SlideShare ist ein Scribd-Unternehmen logo
1 von 37
Bastian Grimm, Managing Partner - Grimm Digital
Hardening WordPress
at WP Luvfest: “Maximising WordPress for Search”
http://gdig.de/sascon13
Manchester, June 2013
About me
2
@basgr
SEO Trainings, Seminars & Strategy Consulting
WordPress Security, Consulting & Development
Berlin-based Full-Service Performance Marketing Agency
http://gdig.de/sascon13
#1 Setup WordPress properly
Use unique keys and salts to add
random elements for encryption!
https://api.wordpress.org/secret-key/1.1/salt/
Use a cryptic prefix to prevent
automated scripts and SQL injections.
$table_prefix = ‘wp_VzQCxSJv7uL_ ‘;
#2 Protect your wp-config.php
<files wp-config.php>
order deny,allow
deny from all
</files>
This needs to go into your WP roots’
.htaccess file to prevent external access
Did you know this? Even better…
move wp-config.php outside of
„www“. Also do chmod 400/440
#3 Remove the default „admin“
Setup new user as admin; logout.
Login w/ new admin; delete old one.
Make sure to use a STRONG
password, pleeaaasssseeee!
http://www.random.org/passwords/
Credits: http://bit.ly/T8wMwO
Make absolutely sure you only
use plug-ins from trusted authors!
#4 Lock-out multiple failed logins
http://wordpress.org/extend/plugins/limit-login-attempts/
Limit Login Attempts
#5 Protect your Login (and wp-admin)
Don’t just put an .htaccess
to your /wp-admin/ for
basic passwd. protection.
It’s pure “hazzle”…
Recommended: Try the “Lockdown WP
Admin” plug-in to protect PHP files in wp-
admin as well as the login itself.
http://wordpress.org/extend/plugins/lockdown-wp-admin/
Or: Lockdown using a Secret URL?
http://wordpress.org/plugins/stealth-login-page/
Stealth Login Page
#6 Even better: Two-factor Verification
Info: http://gdig.de/1t - Download: http://gdig.de/1u
#6 Even better: Two-factor Verification
http://wordpress.org/plugins/google-authenticator/
Google Authenticator
#6 Even better: Two-factor Verification
Provide your login credentials
and get auth-code from your
mobile phones‘ G-Auth-App.
#7 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
Set FORCE_SSL_LOGIN to “true” to
force all logins to happen over SSL.
(still allows non-SSL admin sessions)
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)
#8 Never EVER do this!
These sites are
more than worse…
A quick peak into some theme files…
16
LOL! „family friendly“
links – my a*s…
A quick peak into some theme files…
17
functions.php: This theme
won‘t be working without
those links…
#9 Always use TAC to do a pre-check!
http://builtbackwards.com/projects/tac/
Theme Authenticity
Checker (TAC)
It gets worse: base64 encoded footer
19
Are you really sure you want
to see that footer.php file?
Right… NICE FOOTER!
20
PLEASE… stay away
from “free” WordPress
themes – they’re not
free, really!
#10 Remove Version & Login Message
add_filter('login_errors',create_function('$a', "return null;"));
function my_remove_version() { return ''; }
add_filter('the_generator', 'my_remove_version');
Remove error message from your login-
page. You don’t want to give away if either
user and / or password was (in-) correct.
You need to do it this way since removing
“wp_generator” will NOT get rid of the
version number in your RSS feed(s).
#11 Block malicious URL requests
http://wordpress.org/plugins/block-bad-queries/
BBQ: Block Bad Queries
Or one for all: Harden your Settings
Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/
Most important: Remove version
number from ALL components &
block malicious URL requests.
#12 Update your blogs regularly!
 WP Updates Notifier to get emails
on out-dated components (core,
themes & plug-ins) for all blogs:
– http://wordpress.org/extend/plugins
/wp-updates-notifier/
 ManageWP can do one-click mass
updates (core, themes, plug-ins
again) for all your blogs:
– http://managewp.com/features
#13 Keep your installation clean
26
Remove all inactive
plug-ins as well as themes!
#14 Scan your Theme daily
http://wordpress.org/extend/plugins/antivirus/
WP AntiVirus
Or try this one to scan for Exploits
http://wordpress.org/plugins/exploit-scanner/
Exploit Scanner
Caution: Use a good portion of
common sense when reviewing!
#15 Move the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_DIR points to “new”
the full local path (no trailing slash)
WP_CONTENT_URL points to “new”
full URI (no trailing slash either)
#16 Fix File & Folder Permissions
http://wordpress.org/extend/plugins/wp-security-scan/
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
#17 Disable File Editing
define('DISALLOW_FILE_EDIT', true);
Set DISALLOW_FILE_EDIT to “true” to
disable editing files from dashboard.
By default, admins are allowed to edit PHP files. Setting
the above is equivalent to removing the
'edit_themes', 'edit_plugins' and 'edit_files' capabilities
of all users.
#18 Delete Files & Disable Listings
Delete those files manually; also get rid of
“readme.html” in your WP root.
This needs to go into your WP roots’
.htaccess file disable all directory listings.
Options -Indexes
http://httpd.apache.org/docs/2.4/mod/core.html#options
If you’d change “last
modified” to “.php.bak” this
would then… ok, enough!
#19 Backup Database & Files
BackWPup
http://wordpress.org/extend/plugins/backwpup/
13.10.2011 35
OMCap 2011 - Online Marketing Konferenz Berlin
And that’s it! …
#20 Some more WordPress Knowledge
http://gdig.de/slides
Bastian Grimm, Managing Partner - Grimm Digital
Thanks! Questions?
mail@grimm-digital.com
twitter.com/basgr
linkedin.com/in/bastiangrimm
facebook.com/grimm.digital
http://gdig.de/sascon13

