins from torrent sites! – Always try to download from original source Read: http://premium.wpmudev.org/blog/free-wordpress- themes-ultimate-guide/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
Search through files for: Base64_decode edoced_46esaB and eval Decode at: http://www.base64decode.org/ Use Theme Authenticity Checker http://wordpress.org/plugins/tac/ Exploit Scanner http://wordpress.org/plugins/exploit-scanner/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
Not all Base64_decode function calls are evil! WordPress uses the function extensively throughout the core. Should be easy to decode and work out if good or bad in plugins or themes. @DeveloperWil #wpsyd What is Base64?
In general • Not being maintained • No security issues being fixed • Uses outdated/flawed functions/practices • Known exploit vectors available on Interwebs @DeveloperWil #wpsyd Avoid Old Plugins WordPress
Popular image/thumbnail resizing script Bundled in many older themes and plugins Responsible for many many WordPress security breaches “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.” Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
Script was “fixed” of exploits however old versions still lurk out there. Search for TimThumb and check you are using the “fixed” version 2.8.14 https://code.google.com/p/timthumb/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
The nature of TimThumb still makes it potentially very dangerous to have on your site. TimThumb is no longer supported or maintained as of Sept 2014 http://www.binarymoon.co.uk/2014/09/timthumb-end-life/ Read this: https://zeropointdevelopment.com/timthumb-is-evil/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
Won’t make your site “secure” from hacks Will encrypt the data transmitted between computer and server More on SSL certificates at https://letsencrypt.org/docs/faq/ @DeveloperWil #wpsyd SSL Certificates
If you have an SSL certificate.. Force all Dashboard and Logins to use HTTPS In wp-config.php define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); @DeveloperWil #wpsyd HTTPS Dashboard WordPress
Gives additional level of security. WordFence plugin is recommended: http://www.wordfence.com/ Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*, Cryptocurrency miners *premium functions @DeveloperWil #wpsyd Software Firewalls WordPress
New breed of malware (ref: The rise of cryptocurrency miners as malware). JS cryptocurrency miner (mostly Coinhive). Runs in browser when visitor opens infected page. Uses 100% of your computer’s CPU power. Grey area between legit use & as malware: • Some firewall & malware scanners look past mining code • Wordfence detects known miner scripts @DeveloperWil #wpsyd Cryptocurrency Miners New Threat
Brute force attacks try to repeatedly guess username & password. Block IP address after X number of unsuccessful login attempts within a time period. Limit Login Attempts Reloaded plugin https://wordpress.org/plugins/limit-login-attempts-reloaded/ @DeveloperWil #wpsyd Prevent Login Attempts WordPress
Don’t give the hackers a helping hand Remove that info! Add this to functions.php add_filter(‘login_errors', '__return_null'); @DeveloperWil #wpsyd Don’t Show Login Errors WordPress
There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email https://wordpress.org/plugins/updraftplus/ Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/ Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/ Backup Buddy https://ithemes.com/purchase/backupbuddy/ VaultPress http://vaultpress.com/ Set your retention frequency. Can you restore from an issue that’s been happening for 2 months? Check your backup files – do a test restore! @DeveloperWil #wpsyd Back Your Site Up WordPress
@DeveloperWil #wpsyd Security for the Paranoid
Using another device to generate an authentication code e.g. Mobile phone app WP Login Details + Authenticator Code = 2FA Google Authenticator @DeveloperWil #wpsyd Two Factor/Two Step Authentication
WordPress stores user passwords in the database as salted MD5 hashes using Portable PHP password hashing framework e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP. Passwords themselves are not stored in the DB Password can be replaced in DB with MD5 hash. After login it’s replaced by a salted MD5 hash. @DeveloperWil #wpsyd PASSWORD TYPE PASSWORD HASH WordPress Password Storage
MD5 hash designed for high volume, not security. “collision resistance” ~264 MD5 has been broken but not resistance to preimages or second- preimages. MD5 + salts still poor choice as it’s designed to be fast. Modern GPUs generate billions of candidate passwords per second i.e. brute force Ref: https://en.wikipedia.org/wiki/MD5 Ref: https://en.wikipedia.org/wiki/Collision_attack Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since- 1996 @DeveloperWil #wpsyd Is MD5 Insecure?
Bcrypt is an adaptive hashing algorithm. Bcrypt intentionally takes a relatively long time to be calculated; over time, the iteration count can be increased to make it even slower. This is done intentionally to resist brute force attacks as computational power increases. Ref: https://en.wikipedia.org/wiki/Bcrypt @DeveloperWil #wpsyd Bcrypt Alternative
Plugin: https://roots.io/plugins/bcrypt- password/ Note: requires PHP >= 5.5.0 @DeveloperWil #wpsyd Bcrypt Plugin
Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part. This is going to be the normal way of authenticating with systems in the not-so- distant future. @DeveloperWil #wpsyd Biometric Authentication
@DeveloperWil #wpsyd Fingerprint via mobile phone https://wordpress.org/plugins/rapid-secure-login/ Fingerprint and facial recognition via mobile phone https://wordpress.org/plugins/launchkey/ Biometric Authentication
Move the wp-content folder to a new location. Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */ define ('WP_CONTENT_DIR','/full/path/to/your/content/dir'); define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url'); Warning: badly developed plugins & themes may have hard-coded wp-content location. @DeveloperWil #wpsyd Move wp-content Folder
Use .htaccess to protect your wp-config.php file <files wp-config.php> order allow,deny deny from all </files> Nobody can access the wp-config.php file now except for the web server owner. @DeveloperWil #wpsyd Protect wp-config.php
Use .htaccess to stop SQL injection attacks on form fields and URLs. Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L] Any requests or changes to global variables containing <script> gets blocked. @DeveloperWil #wpsyd SQL Injection Protection
Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing Options –Indexes @DeveloperWil #wpsyd Prevent Directory Browsing
Password protect wp-admin folder using cPanel and .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your- wordpress-admin-wp-admin-directory/ @DeveloperWil #wpsyd Secure wp-admin Folder
Open the .htaccess file located in your /wp- admin/ folder (NOT the main .htaccess in root). In the wp-admin .htaccess file, paste the following code: <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> @DeveloperWil #wpsyd Allow Admin Ajax
Remove the WordPress dashboard Editor for themes and plugins Add to wp-config.php define('DISALLOW_FILE_EDIT', true); @DeveloperWil #wpsyd Disable User File Editor
Default MySQL DB table prefix is wp_ Change before installing new WordPress sites. Add to wp-config.php $table_prefix = ‘mynewprefix_'; Existing websites – use WP Prefix Changer https://wordpress.org/plugins/wp-prefix-changer/ @DeveloperWil #wpsyd Change Default Table Prefix
Does nothing to enhance security. Once an attacker has access to your DB they can easily find the table prefix. @DeveloperWil #wpsyd SELECT DISTINCT SUBSTRING(`TABLE_NAME` FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) ) FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%postmeta'; Output: wp_ Ref: Changing WordPress' default table prefix does nothing to enhance security Change Default Table Prefix
Monitor who does what on your WordPress site. Stream: http://wp-stream.com/ @DeveloperWil #wpsyd Be “Big Brother”
Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] Now login to your site using: http://www.mywebsite.com/login @DeveloperWil #wpsyd Change wp-login.php
Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder'); define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR); Add to functions.php: add_filter(‘site_url’, ‘zpd_wpadmin_filter', 10, 3); function zpd_wpadmin_filter( $url, $path, $orig_scheme ) { $old = array( "/(wp-admin)/"); $admin_dir = WP_ADMIN_DIR; $new = array($admin_dir); return preg_replace( $old, $new, $url, 1); } @DeveloperWil #wpsyd Change /wp-admin/ - Step 1
Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L] Now login to your site using: http://www.mysite.com/secret-folder/ @DeveloperWil #wpsyd Change /wp-admin/ - Step 2
Add to .htaccess # Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files> Replace 123.123.123.123 with your own computer’s IP if you use the WordPress mobile app. Remove line 5 to completely block all XML-RCP requests to your site. Note: this will stop Jetpack, official WP mobile app, trackbacks and pingbacks from working. @DeveloperWil #wpsyd Disable XML-RPC
Known as DoS or DDoS (distributed). Consider using Cloudflare. @DeveloperWil #wpsyd Attack Without Cloudflare Attack With Cloudflare Denial of Service Attacks
Stay up to date with these additional security resources. National Vulnerability Database (WordPress) Wordfence Blog and Free Security Scan Sucuri Blog Hardening WordPress from wordpress.org WPScan Vulnerability Database Zero Point Development Blog @DeveloperWil #wpsyd More Resources
Get my free eBook. Yours to keep forever. @DeveloperWil #wpsyd Get My eBook goo.gl/k5brQE Free Ebook
Did I miss anything? Tweet to @DeveloperWil @DeveloperWil #wpsyd All Done!
[Cover] zeropointdevelopment.com [3] jamesclear.com/sun-tzu-habits [9] activerain.com [10] mybroadband.co.za [11] amazon.com [18] lastpass.com [23] zeropointdevelopment.com [29] managewp.com [33] wordpress.org [35] wordpress.org [39] promptwebhosting.com.au [45] zeropointdevelopment.com [47] zeropointdevelopment.com [48] mobyware.ru [52] roots.io [53] ibmsystemsmag.com [54] wordpress.org [55] wordpress.org [58] gobalakrishnan.com [59] trickytechs.com/wpbeginner.com [61] zeropointdevelopment.com [63] wp-stream.com [69] cloudflare.com [72] zeropointdevelopment.com [Back Cover] zeropointdevelopment.com Note: This presentation may contain affiliate links. Image Credits
▪ WordPress 2008+ ▪ Consultant & Developer ▪ Event Organiser @DeveloperWil Who Am I? zeropointdevelopment.com wp-wingman.com

