SlideShare a Scribd company logo

WordPress Security - WordPress Meetup Copenhagen 2013

Download as PPTX, PDF
Thor Kristiansen
Thor Kristiansen

WordPress Security document outlines security stats, a hack example, and top security tips. It provides recommendations to keep WordPress updated, secure login credentials, lock down admin access, use trusted sources for themes and plugins, and utilize security plugins and services like Login Lockdown, Sucuri Scanner, and Exploit Scanner. The document emphasizes the importance of common sense practices like strong unique passwords, backups, and limiting administrator accounts.

1 of 38
Downloaded 19 times
WordPress Security Copenhagen September 2013
• Thor Kristiansen – Self-employed WP-Developer and Business Consultant – Long time meditator • First WP Blog: The Pure View: http://pureview.dk – 200-400 visitors a day, 90% traffic is US, non-profit – Former Sr. Business Analyst & QA Mgr. at Dell – Portfolio website: http://shivaweb.dk
• Security Stats • Example Hack • Top Security Tips • Recommended Plugins & Services • Resources
Security Stats
700+ million websites May 2012 (Netcraft) 300 million websites in 2011 (Pingdom) 10+ billion indexed pages (WorldWebSize) Projected: • 1 Billion websites by 2013 • 2 Billion websites by 2015 0 500 1000 1500 2000 2500 2011 2012 2013 2015 Websites Websites
WordPress Stats • 73+ Million WordPress powered websites • 18.9% of all websites are running WordPress • 22 out of every 100 new domains in the U.S. launches with WordPress • Projected 300-500 Million WordPress sites by 2015
Web Malware Stats • 403 Million unique variants of malware in 2011 (Symantec) • 140% growth since 2010 • 81% increase in malicious web-based attacks between 2010 - 2011
In Summary – Be Scared!
Hack Example
Link Injection Hacker bots look for known exploits (SQL Injection, folder permissions, etc) This allows them to insert spam files/links into your WordPress Themes, plugins, and core files.
Link Injection 375 spam links per page, only shown to search engines
Securing WordPress
1 Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.5.x ) do NOT add new features. They contain bug fixes and security patches
1 Update Update Update Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
1. Update Update Update NO EXCUSES! UPDATE!
2.Do you login with username admin?
WordPress Security - WordPress Meetup Copenhagen 2013
3. Delete the Admin user account UPDATE wp_users SET user_login=‘Thor' WHERE user_login='admin'; Change the admin username in MySQL: Or create a new account with administrator privileges. 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account WordPress will allow you to reassign all content written by admin to an account of your choice.
3. Delete the Admin user account WordPress lets you set the username during the installation process! DON'T USE ADMIN!
3. Delete the Admin user account Knowing your username is half the battle. Don't make it easy on the hackers.
4. File and Folder Permissions What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above If your host requires 777…SWITCH HOSTS!
4. File and Folder Permissions find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Or via SSH with the following commands
5. Move wp-config.php WordPress features the ability to move the wp-config.php file one directory above your WordPress root This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory You can move your wp-config.php file to here WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory public_html/wordpress/wp-config.php If WordPress is located here: public_html/wp-config.php
6. Lock Down WP Login and WP Admin
6. Lock Down WP Login and WP Admin define('FORCE_SSL_LOGIN', true); Add the code below to wp-config.php to force SSL (https) on login Add the code below to wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
6. Lock Down WP Login and WP Admin AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.* 1. Create an .htaccess file in your wp-admin directory Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin 2. Add the following lines of code:
7. Use Trusted Sources for Themes & Plugins WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed 1. Safe: 1 2. Iffy: 1 3. Avoid: 8 Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
7. Use Trusted Sources for Themes & Plugins Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/ The only safe site reviewed was WordPress.org Most themes included base64() encoded text links to promote various servies
8. Be Secure Locally Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date • Ensure you’re patching or installing updates ASAP • Automatic updates rock! Install an anti-virus solution • Ensure you’re keeping definitions current • Automatic updates aren’t a bad idea here either! Yes, personal firewalls still apply!
8. Be Secure Locally It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection Use SSL whenever possible, especially on an unverified connection. • HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s) Consider using sFTP or SSH vs. FTP •Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? •If unavoidable, do not allow anonymous logins, limit connections, practice least privilege. •Don’t store your credentials in your FTP client.
9. Use Common Sense • Use a strong password • BAD: bradisawesome • GOOD: SCrEE79joLly$ • A=@, E=3, S=$, O=0 (This is not unique, they know this) • Update passwords regularly (Monthly, make a schedule) • Know your admins, limit number of accounts (WP, FTP, Hosting, etc) • Backup, Backup, Backup (Use BackupBuddy for scheduled backups) • http://strongpasswordgenerator.com/
Plugins & Services
Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
Sucuri Security SiteCheck Malware Scanner http://wordpress.org/plugins/sucuri-scanner/ • Scan your site for malware, SPAM injections, errors, and more • Hardening of key WordPress directories • Verify core WordPress files have not been modified
Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/ • Scans your files and database for potentially malicious code • Does not remove code, only detects it
• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/ • Website monitoring • Hack cleanup services • Sucuri Security Plugin • Free to clients • Web Application Firewall • Integrity Monitoring • Auditing • Hardening http://Sucuri.net
• Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is- locked.html • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web- malware-company.html • Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
• Mail: Thor@pureview.dk • Twitter: @ThorK108 • Linkedin: in/ThorKristiansen • Web: Shivaweb.dk • Facebook: Wordpress Fan
Ad

