Hardening WordPress Security
Download as PPTX, PDF•2 likes•1,932 views
This document discusses hardening WordPress security. It begins by defining security and explaining why increased security is needed due to WordPress' popularity. It then covers various dangers like vulnerabilities, attacks, and human errors. Solutions presented include regular backups, using strong unique passwords, keeping software updated, removing version references, securing logins through .htaccess rules and two-factor authentication, hiding the login page, and changing the WordPress file structure for added protection. The document also provides .htaccess configuration tips and recommends monitoring and security tools.
![Use strong passwords
Insecure examples
admin
mysite123
mysitename
myname4321
password
Secure examples
-yCpHuHJ68fRtB805i
"kaN4Y]99Z)[/ylaJN
&3388wu1530Cx;73kR
zN1/K>9'51]9~495°
1'N434g&h51I78x3?M](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-13-320.jpg)
![Hide your login
# BEGIN Hidden login
RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L]
RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
# END Hidden login](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-26-320.jpg)
![Change WordPress Structure
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
# Redirect
RewriteRule ^wp-admin$ wp-admin/ [R,L]
RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [L]
RewriteRule ^(.*.php)$ /$1 [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-36-320.jpg)
![Change WordPress Structure
// ** index.php
define( 'WP_USE_THEMES', true );
require( __DIR__ . '/application/wp-blog-header.php‘ );
// ** wp-config.php
define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' );
define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' );
define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' );
define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-37-320.jpg)
![Prevent WordPress users listing
http://www.yourbeautifulsite.org/?author=1
http://www.yourbeautifulsite.org/?author=2
http://www.yourbeautifulsite.org/?author=3
http://www.yourbeautifulsite.org/?author=4
[…]
# .htaccess
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-43-320.jpg)
![Rewrite assets permalinks
# .htaccess
RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L]
RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L]
RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-45-320.jpg)
![Blackhole
(http://perishablepress.com/blackhole-bad-bots/)
# END Blackholde
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule
^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|reg
ister|timthumb|function|system|test|t|jsp|asp|aspx)$
error/403.html [L]
</ifModule>
# END Blackhole](https://image.slidesharecdn.com/hardeningwordpresssecurity-151117074908-lva1-app6892/85/Hardening-WordPress-Security-52-320.jpg)
Hardening WordPress Security
- 1. Hardening WordPress Security WordPress Day 2015 - Pordenone, Italy
- 4. SECURITYBecause sometimes a Rottweiler is not enough
- 5. Why we need more security?
- 6. WordPress Popularity, Market Share and Responsibility
- 7. 0 10 20 30 40 50 60 70 No CMS WordPress Joomla Drupal Usage of content management systems for websites Market Share Usage http://w3techs.com/technologies/overview/content_management/all
- 8. What are the dangers?
- 9. - Social Engineering - Human Mistakes - Brute Force Attacks - WordPress Vulnerabilities - Web Server Vulnerabilities - Network Vulnerabilities - FTP - File Permissions - And other beautiful things…
- 11. Solutions
- 12. Backup! Modern Task Runner for PHP
- 13. Use strong passwords Insecure examples admin mysite123 mysitename myname4321 password Secure examples -yCpHuHJ68fRtB805i "kaN4Y]99Z)[/ylaJN &3388wu1530Cx;73kR zN1/K>9'51]9~495° 1'N434g&h51I78x3?M
- 14. Stay updated! Update WordPress Core Update Themes Update Plugins
- 16. Deny access / delete readme.html
- 17. Deny access / delete readme.html # .htaccess <files readme.html> Order allow,deny Deny from all </files>
- 18. Remove WordPress Version // ** functions.php function wp_remove_version() { return ''; } add_filter('the_generator', 'wp_remove_version');
- 20. Secure your login - .htaccess Authentication - Limit attempts - Restrict to certain IPs - Hide - Capcha - Two Factor Authentication - HTTPS
- 21. .htaccess Authentication (example with http://www.htaccesstools.com/)
- 22. .htaccess Authentication (example with http://www.htaccesstools.com/)
- 23. Limit attempts
- 24. Restrict to certain IPs # .htaccess order deny,allow deny from all allow from 1.2.3.4
- 25. Restrict to certain IPs
- 26. Hide your login # BEGIN Hidden login RewriteRule ^secured-area$ application/wp-login.php?redirect_to=http://%{SERVER_NAME}/wp-admin/ [L] RewriteRule ^recover-password$ application/wp-login.php?action=lostpassword RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/secured-area RewriteCond %{QUERY_STRING} !^action=logout RewriteCond %{QUERY_STRING} !^action=lostpassword RewriteCond %{REQUEST_METHOD} !POST RewriteRule ^wp-login.php http://%{SERVER_NAME}/secured-area? [R,L] RewriteCond %{QUERY_STRING} ^loggedout=true RewriteRule . http://%{SERVER_NAME}/? [L] # END Hidden login
- 27. Hide your login
- 28. Captcha on login
- 30. Is there anything more?
