SlideShare a Scribd company logo

WordPress Security Best Practices 2019 Update

Zero Point Development
Zero Point Development

A comprehensive guide to securing your WordPress site including security for the paranoid! Presented at WordPress Sydney meetup group, July 2019

1 of 74
Download to read offline
zeropointdevelopment.com for WordPress Sydney WordPress Security Best Practices 2019 Update
• Use complex usernames & passwords • Check file permissions have minimum access • Update software often & regularly • Use security firewalls & scan regularly • Consider using 2-factor authentication • Stick to reputable theme providers • Uninstall unused code/themes/plugins • Lock all doors, windows & switch off Internet! @DeveloperWil #wpsyd TL;DR
• Chinese General • Military Strategist • Philosopher • Born ~512BC Book: The Art of War http://www.classicly.com/read-the-art-of-war-online-free/page/1 @DeveloperWil #wpsyd Introducing Sun Tzu
“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” Don’t wait until your site gets hacked first. Lock it down today and get ready to defend it! @DeveloperWil #wpsyd Sun Tzu Says…
“To know your Enemy, you must become your Enemy” Learn how hackers try to get into your site so you can pre-emptively fix it and be ready for what is to come. @DeveloperWil #wpsyd Sun Tzu Says…
“Even the finest sword plunged into salt water will eventually rust.” Just because your site is secure today, doesn’t mean it can’t get hacked tomorrow, next month or next year. Review & update regularly. @DeveloperWil #wpsyd Sun Tzu Says…
YOU ARE AT WAR WITH MULTIPLE UNKNOWN ENEMIES @DeveloperWil #wpsyd
There is always a current threat The worst type of threats are those you don’t know about You need to understand your weaknesses You need to build a solid defence You need to have a plan of attack @DeveloperWil #wpsyd SO BE PREPARED Security Is Cyclic
Locked in a deep dark basement No internet connection No user interaction Switched off! = Pretty useless website = There is a balance to be had @DeveloperWil #wpsyd Ultimate Secure Site
Everything is Hackable @DeveloperWil #wpsyd Best we can do is make our site less attractive than others to hack into. Would you attempt to break into this car? https://www.youtube.com/watch?v=aLhWzMOccTg Before We Start
The most vulnerable part of your website is… YOU Buy this book! @DeveloperWil #wpsyd Before We Start
Do not leave new WordPress sites in “setup mode”. Complete the entire setup process. Hackers can find WordPress setup pages and install their own site – aka “WPSetup Attack” Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/ @DeveloperWil #wpsyd New WP Installations Fundamentals
Beware when ordering a new SSL certificate for a brand new WordPress website. Hackers monitor SSL certificate transparency report +30mins after new certificate being issued. They can take over your new site before you complete the installation process. Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/ @DeveloperWil #wpsyd New Sites & SSLs Fundamentals
Not just WordPress cPanel, email, FTP, SSH, MySQL, WordPress Avoid typical “Administrator” usernames admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, … @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Don’t replace letters with numbers or symbols. Simple character substitution is weak. butterfly → 8utt3rfly This no longer works and takes just a few days to crack! Ref: https://pages.nist.gov/800-63-3/sp800-63b.html @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Avoid personal / social information • Name and memorable bates: DoB, Marriage • Fav footie club name, car rego, house number Examples of Bad Passwords Bob1976 Swans2017 !2Nancy The Password Paradox And Why Our Personalities Will Get Us Hacked @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
1) Use a random 16 (at least) character password UPPER, lower, d1g1ts, punctuat!on b9G#Z4YVemTN^X6S 2) Use 4 random words stringed together: correct horse battery staple correcthorsebatterystaple @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Random character & multi-word passwords = difficult for you to remember  = difficult for hackers to guess ☺ Try to avoid reusing the same password on multiple sites. Read The Real Life Risks Of Re Using The Same Passwords @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Use a password service such as LastPass Local 256-bit encryption, SSL data transfer, 2-factor authentication Free 14-day Last Pass Trial @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Consider forcing users to have a strong password Force Strong Passwords plugin. http://wordpress.org/plugins/force-strong- passwords/ Gives more flexibility than built-in WordPress @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Only allow one login per device. Restrict logins under same username on multiple devices (i.e. username/pass sharing) WordPress Bouncer plugin http://wordpress.org/plugins/wp-bouncer/ @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
Change the default WordPress salt keys in wp- config.php WordPress uses cookies to store session information. These are hashed with MD5 + salt keys in the wp-config.php file https://api.wordpress.org/secret-key/1.1/salt/ @DeveloperWil #wpsyd Session Safety: Salk Keys Fundamentals
Restrict the number of users with the Administrator role. You do need at least 1 Admin user to administer the site – do you need any more than that? Editor role is sufficient for somebody to manage 90% of all the site’s day-to-day content. @DeveloperWil #wpsyd Admin & Editor Users Fundamentals
Understanding Linux file permissions is key @DeveloperWil #wpsyd Linux File Permissions Files & Perms
Each file and directory has three user based permission groups: • u – the user who owns the file or directory (owner) • g - the group to which the user belongs • o - all other users on the system (not owner or user’s group), this is the permission group that you want to watch the most. @DeveloperWil #wpsyd Permission Groups Files & Perms
Each file or directory has three basic permission types: • r - a user's capability to read the contents of the file • w - a user's capability to write or modify a file or directory • x - a user's capability to execute (run) a file or view the contents of a directory. @DeveloperWil #wpsyd Permission Types Files & Perms