Recommended

Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
amiable_indian
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
Dre Armeda
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Brad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPress
Dre Armeda
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
Brad Williams
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
Shawn Hooper
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
Dougal Campbell
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
Brad Williams
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
Zero Point Development
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
How WordPress Works
How WordPress WorksHow WordPress Works
How WordPress Works
Angela Bowman
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
WordPress Performance optimization
WordPress Performance optimizationWordPress Performance optimization
WordPress Performance optimization
Brecht Ryckaert
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
Christina Hawkins
 
Ad

More Related Content

What's hot (20)

Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
Brad Williams
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
Shawn Hooper
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
Dougal Campbell
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
Brad Williams
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
Zero Point Development
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
How WordPress Works
How WordPress WorksHow WordPress Works
How WordPress Works
Angela Bowman
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
WordPress Performance optimization
WordPress Performance optimizationWordPress Performance optimization
WordPress Performance optimization
Brecht Ryckaert
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
Brad Williams
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
Shawn Hooper
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
Brad Williams
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
Dougal Campbell
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
Brad Williams
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
Zero Point Development
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
Dre Armeda
 
How WordPress Works
How WordPress WorksHow WordPress Works
How WordPress Works
Angela Bowman
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien
 
WordPress Performance optimization
WordPress Performance optimizationWordPress Performance optimization
WordPress Performance optimization
Brecht Ryckaert
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 

Similar to WordPress Security - WordPress Meetup Copenhagen 2013 (20)

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
Christina Hawkins
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
Lalit Nama
 
WordPress Resources Nov 2014
WordPress Resources Nov 2014WordPress Resources Nov 2014
WordPress Resources Nov 2014
Judy Wilson
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
Michael Carnell
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
Angela Bowman
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
Zachary Russell
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
Chetan Gole
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
Prabesh Thapa
 
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
jaunelia596
 
Essential WordPress Security Tips to Protect Your Website in 2024.pdf
Essential WordPress Security Tips to Protect Your Website in 2024.pdfEssential WordPress Security Tips to Protect Your Website in 2024.pdf
Essential WordPress Security Tips to Protect Your Website in 2024.pdf
jaunelia596
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
Nile Flores
 
WordPress Security Guide
WordPress Security GuideWordPress Security Guide
WordPress Security Guide
Trainings Webversity
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
Christina Hawkins
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
Lalit Nama
 
WordPress Resources Nov 2014
WordPress Resources Nov 2014WordPress Resources Nov 2014
WordPress Resources Nov 2014
Judy Wilson
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
Judy Wilson
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
Michael Carnell
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
Angela Bowman
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
Zachary Russell
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Bastian Grimm
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
Chetan Gole
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
Prabesh Thapa
 
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
EssentiEssential WordPress Security Tips to Protect Your Website in 2024al Wo...
jaunelia596
 
Essential WordPress Security Tips to Protect Your Website in 2024.pdf
Essential WordPress Security Tips to Protect Your Website in 2024.pdfEssential WordPress Security Tips to Protect Your Website in 2024.pdf
Essential WordPress Security Tips to Protect Your Website in 2024.pdf
jaunelia596
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
Nile Flores
 
WordPress Security Guide
WordPress Security GuideWordPress Security Guide
WordPress Security Guide
Trainings Webversity
 
Ad

Recently uploaded (20)

Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Ad

WordPress Security - WordPress Meetup Copenhagen 2013

  • 2. • Thor Kristiansen – Self-employed WP-Developer and Business Consultant – Long time meditator • First WP Blog: The Pure View: http://pureview.dk – 200-400 visitors a day, 90% traffic is US, non-profit – Former Sr. Business Analyst & QA Mgr. at Dell – Portfolio website: http://shivaweb.dk
  • 3. • Security Stats • Example Hack • Top Security Tips • Recommended Plugins & Services • Resources
  • 5. 700+ million websites May 2012 (Netcraft) 300 million websites in 2011 (Pingdom) 10+ billion indexed pages (WorldWebSize) Projected: • 1 Billion websites by 2013 • 2 Billion websites by 2015 0 500 1000 1500 2000 2500 2011 2012 2013 2015 Websites Websites
  • 6. WordPress Stats • 73+ Million WordPress powered websites • 18.9% of all websites are running WordPress • 22 out of every 100 new domains in the U.S. launches with WordPress • Projected 300-500 Million WordPress sites by 2015
  • 7. Web Malware Stats • 403 Million unique variants of malware in 2011 (Symantec) • 140% growth since 2010 • 81% increase in malicious web-based attacks between 2010 - 2011
  • 8. In Summary – Be Scared!
  • 10. Link Injection Hacker bots look for known exploits (SQL Injection, folder permissions, etc) This allows them to insert spam files/links into your WordPress Themes, plugins, and core files.
  • 11. Link Injection 375 spam links per page, only shown to search engines
  • 13. 1 Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.5.x ) do NOT add new features. They contain bug fixes and security patches
  • 14. 1 Update Update Update Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
  • 15. 1. Update Update Update NO EXCUSES! UPDATE!
  • 16. 2.Do you login with username admin?
  • 18. 3. Delete the Admin user account UPDATE wp_users SET user_login=‘Thor' WHERE user_login='admin'; Change the admin username in MySQL: Or create a new account with administrator privileges. 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account WordPress will allow you to reassign all content written by admin to an account of your choice.
  • 19. 3. Delete the Admin user account WordPress lets you set the username during the installation process! DON'T USE ADMIN!
  • 20. 3. Delete the Admin user account Knowing your username is half the battle. Don't make it easy on the hackers.
  • 21. 4. File and Folder Permissions What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above If your host requires 777…SWITCH HOSTS!
  • 22. 4. File and Folder Permissions find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Or via SSH with the following commands
  • 23. 5. Move wp-config.php WordPress features the ability to move the wp-config.php file one directory above your WordPress root This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory You can move your wp-config.php file to here WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory public_html/wordpress/wp-config.php If WordPress is located here: public_html/wp-config.php
  • 24. 6. Lock Down WP Login and WP Admin
  • 25. 6. Lock Down WP Login and WP Admin define('FORCE_SSL_LOGIN', true); Add the code below to wp-config.php to force SSL (https) on login Add the code below to wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
  • 26. 6. Lock Down WP Login and WP Admin AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.* 1. Create an .htaccess file in your wp-admin directory Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin 2. Add the following lines of code:
  • 27. 7. Use Trusted Sources for Themes & Plugins WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed 1. Safe: 1 2. Iffy: 1 3. Avoid: 8 Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  • 28. 7. Use Trusted Sources for Themes & Plugins Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/ The only safe site reviewed was WordPress.org Most themes included base64() encoded text links to promote various servies
  • 29. 8. Be Secure Locally Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date • Ensure you’re patching or installing updates ASAP • Automatic updates rock! Install an anti-virus solution • Ensure you’re keeping definitions current • Automatic updates aren’t a bad idea here either! Yes, personal firewalls still apply!
  • 30. 8. Be Secure Locally It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection Use SSL whenever possible, especially on an unverified connection. • HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s) Consider using sFTP or SSH vs. FTP •Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? •If unavoidable, do not allow anonymous logins, limit connections, practice least privilege. •Don’t store your credentials in your FTP client.
  • 31. 9. Use Common Sense • Use a strong password • BAD: bradisawesome • GOOD: SCrEE79joLly$ • A=@, E=3, S=$, O=0 (This is not unique, they know this) • Update passwords regularly (Monthly, make a schedule) • Know your admins, limit number of accounts (WP, FTP, Hosting, etc) • Backup, Backup, Backup (Use BackupBuddy for scheduled backups) • http://strongpasswordgenerator.com/
  • 34. Sucuri Security SiteCheck Malware Scanner http://wordpress.org/plugins/sucuri-scanner/ • Scan your site for malware, SPAM injections, errors, and more • Hardening of key WordPress directories • Verify core WordPress files have not been modified
  • 35. Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/ • Scans your files and database for potentially malicious code • Does not remove code, only detects it
  • 36. • Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/ • Website monitoring • Hack cleanup services • Sucuri Security Plugin • Free to clients • Web Application Firewall • Integrity Monitoring • Auditing • Hardening http://Sucuri.net
  • 37. • Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is- locked.html • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web- malware-company.html • Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
  • 38. • Mail: [email protected] Twitter: @ThorK108 • Linkedin: in/ThorKristiansen • Web: Shivaweb.dk • Facebook: Wordpress Fan