Useful Tips Shield Your WordPress Site

How to increase security and protect your WordPress site against possible attacks. Rodrigo Donini shares some of his experiences from projects he has worked on.

Rodrigo Donini

June 29, 2017

Transcript

  1. Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

     HELLO! I'm Donini. You can find me on Twitter, GitHub and LinkedIn as @donini. My Site / Blog: www.donini.me
  2. WHAT IS?

     Hire the top 3% of the best freelancers in the world. >>> http://bit.ly/donini-toptal <<<
  3. Security in WordPress

     • Proper configuration
     • Proper development / good practices
     • Keep the environment updated
     https://codex.wordpress.org/Hardening_WordPress
  4. WPScan

     • Detects the WordPress version
     • Enumerates known vulnerabilities
     • Enumerates users and breaks weak passwords
     • Enumerates installed plugins and themes
     • Others
     http://wpscan.org
     https://wpvulndb.com
  5. Users and Passwords

     • Remove or rename users whose login contains the word "admin", and the user with ID 1.
  6. Users and Passwords

     • Block access to the user list. URL patterns that enumerate users:
        http://www.meu-site.com.br/?author=1
        http://www.meu-site.com.br/authors/admin
       Adding rules to your .htaccess file is one way to do it:
        # Redirect /?author=N requests to the home page
        RewriteCond %{REQUEST_URI} ^/$
        RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
        # The trailing ? drops the original query string so the redirect cannot loop
        RewriteRule ^(.*)$ http://www.meu-site.com.br/? [L,R=301]
  7. Use Strong Passwords

     • Change your passwords frequently, especially if you log in from public places.
     https://en.support.wordpress.com/selecting-a-strong-password/
  8. Secret Keys

     • Increase security with these hashes (the unique keys and salts for wp-config.php):
     https://api.wordpress.org/secret-key/1.1/salt/
  9. Two Step Authentication

     • Add more layers of security with SMS, QR code and PIN
     https://codex.wordpress.org/Two_Step_Authentication
  10. Debugging and Its Implications

     • The constants involved:
       • WP_DEBUG
       • WP_DEBUG_LOG
       • WP_DEBUG_DISPLAY
     https://codex.wordpress.org/Debugging_in_WordPress
  11. Location and Protection of the debug.log File

     • Location of the file: wp-content/debug.log
     • Permissions: chmod 600
     • Deny web access to it (.htaccess):
        <Files debug.log>
            Order allow,deny
            Deny from all
        </Files>
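The three debug constants from the previous slides, shown as an added wp-config.php example (not from the deck): the weak setting that renders PHP errors, and with them file paths, to every visitor, next to the hardened setting that keeps the log for operators only. The log path is a constructed placeholder.

```php
<?php
// Added example: production debug settings for wp-config.php.

// Weak: errors are printed into the page for every visitor, and the log is
// written to wp-content/debug.log, which is web-readable unless the <Files>
// rule on the slide is in place.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );
// define( 'WP_DEBUG_LOG', true );

// Hardened: keep logging, render nothing to visitors.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 ); // belt and braces: PHP's own setting too

// Since WordPress 5.1 WP_DEBUG_LOG also accepts a file path, so the log can
// live outside the document root instead of wp-content/debug.log.
// The path below is a constructed placeholder; it must be writable by the web server user.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );
```

With the log outside the web root, the chmod 600 and the <Files> rule still apply to any copy that remains under wp-content.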
  12. Exposure of the Version

     • Meta tag "generator" in the HTML and XHTML markup
     • Tag "generator" in the Atom, RSS 2 (posts and comments) and RDF feeds
     • In comments in the HTML code
     • In comments of the export file
     • In URL parameters
     • In core files:
       • /readme.html
       • /wp-admin/install.php
       • /wp-admin/upgrade.php
       • /wp-links-opml.php
  13. Block the Exposure of the Version

     • Files that are not necessary:
       • /readme.html
       • /license.txt
       • /wp-config-sample.php
     • Temporary files:
       • /wp-admin/install.php
       • /wp-admin/upgrade.php
     • Deny web access to them (.htaccess):
        <Files name-of-file>
            Order allow,deny
            Deny from all
        </Files>
     • Remove the version:
        function remove_version() {
            global $wp_version;
            $wp_version = 'version_hidden';
        }
        add_action( 'init', 'remove_version' );
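An added example (not the deck's code) that removes the version from the places slide 12 lists, using WordPress filters rather than overwriting the $wp_version global, which core also reads when it checks for updates. Function names are constructed.

```php
<?php
// Added example: hide the WordPress version with filters (theme functions.php or a plugin).

// The meta generator tag in <head> and the <generator> element in the
// RSS/Atom/RDF feeds are both built through the 'the_generator' filter.
function donini_demo_hide_generator() {
    return '';
}
add_filter( 'the_generator', 'donini_demo_hide_generator' );
remove_action( 'wp_head', 'wp_generator' ); // the <head> hook itself

// Scripts and styles are enqueued as /file.js?ver=<wp_version> ("In URL
// parameters" on slide 12); strip the ?ver= argument from core assets.
function donini_demo_strip_ver( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'donini_demo_strip_ver', 999 );
add_filter( 'style_loader_src', 'donini_demo_strip_ver', 999 );
```

Dropping ?ver= also drops cache busting for those assets, so clear caches after core updates; readme.html and the other core files still need the <Files> rule above, since they are static.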
  14. Full Path Disclosure

     • FPD exposes the application's path on the server disk.
  15. Prevent Full Path Disclosure

     • Block direct access to the files in the wp-includes directory (.htaccess):
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteRule ^wp-admin/includes/ - [F,L]
            RewriteRule !^wp-includes/ - [S=3]
            RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
            RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
            RewriteRule ^wp-includes/theme-compat/ - [F,L]
        </IfModule>
     • Test that your function exists, so a plugin or theme file requested directly (outside WordPress) exits instead of failing with an error that reveals the path:
        <?php if ( ! function_exists( 'mi_function' ) ) exit; ?>
  16. How to Protect Your Database

     • Proper permissions
     • Table prefix (wp-config.php):
        $table_prefix = 'wpd_my_site_';
     https://codex.wordpress.org/Database_Description
  17. SQL Injection

     • Before you pick a plugin or theme, check the WPScan Vulnerability Database to see whether it is clean
     • Avoid SQL injection in your themes and plugins by binding values with $wpdb->prepare() (%s string, %d integer, %f float, passed in the same order as the placeholders):
        $sql = $wpdb->prepare( '[MY-QUERY-SQL]', $variable );
        $sql = $wpdb->prepare( 'MY-QUERY-SQL-WITH-STRING-%s-INT-%d-FLOAT-%f', $string, $integer, $float );
     http://codex.wordpress.org/Class_Reference/wpdb
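The same lookup written unsafely and then with $wpdb->prepare(), as an added example that is not from the deck. It assumes a loaded WordPress environment ($wpdb); the function names and the post_scores table are constructed.

```php
<?php
// Added example: string concatenation versus $wpdb->prepare() in a plugin.

// VULNERABLE: the request value is concatenated straight into the SQL text.
// A single quote in $email ends the string literal and whatever follows is
// parsed as SQL, so the query no longer means what the developer wrote.
function donini_demo_find_user_unsafe( $email ) {
    global $wpdb;
    $sql = "SELECT ID, user_login FROM {$wpdb->users} WHERE user_email = '" . $email . "'";
    return $wpdb->get_row( $sql );
}

// HARDENED: prepare() escapes and quotes the value for the %s placeholder,
// so the input can only ever be compared as data.
function donini_demo_find_user_safe( $email ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_email = %s",
        $email
    );
    return $wpdb->get_row( $sql );
}

// Several placeholders: %s string, %d integer, %f float, bound in argument
// order. %d also works for LIMIT because integers are not quoted.
function donini_demo_top_posts( $status, $author_id, $min_score, $limit = 10 ) {
    global $wpdb;
    $scores = $wpdb->prefix . 'post_scores'; // constructed plugin table
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT p.ID, p.post_title, s.score
           FROM {$wpdb->posts} p
           JOIN {$scores} s ON s.post_id = p.ID
          WHERE p.post_status = %s AND p.post_author = %d AND s.score >= %f
          ORDER BY s.score DESC LIMIT %d",
        $status, $author_id, $min_score, $limit
    ) );
}
```

Table and column names cannot be placeholders; use the $wpdb->users / $wpdb->posts properties or a whitelist of your own, never request input, for those parts of the query.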
  18. Nonces

     • Protect URLs, including AJAX calls
     • Protect forms
     https://codex.wordpress.org/WordPress_Nonces
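Both cases from the slide, a form and an admin-ajax call, protected with nonces, as an added example that is not from the deck. Action, field and function names are constructed; it assumes the code runs inside a plugin.

```php
<?php
// Added example: nonces on a form (admin-post.php) and on an AJAX request (admin-ajax.php).

// 1. Form: emit the nonce field, then verify it before doing anything.
function donini_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="donini_demo_save">';
    wp_nonce_field( 'donini_demo_save_action', 'donini_demo_nonce' ); // hidden field + referer
    echo '<input type="text" name="note"><button type="submit">Save</button></form>';
}

function donini_demo_handle_form() {
    // Dies with a 403 ("The link you followed has expired") if the nonce is missing or stale.
    check_admin_referer( 'donini_demo_save_action', 'donini_demo_nonce' );
    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'donini_demo_note', sanitize_text_field( wp_unslash( $_POST['note'] ) ) );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_donini_demo_save', 'donini_demo_handle_form' ); // logged-in users only

// 2. AJAX: hand the nonce to the script, then require it on every request.
function donini_demo_enqueue() {
    wp_enqueue_script( 'donini-demo', plugins_url( 'demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // demo.js (constructed) posts { action: 'donini_demo_get_note', security: doniniDemo.nonce } to ajaxUrl.
    wp_localize_script( 'donini-demo', 'doniniDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'donini_demo_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'donini_demo_enqueue' );

function donini_demo_ajax_handler() {
    check_ajax_referer( 'donini_demo_ajax', 'security' ); // reads $_REQUEST['security'], dies with -1 on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'note' => get_option( 'donini_demo_note', '' ) ) );
}
add_action( 'wp_ajax_donini_demo_get_note', 'donini_demo_ajax_handler' );
```

Nonces are tied to the logged-in user and rotate every 12 hours (valid for 24), so a nonce rendered into a cached page will eventually fail; generate them per request, not at cache time.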
  19. SSL in WordPress

     • Define the use of SSL (wp-config.php):
        define( 'FORCE_SSL_LOGIN', true ); // Force SSL only on the login page
        define( 'FORCE_SSL_ADMIN', true ); // Force SSL in the whole admin area, including login
     • Redirect all HTTP requests to HTTPS (.htaccess):
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  20. Directory Protection

     • Apache configuration file:
        <Directory /var/www/html>
            Options -Indexes
        </Directory>
     • .htaccess file:
        # Disable directory listing
        Options -Indexes
     • index.html and index.php files in each directory:
        <?php // Silence is Golden
  21. Protect the File wp-config.php

     • Where it is normally placed: /public_html/wp-config.php
     • Where it is suggested to place it (one level above the web root): /wp-config.php
     https://codex.wordpress.org/Editing_wp-config.php
  22. DISALLOW_FILE_EDIT versus DISALLOW_FILE_MODS

     • DISALLOW_FILE_EDIT: disables editing of theme and plugin files from the dashboard
     • DISALLOW_FILE_MODS: disables file changes (installing and editing themes and plugins) and automatic updates.
  23. WordPress Updating

     • Almost 60% of WordPress installations in the world are outdated.
     • As discussed before, keeping the environment updated minimises the vulnerabilities and the attempts at hacking.
     • When we talk about updating, we mean updating the WordPress core, themes, plugins and the operating system, plus all related applications such as Apache/Nginx, PHP, MySQL, etc. Outdated systems can leave doors open and make attacks easier.
     https://codex.wordpress.org/Updating_WordPress
  24. Other Security Plugins

     • Wordfence - www.wordfence.com
     • Sitelock - www.sitelock.com
     • iThemes Security - ithemes.com/security
  25. @donini

     https://github.com/donini/don-security
     https://wordpress.org/plugins/don-security/
  26. THANKS!

     You can find me on Twitter, GitHub and LinkedIn as @donini. My Site / Blog: www.donini.me Any questions?