WordPress Security Tips

WordPress
Mini Word Camp 7
Basic WordPress Security Tips

By Catch Internet Pvt. Ltd.

WordPress Security

• WordPress popularity and usage brings
in new threat

• WordPress basic security is necessary
for all the users

• Most hackers in the internet are looking
for the easy way

Purpose of the Presentation
Is to Scare the crap out of you!

Image by http://blog.mysanantonio.com

Purpose of the Presentation
And then make everyone feel better

What We Will Cover

• WordPress Hosting Servers

• Example of Link Injection Hacks

• How to Secure your WordPress site
basics

• WordPress Security Plugins

Do I Really Need To Secure WP

• There is nothing valuable on my site

• I only have limited visitors on my site

• I thought I already was secured

• Who is going to hack my site

• I already turned off the comments for
security

Yes You Have to Secure Your WP

Check your Hosting:
Well Known, Customer Service,
Secure, Review Check, Linux
Based, Control Panel, Backup
Server Minimum Requirements
• PHP 5.2.4 or greater
•MySQL 5.0 or greater
• The mod_rewrite Apache module

Recommended Hosting

•Bluehost

•MediaTemple

•WestHost

•DreamHost

• WordPress VIP, Choppa, VPS
(Premium Servers)

Hidden Link Injection Hacks
• Upload/ Plugin/ Themes (TimThumb)/Core
Wordpress/Multi WordPress

• Uses css to hide it in style. Display:none;

• Mostly used for get your SEO Ranking

• Mostly initiated by basicpills.com and many other
domains located at 212.117.161.190

• Another easy hacks

Hidden Link Injection Hacks
•These are some of the links you will see in an infected site:
<a href="http://basicpills .
com/">online prescription drugs without a prescription..
<a href="http://generic-ed-pharmacy . com/">Buy Generic Viagra Onlin.
<a href="http://getrxpills . com/buy/levitra.html”>levitra 10 mg..

•Mostly these spam links are all related to pharmacy products
leading you to one of the following domains:
antibioticsordrer.com, antibiotics-shop.com, basicpills.com,
buynolvadexcheap.com, cheappillsonline.net, dacompliasale.com
dlevitraonline.com, dzithromaxsbuy.com, generic-ed-pharmacy.com,
getrxpills.com, kamagrasorder.com, onlineacompliacheap.com,
onlinecialischeap.net, onlinelevitracheap.com, onlinelevitracheap.net,
onlineviagracheap.com, onlineviagracheap.net, peampicillinonline.com,
rx-prices.com, sclomidbuy.com, sdoxycyclinebuy.com, sviagrarbuy.com,
vicialisabuy.com, wpropecianonline.com

How to Secure your WP Site basics
• Keep your Core WordPress, Theme, Plugins
Updated.

• No Admin user account

• Use Secure Username and Password
(http://goodpassword.com/)

• Folder Permission: Rule of Thumb, file 644,
folder 755

•Remove WordPress Version from Header
//Removing wp version
generatorremove_action('wp_head',
'wp_generator');

•Use a Secret Key in wp-config.php
https://api.wordpress.org/secret-key/1.1/salt/

•Change WP Table Prefix in wp-config.php
$table_prefix = 'yourtable_12';

•Directories should not be left open for
public browsing
.htaccess
Options All –Indexes

•Nobody should be allowed to search your
entire server.
Do not use this search code in your search
form <?php echo $_SERVER ['PHP_SELF']; ?> and
use this instead <?phpbloginfo (‘home’); ?>

•Block WP-folder from being indexed by
Search Engine.
Best way to block, add the following code in
your robots.txt file
Disallow: /wp-*

• Prevent Unnecessary Info From Being
Displayed
Add the following filter in function.php
add_filter('login_errors',create_function('$a', "return null;"));

•Protect WordPress Admin:
Use .htaccess and allow only specific IP address
(http://whatismyip.com)
AuthUserFile/dev/null
AuthGroupFile/dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET>
order deny, allow
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
</LIMIT>

• Restrict File Access to wp-content
WordPress doesn’t access the PHP files in the
plugins and theme directory via HHTP.
The Only request from web browser are for
images, havascripts and css.

In .htaccess file in wp-content
Oder Allow, Deny
Deny From all <Files ~ ".(css|jpe?g|png|gif|js)$">
Allow from all
</files>

• Protect from Script Injections
Protect from script injections and any attempt to
modify the PHP GLOBALS and
_REQUESTvariables.
In .htaccess file in wp-content
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

• Fight Back Against Content Scrapers
Protect you site against hot-linking and content
scrapers

Add the following code in your .htaccess file
RewriteEngine On
#Replace ?mysite.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+.)?mysite.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

• Protect your wp-config.php file
During the server problem, wp-config.php might
be shown
• To Make it secure by adding the following
code in .htaccess at root
<FilesMatch ^wp-config.php$>deny from all</FilesMatch>

• Backup Your Database and Files
Schedule backup your Database and File. You can use the following
plugins:
•VaultPress
•BAckupBuddy

WordPress Security Plugins
Signup in websitedefender.com

WordPress Security Basics
Thanks you
For more visit our site
Catchintenet.com
http://catchinternet.com/blog/wordpress-security-tips/

My personal Blog
Sakinshrestha.com
http://sakinshrestha.com/wordpress/fix-if-your-wordpress-
site-is-hacked/
http://sakinshrestha.com/wordpress/wordpress-security-tips/

WordPress Security Tips

More Related Content

What's hot (20)

Similar to WordPress Security Tips (20)

More from Catch Themes (10)

Recently uploaded (20)

WordPress Security Tips