More Related Content

PPTX
WordPress Security Best Practices
Zero Point Development
 
PPTX
Protect Your WordPress From The Inside Out
SiteGround.com
 
PPT
WordPress Security
Brad Williams
 
KEY
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
PPTX
WordPress End-User Security
Dre Armeda
 
PPTX
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
PPT
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
PDF
WordPress Security WordCamp OC 2013
Brad Williams
 
WordPress Security Best Practices
Zero Point Development
 
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security
Brad Williams
 
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
WordPress End-User Security
Dre Armeda
 
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
WordPress Security WordCamp OC 2013
Brad Williams
 

What's hot (20)

PPTX
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
PDF
Top Ten WordPress Security Tips for 2012
Brad Williams
 
PPT
Now That's What I Call WordPress Security 2010
Brad Williams
 
PDF
Lockdown WordPress
Dre Armeda
 
PPTX
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
PPT
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
PPTX
WordPress Security Best Practices
Zero Point Development
 
PDF
Google Hacking Basics
amiable_indian
 
PPTX
WordPress Security
Nathan Platt
 
PPTX
Website security
Akhilesh Kant
 
PDF
Joomla! security jday2015
kriptonium
 
PPTX
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
PPT
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
PPT
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
KEY
Higher Order WordPress Security
Dougal Campbell
 
PDF
Web Security 101
Brent Shaffer
 
PDF
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PPTX
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
PPTX
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
Top Ten WordPress Security Tips for 2012
Brad Williams
 
Now That's What I Call WordPress Security 2010
Brad Williams
 
Lockdown WordPress
Dre Armeda
 
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
WordPress Security Best Practices
Zero Point Development
 
Google Hacking Basics
amiable_indian
 
WordPress Security
Nathan Platt
 
Website security
Akhilesh Kant
 
Joomla! security jday2015
kriptonium
 
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Higher Order WordPress Security
Dougal Campbell
 
Web Security 101
Brent Shaffer
 
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
Ad

Similar to WordPress Security Best Practices 2019 Update (20)

PDF
WordPress Security 101
Manifest Creative
 
PPTX
Wordpress security issues
Deepu Thomas
 
PPTX
Wordpress security 101 202
James Ruffer
 
PPTX
WordPress security
Shelley Magnezi
 
PPT
WordCamp Philly WordPress End-User Security
Dre Armeda
 
PDF
Types of Security Threats WordPress Websites Face: Part-1
WPWhiteBoard
 
PDF
WordPress Security - 12 WordPress Security Fundamentals
findingsimple
 
PPTX
WordPress Plugins and Security
Think Media Inc.
 