Weitere ähnliche Inhalte

Was ist angesagt?

Joomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nl
Joomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nlJoomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nl
Joomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nlPhilip Locke
 
SEO Social Blog: Wordpress SEO with Joost de Valk
SEO Social Blog:  Wordpress SEO with Joost de ValkSEO Social Blog:  Wordpress SEO with Joost de Valk
SEO Social Blog: Wordpress SEO with Joost de ValkSEO Social Blog
 
Technical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionTechnical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionOtto Kekäläinen
 
Don't sh** in the Pool
Don't sh** in the PoolDon't sh** in the Pool
Don't sh** in the PoolChris Jean
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-securityDigamber Pradhan
 
Introduction to WordPress Class 4
Introduction to WordPress Class 4Introduction to WordPress Class 4
Introduction to WordPress Class 4Adrian Mikeliunas
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid ThemDaniel Kanchev
 
Introduction to WordPress Class 2
Introduction to WordPress Class 2Introduction to WordPress Class 2
Introduction to WordPress Class 2Adrian Mikeliunas
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012Angela Bowman
 
Earn $3000+ with autoblogs using free traffic
Earn $3000+ with autoblogs using free trafficEarn $3000+ with autoblogs using free traffic
Earn $3000+ with autoblogs using free trafficAdam Jacob
 
Joomla! Plugin Development
Joomla! Plugin DevelopmentJoomla! Plugin Development
Joomla! Plugin DevelopmentYireo
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 

Was ist angesagt? (20)

Joomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nl
Joomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nlJoomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nl
Joomla 3 JLayout's - Joomladay Netherlands 2014 #jd14nl
 
SEO Social Blog: Wordpress SEO with Joost de Valk
SEO Social Blog:  Wordpress SEO with Joost de ValkSEO Social Blog:  Wordpress SEO with Joost de Valk
SEO Social Blog: Wordpress SEO with Joost de Valk
 
Technical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionTechnical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 edition
 
