Slide 1

Slide 1 text

Useful Tips to Shield Your WordPress Site By Rodrigo Donini @donini

Slide 2

Slide 2 text

Hire the top 3% of freelance talent www.toptal.com Toptal Confidential

HELLO! I'm Donini
You can find me on Twitter, GitHub and LinkedIn as @donini
My Site / Blog: www.donini.me

Slide 3

Slide 3 text

Hire the top 3% of the best freelancers in the world.
WHAT IS? >>> http://bit.ly/donini-toptal <<<

Slide 4

Slide 4 text


Slide 5

Slide 5 text

Security in WordPress
● Proper configuration
● Proper development / Good practices
● Update environment
https://codex.wordpress.org/Hardening_WordPress

Slide 6

Slide 6 text

WPScan
● Detect the WordPress version
● Enumerate vulnerabilities
● Enumerate users and break weak passwords
● Enumerate installed plugins and themes
● Others
http://wpscan.org
https://wpvulndb.com

Slide 7

Slide 7 text

Users and Passwords
● Remove or change the users named "admin" and the user with ID 1.

Slide 8

Slide 8 text

Users and Passwords
● Block access to the users list.
URL patterns that reveal usernames:
http://www.meu-site.com.br/?author=1
http://www.meu-site.com.br/authors/admin
Adding rules to your .htaccess file is one of the ways:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule ^(.*)$ http://www.meu-site.com.br/ [L,R=301]

Slide 9

Slide 9 text

Use Strong Passwords
● Change your passwords frequently, especially if you log in from public places.
https://en.support.wordpress.com/selecting-a-strong-password/

Slide 10

Slide 10 text

Secret Keys
● Increase security with these keys and salts:
https://api.wordpress.org/secret-key/1.1/salt/

Slide 11

Slide 11 text

Two Step Authentication
● Add more layers of security with SMS, QR code and PIN
https://codex.wordpress.org/Two_Step_Authentication

Slide 12

Slide 12 text

Debug and its implications
● The constants used:
  ● WP_DEBUG
  ● WP_DEBUG_LOG
  ● WP_DEBUG_DISPLAY
https://codex.wordpress.org/Debugging_in_WordPress

Slide 13

Slide 13 text

Location and Protection of the debug.log File
● Location of the file: wp-content/debug.log
● Permission: chmod 600
● Deny web access to it in .htaccess:

<Files debug.log>
Order allow,deny
Deny from all
</Files>

Slide 14

Slide 14 text

Exposure of the Version
● Meta tag generator in the HTML and XHTML markup
● Tag generator in the ATOM, RSS 2 (posts and comments) and RDF feeds
● In comments in the HTML code
● In comments of the export file
● In URL parameters
● In core files:
  ● /readme.html
  ● /wp-admin/install.php
  ● /wp-admin/upgrade.php
  ● /wp-links-opml.php

Slide 15

Slide 15 text

Block the Exposure of the Version
● Files that are not necessary:
  ● /readme.html
  ● /license.txt
  ● /wp-config-sample.php
● Temporary files:
  ● /wp-admin/install.php
  ● /wp-admin/upgrade.php
● Deny access to them in .htaccess:

<FilesMatch "^(readme\.html|license\.txt|wp-config-sample\.php|install\.php|upgrade\.php)$">
Order allow,deny
Deny from all
</FilesMatch>

● Remove the version:

// Overwrite the global version string so the generator tags print 'version_hidden'
function remove_version() {
    global $wp_version;
    $wp_version = 'version_hidden';
}
add_action( 'init', 'remove_version' );
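An added example (not code from the slides or from the don-security plugin) that hides the version in the places slide 14 lists by using the core hooks instead of overwriting $wp_version; the function name donini_example_strip_core_ver is an assumption.

```php
<?php
/**
 * Added example, not from the slides: hide the WordPress version from the
 * HTML head, the feeds/export file and the ?ver= URL parameters using core
 * hooks. Save it as a small mu-plugin (wp-content/mu-plugins/hide-version.php).
 */

// 1. Remove the <meta name="generator"> tag that wp_head() prints.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator element in the RSS/Atom/RDF feeds and the export
//    file: the 'the_generator' filter runs for every feed type, so one
//    filter covers them all.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip the ?ver=X.Y.Z parameter from script and style URLs, but only
//    when it equals the core version, so plugin/theme cache busting with
//    their own version numbers keeps working.
function donini_example_strip_core_ver( $src ) {   // assumed name
    $core_ver = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core_ver ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'donini_example_strip_core_ver', 20 );
add_filter( 'style_loader_src',  'donini_example_strip_core_ver', 20 );
```

This does not touch the version strings inside core files such as readme.html; those are covered by the deny rules above.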

Slide 16

Slide 16 text

Full Path Disclosure
● FPD exposes the application path on the server disk.

Slide 17

Slide 17 text

Prevent Full Path Disclosure
● Block direct access to the files in the wp-includes directory (.htaccess):

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

● Test if your function exists

Slide 18

Slide 18 text

How to Protect Your Database
● Proper permissions
● Prefix of tables:

$table_prefix = 'wpd_my_site_';

https://codex.wordpress.org/Database_Description

Slide 19

Slide 19 text

SQL Injection
● Before you pick a plugin or theme, verify at the WPScan Vulnerability Database that it's clean
● Avoid SQL Injection in your themes and plugins:

$sql = $wpdb->prepare( '[MY-SQL-QUERY]', $variable );
$sql = $wpdb->prepare( 'MY-SQL-QUERY-WITH-STRING-%s-INT-%d-FLOAT-%f', $string, $integer, $float );

http://codex.wordpress.org/Class_Reference/wpdb
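An added example (not code from the slides) showing the same lookup written the unsafe way and with $wpdb->prepare() as the slide recommends; the table name example_tickets, its columns and the function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not from the slides: unsafe string-built query beside the
 * prepared version. The table {$wpdb->prefix}example_tickets and its
 * columns (id, title, status) are assumed for illustration.
 */

// Unsafe: $status and $min_id come straight from the request and are
// concatenated into the SQL, so a quote or an operator inside either value
// changes the meaning of the query.
function tickets_unsafe( $status, $min_id ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_tickets
            WHERE status = '$status' AND id > $min_id";
    return $wpdb->get_results( $sql );
}

// Safe: typed placeholders (%s string, %d int, %f float) and the values
// passed separately. prepare() quotes/escapes %s and casts %d and %f, so
// the input can never be parsed as SQL. The table name is code, not user
// input, which is why it may still be interpolated.
function tickets_safe( $status, $min_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_tickets
         WHERE status = %s AND id > %d",
        $status,
        $min_id
    );
    return $wpdb->get_results( $sql );
}

// LIKE needs one extra step: escape the % and _ wildcards in the user value
// with esc_like() first, then add your own wildcards and prepare as usual.
function tickets_search( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_tickets WHERE title LIKE %s",
        $like
    ) );
}
```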

Slide 20

Slide 20 text

Nonces
● Protect the URLs, including AJAX calls
● Protect forms
https://codex.wordpress.org/WordPress_Nonces
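An added example (not code from the slides) of both cases the slide names: a nonce-protected form and a nonce-protected admin-ajax.php call, each followed by a capability check. The nx_ prefix, the action names, the option name and the script file are assumptions.

```php
<?php
/**
 * Added example, not from the slides: nonces for a form and for an AJAX
 * endpoint. All nx_* names, 'nx_save_note', 'nx_ajax' and nx.js are assumed.
 */

// ---- Form: emit the nonce field when rendering, verify it on submit ----
function nx_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'nx_save_note', 'nx_nonce' );   // hidden nonce + referer fields
    echo '<input name="note"><button>Save</button></form>';
}

function nx_handle_form() {
    if ( ! isset( $_POST['nx_nonce'] ) ) {
        return;                                       // not our form
    }
    // Dies with "The link you followed has expired" when the nonce is bad.
    check_admin_referer( 'nx_save_note', 'nx_nonce' );
    // A nonce proves intent, not permission: still check the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed' );
    }
    update_option( 'nx_note', sanitize_text_field( wp_unslash( $_POST['note'] ) ) );
}
add_action( 'admin_init', 'nx_handle_form' );

// ---- AJAX: hand the nonce to the script, verify it server-side ----
function nx_enqueue() {
    wp_enqueue_script( 'nx', plugins_url( 'nx.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'nx', 'nxAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'nx_ajax' ),   // script sends it as _ajax_nonce
    ) );
}
add_action( 'admin_enqueue_scripts', 'nx_enqueue' );

function nx_ajax_handler() {
    check_ajax_referer( 'nx_ajax' );                 // 403 + "-1" on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'note' => get_option( 'nx_note', '' ) ) );
}
add_action( 'wp_ajax_nx_get_note', 'nx_ajax_handler' );  // logged-in users only
```

For a plain link, wp_nonce_url( $url, 'nx_delete' ) appends the _wpnonce parameter and check_admin_referer( 'nx_delete' ) verifies it the same way.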

Slide 21

Slide 21 text

SSL in WordPress
● Define the use of SSL (wp-config.php):

define( 'FORCE_SSL_LOGIN', true ); // Force SSL only on login
define( 'FORCE_SSL_ADMIN', true ); // Force SSL in the whole admin area, including login

● Redirect all HTTP requests to HTTPS (.htaccess):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Slide 22

Slide 22 text

Directory Protection
● Apache configuration file:

Options -Indexes

● .htaccess file:

# Disable directory listing
Options -Indexes

● index.html and index.php files in each directory

Slide 23

Slide 23 text

Protect the File wp-config.php
● Where we normally put it:
/public_html/wp-config.php
● Where it is suggested to put it:
/wp-config.php
https://codex.wordpress.org/Editing_wp-config.php

Slide 24

Slide 24 text

DISALLOW_FILE_EDIT versus DISALLOW_FILE_MODS
● DISALLOW_FILE_EDIT: disables file changes in themes and plugins
● DISALLOW_FILE_MODS: disables file changes and automatic updates
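An added example (not from the slides) that combines the wp-config.php settings from the secret keys, database prefix, debug, SSL and DISALLOW_FILE_* slides into one production-safe layout; the key values are placeholders and the prefix is the one shown on slide 18.

```php
<?php
/**
 * Added example, not from the slides: a hardened wp-config.php. Every
 * 'PLACEHOLDER-REPLACE-ME' must be replaced with output from
 * https://api.wordpress.org/secret-key/1.1/salt/ before use.
 */

// Database table prefix (slide 18): anything but the default "wp_".
$table_prefix = 'wpd_my_site_';

// Secret keys and salts (slide 10): placeholders, replace all eight.
define( 'AUTH_KEY',         'PLACEHOLDER-REPLACE-ME' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-REPLACE-ME' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-REPLACE-ME' );
define( 'NONCE_KEY',        'PLACEHOLDER-REPLACE-ME' );
define( 'AUTH_SALT',        'PLACEHOLDER-REPLACE-ME' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-REPLACE-ME' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-REPLACE-ME' );
define( 'NONCE_SALT',       'PLACEHOLDER-REPLACE-ME' );

// Debugging (slides 12-13): keep the log, never show errors to visitors.
// WP_DEBUG_DISPLAY=false is only honoured while WP_DEBUG is true, and the
// ini_set() keeps PHP itself from printing notices before WordPress loads.
define( 'WP_DEBUG',         true );
define( 'WP_DEBUG_LOG',     true );    // writes wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// SSL (slide 21): FORCE_SSL_ADMIN already covers the login page.
define( 'FORCE_SSL_ADMIN', true );

// File changes (slide 24): EDIT removes the theme/plugin editor; MODS also
// blocks installs and automatic updates, so enable it only when updates
// are deployed another way (git, composer, CI).
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', false );

// Must stay last, exactly as in the stock wp-config.php.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```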

Slide 25

Slide 25 text

WordPress Updating
● Almost 60% of the WordPress installations in the world are outdated.
● As we said before, keeping the environment updated minimizes vulnerabilities and hacking attempts.
● When we talk about updating, we mean updating the WordPress core, themes, plugins, the operating system and all related applications, like Apache/Nginx, PHP, MySQL, etc. Outdated systems can leave doors open and make hacking attempts easier.
https://codex.wordpress.org/Updating_WordPress

Slide 26

Slide 26 text

Other Security Plugins
● Wordfence - www.wordfence.com
● Sitelock - www.sitelock.com
● iThemes Security - ithemes.com/security

Slide 27

Slide 27 text

https://github.com/donini/don-security
https://wordpress.org/plugins/don-security/

Slide 28

Slide 28 text

THANKS!
You can find me on Twitter, GitHub and LinkedIn as @donini
My Site / Blog: www.donini.me
ASK SOMETHING?