This document discusses security best practices for WordPress websites. It begins by providing background on WordPress and its popularity. It then discusses common attacks like brute-force login guessing and ways to protect against them, such as using strong passwords, hiding the WordPress version, and setting restrictive file permissions. The document also recommends security plugins like Akismet for spam protection and regular backups to prevent data loss. Overall, it provides a comprehensive overview of steps users can take to harden their WordPress installations against common attacks.
Is your WordPress safe enough?
1. IS YOUR WORDPRESS SAFE ENOUGH?
Said Murat
Warsaw/Poland
www.saidmurat.net & info@saidmurat.net
2. What is WordPress?
WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL. It has many features including a plug-in architecture and a template system.
It was first released on May 27, 2003, by founders Matt Mullenweg and Mike Little. As of April 2013, version 3.5 had been downloaded over 18 million times.
Matt Mullenweg
3. What about the numbers?
WordPress is currently the most popular blogging system in use on the Web, powering over 60 million websites worldwide.
8. How to attack?
Brute Force
In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data.
In practice, against a website, a brute-force attack is an attempt to log into an account by systematically trying thousands of passwords.
12. How to provide protection from attacks?
WordPress is a 'ready-made' system that gets you online fast, but that alone does not mean your site is safe enough. That is why there are a number of steps you should take to make your site much safer.
Let's go through them step by step!
13. How to provide protection from attacks?
A) MySQL Database;
- Do not name the database something obvious like 'mysite_database'; a guessable name makes it easier for an attacker to find your database.
- Do not use a password like 'abc12345'.
- Do not use 'Admin' as the username.
14. How to provide protection from attacks?
B) Remove the 'install.php' file;
Once the installation is finished, simply delete the 'install.php' file.
15. How to provide protection from attacks?
C) Admin Username;
You HAVE TO be careful when choosing your admin's username.
- Do not use 'admin', 'administrator' or 'manager'.
- Your password should also mix upper- and lower-case letters with digits, like '5o12cMs'.
16. How to provide protection from attacks?
D) Hide the version of your WordPress;
You know which version of WordPress you run, but others do not need to know it, right? Then open your theme's 'functions.php' and add this line:
// stop WordPress from printing the <meta name="generator"> tag that carries the version number
remove_action('wp_head', 'wp_generator');
17. How to provide protection from attacks?
E) Permissions of your files;
Some of WordPress's files are writable 'out of the box', but there is no need for that: spam bots may try to reach your files in unexpected ways. So open your FTP client and change the 'permissions of your files' as follows:
(root directory) : 0755
wp-includes/ : 0755
wp-admin/ : 0755
wp-admin/js/ : 0755
wp-content/ : 0755
wp-content/themes/ : 0755
wp-content/plugins/ : 0755
wp-admin/index.php : 0644
.htaccess : 0644
wp-config.php : 0644
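As an added example (not from the original deck), the following POSIX shell script audits a WordPress tree against the permission table above and can apply it with chmod; it assumes a Linux host with GNU coreutils (`stat -c %a`) and the path to the WordPress root as its argument.

```shell
# Audit a WordPress tree against the permission table above, optionally applying
# it. Added example, not from the original deck. Assumes Linux with GNU coreutils
# (`stat -c %a`); on BSD/macOS use `stat -f %Lp` instead.

# Expected modes, one "relative-path mode" pair per line; "." is the WP root.
# stat prints modes without the leading zero, so 0755 is written 755 here.
WP_EXPECTED='
. 755
wp-includes 755
wp-admin 755
wp-admin/js 755
wp-content 755
wp-content/themes 755
wp-content/plugins 755
wp-admin/index.php 644
.htaccess 644
wp-config.php 644'

# Report every path whose mode differs from the table (or is absent): one MISMATCH
# line per deviation; exit status 0 if clean, 1 otherwise. Here-doc keeps $bad in scope.
wp_perm_audit() {
    bad=0
    while read -r rel want; do
        [ -n "$rel" ] || continue
        if [ -e "$1/$rel" ]; then got=$(stat -c '%a' "$1/$rel"); else got=missing; fi
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %-22s expected %s got %s\n' "$rel" "$want" "$got"
            bad=1
        fi
    done <<EOF
$WP_EXPECTED
EOF
    return "$bad"
}

# Apply the table with chmod; paths that do not exist yet (e.g. no .htaccess)
# are skipped and will still be reported by the audit.
wp_perm_apply() {
    while read -r rel want; do
        if [ -n "$rel" ] && [ -e "$1/$rel" ]; then chmod "$want" "$1/$rel"; fi
    done <<EOF
$WP_EXPECTED
EOF
}

# Usage: sh wp_perms.sh /var/www/html [--fix]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then wp_perm_apply "$1"; fi
    wp_perm_audit "$1"
fi
```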
18. How to provide protection from attacks?
F) Where is your .htaccess file?
To have a secure WordPress installation you really need a '.htaccess' file. By default it only holds the 'redirection' (rewrite) rules, but you can extend it to harden your site. If you do not have this file, just create it!
# Hide the server signature (version banner) on error pages
ServerSignature Off
# Cap the size of an upload (request body) at about 10 MB
LimitRequestBody 10240000
# Stop the .htaccess file itself from being served to visitors
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files .htaccess>
order allow,deny
deny from all
</Files>
19. How to provide protection from attacks?
WP-Security Scan (Plugin)
This is one of the most useful plugins and should definitely be run regularly by every WordPress blogger. It checks for common security loopholes in a few seconds, then prepares a list of possible vulnerabilities, such as weak file passwords or permissions, and offers suggestions on corrective actions to deal with them.
20. What about SPAM?
You may receive spam via comments on your posts. Spammers try to get their comments published on your pages to advertise their own sites. Sometimes those comments also carry links that redirect your members to their pages automatically.
21. Plugins
Akismet
The best anti-spam plugin for WordPress. Bundled with WordPress, Akismet requires a registration key, but it is easy to set up and provides excellent "set-it-and-forget-it" spam protection.
Limit Login Attempts
The best plugin against login attacks. Using the brute-force method, hackers may attack your login page. Thanks to this plugin, after the third failed attempt WordPress makes the user wait a while before trying a username and password again. Without it, an attacker working through a wordlist may eventually find valid login details.
WP Activity Monitor
You may have many admins, moderators or editors on your WordPress site, and it is hard to keep an eye on everyone. Moreover, how can you be sure there is no intruder you do not know about? With this plugin you can review every detail of what happens on your WordPress site.
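The login hammering that Limit Login Attempts throttles also leaves a trace in the web server's access log. As an added example (not from the original deck), this shell/awk script counts failed POSTs to wp-login.php per client in a "combined" format log and flags any client over the three-attempt threshold the slide quotes; the log lines and IP addresses are constructed.

```shell
# Spot login brute forcing in a "combined" web server access log: count failed
# POSTs to wp-login.php per client IP and flag clients over a threshold.
# Added example, not from the original deck; the log lines are constructed.
# A failed WordPress login re-renders the form (HTTP 200); a successful login
# answers with a 302 redirect, so only 200-status POSTs are counted as failures.

WP_LOGIN_THRESHOLD=3   # the "third attempt" limit the slide quotes

# Constructed sample log: one client hammering the form, one legitimate user
# who mistypes once, one visitor who never posts to the login page.
SAMPLE_LOG='203.0.113.7 - - [10/May/2013:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2013:10:05:10 +0200] "GET /wp-login.php HTTP/1.1" 200 3490 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2013:10:05:31 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2013:10:05:49 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2013:10:07:00 +0200] "GET /2013/05/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

# Read a log on stdin and print "count ip" for each client with more failed
# login POSTs than $1 (default WP_LOGIN_THRESHOLD), busiest client first.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 request path, $9 status.
wp_login_bruteforce() {
    awk -v limit="${1:-$WP_LOGIN_THRESHOLD}" '
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }
    ' | sort -rn
}

# Stand-alone: with no arguments scan the constructed sample; otherwise read a
# real log from stdin, e.g. `sh wp_bf.sh 3 < /var/log/apache2/access.log`.
if [ $# -eq 0 ]; then printf '%s\n' "$SAMPLE_LOG" | wp_login_bruteforce; else wp_login_bruteforce "$1"; fi
```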
22. Tips
Back up your MySQL database regularly;
You should always back up your site files and database. Get into the habit of regular MySQL backups by exporting your MySQL data as a .sql file and storing it in a safe location.
Do not install every plugin you find;
WordPress users usually get hacked because of plugins. That is why you should only download and install plugins recommended by WordPress.