WordPress Security (slide deck, 41 pages)
Uploaded by Bikash Moktan
WordPress Security
Micah Wood
wpscholar.com
@wpscholar
Why security is important
● Protects your information
● Protects your clients
● Protects your reputation
● Protects your rankings
5 Common Attacks
Brute Force Attacks
Attackers attempt an enormous number of password combinations until the correct one is found.
SQL Injection
Attackers use any user input section of your site, such as a contact form, to attempt to run queries or statements to manipulate your database. To work, this requires that data input into these fields is not properly sanitized.
Cross Site Scripting
Attackers inject malicious executable scripts into the code of a trusted website that allows them to steal data or a user’s active session.
DDoS Attacks
Distributed Denial of Service attacks occur when a web server is bombarded with such a large number of requests that it eventually crashes.
Malware
Attackers create malicious software and install it on your website. Commonly used to redirect users, inject spam content, blacklist a site from search, or hide backdoors.
How Sites are Hacked
● 51% of all hacks are due to outdated WordPress sites
  ○ 92.81% from an insecure plugin
  ○ 6.61% from an insecure theme
  ○ 0.58% from an insecure version of WordPress core
● 41% of attacks are caused by a vulnerability on the web host
● 8% due to weak passwords
Most hacking attempts are automated.
Mitigation Strategies
Backups are critical
If a site is hacked, a clean backup of the site means
you can restore the site quickly and won’t lose data.
Mitigating Brute Force Attacks
Limit login attempts
Plugins like Limit Login Attempts Reloaded will
reduce the number of attempts and significantly
increase the time it takes to guess a password.
Move the WP login
Plugins like Change wp-admin login can obscure
the WP login.
Use a password manager
Tools like LastPass and 1Password make it easy to
use long and complicated passwords.
Disable XML-RPC
Nobody really uses XML-RPC anymore and it
makes it easier for someone to run a brute force
attack.
Enable 2FA for admins
Use strong passwords, but don’t assume they are
strong enough. Two-factor authentication will
prevent logins even if a password is guessed.
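Turning off XML-RPC in code, as an added example that is not part of the original deck. It is written as a must-use plugin (drop the file into wp-content/mu-plugins/) and uses only core WordPress filters; it assumes nothing on the site, such as the mobile app or Jetpack, still needs the endpoint.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardening example, not from the deck)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 */

// The xmlrpc_enabled filter only disables the methods that require
// authentication (the ones a credential-guessing script calls), so the
// unauthenticated methods would otherwise remain reachable.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Empty the method table entirely, which also removes pingback.ping,
// an unauthenticated method that is abused for reflection traffic.
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Finally, answer direct hits on xmlrpc.php with 403 instead of a fault
// document. xmlrpc.php defines XMLRPC_REQUEST before WordPress loads,
// so the constant is already set by the time 'init' fires.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit;
    }
} );
```

Check the result with `curl -s -o /dev/null -w '%{http_code}' https://example.com/xmlrpc.php` (assumed hostname), which should print 403.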
Mitigating DDoS Attacks
Use a WAF
A Web Application Firewall can help detect bad actors and stop them before they can do damage. Plugins like WordFence and Sucuri and/or services like CloudFlare are great options.
Mitigating Other Attacks
Keep up with updates
Updating WordPress, plugins, and themes can
mitigate a significant number of potential attacks.
Use reputable plugins
Do your research and make sure the plugins you
use are regularly maintained and downloaded
from a reputable source.
Remove inactive plugins & themes
Even if a plugin is inactive, it can still be a
security risk. Specifically, premium plugins that
are inactive won’t be able to check for updates.
Keep licenses updated
Premium themes & plugins that don’t have a valid
license won’t be able to check for updates.
Use a WordPress Host
Do your research and find a WordPress-specific
web host with good security practices.
Keep PHP up-to-date
PHP is the main programming language that
WordPress uses. If it is out of date, it could put
your site(s) at risk. Plus, updating usually
provides a performance boost.
Use SSL
Advanced Mitigation Strategies
File Permissions
Ensure that WordPress has the proper file
permissions. Loose permissions can give
outsiders access to change files!
Disable PHP Execution
WordPress doesn’t need to run PHP files stored in
your uploads directory.
Disable File Editing
Setting the `DISALLOW_FILE_EDIT` constant in
WordPress will turn off the ability to edit theme
and plugin files from the WordPress admin.
Protect usernames
Don’t use “admin” as your username. Make sure
your site shows display names, not usernames.
Protect the WordPress users REST endpoint to
further obscure usernames.
MySQL table prefix
By default, WordPress uses `wp_` as the table
prefix. This makes table names predictable and
SQL injection attacks more successful. Using a
unique table prefix can help mitigate this.
Move the wp-config.php file
Moving this file up a directory means it is not
accessible on the web like other files.
Remove WP version
By default, WordPress outputs hidden markup
advertising what version of WP you are running.
Removing this makes it difficult for hackers to
know what version of WP is running.
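The three code-level items above (disable file editing, protect the users REST endpoint, remove the WP version) collected into one must-use plugin, as an added example that is not from the original deck. It uses only core WordPress constants and filters; the assumption is that no anonymous client of the site legitimately needs `/wp/v2/users`.

```php
<?php
/**
 * Plugin Name: WP hardening bits (example, not from the deck)
 * Save as wp-content/mu-plugins/hardening.php.
 */

// Disable the theme/plugin editor in wp-admin. This constant normally
// lives in wp-config.php; the guard lets an existing definition win.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Remove the <meta name="generator"> tag from <head> and the generator
// element from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// The version also leaks as ?ver=6.x on core script and style URLs.
// Only strip it when it equals the core version, so plugin assets keep
// their own cache-busting parameter.
foreach ( array( 'script_loader_src', 'style_loader_src' ) as $hook ) {
    add_filter( $hook, function ( $src ) {
        if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    } );
}

// Hide the users endpoint from anonymous REST callers. Logged-in users
// keep it, because the editor's author dropdown depends on it.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

After activating, an anonymous request to `/wp-json/wp/v2/users` returns a `rest_no_route` error instead of a list of usernames.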
Sanitize, Validate, & Escape
Sanitize and/or validate input and escape output
in any code you write. Make sure the plugins and
themes you use do the same.
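A contact-form handler that sanitizes input, validates it, parameterises the SQL, and escapes output, as an added example that is not from the original deck; it also illustrates the fix for the SQL injection scenario described earlier. Assumed names: form fields `cf_name`, `cf_email`, `cf_message`, a nonce field `cf_nonce`, and a custom table `{$wpdb->prefix}contact_messages` created elsewhere.

```php
<?php
/**
 * Added example (not from the deck): a form handler done the WordPress way.
 * The form posts to admin-post.php with action=cf_submit.
 */

add_action( 'admin_post_nopriv_cf_submit', 'cf_handle_submission' );
add_action( 'admin_post_cf_submit', 'cf_handle_submission' );

function cf_handle_submission() {
    // 1. Verify the nonce before looking at any other input.
    if ( ! isset( $_POST['cf_nonce'] ) || ! wp_verify_nonce( $_POST['cf_nonce'], 'cf_submit' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Sanitize: strip tags and stray bytes so only plain text is kept.
    $name    = sanitize_text_field( wp_unslash( $_POST['cf_name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['cf_email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['cf_message'] ?? '' ) );

    // 3. Validate: sanitized is not the same as acceptable.
    if ( '' === $name || ! is_email( $email ) || strlen( $message ) > 5000 ) {
        wp_die( 'Please check the form fields.', '', array( 'response' => 400 ) );
    }

    // 4. Never interpolate input into SQL: $wpdb->prepare() handles quoting.
    //    The table prefix is trusted configuration, not user input.
    global $wpdb;
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}contact_messages (name, email, message) VALUES (%s, %s, %s)",
        $name, $email, $message
    ) );

    wp_safe_redirect( add_query_arg( 'cf', 'sent', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}

// 5. Escape on output, for the context the value lands in: stored data is
//    still untrusted when it is rendered into HTML.
function cf_render_thanks( $name ) {
    return '<p>Thanks, ' . esc_html( $name ) . '. We will reply to your message.</p>';
}
```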
Follow standards
Themes can be checked using the Theme Check
plugin. Leverage the WordPress coding standards.
Audit Trails
Plugins like Stream, Simple History, or WP Activity Log
allow you to see who is accessing the site and what
they are doing.
Resources
● WordFence
● Sucuri
● iThemes Security Pro
● Limit Login Attempts Reloaded
● UpdraftPlus Backups
● 2-Factor Auth by miniOrange
● Two Factor Authentication
● Change wp-admin login
● Theme Check
● Stream
● Simple History
● WP Activity Log
● Login No Captcha reCAPTCHA
● LastPass
● 1Password
● Recommended WP Hosts
● WordPress Coding Standards
● Why No Padlock?
● CloudFlare