How to increase security and protect your WordPress site against possible attacks. Rodrigo Donini shares some of his experiences from projects he has worked on.
Hire the top 3% of freelance talent www.toptal.com Toptal Confidential
HELLO! I'm Donini
You can find me on Twitter, GitHub and LinkedIn as @donini
My Site / Blog: www.donini.me
Hire the top 3% of the best freelancers in the world.
WHAT IS? >>> http://bit.ly/donini-toptal <<<
Security in WordPress
● Proper configuration
● Proper development / good practices
● Keep the environment up to date
https://codex.wordpress.org/Hardening_WordPress
WPScan
● Detects the WordPress version
● Enumerates known vulnerabilities
● Enumerates users and breaks weak passwords
● Enumerates installed plugins and themes
● Others
http://wpscan.org
https://wpvulndb.com
Users and Passwords
● Remove or rename any user named "admin" and the user with ID 1.
Users and Passwords
● Block access to the user list.
URL patterns that reveal user logins:
http://www.meu-site.com.br/?author=1
http://www.meu-site.com.br/authors/admin
Adding rules to your .htaccess file is one of the ways:
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^author=([0-9]+)
RewriteRule ^(.*)$ http://www.meu-site.com.br/ [L,R=301]
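The same block can be done in PHP, which also covers Nginx hosts where .htaccess is ignored. The snippet below is an added example, not the presenter's code or the don-security plugin; the file name is an assumption, and the second part goes beyond the slide by also hiding the REST API users routes (/wp-json/wp/v2/users), which list user login slugs to anonymous callers in the same way.

```php
<?php
/**
 * Added example (not the presenter's code): block user enumeration in PHP.
 * Save as a must-use plugin, e.g. wp-content/mu-plugins/block-user-enumeration.php
 * (file name is an assumption).
 */

// 1. ?author=N on the front end. redirect_canonical() runs on template_redirect at
//    priority 10 and would 301 to /author/<login>/, revealing the login name, so this
//    hook must run earlier (priority 1) and answer with a redirect to the home page.
add_action( 'template_redirect', function () {
    if ( is_admin() ) {
        return; // wp-admin screens use ?author= legitimately (post list filters)
    }
    // is_author() also covers the pretty /author/<login>/ URLs listed on the slide;
    // drop that condition if the site needs public author archives.
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2. REST API: /wp-json/wp/v2/users exposes id, name and slug (= login) to anyone.
//    Remove the users routes for unauthenticated callers only; the block editor
//    still needs them for logged-in authors (author selector).
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

After installing, a request to /?author=1 should land on the home page with a 301 and no /author/ URL in the Location header, and an anonymous GET to /wp-json/wp/v2/users should return a rest_no_route error; a logged-in request still works.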
Use Strong Passwords
● Change your passwords frequently, especially if you log in from public places.
https://en.support.wordpress.com/selecting-a-strong-password/
Secret Keys
● Increase security with these hashes (the keys and salts generated at the URL below).
https://api.wordpress.org/secret-key/1.1/salt/
Two Step Authentication
● Add more layers of security with SMS, QR code and PIN.
https://codex.wordpress.org/Two_Step_Authentication
Debugging and its implications
● The constants used:
  ● WP_DEBUG
  ● WP_DEBUG_LOG
  ● WP_DEBUG_DISPLAY
https://codex.wordpress.org/Debugging_in_WordPress
Location and Protection of the debug.log File
● Location of the file: wp-content/debug.log
● Permissions: chmod 600
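What the three constants mean in practice on a production site, as an added example (not from the presentation): the weak combination renders every notice and fatal error into the HTML response, while the hardened one keeps the information in a file. The log path is a constructed placeholder; the custom-path form of WP_DEBUG_LOG goes slightly beyond the slide and requires WordPress 5.1 or newer.

```php
<?php
// Added example (not the presenter's code): debug settings in wp-config.php.
// These lines must sit above "/* That's all, stop editing! Happy publishing. */".

// WEAK (commented out): errors, including full file paths and SQL fragments, are
// printed to every visitor.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// HARDENED: keep collecting notices while investigating, but never show them.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );   // WordPress also sets display_errors=0 for you

// Default (true) writes wp-content/debug.log, which is inside the web root and
// readable over HTTP unless the web server blocks it. Since WordPress 5.1 a path
// is accepted, so the log can live above the web root (placeholder path below).
define( 'WP_DEBUG_LOG', '/var/www/private/wp-debug.log' );

// Fatal errors raised before WordPress applies the constants above (for example a
// syntax error in a plugin file) still obey PHP's own setting, so force it too.
@ini_set( 'display_errors', '0' );

// When the investigation is over, switch debugging off altogether:
// define( 'WP_DEBUG', false );
```

Whichever location is used, the log file should be owned by the PHP user and kept at chmod 600 as on the slide, so neither other accounts on the host nor the web server's static-file handler can read it.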
Exposure of the Version
● Meta tag generator in the HTML and XHTML markup
● Tag generator in the ATOM, RSS 2 (posts and comments) and RDF feeds
● In comments in the HTML code
● In comments in the export file
● In URL parameters
● In core files:
  ● /readme.html
  ● /wp-admin/install.php
  ● /wp-admin/upgrade.php
  ● /wp-links-opml.php
Block the Exposure of the Version
● Files that are not necessary:
  ● /readme.html
  ● /license.txt
  ● /wp-config-sample.php
● Temporary files:
  ● /wp-admin/install.php
  ● /wp-admin/upgrade.php
● Overwrite the version string reported by WordPress:
function remove_version() {
    global $wp_version;
    $wp_version = 'version_hidden';
}
add_action( 'init', 'remove_version' );
Full Path Disclosure
● FPD exposes the application's path on the server disk.
Prevent Full Path Disclosure
● Block direct access to the files in the wp-includes directory.
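One plugin file that serves both of the preceding topics, version exposure and full path disclosure, as an added example rather than the presenter's code or the don-security plugin. The plugin name and function name are assumptions. Instead of overwriting the global $wp_version on init (which also changes what core's own update check reports to api.wordpress.org), it removes the generator output at the hooks that emit it and strips the core version from asset URLs. The ABSPATH guard at the top is the standard mitigation for the FPD mechanism: requesting a plugin file directly makes PHP call a WordPress function that does not exist yet, and the resulting fatal error prints the absolute path when errors are displayed.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (hypothetical name, added example)
 *
 * Added example, not the presenter's code.
 */

// Direct-access guard. Outside the WordPress bootstrap remove_action() is
// undefined; failing here with a 403 discloses nothing about the file system.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// <meta name="generator"> in <head> and <generator> in RSS/Atom/RDF feeds both
// go through wp_generator() / the_generator(), so two lines cover the markup and
// feed bullets of the "Exposure of the Version" slide.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// ?ver=<core version> on enqueued core styles and scripts (the "URL parameters"
// bullet). Only the core version is removed: plugin and theme assets keep their
// own ver value, so cache busting for them keeps working.
function donini_strip_core_version( $src ) {
    global $wp_version;
    $query = (string) wp_parse_url( $src, PHP_URL_QUERY );
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'donini_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'donini_strip_core_version', 9999 );
```

The guard does not replace blocking direct access to wp-includes at the web server, and the static files on the slide (readme.html, license.txt, install.php) still have to be removed or blocked separately; this file only handles what PHP itself emits.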
How to protect your Database
● Proper permissions
● Table prefix:
$table_prefix = 'wpd_my_site_';
https://codex.wordpress.org/Database_Description
SQL Injection
● Before you pick a plugin or theme, check the WPScan Vulnerability Database to see whether it is clean.
● Avoid SQL injection in your themes and plugins by using $wpdb->prepare():
$sql = $wpdb->prepare( '[MY-SQL-QUERY]', $variable );
$sql = $wpdb->prepare( 'MY-SQL-QUERY-WITH-STRING-%s-INT-%d-FLOAT-%f', $string, $integer, $float );
http://codex.wordpress.org/Class_Reference/wpdb
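The prepare() placeholders in context, as an added example that is not from the presentation: the same lookup written with string concatenation and with placeholders, plus the LIKE case that prepare() alone does not handle. The table name and columns are constructed for the example; only the $wpdb API itself is real.

```php
<?php
// Added example (not the presenter's code). Assumes a custom table
// "{$wpdb->prefix}donations" with columns id, donor, amount (constructed).

// VULNERABLE: the caller's string is pasted into the SQL. A donor value
// containing a quote changes the query instead of being matched as data.
function find_donor_unsafe( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'donations';
    return $wpdb->get_results( "SELECT id, donor, amount FROM {$table} WHERE donor = '{$name}'" );
}

// SAFE: typed placeholders; prepare() quotes %s and casts %d / %f, so the value
// can only ever be data. The table name comes from $wpdb->prefix, never from input.
function find_donor_safe( $name, $min_amount = 0.0, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'donations';
    $sql   = $wpdb->prepare(
        "SELECT id, donor, amount FROM {$table} WHERE donor = %s AND amount >= %f LIMIT %d",
        $name,
        $min_amount,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// LIKE: %s protects the quotes, but "%" and "_" inside the value are still
// wildcards, so escape the fragment with esc_like() before adding your own.
function search_donors( $fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'donations';
    $like  = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, donor FROM {$table} WHERE donor LIKE %s", $like )
    );
}

// Identifiers (column used for ORDER BY, etc.) cannot go through %s. Allow-list
// them instead of interpolating user input. (WordPress 6.2+ also offers %i.)
function list_donors_sorted( $order_by ) {
    global $wpdb;
    $allowed  = array( 'donor', 'amount', 'id' );
    $order_by = in_array( $order_by, $allowed, true ) ? $order_by : 'id';
    $table    = $wpdb->prefix . 'donations';
    return $wpdb->get_results( "SELECT id, donor, amount FROM {$table} ORDER BY {$order_by} ASC" );
}
```

A quick way to see the difference during review: call both lookup functions with a donor name that contains a single quote and compare $wpdb->last_query; the prepared version shows the quote escaped inside the literal, the concatenated one shows it terminating the literal.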
Nonces
● Protect URLs, including AJAX calls
● Protect forms
https://codex.wordpress.org/WordPress_Nonces
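Both uses on the slide in one plugin file, as an added example that is not the presenter's code: a form protected with wp_nonce_field()/check_admin_referer(), and an AJAX handler protected with wp_create_nonce()/check_ajax_referer(). The action names, option key, hook names and the ajax.js file are constructed for the example.

```php
<?php
// Added example (not the presenter's code). Hook/action/option names are assumed.

// 1. FORM: emit a nonce field, then verify it before acting on the POST.
function donini_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="donini_save_settings">
        <?php wp_nonce_field( 'donini_save_settings', 'donini_nonce' ); ?>
        <input type="email" name="contact_email">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function donini_handle_settings_form() {
    // Dies with a 403 page if the nonce is missing, invalid or expired (24h lifetime).
    check_admin_referer( 'donini_save_settings', 'donini_nonce' );
    // A nonce proves intent (the request came from our form), not permission:
    // the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    update_option( 'donini_contact_email', $email );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_donini_save_settings', 'donini_handle_settings_form' );

// 2. AJAX: hand the nonce to the browser with the script, verify it in the handler.
function donini_enqueue_ajax() {
    wp_enqueue_script( 'donini-ajax', plugins_url( 'ajax.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'donini-ajax', 'doniniAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'donini_ajax_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'donini_enqueue_ajax' );

function donini_ajax_handler() {
    // Reads $_REQUEST['security']; on failure replies -1 with HTTP 403 and stops.
    check_ajax_referer( 'donini_ajax_action', 'security' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_send_json_success( array( 'post_id' => $post_id, 'title' => get_the_title( $post_id ) ) );
}
add_action( 'wp_ajax_donini_action', 'donini_ajax_handler' );
// Deliberately no wp_ajax_nopriv_donini_action: anonymous callers get a 400
// from admin-ajax.php before the handler is reached.
```

The browser side (ajax.js) posts action=donini_action, post_id and security=doniniAjax.nonce to doniniAjax.url. Nonces are tied to the logged-in user and session, so a link or form copied into another user's browser fails the check even if the URL is otherwise identical.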
SSL in WordPress
● Define the use of SSL in wp-config.php:
define( 'FORCE_SSL_LOGIN', true ); // Force SSL only on login (deprecated since WordPress 4.0; use FORCE_SSL_ADMIN)
define( 'FORCE_SSL_ADMIN', true ); // Force SSL on all administrative pages, including login
● Redirect all HTTP traffic to HTTPS in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Protect the File wp-config.php
● Where it is normally placed: /public_html/wp-config.php
● Where it is suggested to place it (one directory above the web root): /wp-config.php
https://codex.wordpress.org/Editing_wp-config.php
DISALLOW_FILE_EDIT versus DISALLOW_FILE_MODS
● DISALLOW_FILE_EDIT: disables editing of theme and plugin files from the admin panel
● DISALLOW_FILE_MODS: disables all file changes (including plugin and theme installs) and automatic updates
WordPress Updating
● Almost 60% of WordPress installations in the world are outdated.
● As discussed before, keeping the environment updated minimizes vulnerabilities and hacking attempts.
● By "update" we mean updating the WordPress core, themes, plugins, the operating system and all related applications, such as Apache/Nginx, PHP, MySQL, etc. Outdated systems can leave doors open and make hacking attempts easier.
https://codex.wordpress.org/Updating_WordPress
@donini
https://github.com/donini/don-security
https://wordpress.org/plugins/don-security/