PPT
WordPress Security - WordCamp NYC 2009
Brad Williams
 
PDF
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
PPTX
WordPress Security Fundamentals - WordCamp Biratnagar 2018
Abul Khayer
 
PDF
Word press beirut 9th meetup march
Fadi Nicolas Zahhar
 
PDF
There's No Crying In Wordpress! (an intro to WP)
Grace Solivan
 
PDF
Be Securious – Hack Your Own Site for Better Security
securiously
 
PPTX
Getting started with wordpress hosting and security
WP Pittsburgh Meetup Group
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
PDF
WordPress Security 2018
Adrian Mikeliunas
 
PDF
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
PPT
WordPress Security - WordCamp Boston 2010
Brad Williams
 
PPTX
Wordpress Security & Hardening Steps
Plasterdog Web Design
 
WordPress Security 101
Manifest Creative
 
Wordpress security issues
Deepu Thomas
 
Wordpress security 101 202
James Ruffer
 
WordPress security
Shelley Magnezi
 
WordCamp Philly WordPress End-User Security
Dre Armeda
 
Types of Security Threats WordPress Websites Face: Part-1
WPWhiteBoard
 
WordPress Security - 12 WordPress Security Fundamentals
findingsimple
 
WordPress Plugins and Security
Think Media Inc.
 
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
Abul Khayer
 
Word press beirut 9th meetup march
Fadi Nicolas Zahhar
 
There's No Crying In Wordpress! (an intro to WP)
Grace Solivan
 
Be Securious – Hack Your Own Site for Better Security
securiously
 
Getting started with wordpress hosting and security
WP Pittsburgh Meetup Group
 
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
WordPress Security 2018
Adrian Mikeliunas
 
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
WordPress Security - WordCamp Boston 2010
Brad Williams
 
Wordpress Security & Hardening Steps
Plasterdog Web Design
 
Ad

Recently uploaded (20)

PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 

WordPress Security Best Practices 2019 Update

  • 1. zeropointdevelopment.com for WordPress Sydney WordPress Security Best Practices 2019 Update
  • 2. • Use complex usernames & passwords • Check file permissions have minimum access • Update software often & regularly • Use security firewalls & scan regularly • Consider using 2-factor authentication • Stick to reputable theme providers • Uninstall unused code/themes/plugins • Lock all doors, windows & switch off Internet! @DeveloperWil #wpsyd TL;DR
  • 3. • Chinese General • Military Strategist • Philosopher • Born ~512BC Book: The Art of War http://www.classicly.com/read-the-art-of-war-online-free/page/1 @DeveloperWil #wpsyd Introducing Sun Tzu
  • 4. “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” Don’t wait until your site gets hacked first. Lock it down today and get ready to defend it! @DeveloperWil #wpsyd Sun Tzu Says…
  • 5. “To know your Enemy, you must become your Enemy” Learn how hackers try to get into your site so you can pre-emptively fix it and be ready for what is to come. @DeveloperWil #wpsyd Sun Tzu Says…
  • 6. “Even the finest sword plunged into salt water will eventually rust.” Just because your site is secure today, doesn’t mean it can’t get hacked tomorrow, next month or next year. Review & update regularly. @DeveloperWil #wpsyd Sun Tzu Says…
  • 7. YOU ARE AT WAR WITH MULTIPLE UNKNOWN ENEMIES @DeveloperWil #wpsyd
  • 8. There is always a current threat The worst type of threats are those you don’t know about You need to understand your weaknesses You need to build a solid defence You need to have a plan of attack @DeveloperWil #wpsyd SO BE PREPARED Security Is Cyclic
  • 9. Locked in a deep dark basement No internet connection No user interaction Switched off! = Pretty useless website = There is a balance to be had @DeveloperWil #wpsyd Ultimate Secure Site
  • 10. Everything is Hackable @DeveloperWil #wpsyd Best we can do is make our site less attractive than others to hack into. Would you attempt to break into this car? https://www.youtube.com/watch?v=aLhWzMOccTg Before We Start
  • 11. The most vulnerable part of your website is… YOU Buy this book! @DeveloperWil #wpsyd Before We Start
  • 12. Do not leave new WordPress sites in “setup mode”. Complete the entire setup process. Hackers can find WordPress setup pages and install their own site – aka “WPSetup Attack” Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/ @DeveloperWil #wpsyd New WP Installations Fundamentals
  • 13. Beware when ordering a new SSL certificate for a brand new WordPress website. Hackers monitor SSL certificate transparency report +30mins after new certificate being issued. They can take over your new site before you complete the installation process. Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/ @DeveloperWil #wpsyd New Sites & SSLs Fundamentals
  • 14. Not just WordPress cPanel, email, FTP, SSH, MySQL, WordPress Avoid typical “Administrator” usernames admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, … @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 15. Don’t replace letters with numbers or symbols. Simple character substitution is weak. butterfly → 8utt3rfly This no longer works and takes just a few days to crack! Ref: https://pages.nist.gov/800-63-3/sp800-63b.html @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 16. Avoid personal / social information • Name and memorable bates: DoB, Marriage • Fav footie club name, car rego, house number Examples of Bad Passwords Bob1976 Swans2017 !2Nancy The Password Paradox And Why Our Personalities Will Get Us Hacked @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 17. 1) Use a random 16 (at least) character password UPPER, lower, d1g1ts, punctuat!on b9G#Z4YVemTN^X6S 2) Use 4 random words stringed together: correct horse battery staple correcthorsebatterystaple @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 18. Random character & multi-word passwords = difficult for you to remember  = difficult for hackers to guess ☺ Try to avoid reusing the same password on multiple sites. Read The Real Life Risks Of Re Using The Same Passwords @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 19. Use a password service such as LastPass Local 256-bit encryption, SSL data transfer, 2-factor authentication Free 14-day Last Pass Trial @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 20. Consider forcing users to have a strong password Force Strong Passwords plugin. http://wordpress.org/plugins/force-strong- passwords/ Gives more flexibility than built-in WordPress @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 21. Only allow one login per device. Restrict logins under same username on multiple devices (i.e. username/pass sharing) WordPress Bouncer plugin http://wordpress.org/plugins/wp-bouncer/ @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 22. Change the default WordPress salt keys in wp- config.php WordPress uses cookies to store session information. These are hashed with MD5 + salt keys in the wp-config.php file https://api.wordpress.org/secret-key/1.1/salt/ @DeveloperWil #wpsyd Session Safety: Salk Keys Fundamentals