Don't sh** in the Pool
Don't sh** in the PoolDon't sh** in the Pool
Don't sh** in the Pool
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 
WhiteHat SEO for Blog Owner
WhiteHat SEO for Blog OwnerWhiteHat SEO for Blog Owner
WhiteHat SEO for Blog Owner
 
Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-security
 
Introduction to WordPress Class 4
Introduction to WordPress Class 4Introduction to WordPress Class 4
Introduction to WordPress Class 4
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them
 
Introduction to WordPress Class 2
Introduction to WordPress Class 2Introduction to WordPress Class 2
Introduction to WordPress Class 2
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012
 
Website security
Website securityWebsite security
Website security
 
Earn $3000+ with autoblogs using free traffic
Earn $3000+ with autoblogs using free trafficEarn $3000+ with autoblogs using free traffic
Earn $3000+ with autoblogs using free traffic
 
Joomla! Plugin Development
Joomla! Plugin DevelopmentJoomla! Plugin Development
Joomla! Plugin Development
 
So i have a website now what?
So i have a website now what?So i have a website now what?
So i have a website now what?
 
WordPress Hardening
WordPress HardeningWordPress Hardening
WordPress Hardening
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
 

Ähnlich wie Hardening WordPress - SAScon Manchester 2013 (WordPress Security)

WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonBastian Grimm
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIWP Engine
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010Brad Williams
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsBastian Grimm
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press BlogChetan Gole
 
Advanced WordPress Optimization - iGaming Supershow 2012
Advanced WordPress Optimization - iGaming Supershow 2012Advanced WordPress Optimization - iGaming Supershow 2012
Advanced WordPress Optimization - iGaming Supershow 2012Bastian Grimm
 
Security, more important than ever!
Security, more important than ever!Security, more important than ever!
Security, more important than ever!Marko Heijnen
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Laskywordcampgc
 

Ähnlich wie Hardening WordPress - SAScon Manchester 2013 (WordPress Security) (20)

WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
 
Advanced WordPress Optimization - iGaming Supershow 2012
Advanced WordPress Optimization - iGaming Supershow 2012Advanced WordPress Optimization - iGaming Supershow 2012
Advanced WordPress Optimization - iGaming Supershow 2012
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
Security, more important than ever!
Security, more important than ever!Security, more important than ever!
Security, more important than ever!
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
 

Mehr von Bastian Grimm

Migration Best Practices - Peak Ace on Air
Migration Best Practices - Peak Ace on AirMigration Best Practices - Peak Ace on Air
Migration Best Practices - Peak Ace on AirBastian Grimm
 
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secretsSEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secretsBastian Grimm
 
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AGTechnical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AGBastian Grimm
 
Advanced data-driven technical SEO - SMX London 2019
Advanced data-driven technical SEO - SMX London 2019Advanced data-driven technical SEO - SMX London 2019
Advanced data-driven technical SEO - SMX London 2019Bastian Grimm
 
Migration Best Practices - SMX West 2019
Migration Best Practices - SMX West 2019Migration Best Practices - SMX West 2019
Migration Best Practices - SMX West 2019Bastian Grimm
 
Migration Best Practices - Search Y 2019, Paris
Migration Best Practices - Search Y 2019, ParisMigration Best Practices - Search Y 2019, Paris
Migration Best Practices - Search Y 2019, ParisBastian Grimm
 
Migration Best Practices - SEOkomm 2018
Migration Best Practices - SEOkomm 2018Migration Best Practices - SEOkomm 2018
Migration Best Practices - SEOkomm 2018Bastian Grimm
 
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018Bastian Grimm
 
The need for Speed: Advanced #webperf - SEOday 2018
The need for Speed: Advanced #webperf - SEOday 2018The need for Speed: Advanced #webperf - SEOday 2018
The need for Speed: Advanced #webperf - SEOday 2018Bastian Grimm
 
