SlideShare une entreprise Scribd logo

WordPress Server Security

Peter Baylies
Peter Baylies

This document provides best practices for securing a WordPress server. It recommends making regular backups, changing defaults, using strong passwords, updating software, and limiting access. Specific tips include moving wp-config.php out of the webroot, using security plugins, tightening file permissions, disabling unneeded software, and regularly scanning for vulnerabilities. While security is an ongoing process, following these guidelines helps protect a WordPress site.

Internet
1  sur  18
Télécharger pour lire hors ligne
WordPress Server Security Best Practices Peter Baylies aka @pbaylies on Twitter Semper Fi Web Design
Security • isn't simple • isn't perfect • isn't ever finished • ...no pressure!
Basic Tips and Gotchas • Backups, backups, backups. • Change the defaults • Use strong passwords (and password salts!) • Use SFTP and HTTPS • Update all the things • Trust no one.
Do I Need To Do All This? • Probably? - depends on your situation. • Find a great managed hosting company? • http://wpdevshed.com/managed-wordpress-hosting/ • Have a good sysadmin - or be one.
Good Advice • Limiting Access - reduce possible entry points • Containment - minimize potential damage • Preparation and Knowledge - backups! • Trusted Sources - download from reputable sites • http://codex.wordpress.org/Hardening_WordPress
Understanding the Environment • “LAMP” Environment – OS -­‐ Linux – Webserver -­‐ Apache – Database -­‐ MySQL – Scripting -­‐ PHP • and… WordPress!
WordPress Security • Move wp-config.php out of the webroot • Friends don't let friends use any eval plugins. • iThemes Security - https://ithemes.com/tutorials/ getting-started-ithemes-security-part-1/ • Wordfence - https://wordpress.org/plugins/wordfence/ • BruteProtect (soon to be JetPack) - https:// wordpress.org/plugins/bruteprotect/
OS Level Security • File permissions • User groups • mount / chroot / jail • Firewalls - csf / lfd • Virtual Machines • ...and much more. http://en.wikipedia.org/wiki/Unix_security
Web Server Security • Turn off indexing • Disable unnecessary modules • Use Deny / Allow directives, .htaccess • Hardening - mod_security, mod_evasive • Consider using a service like CloudFlare • http://www.tecmint.com/apache-security-tips/
Database security • User permissions • Disable remote access • Change the defaults • mysql_secure_installation • http://dev.mysql.com/doc/refman/5.0/en/mysql-secure- installation.html
PHP Security • suPHP - http://www.suphp.org/Home.html • Suhosin - back from the dead - https://github.com/ stefanesser/suhosin • php.ini - disable_functions - http://php.net/manual/en/ ini.core.php#ini.disable-functions • php.ini - set open_basedir - http://php.net/manual/en/ ini.core.php#ini.open-basedir
More Tools and Testing • Sucuri Sitecheck - http://sitecheck.sucuri.net/ • Beyond Security - https://www.scanmyserver.com/ • Hacker Target - http://hackertarget.com/wordpress-security- scan/ • WPScan - https://github.com/wpscanteam/wpscan
So You Think You Got • Don't Panic! • Contact your host • Remember those backups I mentioned? • Change passwords, check logs • Tools - rkhunter, ClamAV, Linux Malware Detect • http://codex.wordpress.org/ FAQ_My_site_was_hacked
Questions? • Thank you! • Slides available here -

Recommandé

Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkWilliam Earnhardt
 
Getting started with WordPress development
Getting started with WordPress developmentGetting started with WordPress development
Getting started with WordPress developmentSteve Mortiboy
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPressMicah Wood
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!WordCamp Cape Town
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPressvnsavage
 

Recommandé

Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkWilliam Earnhardt
 
Getting started with WordPress development
Getting started with WordPress developmentGetting started with WordPress development
Getting started with WordPress developmentSteve Mortiboy
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPressMicah Wood
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!WordCamp Cape Town
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPressvnsavage
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Speeding up your WordPress Site - WordCamp Toronto 2015
Speeding up your WordPress Site - WordCamp Toronto 2015Speeding up your WordPress Site - WordCamp Toronto 2015
Speeding up your WordPress Site - WordCamp Toronto 2015Alan Lok
 
WordPress Fav Plugins & Security
WordPress Fav Plugins & SecurityWordPress Fav Plugins & Security
WordPress Fav Plugins & SecurityThe Toolbox, Inc.
 
