Hardening WordPress Security
WordPress Day 2015 - Pordenone, Italy
What is security? (http://codex.wordpress.org/Hardening_WordPress#What_is_Security.3F)
Risk reduction
SECURITY
Because sometimes a Rottweiler is not enough
Why do we need more security?
WordPress Popularity, Market Share and Responsibility
Chart: Usage of content management systems for websites (market share and usage for No CMS, WordPress, Joomla and Drupal; axis from 0 to 70)
Source: http://w3techs.com/technologies/overview/content_management/all
What are the dangers?
- Social Engineering
- Human Mistakes
- Brute Force Attacks
- WordPress Vulnerabilities
- Web Server Vulnerabilities
- Network Vulnerabilities
- FTP
- File Permissions
- And other beautiful things…
Solutions
Backup!
Modern Task Runner for PHP
Use strong passwords
Insecure examples
- admin
- mysite123
- mysitename
- myname4321
- password
Secure examples
-yCpHuHJ68fRtB805i"kaN4Y]99Z)[/ylaJN&3388wu1530Cx;73kRz\N1/K>9'51]9~495°1'N434g&h51I78x3?M
Stay updated!
- Update WordPress Core
- Update Themes
- Update Plugins
Remove Version Reference
Deny access / delete readme.html
```apache
# .htaccess
<files readme.html>
Order allow,deny
Deny from all
</files>
```
Remove WordPress Version
```php
// ** functions.php
// Empties the generator meta tag in the page head and the generator element in feeds.
function wp_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wp_remove_version' );
```
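The `the_generator` filter only empties the generator tag; the core version still leaks in the `?ver=` query string that `wp_enqueue_script()` and `wp_enqueue_style()` append to assets that declare no version of their own. The following must-use plugin, added to this transcript and not part of the talk, covers both. The `hwp_` names are assumptions; it relies only on the `the_generator`, `script_loader_src` and `style_loader_src` filters and on `get_bloginfo( 'version' )`.

```php
<?php
/*
Plugin Name: Hide WordPress version (added example, not from the talk)
Description: Drop into wp-content/mu-plugins/ so it cannot be switched off from the dashboard.
*/

// 1. Empty the <meta name="generator"> tag and the <generator> element in feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Strip ?ver=<core version> from enqueued script and style URLs.
//    Assets that set their own version keep it: that value drives cache
//    busting and does not reveal the core version.
function hwp_strip_core_version_query( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so the check runs after any plugin that rewrites asset URLs.
add_filter( 'script_loader_src', 'hwp_strip_core_version_query', PHP_INT_MAX );
add_filter( 'style_loader_src', 'hwp_strip_core_version_query', PHP_INT_MAX );
```

To confirm the change, fetch the front page and grep the HTML for `generator` and `?ver=`; neither should appear. `readme.html` is a static file that PHP never touches, so it still needs the `.htaccess` rule from the previous slide.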
Secure your login
Secure your login
- .htaccess Authentication
- Limit attempts
- Restrict to certain IPs
- Hide
- Captcha
- Two Factor Authentication
- HTTPS
.htaccess Authentication (example with http://www.htaccesstools.com/)
Limit attempts
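One way to limit attempts without a plugin, as an example added to this transcript and not part of the talk: count failures per client in a transient and refuse further logins once the limit is hit. The `hwp_` names and the limits are assumptions; the hooks used (`wp_login_failed`, `authenticate`, `wp_login`) and the transient functions are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Login attempt limiter (added example, not from the talk)
Description: Locks a client out of wp-login.php after repeated failures. Drop into wp-content/mu-plugins/.
*/

const HWP_MAX_ATTEMPTS    = 5;    // failures tolerated inside one window
const HWP_LOCKOUT_SECONDS = 900;  // window length and lockout duration (15 minutes)

// Per-client counter key. REMOTE_ADDR is used on purpose: X-Forwarded-For is
// client-supplied unless a proxy you control overwrites it, and trusting it
// would let one client lock out other people or dodge the counter.
function hwp_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'hwp_login_fail_' . md5( $ip );
}

// Core fires wp_login_failed for every rejected attempt (except empty fields).
function hwp_record_failure( $username ) {
    $key   = hwp_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HWP_LOCKOUT_SECONDS );
    // One line per failure in the PHP error log, so fail2ban or the monitoring stack can see it.
    error_log( sprintf( 'wp-login failure #%d for "%s" from %s',
        $count, $username, isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?' ) );
}
add_action( 'wp_login_failed', 'hwp_record_failure' );

// Priority 30 runs after core's own username/password check (priority 20),
// which discards an earlier WP_Error; the error returned here is what gets honoured.
function hwp_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( hwp_client_key() ) >= HWP_MAX_ATTEMPTS ) {
        // Same message whether or not the username exists.
        return new WP_Error( 'hwp_locked_out',
            sprintf( 'Too many failed logins, try again in %d minutes.', HWP_LOCKOUT_SECONDS / 60 ) );
    }
    return $user;
}
add_filter( 'authenticate', 'hwp_check_lockout', 30, 3 );

// Reset the counter once a login succeeds.
function hwp_clear_failures( $user_login, $user ) {
    delete_transient( hwp_client_key() );
}
add_action( 'wp_login', 'hwp_clear_failures', 10, 2 );
```

Two things to keep in mind: an attempt made during the lockout still fires `wp_login_failed`, so each one extends the window; and a per-address counter does nothing against attempts spread over many addresses or bundled into a single `xmlrpc.php` request, which is why the `.htaccess` authentication and the `xmlrpc.php` deny rule later in the deck belong alongside it.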
Restrict to certain IPs
```apache
# .htaccess
order deny,allow
deny from all
allow from 1.2.3.4
```
Hide your login
```apache
# BEGIN Hidden login
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword

RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login\.php http://%{SERVER_NAME}/secured-area? [R,L]

RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login
```
Captcha on login
Two-Factor Authentication
Is there anything more?
Admin user
Admin user
- Don’t use «admin» as username
- Or change «admin» role
Change WordPress Structure
Change WordPress Structure
From this..
Change WordPress Structure
..to this
Change WordPress Structure
```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]

# Serve existing files and directories as they are (the transcript showed the
# negated tests, which would stop every request for a non-existent path before
# it reaches index.php and break pretty permalinks).
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.*\.php)$ /$1 [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```
Change WordPress Structure
```php
// ** index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php' );
```

```php
// ** wp-config.php
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
// HTTP_HOST (and SERVER_NAME when UseCanonicalName is off) is taken from the
// request's Host header; on a vhost that answers for any hostname, prefer a
// fixed hostname here so generated URLs cannot be steered by the request.
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/application' );
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );
```
Htaccess Tips and Tricks
Disable Directory Browsing
```apache
# .htaccess
Options All -Indexes
```
Protect your .htaccess
```apache
# .htaccess
<files .htaccess>
Order allow,deny
Deny from all
</files>
```
Protect your configuration
```apache
# .htaccess
<files wp-config.php>
Order allow,deny
Deny from all
</files>
```
Deny access to xmlrpc.php
```apache
# .htaccess
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>
```
Prevent WordPress users listing
http://www.yourbeautifulsite.org/?author=1
http://www.yourbeautifulsite.org/?author=2
http://www.yourbeautifulsite.org/?author=3
http://www.yourbeautifulsite.org/?author=4
[…]
```apache
# .htaccess
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]
```
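The rewrite rule above catches the `?author=N` form only; with pretty permalinks the same listing is reachable as `/author/<nicename>/`, and any rule that redirects valid IDs but lets invalid ones fall through to a 404 still tells a caller which IDs exist. The following must-use plugin, added to this transcript and not part of the talk, handles both URL forms inside WordPress and answers identically for existing and non-existing authors; the `hwp_` function name is an assumption. It also goes beyond the 2015 deck by hiding the REST API users routes that WordPress 4.7 and later expose at `/wp-json/wp/v2/users`.

```php
<?php
/*
Plugin Name: Block author enumeration (added example, not from the talk)
Description: Drop into wp-content/mu-plugins/.
*/

// Front-end requests only: template_redirect never fires in wp-admin,
// where ?author= is used legitimately to filter the post list.
function hwp_block_author_enumeration() {
    // ?author=<anything>, whether or not the ID resolves, and the
    // /author/<nicename>/ permalink form. Redirecting both the valid and the
    // invalid case the same way removes the "exists / does not exist" oracle.
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'hwp_block_author_enumeration' );

// WordPress 4.7+ lists users over the REST API as well. Remove the routes for
// anonymous callers; logged-in users (the block editor needs them) keep access.
function hwp_hide_rest_users( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'hwp_hide_rest_users' );
```

To check the result, request `/?author=1`, `/?author=9999` and `/author/<some-nicename>/` and confirm that all three answer with the same redirect to the home page, and that an anonymous request to `/wp-json/wp/v2/users` returns a 404 rather than a user list.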
Deny php execution from upload directory
```apache
# /path/to/upload-folder/.htaccess
# Refuse everything by default, then re-allow only static asset types, so a
# PHP file that lands in the upload directory is never handed to the interpreter.
# (The transcript showed only the <Files> allow block; without the deny it allows nothing new and denies nothing.)
Order deny,allow
Deny from all
<Files ~ "\.(xls|doc|rtf|pdf|zip|mp3|flv|swf|png|gif|jpg|ico|js|css|kmz|ttf|woff|woff2)$">
Allow from all
</Files>
```
Rewrite assets permalinks
```apache
# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
```
WP-config Tricks
WP-config Tricks
- Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Override File Permissions
- Change WP Db Prefix
Disable Plugins install/updates
```php
// ** wp-config.php
define( 'DISALLOW_FILE_EDIT', true ); // removes the theme and plugin code editors from the dashboard
define( 'DISALLOW_FILE_MODS', true ); // also blocks installing and updating plugins/themes from the dashboard
```
Check installed Themes/Plugins
- Remove inactive themes/plugins
- Remove useless themes/plugins
- Evaluate code integration
Blackhole
Blackhole (http://perishablepress.com/blackhole-bad-bots/)
```apache
# BEGIN Blackhole
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|register|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L]
</ifModule>
# END Blackhole
```
Tools
Tools
Sucuri Security Plugin
Help us to check our WordPress Project Vulnerabilities
Monitoring: a time series database for monitoring your application
https://influxdb.com/
Web Server Infrastructure
Codex References
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Administration_Over_SSL
http://codex.wordpress.org/Editing_wp-config.php
Questions?
NO
Thanks
Mattia Piovano (@shadow_droid)
https://joind.in/15557