Is your WordPress safe enough?

Uploaded by: saidmurat

Posted on 30 Oct 2014

Category: Technology

DESCRIPTION

WordPress is a 'ready-made' system that gets you online fast. But that does not make your site safe, and there are a number of steps you should take to make it considerably safer. Is your WordPress safe enough? Let's see!

TRANSCRIPT

Page 1: Is your WordPress safe enough?

IS YOUR WORDPRESS SAFE ENOUGH?

Said Murat, Warsaw/Poland

www.saidmurat.net & [email protected]

Page 2

What is WordPress?

WordPress is a free and open source blogging tool and content management system (CMS) based on PHP and MySQL. Among its features are a plug-in architecture and a template system.

It was first released on May 27, 2003, by its founders Matt Mullenweg and Mike Little.

As of April 2013, version 3.5 had been downloaded over 18 million times.

(Photo: Matt Mullenweg)

Page 3

What about the numbers?

WordPress is currently the most popular blogging system in use on the Web, powering over 60 million websites worldwide. That popularity is also the security problem: one bug in core, or in a widely used plugin, has millions of identical targets, and attackers scan for them automatically.

Page 4

Popular brands are using WordPress!

eBay Blog

Page 5

Popular brands are using WordPress!

Yahoo Blog

Page 6

Popular brands are using WordPress!

CNN Blog

Page 8

How to attack?

Brute force

In cryptography, a brute-force attack (exhaustive key search) tries every possible key and can, in theory, be used against any encrypted data.

Against a website the term means something cheaper and far more common: an attacker submits thousands of username/password guesses to the login page (for WordPress that is wp-login.php, and the XML-RPC endpoint xmlrpc.php accepts logins as well) until one is accepted. It succeeds whenever the password is in the attacker's wordlist, which is why the credential advice on the following pages matters.

Page 9

How to attack?

Brute force

Page 10

How to attack?

Any different way to attack?

Page 12

How to provide protection from attacks?

WordPress is a 'ready-made' system that gets you online fast. But that does not make your site safe, and there are a number of steps you should take to make it considerably safer.

Let's go through them step by step!

Page 13

How to provide protection from attacks?

A) MySQL database

- Do not call the database something predictable like 'mysite_database' (or 'wordpress'). A guessable name is one less thing an attacker who has found a foothold (an SQL injection in a plugin, a neighbouring account on shared hosting) has to work out.

- Do not use a password like 'abc12345'. Generate a long random one; it is only ever typed into wp-config.php.

- Do not use 'admin' (or 'root') as the database user. Create a dedicated user that has rights on the WordPress database only, and nothing on any other database.

Page 14

How to provide protection from attacks?

B) Remove the install.php file

Once the installation is finished, WordPress no longer needs wp-admin/install.php, so delete it. Two things to know before relying on that alone: an installed WordPress already refuses to run the installer (it reports that WordPress is already installed), and every core update puts the file back. If you want it gone for good, deny access to it in the web server configuration rather than deleting it by hand after each update.

Page 15

How to provide protection from attacks?

C) Admin username

Be careful when choosing the administrator's username: it cannot be changed afterwards from the dashboard. Do not use 'admin', 'administrator' or 'manager'; those are the first guesses in every wordlist. Two caveats. The username is not really a secret, because WordPress reveals it through the author archive (/?author=1 redirects to /author/<username>/) and, in current versions, through the REST API users endpoint, so an unusual name buys you less than a strong password does. And a password like the slide's example '5o12cMs' (seven characters) is far too short for that role: use a long random string or a multi-word passphrase and keep it in a password manager.
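Sections A and C both come down to the same two things: credentials nobody can guess, and a database account that can do no more than it must. The shell snippet below is an added example, not from the slides; it generates random names and passwords from /dev/urandom and prints the SQL for a dedicated MySQL user limited to one database. The privilege list is an assumption about what WordPress core and common plugins need (it deliberately leaves out FILE, SUPER and everything outside the site's own database); the wp_/wpu_/editor_ prefixes and 'localhost' are likewise assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): unguessable credentials plus a
# least-privilege MySQL user for WordPress.

# Random token from /dev/urandom: base64 alphabet without the URL- and
# shell-unfriendly characters (/ + =), cut to the requested length.
# The default of 24 characters is roughly 140 bits of entropy.
random_token() {
    len=${1:-24}
    head -c 96 /dev/urandom | base64 | tr -d '/+=\n' | cut -c 1-"$len"
}

# Lower-case identifier with a random suffix, e.g. wp_k7q2m9xa. The prefix is an
# assumption; the point is that it is not "wordpress" or "mysite_database".
wp_db_identifier() {
    printf '%s_%s\n' "${1:-wp}" "$(random_token 8 | tr 'A-Z' 'a-z')"
}

# SQL for a dedicated database and a user that can touch only that database.
# Privilege list is an assumption: what core and typical plugins need to run,
# install, upgrade and be backed up (LOCK TABLES is for mysqldump). No FILE,
# no SUPER, no rights on any other schema.
wp_db_grant_sql() {
    db=$1; dbuser=$2; dbpass=$3
    cat <<EOF
CREATE DATABASE \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$dbuser'@'localhost' IDENTIFIED BY '$dbpass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES
    ON \`$db\`.* TO '$dbuser'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Everything sections A and C ask you to choose, in one go. Paste the SQL into
# the mysql client as root, copy the DB values into wp-config.php and put the
# admin password into your password manager.
wp_new_credentials() {
    newdb=$(wp_db_identifier wp)
    newuser=$(wp_db_identifier wpu)
    newpass=$(random_token 32)
    adminuser=$(wp_db_identifier editor)   # admin login: not "admin"; still not a secret
    adminpass=$(random_token 24)
    printf '# DB_NAME=%s DB_USER=%s DB_PASSWORD=%s\n' "$newdb" "$newuser" "$newpass"
    printf '# WordPress admin login: %s  password: %s\n' "$adminuser" "$adminpass"
    wp_db_grant_sql "$newdb" "$newuser" "$newpass"
}
```

Run `wp_new_credentials` once per site. The only place the database password is ever written is wp-config.php, which is why it can be long and random; the admin password goes into a password manager for the same reason.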

Page 16

How to provide protection from attacks?

D) Hide the version of your WordPress

You know which version you run; others do not need to. Add this line to your theme's functions.php (not 'function.php'):

remove_action('wp_head', 'wp_generator');

This only removes the <meta name="generator"> tag from page headers. The version is still visible in readme.html in the site root, in the ?ver= query string WordPress appends to its own CSS and JavaScript, and in the <generator> element of the RSS feeds. Treat it as fingerprinting friction, not as protection: the real fix for a known vulnerable version is to update.
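To see how much of the version survives the remove_action() line, here is an added example (shell and awk, not from the slides) that scans a saved copy of a page or feed for the in-band leaks named above. The sample HTML and feed excerpt it ships with are constructed for the example; real pages would be fetched with curl and piped in.

```shell
#!/bin/sh
# Added example (not from the slides): find where a WordPress page still states
# its version. Reads HTML or feed XML on stdin, prints "<where>\t<version>".

wp_version_leaks() {
    awk '
    # 1. the generator meta tag that remove_action("wp_head","wp_generator") removes
    # 2. ?ver= on core assets under /wp-includes/ or /wp-admin/ (theme and plugin
    #    assets carry their own version numbers and are skipped)
    # 3. the <generator> element WordPress writes into its RSS/Atom feeds
    {
        s = $0
        while (match(s, /<meta[^>]*name="generator"[^>]*content="WordPress [0-9][0-9.]*"/)) {
            v = substr(s, RSTART, RLENGTH)
            sub(/.*content="WordPress /, "", v); sub(/"$/, "", v)
            print "generator-meta\t" v
            s = substr(s, RSTART + RLENGTH)
        }
        s = $0
        while (match(s, /wp-(includes|admin)\/[^"? ]*[?]ver=[0-9][0-9.]*/)) {
            v = substr(s, RSTART, RLENGTH)
            sub(/.*[?]ver=/, "", v)
            print "core-asset-ver\t" v
            s = substr(s, RSTART + RLENGTH)
        }
        s = $0
        while (match(s, /wordpress\.org\/[?]v=[0-9][0-9.]*/)) {
            v = substr(s, RSTART, RLENGTH)
            sub(/.*v=/, "", v)
            print "feed-generator\t" v
            s = substr(s, RSTART + RLENGTH)
        }
    }' | sort -u
}

# Constructed sample page: the meta tag, one core stylesheet, one plugin script
# (ignored: its ?ver= is the plugin version, not the WordPress version).
sample_page() {
    cat <<'EOF'
<!DOCTYPE html><html><head><meta charset="UTF-8">
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.invalid/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.invalid/wp-content/plugins/some-plugin/app.js?ver=1.2.3"></script>
</head><body><p>Hello world!</p></body></html>
EOF
}

# Constructed sample feed excerpt.
sample_feed() {
    cat <<'EOF'
<rss version="2.0"><channel><title>Example</title>
<generator>https://wordpress.org/?v=6.4.2</generator>
</channel></rss>
EOF
}

# Against a live site: curl -s https://example.invalid/ | wp_version_leaks
```

Run `sample_page | grep -v generator | wp_version_leaks` to see the point of the caveat: with the meta tag gone, the core stylesheet's ?ver=6.4.2 still gives the version away.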

Page 17

How to provide protection from attacks?

E) Permissions of your files

Some WordPress files and directories are writable by the web server out of the box, and most of them do not need to be. Anything the web server can write, an attacker who gets code execution through a vulnerable plugin (or another tenant on a badly isolated shared host) can also write, which is how backdoors end up in themes and uploads. So open your FTP or SSH client and set the permissions as follows:

(root directory) : 0755

wp-includes/ : 0755

wp-admin/ : 0755

wp-admin/js/ : 0755

wp-content/ : 0755

wp-content/themes/ : 0755

wp-content/plugins/ : 0755

wp-admin/index.php : 0644

.htaccess : 0644

wp-config.php : 0644 (the loosest acceptable value; see below)

Directories get 0755 (only the owner may write, everyone may traverse) and files 0644 (only the owner may write, everyone may read). wp-config.php contains the database password, so 0644 lets every local account on the host read it: use 0600 when PHP runs as the file's owner, or 0640 with the web server's group otherwise.
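Applied by hand in an FTP client, the table above is tedious and error-prone; the usual way is two find(1) commands. The script below is an added example, not from the slides, that applies the modes from the table, tightens wp-config.php to 0640 (an assumption: set WP_CONFIG_MODE=0600 if PHP runs as the file owner) and then reports anything still world-writable or executable. It takes the WordPress root directory as its argument.

```shell
#!/bin/sh
# Added example (not from the slides): apply the permission table to a WordPress
# tree and audit it afterwards. Argument: the WordPress root directory.

# Directories 0755, files 0644, exactly as in the table, for the whole tree.
# Files never need the execute bit: PHP is run by the web server handler, not exec()ed.
wp_set_permissions() {
    wp_root=$1
    # Assumption: the web server user is in the file owner's group. Use 0600 when
    # PHP runs as the owner itself.
    cfg_mode=${WP_CONFIG_MODE:-0640}

    find "$wp_root" -type d -exec chmod 0755 {} +
    find "$wp_root" -type f -exec chmod 0644 {} +

    # wp-config.php holds the DB password; 0644 (the table's value) lets every
    # local account on the host read it.
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod "$cfg_mode" "$wp_root/wp-config.php"
    fi
}

# Audit: list what an attacker with a shell as the web server user, or another
# tenant on shared hosting, could still modify or run. Empty output is the goal.
wp_permission_violations() {
    wp_root=$1
    {
        find "$wp_root" -perm -0002                        # world-writable file or directory
        find "$wp_root" -type f -perm -0111                # executable files
        find "$wp_root" -name wp-config.php -perm -0004    # wp-config.php readable by everyone
    } | sort -u
}

# Usage:
#   wp_permission_violations /var/www/html     # what is wrong now
#   wp_set_permissions /var/www/html           # fix it
#   wp_permission_violations /var/www/html     # should print nothing
```

Run the audit function from cron as well: the permissions drift back whenever a plugin, a theme or a careless FTP upload creates new files, and a world-writable uploads directory full of .php files is the classic symptom of a compromised site.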

Page 18

How to provide protection from attacks?

F) Where is your .htaccess file?

To harden a WordPress site on Apache you want a '.htaccess' file in the site root. WordPress writes one for its pretty permalinks (the 'redirection' rules), and you can add your own directives to it; if the file does not exist, create it. It only takes effect where the server configuration allows overrides (AllowOverride), and it does nothing on nginx.

# Do not append the Apache version to server-generated error pages.
# (The Server: header itself is controlled by ServerTokens, which can only be set in the main server configuration.)

ServerSignature Off

# Reject request bodies larger than 10240000 bytes (about 10 MB), which caps uploads.

LimitRequestBody 10240000

# .htaccess and wp-config.php must never be served over HTTP. wp-config.php is normally executed, not served, but if the PHP handler is ever misconfigured it comes back as plain text, database password included.

<FilesMatch "^(\.htaccess|wp-config\.php)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

Page 19

How to provide protection from attacks?

WP Security Scan (plugin)

A plugin that checks the installation for common mistakes, such as weak passwords and loose file permissions, lists the possible vulnerabilities it finds and suggests corrective actions. Run it after every change and after every update. Keep in mind what such a scanner can and cannot do: it finds the misconfigurations it knows about, not vulnerabilities in the plugins and themes you have installed.

Page 20

What about spam?

You will receive spam through the comments on your posts. Most of it exists to advertise the spammer's pages, but some comments carry links that send your visitors on to those pages, and an approved spam comment means content you do not control is published on your site.

Page 21

Plugins

Akismet
The standard anti-spam plugin for WordPress. It ships with WordPress and needs a registration key to activate, but it is easy to set up and provides 'set it and forget it' spam filtering for comments.

Limit Login Attempts
Protection against the brute-force attack from page 8. After a few failed logins from one address (the count and the lock-out time are configurable) WordPress makes that address wait before it may try again, which turns a wordlist run of thousands of guesses into a handful per lock-out window. Two caveats: lock-outs are keyed on the client IP, so an attacker with many addresses spreads the attempts out, and the XML-RPC endpoint (xmlrpc.php) accepts logins too, so make sure whatever you use covers it, or disable it if you do not need it.

WP Activity Monitor
You may have many administrators, moderators and editors on your WordPress site, and it is hard to keep track of what each of them does. More to the point, how would you know whether an account you do not recognise, or an attacker using someone else's account, has been active? An activity-log plugin like this records who logged in, from where, and what was changed, so that you can answer that question.
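Before installing a lock-out plugin it is worth seeing what the attack on page 8 looks like in the web server's access log, and the same query is what you would run afterwards to check that the plugin is doing its job. The shell/awk snippet below is an added example, not from the slides or from any of the plugins: it reads Apache combined-format log lines and reports any client that produced a threshold of failed logins within one minute. The log lines in it are constructed for the example; the assumption that a failed wp-login.php POST answers 200 (the form again) while a successful one answers 302 is WordPress's default behaviour.

```shell
#!/bin/sh
# Added example (not from the slides): spot wp-login.php / xmlrpc.php brute force
# in an Apache combined-format access log. Reads the log on stdin and prints
# "<ip> <day/month/year:hour:minute> <attempts>" for every client/minute pair
# at or above the threshold (first argument, default 5).

wp_login_bursts() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
    # $1 client IP, $4 "[30/Oct/2014:10:15:32", $6 "\"POST", $7 path, $9 status.
    # A failed wp-login.php POST gets the login form back with status 200; a
    # successful one is a 302 redirect into wp-admin. xmlrpc.php answers 200
    # either way, so every POST to it is counted as an attempt.
    $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == 200) || $7 ~ /^\/xmlrpc\.php/) {
        minute = substr($4, 2, 17)
        attempts[$1 SUBSEP minute]++
    }
    END {
        for (k in attempts) if (attempts[k] >= thr) {
            split(k, part, SUBSEP)
            print part[1], part[2], attempts[k]
        }
    }' | sort
}

# Constructed sample log: one scripted client hammering the login form and the
# XML-RPC endpoint, one human who mistypes once and then logs in, one reader.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [30/Oct/2014:10:15:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:06 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:07 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.4.3"
203.0.113.5 - - [30/Oct/2014:10:15:08 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.4.3"
198.51.100.7 - - [30/Oct/2014:10:15:20 +0100] "GET /wp-login.php HTTP/1.1" 200 2213 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2014:10:15:31 +0100] "POST /wp-login.php HTTP/1.1" 200 3601 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2014:10:15:45 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.invalid/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [30/Oct/2014:10:16:02 +0100] "GET /?p=12 HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
EOF
}

# Against a real log: wp_login_bursts 10 < /var/log/apache2/access.log
```

With the sample, `sample_access_log | wp_login_bursts 5` reports only the scripted client (eight attempts in one minute), while the human's single typo stays under the threshold. Once a lock-out plugin is active, the same query should never show more attempts per client and minute than the plugin's limit; if it does, the attempts are reaching the login code regardless, which is exactly the xmlrpc.php caveat above.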

Page 22

Tips

Back up your MySQL database regularly
Always back up both the site files and the database. Get into the habit of regular database dumps: export the MySQL data as a .sql file (mysqldump) and keep it somewhere that is not the web server. Test a restore now and then, because a backup you have never restored is a hope, not a backup. The dump contains every user's password hash, so protect it as carefully as wp-config.php.

Do not install every plugin you find
WordPress sites are usually compromised through plugins, not through core. Install only plugins from the official wordpress.org directory that are actively maintained, keep them updated, and delete (not just deactivate) the ones you no longer use: a deactivated plugin's files are still on disk and can still be requested directly.
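A backup routine that reads the database credentials out of wp-config.php, instead of keeping a second copy of the password in a cron script, is an added example, not from the slides. It assumes mysqldump, gzip and tar are installed and that DB_HOST in wp-config.php is a plain host name. The wp-config.php parser and the file backup are exercised against a constructed tree; the database dump itself needs a live MySQL server.

```shell
#!/bin/sh
# Added example (not from the slides): back up the WordPress database and files,
# taking the DB credentials from wp-config.php. Assumes mysqldump, gzip and tar.

# Value of define('KEY', 'value') from wp-config.php; single or double quotes.
# Prints nothing if the key is absent.
wp_config_get() {
    cfg=$1; key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1
}

# Dump the database to <dest>/<db>-<UTC stamp>.sql.gz, readable by the owner
# only: the dump holds every user's password hash and is as sensitive as
# wp-config.php. Prints the path of the file it wrote.
wp_db_backup() {
    cfg=$1; dest=$2
    db=$(wp_config_get "$cfg" DB_NAME)
    dbuser=$(wp_config_get "$cfg" DB_USER)
    dbpass=$(wp_config_get "$cfg" DB_PASSWORD)
    dbhost=$(wp_config_get "$cfg" DB_HOST)
    out="$dest/$db-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
    # MYSQL_PWD keeps the password out of the process list; -p<password> would
    # show it to every user running ps. --single-transaction gives a consistent
    # InnoDB snapshot without locking the site.
    (
        umask 077
        MYSQL_PWD="$dbpass" mysqldump --single-transaction --host="$dbhost" \
            --user="$dbuser" "$db" > "${out%.gz}" && gzip "${out%.gz}"
    ) || { rm -f "${out%.gz}"; return 1; }
    echo "$out"
}

# Files: everything under the WordPress root, same naming and permissions.
wp_files_backup() {
    wp_root=$1; dest=$2
    out="$dest/files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    ( umask 077; tar -czf "$out" -C "$wp_root" . ) || return 1
    echo "$out"
}

# Nightly, from cron, then copy both files off the web server:
#   wp_db_backup /var/www/html/wp-config.php /var/backups/wordpress
#   wp_files_backup /var/www/html /var/backups/wordpress
```

Restoring is `gunzip -c <dump> | mysql <db>` with the same credentials; do it onto a scratch database now and then, which is the only way to find out that the dump is complete before you need it.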
