This document provides tips on how to secure a WordPress website. It discusses both direct and indirect approaches to WordPress security. The direct approach recommends deleting the admin account, using strong and unique passwords, keeping software updated, restricting file permissions, and using security plugins. The indirect approach explains common attack types like defacement and SQL injection. It also suggests moving files like wp-config.php and using a database prefix to obscure the site's structure from attackers. The document emphasizes the importance of ongoing maintenance and vigilance in protecting a WordPress site.
19. PHP SHELL
PHP Shell is a shell wrapped in a PHP script. It’s a tool you can use to execute arbitrary shell commands or browse the filesystem on your remote web server.*
*http://phpshell.sourceforge.net/
20. OTHERS
- Backdoors
- SQL Injections
- Malicious Redirects
- Form Abuse
- Compromised Web Servers
23. DELETE “ADMIN” ACCOUNT
UPDATE wp_users SET user_login='batman' WHERE user_login='admin';
Hackers need only two pieces of information - “username” & “password”.
Don’t give them half.
Try to avoid showing your username in posts.
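The UPDATE above changes only the login name. WordPress also stores a user_nicename (the slug used in /author/<nicename>/ URLs, which the site reveals when ?author=1 is requested) and a display_name (printed on every post), and both still read “admin” after the rename. The following is an added example, not from the slides, that runs the rename against an in-memory SQLite stand-in for wp_users seeded with constructed rows, then shows which fields still expose the old name; the column names and the default wp_ prefix are WordPress's, the helper names and sample data are mine.

```python
import sqlite3

# Constructed sample rows standing in for WordPress's wp_users table (default wp_ prefix).
# Only the columns relevant to username exposure are modelled.
SAMPLE_USERS = [
    # (ID, user_login, user_nicename, display_name)
    (1, "admin", "admin", "admin"),
    (2, "editor", "editor", "Site Editor"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_nicename TEXT, display_name TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def rename_admin(conn, new_login):
    """The slide's UPDATE, parameterised: change the login name only."""
    conn.execute("UPDATE wp_users SET user_login=? WHERE user_login='admin'", (new_login,))
    conn.commit()


def scrub_public_name(conn, login, new_nicename, new_display):
    """Also rewrite the two public-facing fields. user_nicename is the slug in
    /author/<nicename>/ URLs (and in the redirect from ?author=<ID>); display_name
    is printed on posts. Both keep revealing the old username after rename_admin alone."""
    conn.execute(
        "UPDATE wp_users SET user_nicename=?, display_name=? WHERE user_login=?",
        (new_nicename, new_display, login),
    )
    conn.commit()


def admin_exposure(conn, user_id=1):
    """Report which fields of the given user would still reveal 'admin'."""
    login, nicename, display = conn.execute(
        "SELECT user_login, user_nicename, display_name FROM wp_users WHERE ID=?",
        (user_id,),
    ).fetchone()
    return {
        "login": login == "admin",          # what the login form checks
        "author_url": nicename == "admin",  # visible at /author/admin/
        "display_name": display == "admin", # visible on every post
    }


if __name__ == "__main__":
    db = make_db()
    rename_admin(db, "batman")
    print("after the slide's UPDATE:", admin_exposure(db))
    scrub_public_name(db, "batman", "bruce-w", "Bruce")
    print("after scrubbing public fields:", admin_exposure(db))
```

The same two UPDATE statements work unchanged on MySQL; pick a nicename that differs from the new login as well, since the author archive slug is itself a usable hint about the login name.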
27. MOVE UP WP-CONFIG.PHP
WordPress automatically checks the parent directory if the wp-config.php file is not found in your root directory, so it can be moved from
public_html/wordpress/wp-config.php
to
public_html/wp-config.php
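WordPress's parent-directory fallback has one condition the slide leaves out: the parent must not itself contain a wp-settings.php, otherwise WordPress treats it as a separate install and regards the current one as unconfigured. The following is an added example, not from the slides or WordPress's own code, that reimplements the lookup order from wp-load.php in Python and runs it over three constructed directory layouts built in a temporary folder; the function and layout names are mine.

```python
import os
import tempfile


def find_wp_config(abspath):
    """Return the wp-config.php that WordPress would load for an install rooted at
    abspath, mirroring wp-load.php: the install directory first, then the parent,
    but only if the parent does not look like another WordPress install
    (no wp-settings.php beside it). None means WordPress finds no config."""
    abspath = os.path.abspath(abspath)
    own = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(own):
        return own
    parent = os.path.dirname(abspath)
    parent_cfg = os.path.join(parent, "wp-config.php")
    if os.path.isfile(parent_cfg) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return parent_cfg
    return None


def build_layout(root, files):
    """Create the given relative files (empty) under root to construct a sample layout."""
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


# Constructed layouts: the slide's before/after, plus the case the slide does not mention.
LAYOUTS = {
    # wp-config.php inside the install directory (the default)
    "in_root": ["public_html/wordpress/wp-config.php",
                "public_html/wordpress/wp-settings.php"],
    # wp-config.php moved one level up, as the slide recommends
    "moved_up": ["public_html/wp-config.php",
                 "public_html/wordpress/wp-settings.php"],
    # moved up, but the parent is itself a WordPress install: the fallback is skipped
    "parent_is_wp": ["public_html/wp-config.php",
                     "public_html/wp-settings.php",
                     "public_html/wordpress/wp-settings.php"],
}


def demo():
    """Build every layout in a temp dir and report, per layout, the config path WordPress
    would load (relative to the layout root, with '/' separators) or None."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, files in LAYOUTS.items():
            case_root = os.path.join(root, name)
            build_layout(case_root, files)
            found = find_wp_config(os.path.join(case_root, "public_html", "wordpress"))
            results[name] = None if found is None else os.path.relpath(found, case_root).replace(os.sep, "/")
    return results


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:>13}: {path}")
```

Note that moving the file up only takes it out of web reach when the parent directory is above the document root; in the slide's layout public_html/wp-config.php is still under public_html, which is why the .htaccess rule on the next slide still matters.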
28. PROTECT WP-CONFIG.PHP
Write the following code in your .htaccess file
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
32. USE STRONG PASSWORD
- Eight Characters
- Two Uppercase Letters
- Two Symbols
Avoid your Name, Birth Year, Birthday, Age, Phone Number etc.
33. Creating A Password
- cabbage
- Sorry, the password must be more than 8 characters.
- boiled cabbage
- Sorry, the password must contain 1 numerical character.
- 1 boiled cabbage
- Sorry, the password cannot have blank spaces.
- 50fuckingboiledcabbages
- Sorry, the password must contain at least one upper case character.
- 50FUCKINGboiledcabbages
- Sorry, the password cannot use more than one upper case character consecutively.
- 50FuckingBoiledCabbagesShovedUpYourAss,Ifyoudon'tGiveMeAccessImmediately
- Sorry, the password cannot contain punctuation.
- NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessImmediately
- Sorry, that password is already in use!
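The rules on slide 32 are easy to state and easy to get wrong in code, as the dialogue above shows. The following is an added example, not from the slides, that implements exactly those rules in Python: length, uppercase and symbol counts, no blank spaces, and a check against personal data (name, birth year, birthday, age, phone number) supplied by the caller. Unlike the dialogue it reports every failed rule at once. The symbol set, the minimum token lengths and the sample profile are my own choices.

```python
import re

# Characters counted as "symbols"; an assumption, WordPress itself does not define a set.
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def personal_tokens(name="", birth_year=None, birthday=None, age=None, phone=""):
    """Derive the strings a password must not contain from the personal data slide 32
    lists. birthday is any object with .day and .month (e.g. datetime.date)."""
    tokens = set()
    for part in name.split():
        if len(part) >= 3:            # skip initials, which would match everywhere
            tokens.add(part.lower())
    if birth_year is not None:
        tokens.add(str(birth_year))
        tokens.add(str(birth_year)[-2:])
    if birthday is not None:
        tokens.add(f"{birthday.day:02d}{birthday.month:02d}")
        tokens.add(f"{birthday.month:02d}{birthday.day:02d}")
    if age is not None:
        tokens.add(str(age))
    digits = re.sub(r"\D", "", phone)
    if len(digits) >= 4:
        tokens.add(digits)
        tokens.add(digits[-4:])
    return tokens


def check_password(password, tokens=frozenset()):
    """Check a candidate against slide 32's rules. Returns the list of failed rules,
    in rule order; an empty list means the password is accepted."""
    failures = []
    if len(password) < 8:
        failures.append("at least eight characters")
    if sum(c.isupper() for c in password) < 2:
        failures.append("at least two uppercase letters")
    if sum(c in SYMBOLS for c in password) < 2:
        failures.append("at least two symbols")
    if any(c.isspace() for c in password):
        failures.append("no blank spaces")
    lowered = password.lower()
    hits = sorted(t for t in tokens if t in lowered)
    if hits:
        failures.append("must not contain personal data: " + ", ".join(hits))
    return failures


if __name__ == "__main__":
    # Constructed sample profile; nothing here is a real person's data.
    profile = personal_tokens(name="Bruce Wayne", birth_year=1985, phone="+1 555 0100")
    for candidate in ("cabbage", "boiled cabbage", "Wayne1985!?xZ", "Tr0ub4dor&3-Xq"):
        print(repr(candidate), "->", check_password(candidate, profile) or "accepted")
```

The personal-data check is deliberately case-insensitive and substring-based, so "Wayne1985" is rejected even though it satisfies every character-class rule; that is the point the slide makes when it says to avoid your name and birth year, not just to add symbols.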
35. SSL CERTIFICATE
Use an SSL certificate, and add these lines to wp-config.php to force HTTPS for logins and the admin area:
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
(FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN alone now covers both the login page and the admin area.)
36. MOVE WP-CONTENT FOLDER
Add these lines to wp-config.php before the line that requires wp-settings.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' );
define( 'WP_CONTENT_URL', 'http://www.codercats.net/blog/content/wp-content' );
41. GOOGLE AUTHENTICATOR
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
http://wordpress.org/plugins/google-authenticator/
42. VOICE BIOMETRICS
VoxedIn is a smartphone app and web toolkit that lets your users log in to your site using voice biometrics.
http://wordpress.org/plugins/voxedin/