Upload File

securing your wordpress blog · securing your wordpress blog wordpress knoxville, dec. 13...

  • Home
  • Documents
  • Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share
9
Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11

Upload: others

Post on 29-Sep-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Securing your WordPress BlogWordPress Knoxville, Dec. 13

Wednesday, December 28, 11

Page 2: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Security Basics

Don’t use “nimda” as a password.

Don’t share passwords across accounts.

Prefer SFTP over FTP, SSH over telnet.

Wednesday, December 28, 11

Page 3: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Discovering Hackery

Wednesday, December 28, 11

Page 4: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Discovering Hackery

Wednesday, December 28, 11

Page 5: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Discovering Hackery

Try a scan, e.g. http://sitecheck.sucuri.net/scanner/

Check for uses of eval()

Check for uses of base64_decode()

Check for iframes

Check for php or non-image files in the uploads directory

Ask your hosting provider if other sites are hacked.

Wednesday, December 28, 11

http://sitecheck.sucuri.net/scanner/
http://sitecheck.sucuri.net/scanner/
Page 6: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Fixing HackeryScan your desktop

Back everything up

Check with your hosting company

Change mysql/ftp/ssh/user passwords

Change secret keys (http://bit.ly/2m00jW)

Check .htaccess (extras or weird rules)

Delete everything or at least replace core files

Change passwords again

Hire somebody with know-how.

Do the stuff you should already have done...

Wednesday, December 28, 11

http://bit.ly/2m00jW
http://bit.ly/2m00jW
Page 7: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Safeguarding in Advance

Never download WordPress from anywhere but wordpress.org

Update ASAP (plugins and themes too)

Rename the default admin account

Use file/permission scanners (http://bit.ly/KDPw1 and http://bit.ly/saYTz)

Move wp-config.php to the parent directory

Disable new user registration

Audit file permissions

Vary user credentials

Wednesday, December 28, 11

http://bit.ly/KDPw1
http://bit.ly/KDPw1
http://bit.ly/saYTz
http://bit.ly/saYTz
Page 8: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Safeguarding in Advance

Consider adding Basic auth to /wp-admin

Delete plugins/themes you’re not actually using

Vet plugins/themes before installing (e.g. watch for eval, base64_decode, iframes, or attempts to write to the filesystem.

Don’t use the default table prefix of wp_

Watch your logs for e.g. dictionary attacks (http://www.ossec.net/)

Consider trying VaultPress

Wednesday, December 28, 11

http://www.ossec.net
http://www.ossec.net
Page 9: Securing your WordPress Blog · Securing your WordPress Blog WordPress Knoxville, Dec. 13 Wednesday, December 28, 11. Security Basics DonÕt use ÒnimdaÓ as a password. DonÕt share

Links

http://codex.wordpress.org/Hardening_WordPress

http://ottopress.com/2011/how-to-cope-with-a-hacked-site/

http://codex.wordpress.org/Resetting_Your_Password

http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

Wednesday, December 28, 11

http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Hardening_WordPress
http://ottopress.com/2011/how-to-cope-with-a-hacked-site/
http://ottopress.com/2011/how-to-cope-with-a-hacked-site/
http://codex.wordpress.org/Resetting_Your_Password
http://codex.wordpress.org/Resetting_Your_Password

AUDITING AND SECURING SAP TRAINING WEEK - …mistiemea.ungerboeck.com/brochures/TW Auditing and Securing SAP... · AUDITING AND SECURING SAP TRAINING WEEK Auditing and Securing SAP

How deep is your safety? · the tyres youÕre driving today? 1/3 donÕt know their tread depth: 33% donÕt know their tread depth 67% are aware of their tread depth (2 mm to 8 mm)

Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2

Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012

Securing Buy-in Step 5: Securing Buy-in. Securing Buy-in Securing Buy-in Our Roadmap

Schedule : Day 1 - WordCamp Baroda 2013 · 2012. 12. 27. · Building Freelance Business wih WP : Puneet Sahalot 101 Securing wordpress blog : Paresh Mayani UX & UI of a blog with

Wordpress. Wordpress… Open Source – GNU General Public License Wordpress…

WordPress, WordPress Multisite y WordPress Multinetwork

Curso Wordpress - Tutorial Wordpress

Securing your WordPress site in 5 easy pieces

Securing Debian Manual – securing-debian-howto.pt-br.pdf

DonÕt Stress É ItÕs Time to Assess! · Social Studies Coalition of Delaware Lead Teacher Training DonÕt Stress É ItÕs Time to Assess! Sherry Kijowski Theresa Bennett February,

Cruisin’ Schedule: cations. - Beaches Restaurant and Barbeachesrestaurantandbar.com/wordpress/wp-content/uploads/2019/… · rides that donÕt meet the typical ÔShow criteriaÕ

Wordpress | Wordpress(CMS) | best CMS for beginners | popular Wordpress plugins

Adopting Singapore DonÕt You Wish Math- A Case Study You

Securing WordPress by Bill Davis

Ensuring academic integrity and assessment security with ...wordpress-ms.deakin.edu.au/dteach/wp-content/uploads/sites/103/2… · Securing every act of assessment is infeasible,

Securing Corp: Securing-Corporateorate ApplicationsandData on PersonalDevices Final

คู่มือ การสร้างเว็บไซต์ด้วย WORDPRESS · คู่มือการสร้างเว็บไซต์ด้วย wordpress

Vigilia: Securing Smart Home Edge Computingplrg.eecs.uci.edu/wordpress/wp-content/uploads/2018/10/SEC-2018-… · Vigilia: Securing Smart Home Edge Computing Symposium on Edge Computing

2019 - Securing the Future | ManTech Securing the Future

Why We DonÕt Trust Celsius Holdings Inc. (Nasdaq: CELH

Vancouver WordPress Meetup - WordPress 101

Securing Enterprise Securing Enterprise Securing Enterprise

Securing Your WordPress Website - WordCamp Sydney 2012

| Stockton Wordpress · | Stockton Wordpress

Securing your WordPress Site Presented by Russ Sanderlin

WordPress – Un site utilisant WordPress

WordPress Custom Theme Designer, WordPress Customization, WordPress SEO

Securing small Securing small business business

Saigon Wordpress Meetup - Do Less Work By Securing Your Wordpress Site From Hacker - Thomas

Speed Up Wordpress, Wordpress Horsepower

Staying Connected: Securing Your WordPress Website

Imagining the Future ACEEE 2008.pdf · Trnsport - Physical Layers ¥DonÕt pick ÒwinnersÓ ÐBut donÕt be surprised by success of IEEE 802 ¥All buildings will have multiple wired

SECURING COMMUNICATION IN IP-CONNECTED SECURING