WordPress Intermediate Workshop
WordPress Intermediate WorkshopWordPress Intermediate Workshop
WordPress Intermediate WorkshopThe Toolbox, Inc.
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014The Toolbox, Inc.
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress GovLoop
 
HyperDB, MySQL Performance, & Flavors of MySQL
HyperDB, MySQL Performance, & Flavors of MySQLHyperDB, MySQL Performance, & Flavors of MySQL
HyperDB, MySQL Performance, & Flavors of MySQLEvan Volgas
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Piecing Together the WordPress Puzzle
Piecing Together the WordPress PuzzlePiecing Together the WordPress Puzzle
Piecing Together the WordPress PuzzleBusiness Vitality LLC
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a pluginBrian Layman
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...Otto Kekäläinen
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupChris Burgess
 
Here Be Dragons - Debugging WordPress
Here Be Dragons - Debugging WordPressHere Be Dragons - Debugging WordPress
Here Be Dragons - Debugging WordPressRami Sayar
 
Multisite core concepts final
Multisite core concepts finalMultisite core concepts final
Multisite core concepts finalUmesh Chaudhary
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityNathan Platt
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesGovLoop
 
Speeding Up WordPress sites
Speeding Up WordPress sitesSpeeding Up WordPress sites
Speeding Up WordPress sitesJason Yingling
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015kriptonium
 

Contenu connexe

Tendances

WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Speeding up your WordPress Site - WordCamp Toronto 2015
Speeding up your WordPress Site - WordCamp Toronto 2015Speeding up your WordPress Site - WordCamp Toronto 2015
Speeding up your WordPress Site - WordCamp Toronto 2015Alan Lok
 
WordPress Fav Plugins & Security
WordPress Fav Plugins & SecurityWordPress Fav Plugins & Security
WordPress Fav Plugins & SecurityThe Toolbox, Inc.
 
WordPress Intermediate Workshop
WordPress Intermediate WorkshopWordPress Intermediate Workshop
WordPress Intermediate WorkshopThe Toolbox, Inc.
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014The Toolbox, Inc.
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress GovLoop
 
HyperDB, MySQL Performance, & Flavors of MySQL
HyperDB, MySQL Performance, & Flavors of MySQLHyperDB, MySQL Performance, & Flavors of MySQL
HyperDB, MySQL Performance, & Flavors of MySQLEvan Volgas
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Piecing Together the WordPress Puzzle
Piecing Together the WordPress PuzzlePiecing Together the WordPress Puzzle
Piecing Together the WordPress PuzzleBusiness Vitality LLC
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a pluginBrian Layman
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...Otto Kekäläinen
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupChris Burgess
 
Here Be Dragons - Debugging WordPress
Here Be Dragons - Debugging WordPressHere Be Dragons - Debugging WordPress
Here Be Dragons - Debugging WordPressRami Sayar
 
Multisite core concepts final
Multisite core concepts finalMultisite core concepts final
Multisite core concepts finalUmesh Chaudhary
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityNathan Platt
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesGovLoop
 
Speeding Up WordPress sites
Speeding Up WordPress sitesSpeeding Up WordPress sites
Speeding Up WordPress sitesJason Yingling
 

Tendances (20)

WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Speeding up your WordPress Site - WordCamp Toronto 2015
Speeding up your WordPress Site - WordCamp Toronto 2015Speeding up your WordPress Site - WordCamp Toronto 2015
Speeding up your WordPress Site - WordCamp Toronto 2015
 