In general… WordPress folders/directories = 755 WordPress files = 644 Some hosting companies may insist you set /wp-content/uploads to 777 Move to another hosting company! @DeveloperWil #wpsyd Files, Folders & Permissions Files & Perms
Probably your three most important sys files are: .htaccess (Apache Web Server) = permalinks, redirects, error files, directory pswds, etc This should be locked down to CHMOD 444 php.ini = PHP version, extensions, remote opens, file uploads, etc wp-config.php = WordPress DB username & password, Salts These should be locked down to CHMOD 440 @DeveloperWil #wpsyd Config Files & Permissions Files & Perms
Malware can be hidden in Themes, Plugins & other server scripts Sucuri detects and cleans malware on servers De-blacklists your server/site Notify by SMS, Email, Private Twitter etc http://sucuri.net/ USD $199.99 per site per year @DeveloperWil #wpsyd Malware Clean Server Files & Perms
Update WordPress Core, Themes and Plugins regularly = at least weekly ManageWP service good for multiple sites https://managewp.com @DeveloperWil #wpsyd Update Regularly WordPress
Automatic Updates are in WordPress core for point releases only by default. For more control, in wp-config.php define( 'WP_AUTO_UPDATE_CORE', true ); • true - Development, minor, and major updates are all enabled • false - Development, minor, and major updates are all disabled • 'minor’ - Minor updates are enabled, development, and major updates are disabled @DeveloperWil #wpsyd Update Regularly WordPress
In your theme’s functions.php add_filter( 'auto_update_plugin', '__return_true’ ); add_filter( 'auto_update_theme', '__return_true’ ); For specific plugin & theme updates see: https://codex.wordpress.org/Configuring_Automatic_Background_Updates @DeveloperWil #wpsyd Update Plugins & Themes WordPress
Especially “free” themes and torrents – Likely to contain spam links & malware – Malware can read your wp-config.php file and email it to the hacker = you’re screwed – Don’t use themes or plugins from torrent sites! – Always try to download from original source Read: http://premium.wpmudev.org/blog/free-wordpress- themes-ultimate-guide/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
Search through files for: Base64_decode edoced_46esaB and eval Decode at: http://www.base64decode.org/ Use Theme Authenticity Checker http://wordpress.org/plugins/tac/ Exploit Scanner http://wordpress.org/plugins/exploit-scanner/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
Not all Base64_decode function calls are evil! WordPress uses the function extensively throughout the core. Should be easy to decode and work out if good or bad in plugins or themes. @DeveloperWil #wpsyd What is Base64?
In general • Not being maintained • No security issues being fixed • Uses outdated/flawed functions/practices • Known exploit vectors available on Interwebs @DeveloperWil #wpsyd Avoid Old Plugins WordPress
Popular image/thumbnail resizing script Bundled in many older themes and plugins Responsible for many many WordPress security breaches “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.” Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
Script was “fixed” of exploits however old versions still lurk out there. Search for TimThumb and check you are using the “fixed” version 2.8.14 https://code.google.com/p/timthumb/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
The nature of TimThumb still makes it potentially very dangerous to have on your site. TimThumb is no longer supported or maintained as of Sept 2014 http://www.binarymoon.co.uk/2014/09/timthumb-end-life/ Read this: https://zeropointdevelopment.com/timthumb-is-evil/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
Won’t make your site “secure” from hacks Will encrypt the data transmitted between computer and server More on SSL certificates at https://letsencrypt.org/docs/faq/ @DeveloperWil #wpsyd SSL Certificates
If you have an SSL certificate.. Force all Dashboard and Logins to use HTTPS In wp-config.php define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); @DeveloperWil #wpsyd HTTPS Dashboard WordPress
Gives additional level of security. WordFence plugin is recommended: http://www.wordfence.com/ Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*, Cryptocurrency miners *premium functions @DeveloperWil #wpsyd Software Firewalls WordPress
New breed of malware (ref: The rise of cryptocurrency miners as malware). JS cryptocurrency miner (mostly Coinhive). Runs in browser when visitor opens infected page. Uses 100% of your computer’s CPU power. Grey area between legit use & as malware: • Some firewall & malware scanners look past mining code • Wordfence detects known miner scripts @DeveloperWil #wpsyd Cryptocurrency Miners New Threat
Brute force attacks try to repeatedly guess username & password. Block IP address after X number of unsuccessful login attempts within a time period. Limit Login Attempts Reloaded plugin https://wordpress.org/plugins/limit-login-attempts-reloaded/ @DeveloperWil #wpsyd Prevent Login Attempts WordPress
Don’t give the hackers a helping hand Remove that info! Add this to functions.php add_filter(‘login_errors', '__return_null'); @DeveloperWil #wpsyd Don’t Show Login Errors WordPress
There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email https://wordpress.org/plugins/updraftplus/ Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/ Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/ Backup Buddy https://ithemes.com/purchase/backupbuddy/ VaultPress http://vaultpress.com/ Set your retention frequency. Can you restore from an issue that’s been happening for 2 months? Check your backup files – do a test restore! @DeveloperWil #wpsyd Back Your Site Up WordPress
@DeveloperWil #wpsyd Security for the Paranoid
Using another device to generate an authentication code e.g. Mobile phone app WP Login Details + Authenticator Code = 2FA Google Authenticator @DeveloperWil #wpsyd Two Factor/Two Step Authentication
WordPress stores user passwords in the database as salted MD5 hashes using Portable PHP password hashing framework e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP. Passwords themselves are not stored in the DB Password can be replaced in DB with MD5 hash. After login it’s replaced by a salted MD5 hash. @DeveloperWil #wpsyd PASSWORD TYPE PASSWORD HASH WordPress Password Storage
