best practices in wordpress security - wordcamp yyc 2015
TRANSCRIPT
RE CARLSON  @rehcarlson  #WCYYC
@AbtekWeb
BEST PRACTICES IN
SELF-HOSTED WORDPRESS SECURITY & SPEED
THIS TALK IS NOT FOR DEVELOPERS.
Chris Wiegman, Securing Your Code –
WordPress Security for Developers
May 7, 2015 at LoopConf
Las Vegas, NV
https://youtu.be/nuWR_HiBHYc
SECURITY IS HARD.
“IT SHOULD JUST WORK.”
“YOU SHOULD JUST PAY ME.”
TRAINING IS HARD.
(slide diagram labels: plugins, posts, pages, SQL, meta)
LOGIN SECURITY
BEST PRACTICES IN LOGIN SECURITY
Never use “admin” as a username, and enforce strong passwords for your users.
Never publish pages or posts using accounts with Administrator-level permission.
Limit login attempts and change /wp-admin/ to something else.
Disable the Dashboard editor in wp-config.php
define('DISALLOW_FILE_EDIT', true);
WordFence
BPS Security
iThemes Security
UPDATE FILE PERMISSIONS
File / Directory          Permissions
.htaccess                 404 / 604
index.php                 400 / 600
wp-config.php             400 / 600
wp-blog-header.php        400 / 600
/wp-admin/                705
/wp-content/              705
/wp-content/plugins       705
/wp-content/themes        705
/wp-content/uploads       705
/wp-content/upgrade       755
Shared hosting providers won't allow you to change Owner permissions.
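The modes in the table above can be applied and, more usefully, re-checked on a schedule. The script below is an added example and is not part of the talk; it assumes a POSIX shell on a Linux/BSD host where you own the files (on shared hosting only the looser second column may be possible), uses the stricter first-column modes for the four files, and uses `find PATH -prune -perm MODE`, which prints PATH only when the mode matches exactly.

```shell
#!/bin/sh
# Added example (not from the talk): apply and audit the WordPress file modes
# from the permissions table. Paths are relative to the WordPress root;
# entries that do not exist (e.g. no .htaccess on nginx) are skipped.

WP_PERMS='
.htaccess 404
index.php 400
wp-config.php 400
wp-blog-header.php 400
wp-admin 705
wp-content 705
wp-content/plugins 705
wp-content/themes 705
wp-content/uploads 705
wp-content/upgrade 755
'

# wp_apply_perms ROOT: chmod every listed path that exists under ROOT.
wp_apply_perms() {
  root=$1
  while read -r rel mode; do
    [ -n "$rel" ] || continue
    if [ -e "$root/$rel" ]; then
      chmod "$mode" "$root/$rel"
    fi
  done <<EOF
$WP_PERMS
EOF
  return 0
}

# wp_check_perms ROOT: print one MISMATCH line per path whose mode differs
# from the table; returns 1 if anything differed, 0 if all match.
# `find PATH -prune -perm MODE` matches the mode bits exactly and never
# descends into directories, so the check stays cheap on large uploads trees.
wp_check_perms() {
  root=$1
  bad=0
  while read -r rel mode; do
    [ -n "$rel" ] || continue
    [ -e "$root/$rel" ] || continue
    if [ -z "$(find "$root/$rel" -prune -perm "$mode")" ]; then
      printf 'MISMATCH %s (expected %s)\n' "$rel" "$mode"
      bad=1
    fi
  done <<EOF
$WP_PERMS
EOF
  return $bad
}

# Usage: wp_check_perms /var/www/html || wp_apply_perms /var/www/html
```

Run `wp_check_perms` from cron and alert on a non-zero exit; a drift back to 644 or 666 on `wp-config.php` after a plugin or hosting-panel "repair" is exactly what this catches.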
CUSTOMIZE PHP + .HTACCESS
WHAT IS .HTACCESS?
“.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.”
FILES ARE HIDDEN BY DEFAULT
WHAT ELSE CAN YOU DO WITH .HTACCESS?
Define Error Pages – 400, 401, 403, 404, 500
Define caching-specific rules
Restrict users based on IP address
Force browser to use a different index file
Add 301 redirect rules
More info: Tuts+ Article
USING SHARED HOSTING?
Add & customize this code to .htaccess
suPHP_ConfigPath /home/username/
Then upload your customized php.ini file to this directory & set file permissions to 600.
CHECK YOUR SETTINGS IN PHP.INI
PHP Safe Mode: Off
PHP Allow URL fopen: Off
PHP Allow URL Include: Off
PHP Display Errors: Off
PHP Display Startup Errors: Off
PHP Expose PHP: Off
PHP Register Globals: Off
PHP MySQL Allow Persistent Connections: Off
PHP Output Buffering: Off
PHP Max Script Execution Time: 60 Seconds
PHP Magic Quotes GPC: Off
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: No
Other Fun Stuff
memory_limit = 128M
upload_max_filesize = 50M
max_execution_time = 30
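Checking these by eye once is not enough, because a host upgrade or a panel reset can silently put a setting back. The script below is an added example, not from the talk: it parses a php.ini file the way PHP does (last uncommented assignment of a directive wins, `;` starts a comment) and compares the boolean directives from the checklist above against their expected values. It assumes a POSIX shell with `sed`, `tail` and `tr`. It deliberately omits `safe_mode`, `register_globals` and `magic_quotes_gpc`, which were removed in PHP 5.4 and are ignored by any current PHP; an unset directive is reported as missing rather than assumed Off, because several of these (`expose_php`, `allow_url_fopen`) default to On.

```shell
#!/bin/sh
# Added example (not from the talk): audit a php.ini against the talk's
# checklist. Directive names are real php.ini directives; the expected
# values are the ones the slides recommend.

PHPINI_EXPECTED='
allow_url_fopen=Off
allow_url_include=Off
display_errors=Off
display_startup_errors=Off
expose_php=Off
mysql.allow_persistent=Off
output_buffering=Off
'

# phpini_get FILE DIRECTIVE: print the effective value (last assignment wins,
# trailing ";" comment and whitespace stripped); prints nothing if unset.
phpini_get() {
  ini=$1; key=$2
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$ini" \
    | tail -n 1 \
    | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//'
}

# phpini_same HAVE WANT: compare two ini booleans, treating 0/off/false/no
# and 1/on/true/yes alike. An empty HAVE (unset) never matches.
phpini_same() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$a" in 0|off|false|no) a=off ;; 1|on|true|yes) a=on ;; esac
  case "$b" in 0|off|false|no) b=off ;; 1|on|true|yes) b=on ;; esac
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# phpini_audit FILE: one WARN line per directive that is unset or deviates;
# returns 1 if any deviation was found, 0 if the file matches the checklist.
phpini_audit() {
  ini=$1; bad=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    have=$(phpini_get "$ini" "$key")
    if ! phpini_same "$have" "$want"; then
      printf 'WARN %s is "%s", expected %s\n' "$key" "${have:-<unset>}" "$want"
      bad=1
    fi
  done <<EOF
$PHPINI_EXPECTED
EOF
  return $bad
}

# Usage: phpini_audit /home/username/php.ini
```

Point it at the php.ini that `suPHP_ConfigPath` actually loads, not the system copy; on shared hosting the two are often different files.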
DENY ACCESS TO SETTINGS FILES
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of Order/Deny
    Order Allow,Deny
    Deny from all
    #Allow from 192.168.0.1
</FilesMatch>
SECURE YOUR DATABASE
Revoke permissions to DROP, ALTER and GRANT on production sites (unless required by your plugins).
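Two helpers for the database advice above, added here as an example rather than taken from the talk. `wp_grant_sql` and `wp_revoke_sql` emit the MySQL statements for a least-privilege application user (the privilege list is an assumption about what a typical WordPress site needs day to day: SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX; core version upgrades that change the schema run ALTER TABLE, so grant ALTER only for the upgrade window). `grants_audit` reads the output of `SHOW GRANTS FOR 'user'@'host'` from stdin and flags any line that still carries DROP, ALTER, GRANT OPTION or ALL PRIVILEGES. The user, host and database names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): generate least-privilege GRANT/REVOKE
# statements for the WordPress DB user and audit existing grants.

# wp_grant_sql DB USER [HOST]: least-privilege GRANT for the application user.
# Privilege list is an assumption (see lead-in); no DROP, ALTER or GRANT OPTION.
wp_grant_sql() {
  db=$1; user=$2; host=${3:-localhost}
  printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX ON \`%s\`.* TO '%s'@'%s';\n" \
    "$db" "$user" "$host"
}

# wp_revoke_sql DB USER [HOST]: strip the three privileges the talk names.
wp_revoke_sql() {
  db=$1; user=$2; host=${3:-localhost}
  printf "REVOKE DROP, ALTER, GRANT OPTION ON \`%s\`.* FROM '%s'@'%s';\n" \
    "$db" "$user" "$host"
}

# grants_audit: read SHOW GRANTS output (one GRANT statement per line) on
# stdin, print one RISK line per dangerous privilege found, return 1 if any.
grants_audit() {
  bad=0
  while read -r line; do
    case "$line" in
      GRANT*) ;;
      *) continue ;;
    esac
    upper=$(printf '%s' "$line" | tr 'a-z' 'A-Z')
    for priv in 'ALL PRIVILEGES' 'DROP' 'ALTER' 'GRANT OPTION'; do
      case "$upper" in
        *"$priv"*) printf 'RISK: %s -> %s\n' "$priv" "$line"; bad=1 ;;
      esac
    done
  done
  return $bad
}

# Usage (the mysql invocation is the standard CLI; credentials are yours):
#   mysql -N -e "SHOW GRANTS FOR 'wpuser'@'localhost'" | grants_audit
#   wp_revoke_sql wpdb wpuser localhost | mysql
```

`ALTER` in the audit also matches `ALTER ROUTINE`, which is intentional; a plugin that genuinely needs one of these privileges should be the documented exception, and the audit output is the list to review against that exception list.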
FOLLOW BREAKING SECURITY NEWS
THANKS FOR DOWNLOADING!
SAVE $100 OFF SECURITY AUDIT SERVICE
CALL 1-844-33-ABTEK FOR DETAILS