WordPress Fav Plugins & Security
WordPress Fav Plugins & SecurityWordPress Fav Plugins & Security
WordPress Fav Plugins & Security
 
WordPress Intermediate Workshop
WordPress Intermediate WorkshopWordPress Intermediate Workshop
WordPress Intermediate Workshop
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress
 
HyperDB, MySQL Performance, & Flavors of MySQL
HyperDB, MySQL Performance, & Flavors of MySQLHyperDB, MySQL Performance, & Flavors of MySQL
HyperDB, MySQL Performance, & Flavors of MySQL
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
Piecing Together the WordPress Puzzle
Piecing Together the WordPress PuzzlePiecing Together the WordPress Puzzle
Piecing Together the WordPress Puzzle
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a plugin
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User Meetup
 
Here Be Dragons - Debugging WordPress
Here Be Dragons - Debugging WordPressHere Be Dragons - Debugging WordPress
Here Be Dragons - Debugging WordPress
 
Multisite core concepts final
Multisite core concepts finalMultisite core concepts final
Multisite core concepts final
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sites
 
Speeding Up WordPress sites
Speeding Up WordPress sitesSpeeding Up WordPress sites
Speeding Up WordPress sites
 

Similaire à WordPress Server Security

Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015kriptonium
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableDarren Duke
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
Getting started with wordpress hosting and security
Getting started with wordpress hosting and securityGetting started with wordpress hosting and security
Getting started with wordpress hosting and securityWP Pittsburgh Meetup Group
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanJeff Hoffman
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress InstallationLester Chan
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaOSSCube
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
WordPress Setup and Security - WordCamp, Charleston 2014
WordPress Setup and Security - WordCamp, Charleston 2014WordPress Setup and Security - WordCamp, Charleston 2014
WordPress Setup and Security - WordCamp, Charleston 2014Michael Carnell
 

Similaire à WordPress Server Security (20)

Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security Intro
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
 
Ithemes presentation
Ithemes presentationIthemes presentation
Ithemes presentation
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
Getting started with wordpress hosting and security
Getting started with wordpress hosting and securityGetting started with wordpress hosting and security
Getting started with wordpress hosting and security
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress Installation
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
Flashack
FlashackFlashack
Flashack
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 
WordPress Setup and Security - WordCamp, Charleston 2014
WordPress Setup and Security - WordCamp, Charleston 2014WordPress Setup and Security - WordCamp, Charleston 2014
WordPress Setup and Security - WordCamp, Charleston 2014
 

Plus de Peter Baylies

Membership Plugins in WordPress
Membership Plugins in WordPressMembership Plugins in WordPress
Membership Plugins in WordPressPeter Baylies
 
Debugging and Profiling in WordPress: What is My Site Doing?
Debugging and Profiling in WordPress: What is My Site Doing?Debugging and Profiling in WordPress: What is My Site Doing?
Debugging and Profiling in WordPress: What is My Site Doing?Peter Baylies
 
Speed Up That Site! - a guide to caching plugins
Speed Up That Site! - a guide to caching pluginsSpeed Up That Site! - a guide to caching plugins
Speed Up That Site! - a guide to caching pluginsPeter Baylies
 
Doing cool stuff with WordPress
Doing cool stuff with WordPressDoing cool stuff with WordPress
Doing cool stuff with WordPressPeter Baylies
 
Mastering the shortcode api
Mastering the shortcode apiMastering the shortcode api
Mastering the shortcode apiPeter Baylies
 

Plus de Peter Baylies (8)

Membership Plugins in WordPress
Membership Plugins in WordPressMembership Plugins in WordPress
Membership Plugins in WordPress
 
Debugging and Profiling in WordPress: What is My Site Doing?
Debugging and Profiling in WordPress: What is My Site Doing?Debugging and Profiling in WordPress: What is My Site Doing?
Debugging and Profiling in WordPress: What is My Site Doing?
 