MD5 hash designed for high volume, not security. “collision resistance” ~264 MD5 has been broken but not resistance to preimages or second- preimages. MD5 + salts still poor choice as it’s designed to be fast. Modern GPUs generate billions of candidate passwords per second i.e. brute force Ref: https://en.wikipedia.org/wiki/MD5 Ref: https://en.wikipedia.org/wiki/Collision_attack Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since- 1996 @DeveloperWil #wpsyd Is MD5 Insecure?
Bcrypt is an adaptive hashing algorithm. Bcrypt intentionally takes a relatively long time to be calculated; over time, the iteration count can be increased to make it even slower. This is done intentionally to resist brute force attacks as computational power increases. Ref: https://en.wikipedia.org/wiki/Bcrypt @DeveloperWil #wpsyd Bcrypt Alternative
Plugin: https://roots.io/plugins/bcrypt- password/ Note: requires PHP >= 5.5.0 @DeveloperWil #wpsyd Bcrypt Plugin
Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part. This is going to be the normal way of authenticating with systems in the not-so- distant future. @DeveloperWil #wpsyd Biometric Authentication
@DeveloperWil #wpsyd Fingerprint via mobile phone https://wordpress.org/plugins/rapid-secure-login/ Fingerprint and facial recognition via mobile phone https://wordpress.org/plugins/launchkey/ Biometric Authentication
Move the wp-content folder to a new location. Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */ define ('WP_CONTENT_DIR','/full/path/to/your/content/dir'); define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url'); Warning: badly developed plugins & themes may have hard-coded wp-content location. @DeveloperWil #wpsyd Move wp-content Folder
Use .htaccess to protect your wp-config.php file <files wp-config.php> order allow,deny deny from all </files> Nobody can access the wp-config.php file now except for the web server owner. @DeveloperWil #wpsyd Protect wp-config.php
Use .htaccess to stop SQL injection attacks on form fields and URLs. Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L] Any requests or changes to global variables containing <script> gets blocked. @DeveloperWil #wpsyd SQL Injection Protection
Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing Options –Indexes @DeveloperWil #wpsyd Prevent Directory Browsing
Password protect wp-admin folder using cPanel and .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your- wordpress-admin-wp-admin-directory/ @DeveloperWil #wpsyd Secure wp-admin Folder
Open the .htaccess file located in your /wp- admin/ folder (NOT the main .htaccess in root). In the wp-admin .htaccess file, paste the following code: <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> @DeveloperWil #wpsyd Allow Admin Ajax
Remove the WordPress dashboard Editor for themes and plugins Add to wp-config.php define('DISALLOW_FILE_EDIT', true); @DeveloperWil #wpsyd Disable User File Editor
Default MySQL DB table prefix is wp_ Change before installing new WordPress sites. Add to wp-config.php $table_prefix = ‘mynewprefix_'; Existing websites – use WP Prefix Changer https://wordpress.org/plugins/wp-prefix-changer/ @DeveloperWil #wpsyd Change Default Table Prefix
Does nothing to enhance security. Once an attacker has access to your DB they can easily find the table prefix. @DeveloperWil #wpsyd SELECT DISTINCT SUBSTRING(`TABLE_NAME` FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) ) FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%postmeta'; Output: wp_ Ref: Changing WordPress' default table prefix does nothing to enhance security Change Default Table Prefix
Monitor who does what on your WordPress site. Stream: http://wp-stream.com/ @DeveloperWil #wpsyd Be “Big Brother”
Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] Now login to your site using: http://www.mywebsite.com/login @DeveloperWil #wpsyd Change wp-login.php
Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder'); define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR); Add to functions.php: add_filter(‘site_url’, ‘zpd_wpadmin_filter', 10, 3); function zpd_wpadmin_filter( $url, $path, $orig_scheme ) { $old = array( "/(wp-admin)/"); $admin_dir = WP_ADMIN_DIR; $new = array($admin_dir); return preg_replace( $old, $new, $url, 1); } @DeveloperWil #wpsyd Change /wp-admin/ - Step 1
Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L] Now login to your site using: http://www.mysite.com/secret-folder/ @DeveloperWil #wpsyd Change /wp-admin/ - Step 2
Add to .htaccess # Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files> Replace 123.123.123.123 with your own computer’s IP if you use the WordPress mobile app. Remove line 5 to completely block all XML-RCP requests to your site. Note: this will stop Jetpack, official WP mobile app, trackbacks and pingbacks from working. @DeveloperWil #wpsyd Disable XML-RPC
Known as DoS or DDoS (distributed). Consider using Cloudflare. @DeveloperWil #wpsyd Attack Without Cloudflare Attack With Cloudflare Denial of Service Attacks
Stay up to date with these additional security resources. National Vulnerability Database (WordPress) Wordfence Blog and Free Security Scan Sucuri Blog Hardening WordPress from wordpress.org WPScan Vulnerability Database Zero Point Development Blog @DeveloperWil #wpsyd More Resources
Get my free eBook. Yours to keep forever. @DeveloperWil #wpsyd Get My eBook goo.gl/k5brQE Free Ebook
Did I miss anything? Tweet to @DeveloperWil @DeveloperWil #wpsyd All Done!
[Cover] zeropointdevelopment.com [3] jamesclear.com/sun-tzu-habits [9] activerain.com [10] mybroadband.co.za [11] amazon.com [18] lastpass.com [23] zeropointdevelopment.com [29] managewp.com [33] wordpress.org [35] wordpress.org [39] promptwebhosting.com.au [45] zeropointdevelopment.com [47] zeropointdevelopment.com [48] mobyware.ru [52] roots.io [53] ibmsystemsmag.com [54] wordpress.org [55] wordpress.org [58] gobalakrishnan.com [59] trickytechs.com/wpbeginner.com [61] zeropointdevelopment.com [63] wp-stream.com [69] cloudflare.com [72] zeropointdevelopment.com [Back Cover] zeropointdevelopment.com Note: This presentation may contain affiliate links. Image Credits
▪ WordPress 2008+ ▪ Consultant & Developer ▪ Event Organiser @DeveloperWil Who Am I? zeropointdevelopment.com wp-wingman.com
Ad

