FRIENDS OF SEARCH: HARDENING WORDPRESS, VARIOUS TWEAKS FOR BETTER WP SECURITY
WHO HAD (TO FIX) A HACKED WORDPRESS? 92% (of ~500 sites)
WHAT REALLY MATTERS: TOP 3! IF YOU HAVE 5 MINS TO SPARE, JUST DO THESE
#1 Update your blogs regularly!
Change update behavior in wp-config.php:
  # Disables ALL core updates (be sure to REALLY know what you're doing there!):
  define('WP_AUTO_UPDATE_CORE', false);
  # Enables all core updates, minors and majors:
  define('WP_AUTO_UPDATE_CORE', true);
  # Default: enables core updates for minor releases only:
  define('WP_AUTO_UPDATE_CORE', 'minor');
Want something more fine-grained? Check the auto_update_{$type} filter (e.g. auto_update_plugin, auto_update_theme, etc.), which controls the specific update types.
#2 Get rid of stuff you don't use! Remove all inactive plug-ins as well as themes!
#3 Backup Database & Files, often!
SECURITY STARTS AT SETUP: MAKE THINGS RIGHT FROM THE BEGINNING!
#4 Set up WordPress properly
Use unique keys and salts to add random elements for encryption! Generate them at https://api.wordpress.org/secret-key/1.1/salt/
Use a cryptic table prefix so automated scripts and canned SQL injection payloads that assume the default wp_ tables miss:
  $table_prefix = 'wp_vzqcxsjv7ul_';
#5 Protect your wp-config.php
  <Files wp-config.php>
    Order deny,allow
    Deny from all
  </Files>
This needs to go into the .htaccess file in your WP root to prevent external access. Even better: move wp-config.php one directory above the web root (WordPress looks there automatically). Also chmod it 400/440.
#6 Remove the default admin
Set up a new user as admin; logout. Login w/ the new admin; delete the old one. Make sure to use a STRONG password, pleeaaasssseeee!
FileZilla stores passwords unencrypted in a well-known file. There is malware out there that looks for these straight away! Don't use the "Normal" logon type. The "Ask for password" and "Interactive" types won't save your passwords on disk. Even better: don't use FileZilla and regular FTP logins at all! NEVER EVER STORE PASSWORDS! AT LEAST: SWITCH TO SFTP & USE A PROPER CLIENT!
#7 Protect your Login (and wp-admin)
Recommended: Try the Lockdown WP Admin plug-in to protect PHP files in wp-admin as well as the login itself. Don't just put an .htaccess for basic passwd. protection. It's a lot of pain.
#9 Even better: Two-factor Verification (Google Authenticator)
Provide your login credentials and get the auth code from your mobile phone's Google Authenticator app.
Info: - Download:
#10 Block malicious URL requests
Requests like domain.com/?q=%2e%2e or domain.com/path/base64_ will return HTTP 403 (Forbidden).
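An added example, not from the slides, of the check behind a #10-style block written as a must-use plugin rather than as .htaccess rules; the helper name fos_is_malicious_request and the pattern list are my own. The request URI is URL-decoded twice before matching, so the %2e%2e case from the slide is caught alongside the literal and double-encoded forms.

```php
<?php
// Added example (not from the slides): request check behind a "#10"-style
// block, as a must-use plugin (wp-content/mu-plugins/block-requests.php).
// The helper name and pattern list are illustrative, not a vetted blocklist.

function fos_is_malicious_request( $uri ) {
    // Decode twice so %2e%2e and double-encoded %252e%252e both become "..",
    // then lowercase so BASE64_ and base64_ are treated alike.
    $decoded = strtolower( rawurldecode( rawurldecode( $uri ) ) );

    $patterns = array(
        '#(^|[/?&=])\.\.([/?&]|$)#', // directory traversal: /../ or ?q=..
        '#base64_#',                 // base64_decode() style payloads in the URL
        '#<script#',                 // reflected script tags
        '#\x00#',                    // NUL byte surviving the decode
    );
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $decoded ) ) {
            return true;
        }
    }
    return false;
}

// mu-plugins load before regular plugins, so this fires early in the request.
add_action( 'muplugins_loaded', function () {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( fos_is_malicious_request( $uri ) ) {
        status_header( 403 );   // same HTTP 403 (Forbidden) as the .htaccess variant
        nocache_headers();
        exit( 'Forbidden' );
    }
} );
```

Test it against your own permalinks and search queries first: a substring like base64_ can collide with legitimate query strings, so log what gets blocked before relying on it.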
ADDITIONAL TWEAKS: THINGS YOU COULD DO IN YOUR CONFIG AS WELL
#11 SSL Logins & Administration
  define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to true to force all logins to happen over SSL (still allows non-SSL admin sessions).
  define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow). Note: FORCE_SSL_LOGIN was deprecated in WordPress 4.0; FORCE_SSL_ADMIN is the one to set.
#12 Move the wp-content folder
  define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
WP_CONTENT_DIR points to the new full local path (no trailing slash).
  define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to the new full URI (no trailing slash either).
#13 Disable File Editing
  define('DISALLOW_FILE_EDIT', true);
Set DISALLOW_FILE_EDIT to true to disable editing files from the dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users.
#14 Fix File & Folder Permissions (e.g. with the WP-Security Scan plug-in)
Very important: chmod your wp-config.php to be read-only!
@basgr: SEO Trainings, Seminars & Strategy Consulting. Berlin-based Full-Service Performance Marketing Agency. WordPress Security, Consulting & Development. bg.vu/fos14