WordPress Hardening Rules 101

Makis Mourelatos - WordPress Crete meetup 8

makmour

April 08, 2017

Transcript

  1. Who am I?
     Gerasimos Mourelatos, WordPress Consultant / Security Aficionado
     Co-founder @ FixMyWP.com, Co-founder @ HostMyWP.com
  2. THEORIES ABOUT SECURITY
     • SECURE BY DEFAULT
     • SECURE BY DESIGN
     • SECURITY THROUGH OBSCURITY
     • SECURITY THROUGH MINORITY
     • SECURITY THROUGH OBSOLESCENCE
     • PRESUMED SECURITY
  3. WORDPRESS ELEMENTS
     • KEEP YOUR WORDPRESS INSTALLATION UPDATED
     • MAINTAIN ONLY THE NEEDED (ACTIVE) THEMES AND PLUGINS (DELETE THE REST RATHER THAN JUST DEACTIVATING: A DEACTIVATED PLUGIN'S PHP FILES ARE STILL SERVED BY THE WEB SERVER)
     • USE ONLY MODERN THEMES AND PLUGINS
  4. WORDPRESS ELEMENTS
     • BACKUP YOUR SITE: OFFLINE, AUTOMATED AND INCREMENTAL (IF POSSIBLE)
     • NEVER EVER USE NULLED THEMES OR PLUGINS
  5. LOGIN HARDENING
     • ADD SSL TO YOUR SITE OR DASHBOARD
     • DISABLE XML-RPC WHEN POSSIBLE (XMLRPC.PHP ACCEPTS CREDENTIALS TOO, SO PROTECTIONS ON THE LOGIN PAGE ALONE DO NOT COVER IT; JETPACK AND THE MOBILE APPS STILL NEED IT)
     • RENAME WP LOGIN URL (OBSCURITY ONLY; IT REDUCES NOISE, NOT RISK)
  6. LOGIN HARDENING
     • LIMIT LOGIN ATTEMPTS
     • USE TWO FACTOR AUTHENTICATION
     • USE .HTACCESS TO LIMIT LOGIN ONLY FOR SPECIFIC IP(s)
     (image source: theme4press.com)
  7. USERS HARDENING
     • ALLOW 1 OR 2 ADMINS MAX; FOLLOW THE LEAST PRIVILEGE PRINCIPLE
     • USE DIFFICULT TO GUESS PASSWORDS
     • RANDOMIZE ADMIN USERNAMES
     (image source: http://www.leisurejobs.com/staticpages/18285/the-ultimate-li)
  8. FILE ACCESS HARDENING
     • DISABLE PLUGIN AND THEME EDITOR (WP-CONFIG.PHP):
       define('DISALLOW_FILE_EDIT', true);
     • DISALLOW ACCESS TO WP-CONFIG.PHP (.HTACCESS IN THE SITE ROOT):
       <Files wp-config.php>
       order allow,deny
       deny from all
       </Files>
     • DISABLE .PHP FILE EXECUTION UNDER WP-CONTENT/UPLOADS (.HTACCESS IN THAT DIRECTORY):
       <Files *.php>
       deny from all
       </Files>
     (order/deny are Apache 2.2 directives; Apache 2.4 only accepts them with mod_access_compat loaded, otherwise use "Require all denied" inside the same <Files> block)
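The slides above give the Apache rules one at a time. What follows is an added example, not code from the deck or from FixMyWP: a small POSIX shell script that prints the access-control rules for slides 5, 6 and 8 in Apache 2.4 "Require" syntax (the deck's order/deny form is Apache 2.2), validating the admin IP allowlist first so a typo cannot produce a rule that locks the admin out or lets everyone in. It assumes AllowOverride lets .htaccess use <Files> and <FilesMatch>; the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the deck: emit the Apache access-control rules
# behind slides 5, 6 and 8 in Apache 2.4 "Require" syntax. The deck's
# "Order allow,deny / Deny from all" is the 2.2 form, which 2.4 only honours
# with mod_access_compat loaded. Assumes AllowOverride lets .htaccess use
# <Files>/<FilesMatch>. Every address below is a placeholder.

# Accept "a.b.c.d" or "a.b.c.d/NN" and nothing else (return 1 otherwise).
valid_ipv4_cidr() {
    addr="${1%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # digits and dots only, so nothing below can glob or run
    case "$addr" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    saved_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$saved_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# <Files> block that lets only the listed addresses reach FILE. Prints nothing
# and returns 1 on a malformed address: a typo must not silently produce a rule
# that locks the admin out or, worse, lets everyone in.
allow_only_from() {
    file="$1"; shift
    [ $# -gt 0 ] || return 1
    for a in "$@"; do
        valid_ipv4_cidr "$a" || return 1
    done
    printf '<Files "%s">\n    Require ip %s\n</Files>\n' "$file" "$*"
}

# <Files> block that denies FILE to everyone.
deny_all() {
    printf '<Files "%s">\n    Require all denied\n</Files>\n' "$1"
}

# Rules for the site-root .htaccess: wp-login.php only from admin addresses,
# xmlrpc.php closed (it takes credentials too, so login limits on wp-login.php
# alone do not cover it), wp-config.php unreachable. Place these above the
# "# BEGIN WordPress" block that WordPress maintains itself; never replace it.
root_rules() {
    allow_only_from wp-login.php "$@" || return 1
    deny_all xmlrpc.php
    deny_all wp-config.php
}

# Rules for wp-content/uploads/.htaccess: nothing under uploads may run as PHP,
# including the .phtml, .php7 and .phar spellings that a plain *.php match misses.
uploads_rules() {
    printf '<FilesMatch "\\.(ph(p[0-9]?|tml|ar))$">\n    Require all denied\n</FilesMatch>\n'
}

# Usage: sh wp-htaccess.sh 203.0.113.10 198.51.100.0/24   (root rules to stdout)
#        sh wp-htaccess.sh --uploads > wp-content/uploads/.htaccess
case "${1:-}" in
    "") ;;
    --uploads) uploads_rules ;;
    *) root_rules "$@" || { echo "malformed address in: $*" >&2; exit 1; } ;;
esac
```

Run it once for the root rules and once with --uploads; the uploads rules go into their own .htaccess in wp-content/uploads, where a mis-typed regex only affects that tree.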
  9. FILE ACCESS HARDENING
     • CREATE NEW SECRET KEYS (WP-CONFIG.PHP)
     • ADD A BLANK INDEX.PHP TO WP-INCLUDES, WP-CONTENT/THEMES, WP-CONTENT/PLUGINS AND WP-CONTENT/UPLOADS (STOPS DIRECTORY LISTINGS)
     • REMOVE ALL DEMO AND STAGING SITES
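"Create new secret keys" is usually done by pasting the output of https://api.wordpress.org/secret-key/1.1/salt/ into wp-config.php. The script below is an added example, not code from the deck: it rotates the eight keys locally from /dev/urandom, which also makes rotation scriptable after a suspected compromise, since new keys invalidate every session and "remember me" cookie. It assumes the stock layout where each key is defined on one line as define('NAME', '...'); and refuses to touch a file missing any of the eight, because an undefined key makes WordPress fall back to a value it stores in the database.

```shell
#!/bin/sh
# Added example, not code from the deck: rotate the eight secret keys in
# wp-config.php locally, without calling https://api.wordpress.org/secret-key/1.1/salt/.
# New keys invalidate every session and "remember me" cookie, which is the point
# after a suspected compromise. Assumes each key is defined on one line as
# define('NAME', '...'); as in the stock wp-config.php.

KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 characters from a printable set that is safe inside a PHP single-quoted
# string and inside the awk replacement below: no quote, backslash or ampersand.
new_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#$%()*+,-./:;<=>?@^_{|}~' < /dev/urandom | head -c 64
}

# Rewrite the define() line for NAME in FILE with VALUE. The replacement is
# written owner-only (0600) and moved into place; re-apply the 0400 from
# slide 10 afterwards and, if you ran this as root, chown it back to the PHP user.
set_define() {
    file="$1" name="$2" value="$3"
    tmp="$file.tmp.$$"
    # awk -v unescapes backslashes in VALUE; new_secret never emits one.
    (umask 077; awk -v name="$name" -v value="$value" '
        $0 ~ ("^define\\([ \t]*[\047\"]" name "[\047\"]") {
            print "define(\047" name "\047, \047" value "\047);"
            next
        }
        { print }
    ' "$file" > "$tmp") && mv -f "$tmp" "$file"
}

# Rotate all eight keys. Refuses to touch a file missing any of them: with a
# key undefined WordPress silently falls back to a value stored in the database.
rotate_salts() {
    file="$1"
    for n in $KEY_NAMES; do
        grep -q "^define([[:space:]]*['\"]$n['\"]" "$file" \
            || { echo "$n is not defined in $file" >&2; return 1; }
    done
    for n in $KEY_NAMES; do
        set_define "$file" "$n" "$(new_secret)" || return 1
    done
}

# Usage: sh wp-rotate-salts.sh /var/www/example/wp-config.php
if [ -n "${1:-}" ]; then
    rotate_salts "$1" && echo "rotated 8 keys in $1; every existing login is now invalid"
fi
```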
  10. EXTRA FILE ACCESS HARDENING
     • DIRS: 0755, FILES: 0644
     • WP-CONFIG.PHP: 0400, .HTACCESS: 0400 (THIS ONLY WORKS WHEN PHP AND THE WEB SERVER RUN AS THE FILE OWNER; IF THE SERVER IS A DIFFERENT USER IT CAN NO LONGER READ THEM, AND 0440 WITH THE SERVER'S GROUP IS THE USABLE EQUIVALENT)
     • MONITOR FILE CHANGES
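The deck lists the permission scheme and "monitor file changes" as separate bullets; the script below, an added example that is not code from the deck or from the file-changes-monitor plugin it links to, does both in plain POSIX shell: it applies the modes from slide 10 and keeps a SHA-256 manifest outside the web root so that changed, added and removed files show up on the next run. It assumes PHP runs as the file owner (a php-fpm pool or suPHP); the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the deck: apply slide 10's permission scheme and
# keep a SHA-256 manifest outside the web root to catch changed, added and
# removed files. Assumes PHP runs as the file owner (a php-fpm pool or suPHP);
# when the web server is a different user, 0400 on wp-config.php and .htaccess
# locks it out, and 0440 with the server's group is the working equivalent.

harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    find "$root" -type f -name .htaccess -exec chmod 0400 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 0400 "$root/wp-config.php"; fi
}

# "<sha256>  ./relative/path" for every regular file under ROOT, in a stable order.
hash_tree() {
    root="$1"
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher="shasum -a 256"; fi
    (cd "$root" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        $hasher "$f"
    done)
}

# Save the manifest somewhere the web server cannot write (offline, as slide 4 says).
fim_baseline() {
    hash_tree "$1" > "$2"
}

# Compare ROOT against BASELINE. Prints "ADDED path", "MODIFIED path" or
# "REMOVED path" per difference; returns 0 when clean, 1 when anything differs.
fim_check() {
    root="$1" baseline="$2"
    [ -r "$baseline" ] || { echo "no baseline at $baseline" >&2; return 2; }
    hash_tree "$root" | awk -v base="$baseline" '
        BEGIN {
            # digest is the first 64 chars, path starts after the two-space separator
            while ((getline line < base) > 0) old[substr(line, 67)] = substr(line, 1, 64)
            close(base)
        }
        NF == 0 { next }
        {
            path = substr($0, 67); digest = substr($0, 1, 64)
            seen[path] = 1
            if (!(path in old))           { print "ADDED " path; bad = 1 }
            else if (old[path] != digest) { print "MODIFIED " path; bad = 1 }
        }
        END {
            for (p in old) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad
        }
    '
}

# Usage: sh wp-fim.sh perms    /var/www/example
#        sh wp-fim.sh baseline /var/www/example /var/backups/example.sha256
#        sh wp-fim.sh check    /var/www/example /var/backups/example.sha256   (from cron)
case "${1:-}" in
    "") ;;
    perms)    harden_perms "$2" ;;
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Re-run "baseline" after every legitimate update so the manifest matches the code you deployed; a "check" that reports an ADDED .php file under wp-content/uploads is the classic sign of a web shell.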
  11. DUE DILIGENCE
     • DO NOT SHARE PASSWORDS THROUGH PLAIN TEXT CHANNELS (EMAIL, MESSENGERS); USE SECURE THIRD PARTY SERVICES
     • USE A SECURE PASSWORD MANAGER
     • AVOID USING YOUR WP DASHBOARD OVER A PUBLIC WIFI CONNECTION
  12. MYSQL DATABASE HARDENING
     • DO NOT ALLOW REMOTE CONNECTIONS
     • DO NOT SHARE THE SAME DATABASE USER ACROSS A NUMBER OF DATABASES
     • DO NOT SHARE THE SAME DATABASE FOR ALL YOUR WORDPRESS SITES
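The three bullets above amount to one database and one least-privilege user per site, reachable only from the local host. The script below is an added example, not code from the deck: it prints the SQL for a per-site database and user with only the privileges WordPress needs (nothing on *.*, no GRANT OPTION), refuses site names that are not plain identifiers so nothing can be smuggled into the generated statements, and checks a my.cnf for the bind-address setting that turns off remote connections. It assumes MySQL or MariaDB on the same host as PHP; the site names, passwords and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the deck: one database and one least-privilege
# user per site (slide 12), reachable only from localhost, plus a check that
# mysqld itself is not listening on the network. Assumes MySQL/MariaDB on the
# same host as PHP. Site names, passwords and file paths are placeholders.

# What WordPress core and its updaters actually use; nothing on *.*, no
# GRANT OPTION, FILE, SUPER or PROCESS. Add LOCK TABLES only if this user
# also runs mysqldump.
WP_PRIVS="SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX"

# Plain identifier only, so a site name cannot smuggle SQL into the output.
safe_ident() {
    case "$1" in ""|*[!A-Za-z0-9_]*) return 1 ;; esac
    [ "${#1}" -le 32 ]   # MySQL user names are capped at 32 characters
}

# Print the statements for one site's database and user. The password is
# supplied, not generated, so it can come from whatever secret store you use.
site_db_sql() {
    site="$1" password="$2"
    safe_ident "$site" || { echo "refusing site name: $site" >&2; return 1; }
    case "$password" in
        ""|*"'"*|*\\*) echo "password must be non-empty and free of quotes and backslashes" >&2; return 1 ;;
    esac
    db="wp_$site"; user="wpu_$site"
    safe_ident "$user" || { echo "site name too long" >&2; return 1; }
    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;\n" "$db"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$password"
    printf "GRANT %s ON \`%s\`.* TO '%s'@'localhost';\n" "$WP_PRIVS" "$db" "$user"
    printf "FLUSH PRIVILEGES;\n"
}

# Return 0 if the [mysqld] section of CNF is loopback-only (bind-address set
# to 127.0.0.1/::1/localhost, or skip-networking), 1 if it is unset or wide open.
bind_is_local() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_mysqld { next }
        /^[ \t]*skip[-_]networking/ { local = 1; next }
        /^[ \t]*bind[-_]address[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t#].*$/, "", v)
            if (v == "127.0.0.1" || v == "::1" || v == "localhost") local = 1
            else wide = 1
        }
        END { exit !(local && !wide) }
    ' "$1"
}

# Usage: sh wp-db.sh crete 'S3cret-Passw0rd' | mysql -u root -p
#        sh wp-db.sh --check /etc/mysql/my.cnf
case "${1:-}" in
    "") ;;
    --check) bind_is_local "$2" && echo "mysqld is bound to loopback only" \
             || { echo "mysqld is reachable from the network" >&2; exit 1; } ;;
    *) site_db_sql "$1" "$2" ;;
esac
```

With this scheme a SQL injection in one site yields that site's tables and nothing else, and the "remote connections" bullet is enforced twice: at the server (bind-address) and in the grant ('wpu_crete'@'localhost' cannot authenticate from any other host).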
  13. USEFUL RESOURCES
     • https://wordpress.org/plugins/dropbox-backup/
     • https://wordpress.org/plugins/remove-xmlrpc-pingback-ping/
     • https://wordpress.org/plugins/rename-wp-login/
     • https://wordpress.org/plugins/limit-login-attempts/
     • https://wordpress.org/plugins/google-authenticator/
     • https://wordpress.org/plugins/username-changer/
     • https://wordpress.org/plugins/file-changes-monitor
     • http://paste.fixmywp.com/
     • http://www.pcmag.com/article2/0,2817,2407168,00.asp/