Recommended

WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
Zero Point Development
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Brad Williams
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
Dre Armeda
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
Brad Williams
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPress
Dre Armeda
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
Zero Point Development
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
amiable_indian
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Nathan Platt
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Brent Shaffer
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 201340 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
Bastian Grimm
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
Bastian Grimm
 
Ad

More Related Content

What's hot (20)

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPress
Dre Armeda
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
Zero Point Development
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
amiable_indian
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Nathan Platt
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Brent Shaffer
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPress
Dre Armeda
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
Zero Point Development
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
amiable_indian
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Nathan Platt
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Brent Shaffer
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 

Similar to WordPress Security Best Practices 2019 Update (20)

40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 201340 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
Bastian Grimm
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
Bastian Grimm
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
Angela Bowman
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & Tricks
Faraz Ahmed
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
Bastian Grimm
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordPress Customization and Security
WordPress Customization and SecurityWordPress Customization and Security
WordPress Customization and Security
Joe Casabona
 
NEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityNEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & Security
Michelle Davies (Hryvnak)
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
Lalit Nama
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
wordcampgc
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
Christina Hawkins
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
Chetan Gole
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
Zachary Russell
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support Tale
Kayleigh Thorpe
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
Prabesh Thapa
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 201340 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
Bastian Grimm
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
Bastian Grimm
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
Angela Bowman
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & Tricks
Faraz Ahmed
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012
Angela Bowman
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
Bastian Grimm
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordPress Customization and Security
WordPress Customization and SecurityWordPress Customization and Security
WordPress Customization and Security
Joe Casabona
 
NEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityNEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & Security
Michelle Davies (Hryvnak)
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
Lalit Nama
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
wordcampgc
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
Christina Hawkins
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
Chetan Gole
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
Zachary Russell
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support Tale
Kayleigh Thorpe
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
Prabesh Thapa
 
Ad

Recently uploaded (19)

Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Ad

WordPress Security Best Practices 2019 Update

  • 1. zeropointdevelopment.com for WordPress Sydney WordPress Security Best Practices 2019 Update
  • 2. • Use complex usernames & passwords • Check file permissions have minimum access • Update software often & regularly • Use security firewalls & scan regularly • Consider using 2-factor authentication • Stick to reputable theme providers • Uninstall unused code/themes/plugins • Lock all doors, windows & switch off Internet! @DeveloperWil #wpsyd TL;DR
  • 3. • Chinese General • Military Strategist • Philosopher • Born ~512BC Book: The Art of War http://www.classicly.com/read-the-art-of-war-online-free/page/1 @DeveloperWil #wpsyd Introducing Sun Tzu
  • 4. “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” Don’t wait until your site gets hacked first. Lock it down today and get ready to defend it! @DeveloperWil #wpsyd Sun Tzu Says…
  • 5. “To know your Enemy, you must become your Enemy” Learn how hackers try to get into your site so you can pre-emptively fix it and be ready for what is to come. @DeveloperWil #wpsyd Sun Tzu Says…
  • 6. “Even the finest sword plunged into salt water will eventually rust.” Just because your site is secure today, doesn’t mean it can’t get hacked tomorrow, next month or next year. Review & update regularly. @DeveloperWil #wpsyd Sun Tzu Says…
  • 7. YOU ARE AT WAR WITH MULTIPLE UNKNOWN ENEMIES @DeveloperWil #wpsyd
  • 8. There is always a current threat The worst type of threats are those you don’t know about You need to understand your weaknesses You need to build a solid defence You need to have a plan of attack @DeveloperWil #wpsyd SO BE PREPARED Security Is Cyclic
  • 9. Locked in a deep dark basement No internet connection No user interaction Switched off! = Pretty useless website = There is a balance to be had @DeveloperWil #wpsyd Ultimate Secure Site
  • 10. Everything is Hackable @DeveloperWil #wpsyd Best we can do is make our site less attractive than others to hack into. Would you attempt to break into this car? https://www.youtube.com/watch?v=aLhWzMOccTg Before We Start
  • 11. The most vulnerable part of your website is… YOU Buy this book! @DeveloperWil #wpsyd Before We Start
  • 12. Do not leave new WordPress sites in “setup mode”. Complete the entire setup process. Hackers can find WordPress setup pages and install their own site – aka “WPSetup Attack” Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/ @DeveloperWil #wpsyd New WP Installations Fundamentals
  • 13. Beware when ordering a new SSL certificate for a brand new WordPress website. Hackers monitor SSL certificate transparency report +30mins after new certificate being issued. They can take over your new site before you complete the installation process. Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/ @DeveloperWil #wpsyd New Sites & SSLs Fundamentals
  • 14. Not just WordPress cPanel, email, FTP, SSH, MySQL, WordPress Avoid typical “Administrator” usernames admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, … @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 15. Don’t replace letters with numbers or symbols. Simple character substitution is weak. butterfly → 8utt3rfly This no longer works and takes just a few days to crack! Ref: https://pages.nist.gov/800-63-3/sp800-63b.html @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 16. Avoid personal / social information • Name and memorable bates: DoB, Marriage • Fav footie club name, car rego, house number Examples of Bad Passwords Bob1976 Swans2017 !2Nancy The Password Paradox And Why Our Personalities Will Get Us Hacked @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 17. 1) Use a random 16 (at least) character password UPPER, lower, d1g1ts, punctuat!on b9G#Z4YVemTN^X6S 2) Use 4 random words stringed together: correct horse battery staple correcthorsebatterystaple @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 18. Random character & multi-word passwords = difficult for you to remember  = difficult for hackers to guess ☺ Try to avoid reusing the same password on multiple sites. Read The Real Life Risks Of Re Using The Same Passwords @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 19. Use a password service such as LastPass Local 256-bit encryption, SSL data transfer, 2-factor authentication Free 14-day Last Pass Trial @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 20. Consider forcing users to have a strong password Force Strong Passwords plugin. http://wordpress.org/plugins/force-strong- passwords/ Gives more flexibility than built-in WordPress @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 21. Only allow one login per device. Restrict logins under same username on multiple devices (i.e. username/pass sharing) WordPress Bouncer plugin http://wordpress.org/plugins/wp-bouncer/ @DeveloperWil #wpsyd Usernames & Passwords Fundamentals
