Wil Brown
@DeveloperWil
zeropointdevelopment.com for WordPress Sydney
Best Practices
2016 Update
• Use complex usernames & passwords
• Check file permissions have minimum access
• Update software often & regularly
• Use security firewalls & scan regularly
• Consider using 2-factor authentication
• Stick to reputable theme providers
• Uninstall unused code/themes/plugins
• Lock all doors, windows & switch off Internet!
@DeveloperWil #wpsyd
There is always a current threat
The worst type of threats are those you don’t know about
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
The Art of War - Sun Tzu ~512BC
http://www.classicly.com/read-the-art-of-war-online-free/page/1
SO BE PREPARED
Got the T-Shirt
Locked away in a deep dark basement
No internet connection
No user interaction
= Pretty useless website
= There is a balance to be had
Everything is Hackable
Best we can do is make our site less attractive
than others to hack into.
Would you attempt to break into this car?
The most vulnerable part of your
website is…
YOU
Read this book!
Not just WordPress
cPanel, email, FTP, SSH, MySQL, WordPress
Avoid typical “Administrator” usernames
admin, administrator, root, manager, debug, user,
system, default, netman, superuser, guest, backup,
sys, sysadmin, siteadmin, test, …
No personal information such as DoB
e.g. bob1976 
No footie clubs, car regos, pet or family names
Use a random 16 (at least) character password
UPPER, lower, digits, punctuation
e.g. b9G#Z4YVemTN^X6S
Random character passwords
= difficult for you to remember 
= difficult for hackers to guess 
Use a password service such as LastPass
Local 256-bit encryption, SSL data transfer,
2-factor authentication
https://lastpass.com
Consider forcing users to have a strong password
Force Strong Passwords plugin.
http://wordpress.org/plugins/force-strong-passwords/
Gives more flexibility than built-in WordPress
Only allow one login per device.
Restrict logins under same username on
multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin
http://wordpress.org/plugins/wp-bouncer/
Change the default WordPress salt keys in wp-config.php
WordPress uses cookies to store session information. These are hashed with MD5 + salt keys in the wp-config.php file
https://api.wordpress.org/secret-key/1.1/salt/
Restrict the number of users with the Administrator role.
You do need at least 1 Admin user – do you need any more than that?
Editor role is sufficient for somebody to manage 90% of all the site’s day-to-day content.
Understanding Linux file permissions is key
In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may recommend you
set /wp-content/uploads to 777
Move to another hosting company!
Probably your three most important sys files are:
.htaccess (Apache) or nginx.conf (nginx)
= permalinks, redirects, etc
This should be locked down to CHMOD 444
php.ini
= PHP settings
wp-config.php
= WordPress DB username & pass
These should be locked down to CHMOD 440
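As an added example (not part of the deck), here is a small Python audit script that walks a WordPress tree and reports every directory or file whose mode differs from the values above (755/644, 444 for .htaccess, 440 for php.ini and wp-config.php), singling out world-writable entries such as a 777 uploads directory. The `build_sample_tree` helper constructs a throwaway sample site so the script runs stand-alone; the paths and file contents in it are made up for the demo.

```python
import os
import stat
import tempfile

# Expected modes from the slide: directories 755, files 644, .htaccess 444,
# php.ini and wp-config.php 440.
DIR_MODE = 0o755
FILE_MODE = 0o644
SPECIAL_FILE_MODES = {
    ".htaccess": 0o444,
    "php.ini": 0o440,
    "wp-config.php": 0o440,
}


def expected_mode(path, is_dir):
    """Return the mode the slide recommends for this path."""
    if is_dir:
        return DIR_MODE
    return SPECIAL_FILE_MODES.get(os.path.basename(path), FILE_MODE)


def audit_permissions(root):
    """Walk a WordPress tree and return a sorted list of
    (relative path, actual mode, expected mode) for every entry whose
    permission bits differ from the recommendation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual != want:
                findings.append((os.path.relpath(path, root), actual, want))
    return sorted(findings)


def world_writable(findings):
    """Subset of findings any local user could write to (the 777 case)."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def build_sample_tree():
    """Constructed sample site (not a real install): a correct wp-includes
    directory, a 777 uploads directory, a 644 wp-config.php and a 444 .htaccess."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.chmod(os.path.join(root, "wp-includes"), 0o755)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o644), (".htaccess", 0o444)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    return root


def format_report(findings):
    return "\n".join("%-30s is %o, expected %o" % (p, a, w) for p, a, w in findings)


if __name__ == "__main__":
    site = build_sample_tree()
    print(format_report(audit_permissions(site)))
```

Point `audit_permissions` at a real document root instead of the sample tree to get the same report for a live site; the 440 entries will only be readable by the web server user if that user owns the file or is in its group, which is the assumption the slide makes.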
Malware can be hidden in Themes, Plugins &
other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $89.99 /site /year
Update WordPress Core, Themes and Plugins
regularly = at least weekly
ManageWP service good for multiple sites
https://managewp.com
Automatic Updates are in WordPress core for
point releases only by default
More control = “Automatic Updater” plugin
http://wordpress.org/plugins/automatic-updater/
Choose to update Core, Themes and/or Plugins
Especially “free” themes and torrents
– Very common to “insert” links into footer areas
– Code can read your wp-config.php file and email/send it elsewhere = you’re screwed
– Don’t use themes or plugins from Torrent sites!
– Always try to download from original source
Read: http://premium.wpmudev.org/blog/free-wordpress-themes-ultimate-guide/
Search through files for:
base64_decode, edoced_46esaB (base64_decode spelt backwards) and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker
http://wordpress.org/plugins/tac/
Exploit Scanner
http://wordpress.org/plugins/exploit-scanner/
Not all base64_decode function calls are evil;
WordPress uses the function extensively throughout the core.
It should be easy to decode the argument and work out whether a call in a plugin or theme is good or bad.
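The following Python scanner is an added example, not one of the plugins named above: it searches a theme or plugin directory for the three markers on these slides (`base64_decode`, its reversed spelling and `eval`), decodes any base64 literal handed straight to `base64_decode` so a reviewer can read it without a web decoder, and classifies each file, treating `base64_decode` on its own as "review" rather than "suspicious" for the reason the slide gives. The sample theme files it builds are constructed for the demo; the hidden payload is a harmless echo.

```python
import base64
import os
import re
import tempfile

# Markers from the slide: base64_decode, its reversed spelling and eval.
SUSPECT_PATTERNS = {
    "base64_decode": re.compile(r"base64_decode", re.IGNORECASE),
    "reversed base64_decode": re.compile(r"edoced_46esab", re.IGNORECASE),
    "eval": re.compile(r"\beval\s*\("),
}
# A base64 string literal passed directly to base64_decode.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.IGNORECASE)


def decode_literals(text):
    """Decode every base64 literal handed to base64_decode so the reviewer can
    see what it hides; undecodable data is reported rather than skipped."""
    decoded = []
    for match in B64_LITERAL.finditer(text):
        raw = re.sub(r"\s+", "", match.group(1))
        try:
            decoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:
            decoded.append("<undecodable>")
    return decoded


def scan_file(path):
    """Return ([(line number, marker name), ...], [decoded literals])."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits, decode_literals("\n".join(lines))


def classify(hits):
    """eval together with base64_decode, or the reversed name at all, is the
    classic hidden-code shape; base64_decode alone only needs a look."""
    names = {name for _, name in hits}
    if "reversed base64_decode" in names or {"eval", "base64_decode"} <= names:
        return "suspicious"
    if names:
        return "review"
    return "clean"


def scan_tree(root, extensions=(".php",)):
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.endswith(extensions):
                path = os.path.join(dirpath, filename)
                hits, decoded = scan_file(path)
                report[os.path.relpath(path, root)] = (classify(hits), hits, decoded)
    return report


def build_sample_theme():
    """Constructed sample files, not real theme code: a benign inline-icon use
    of base64_decode and a footer that hides an echo behind eval."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    hidden = "echo '<a href=\"http://spam.invalid\">hidden link</a>';"
    payload = base64.b64encode(hidden.encode()).decode()
    files = {
        "functions.php": "<?php\n$icon = base64_decode('iVBORw0KGgo=');\nheader('Content-Type: image/png');\n",
        "footer.php": "<?php\n/* ... */\neval(base64_decode('%s'));\n" % payload,
        "style.css": "body { color: #333; }\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root, hidden


if __name__ == "__main__":
    theme, _ = build_sample_theme()
    for name, (verdict, hits, decoded) in sorted(scan_tree(theme).items()):
        print(name, verdict, hits, decoded)
```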
Popular image/thumbnail resizing script
Bundled in many themes and plugins
Responsible for many WordPress security
breaches
“The ability for a site visitor to load content from a
remote website and to make the web server write that
remote content to a web accessible directory is the
cause of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
The known exploits in the script were fixed, however old versions still lurk out there.
Search for TimThumb and check you are using the “fixed” version 2.8.14
https://code.google.com/p/timthumb/
The nature of TimThumb still makes it
potentially very dangerous to have on your site.
TimThumb is no longer supported or maintained
as of Sept 2014
http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
Read this: http://www.limecanvas.com/timthumb-is-evil/
Won’t make your site “secure” from hacks
Will encrypt the data transmitted between
computer and server
More on SSL certificates at
http://www.symantec.com/en/au/ssl-certificates
If you have an SSL certificate…
Force all Dashboard and Logins to use HTTPS
In wp-config.php
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
Gives additional level of security.
WordFence plugin is recommended:
http://www.wordfence.com/
Scans for…
malware, TimThumb, differences in core/plugin/theme files from
repository, new available updates, login limiter, force strong passwords,
trojans, SQL injection, DNS changes, files outside WordPress folder, hide
login errors, prevent creating ‘admin’ user, country blocking*, cell phone
sign-in*, advanced scheduled scans*
*premium functions
Brute force attacks try to repeatedly guess
username & password.
Block IP address after X number of login
attempts within a period.
Limit Login Attempts plugin
http://wordpress.org/plugins/limit-login-attempts/
Don’t give the hackers a helping hand
Remove that info!
Add this to functions.php
add_filter('login_errors', '__return_null');
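One way to implement the two slides above, the attempt limiter and the non-revealing login error, as an added Python example rather than the plugins' own code. The user store, IP addresses and passwords are constructed for the demo; an unknown username is hashed against a dummy record so the response time, not just the message text, is the same as for a wrong password.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def make_record(password: str, salt: bytes = None):
    """Salted PBKDF2 record for the demo user store (iteration count kept
    modest so the example runs quickly)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store for the demo: username -> (salt, digest).
USERS = {"editor": make_record("b9G#Z4YVemTN^X6S")}
# Used when the username is unknown, so the check costs the same time.
DUMMY_RECORD = make_record("not-a-real-user")


def check_credentials(username: str, password: str) -> bool:
    record = USERS.get(username)
    salt, digest = record if record is not None else DUMMY_RECORD
    matches = hmac.compare_digest(digest, make_record(password, salt)[1])
    return record is not None and matches


class LoginLimiter:
    """Block an IP after `max_attempts` failed logins inside `window` seconds,
    the policy the slide describes for the Limit Login Attempts plugin."""

    def __init__(self, max_attempts=5, window=900, lockout=900):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        queue = self.failures[ip]
        queue.append(now)
        while queue and queue[0] <= now - self.window:   # drop stale failures
            queue.popleft()
        if len(queue) >= self.max_attempts:
            self.blocked_until[ip] = now + self.lockout
            queue.clear()

    def record_success(self, ip):
        self.failures.pop(ip, None)


def attempt_login(limiter, ip, username, password, now=None):
    """Returns (ok, message). The message is identical whether the username is
    unknown or the password is wrong, so the response leaks nothing."""
    if now is None:
        now = int(time.time())
    if limiter.is_blocked(ip, now):
        return False, "Too many attempts, try again later."
    if check_credentials(username, password):
        limiter.record_success(ip)
        return True, "Welcome"
    limiter.record_failure(ip, now)
    return False, "Login failed."


if __name__ == "__main__":
    limiter = LoginLimiter(max_attempts=3, window=60, lockout=60)
    for guess in ("wrong1", "wrong2", "wrong3", "b9G#Z4YVemTN^X6S"):
        print(attempt_login(limiter, "10.0.0.1", "editor", guess, now=1000))
```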
There is NO EXCUSE not to back up your entire
site frequently (real-time, hourly, daily, weekly).
Back up to email http://wordpress.org/plugins/wponlinebackup/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy http://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency.
Can you restore from an issue that’s been happening for 2
months?
Check your backup files – do a test restore!
Using another device to generate an
authentication code e.g. Mobile phone app
Verification code + login = 2 factor auth
Google Authenticator
http://wordpress.org/plugins/google-authenticator/
WordPress stores user passwords in the database as salted MD5 hashes using the Portable PHP password hashing framework
e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP.
Passwords themselves are not stored in the DB
A password can be replaced in the DB with a plain MD5 hash; after the next login it is replaced by a salted MD5 hash.
[Table on slide: password type / password hash]
MD5 was designed for high volume, not security.
MD5’s “collision resistance” (~2^64 work) has been broken,
but not its resistance to preimages or second preimages.
MD5 + salts is still a poor choice because it is designed to be fast:
modern GPUs generate billions of candidate passwords per second, i.e. brute force.
Ref: https://en.wikipedia.org/wiki/MD5
Ref: https://en.wikipedia.org/wiki/Collision_attack
Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996
Bcrypt is an adaptive hashing algorithm.
Bcrypt intentionally takes a relatively long time to
be calculated; over time, the iteration count can
be increased to make it even slower.
This is done intentionally to resist brute force
attacks as computational power increases.
Ref: https://en.wikipedia.org/wiki/Bcrypt
Plugin: https://roots.io/plugins/bcrypt-password/
Note: requires PHP >= 5.5.0
Ref: https://en.wikipedia.org/wiki/Bcrypt
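To make the MD5-versus-bcrypt argument of the last three slides concrete, here is an added Python port of the phpass "portable" scheme that produces the $P$ hashes shown above (it is not WordPress's or phpass's own code). The fourth character of the hash stores log2 of the MD5 iteration count, so the $P$B example means 2^13 = 8192 rounds; `cost_per_check` shows how little time that buys on ordinary hardware. bcrypt itself is not in the Python standard library, so it is not reproduced here; the point is the cost of what WordPress does by default.

```python
import hashlib
import hmac
import os
import time

# phpass alphabet: the index of a character is its 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648), ported from encode64()."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Port of phpass crypt_private(): MD5(salt + pw), then 2**count_log2 rounds
    of MD5(previous + pw). `setting` is a fresh salt or a stored hash; the
    first 12 characters ($P$, count char, 8 salt chars) are reused either way."""
    if setting[:3] != "$P$":
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*"
    digest = hashlib.md5(salt.encode() + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def gensalt(count_log2: int = 13) -> str:
    """$P$ + count character + 8 salt characters (from 6 random bytes)."""
    return "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6)


def hash_password(password: str, count_log2: int = 13) -> str:
    return crypt_private(password.encode(), gensalt(count_log2))


def check_password(password: str, stored: str) -> bool:
    computed = crypt_private(password.encode(), stored)
    return computed != "*" and hmac.compare_digest(computed, stored)


def iterations(stored: str) -> int:
    """How many MD5 rounds checking one candidate against this hash costs."""
    return 1 << ITOA64.find(stored[3])


def cost_per_check(stored: str, candidate: str = "guess", repeats: int = 20) -> float:
    """Average seconds to test one candidate password against `stored`."""
    start = time.perf_counter()
    for _ in range(repeats):
        crypt_private(candidate.encode(), stored)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored, check_password("correct horse battery staple", stored))
    print("rounds:", iterations(stored), "seconds per guess:", cost_per_check(stored))
```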
Is two factor authentication
not enough for you?
Biometric authentication uses part of our own
body as the second verification part.
This is going to be the normal way of
authenticating with systems in the not so distant
future.
VoxedIn is a Smartphone app that lets you log in
to your WordPress site using voice biometrics.
http://wordpress.org/plugins/voxedin/
Move the wp-content folder to a new location.
Add the following into wp-config.php before the
line: /* That's all, stop editing! Happy blogging. */
define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');
define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes
may have hard-coded wp-content location.
Use .htaccess to protect your wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can fetch the wp-config.php file over the web now;
only the web server process itself can still read it.
Use .htaccess to stop SQL Injection attacks
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any request whose query string contains a <script> tag, or tries to set
the GLOBALS or _REQUEST variables, is answered with 403 Forbidden.
Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing
Options -Indexes
Password protect wp-admin folder using cPanel and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
Remove the WordPress dashboard Editor for
themes and plugins
Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);
Default MySQL DB table prefix is wp_
Change before installing new WordPress sites.
Add to wp-config.php
$table_prefix = 'mynewprefix_';
Existing websites – use WP Security Scan
http://wordpress.org/plugins/wp-security-scan/
Monitor who does what on your WordPress site.
Stream: http://wp-stream.com/
Using .htaccess
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login
Add to wp-config.php:
define('WP_ADMIN_DIR', 'secret-folder');
define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
Add to functions.php:
add_filter('site_url', 'lc_wpadmin_filter', 10, 3);
function lc_wpadmin_filter( $url, $path, $orig_scheme ) {
    // Rewrite the first "wp-admin" in the generated URL to the secret folder name.
    $old = array( "/(wp-admin)/" );
    $admin_dir = WP_ADMIN_DIR;
    $new = array( $admin_dir );
    return preg_replace( $old, $new, $url, 1 );
}
Add to .htaccess:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/
Known as DoS or DDoS (distributed).
Consider using CloudFlare.
[Figure: attack without CloudFlare vs. attack with CloudFlare]
[Cover] zeropointdevelopment.com
[4] zeropointdevelopment.com
[5] activerain.com
[6] mybroadband.co.za
[7] wired.com
[15] zzee.com
[15] acm.uiuc.edu
[15] danielmiessler.com
[19] managewp.com
[22] wordpress.org
[27] promptwebhosting.com.au
[31] bestwpthemez.com
[33] blog.eternalvigilance.me
[34] mobyware.ru
[38] roots.io
[39] ibmsystemsmag.com
[40] disruptive.io
[44] gobalakrishnan.com
[45] trickytechs.com
[45] wpbeginner.com
[46] zeropointdevelopment.com
[48] wp-stream.com
[52] cloudflare.com
[Back Cover] zeropointdevelopment.com
• 20+ years in IT: Dev & SysOps
• WordPress Developer since 2008
• Plugins, APIs, Security & Systems Integrations
• Organiser WPSyd & WordCamp Sydney
zeropointdevelopment.com
@DeveloperWil
♥ Pizza & Craft Beer