OK Google, Whats next? - OMT Wiesbaden 2018
OK Google, Whats next? - OMT Wiesbaden 2018OK Google, Whats next? - OMT Wiesbaden 2018
OK Google, Whats next? - OMT Wiesbaden 2018Bastian Grimm
 
Super speed around the globe - SearchLeeds 2018
Super speed around the globe - SearchLeeds 2018Super speed around the globe - SearchLeeds 2018
Super speed around the globe - SearchLeeds 2018Bastian Grimm
 
Migration Best Practices - SMX London 2018
Migration Best Practices - SMX London 2018Migration Best Practices - SMX London 2018
Migration Best Practices - SMX London 2018Bastian Grimm
 
Welcome to a new reality - DeepCrawl Webinar 2018
Welcome to a new reality - DeepCrawl Webinar 2018Welcome to a new reality - DeepCrawl Webinar 2018
Welcome to a new reality - DeepCrawl Webinar 2018Bastian Grimm
 
Web Performance Madness - brightonSEO 2018
Web Performance Madness - brightonSEO 2018Web Performance Madness - brightonSEO 2018
Web Performance Madness - brightonSEO 2018Bastian Grimm
 
Digitale Assistenzsysteme - SMX München 2018
Digitale Assistenzsysteme - SMX München 2018Digitale Assistenzsysteme - SMX München 2018
Digitale Assistenzsysteme - SMX München 2018Bastian Grimm
 
AMP - SMX München 2018
AMP - SMX München 2018AMP - SMX München 2018
AMP - SMX München 2018Bastian Grimm
 
How fast is fast enough - SMX West 2018
How fast is fast enough - SMX West 2018How fast is fast enough - SMX West 2018
How fast is fast enough - SMX West 2018Bastian Grimm
 
Whats Next in SEO & CRO - 3XE Conference 2018 Dublin
Whats Next in SEO & CRO - 3XE Conference 2018 DublinWhats Next in SEO & CRO - 3XE Conference 2018 Dublin
Whats Next in SEO & CRO - 3XE Conference 2018 DublinBastian Grimm
 
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017Bastian Grimm
 
Digitale Assistenten - OMX 2017
Digitale Assistenten - OMX 2017Digitale Assistenten - OMX 2017
Digitale Assistenten - OMX 2017Bastian Grimm
 

Mehr von Bastian Grimm (20)

Migration Best Practices - Peak Ace on Air
Migration Best Practices - Peak Ace on AirMigration Best Practices - Peak Ace on Air
Migration Best Practices - Peak Ace on Air
 
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secretsSEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
 
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AGTechnical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
 
Advanced data-driven technical SEO - SMX London 2019
Advanced data-driven technical SEO - SMX London 2019Advanced data-driven technical SEO - SMX London 2019
Advanced data-driven technical SEO - SMX London 2019
 
Migration Best Practices - SMX West 2019
Migration Best Practices - SMX West 2019Migration Best Practices - SMX West 2019
Migration Best Practices - SMX West 2019
 
Migration Best Practices - Search Y 2019, Paris
Migration Best Practices - Search Y 2019, ParisMigration Best Practices - Search Y 2019, Paris
Migration Best Practices - Search Y 2019, Paris
 
Migration Best Practices - SEOkomm 2018
Migration Best Practices - SEOkomm 2018Migration Best Practices - SEOkomm 2018
Migration Best Practices - SEOkomm 2018
 
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
 
The need for Speed: Advanced #webperf - SEOday 2018
The need for Speed: Advanced #webperf - SEOday 2018The need for Speed: Advanced #webperf - SEOday 2018
The need for Speed: Advanced #webperf - SEOday 2018
 
OK Google, Whats next? - OMT Wiesbaden 2018
OK Google, Whats next? - OMT Wiesbaden 2018OK Google, Whats next? - OMT Wiesbaden 2018
OK Google, Whats next? - OMT Wiesbaden 2018
 
