WordPress Security Presentation by Jason Conroy (from Finding Simple - http://findingsimple.com) for the March 2013 WordPress Canberra Meetup (http://wpcanberra.com.au)

1. WordPress Security
12 WordPress Security Fundamentals

2. Why Security?
• SEO / Google rankings
• Downtime - Decreased Revenue
• Website / Business / Personal Credibility
• Increased Costs with cleaning up the mess ( Potentially Law
Suits )
• Lose everything - no site :-(

3. “How do I completely secure my site?”

5. It’s all about “risk”

6. “The probability that a particular security threat will exploit a
particular vulnerability” ISC 2

7. Threat = A potential danger

11. Vulnerability = A Weakness

13. Weak Spots (Examples)
• WordPress (Core, Themes & Plugins)
‣ Bugs/Vulnerabilities in the code itself
• Hosting (Web & Database Server/s)
‣ Poor File Permissions
• You
‣ Weak Password Choice

14. There are some simple things you can do to reduce the risk

15. 1. Update WordPress
• Simple

16. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

17. • If a vulnerability is discovered in WordPress and a new
version is released to address the issue, the information
required to exploit the vulnerability is almost certainly in the
public domain.
• This makes old versions more open to attack, and is one of
the primary reasons you should always keep WordPress up
to date.

18. • REMOVE unused themes and plugins (or at least keep them
up to date as well). Even when not activated, a vulnerable
plugin or theme can be used to attack a site.

19. 2. Rename “admin” account
• Make it hard for an attacker. If they already know your
username that’s half the battle
• As of 3.0 WordPress asks upfront during installation for an
admin account name - don't use "admin" and I recommend
not using anything related to the domain.

20. • If you do happen to have an “admin” account there are a
few options:
‣ Admin Renamer Extender - http://wordpress.org/
extend/plugins/admin-renamer-extended/
‣ Create another administrator user and then login as
new administrator user and delete "admin" user.
‣ Get your hands dirty with MySQL or use phpmyadmin
to edit the database directly

21. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

22. 3. Change your table_prefix
• My what? Its a database thing...
• Many published WordPress-specific SQL-injection attacks
make the assumption that the table_prefix is wp_, the
default.
• Changing this can block at least some SQL injection attacks.
• Good news - WordPress now asks upfront during installation
for you to specify a table prefix - so don’t use “wp”.

23. • If you haven’t changed your prefix:
‣ Change Table Prefix (http://wordpress.org/extend/
plugins/change-table-prefix/)
‣ Get your hands dirty with MySQL or use phpmyadmin
to edit the database directly (remember to update your
wp-config.php file as well)

24. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

25. 4. Setup Security Keys
• Often referred to as Salts - they add random elements to
your password when encrypting information in cookies
( that are used during the WordPress login process )
• They live in your sites wp-config.php and can be changed at
any time
• https://api.wordpress.org/secret-key/1.1/salt/

27. • WordPress now generates the salts for you if none are
provided - but it’s better to be safe than sorry.

28. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

29. 5. Use Strong Passwords
• Weak passwords leave your site vulnerable to:
‣ Brute Force Attacks
‣ Dictionary Attacks
• Please use a strong password
• Don’t reuse passwords
• WordPress has a built in strength meter (don’t ignore it)

30. Password1

31. jvYM89xwyzH?ah

32. • Try a password safe/generator like:
‣ 1Password (https://agilebits.com/onepassword)
‣ KeePass (http://keepass.info/)

33. 6. Limit login attempts
• Restrict number of failed attempts using a plugin like:
‣ Login Lockdown - http://wordpress.org/extend/
plugins/login-lockdown/
‣ Simple Login Lockdown - http://wordpress.org/
extend/plugins/simple-login-lockdown/

34. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

35. 7. Use SFTP or FTPS
• FTP transmits all data in the clear - including passwords
• If you need to regularly connect or upload files to your site
use SFTP or FTPS (especially if you are using public wifi)

36. 8. Check File Permissions
• Tricky to get right (especially in shared hosting where it is
more important to get it right)
• A good rule of thumb is to set file and folder permissions at
644 for files and 755 for folders

38. • http://codex.wordpress.org/Changing_File_Permissions

39. 9. Move wp-config.php
• wp-config.php is the main configuration file for your site
• WordPress automatically checks the parent directory if a wp-
config.php file is not found in your root directory
• Recommended that it is moved up one level (to the parent
directory) to make sure only your account and the server
can read the file

40. • If WordPress is located here:
‣ /public_html/mysite/wp-config.php
• You can move wp-config.php to here:
‣ /public_html/wp-config.php

41. • This makes it much more difficult for anyone to access your
wp-config.php file as it now resides outside of your sites root
directory

42. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

43. 10. Run Backups
• Hosts may provide backups
• However often...
‣ they don’t back up the right things
‣ they don’t back up regularly enough
‣ they don’t know WordPress
‣ they may charge you to restore your site

44. VaultPress - http://vaultpress.com/

45. Backup Buddy - http://ithemes.com/purchase/backupbuddy/

46. • Or just plain old...
‣ WP-DB-Backup - http://wordpress.org/extend/
plugins/wp-db-backup/
‣ WordPress Export (note the export doesn’t contain your
uploaded or options)

47. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress

48. 11. Choose hosting wisely
• In my experience you get what you pay for
• Look for hosts that have
‣ Good backup regime
‣ WordPress Expertise (tougher than you think)
‣ SFTP (SSH File Transport Protocol) or FTPS (FTP Secure)

49. 12. Be Security Minded
• Keep your own machine clean
• Don’t share or reuse passwords
• If you use public computers be sure to log out of WP
• If you use public networks
‣ avoid using ftp (that's the insecure one)
‣ avoid logging into WP if your not using HTTPS

50. There’s a plugin for that
• There are also range of “all in one” solutions that will cover
most of the above as well as things like:
‣ Remove the WordPress version/generator tag
‣ Remove update notifications
‣ Remove login error messages
‣ Change location of login urls

51. • http://wordpress.org/extend/plugins/better-wp-security/
• http://wordpress.org/extend/plugins/secure-wordpress/
• http://wordpress.org/extend/plugins/bulletproof-security/
• http://wordpress.org/extend/plugins/wp-security-scan/

52. Extra Resources
• http://codex.wordpress.org/Hardening_WordPress
• http://build.codepoet.com/2012/07/10/locking-down-
wordpress/ (E-book)
• http://codex.wordpress.org/Changing_File_Permissions
• http://sucuri.net/ (Malware Scanner)

53. Summary
1. Update WordPress 7. Use SFTP or FTPS
2. Rename “admin” user 8. Check File Permissions
3. Change the table_prefix 9. Move wp-config.php
4. Setup Security Keys 10. Run Backups
5. Use Strong Passwords 11. Choose Hosting Wisely
6. Limit Login Attempts 12. Be Security Minded

54. Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress THANK YOU Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress THANK YOU Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress THANK YOU Update WordPress
Update WordPress Update WordPress Update WordPress Update
WordPress Update WordPress Update WordPress Update WordPress
Update WordPress Update WordPress Update WordPress