Wordpress Security Tim Elliott

Upload: tim-elliott

Post on 22-Oct-2014


DESCRIPTION

Presentation from my talk about securing Wordpress at the MSP Wordpress meeting on March 22, 2012.

TRANSCRIPT

Page 1: Wordpress Security

Wordpress Security

Tim Elliott

Page 3: Wordpress Security

Wordpress Vulnerabilities

• It’s Open Source

• Link Injection

• TimThumb

• Social Engineering

Page 4: Wordpress Security

The Easy Stuff

• Stay updated!

• Don’t use ‘admin’ user

• Don’t display usernames in post meta

• Change database table prefix from ‘wp_’

• Use strong passwords

Page 5: Wordpress Security

The Easy Stuff

• Verify file permissions (files=644 / dir.=755)

• Use secret keys in wp-config.php

• Remove Wordpress version number from theme header

• Run backups often (like every day)

• Secure wp-includes & wp-config.php

Page 6: Wordpress Security

.htaccess

# Protect wp-config.php
<Files wp-config.php>
  Order Allow,Deny
  Deny from all
</Files>

# Protect .htaccess
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /directory_goes_here/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /directory_goes_here/index.php [L]
</IfModule>
# END WordPress

# Block the include-only files
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Disable directory browsing
Options All -Indexes

Page 7: Wordpress Security

Helpful Plugins

• WP Security Scan

• BulletProof Security

• TimThumb Vulnerability Scanner

• WordPress File Monitor

• Login Lock

• ManageWP Worker

Page 9: Wordpress Security

The Harder Stuff

• Lock down wp-admin to specific IPs

• Add to .htaccess in wp-admin root:

• Force SSL on login (requires certificate)

• Add to wp-config.php: define('FORCE_SSL_ADMIN', true);

• Move wp-content directory

• http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content

# Lockdown wp-admin
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order Deny,Allow
Deny from all
Allow from YOUR_IP_HERE
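As an added example (not part of the talk), a small Python audit that checks the items from pages 4, 5 and 9 that can be verified mechanically: the secret keys in wp-config.php, the table prefix, FORCE_SSL_ADMIN, and file permissions (files=644 / dirs=755). The sample wp-config.php and the demo directory tree are constructed for the example; the regexes assume single-quoted PHP literals as written in the stock wp-config-sample.php.

```python
import os, re, stat, tempfile

# Constructed sample wp-config.php: key never replaced, default 'wp_' prefix kept.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""
SECRET_KEYS = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
               'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')
PLACEHOLDER = 'put your unique phrase here'
# Assumes single-quoted PHP literals, as in the stock wp-config-sample.php.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

def audit_wp_config(text):
    """Return findings for the wp-config.php checks on pages 4, 5 and 9."""
    defines = {n: (s if b == '' else b) for n, s, b in DEFINE_RE.findall(text)}
    findings = []
    for key in SECRET_KEYS:  # every key and salt must exist and be a real secret
        val = defines.get(key)
        if val is None:
            findings.append(f'{key} is not defined')
        elif val == PLACEHOLDER or len(val) < 32:
            findings.append(f'{key} is the placeholder or too short')
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == 'wp_':
        findings.append("table prefix is the default 'wp_'")
    if defines.get('FORCE_SSL_ADMIN') != 'true':
        findings.append('FORCE_SSL_ADMIN is not enabled')
    return findings

def check_permissions(root):
    """List (path, octal mode) of entries under root not matching 644/755."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, want in [(d, 0o755) for d in dirnames] + [(f, 0o644) for f in filenames]:
            mode = stat.S_IMODE(os.lstat(os.path.join(dirpath, name)).st_mode)
            if mode != want:
                bad.append((os.path.join(dirpath, name), oct(mode)))
    return bad

def make_sample_tree():
    """Constructed demo tree: 755 dir, 644 index.php, and a wp-config.php left 666."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, 'wp-includes'))
    os.chmod(os.path.join(root, 'wp-includes'), 0o755)
    for name, mode in (('index.php', 0o644), ('wp-config.php', 0o666)):
        open(os.path.join(root, name), 'w').close()
        os.chmod(os.path.join(root, name), mode)
    return root
```

Point `check_permissions` at a real document root and `audit_wp_config` at the contents of the live wp-config.php to get the same findings for a real install.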