  • 22. Change the default WordPress salt keys in wp- config.php WordPress uses cookies to store session information. These are hashed with MD5 + salt keys in the wp-config.php file https://api.wordpress.org/secret-key/1.1/salt/ @DeveloperWil #wpsyd Session Safety: Salk Keys Fundamentals
  • 23. Restrict the number of users with the Administrator role. You do need at least 1 Admin user to administer the site – do you need any more than that? Editor role is sufficient for somebody to manage 90% of all the site’s day-to-day content. @DeveloperWil #wpsyd Admin & Editor Users Fundamentals
  • 24. Understanding Linux file permissions is key @DeveloperWil #wpsyd Linux File Permissions Files & Perms
  • 25. Each file and directory has three user based permission groups: • u – the user who owns the file or directory (owner) • g - the group to which the user belongs • o - all other users on the system (not owner or user’s group), this is the permission group that you want to watch the most. @DeveloperWil #wpsyd Permission Groups Files & Perms
  • 26. Each file or directory has three basic permission types: • r - a user's capability to read the contents of the file • w - a user's capability to write or modify a file or directory • x - a user's capability to execute (run) a file or view the contents of a directory. @DeveloperWil #wpsyd Permission Types Files & Perms
  • 27. In general… WordPress folders/directories = 755 WordPress files = 644 Some hosting companies may insist you set /wp-content/uploads to 777 Move to another hosting company! @DeveloperWil #wpsyd Files, Folders & Permissions Files & Perms
  • 28. Probably your three most important sys files are: .htaccess (Apache Web Server) = permalinks, redirects, error files, directory pswds, etc This should be locked down to CHMOD 444 php.ini = PHP version, extensions, remote opens, file uploads, etc wp-config.php = WordPress DB username & password, Salts These should be locked down to CHMOD 440 @DeveloperWil #wpsyd Config Files & Permissions Files & Perms
  • 29. Malware can be hidden in Themes, Plugins & other server scripts Sucuri detects and cleans malware on servers De-blacklists your server/site Notify by SMS, Email, Private Twitter etc http://sucuri.net/ USD $199.99 per site per year @DeveloperWil #wpsyd Malware Clean Server Files & Perms
  • 30. Update WordPress Core, Themes and Plugins regularly = at least weekly ManageWP service good for multiple sites https://managewp.com @DeveloperWil #wpsyd Update Regularly WordPress
  • 31. Automatic Updates are in WordPress core for point releases only by default. For more control, in wp-config.php define( 'WP_AUTO_UPDATE_CORE', true ); • true - Development, minor, and major updates are all enabled • false - Development, minor, and major updates are all disabled • 'minor’ - Minor updates are enabled, development, and major updates are disabled @DeveloperWil #wpsyd Update Regularly WordPress
  • 32. In your theme’s functions.php add_filter( 'auto_update_plugin', '__return_true’ ); add_filter( 'auto_update_theme', '__return_true’ ); For specific plugin & theme updates see: https://codex.wordpress.org/Configuring_Automatic_Background_Updates @DeveloperWil #wpsyd Update Plugins & Themes WordPress
  • 33. Especially “free” themes and torrents – Likely to contain spam links & malware – Malware can read your wp-config.php file and email it to the hacker = you’re screwed – Don’t use themes or plugins from torrent sites! – Always try to download from original source Read: http://premium.wpmudev.org/blog/free-wordpress- themes-ultimate-guide/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
  • 34. Search through files for: Base64_decode edoced_46esaB and eval Decode at: http://www.base64decode.org/ Use Theme Authenticity Checker http://wordpress.org/plugins/tac/ Exploit Scanner http://wordpress.org/plugins/exploit-scanner/ @DeveloperWil #wpsyd Beware “Free” Premium Downloads
  • 35. Not all Base64_decode function calls are evil! WordPress uses the function extensively throughout the core. Should be easy to decode and work out if good or bad in plugins or themes. @DeveloperWil #wpsyd What is Base64?
  • 36. In general • Not being maintained • No security issues being fixed • Uses outdated/flawed functions/practices • Known exploit vectors available on Interwebs @DeveloperWil #wpsyd Avoid Old Plugins WordPress
