Keep your site safe

Jeremy Herve
November 03, 2015

A few important WordPress security principles

http://jeremy.hu/wpbudapest-security/

Transcript

  1. SECU-WHAT? / Take the time to learn and understand.
     • Link injections
     • Defacement of your whole site
     • Information gathering

  2. WHY? / What makes hackers tick
     • Money
     • Hack other sites through your site
     • Information gathering
     • Hacktivism
     • For the lulz

  3. WRONG! / Common WP security misconceptions
     • “I’m not a target”
     • “I’m safe, I use X security plugin”
     • “I’m safe, I hide my WP version / log in page”
     • “WordPress is not secure”

  4. GOOD PRACTICES / Pick a good host
     • PHP version
     • Specialized in WordPress
     • Update policy
     • Brute Force prevention measures
     • SSH access

  5. GOOD PRACTICES / Audit of your WordPress use
     • Lock down registrations
     • List of admins
     • List of plugins & themes
     • Update policy
     • Edit code from your dashboard
     • Pingbacks
     • Lock down some options
     • Lock down dashboard access
     • XML-RPC access
  6. GOOD PRACTICES / Lock down registrations

     // Can't enable user registrations.
     // A pre_option_* filter that returns anything but false short-circuits the
     // database lookup, so the value saved in Settings > General no longer matters.
     function jeherve_option_users_can_register( $value ) {
         return '0';
     }
     add_filter( 'pre_option_users_can_register', 'jeherve_option_users_can_register' );

     // Default role to subscriber, the least privileged built-in role.
     function jeherve_option_default_role( $value ) {
         return 'subscriber';
     }
     add_filter( 'pre_option_default_role', 'jeherve_option_default_role' );
  7. GOOD PRACTICES / Audit of your WordPress use (the checklist from slide 5, repeated)

  8. GOOD PRACTICES / Pick the right plugin / theme
     • Don’t keep deactivated plugins
     • Is the plugin maintained?
     • Who’s the maintainer?
     • How popular is it?

  9. GOOD PRACTICES / Audit of your WordPress use (the checklist from slide 5, repeated)
  10. GOOD PRACTICES / Don’t edit code via wp-admin

     // Don’t use the dashboard to edit code. Really.
     // Goes in wp-config.php; it removes the theme and plugin editors from wp-admin.
     define( 'DISALLOW_FILE_EDIT', true );
  11. GOOD PRACTICES / Audit of your WordPress use (the checklist from slide 5, repeated)
  12. GOOD PRACTICES / Disable ping backs

     // Force deactivate pingbacks by removing the method from the XML-RPC method table.
     function jeherve_deactivate_pings( $methods ) {
         unset( $methods['pingback.ping'] );
         return $methods;
     }
     add_filter( 'xmlrpc_methods', 'jeherve_deactivate_pings' );
  13. GOOD PRACTICES / Audit of your WordPress use (the checklist from slide 5, repeated)
  14. GOOD PRACTICES / Lock down some options

     // No one should be able to change the admin email address.
     // Replace the placeholder below with the address the site should always use.
     function jeherve_option_admin_email( $value ) {
         return '[email protected]';
     }
     add_filter( 'option_admin_email', 'jeherve_option_admin_email' );
  15. GOOD PRACTICES / Audit of your WordPress use (the checklist from slide 5, repeated)
  16. GOOD PRACTICES / Lock down dashboard access

     # Save as .htaccess and upload to the wp-admin/ folder.
     # Block access to wp-admin from everywhere except your own address (x.x.x.x).
     order deny,allow
     allow from x.x.x.x
     deny from all

     # Allow access to wp-admin/admin-ajax.php, which front-end code also calls.
     <Files admin-ajax.php>
         Order allow,deny
         Allow from all
         Satisfy any
     </Files>
  17. GOOD PRACTICES / Audit of your WordPress use (the checklist from slide 5, repeated)
  18. GOOD PRACTICES / Disable XML-RPC

     // In a plugin.
     // Note: this filter only disables the XML-RPC methods that require
     // authentication; unauthenticated methods such as pingback.ping stay reachable.
     add_filter( 'xmlrpc_enabled', '__return_false' );

     # In .htaccess: blocks the endpoint entirely (this also breaks anything that
     # talks to the site over XML-RPC, Jetpack included).
     <Files xmlrpc.php>
         order deny,allow
         deny from all
     </Files>
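The "Audit of your WordPress use" checklist (slides 5 to 18) is a list of settings to verify by hand. As an added example, not code from the talk, the must-use plugin below turns that checklist into a report: it reads the same settings the slides lock down (registrations, default role, administrator accounts, deactivated plugins, DISALLOW_FILE_EDIT, XML-RPC and pingbacks) and lists anything still open, both as a dashboard notice and as a WP-CLI command. Saving it under wp-content/mu-plugins/ means it loads on every request and cannot be deactivated from wp-admin, which is also where the lock-down filters from the slides belong. The `wpbudapest_` prefix and the `hardening-audit` command name are assumptions.

```php
<?php
/**
 * Plugin Name: Hardening audit (added example, not from the talk)
 * Description: Reports the items on the "Audit of your WordPress use" checklist.
 *
 * Save as wp-content/mu-plugins/hardening-audit.php. The "wpbudapest_" prefix
 * and the WP-CLI command name are assumptions made for this example.
 */

function wpbudapest_audit_findings() {
    // get_plugins() / is_plugin_active() live in an admin include that is not
    // loaded on the front end or under WP-CLI.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $findings = array();

    // Registrations: open sign-up and a privileged default role are both risks.
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = 'Open user registration is enabled.';
    }
    $role = get_option( 'default_role' );
    if ( 'subscriber' !== $role ) {
        $findings[] = "Default role for new users is '$role', not 'subscriber'.";
    }

    // List of admins: every administrator is an account you must keep track of.
    $admins     = get_users( array( 'role' => 'administrator', 'fields' => 'user_login' ) );
    $findings[] = sprintf( '%d administrator account(s): %s', count( $admins ), implode( ', ', $admins ) );

    // List of plugins: a deactivated plugin is still code on disk.
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $findings[] = 'Deactivated plugin still installed: ' . $data['Name'] . " ($file)";
        }
    }

    // Edit code from your dashboard.
    if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
        $findings[] = 'Theme and plugin editors are reachable from wp-admin (DISALLOW_FILE_EDIT is not set).';
    }

    // XML-RPC: xmlrpc_enabled only governs methods that need authentication, so
    // pingbacks are checked separately by running the xmlrpc_methods filter over
    // a minimal method table and seeing whether pingback.ping survives.
    if ( apply_filters( 'xmlrpc_enabled', true ) ) {
        $findings[] = 'Authenticated XML-RPC methods are enabled.';
    }
    $methods = apply_filters( 'xmlrpc_methods', array( 'pingback.ping' => 'this:pingback_ping' ) );
    if ( isset( $methods['pingback.ping'] ) ) {
        $findings[] = 'pingback.ping is still registered (pingbacks are accepted).';
    }

    return $findings;
}

// Show the report to administrators in the dashboard ...
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Hardening audit</strong></p><ul>';
    foreach ( wpbudapest_audit_findings() as $finding ) {
        echo '<li>' . esc_html( $finding ) . '</li>';
    }
    echo '</ul></div>';
} );

// ... and on the command line, as `wp hardening-audit`.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'hardening-audit', function () {
        foreach ( wpbudapest_audit_findings() as $finding ) {
            WP_CLI::line( $finding );
        }
    } );
}
```

The administrator line is always reported, not only when something is wrong: the point of "List of admins" is to look at the list regularly, since an account you did not create is one of the first signs of a compromise. If the notice is too noisy on every admin page, hook it to a dedicated settings page instead and keep the WP-CLI command for cron or a monitoring job.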
  19. P@$$WORDS / A strong, unique password
     • Use a password manager
     • 1Password
     • Keepass
     IF YOU CAN REMEMBER IT, IT’S NOT STRONG ENOUGH

  20. P@$$WORDS / Make it hard everywhere
     • SFTP instead of FTP
     • SSH Key pair instead of password
     • cPanel, PHPMyadmin
     • Domain registrar

  21. P@$$WORDS / Use 2 factor authentication
     • Use 2FA everywhere
     • In your WordPress dashboard
     • Authy
     • Google Authenticator
     • Clef
     • Jetpack

  22. FIREWALLS / Detect hackers before they get to your site
     • WAF (Web Application Firewall)
     • Sucuri, CloudFlare, Incapsula, SiteLock
     • fail2ban, ModSecurity
     • Jetpack Protect
     • Your host, again
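fail2ban is listed above as a way to detect brute force attempts before they get anywhere, but it can only ban what it can see, and WordPress does not log failed logins anywhere by default. As an added example, not code from the talk, the must-use plugin below writes every failed and successful login to syslog in a fixed format, and the comment at the end shows the matching fail2ban filter and jail. The `wpbudapest_` prefix, the `wordpress` syslog identifier and the fail2ban file paths are assumptions.

```php
<?php
/**
 * Plugin Name: Login events to syslog (added example, not from the talk)
 * Description: Logs authentication failures in a form fail2ban can ban on.
 *
 * Save in wp-content/mu-plugins/. The "wpbudapest_" prefix, the syslog ident
 * and the fail2ban paths below are assumptions made for this example.
 */

function wpbudapest_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for. Behind a
    // WAF or CDN (Sucuri, CloudFlare, ...) every request arrives from the proxy,
    // so the host has to restore the real client address (mod_remoteip or the
    // like); do not read X-Forwarded-For here yourself, or forged headers end up
    // getting innocent addresses banned.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpbudapest_auth_log_line( $event, $username ) {
    // Strict sanitising keeps newlines and control characters out of the log, so
    // a crafted username cannot forge or break the line fail2ban matches on.
    return sprintf( '%s for %s from %s', $event, sanitize_user( $username, true ), wpbudapest_client_ip() );
}

function wpbudapest_syslog( $line ) {
    openlog( 'wordpress', LOG_NDELAY | LOG_PID, LOG_AUTH );
    syslog( LOG_NOTICE, $line );
    closelog();
}

// wp_authenticate() fires wp_login_failed for wp-login.php and for XML-RPC
// logins alike, so both paths end up in the same log.
add_action( 'wp_login_failed', function ( $username ) {
    wpbudapest_syslog( wpbudapest_auth_log_line( 'Authentication failure', $username ) );
} );

// Successful logins are worth a line as well ("monitor activity on the site").
add_action( 'wp_login', function ( $user_login ) {
    wpbudapest_syslog( wpbudapest_auth_log_line( 'Accepted login', $user_login ) );
} );

/*
 * Matching fail2ban configuration (assumed paths; LOG_AUTH usually lands in
 * /var/log/auth.log on Debian/Ubuntu and /var/log/secure on RHEL-style systems).
 *
 * /etc/fail2ban/filter.d/wordpress.conf
 *   [INCLUDES]
 *   before = common.conf
 *   [Definition]
 *   failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
 *
 * /etc/fail2ban/jail.local
 *   [wordpress]
 *   enabled  = true
 *   filter   = wordpress
 *   logpath  = /var/log/auth.log
 *   port     = http,https
 *   maxretry = 5
 */
```

A resulting log line looks like `wordpress[1234]: Authentication failure for admin from 203.0.113.5` (constructed sample), which is what the `failregex` above matches. Since the ban happens in the firewall rather than in PHP, the blocked client never reaches WordPress again for the ban duration, which is exactly the "detect hackers before they get to your site" point of the slide.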
  23. PLUGINS / Many good security plugins in the repo
     • iThemes Security
     • All In One WP Security
     • WordFence
     • Sucuri Security
     • Bulletproof Security

  24. MONITORING / Because you’re never done
     • Educate your clients: updating is important
     • Change passwords often
     • Monitor activity on the site
     • Use a backup service
     • Use a security scanning service