Speed Up That Site! - a guide to caching plugins
Speed Up That Site! - a guide to caching pluginsSpeed Up That Site! - a guide to caching plugins
Speed Up That Site! - a guide to caching plugins
 
Doing cool stuff with WordPress
Doing cool stuff with WordPressDoing cool stuff with WordPress
Doing cool stuff with WordPress
 
Mastering the shortcode api
Mastering the shortcode apiMastering the shortcode api
Mastering the shortcode api
 
Add tag shortcode
Add tag shortcodeAdd tag shortcode
Add tag shortcode
 
Add loop shortcode
Add loop shortcodeAdd loop shortcode
Add loop shortcode
 
Add title shortcode
Add title shortcodeAdd title shortcode
Add title shortcode
 

Dernier

75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxgalaxypingy
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 

Dernier (20)

75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 

WordPress Server Security

  • 1. WordPress Server Security Best Practices Peter Baylies aka @pbaylies on Twitter Semper Fi Web Design
  • 2. Security • isn't simple • isn't perfect • isn't ever finished • ...no pressure!
  • 3. Basic Tips and Gotchas • Backups, backups, backups. • Change the defaults • Use strong passwords (and password salts!) • Use SFTP and HTTPS • Update all the things • Trust no one.
  • 4.
  • 5. Do I Need To Do All This? • Probably? - depends on your situation. • Find a great managed hosting company? • http://wpdevshed.com/managed-wordpress-hosting/ • Have a good sysadmin - or be one.
  • 6.
  • 7. Good Advice • Limiting Access - reduce possible entry points • Containment - minimize potential damage • Preparation and Knowledge - backups! • Trusted Sources - download from reputable sites • http://codex.wordpress.org/Hardening_WordPress
  • 8.
  • 9. Understanding the Environment • “LAMP” Environment – OS -­‐ Linux – Webserver -­‐ Apache – Database -­‐ MySQL – Scripting -­‐ PHP • and… WordPress!
  • 10. WordPress Security • Move wp-config.php out of the webroot • Friends don't let friends use any eval plugins. • iThemes Security - https://ithemes.com/tutorials/ getting-started-ithemes-security-part-1/ • Wordfence - https://wordpress.org/plugins/wordfence/ • BruteProtect (soon to be JetPack) - https:// wordpress.org/plugins/bruteprotect/
  • 11. OS Level Security • File permissions • User groups • mount / chroot / jail • Firewalls - csf / lfd • Virtual Machines • ...and much more. http://en.wikipedia.org/wiki/Unix_security
  • 12. Web Server Security • Turn off indexing • Disable unnecessary modules • Use Deny / Allow directives, .htaccess • Hardening - mod_security, mod_evasive • Consider using a service like CloudFlare • http://www.tecmint.com/apache-security-tips/
  • 13. Database security • User permissions • Disable remote access • Change the defaults • mysql_secure_installation • http://dev.mysql.com/doc/refman/5.0/en/mysql-secure- installation.html
  • 14. PHP Security • suPHP - http://www.suphp.org/Home.html • Suhosin - back from the dead - https://github.com/ stefanesser/suhosin • php.ini - disable_functions - http://php.net/manual/en/ ini.core.php#ini.disable-functions • php.ini - set open_basedir - http://php.net/manual/en/ ini.core.php#ini.open-basedir
  • 15. More Tools and Testing • Sucuri Sitecheck - http://sitecheck.sucuri.net/ • Beyond Security - https://www.scanmyserver.com/ • Hacker Target - http://hackertarget.com/wordpress-security- scan/ • WPScan - https://github.com/wpscanteam/wpscan
  • 16.
  • 17. So You Think You Got • Don't Panic! • Contact your host • Remember those backups I mentioned? • Change passwords, check logs • Tools - rkhunter, ClamAV, Linux Malware Detect • http://codex.wordpress.org/ FAQ_My_site_was_hacked
  • 18. Questions? • Thank you! • Slides available here -