  • 37. Popular image/thumbnail resizing script Bundled in many older themes and plugins Responsible for many many WordPress security breaches “The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.” Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
  • 38. Script was “fixed” of exploits however old versions still lurk out there. Search for TimThumb and check you are using the “fixed” version 2.8.14 https://code.google.com/p/timthumb/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
  • 39. The nature of TimThumb still makes it potentially very dangerous to have on your site. TimThumb is no longer supported or maintained as of Sept 2014 http://www.binarymoon.co.uk/2014/09/timthumb-end-life/ Read this: https://zeropointdevelopment.com/timthumb-is-evil/ @DeveloperWil #wpsyd Beware of TimThumb WordPress
  • 40. Won’t make your site “secure” from hacks Will encrypt the data transmitted between computer and server More on SSL certificates at https://letsencrypt.org/docs/faq/ @DeveloperWil #wpsyd SSL Certificates
  • 41. If you have an SSL certificate.. Force all Dashboard and Logins to use HTTPS In wp-config.php define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); @DeveloperWil #wpsyd HTTPS Dashboard WordPress
  • 42. Gives additional level of security. WordFence plugin is recommended: http://www.wordfence.com/ Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*, Cryptocurrency miners *premium functions @DeveloperWil #wpsyd Software Firewalls WordPress
  • 43. New breed of malware (ref: The rise of cryptocurrency miners as malware). JS cryptocurrency miner (mostly Coinhive). Runs in browser when visitor opens infected page. Uses 100% of your computer’s CPU power. Grey area between legit use & as malware: • Some firewall & malware scanners look past mining code • Wordfence detects known miner scripts @DeveloperWil #wpsyd Cryptocurrency Miners New Threat
  • 44. Brute force attacks try to repeatedly guess username & password. Block IP address after X number of unsuccessful login attempts within a time period. Limit Login Attempts Reloaded plugin https://wordpress.org/plugins/limit-login-attempts-reloaded/ @DeveloperWil #wpsyd Prevent Login Attempts WordPress
  • 45. Don’t give the hackers a helping hand Remove that info! Add this to functions.php add_filter(‘login_errors', '__return_null'); @DeveloperWil #wpsyd Don’t Show Login Errors WordPress
  • 46. There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email https://wordpress.org/plugins/updraftplus/ Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/ Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/ Backup Buddy https://ithemes.com/purchase/backupbuddy/ VaultPress http://vaultpress.com/ Set your retention frequency. Can you restore from an issue that’s been happening for 2 months? Check your backup files – do a test restore! @DeveloperWil #wpsyd Back Your Site Up WordPress
  • 48. Using another device to generate an authentication code e.g. Mobile phone app WP Login Details + Authenticator Code = 2FA Google Authenticator @DeveloperWil #wpsyd Two Factor/Two Step Authentication
  • 49. WordPress stores user passwords in the database as salted MD5 hashes using Portable PHP password hashing framework e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP. Passwords themselves are not stored in the DB Password can be replaced in DB with MD5 hash. After login it’s replaced by a salted MD5 hash. @DeveloperWil #wpsyd PASSWORD TYPE PASSWORD HASH WordPress Password Storage
  • 50. MD5 hash designed for high volume, not security. “collision resistance” ~264 MD5 has been broken but not resistance to preimages or second- preimages. MD5 + salts still poor choice as it’s designed to be fast. Modern GPUs generate billions of candidate passwords per second i.e. brute force Ref: https://en.wikipedia.org/wiki/MD5 Ref: https://en.wikipedia.org/wiki/Collision_attack Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since- 1996 @DeveloperWil #wpsyd Is MD5 Insecure?
  • 51. Bcrypt is an adaptive hashing algorithm. Bcrypt intentionally takes a relatively long time to be calculated; over time, the iteration count can be increased to make it even slower. This is done intentionally to resist brute force attacks as computational power increases. Ref: https://en.wikipedia.org/wiki/Bcrypt @DeveloperWil #wpsyd Bcrypt Alternative
  • 53. Is two factor authentication not enough for you? Biometric authentication uses part of our own body as the second verification part. This is going to be the normal way of authenticating with systems in the not-so- distant future. @DeveloperWil #wpsyd Biometric Authentication
  • 54. @DeveloperWil #wpsyd Fingerprint via mobile phone https://wordpress.org/plugins/rapid-secure-login/ Fingerprint and facial recognition via mobile phone https://wordpress.org/plugins/launchkey/ Biometric Authentication
