Calgary WordPress Meetup - May 10, 2016

WORDPRESS SECURITY: LESSONS LEARNED FROM CLEANING UP HACKED SITES #YYCWPMUG



#YYCWPMUG - ANNOUNCEMENTS

• Our Building’s New Security Policy

• Summer Sessions TBD

WORDCAMP 2016

Fort Calgary • May 28-29

Speakers and sessions being announced on https://2016.calgary.wordcamp.org/

THIS TALK IS NOT FOR DEVELOPERS.

Chris Wiegman

Securing Your Code – WordPress Security for Developers

May 7, 2015 at LoopConf

Las Vegas, NV

https://youtu.be/nuWR_HiBHYc

SECURITY IS HARD.

TRAINING IS HARD.

[Slide diagram; labels recovered from the image: plugins, posts, pages, SQL, meta]

Source: https://www.invincea.com/2016/02/dridex-crew-bets-on-ransomware/

Source: http://theargusreport.com/explosive-surge-in-malvertising-and-ransomware-in-2015/

LOGIN SECURITY

BEST PRACTICES IN LOGIN SECURITY

Never use “admin” as a username, and enforce strong passwords for your users.

Never publish pages or posts using accounts with Administrator-level permission.

Limit login attempts and change /wp-admin/ to something else.

Disable the Dashboard file editor (the built-in theme and plugin editor, which lets any Administrator write PHP to the server) in wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Wordfence

BPS Security

iThemes Security

UPDATE FILE PERMISSIONS

File or directory        Mode (octal)
.htaccess                404 or 604
index.php                400 or 600
wp-config.php            400 or 600
wp-blog-header.php       400 or 600
/wp-admin/               705
/wp-content/             705
/wp-content/plugins      705
/wp-content/themes       705
/wp-content/uploads      705
/wp-content/upgrade      755

Shared hosting providers won't allow you to change owner permissions.
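As an added example (not from the slides), the shell script below audits a WordPress tree against the table above and can apply it. Where the slide gives two values for a file, the stricter one (owner read-only) is used; the directory layout it builds for the demonstration is constructed here, and any real site root you pass is assumed to use the standard WordPress layout.

```shell
#!/bin/sh
# Added example, not from the slides: audit (and optionally apply) the modes
# from the permissions table. The demo tree is constructed for this example.

# Octal mode of a path: GNU stat first, BSD/macOS stat as a fallback.
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Expected mode per path, relative to the WordPress root. Where the slide
# gives two values, the stricter (owner read-only) one is used here.
expected_mode() {
    case "$1" in
        .htaccess) echo 404 ;;
        index.php|wp-config.php|wp-blog-header.php) echo 400 ;;
        wp-admin|wp-content|wp-content/plugins|wp-content/themes|wp-content/uploads) echo 705 ;;
        wp-content/upgrade) echo 755 ;;
        *) return 1 ;;
    esac
}

WP_PATHS='.htaccess index.php wp-config.php wp-blog-header.php wp-admin wp-content wp-content/plugins wp-content/themes wp-content/uploads wp-content/upgrade'

# Print one line per mismatch ("path actual expected"); the exit status is
# the number of mismatches, so 0 means the tree matches the table.
audit_modes() {
    root=$1; bad=0
    for rel in $WP_PATHS; do
        [ -e "$root/$rel" ] || continue
        want=$(expected_mode "$rel"); have=$(octal_mode "$root/$rel")
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$rel" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Apply the table to an existing tree (paths that do not exist are skipped).
apply_modes() {
    root=$1
    for rel in $WP_PATHS; do
        [ -e "$root/$rel" ] && chmod "$(expected_mode "$rel")" "$root/$rel"
    done
    return 0
}

# Build a throwaway tree with the loose modes a fresh upload usually has,
# so the audit has something to complain about.
make_demo_tree() {
    root=$1
    mkdir -p "$root/wp-admin" "$root/wp-content/plugins" "$root/wp-content/themes" \
             "$root/wp-content/uploads" "$root/wp-content/upgrade"
    for f in .htaccess index.php wp-config.php wp-blog-header.php; do
        : > "$root/$f"; chmod 644 "$root/$f"
    done
    chmod 755 "$root/wp-admin" "$root/wp-content" "$root/wp-content/plugins" \
              "$root/wp-content/themes" "$root/wp-content/uploads" "$root/wp-content/upgrade"
}
```

Run `audit_modes /path/to/site` first; it only reports. `apply_modes` changes modes but never ownership, which is the part shared hosts do not let you touch. If PHP runs as a different user than the file owner on your host, the 400 modes will stop WordPress reading its own config, so test on a copy before applying to production.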

CUSTOMIZE PHP + .HTACCESS

WHAT IS .HTACCESS?

“.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.” (Apache HTTP Server documentation)

FILES ARE HIDDEN BY DEFAULT

Names that start with a dot, such as .htaccess, are hidden by default in most FTP clients and file managers; turn on “show hidden files” or you will not see the file you are trying to edit.

WHAT ELSE CAN YOU DO WITH .HTACCESS?

Define Error Pages – 400, 401, 403, 404, 500

Define caching-specific rules

Restrict users based on IP address

Force browser to use a different index file

Add 301 redirect rules

More info: Tuts+ Article

USING SHARED HOSTING?

Add this line to .htaccess, replacing the path with your own account's home directory:

suPHP_ConfigPath /home/username/

Then upload your customized php.ini file to that directory and set its file permissions to 600. This only works on hosts that run PHP under suPHP; on any other setup Apache does not know the directive and every request will fail with a 500 error, so remove the line if that happens.

CHECK YOUR SETTINGS IN PHP.INI

PHP Safe Mode: Off
PHP Allow URL fopen: Off
PHP Allow URL Include: Off
PHP Display Errors: Off
PHP Display Startup Errors: Off
PHP Expose PHP: Off
PHP Register Globals: Off
PHP MySQL Allow Persistent Connections: Off
PHP Output Buffering: Off
PHP Max Script Execution Time: 60 Seconds
PHP Magic Quotes GPC: Off
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: No

Other Fun Stuff

memory_limit = 128M

upload_max_filesize = 50M
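As an added example (not from the slides), the script below turns the settings above into the actual php.ini directive names, writes a hardened php.ini with mode 600 as the shared-hosting step describes, and audits an existing php.ini against the list. The XML/IPTC/Exif items are compiled-in extension support rather than ini settings, so they are left out. The "weak" php.ini it creates is a constructed sample, and the directory paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the slides: write a php.ini with the settings listed
# on the slide and check an existing php.ini against them.

# Hardened values as "directive=value" pairs. safe_mode, register_globals and
# magic_quotes_gpc were removed in PHP 5.4; they are kept here for older hosts
# and are simply ignored by newer PHP.
WANTED='safe_mode=Off
allow_url_fopen=Off
allow_url_include=Off
display_errors=Off
display_startup_errors=Off
expose_php=Off
register_globals=Off
mysql.allow_persistent=Off
output_buffering=Off
max_execution_time=60
magic_quotes_gpc=Off
memory_limit=128M
upload_max_filesize=50M'

# Effective value of one directive in a php.ini file: ";" starts a comment,
# whitespace around "=" is ignored, and the last uncommented occurrence wins.
ini_value() {
    sed -e 's/;.*$//' "$1" | awk -v key="$2" -F= '
        $1 ~ ("^[ \t]*" key "[ \t]*$") { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { if (v != "") print v }'
}

# Print "directive have want" for every deviation; exit status = count.
# An unset directive counts as a deviation because the host's compiled-in
# default is unknown; set it explicitly.
audit_php_ini() {
    bad=0
    for pair in $WANTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(ini_value "$1" "$key")
        if [ "$(printf %s "$have" | tr '[:upper:]' '[:lower:]')" != \
             "$(printf %s "$want" | tr '[:upper:]' '[:lower:]')" ]; then
            printf '%s %s %s\n' "$key" "${have:-unset}" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Write the hardened php.ini into a directory (the suPHP_ConfigPath target)
# and restrict it to the owner, as the slide recommends.
write_php_ini() {
    printf '; generated by write_php_ini\n' > "$1/php.ini"
    printf '%s\n' "$WANTED" | sed 's/=/ = /' >> "$1/php.ini"
    chmod 600 "$1/php.ini"
}

# A constructed php.ini in the shape a shared host might ship, for the demo.
write_weak_ini() {
    cat > "$1/php.ini" <<'EOF'
; default host settings (constructed sample)
allow_url_fopen = On
allow_url_include = Off
display_errors = On ; handy for debugging
expose_php = On
memory_limit = 64M
max_execution_time = 30
EOF
}
```

To check the file PHP is really using, run `php --ini` to find it and `php -i` to see the effective values; the audit above reads a file, it does not ask PHP, so a php.ini that is never loaded will pass the audit and still protect nothing.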

DENY ACCESS TO SETTINGS FILES

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    # Apache 2.2-style access control (needs mod_access_compat on 2.4)
    Order Allow,Deny
    Deny from all
    # Optionally let one trusted address through, e.g. your office:
    #Allow from 192.168.0.1
</FilesMatch>

The pattern is anchored only at the start, so it also blocks editor backups such as wp-config.php~ or wp-config.php.bak, which is what you want. On Apache 2.4 without mod_access_compat, replace the Order/Deny pair with Require all denied.
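As an added example (not from the slides), the script below checks which file names the FilesMatch rule above would actually deny and walks a web root for settings or backup files that would still be served. Apache matches FilesMatch against the basename of the requested file, so the same regular expression is applied to basenames here; the web root it builds is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the slides: see what the .htaccess FilesMatch rule
# covers, and find leftover files it does not. The demo tree is constructed.
PATTERN='^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)'

# Exit 0 if the rule would deny a request for this basename.
filesmatch_denies() {
    printf '%s\n' "$1" | grep -Eq "$PATTERN"
}

# List files under a web root that look like settings or backup material yet
# would still be served, so the pattern can be extended before they leak.
# wp-config-sample.php ships with WordPress and holds no secrets, so it is
# excluded from the search.
find_unprotected() {
    find "$1" -type f ! -name 'wp-config-sample.php' \
        \( -name 'wp-config*' -o -name '*.ini' -o -name '*.bak' \
           -o -name '*.old' -o -name '*~' -o -name '*.sql' \) |
    while IFS= read -r path; do
        filesmatch_denies "$(basename "$path")" || printf '%s\n' "${path#"$1"/}"
    done | LC_ALL=C sort
}

# Constructed web root for the demo: the live config, editor backups of it,
# a per-directory .user.ini and a database dump left behind by a migration.
make_demo_root() {
    mkdir -p "$1/wp-content/uploads"
    for f in wp-config.php wp-config.php.bak 'wp-config.php~' wp-config.php.old \
             wp-config-sample.php .user.ini wp-content/uploads/site-backup.sql; do
        : > "$1/$f"
    done
}
```

On the demo tree the backups of wp-config.php are already covered by the prefix match, but .user.ini (read by PHP-FPM and CGI builds the same way php.ini is) and the SQL dump under uploads are not; both belong in the pattern or, better, off the web root entirely.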

SECURE YOUR DATABASE

Revoke the DROP, ALTER and GRANT privileges from the site's database user on production sites (unless a plugin requires them). WordPress core schema upgrades also issue ALTER TABLE, so expect to grant ALTER back for the duration of an update and revoke it again afterwards.
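As an added example (not from the slides), the script below flags dangerous privileges in the output of SHOW GRANTS for the WordPress database user, so you can confirm the revocation actually took. The user name `'wp'@'localhost'`, the database name `wordpress` and both grant listings are constructed samples; feed it real output with `mysql -e "SHOW GRANTS FOR 'wp'@'localhost'" | audit_grants`.

```shell
#!/bin/sh
# Added example, not from the slides: flag dangerous privileges in SHOW GRANTS
# output for the WordPress database user. The grant sets are constructed.

# Typical over-privileged setup: everything on the database, plus GRANT OPTION.
WEAK_GRANTS="GRANT USAGE ON *.* TO 'wp'@'localhost'
GRANT ALL PRIVILEGES ON \`wordpress\`.* TO 'wp'@'localhost' WITH GRANT OPTION"

# Least privilege for day-to-day operation: no DROP, ALTER or GRANT.
# ALTER is still needed while core or plugin schema upgrades run; grant it
# for the update window, then revoke it again.
LEAST_GRANTS="GRANT USAGE ON *.* TO 'wp'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX ON \`wordpress\`.* TO 'wp'@'localhost'"

# Read SHOW GRANTS lines on stdin, print "PRIVILEGE: <grant line>" for every
# privilege that lets the web user destroy data or escalate, and exit with
# the number of hits (0 = clean).
audit_grants() {
    awk '
    BEGIN {
        n = split("ALL PRIVILEGES,DROP,ALTER,GRANT OPTION,FILE,SUPER,PROCESS,SHUTDOWN,CREATE USER", bad, ",")
        for (i = 1; i <= n; i++) is_bad[bad[i]] = 1
        hits = 0
    }
    /^GRANT / {
        privs = $0
        sub(/^GRANT /, "", privs)
        sub(/ ON .*$/, "", privs)               # keep only the privilege list
        if ($0 ~ / WITH GRANT OPTION/) privs = privs ", GRANT OPTION"
        m = split(privs, p, /, */)
        for (i = 1; i <= m; i++) {
            name = toupper(p[i])
            if (name in is_bad) { print name ": " $0; hits++ }
        }
    }
    END { exit hits }'
}
```

ALL PRIVILEGES is flagged on its own because it implies DROP, ALTER and the rest; a clean result means the user holds only the listed table-level rights on its own database and USAGE (no privileges) globally.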

FOLLOW BREAKING SECURITY NEWS

QUESTIONS?