Useful Tips Shield Your WordPress Site

Transcript

1. Useful Tips to Shield Your WordPress Site By Rodrigo Donini

   @donini

2. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   HELLO! I’m Donini You can find me on Twitter, GitHub and LinkedIn as @donini My Site / Blog: www.donini.me

3. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   Hire the top 3% of the best freelancers in the world. WHAT IS? >>> http://bit.ly/donini-toptal <<< @donini

4. @donini

5. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   • Proper configuration • Proper development / Good practices • Update environment Security in WordPress https://codex.wordpress.org/Hardening_WordPress @donini

6. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   WPScan • Detect the WordPress version • Enumerate vulnerabilities • Enumerate users and break week passwords • Enumerate installed plugins and themes • Others http://wpscan.org https://wpvulndb.com @donini

7. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   • Remove or change the users with Admin word and with ID 1. Users and Passwords @donini

8. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   • Block the access to the users list Users and Passwords http://www.meu-site.com.br/?author=1 http://www.meu-site.com.br/authors/admin RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) RewriteRule ^(.*)$ http://www.meu-site.com.br.com/ [L,R=301] Url pattern: Add rules to your .htaceess file is one of the ways: @donini

9. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

   • Change your passwords with frequency, especially if you use public places. Use Strong Passwords https://en.support.wordpress.com/selecting-a-strong-password/ @donini

10. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Increase the security with this hashes Secret Keys https://api.wordpress.org/secret-key/1.1/salt/ @donini

11. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Use more layers of security with SMS, QRCode and PIN Two Step Authentication https://codex.wordpress.org/Two_Step_Authentication @donini

12. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • The used constants: • WP_DEBUG • WP_DEBUG_LOG • WP_DEBUG_DISPLAY Debug and your implications https://codex.wordpress.org/Debugging_in_WordPress @donini

13. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    Location and Protection of the Debug.log File • Location of the file: wp-content/debug.log • Permission: chmod 600 <Files debug.log> Order allow,deny Deny from all </Files> @donini

14. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    Exposure of the Version • Meta tag generator in the HTML y XHTML markup: • Tag generator in feed ATOM, RSS 2 (posts and comments) and RDF • In comments on HTML code • In comments of the export file • In URL parameters • In core files: • /readme.html • /wp-admin/install.php • /wp-admin/upgrade.php • /wp-links-opml.php` @donini

15. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    Block the Exposure of the Version • File that are not necessary: • /readme.html • /license.txt • /wp-config-sample.php • Temporary files: • /wp-admin/install.php • /wp-admin/upgrade.php public function remove_versio() { global $wp_version; $wp_version = 'version_hidden'; } add_action(‘init’,’remove_version’); <Files name-of-file> Order allow,deny Deny from all </Files> • Remove the version: @donini

16. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • The FDP exposes the application path on the server disk. Full Path Disclosure @donini

17. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Block the access of the files in the directory wp-includes Prevent Full Path Disclosure <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> • Test if your function exists <?php if ( !function_exists( 'mi_function' ) ) exit; ?> @donini

18. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Proper permissions • Prefix of tables How to protect your Data Base $table_prefix = ‘wpd_my_site_’; https://codex.wordpress.org/Database_Description @donini

19. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Before you pick a plugin or theme, verify at WPScan Vulnerability Database if it’s clean • Avoid SQL Injection in your themes and plugins: SQL Injection $sql = $wpdb->prepare( ‘[MY-QUERY-SQL]’, $variable ); $sql = $wpdb->prepare( ‘MY-QUERY-SQL-CON-STRING-%s-INT-%d- FLOAT- %f’, $integer, $string, $float); http://codex.wordpress.org/Class_Reference/wpdb @donini

20. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Protect the URLs including AJAX calls • Protect forms Nonces https://codex.wordpress.org/WordPress_Nonces @donini

21. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Define to use SSL SSL in WordPress define( 'FORCE_SSL_LOGIN', true ); // Force the uses only on login define( 'FORCE_SSL_ADMIN', true ); // Force the uses in all administrative, including login RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 1 2 3 @donini

22. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Apache configuration file: Directory Protection <Directory /var/www/html> Options -Indexes </Directory> • • . .htaccess file: # Deshabilitar la lista de directorios Options -Indexes • index.html and index.php files: <?php // Silence is Golden 1 2 3 @donini

23. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Where normally we put: Protect the File wp-config.php /public_html/wp-config.php • Where is suggest to put: /wp-config.php https://codex.wordpress.org/Editing_wp-config.php @donini

24. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    Disallow_File_Edit Versus Disallow_file_Mods • DISALLOW_FILE_EDIT: disable files changes in the themes and plugins • DISALLOW_FILE_MODS: disable files changes and automatic updates. @donini

25. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Almost 60% of the WordPress installations are outdated in the world. • Like we talk before, maintain the environment updated minimize the vulnerability fails and the attempts of hacking. • When we talk about update, we talk about update the WordPress core, themes, plugins and the operation system and all the related applications, like Apache/ Nginx, PHP, MySQL, etc. Outdated systems can leave doors open and turn more easy the intents of hacking. WordPress Updating https://codex.wordpress.org/Updating_WordPress @donini

26. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    • Wordfence - www.wordfence.com • Sitelock - www.sitelock.com • iThemes Security - ithemes.com/security Others Security Plugins @donini

27. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

    @donini https://github.com/donini/don-security https://wordpress.org/plugins/don-security/

28. THANKS! You can find me on Twitter, GitHub and LinkedIn

    as @donini My Site / Blog: www.donini.me ASK SOMETHING?