Hardening WordPress - Friends of Search 2014 (WordPress Security)


Published on February 19, 2014

Author: bastiangrimm

Source: slideshare.net

Description

My talk at "Friends of Search 2014" in Amsterdam covering the most important security fixes & tweaks for WordPress blogs.

FRIENDS OF SEARCH: HARDENING WORDPRESS. VARIOUS TWEAKS FOR BETTER WP SECURITY

WHAT REALLY MATTERS: TOP 3! IF YOU HAVE 5 MINS TO SPARE, JUST DO THESE…

#1 Update your blogs regularly!
http://wordpress.org/extend/plugins/wp-updates-notifier/

Change update behavior... Be sure to REALLY know what you're doing there!

    # Disables ALL core updates:
    define('WP_AUTO_UPDATE_CORE', false);
    # Enables all core updates, including minor and major releases:
    define('WP_AUTO_UPDATE_CORE', true);
    # Default: enables core updates for minor releases only:
    define('WP_AUTO_UPDATE_CORE', 'minor');

Want something more fine-grained? Use the auto_update_{$type} filter (e.g. auto_update_plugin, auto_update_theme, etc.), which controls each specific update type.
http://github.com/georgestephanis/update-control/

WWW.INFINITEWP.COM

WWW.MANAGEWP.COM

#2 Get rid of stuff you don’t use! Remove all inactive plug-ins as well as themes!

#3 Backup database & files, often!
http://wordpress.org/extend/plugins/backwpup/

SECURITY STARTS AT SETUP: MAKE THINGS RIGHT FROM THE BEGINNING!

#4 Set up WordPress properly
Use unique keys and salts to add random elements for encryption!
Use a cryptic table prefix to hinder automated scripts and SQL injection attempts that assume the default "wp_" table names.

    $table_prefix = 'wp_VzQCxSJv7uL_';

Generate fresh keys and salts here: https://api.wordpress.org/secret-key/1.1/salt/

#5 Protect your wp-config.php

    <files wp-config.php>
        order deny,allow
        deny from all
    </files>

This needs to go into the .htaccess file in your WP root to prevent external access (on Apache 2.4 the equivalent directive is "Require all denied"). Even better: move wp-config.php outside of "www" (the web root). Also chmod it to 400 or 440.

#6 Remove the default "admin" user
Set up a new user as admin; log out. Log in with the new admin; delete the old one.
Make sure to use a STRONG password, pleeaaasssseeee!
http://www.random.org/passwords/

#7 Protect your login (and wp-admin)
Recommended: try the "Lockdown WP Admin" plug-in to protect the PHP files in wp-admin as well as the login itself. Don't just put an .htaccess with basic password protection in front of it; it's a lot of pain...
http://wordpress.org/extend/plugins/lockdown-wp-admin/

#8 Lock out multiple failed logins
Limit Login Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/

#9 Even better: two-factor verification
Google Authenticator: http://wordpress.org/plugins/google-authenticator/
Info: http://gdig.de/1t - Download: http://gdig.de/1u
Provide your login credentials and get the auth code from your mobile phone's G-Auth app.

WWW.DUOSECURITY.COM

WWW.GETCLEF.COM

#10 Block malicious URL requests
Requests such as domain.com/?q=%2e%2e or domain.com/path/base64_ will get an HTTP 403 (Forbidden).
http://wordpress.org/plugins/block-bad-queries/
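What a "block bad queries" filter does can be shown end to end. The following Python script is an added example, not code from the talk or from the plug-in: it percent-decodes each request URI until the decoding is stable (so a double-encoded %252e%252e is caught as well as the %2e%2e on the slide), checks for the two substrings the slide names plus an assumed extra ('eval('), and runs that check over a few constructed access-log lines. The pattern list and the log lines are assumptions for illustration; the real plug-in's list differs.

```python
import re
from urllib.parse import unquote

# Substrings that, once the URI is percent-decoded, earn a 403. The first two
# come from the slide ('..' is what %2e%2e decodes to, and 'base64_'); 'eval('
# is an assumed extra for this example, not taken from the plug-in.
BLOCKED_PATTERNS = ('..', 'base64_', 'eval(')

# Request line as it appears in Apache/nginx combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def normalise(uri, max_rounds=3):
    """Percent-decode repeatedly until the result stops changing, so a
    double-encoded %252e is seen as '.', then lower-case for matching."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def classify_request(uri):
    """Return (http_status, matched_pattern): 403 for a blocked request."""
    decoded = normalise(uri)
    for pattern in BLOCKED_PATTERNS:
        if pattern in decoded:
            return 403, pattern
    return 200, None


def scan_access_log(lines):
    """Return (request_uri, status, pattern) for every logged request that a
    block-bad-queries style filter would have refused."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        uri = match.group(1)
        status, pattern = classify_request(uri)
        if status == 403:
            hits.append((uri, status, pattern))
    return hits


# Constructed log lines for the demo (not from any real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Feb/2014:10:00:01 +0100] "GET /?q=%2e%2e HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Feb/2014:10:00:02 +0100] "GET /path/base64_decode HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Feb/2014:10:00:03 +0100] "GET /?p=123 HTTP/1.1" 200 8192',
    '203.0.113.9 - - [19/Feb/2014:10:00:04 +0100] "GET /wp-content/uploads/%252e%252e/%252e%252e/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Feb/2014:10:00:05 +0100] "GET /wp-content/uploads/photo.png HTTP/1.1" 200 40960',
]

if __name__ == '__main__':
    for uri, status, pattern in scan_access_log(SAMPLE_LOG):
        print(status, uri, 'matched', repr(pattern))
```

Matching '..' after decoding is what makes the slide's %2e%2e example a 403, but it also matches an ellipsis in a post slug, so a production filter needs an allow-list or a narrower test (for instance '..' only inside a path segment); the point of the decode loop is that a filter which checks the raw URI is trivially bypassed by encoding the dots twice.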

ADDITIONAL TWEAKS: THINGS YOU COULD DO IN YOUR CONFIG AS WELL...

#11 SSL logins & administration

    define('FORCE_SSL_LOGIN', true);

Set FORCE_SSL_LOGIN to true to force all logins to happen over SSL (this still allows non-SSL admin sessions).

    define('FORCE_SSL_ADMIN', true);

Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow...).

#12 Move the "wp-content" folder

    define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/my-wp-content');
    define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');

WP_CONTENT_DIR points to the new full local path (no trailing slash); WP_CONTENT_URL points to the new full URI (no trailing slash either).

#13 Disable file editing

    define('DISALLOW_FILE_EDIT', true);

Set DISALLOW_FILE_EDIT to true to disable editing files from the dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users.
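Slides #1, #4, #11 and #13 all come down to values in wp-config.php, so one audit can check them together. The following Python script is an added example, not code from the talk: it parses a constructed wp-config.php excerpt that still carries the stock defaults (the "put your unique phrase here" placeholders, the wp_ prefix, FORCE_SSL_LOGIN without FORCE_SSL_ADMIN, core updates switched off) and reports each recommendation it misses, then applies the slides' fixes and re-audits. The parser only understands the single-quoted and boolean define() forms shown on the slides, and the key/salt values the hardened variant substitutes are made-up placeholders, not values to use on a real site.

```python
import re

# Constructed wp-config.php excerpt (not from the talk or any real site). It keeps
# the stock defaults the slides tell you to change, so the audit has findings.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define('WP_AUTO_UPDATE_CORE', false);
define('FORCE_SSL_LOGIN', true);
"""

KEYS_AND_SALTS = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')
PLACEHOLDER = 'put your unique phrase here'   # value shipped in wp-config-sample.php

# Only the single-quoted and boolean define() forms used on the slides are parsed.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(true|false|'[^']*')\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_wp_config(text):
    """Return ({CONSTANT: bool | str}, table_prefix or None)."""
    consts = {}
    for name, raw in DEFINE_RE.findall(text):
        consts[name] = True if raw == 'true' else False if raw == 'false' else raw[1:-1]
    match = PREFIX_RE.search(text)
    return consts, (match.group(1) if match else None)


def audit_wp_config(text):
    """Return one finding per slide recommendation the config does not meet."""
    consts, prefix = parse_wp_config(text)
    findings = []
    # #1: update behaviour. Leaving the constant unset means WordPress's default, 'minor'.
    if consts.get('WP_AUTO_UPDATE_CORE', 'minor') is False:
        findings.append("WP_AUTO_UPDATE_CORE is false: all core updates are disabled")
    # #4: non-default table prefix, unique keys and salts
    if prefix is None or prefix == 'wp_':
        findings.append("table prefix is the default 'wp_'")
    weak = [k for k in KEYS_AND_SALTS
            if consts.get(k, PLACEHOLDER) == PLACEHOLDER or len(str(consts.get(k, ''))) < 32]
    if weak:
        findings.append("placeholder or short keys/salts: " + ", ".join(weak))
    values = [consts[k] for k in KEYS_AND_SALTS if k in consts]
    if len(set(values)) != len(values):
        findings.append("some keys/salts share the same value")
    # #11: FORCE_SSL_LOGIN alone still leaves the admin session on plain HTTP
    if consts.get('FORCE_SSL_ADMIN') is not True:
        findings.append("FORCE_SSL_ADMIN is not true: admin sessions may run over plain HTTP")
    # #13: dashboard file editor
    if consts.get('DISALLOW_FILE_EDIT') is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: admins can edit PHP files from the dashboard")
    return findings


def hardened_variant(text):
    """Apply the slides' recommendations to a config string. The key/salt values
    written here are constructed placeholders; a real site pastes the output of
    https://api.wordpress.org/secret-key/1.1/salt/ instead."""
    text = text.replace("$table_prefix = 'wp_';", "$table_prefix = 'wp_VzQCxSJv7uL_';")
    for key in KEYS_AND_SALTS:
        fresh = (key.lower() + '-constructed-').ljust(64, 'x')   # distinct, 64 chars
        text = re.sub(r"define\('%s',\s*'[^']*'\)" % key,
                      "define('%s', '%s')" % (key, fresh), text, count=1)
    text = text.replace("define('WP_AUTO_UPDATE_CORE', false);",
                        "define('WP_AUTO_UPDATE_CORE', 'minor');")
    return text + "define('FORCE_SSL_ADMIN', true);\ndefine('DISALLOW_FILE_EDIT', true);\n"


if __name__ == '__main__':
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print('-', finding)
    print('hardened variant:', audit_wp_config(hardened_variant(SAMPLE_WP_CONFIG)) or 'no findings')
```

Two of the checks are easy to get wrong by hand: an unset WP_AUTO_UPDATE_CORE is not a problem (the default is 'minor'), whereas an explicit false is, and FORCE_SSL_LOGIN on its own passes the login over SSL but not the admin session that follows it.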

#14 Fix file & folder permissions
Use WP-Security Scan: http://wordpress.org/extend/plugins/wp-security-scan/
Very important: chmod your wp-config.php to be read-only!
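Slides #5 and #14 both ask for sane modes on the install, above all a read-only wp-config.php. The following Python script is an added example, not the WP-Security Scan plug-in or code from the talk: it builds a small constructed install layout in a temporary directory with deliberately sloppy modes, walks it and reports every world-writable file or directory plus a wp-config.php that is not 400 or 440, then applies the chmod from slide #5 and re-audits. The layout, the modes and the helper names are assumptions for the demo; the script assumes a POSIX file system.

```python
import os
import shutil
import stat
import tempfile

# Constructed install layout with deliberately sloppy modes (not a real site).
SAMPLE_FILES = {
    'wp-config.php': 0o644,                    # readable by group and others
    'index.php': 0o644,
    'wp-content/uploads/photo.jpg': 0o666,     # world-writable file
    'wp-content/plugins/demo/demo.php': 0o644,
}
SAMPLE_DIR_MODES = {'wp-content/uploads': 0o777}   # world-writable directory


def build_sample_tree():
    """Create the constructed layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix='wp-perm-audit-')
    for rel, mode in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('constructed sample content\n')
        os.chmod(path, mode)   # explicit chmod, so the process umask does not matter
    for rel, mode in SAMPLE_DIR_MODES.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


def audit_permissions(root):
    """Return sorted (relative_path, problem, octal_mode) tuples for the tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, 'world-writable', oct(mode)))
            if name == 'wp-config.php' and mode not in (0o400, 0o440):
                findings.append((rel, 'wp-config.php should be 400 or 440', oct(mode)))
    return sorted(findings)


def fix_wp_config_mode(root, mode=0o400):
    """The chmod from slide #5: make wp-config.php readable by its owner only."""
    os.chmod(os.path.join(root, 'wp-config.php'), mode)


def cleanup(root):
    """Remove the temporary install again."""
    shutil.rmtree(root)


if __name__ == '__main__':
    root = build_sample_tree()
    try:
        for rel, problem, mode in audit_permissions(root):
            print(mode, rel, problem)
        fix_wp_config_mode(root)
        print('after chmod 400:', len(audit_permissions(root)), 'findings left')
    finally:
        cleanup(root)
```

The check is deliberately mode-based rather than ownership-based: whether the web server user owns the files varies between hosts, but a world-writable directory under wp-content is wrong on any of them, and 400/440 on wp-config.php only works if the PHP process runs as the file's owner or group, which is the case on the usual single-site setups.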

WORDPRESS.ORG/PLUGINS/WORDFENCE/

WORDPRESS.ORG/PLUGINS/BETTER-WP-SECURITY/

@basgr: SEO Trainings, Seminars & Strategy Consulting. Berlin-based Full-Service Performance Marketing Agency. WordPress Security, Consulting & Development. www.bg.vu/fos14
