WP Security

Tips and techniques to lock down WP

Jake Chamberlain

July 02, 2014
Transcript

  1. Protection - Core Ideas
     1. Understand your environment.
     2. Obscure: make the install as non-default as possible, so it is harder to fingerprint.
     3. Functionality: only include what you truly need.
     4. Enforce strong information
  2. Protection - The Environment
     Server - LAMP: Linux*, Apache**, MySQL, PHP
       * or Windows
       ** or NGINX
     WordPress core
     Themes
     Plugins
     User (interaction/input)
  3. Protection - Vulnerabilities
     Injection - inserting extra code through user input
     Remote File Inclusion (RFI) - tricking the site into including extra files
     Remote File Execution - like RFI; may send data elsewhere or inject another server script from a remote source
     Brute Force / Dictionary attack - constantly hitting the login with a DB of common words and phrases
  4. Protection - Connecting / Editing
     1. SSH/SFTP instead of plain FTP
     2. Keep each site in a separate DB with a separate user
     3. Only give the MySQL user the permissions it actually needs
     4. Make sure file permissions are correct
        755 directories - find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
        644 files - find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
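The two find/chmod commands above fix a tree once; an added example (not from the original deck) wraps them in a script that also locks down wp-config.php and re-checks the tree for anything still world-writable, so the check can run after every deploy. It assumes a POSIX shell with find, chmod and stat; the install root is the hypothetical path passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original deck: apply the 755/644 baseline from the
# slide, tighten wp-config.php further, and audit for anything still
# world-writable. Assumes a POSIX shell with find, chmod and stat; the install
# root is whatever path you pass as the first argument (hypothetical).

# Print the octal mode of one path (GNU stat first, BSD stat as fallback).
wp_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Baseline from the slide: directories 755, regular files 644.
# wp-config.php holds DB credentials and the salts, so it gets 600 (owner only);
# the deck moves it one directory up, so both locations are covered.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$cfg" ]; then
            chmod 600 "$cfg"
        fi
    done
}

# Audit: list every path still writable by "other". Returns 1 if any is found,
# so the function can gate a deploy script or page from a cron job.
wp_audit_perms() {
    root="$1"
    bad=$(find "$root" -perm -002 -print)
    if [ -n "$bad" ]; then
        printf 'world-writable:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: sh wp-perms.sh /path/to/your/wordpress/install
if [ "$#" -gt 0 ]; then
    wp_fix_perms "$1"
    wp_audit_perms "$1"
fi
```

755/644 assumes the PHP process runs as a different user from the file owner and only needs to read the code. The one directory that must stay writable by the PHP user is wp-content/uploads (or its equivalent under a renamed content directory); give that user ownership of it rather than opening it to everyone.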

  5. Protection - wp-config.php
     1. Move wp-config.php outside of the public directory; WordPress will automatically look one directory up
     2. Generate fresh auth keys and salts
     3. Do not use "wp_" as the table prefix; make it random
        $table_prefix = 'icn_';
     4. Disable file editing
        define('DISALLOW_FILE_EDIT', true);
  6. Protection - wp-config.php
     5. Rename the wp-content directory (plugins that hard-code the wp-content path will break, so test after renaming)
        define('APP_ROOT', __DIR__);
        define('WP_HOME', 'http://localhost:8080');
        define('WP_SITEURL', WP_HOME);
        define('WP_CONTENT_DIR', APP_ROOT.'/content');
        define('WP_CONTENT_URL', WP_HOME.'/content');
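Items 2 to 4 of the wp-config.php slide are the ones that are easy to skip on a copied config. An added example (not from the original deck) generates the fresh keys/salts and a random table prefix from the shell and audits an existing wp-config.php for the defaults the slide warns about. It assumes a POSIX shell with /dev/urandom, base64, tr, head and grep; the config path is whatever you pass in, and the sample config used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the original deck: generate the values the slide asks
# for (fresh keys/salts, a random table prefix) and audit a wp-config.php for
# the defaults it warns about. Assumes a POSIX shell with /dev/urandom, base64,
# tr, head and grep; the config path is hypothetical.

# Emit fresh define() lines for the eight WordPress keys and salts.
# 48 random bytes become 64 base64 characters, which contain no quote
# characters and so drop straight into single-quoted PHP strings.
wp_gen_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        secret=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
        printf "define('%s', '%s');\n" "$name" "$secret"
    done
}

# Emit a random table prefix: six lowercase letters plus the trailing
# underscore, e.g. "qzrtmk_" (letters only, so it is always a valid identifier).
wp_gen_prefix() {
    stem=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 6)
    printf '%s_\n' "$stem"
}

# Audit an existing wp-config.php: one finding per line on stdout, and the
# number of findings as the return code (0 = clean) for use in deploy checks.
wp_check_config() {
    cfg="$1"
    findings=0
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "keys/salts still carry the placeholder text"
        findings=$((findings + 1))
    fi
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "table prefix is the default wp_"
        findings=$((findings + 1))
    fi
    if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh wp-config-check.sh /path/to/wp-config.php   (exit code = findings)
if [ "$#" -gt 0 ]; then
    wp_check_config "$1"
fi
```

Rotating the keys and salts invalidates every existing login cookie, which is exactly what you want after a suspected compromise; changing the table prefix on a live site is a migration (rename the tables and the prefixed option/usermeta rows), so do it at install time.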
  7. Protection - functions.php
     1. Clean up the head: drop the version generator, Windows Live Writer manifest and RSD links, which all advertise that the site runs WordPress
        remove_action('wp_head', 'wp_generator');
        remove_action('wp_head', 'wlwmanifest_link');
        remove_action('wp_head', 'rsd_link');
  8. Protection - Install
     1. Don't use admin, user, or some other generic username
     2. Super Saiyan password: use a generator, 10+ chars
  9. Protection - .htaccess
     1. HTML5 Boilerplate common security fixes
     2. Block direct requests to include-only files (wp-includes)
     Extras
     1. Lock down the login to your IP
     2. Block users by IP
     3. Blacklist known offenders
  10. Protection - WP
     1. Force secure passwords (2-step auth for extra security)
     2. Limit login attempts
     3. Keep everything up to date
     4. Keep permissions slim
     5. Use a security plugin (iThemes Security)
     6. Remove unused plugins and themes
  11. Detection
     1. Antivirus
     2. Scan for vulnerabilities
        - Sucuri SiteCheck http://sitecheck.sucuri.net
     3. Monitor for file changes
  12. Recovery
     1. Backup files
        - Git, or another version control system
        - http://ithemes.com/purchase/backupbuddy/
     2. Backup database
        - http://wordpress.org/plugins/wp-db-backup/
        - phpMyAdmin export
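Plugins and phpMyAdmin need the site to be up and an admin logged in; a recovery plan should also work from a shell on the box or a backup host. An added example (not from the original deck or the tools it links) scripts both halves of the slide, reading the database credentials out of wp-config.php and handing them to mysqldump through a mode-600 option file rather than on the command line, where any local user could read the password from the process list. It assumes a POSIX shell with tar, gzip, sed, mktemp and the mysqldump client; the install root, config path and backup directory are whatever you pass in, and the config used to exercise it is constructed. Its small parser does not handle values that contain an escaped quote (\').

```shell
#!/bin/sh
# Added example, not from the original deck or its linked tools: scripted
# file-plus-database backup driven by the credentials in wp-config.php.
# Assumes a POSIX shell with tar, gzip, sed, mktemp and mysqldump; all paths
# are hypothetical arguments. Values containing \' are not handled.

# Read one define('KEY', 'value') constant out of wp-config.php.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Write a MySQL option file (mode 600, via umask in a subshell) from those
# credentials so the password never appears in `ps` output. The value is
# double-quoted, which my.cnf accepts and which protects '#' and spaces.
wp_mysql_defaults() {
    cfg="$1"; out="$2"
    ( umask 077
      printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' \
          "$(wp_config_value "$cfg" DB_HOST)" \
          "$(wp_config_value "$cfg" DB_USER)" \
          "$(wp_config_value "$cfg" DB_PASSWORD)" > "$out" )
}

# Dump the database named in wp-config.php into $dest and gzip it. Dump and
# compress are separate steps so a failing mysqldump is not hidden behind a
# successful gzip in a pipeline. Prints the archive path.
wp_backup_db() {
    cfg="$1"; dest="$2"
    out="$dest/db-$(date +%Y%m%d-%H%M%S).sql"
    defaults=$(mktemp)
    wp_mysql_defaults "$cfg" "$defaults"
    mysqldump --defaults-extra-file="$defaults" --single-transaction \
        "$(wp_config_value "$cfg" DB_NAME)" > "$out"
    rm -f "$defaults"
    gzip -f "$out"
    printf '%s.gz\n' "$out"
}

# Archive the install tree, plus wp-config.php if it lives one directory up
# as the deck recommends. Prints the archive path.
wp_backup_files() {
    root="$1"; dest="$2"
    out="$dest/files-$(date +%Y%m%d-%H%M%S).tar.gz"
    parent=$(dirname "$root"); name=$(basename "$root")
    if [ -f "$parent/wp-config.php" ]; then
        tar -czf "$out" -C "$parent" "$name" wp-config.php
    else
        tar -czf "$out" -C "$parent" "$name"
    fi
    printf '%s\n' "$out"
}

# Usage: sh wp-backup.sh /path/to/wordpress /path/to/wp-config.php /backups
if [ "$#" -eq 3 ]; then
    wp_backup_files "$1" "$3"
    wp_backup_db "$2" "$3"
fi
```

The archives contain the database password and the salts, so the backup directory needs the same care as wp-config.php itself: owner-only permissions, off the webroot, and copied off the host, since a backup that lives only on the compromised server is not a recovery plan.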