  • 55. Move the wp-content folder to a new location. Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */ define ('WP_CONTENT_DIR','/full/path/to/your/content/dir'); define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url'); Warning: badly developed plugins & themes may have hard-coded wp-content location. @DeveloperWil #wpsyd Move wp-content Folder
  • 56. Use .htaccess to protect your wp-config.php file <files wp-config.php> order allow,deny deny from all </files> Nobody can access the wp-config.php file now except for the web server owner. @DeveloperWil #wpsyd Protect wp-config.php
  • 57. Use .htaccess to stop SQL injection attacks on form fields and URLs. Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L] Any requests or changes to global variables containing <script> gets blocked. @DeveloperWil #wpsyd SQL Injection Protection
  • 58. Many hosts allow directories to be browsed. Use .htaccess to stop directory browsing Options –Indexes @DeveloperWil #wpsyd Prevent Directory Browsing
  • 59. Password protect wp-admin folder using cPanel and .htaccess + .htpasswd http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your- wordpress-admin-wp-admin-directory/ @DeveloperWil #wpsyd Secure wp-admin Folder
  • 60. Open the .htaccess file located in your /wp- admin/ folder (NOT the main .htaccess in root). In the wp-admin .htaccess file, paste the following code: <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> @DeveloperWil #wpsyd Allow Admin Ajax
  • 61. Remove the WordPress dashboard Editor for themes and plugins Add to wp-config.php define('DISALLOW_FILE_EDIT', true); @DeveloperWil #wpsyd Disable User File Editor
  • 62. Default MySQL DB table prefix is wp_ Change before installing new WordPress sites. Add to wp-config.php $table_prefix = ‘mynewprefix_'; Existing websites – use WP Prefix Changer https://wordpress.org/plugins/wp-prefix-changer/ @DeveloperWil #wpsyd Change Default Table Prefix
  • 63. Does nothing to enhance security. Once an attacker has access to your DB they can easily find the table prefix. @DeveloperWil #wpsyd SELECT DISTINCT SUBSTRING(`TABLE_NAME` FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) ) FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%postmeta'; Output: wp_ Ref: Changing WordPress' default table prefix does nothing to enhance security Change Default Table Prefix
  • 64. Monitor who does what on your WordPress site. Stream: http://wp-stream.com/ @DeveloperWil #wpsyd Be “Big Brother”
  • 65. Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] Now login to your site using: http://www.mywebsite.com/login @DeveloperWil #wpsyd Change wp-login.php
  • 66. Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder'); define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR); Add to functions.php: add_filter(‘site_url’, ‘zpd_wpadmin_filter', 10, 3); function zpd_wpadmin_filter( $url, $path, $orig_scheme ) { $old = array( "/(wp-admin)/"); $admin_dir = WP_ADMIN_DIR; $new = array($admin_dir); return preg_replace( $old, $new, $url, 1); } @DeveloperWil #wpsyd Change /wp-admin/ - Step 1
  • 67. Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L] Now login to your site using: http://www.mysite.com/secret-folder/ @DeveloperWil #wpsyd Change /wp-admin/ - Step 2
  • 68. Add to .htaccess # Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files> Replace 123.123.123.123 with your own computer’s IP if you use the WordPress mobile app. Remove line 5 to completely block all XML-RCP requests to your site. Note: this will stop Jetpack, official WP mobile app, trackbacks and pingbacks from working. @DeveloperWil #wpsyd Disable XML-RPC
  • 69. Known as DoS or DDoS (distributed). Consider using Cloudflare. @DeveloperWil #wpsyd Attack Without Cloudflare Attack With Cloudflare Denial of Service Attacks
  • 70. Stay up to date with these additional security resources. National Vulnerability Database (WordPress) Wordfence Blog and Free Security Scan Sucuri Blog Hardening WordPress from wordpress.org WPScan Vulnerability Database Zero Point Development Blog @DeveloperWil #wpsyd More Resources
  • 71. Get my free eBook. Yours to keep forever. @DeveloperWil #wpsyd Get My eBook goo.gl/k5brQE Free Ebook
  • 72. Did I miss anything? Tweet to @DeveloperWil @DeveloperWil #wpsyd All Done!
  • 73. [Cover] zeropointdevelopment.com [3] jamesclear.com/sun-tzu-habits [9] activerain.com [10] mybroadband.co.za [11] amazon.com [18] lastpass.com [23] zeropointdevelopment.com [29] managewp.com [33] wordpress.org [35] wordpress.org [39] promptwebhosting.com.au [45] zeropointdevelopment.com [47] zeropointdevelopment.com [48] mobyware.ru [52] roots.io [53] ibmsystemsmag.com [54] wordpress.org [55] wordpress.org [58] gobalakrishnan.com [59] trickytechs.com/wpbeginner.com [61] zeropointdevelopment.com [63] wp-stream.com [69] cloudflare.com [72] zeropointdevelopment.com [Back Cover] zeropointdevelopment.com Note: This presentation may contain affiliate links. Image Credits
  • 74. ▪ WordPress 2008+ ▪ Consultant & Developer ▪ Event Organiser @DeveloperWil Who Am I? zeropointdevelopment.com wp-wingman.com