  • 23. Restrict the number of users with the Administrator role. You do need at least 1 Admin user to administer the site – do you need any more than that? Editor role is sufficient for somebody to manage 90% of all the site’s day-to-day content. @DeveloperWil #wpsyd Admin & Editor Users Fundamentals
  • 24. Understanding Linux file permissions is key @DeveloperWil #wpsyd Linux File Permissions Files & Perms
  • 25. Each file and directory has three user based permission groups: • u – the user who owns the file or directory (owner) • g - the group to which the user belongs • o - all other users on the system (not owner or user’s group), this is the permission group that you want to watch the most. @DeveloperWil #wpsyd Permission Groups Files & Perms
  • 26. Each file or directory has three basic permission types: • r - a user's capability to read the contents of the file • w - a user's capability to write or modify a file or directory • x - a user's capability to execute (run) a file or view the contents of a directory. @DeveloperWil #wpsyd Permission Types Files & Perms
  • 27. In general… WordPress folders/directories = 755 WordPress files = 644 Some hosting companies may insist you set /wp-content/uploads to 777 Move to another hosting company! @DeveloperWil #wpsyd Files, Folders & Permissions Files & Perms
  • 28. Probably your three most important sys files are: .htaccess (Apache Web Server) = permalinks, redirects, error files, directory pswds, etc This should be locked down to CHMOD 444 php.ini = PHP version, extensions, remote opens, file uploads, etc wp-config.php = WordPress DB username & password, Salts These should be locked down to CHMOD 440 @DeveloperWil #wpsyd Config Files & Permissions Files & Perms
  • 29. Malware can be hidden in Themes, Plugins & other server scripts Sucuri detects and cleans malware on servers De-blacklists your server/site Notify by SMS, Email, Private Twitter etc http://sucuri.net/ USD $199.99 per site per year @DeveloperWil #wpsyd Malware Clean Server Files & Perms
  • 30. Update WordPress Core, Themes and Plugins regularly = at least weekly ManageWP service good for multiple sites https://managewp.com @DeveloperWil #wpsyd Update Regularly WordPress
  • 31. Automatic Updates are in WordPress core for point releases only by default. For more control, in wp-config.php define( 'WP_AUTO_UPDATE_CORE', true ); • true - Development, minor, and major updates are all enabled • false - Development, minor, and major updates are all disabled • 'minor’ - Minor updates are enabled, development, and major updates are disabled @DeveloperWil #wpsyd Update Regularly WordPress
  • 32. In your theme’s functions.php add_filter( 'auto_update_plugin', '__return_true’ ); add_filter( 'auto_update_theme', '__return_true’ ); For specific plugin & theme updates see: https://codex.wordpress.org/Configuring_Automatic_Background_Updates @DeveloperWil #wpsyd Update Plugins & Themes WordPress
  • 33. Especially “free” themes and torrents – Likely to contain spam links & malware – Malware can read your wp-config.php file and email it to the hacker = you’re screwed – Don’t use themes or plugins from torrent sites! – Always try to download from original source Read: http://premium.wpmudev.org/blog/free-wordpress- themes-ultimate-guide/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
  • 34. Search through files for: Base64_decode edoced_46esaB and eval Decode at: http://www.base64decode.org/ Use Theme Authenticity Checker http://wordpress.org/plugins/tac/ Exploit Scanner http://wordpress.org/plugins/exploit-scanner/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
  • 35. Not all Base64_decode function calls are evil! WordPress uses the function extensively throughout the core. Should be easy to decode and work out if good or bad in plugins or themes. @DeveloperWil #wpsyd What is Base64?
  • 36. In general • Not being maintained • No security issues being fixed • Uses outdated/flawed functions/practices • Known exploit vectors available on Interwebs @DeveloperWil #wpsyd Avoid Old Plugins WordPress
  • 37. Popular image/thumbnail resizing script Bundled in many older themes and plugins Responsible for many many WordPress security breaches “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.” Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
