wordpress security - ওয়ার্ডপ্রেসের সিকিউরিটি
TRANSCRIPT
. 3
. 4
।
% % ! । ।
।
,
,
,
?
,
, ,
www.facebook.com/mfshahi
. 5
WP Security Scan
Backup Now
http://www.websitedefender.com/news/free-wordpress-security-scan-plugin/
BackUpWordPress - http://wordpress.org/extend/plugins/backupwordpress/
Backup to Dropbox - http://wordpress.org/extend/plugins/wp-db-backup/
BP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
Goole Drive for WordPress - http://wordpress.org/extend/plugins/wp-google-drive/
. 6
,
. 7
SQL
, ,
. 8
. 10
, !!
??
mediafire, google drive, copy, sky drive, box, dropbox
।
।
. 11
,
। wp-content
phpmyadmin
।
. 12
। ( )
।
. 13
wp-config.php
।
, ,
, ,
wp-content
wp_options
।
. 14
*
“Please update now”
. 16
admin
admin
admin
- http://wordpress.org/extend/plugins/admin-username-changer/
Myn4m3
Contributor ( )
. 17
wp_
!
. 18
WP
Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
. 19
Wp-Config .htaccess
wp-config.php
wp-config .htaccess
wp-config .htaccess .htaccess
.htaccess
# PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
# PROTECT .htaccess
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
.htaccess , Wp-Config
.htaccess
. 20
https://api.wordpress.org/secret-key/1.1/salt/
, wp-config.php
Wp-config.php
. 21
http://yoursite.com/wp-content/uploads
,
.htaccess
# disable directory browsing
Options All –Indexes
. 22
Index
Manager No Indexing
. 23
?functions.php
// remove version number from head & feeds
function disable_version() { return ''; } add_filter('the_generator','disable_version'); remove_action('wp_head', 'wp_generator');
. 24
?
,
,
?
.htaccess
# HOTLINK PROTECTION - by BDTechZone LLC
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?bdtechzone\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
bdtechzone ,
amarspot.com
amarspot .htaccess ,
. 25
HotLink Protection
.htaccess
. 26
?
.htaccess
# BLOCK NO-REFERRER SPAM - by BDTechZone <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_REFERER} !.*bdtechzone.com.* [NC] RewriteCond %{REQUEST_URI} /wp\-comments\-post\.php [NC] RewriteRule .* - [F,NC,L] </IfModule>
. 27
bdtechzone.com ,
।
botsvsbrowsers.com
http://www.yourdomain.com/wp-comments-post.php
http://www.botsvsbrowsers.com/SimulateUserAgent.asp
।
. 28
? .htaccess
# BLOCK BAD BOTS
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ̂ $ keep_out
SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder) keep_out
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</Limit>
</IfModule>
. 29
.htaccess
।
. 30
,
. .htaccess
# 5G FIREWALL
# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} echo.*kae [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} \=\\%27$ [NC,OR]
RewriteCond %{QUERY_STRING} \=\\\'$ [NC,OR]
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} \: [NC,OR]
RewriteCond %{QUERY_STRING} \[ [NC,OR]
RewriteCond %{QUERY_STRING} \] [NC]
RewriteRule .* - [F]
</IfModule>
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
. 31
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</Limit>
</IfModule>
# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(cgi|https?|ima|ucp)/
RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
. 32
RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
</IfModule>
# 5G:[BAD IPS]
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 184.56.246.23
Deny from 195.10.218.132
Deny from 208.91.57.65
Deny from 209.190.3.218
Deny from 64.15.156.15
Deny from 86.175.86.170
Deny from 91.121.
Deny from 41.206.13.3
Deny from 207.177.225.66
Deny from 137.82.182.121
Deny from 79.125.81.232
Deny from 24.66.27.191
Deny from 216.40.231.210
Deny from 151.42.146.98
Deny from 77.191.130.244
Deny from 115.79.13.174
Deny from 84.189.184.170
</Limit>
. 34
। .htaccess
.htaccess
# BLOCK PROXY VISITS
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F]
</IfModule>
. 35
header.php
<?php if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1)) die("Proxy access
not allowed"); ?>
header.php
inCloak
Proxy access not allowed ।
https://incloak.com
. 36
SQL injection
SQL injection.
SQL injection
SQL injection
.htaccess
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
.htaccess
, SQL injection , ।
. 38
wordpress.org
http://wordpress.org/extend/themes/
http://wordpress.org/extend/plugins/
http://wordpress.org/extend/plugins/tac/
. 39
?p=123
post name
. 40
।
ThreeWP Activity Monitor
।
http://wordpress.org/extend/plugins/threewp-activity-monitor/
Dashboard Activity Monitor ।
।
. 41
।
functions.php
?> । add_filter('login_errors',create_function('$a', "return null;"));
functions.php
।
. 43
wp-config.php ,
। define('DISALLOW_FILE_EDIT', true);
. 44
,
,
, ।
1. AntiVirus 2. Sucuri Security
3. Limit Login Attempts
4. WP-DB-Backup
5. ThreeWP Activity Monitor
6. AskApache Password Protect
7. Wordfence Security 8. Better WP Security
9. WP Security Scan
10. Bad Behavior
11. Block Bad Queries
12. Exploit Scanner
13. BulletProof Security
14. WordPress Firewall 2
15. WordPress File Monitor Plus
. 45
, . ।
www.bdtechzone.com/wp-security
,
www.bdtechzone.com/wp-tutorial
www.bdtechzone.com/tutorial/1143
www.bdtechzone.com/tutorial/782
,