
WordPress Security Tips & Tricks

Chetan Prajapati

December 28, 2019

Transcript

  1. WordPress Security Tips & Tricks
     Chetan Prajapati, Freelance WordPress Developer and WordPress Core Contributor
     T/F/I: iamchetanp
     chetanprajapati.com
  2. Common Types of WordPress Vulnerabilities
     - Outdated WordPress files
     - Backdoor exploits
     - Pharma hacks
     - Weak passwords
     - Malicious redirects
     - Vulnerabilities in the hosting platform
     - Denial of service attacks
  3. Checklist to Choose a Theme or Plugin
     - Changelog
     - Last update
     - Security updates
     - Reviews
     - Support
     - Compatibility
     - Child theme ready
  4. Use Better Usernames
     - Avoid common usernames such as admin or administrator.
     - Choose a username that cannot be guessed.
     - A predictable username hands a brute-force attacker half of the credential pair, leaving only the password to guess.
     Keep in mind that WordPress still discloses login names through author archive slugs and the REST API users endpoint, so treat an unusual username as a speed bump, not a secret; the password and the login limits on the next slide are what actually stop the attack.
  5. Harden Admin Area
     - Rename the login URL
     - Limit failed login attempts
     - Disable XML-RPC
     - Use two-factor authentication
     - Log out idle users
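Three of the five points on this slide (disabling XML-RPC, limiting failed logins and shortening sessions) need no third-party plugin. The must-use plugin below is an added example written for this page, not code from the deck: the file name, the limits (5 failures per client, 15-minute lockout, 30-minute session without "Remember Me") and the use of REMOTE_ADDR as the client key are assumptions to adjust for your environment.

```php
<?php
/**
 * Plugin Name: Harden Admin Area (added example)
 *
 * Added example, not code from the slide deck. Save it as
 * wp-content/mu-plugins/harden-admin.php so it loads on every request.
 * The limits below are assumptions; tune them for your site.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Direct requests to this file get nothing.
}

define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_LOCKOUT_SECS', 15 * 60 );
define( 'HARDEN_SESSION_SECS', 30 * 60 );

// 1. Disable XML-RPC. The filter refuses every request to xmlrpc.php
//    (system.multicall is a popular way to test thousands of passwords in
//    one request); removing rsd_link stops advertising the endpoint in <head>.
add_filter( 'xmlrpc_enabled', '__return_false' );
remove_action( 'wp_head', 'rsd_link' );

/**
 * Transient key for the failed-login counter of the current client.
 * REMOTE_ADDR is only trustworthy when no reverse proxy or CDN sits in
 * front of PHP; behind one, derive the key from the proxy's forwarded
 * header instead (assumption: this site is not behind a proxy).
 */
function harden_client_key(): string {
	return 'harden_failed_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// 2. Limit failed login attempts: count failures per client in a transient
//    that expires after the lockout window ...
add_action( 'wp_login_failed', function () {
	$key   = harden_client_key();
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, HARDEN_LOCKOUT_SECS ); // each failure restarts the window
} );

// ... and, once the limit is reached, reject the login even when the
// password is right. Priority 30 runs after WordPress's own username and
// email password checks (priority 20), so their result cannot override this.
add_filter( 'authenticate', function ( $user ) {
	if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}, 30 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
	delete_transient( harden_client_key() );
} );

// 3. Shorter sessions: the auth cookie normally lives 2 days (14 with
//    "Remember Me"). Keep the long lifetime only when the user asked for it.
//    The lifetime is fixed when the cookie is set, so this caps the session
//    length rather than measuring idle time.
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
	return $remember ? $expiration : HARDEN_SESSION_SECS;
}, 10, 3 );
```

Because WordPress fires `wp_login_failed` for the lockout error as well, every attempt during the lockout restarts the window, which is usually what you want against a scripted attacker. Renaming the login URL and two-factor authentication are left to a dedicated plugin; both are orthogonal to the checks above.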
  6. Harden Your .htaccess and wp-config.php Files

     <Files wp-config.php>
         order allow,deny
         deny from all
     </Files>
     <Files .htaccess>
         order allow,deny
         deny from all
     </Files>
     <Files wp-login.php>
         order deny,allow
         Deny from all
         # allow access from my IP address
         allow from 192.168.1.1
     </Files>

     These are the Apache 2.2 access-control directives; on Apache 2.4 they only work while mod_access_compat is loaded, and the native equivalents are `Require all denied` for the first two blocks and `Require ip 192.168.1.1` for the login block. The IP allow-list only makes sense with a static address (192.168.1.1 is a placeholder), and blocking wp-config.php this way is belt and braces: PHP never serves its contents anyway, but the rule protects you if PHP handling is ever misconfigured.
  7. Disable theme and plugin editing through your WordPress dashboard

     // Disable the theme and plugin file editor
     define( 'DISALLOW_FILE_EDIT', true );

     Put this in wp-config.php above the "That's all, stop editing!" line. It removes the built-in editor that an attacker holding an admin session would use to drop a backdoor into a theme file; `DISALLOW_FILE_MODS` goes one step further and also blocks plugin and theme installs and updates from the dashboard.
  8. Check and Change the File Permissions
     - All directories should be 755 or 750
     - All files should be 644 or 640
     - wp-config.php should be 600
     Mode 600 on wp-config.php assumes PHP runs as the file's owner; where PHP-FPM runs as a different user in the owner's group, 640 is the tightest mode that still lets WordPress read it. Nothing should be world-writable (777): the only directory PHP must write to in normal operation is wp-content/uploads, and the owner's write bit already covers that.
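A script that checks a WordPress tree against exactly this policy and reports (or optionally fixes) deviations, as an added example that is not code from the deck. The document-root path and the `--fix` flag are assumptions; the 07777 mask is deliberate so that a stray setuid or world-writable bit shows up as a violation rather than being masked away.

```php
<?php
/**
 * audit-perms.php: check a WordPress tree against the permission policy
 * on the slide (directories 755/750, files 644/640, wp-config.php 600).
 * Added example, not code from the slide deck. Usage (path is an assumption):
 *     php audit-perms.php /var/www/html
 *     php audit-perms.php /var/www/html --fix
 */

const DIR_MODES  = [ 0755, 0750 ];
const FILE_MODES = [ 0644, 0640 ];
const CONF_MODE  = 0600;

/**
 * Allowed mode set for one path: wp-config.php in the site root is the
 * special case, everything else depends on whether it is a directory.
 */
function expected_modes( string $root, string $path, bool $is_dir ): array {
	if ( $is_dir ) {
		return DIR_MODES;
	}
	if ( dirname( $path ) === $root && basename( $path ) === 'wp-config.php' ) {
		return [ CONF_MODE ];
	}
	return FILE_MODES;
}

/**
 * Walk $root and return [path, actual_mode, expected_mode] for every entry
 * outside the policy. The 07777 mask keeps setuid/setgid/sticky bits, so a
 * file someone made setuid is reported instead of silently passing.
 */
function audit_permissions( string $root ): array {
	$real = realpath( $root );
	if ( $real === false || ! is_dir( $real ) ) {
		throw new RuntimeException( "not a directory: $root" );
	}
	$root     = rtrim( $real, '/' );
	$problems = [];
	$iter     = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
		RecursiveIteratorIterator::SELF_FIRST
	);
	foreach ( $iter as $path => $info ) {
		$actual  = fileperms( $path ) & 07777;
		$allowed = expected_modes( $root, $path, $info->isDir() );
		if ( ! in_array( $actual, $allowed, true ) ) {
			$problems[] = [ $path, $actual, $allowed[0] ];
		}
	}
	return $problems;
}

/** Apply the first (loosest) allowed mode to each violation; returns how many changed. */
function fix_permissions( string $root ): int {
	$changed = 0;
	foreach ( audit_permissions( $root ) as [ $path, , $mode ] ) {
		if ( chmod( $path, $mode ) ) {
			$changed++;
		}
	}
	return $changed;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
	if ( in_array( '--fix', $argv, true ) ) {
		printf( "changed %d entries\n", fix_permissions( $argv[1] ) );
	} else {
		foreach ( audit_permissions( $argv[1] ) as [ $path, $actual, $want ] ) {
			printf( "%s: %04o (expected %04o)\n", $path, $actual, $want );
		}
	}
}
```

Run it without `--fix` first and read the list: a directory the site legitimately writes to, or a wp-config.php that has to be 640 because PHP runs under a different user, is a policy decision rather than a bug, and the fixer would otherwise flatten it.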
  9. Keep Files Up to Date
     - Update WordPress
     - Update themes
     - Update plugins
     - Remove unnecessary themes or plugins
     - Never skip security releases
     - Don't use nulled plugins or themes
  10. Change Your Database Prefix
     - Avoid the default `wp_` database prefix
     - Use a strong, unpredictable prefix
     - You can change it with a plugin or through phpMyAdmin
     The prefix is also stored inside row data: the `wp_user_roles` option and the `wp_capabilities` and `wp_user_level` user-meta keys. Renaming the tables alone, or forgetting `$table_prefix` in wp-config.php, locks every user out, so take a backup and change all of them in one go. This is obscurity rather than a control: anyone with SQL injection can list table names, so it slows down automated attacks without stopping a targeted one.
  11. Change Your WordPress Security Keys

     define('AUTH_KEY',         'put your unique phrase here');
     define('SECURE_AUTH_KEY',  'put your unique phrase here');
     define('LOGGED_IN_KEY',    'put your unique phrase here');
     define('NONCE_KEY',        'put your unique phrase here');
     define('AUTH_SALT',        'put your unique phrase here');
     define('SECURE_AUTH_SALT', 'put your unique phrase here');
     define('LOGGED_IN_SALT',   'put your unique phrase here');
     define('NONCE_SALT',       'put your unique phrase here');

     Replace every placeholder with a long random string; the WordPress secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ returns a ready-made block. Changing any of these keys invalidates every existing authentication cookie and nonce, which logs all users out; that is exactly why rotating them is also on the recovery list after a hack.
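A way to generate the eight values locally when fetching them over the network is not an option, as an added example that is not code from the deck. The alphabet (printable ASCII minus the quote and backslash that would break the PHP string literal) and the 64-character length are choices made here, not requirements of WordPress.

```php
<?php
/**
 * Print eight fresh wp-config.php secret-key defines. Added example,
 * not code from the slide deck. Uses PHP's CSPRNG (random_int), so the
 * result is suitable for the keys even without the WordPress API.
 */

const WP_SECRET_KEYS = [
	'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
	'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/**
 * One random secret of $length characters. The alphabet deliberately
 * excludes the single quote and backslash so the value can be pasted
 * into a single-quoted PHP string without escaping.
 */
function wp_secret( int $length = 64 ): string {
	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
	          . '!@#$%^&*()-_=+[]{}<>?/|~,.:;';
	$max = strlen( $alphabet ) - 1;
	$out = '';
	for ( $i = 0; $i < $length; $i++ ) {
		$out .= $alphabet[ random_int( 0, $max ) ]; // CSPRNG, not rand()/mt_rand()
	}
	return $out;
}

/** The complete block of defines, ready to replace the placeholders. */
function wp_secret_defines(): string {
	$lines = '';
	foreach ( WP_SECRET_KEYS as $name ) {
		$lines .= sprintf( "define('%-18s '%s');\n", $name . "',", wp_secret() );
	}
	return $lines;
}

echo wp_secret_defines();
```

Paste the output over the eight placeholder lines, and plan the change for a quiet moment: everyone, including you, is logged out the instant the new keys are live.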
  12. Disable Error Reporting
     You can disable this by adding the code below to your wp-config.php file:

     error_reporting(0);
     @ini_set('display_errors', 0);

     The goal is to stop stack traces, file paths and database details from reaching visitors. Note that `error_reporting(0)` also silences the error log; if you rely on the log for troubleshooting, keep `display_errors` off and leave reporting on, and make sure any log file under the web root (WordPress's own is wp-content/debug.log) cannot be downloaded.
  13. Use Security Headers
     You can add them yourself from your theme's functions.php file.

     Against cross-site scripting attacks:
     header('Content-Security-Policy: default-src https:');

     X-XSS-Protection and X-Content-Type-Options:
     header('X-XSS-Protection: 1; mode=block');
     header('X-Content-Type-Options: nosniff');

     Three caveats. header() only works before any output, so attach the calls to an early hook such as the `send_headers` action rather than relying on nothing having been printed yet. A policy of `default-src https:` allows scripts from any HTTPS origin, so it does little against XSS, while it blocks the inline scripts and styles WordPress itself prints and breaks the dashboard; start with Content-Security-Policy-Report-Only and tighten it from the reports. X-XSS-Protection is obsolete: Chromium-based browsers removed the auditor it controlled and Firefox never had one, so a real CSP is the replacement.
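The headers from the slide sent the way a practitioner would do it in WordPress, as an added example that is not code from the deck: on hooks that fire before output, with the CSP in report-only mode first and the obsolete X-XSS-Protection dropped. The file name, the `/csp-report` endpoint and the extra headers (X-Frame-Options, Referrer-Policy, HSTS) are assumptions beyond what the slide lists.

```php
<?php
/**
 * Plugin Name: Security Headers (added example)
 *
 * Added example, not code from the slide deck. Save as
 * wp-content/mu-plugins/security-headers.php. Headers go out on hooks
 * that run before any output, and the CSP starts in report-only mode so
 * a policy the theme cannot live with is reported instead of breaking
 * the site. /csp-report is an assumption; point report-uri at whatever
 * collects your reports.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * The header set, built as an array so it can be inspected or tested
 * without calling header(). $enforce flips CSP from report-only to
 * enforced once the reports are clean.
 */
function example_security_headers( bool $enforce, bool $https ): array {
	$csp = implode( '; ', [
		"default-src 'self'",
		// Core, the admin and most themes print inline <script> and <style>;
		// 'unsafe-inline' keeps them working until they are moved to files or
		// given nonces/hashes. A bare "default-src https:" would instead block
		// them all while still allowing scripts from any HTTPS host.
		"script-src 'self' 'unsafe-inline'",
		"style-src 'self' 'unsafe-inline'",
		"img-src 'self' data: https:",
		"object-src 'none'",
		"base-uri 'self'",
		"frame-ancestors 'self'",
		'report-uri /csp-report',
	] );

	$headers = [
		( $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only' ) => $csp,
		'X-Content-Type-Options' => 'nosniff',
		'X-Frame-Options'        => 'SAMEORIGIN',
		'Referrer-Policy'        => 'strict-origin-when-cross-origin',
	];
	if ( $https ) {
		// HSTS only means something on a TLS response; browsers ignore it on http://.
		$headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
	}
	return $headers;
}

function example_send_security_headers(): void {
	if ( headers_sent() ) {
		return; // Too late: something already produced output.
	}
	foreach ( example_security_headers( false, is_ssl() ) as $name => $value ) {
		header( "$name: $value" );
	}
}

// 'send_headers' covers front-end requests, 'admin_init' the dashboard.
add_action( 'send_headers', 'example_send_security_headers' );
add_action( 'admin_init', 'example_send_security_headers' );
```

Leave it in report-only mode until the reports stop showing your own theme and plugins, then change the first argument to `true`. Each `'unsafe-inline'` you can later replace with a nonce or hash is a real reduction in what an injected script can do; until then the policy mostly buys you `object-src`, `base-uri` and framing protection.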
  14. How to Recover From a Hack
     - Confirm the hack and change your password
     - Get in touch with your hosting company
     - Use a backup to restore your site
     - Scan your site for malware
     - Check your site users
     - Change your secret keys
     - Hire a professional
  15. Wrapping Up
     WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it is so popular, it is also a favourite target for hackers.