  • 38. Script was “fixed” of exploits however old versions still lurk out there. Search for TimThumb and check you are using the “fixed” version 2.8.14 https://code.google.com/p/timthumb/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
  • 39. The nature of TimThumb still makes it potentially very dangerous to have on your site. TimThumb is no longer supported or maintained as of Sept 2014 http://www.binarymoon.co.uk/2014/09/timthumb-end-life/ Read this: https://zeropointdevelopment.com/timthumb-is-evil/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
  • 40. Won’t make your site “secure” from hacks Will encrypt the data transmitted between computer and server More on SSL certificates at https://letsencrypt.org/docs/faq/ @DeveloperWil #wpsyd SSL Certificates
  • 41. If you have an SSL certificate.. Force all Dashboard and Logins to use HTTPS In wp-config.php define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); @DeveloperWil #wpsyd HTTPS Dashboard WordPress
  • 42. Gives additional level of security. WordFence plugin is recommended: http://www.wordfence.com/ Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*, Cryptocurrency miners *premium functions @DeveloperWil #wpsyd Software Firewalls WordPress
  • 43. New breed of malware (ref: The rise of cryptocurrency miners as malware). JS cryptocurrency miner (mostly Coinhive). Runs in browser when visitor opens infected page. Uses 100% of your computer’s CPU power. Grey area between legit use & as malware: • Some firewall & malware scanners look past mining code • Wordfence detects known miner scripts @DeveloperWil #wpsyd Cryptocurrency Miners New Threat
  • 44. Brute force attacks try to repeatedly guess username & password. Block IP address after X number of unsuccessful login attempts within a time period. Limit Login Attempts Reloaded plugin https://wordpress.org/plugins/limit-login-attempts-reloaded/ @DeveloperWil #wpsyd Prevent Login Attempts WordPress
  • 45. Don’t give the hackers a helping hand Remove that info! Add this to functions.php add_filter(‘login_errors', '__return_null'); @DeveloperWil #wpsyd Don’t Show Login Errors WordPress
  • 46. There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email https://wordpress.org/plugins/updraftplus/ Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/ Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/ Backup Buddy https://ithemes.com/purchase/backupbuddy/ VaultPress http://vaultpress.com/ Set your retention frequency. Can you restore from an issue that’s been happening for 2 months? Check your backup files – do a test restore! @DeveloperWil #wpsyd Back Your Site Up WordPress
  • 48. Using another device to generate an authentication code e.g. Mobile phone app WP Login Details + Authenticator Code = 2FA Google Authenticator @DeveloperWil #wpsyd Two Factor/Two Step Authentication
  • 49. WordPress stores user passwords in the database as salted MD5 hashes using Portable PHP password hashing framework e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP. Passwords themselves are not stored in the DB Password can be replaced in DB with MD5 hash. After login it’s replaced by a salted MD5 hash. @DeveloperWil #wpsyd PASSWORD TYPE PASSWORD HASH WordPress Password Storage
  • 50. MD5 hash designed for high volume, not security. “collision resistance” ~264 MD5 has been broken but not resistance to preimages or second- preimages. MD5 + salts still poor choice as it’s designed to be fast. Modern GPUs generate billions of candidate passwords per second i.e. brute force Ref: https://en.wikipedia.org/wiki/MD5 Ref: https://en.wikipedia.org/wiki/Collision_attack Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since- 1996 @DeveloperWil #wpsyd Is MD5 Insecure?
  • 51. Bcrypt is an adaptive hashing algorithm. Bcrypt intentionally takes a relatively long time to be calculated; over time, the iteration count can be increased to make it even slower. This is done intentionally to resist brute force attacks as computational power increases. Ref: https://en.wikipedia.org/wiki/Bcrypt @DeveloperWil #wpsyd Bcrypt Alternative
  • 53. Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part. This is going to be the normal way of authenticating with systems in the not-so- distant future. @DeveloperWil #wpsyd Biometric Authentication
  • 54. @DeveloperWil #wpsyd Fingerprint via mobile phone https://wordpress.org/plugins/rapid-secure-login/ Fingerprint and facial recognition via mobile phone https://wordpress.org/plugins/launchkey/ Biometric Authentication
  • 55. Move the wp-content folder to a new location. Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */ define ('WP_CONTENT_DIR','/full/path/to/your/content/dir'); define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url'); Warning: badly developed plugins & themes may have hard-coded wp-content location. @DeveloperWil #wpsyd Move wp-content Folder