Super speed around the globe - SearchLeeds 2018
Super speed around the globe - SearchLeeds 2018Super speed around the globe - SearchLeeds 2018
Super speed around the globe - SearchLeeds 2018
 
Migration Best Practices - SMX London 2018
Migration Best Practices - SMX London 2018Migration Best Practices - SMX London 2018
Migration Best Practices - SMX London 2018
 
Welcome to a new reality - DeepCrawl Webinar 2018
Welcome to a new reality - DeepCrawl Webinar 2018Welcome to a new reality - DeepCrawl Webinar 2018
Welcome to a new reality - DeepCrawl Webinar 2018
 
Web Performance Madness - brightonSEO 2018
Web Performance Madness - brightonSEO 2018Web Performance Madness - brightonSEO 2018
Web Performance Madness - brightonSEO 2018
 
Digitale Assistenzsysteme - SMX München 2018
Digitale Assistenzsysteme - SMX München 2018Digitale Assistenzsysteme - SMX München 2018
Digitale Assistenzsysteme - SMX München 2018
 
AMP - SMX München 2018
AMP - SMX München 2018AMP - SMX München 2018
AMP - SMX München 2018
 
How fast is fast enough - SMX West 2018
How fast is fast enough - SMX West 2018How fast is fast enough - SMX West 2018
How fast is fast enough - SMX West 2018
 
Whats Next in SEO & CRO - 3XE Conference 2018 Dublin
Whats Next in SEO & CRO - 3XE Conference 2018 DublinWhats Next in SEO & CRO - 3XE Conference 2018 Dublin
Whats Next in SEO & CRO - 3XE Conference 2018 Dublin
 
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
 
Digitale Assistenten - OMX 2017
Digitale Assistenten - OMX 2017Digitale Assistenten - OMX 2017
Digitale Assistenten - OMX 2017
 

Kürzlich hochgeladen

Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 

Kürzlich hochgeladen (20)

Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 

Hardening WordPress - SAScon Manchester 2013 (WordPress Security)

