WordPress Security - Nirjhor · 2018. 3. 30. · WordPress Security. Type of Attacks that are...


Page 1: WordPress Security - Nirjhor · 2018. 3. 30. · WordPress Security. Type of Attacks that are Threat to our WordPress Sites. SQL Injection Attack Attack Types [1] Cross Site Scripting

NIRJHOR ANJUM

Head of Engineering, ADN Digital

Faculty Head, PeopleNTech Institute of IT

WordPress Security

Page 2

Types of Attacks that are a Threat to our WordPress Sites

Page 3

SQL Injection Attack

Attack Types [1]

Page 4

Cross Site Scripting (XSS)

Attack Types [2]

Page 5

Brute Force Attack

Attack Types [3]

Page 6

Session Hijacking Attack

Attack Types [4]

Page 7

Cross Site Request Forgery (CSRF) Attack

Attack Types [5]

And more…

Page 8

Topics of Discussion

Page 9

Topics of Discussion!

• General Measures of Security

• Security Measures using Plugins while Developing a Website

• Advanced Security Measures while Developing a Website with less dependency on Plugins

• Advanced Security Measures while Developing a Plugin/Theme

Page 10

General Measures of Security

Page 11

General Measures of Security [1]

• Quality Web Hosting
  – Always up to date
  – Backup provision
  – Web Application Firewall (WAF) provision
  – Get a Virus Scanner, like ClamAV

• SSL Certificate
  – Security through Data Encryption

• Use a CDN, like CloudFlare
  – A Layer in the Internet Ecosystem

Page 12

General Measures of Security [2]

• Keep your Website up to Date
  – Get the latest security updates
  – Stay safe from the latest threats

• Use Safe Themes/Plugins
  – Avoid Nulled or Cracked things
  – Avoid Low Rated or Untested things
  – Remove unused Themes/Plugins

Page 13

General Measures of Security [3]

• Use Captcha in Login Forms
  – Stay away from Brute-Force Attacks
  – Stay safe from Bot Attempts

• Use a Spam Protection Mechanism
  – Use Akismet, the best one
  – Use Antispam Bee

Page 14

General Measures of Security [4]

• Use a Safer Password
  – Make it using Letters, Numbers and Symbols
  – Make it Long
  – Never save it in an Open File or the Browser

• Hide the Admin Name
  – Don’t use the default username “admin”
  – Rename the Nickname and Username of the System Admin

Page 15

General Measures of Security [5]

• Change your Secret Keys in “wp-config.php”

Source: https://api.WordPress.org/Secret-Key/1.1/Salt/

Page 16

Security Measures using Plugins while Developing a Website

Page 17

Security Measures using Plugin [1]

• Creates Firewall

• Real-time Monitoring

• Stronger Login Practice

• Repair Files by Overwriting

• Scans Suspicious Contents

• Blocks various types of Threat Attempts

• Sends Alert on Vulnerability over Email

• Scan Core, Plugins, Themes, and other Files

• Finds Injections, Redirection Codes, etc.

Page 18

Security Measures using Plugin [2]

• Limits Login Attempts

• Customize Login Page URL

• Prevent Brute Force Attacks

• Restrict Access from IP

• Logs User Attempts

• Block User on Prohibited Username Attempt

• Adds reCAPTCHA

• Disable Right Click

• Removes Version Info from CSS/JS

• Removes WP Generated Meta from HTML

• Backup of Security Settings

• Scheduled Database Backup

Page 19

Security Measures using Plugin [3]

• Track Post/Page/Tag/Comments Activities

• Track Widget/Menu Change

• Track Core and System Settings Change

• Track User/Profile Changes

• Track Forum, Ecommerce Shop Changes

Page 20

Security Measures using Plugin [4]

• Change Theme Style File-name

• Change Plugins URL

• Change Individual Plugin URLs

• Custom Upload URL

• Remove WordPress Version

Page 21

Security Measures using Plugin [5]

• SQL Injection Attack Prevention

• XSS and CSRF Attack Prevention

• Brute Force Attack Prevention

• Blocks Direct Access to PHP Files

• Disable Directory Listing

• Minify CSS

Page 22

Security Measures using Plugin [6]

• Backup Database, Settings, Theme, Plugin, Images etc.

• Download Backup as Zip or Tar

• Run Scheduled Backups Daily / Weekly / Monthly

• Store Backup on Remote FTP Server

• Store Backup on Dropbox/Google Drive

• Send Backup to Email Address

Page 23

Security Measures using Plugin [7]

• On-Change File Comparison to check Vulnerability

• Can Expire Passwords to force setting a new Password

• Generates Strong Password with Salt

• Two Factor Authentication

• Malware Scanner

• Login Captcha

Page 24

Advanced Security Measures while Developing a Website with less dependency on Plugins

Page 25

Advanced Security Measures without Plugin [1]

Add an Extra Layer of Protection on the Login Page (HTTP Basic Authentication in front of wp-login.php):

.htaccess
<Files wp-login.php>
    # AuthUserFile needs an absolute path; Apache does not expand "~".
    # "/full/path/to" is a placeholder: keep the file outside the web root.
    AuthUserFile /full/path/to/.htpasswd
    AuthName "Private Access"
    AuthType Basic
    Require user MySecretUsername
</Files>

.htpasswd
MySecretUsername:$apr1$KW5IPd9r$/C4HkGhAX7WqaOrJ1k9my1

Hash Pass Generator: http://www.htaccesstools.com/htpasswd-generator/

Page 26

Advanced Security Measures without Plugin [2]

Restrict visiting the Admin Panel by IP (place in wp-admin/.htaccess):

# Block Access to WP-Admin
# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat
# (the 2.4 equivalent is "Require ip 172.0.0.1").
# 172.0.0.1 stands for the administrator's own address.
Order Deny,Allow
Allow from 172.0.0.1
Deny from all

Page 27

Advanced Security Measures without Plugin [3]

Disable Directory Listing (.htaccess):

Options All -Indexes

Page 28

Advanced Security Measures without Plugin [4]

Show an Error Page while a User is trying Unknown URLs/Pages (.htaccess):

# Way One
ErrorDocument 404 "<H1>Page not found</H1>"

# Way Two
ErrorDocument 404 /not-found/

Page 29

Advanced Security Measures without Plugin [5]

Restrict visiting the WordPress Configuration File (.htaccess):

# PROTECT CONFIG FILE
<Files wp-config.php>
    Order Deny,Allow
    Deny from all
</Files>

Page 30

Advanced Security Measures without Plugin [5]

Restrict Execution of PHP Code in the “Uploads” Directory (place in wp-content/uploads/.htaccess):

# Kill PHP EXECUTION
# Matches .php, .php3/4/5, .pht and .phtml; add .php7/.phar if your server parses them.
<Files ~ "\.ph(?:p[345]?|t|tml)$">
    Deny from all
</Files>

Page 31

Advanced Security Measures without Plugin [6]

Implement Security using “mod_rewrite”, the Module

• Enable HTTP Strict Transport Security
• Enable (XSS) Filter
• Hide Server Application Information
• Restrict Visiting Open Directories
• Block Access to Hidden Files

And, many more…

Source: http://htaccess.DB-Dzine.com/en-us
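The five items listed above as one .htaccess fragment, added here as an example and not taken from the deck or the linked generator; it assumes Apache 2.4 with mod_headers and mod_rewrite loaded and an AllowOverride that permits these directives.

```apache
# Added example: .htaccess implementing the list above (Apache 2.4 syntax).

<IfModule mod_headers.c>
    # Enable HTTP Strict Transport Security. Browsers only honour the header
    # when it arrives over HTTPS, so the site must already be served over TLS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Enable the browser XSS filter (legacy header; a Content-Security-Policy
    # is the modern control, this one only helps older browsers).
    Header always set X-XSS-Protection "1; mode=block"

    # Hide server application information: PHP advertises itself in this header.
    Header always unset X-Powered-By
</IfModule>

# Hide the Apache version/OS line that error pages would otherwise append.
# (ServerTokens Prod belongs in the main server config, not in .htaccess.)
ServerSignature Off

# Restrict visiting open directories: no auto-generated index pages.
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Block access to hidden files and directories (.htaccess, .htpasswd, .git/)
    # while still allowing /.well-known/ for ACME and similar validations.
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/" [NC]
    RewriteRule "(^|/)\." - [F]
</IfModule>
```

Check the result with curl -I against the site: the STS header should appear, X-Powered-By should not, and a request for /.htaccess should return 403.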

Page 32

Advanced Security Measures without Plugin [7]

Disable File Editing in the WordPress Dashboard/Panel (wp-config.php):

# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Force Admin to use https:// (SSL Certificate enabled Path) (wp-config.php):

# Force Admin to use SSL
define('FORCE_SSL_ADMIN', true);

Page 33

Advanced Security Measures without Plugin [7]

If the Host has the Provision, then allow FTPS (wp-config.php):

# Enable FTPS
define('FTP_SSL', true);

If the Host has the Provision, then allow SFTP (wp-config.php):

# Enable SFTP (requires the PHP ssh2 extension on the server)
define('FS_METHOD', 'ssh2');

Page 34

Advanced Security Measures without Plugin [8]

Disable Creating Error Log (wp-config.php):

# Disable Debug Mode
define('WP_DEBUG', false);

Disable Showing Error Log (wp-config.php):

# Disable Front-end Error Display
define('WP_DEBUG_DISPLAY', false);

Page 35

Advanced Security Measures without Plugin [8]

Enable Auto WordPress Version Update (wp-config.php):

# Enable Auto WordPress Update
define('WP_AUTO_UPDATE_CORE', true);

Get Security Updates and more… Stay safe…

Page 36

Advanced Security Measures while Developing a Plugin/Theme

Page 37

Follow the Important Rules

Don’t Trust any Data

Rely on the WordPress API

Keep your code Up to Date

Security while Developing Plugin/Theme [1]

Page 38

Security while Developing Plugin/Theme [2]

Validate your Data using PHP Functions

Function(s): Description

isset(), empty(): Whether a value is set or empty

mb_strlen(), strlen(): Identify whether the String length is valid or not

preg_match(), strpos(): Find certain characters inside a String

in_array(): Find whether your element exists in the Array or not

strip_tags(): Removes HTML Tags from your String

filter_var(): Identify Email, URL, Variable Type etc.

md5(), sha1(): Secure your Password

Page 39

Security while Developing Plugin/Theme [2]

Validate your Data using WordPress Functions

Function(s): Description

is_user_logged_in(): Whether the current user is Logged-in or Not

username_exists(), email_exists(): Whether a Username or Email exists or not

term_exists(): Whether a Tag, Category or Term exists or not

validate_file(): Whether a File Path is valid or not

is_admin_bar_showing(): Whether the Admin Bar is visible or not

Page 40

Security while Developing Plugin/Theme [3]

Secure your Input Data (Sanitize) using WordPress Functions

Function: Description

sanitize_email(): Filters an Email Address

sanitize_file_name(): Filters a File Name

sanitize_key(): Filters Internal Keys

sanitize_user(): Filters a Username

sanitize_text_field(): Filters Input Fields

sanitize_title(): Filters a Title

sanitize_sql_orderby(): Filters Order By Clauses of SQL Queries

Sample Code: sanitize_####( $email );

Page 41

Security while Developing Plugin/Theme [4]

Secure your Output Data (Escape) using WordPress Functions

Function: Description

esc_html(): Prints safe HTML code, Removes Tags

esc_url(): Prints a safe URL, Removes unsafe Characters

esc_js(): Helps executing PHP output inside JavaScript, escaping Single Quotes and HTML Special Characters and fixing Line Endings

esc_sql(): Helps to filter Strings within SQL Queries

esc_attr(): Helps to filter the Attributes inside HTML tags to stay XSS Safe

Sample Code: <h2><?php echo esc_####( $url ); ?></h2>

Page 42

Security while Developing Plugin/Theme [4]

Use “Nonces” to Prevent CSRF Attacks

Helps to add a Token when moving from one URL to another

Page 43

Avoid writing Traditional Query

Security while Developing Plugin/Theme [5]

Unsafe

Page 44

Avoid writing Traditional Query

You can hide Database Errors for Safety

Security while Developing Plugin/Theme [5]

Safe
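The nonce (Page 42), sanitize/escape (Pages 40 and 41) and safe-query (Pages 43 and 44) advice combined in one added PHP example written for this page, not code from the presenter's deck. The wpsec_* function names, the option name "wpsec_contact_email" and the nonce action "wpsec_save_contact" are hypothetical; the WordPress functions they call are the real API.

```php
<?php
// Added example (not the presenter's code). Hypothetical names: the option
// "wpsec_contact_email", the nonce action "wpsec_save_contact" and all
// wpsec_* functions are assumptions; the WordPress API calls are real.

// Render the form: wp_nonce_field() embeds the CSRF token for this action.
function wpsec_render_contact_form() {
    $current = get_option( 'wpsec_contact_email', '' );
    echo '<form method="post">';
    wp_nonce_field( 'wpsec_save_contact', 'wpsec_nonce' );
    // Escape on output: esc_attr() for attribute values.
    echo '<input type="email" name="contact_email" value="' . esc_attr( $current ) . '">';
    echo '<button type="submit" name="wpsec_submit">Save</button></form>';
}

// Handle the POST: nonce, capability, then sanitize and validate the input.
function wpsec_handle_contact_form() {
    if ( ! isset( $_POST['wpsec_submit'] ) ) {
        return null;
    }
    // Don't trust any data: the token must match and the user must be allowed.
    $nonce = isset( $_POST['wpsec_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['wpsec_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wpsec_save_contact' ) ) {
        wp_die( 'Security check failed' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Sanitize with the WordPress function, then validate with PHP's filter_var().
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    if ( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
        return new WP_Error( 'invalid_email', 'Invalid e-mail address' );
    }
    update_option( 'wpsec_contact_email', $email );
    return $email;
}

// Rely on the WordPress API: $wpdb->prepare() instead of a hand-built query.
function wpsec_find_user_id_by_email( $email ) {
    global $wpdb;
    $wpdb->hide_errors(); // keep database error text off the page
    // Unsafe, what the slide warns against (string interpolation into SQL):
    //   $wpdb->get_var( "SELECT ID FROM {$wpdb->users} WHERE user_email = '$email'" );
    $sql = $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_email = %s LIMIT 1", $email );
    return $wpdb->get_var( $sql );
}

// Escape on output: esc_html() for text nodes, esc_url() for href values.
function wpsec_print_contact( $email ) {
    printf( '<p><a href="%s">%s</a></p>', esc_url( 'mailto:' . $email ), esc_html( $email ) );
}

// Passwords are a different case: md5()/sha1() are fast digests, not password
// hashes; WordPress provides wp_hash_password() / wp_check_password() instead.
add_action( 'admin_init', 'wpsec_handle_contact_form' );
```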

Page 45

Avoid using Deprecated Codes

Test your WordPress Website Online

Security while Developing Plugin/Theme [6]

https://developer.wordpress.org/reference/

https://wpscans.com/

Page 46

www.Nirjhor.net

www.Facebook.com/AnjumNirjhor

019 55 77 88 22