  • 56. Use .htaccess to protect your wp-config.php file <files wp-config.php> order allow,deny deny from all </files> Nobody can access the wp-config.php file now except for the web server owner. @DeveloperWil #wpsyd Protect wp-config.php
  • 57. Use .htaccess to stop SQL injection attacks on form fields and URLs. Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L] Any requests or changes to global variables containing <script> gets blocked. @DeveloperWil #wpsyd SQL Injection Protection
  • 58. Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing Options –Indexes @DeveloperWil #wpsyd Prevent Directory Browsing
  • 59. Password protect wp-admin folder using cPanel and .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your- wordpress-admin-wp-admin-directory/ @DeveloperWil #wpsyd Secure wp-admin Folder
  • 60. Open the .htaccess file located in your /wp- admin/ folder (NOT the main .htaccess in root). In the wp-admin .htaccess file, paste the following code: <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> @DeveloperWil #wpsyd Allow Admin Ajax
  • 61. Remove the WordPress dashboard Editor for themes and plugins Add to wp-config.php define('DISALLOW_FILE_EDIT', true); @DeveloperWil #wpsyd Disable User File Editor
  • 62. Default MySQL DB table prefix is wp_ Change before installing new WordPress sites. Add to wp-config.php $table_prefix = ‘mynewprefix_'; Existing websites – use WP Prefix Changer https://wordpress.org/plugins/wp-prefix-changer/ @DeveloperWil #wpsyd Change Default Table Prefix
  • 63. Does nothing to enhance security. Once an attacker has access to your DB they can easily find the table prefix. @DeveloperWil #wpsyd SELECT DISTINCT SUBSTRING(`TABLE_NAME` FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) ) FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%postmeta'; Output: wp_ Ref: Changing WordPress' default table prefix does nothing to enhance security Change Default Table Prefix
  • 64. Monitor who does what on your WordPress site. Stream: http://wp-stream.com/ @DeveloperWil #wpsyd Be “Big Brother”
  • 65. Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] Now login to your site using: http://www.mywebsite.com/login @DeveloperWil #wpsyd Change wp-login.php
  • 66. Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder'); define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR); Add to functions.php: add_filter(‘site_url’, ‘zpd_wpadmin_filter', 10, 3); function zpd_wpadmin_filter( $url, $path, $orig_scheme ) { $old = array( "/(wp-admin)/"); $admin_dir = WP_ADMIN_DIR; $new = array($admin_dir); return preg_replace( $old, $new, $url, 1); } @DeveloperWil #wpsyd Change /wp-admin/ - Step 1
  • 67. Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L] Now login to your site using: http://www.mysite.com/secret-folder/ @DeveloperWil #wpsyd Change /wp-admin/ - Step 2
  • 68. Add to .htaccess # Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files> Replace 123.123.123.123 with your own computer’s IP if you use the WordPress mobile app. Remove line 5 to completely block all XML-RCP requests to your site. Note: this will stop Jetpack, official WP mobile app, trackbacks and pingbacks from working. @DeveloperWil #wpsyd Disable XML-RPC
  • 69. Known as DoS or DDoS (distributed). Consider using Cloudflare. @DeveloperWil #wpsyd Attack Without Cloudflare Attack With Cloudflare Denial of Service Attacks
  • 70. Stay up to date with these additional security resources. National Vulnerability Database (WordPress) Wordfence Blog and Free Security Scan Sucuri Blog Hardening WordPress from wordpress.org WPScan Vulnerability Database Zero Point Development Blog @DeveloperWil #wpsyd More Resources
  • 71. Get my free eBook. Yours to keep forever. @DeveloperWil #wpsyd Get My eBook goo.gl/k5brQE Free Ebook
  • 72. Did I miss anything? Tweet to @DeveloperWil @DeveloperWil #wpsyd All Done!
  • 73. [Cover] zeropointdevelopment.com [3] jamesclear.com/sun-tzu-habits [9] activerain.com [10] mybroadband.co.za [11] amazon.com [18] lastpass.com [23] zeropointdevelopment.com [29] managewp.com [33] wordpress.org [35] wordpress.org [39] promptwebhosting.com.au [45] zeropointdevelopment.com [47] zeropointdevelopment.com [48] mobyware.ru [52] roots.io [53] ibmsystemsmag.com [54] wordpress.org [55] wordpress.org [58] gobalakrishnan.com [59] trickytechs.com/wpbeginner.com [61] zeropointdevelopment.com [63] wp-stream.com [69] cloudflare.com [72] zeropointdevelopment.com [Back Cover] zeropointdevelopment.com Note: This presentation may contain affiliate links. Image Credits
  • 74. ▪ WordPress 2008+ ▪ Consultant & Developer ▪ Event Organiser @DeveloperWil Who Am I? zeropointdevelopment.com wp-wingman.com