  • 1. Bastian Grimm, Managing Partner - Grimm Digital Hardening WordPress at WP Luvfest: “Maximising WordPress for Search” http://gdig.de/sascon13 Manchester, June 2013
  • 2. About me 2 @basgr SEO Trainings, Seminars & Strategy Consulting WordPress Security, Consulting & Development Berlin-based Full-Service Performance Marketing Agency
  • 4. #1 Setup WordPress properly Use unique keys and salts to add random elements for encryption! https://api.wordpress.org/secret-key/1.1/salt/ Use a cryptic prefix to prevent automated scripts and SQL injections. $table_prefix = ‘wp_VzQCxSJv7uL_ ‘;
  • 5. #2 Protect your wp-config.php <files wp-config.php> order deny,allow deny from all </files> This needs to go into your WP roots’ .htaccess file to prevent external access Did you know this? Even better… move wp-config.php outside of „www“. Also do chmod 400/440
  • 6. #3 Remove the default „admin“ Setup new user as admin; logout. Login w/ new admin; delete old one. Make sure to use a STRONG password, pleeaaasssseeee! http://www.random.org/passwords/
  • 7. Credits: http://bit.ly/T8wMwO Make absolutely sure you only use plug-ins from trusted authors!
  • 8. #4 Lock-out multiple failed logins http://wordpress.org/extend/plugins/limit-login-attempts/ Limit Login Attempts
  • 9. #5 Protect your Login (and wp-admin) Don’t just put an .htaccess to your /wp-admin/ for basic passwd. protection. It’s pure “hazzle”… Recommended: Try the “Lockdown WP Admin” plug-in to protect PHP files in wp- admin as well as the login itself. http://wordpress.org/extend/plugins/lockdown-wp-admin/
  • 10. Or: Lockdown using a Secret URL? http://wordpress.org/plugins/stealth-login-page/ Stealth Login Page
  • 11. #6 Even better: Two-factor Verification Info: http://gdig.de/1t - Download: http://gdig.de/1u
  • 12. #6 Even better: Two-factor Verification http://wordpress.org/plugins/google-authenticator/ Google Authenticator
  • 13. #6 Even better: Two-factor Verification Provide your login credentials and get auth-code from your mobile phones‘ G-Auth-App.
  • 14. #7 SSL Logins & Administration define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true); Set FORCE_SSL_LOGIN to “true” to force all logins to happen over SSL. (still allows non-SSL admin sessions) Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow…)
  • 15. #8 Never EVER do this! These sites are more than worse…
  • 16. A quick peak into some theme files… 16 LOL! „family friendly“ links – my a*s…
  • 17. A quick peak into some theme files… 17 functions.php: This theme won‘t be working without those links…
  • 18. #9 Always use TAC to do a pre-check! http://builtbackwards.com/projects/tac/ Theme Authenticity Checker (TAC)
  • 19. It gets worse: base64 encoded footer 19 Are you really sure you want to see that footer.php file?
  • 21. PLEASE… stay away from “free” WordPress themes – they’re not free, really!
  • 22. #10 Remove Version & Login Message add_filter('login_errors',create_function('$a', "return null;")); function my_remove_version() { return ''; } add_filter('the_generator', 'my_remove_version'); Remove error message from your login- page. You don’t want to give away if either user and / or password was (in-) correct. You need to do it this way since removing “wp_generator” will NOT get rid of the version number in your RSS feed(s).
  • 23. #11 Block malicious URL requests http://wordpress.org/plugins/block-bad-queries/ BBQ: Block Bad Queries
  • 24. Or one for all: Harden your Settings Secure WordPress http://wordpress.org/extend/plugins/secure-wordpress/ Most important: Remove version number from ALL components & block malicious URL requests.
  • 25. #12 Update your blogs regularly!  WP Updates Notifier to get emails on out-dated components (core, themes & plug-ins) for all blogs: – http://wordpress.org/extend/plugins /wp-updates-notifier/  ManageWP can do one-click mass updates (core, themes, plug-ins again) for all your blogs: – http://managewp.com/features
  • 26. #13 Keep your installation clean 26 Remove all inactive plug-ins as well as themes!
  • 27. #14 Scan your Theme daily http://wordpress.org/extend/plugins/antivirus/ WP AntiVirus
  • 28. Or try this one to scan for Exploits http://wordpress.org/plugins/exploit-scanner/ Exploit Scanner Caution: Use a good portion of common sense when reviewing!
  • 29. #15 Move the “wp-content” folder define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content'); define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content'); WP_CONTENT_DIR points to “new” the full local path (no trailing slash) WP_CONTENT_URL points to “new” full URI (no trailing slash either)
  • 30. #16 Fix File & Folder Permissions http://wordpress.org/extend/plugins/wp-security-scan/ WP-Security Scan Very important: chmod your wp-config.php to be read-only!
  • 31. #17 Disable File Editing define('DISALLOW_FILE_EDIT', true); Set DISALLOW_FILE_EDIT to “true” to disable editing files from dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users.
  • 32. #18 Delete Files & Disable Listings Delete those files manually; also get rid of “readme.html” in your WP root. This needs to go into your WP roots’ .htaccess file disable all directory listings. Options -Indexes http://httpd.apache.org/docs/2.4/mod/core.html#options
  • 33. If you’d change “last modified” to “.php.bak” this would then… ok, enough!
  • 34. #19 Backup Database & Files BackWPup http://wordpress.org/extend/plugins/backwpup/
  • 35. 13.10.2011 35 OMCap 2011 - Online Marketing Konferenz Berlin And that’s it! …
  • 36. #20 Some more WordPress Knowledge http://gdig.de/slides
  • 37. Bastian Grimm, Managing Partner - Grimm Digital Thanks! Questions? mail@grimm-digital.com twitter.com/basgr linkedin.com/in/bastiangrimm facebook.com/grimm.digital http://gdig.de/sascon13