- 31. Admin user
- 32. Admin user - Don’t use «admin» as username - Or change «admin» role
- 34. Change WordPress Structure From this..
- 35. Change WordPress Structure ..to this
- 36. Change WordPress Structure # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index.php$ - [L] # Redirect RewriteRule ^wp-admin$ wp-admin/ [R,L] RewriteRule ^(wp-(content|admin|includes|network|login).*) application/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f [OR] RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^ - [L] RewriteRule ^(.*.php)$ /$1 [L] RewriteRule . /index.php [L] </IfModule> # END WordPress
- 37. Change WordPress Structure // ** index.php define( 'WP_USE_THEMES', true ); require( __DIR__ . '/application/wp-blog-header.php‘ ); // ** wp-config.php define('WP_CONTENT_DIR', dirname(__FILE__) . '/public' ); define('WP_CONTENT_URL', 'http://'.$_SERVER['HTTP_HOST'].'/public' ); define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME'].'/application' ); define('WP_HOME', 'http://'.$_SERVER['SERVER_NAME'] );
- 38. Htaccess Tips and Tricks
- 39. Disable Directory Browsing # .htaccess Options All -Indexes
- 40. Protect your .htaccess # .htaccess <files .htaccess> Order allow,deny Deny from all </files>
- 41. Protect your configuration # .htaccess <files wp-config.php> Order allow,deny Deny from all </files>
- 42. Deny access to xmlrpc.php # .htaccess <files xmlrpc.php> Order allow,deny Deny from all </files>
- 43. Prevent WordPress users listing http://www.yourbeautifulsite.org/?author=1 http://www.yourbeautifulsite.org/?author=2 http://www.yourbeautifulsite.org/?author=3 http://www.yourbeautifulsite.org/?author=4 […] # .htaccess RewriteCond %{QUERY_STRING} (^|&)author= RewriteRule . http://%{SERVER_NAME}/? [L]
- 44. Deny php execution from upload directory # /path/to/upload-folder/.htaccess <Files ~ ".(xls|doc|rtf|pdf|zip|mp3|flv|swf|pn g|gif|jpg|ico|js|css|kmz|ttf|woff|woff 2)$"> Allow from all </Files>
- 45. Rewrite assets permalinks # .htaccess RewriteRule ^css/(.*) /public/themes/mytheme/css/$1 [QSA,L] RewriteRule ^js/(.*) /public/themes/mytheme/js/$1 [QSA,L] RewriteRule ^img/(.*) /public/themes/mytheme/images/$1 [QSA,L]
- 46. WP-config Tricks
- 47. WP-config Tricks - Set up Salt Keys (https://api.wordpress.org/secret-key/1.1/salt/) - Override File Permissions - Change WP Db Prefix
- 48. Disable Plugins install/updates // ** wp-config.php define( DISALLOW_FILE_EDIT', true ); define( DISALLOW_FILE_MODS', true );
- 49. Check installed Themes/Plugins - Remove inactive themes/plugins - Remove useless themes/plugins - Evaluate code integration
- 50. Blackhole
- 52. Blackhole (http://perishablepress.com/blackhole-bad-bots/) # END Blackholde <ifModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^(phpinfo|phpmyadmin|cgi|index1|index|signup|admin|reg ister|timthumb|function|system|test|t|jsp|asp|aspx)$ error/403.html [L] </ifModule> # END Blackhole
- 53. Tools
- 55. Help us to check our WordPress Project Vulnerabilities
- 56. Monitoring time series database for monitoring your application https://influxdb.com/
- 59. Questions?