How to increase security and protect your WordPress site against possible attacks. Rodrigo Donini shares some of his experiences from projects he has already worked on.
Users and Passwords
• Block access to the user list. These URL patterns enumerate user names:
  http://www.meu-site.com.br/?author=1
  http://www.meu-site.com.br/authors/admin
• Adding rules to your .htaccess file is one way to block them:
  RewriteCond %{REQUEST_URI} ^/$
  RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
  RewriteRule ^(.*)$ http://www.meu-site.com.br/ [L,R=301]
@donini
Use Strong Passwords
• Change your passwords frequently, especially if you log in from public places.
  https://en.support.wordpress.com/selecting-a-strong-password/
Debug and its implications
• The constants involved:
  • WP_DEBUG
  • WP_DEBUG_LOG
  • WP_DEBUG_DISPLAY
  https://codex.wordpress.org/Debugging_in_WordPress
Location and Protection of the debug.log File
• Location of the file: wp-content/debug.log
• Permissions: chmod 600
• Block web access to it from .htaccess:
  <Files debug.log>
  Order allow,deny
  Deny from all
  </Files>
  (On Apache 2.4 the equivalent directive is Require all denied.)
Exposure of the Version
• Meta tag generator in the HTML and XHTML markup
• Generator tag in the ATOM, RSS 2 (posts and comments) and RDF feeds
• In comments in the HTML code
• In comments in the export file
• In URL parameters
• In core files:
  • /readme.html
  • /wp-admin/install.php
  • /wp-admin/upgrade.php
  • /wp-links-opml.php
Block the Exposure of the Version
• Files that are not necessary:
  • /readme.html
  • /license.txt
  • /wp-config-sample.php
• Temporary files:
  • /wp-admin/install.php
  • /wp-admin/upgrade.php
• Deny access to each of them from .htaccess:
  <Files name-of-file>
  Order allow,deny
  Deny from all
  </Files>
• Remove the version:
  // Overwrite the global version string once WordPress has initialised
  function remove_version() {
      global $wp_version;
      $wp_version = 'version_hidden';
  }
  add_action( 'init', 'remove_version' );
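The following is an added example (not code from the slides) showing the same goal done with WordPress' own hooks instead of overwriting $wp_version: it removes the generator from the head, the feeds and the export file, and strips the core ?ver= parameter from asset URLs. It also starts with the direct-access guard discussed on a later slide. The file name wp-content/mu-plugins/hide-version.php and the function name hv_strip_core_version are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version
 *
 * Added example (not from the slides): a must-use plugin that removes the
 * version from the exposure points listed above. Assumes it is saved as
 * wp-content/mu-plugins/hide-version.php so it loads without activation.
 * Files such as readme.html still reveal the version and must be blocked
 * or removed separately, as the .htaccess rule above does.
 */

// Direct-access guard: outside WordPress ABSPATH is undefined, so stop here.
defined( 'ABSPATH' ) || exit;

// 1. Meta generator tag in the HTML <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Generator tag in the RSS 2 / Atom / RDF feeds and the export file:
//    every one of them passes through the_generator, so return nothing.
add_filter( 'the_generator', '__return_empty_string' );

// 3. ?ver=<core version> appended to core script and style URLs.
//    Only strip the parameter when it equals the core version, so that
//    plugin and theme cache-busting versions keep working.
function hv_strip_core_version( $src ) {
    global $wp_version;
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_core_version', 100 );
add_filter( 'style_loader_src', 'hv_strip_core_version', 100 );
```

After loading it, view the page source and a feed URL: the generator tag and the core ?ver= suffix should be gone, while readme.html still needs the .htaccess block from the slide.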
Prevent Full Path Disclosure
• Block access to the PHP files in the wp-includes directory:
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
  </IfModule>
• Test whether your function exists before the file does anything else:
  <?php
  // Requested directly (outside WordPress) the function is undefined, so stop here
  if ( ! function_exists( 'mi_function' ) ) {
      exit;
  }
  ?>
How to protect your Data Base
• Proper permissions
• Prefix of tables:
  $table_prefix = 'wpd_my_site_';
  https://codex.wordpress.org/Database_Description
SQL Injection
• Before you pick a plugin or theme, check the WPScan Vulnerability Database to see whether it is clean.
• Avoid SQL injection in your themes and plugins by passing every value through $wpdb->prepare():
  $sql = $wpdb->prepare( '[MY-QUERY-SQL]', $variable );
  // One placeholder per value, in the same order as the arguments
  $sql = $wpdb->prepare( 'MY-QUERY-SQL-WITH-STRING-%s-INT-%d-FLOAT-%f', $string, $integer, $float );
  http://codex.wordpress.org/Class_Reference/wpdb
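As an added example (not from the slides), the same lookup written first unsafely and then with $wpdb->prepare(), plus the two cases the placeholder alone does not cover: LIKE patterns and variable-length IN lists. It assumes it runs inside WordPress with $wpdb loaded and uses a hypothetical custom table {$wpdb->prefix}subscribers; the function names are also assumptions.

```php
<?php
// Added example, not from the slides. Assumes WordPress is loaded ($wpdb)
// and a hypothetical table {$wpdb->prefix}subscribers(id, email).

// VULNERABLE: user input is concatenated straight into the SQL string, so
// the input can change the structure of the WHERE clause.
function subscribers_by_email_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    return $wpdb->get_results( "SELECT id, email FROM {$table} WHERE email = '{$email}'" );
}

// HARDENED: the value goes through a %s placeholder; prepare() escapes it
// and the input is only ever treated as data.
function subscribers_by_email( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    $sql   = $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email = %s", $email );
    return $wpdb->get_results( $sql );
}

// LIKE needs one more step: escape the % and _ wildcards in the user value
// with esc_like() before wrapping it and handing it to the %s placeholder.
function subscribers_matching( $fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    $like  = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email LIKE %s", $like )
    );
}

// Variable-length IN (...): build one %d placeholder per value and pass the
// values as an array, so every id is still cast to an integer by prepare().
function subscribers_by_ids( array $ids ) {
    global $wpdb;
    $ids = array_map( 'absint', $ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $table        = $wpdb->prefix . 'subscribers';
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = $wpdb->prepare( "SELECT id, email FROM {$table} WHERE id IN ({$placeholders})", $ids );
    return $wpdb->get_results( $sql );
}
```

The table name is built from $wpdb->prefix, which is trusted configuration, not user input; everything that comes from a request goes through a placeholder.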
SSL in WordPress
• Define the use of SSL in wp-config.php:
  define( 'FORCE_SSL_LOGIN', true ); // Force SSL only on login (deprecated since WordPress 4.0; use FORCE_SSL_ADMIN)
  define( 'FORCE_SSL_ADMIN', true ); // Force SSL across the whole admin area, including login
• Redirect every plain HTTP request to HTTPS in .htaccess:
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Protect the File wp-config.php
• Where we normally put it: /public_html/wp-config.php
• Where it is suggested to put it: /wp-config.php, one directory above the document root (WordPress looks for it there automatically)
  https://codex.wordpress.org/Editing_wp-config.php
DISALLOW_FILE_EDIT versus DISALLOW_FILE_MODS
• DISALLOW_FILE_EDIT: disables editing theme and plugin files from the admin area
• DISALLOW_FILE_MODS: disables file changes and automatic updates
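As an added example (not from the slides), here are the wp-config.php settings from the debug, database, SSL and file-modification slides collected in one fragment, with the weak value noted beside the hardened one. The log path and the table prefix are assumptions for illustration.

```php
<?php
// Added example, not from the slides: wp-config.php hardening fragment.
// Paths and the prefix are assumed values for illustration.

// --- Database table prefix (slide "How to protect your Data Base") ---
// Weak: $table_prefix = 'wp_';  (the default every scanner tries first)
$table_prefix = 'wpd_my_site_';

// --- Debug (slides "Debug and its implications" / "debug.log") ---
// Weak on a live site: WP_DEBUG true together with WP_DEBUG_DISPLAY true,
// which prints notices, file paths and query fragments into visitors' pages.
define( 'WP_DEBUG', true );          // keep recording problems...
define( 'WP_DEBUG_DISPLAY', false ); // ...but never render them in the HTML
// Since WordPress 5.1 WP_DEBUG_LOG accepts a file path, so the log can live
// outside the document root instead of wp-content/debug.log (assumed path).
define( 'WP_DEBUG_LOG', dirname( __DIR__ ) . '/logs/wp-debug.log' );
@ini_set( 'display_errors', '0' );   // also silence PHP's own error output

// --- SSL (slide "SSL in WordPress") ---
define( 'FORCE_SSL_ADMIN', true );   // covers wp-admin and wp-login.php

// --- File edits and modifications (this slide) ---
// DISALLOW_FILE_EDIT removes the theme/plugin editor from wp-admin, so a
// stolen admin session cannot use it to write PHP into the site.
define( 'DISALLOW_FILE_EDIT', true );
// DISALLOW_FILE_MODS additionally blocks installing and updating plugins,
// themes and core from wp-admin. Enable it only when deployments and updates
// arrive through another channel (version control, WP-CLI), otherwise the
// site silently stops receiving updates.
// define( 'DISALLOW_FILE_MODS', true );
```

If wp-config.php is moved one directory above the document root as the earlier slide suggests, adjust the log path accordingly: __DIR__ then already points outside the web root.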
WordPress Updating
• Almost 60% of WordPress installations worldwide are outdated.
• As discussed before, keeping the environment updated minimizes vulnerabilities and hacking attempts.
• When we talk about updating, we mean updating the WordPress core, themes, plugins, the operating system and all related applications, such as Apache/Nginx, PHP, MySQL, etc. Outdated systems leave doors open and make hacking attempts easier.
  https://codex.wordpress.org/Updating_WordPress