This document provides tips on how to secure a WordPress website. It discusses both direct and indirect approaches to WordPress security. The direct approach recommends deleting the admin account, using strong and unique passwords, keeping software updated, restricting file permissions, and using security plugins. The indirect approach explains common attack types like defacement and SQL injection. It also suggests moving files like wp-config.php and using a database prefix to obscure the site's structure from attackers. The document emphasizes the importance of ongoing maintenance and vigilance in protecting a WordPress site.

1. WORDPRESS SECURITY
How to secure your WordPress website

2. RUPOK CHOWDHURY PROTIK
Co-Founder, Head of WebDev, CoderCats
@rupok
fb.com/rupokify
rupokify@gmail.com
www.rupok.net

3. WAYS
Direct Approach
Indirect Approach

4. DIRECT APPROACH

5. BEST WAY
100% Guaranteed

6. DELETE IT !

7. REQUEST?
A really really cute face may help!

8. Don’t hack my site, please!

9. INDIRECT APPROACH

10. A BASIC UNDERSTANDING

11. FOUR “W”, ONE “H”
Who .Why .When .Where . How

12. WHO
Anonymous .Your Friend .A Random Guy

13. WHY
Fun . Revenge . Profit . Political

14. WHEN
Least Expected .You are not Ready .The door is open

15. (EVERY)WHERE
Shared Hosting .VPS . Dedicated Server .Your Laptop

16. HOW

17. DEFACEMENT
Website defacement is an attack on a website that changes the
visual appearance of the site or a webpage*
*Wikipedia

18. SPAM LINKS
base64_decode(‘aHR0cDovL3d3dy5jb2RlcmNhdHMubmV0L2VhdHNpdGUucGhw’);
!
http://www.codercats.net/eatsite.php

19. PHP SHELL
PHP Shell is a shell wrapped in a PHP script. It’s a tool you can use to execute
arbitrary shell-commands or browse the filesystem on your remote web server*
*http://phpshell.sourceforge.net/

20. OTHERS
Backdoors . SQL Injections . Malicious Redirects . Form Abuse .
Compromised Web Servers

21. WHAT CAN WE DO?

22. AVOID NULLED
THEMES & PLUGINS
Why are they giving you for free?

23. DELETE “ADMIN”ACCOUNT
UPDATE wp_users SET user_login=‘batman’WHERE user_login=‘admin’;
!
Hackers need only two piece of information - “username” & “password”
Don’t give them half.
Try to avoid showing your username in posts

24. USE SECRET KEYS
https://api.wordpress.org/secret-key/1.1/salt/

25. UPDATE EVERYTHING
Keep “EVERYTHING” updated. Literally EVERYTHING.

26. MODIFY FILE PERMISSION
Files 644
Folders 755
.htaccess 444
wp-config.php 444

27. MOVE UP WP-CONFIG.PHP
WordPress automatically checks the parent directory if wp-
config.php file is not found in your root directory
!
public_html/wordpress/wp-config.php
public_html/wp-config.php

28. PROTECT WP-CONFIG.PHP
Write the following code in your .htaccess file
!
<files wp-config.php>
order allow, deny
deny from all
</files>

29. LOCAL SECURITY
KeyLogger, Malwares
!
Don’t use FTP
Try to use sFTP or SSH

30. CONTROL LOGIN ATTEMPTS
Don’t let them try for eternity
https://wordpress.org/plugins/login-lockdown/

31. SECURITY PLUGINS
BulletProof Security, Secure WordPress, Exploit Scanner,
Malware Scanner (sucuri.net)

32. USE STRONG PASSWORD
Eight Characters .Two Uppercase Letters .Two Symbols
Avoid your Name, BirthYear, Birthday,Age, Phone Number etc.

33. Creating A Password
!
- cabbage
- Sorry, the password must be more than 8 characters.
!
- boiled cabbage
- Sorry, the password must contain 1 numerical character,
!
- 1 boiled cabbage
- Sorry, the password cannot have blank spaces.
!
- 50fuckingboiledcabbages
- Sorry, the password must contain at least one upper case character.
!
- 50FUCKINGboiledcabbages
- Sorry, the password cannot use more than one upper case character consecutively.
!
- 50FuckingBoiledCabbagesShovedUpYourAss,Ifyoudon'tGiveMeAccesslmmediately
- Sorry, the password cannot contain punctuation.
!
- NowlAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourAsslfYouDontGiveMeAccessImmediately
- Sorry, that password is already in use!

34. DATABASETABLE PREFIX
Change from “wp_” to “wp_anything_” or wpanything_”
anything may contain a-z, 0-9

35. SSL CERTIFICATE
Try to use SSL Certificate
!
define(‘FORCE_SSL_ADMIN’, true);
define(‘FORCE_SSL_LOGIN’, true);

36. MOVE WP-CONTENT FOLDER
Before wp-settings.php is called in wp-config.php
!
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/content/wp-content' );
define( 'WP_CONTENT_URL',‘http://www.codercats.net/blog/content/wp-content' );

37. PROTECT WP-ADMIN
Password Protect wp-admin folder using .htaccess + .htpasswd
!
http://www.wpbeginner.com/wp-tutorials/how-to-password-
protect-your-wordpress-admin-wp-admin-directory/

38. DISABLE DASHBOARD EDIT
define(‘DISALLOW_FILE_EDIT’, true);

39. CHANGE LOGIN URL
RewriteRule ^login$ http://www.rupok.net/wp-login.php [NC, L]
!
Now I can login at www.rupok.net/login

40. INSANE PLANS

41. GOOGLE AUTHENTICATOR
The Google Authenticator plugin for WordPress gives you two-
factor authentication using the Google Authenticator app for
Android/iPhone/Blackberry.
!
http://wordpress.org/plugins/google-authenticator/

42. VOICE BIOMETRICS
VoxedIn is a Smartphone app and web toolkit that lets your
users log in to your site using voice biometrics
!
http://wordpress.org/plugins/voxedin/

43. SPECIALTHANKS
Jesse Pollak . Brad Williams . Lime Canvas

44. QUESTIONS ?