Is your Wordpress safe enough?

IS YOUR WORDPRESS SAFE ENOUGH?

Said Murat, Warsaw/Poland

www.saidmurat.net & info@saidmurat.net

What is Wordpress?

WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL. It has many features including a plug-in architecture and a template system.

It was first released on May 27, 2003, by founders Matt Mullenweg and Mike Little.

As of April 2013, version 3.5 had been downloaded over 18 million times.

Matt Mullenweg

What about the numbers?

WordPress is currently the most popular blogging system in use on the Web, powering over 60 million websites worldwide.

Popular brands are using Wordpress!

- Ebay Blog
- Yahoo Blog
- CNN Blog

How to attack?

Brute Force

In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data.

Against a login page, a brute-force attack is an attempt to log into an account by systematically trying thousands of passwords.

Any different way to attack?

How to provide protection from attacks?

Wordpress is a ‘ready’ system, so you can be online very fast. But that does not mean your portal is safe enough. That is why there are many steps you should take to make your portal much safer.

Let’s go on, step by step!

A) MySQL Database

- Do not name the database ‘mysite_database’; a guessable name makes it easier to reach your database.
- Do not use ‘abc12345’ as the password.
- Do not use ‘Admin’ as the username.

B) Remove the ‘install.php’ file

After you have finished the installation, remove the ‘install.php’ file (in WordPress it lives at wp-admin/install.php).

C) Admin username

You HAVE TO be careful when choosing your admin’s username.

- Do not use ‘admin’, ‘administrator’ or ‘manager’.
- Your password should also mix upper- and lower-case letters with digits, like ‘5o12cMs’.

D) Hide the version of your Wordpress

You know the version of your Wordpress, but others don’t have to know it, right? Open your theme’s ‘functions.php’ and add this line:

remove_action('wp_head', 'wp_generator');
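The slide shows only the head tag. As an added example (not from the slides), the snippet below puts that line into a functions.php-style file and, as a generalisation, also removes the version from the places WordPress prints it besides the HTML head: the feed generator element and the ?ver= query string on scripts and stylesheets. The smh_ prefix is an arbitrary name chosen for this example; the hooks used (wp_head/wp_generator, the_generator, style_loader_src, script_loader_src, remove_query_arg) are WordPress's own.

```php
<?php
/**
 * Added example (not from the slides): hide the WordPress version.
 * Put this in the active theme's functions.php or in a small plugin.
 * The slide's own line is step 1; steps 2 and 3 generalise it.
 */

// 1. The <meta name="generator"> tag in the HTML head (the slide's line).
remove_action('wp_head', 'wp_generator');

// 2. RSS/Atom feeds carry a <generator> element built by the same function;
//    the_generator is the filter WordPress runs on that output.
add_filter('the_generator', '__return_empty_string');

// 3. Enqueued styles and scripts get "?ver=<WordPress version>" appended
//    unless the theme set its own version; strip the argument.
function smh_strip_version_query($src) {  // "smh_" prefix is an example name
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'smh_strip_version_query', 9999);
add_filter('script_loader_src', 'smh_strip_version_query', 9999);
```

Two things the hooks cannot cover: the readme.html file in the web root also states the version, so delete it or block it in the web server, and hiding the version only slows down a scanner, it does not fix anything. Keeping WordPress, themes and plugins updated is what actually removes the weaknesses a version number would reveal.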

E) Permissions of your files

Some of Wordpress’s files are writable ‘by default’, but there is no need for that: spam bots may try to reach your files unexpectedly. So connect over FTP and change the ‘permissions of your files’ as follows:

(root directory) : 0755
wp-includes/ : 0755
wp-admin/ : 0755
wp-admin/js/ : 0755
wp-content/ : 0755
wp-content/themes/ : 0755
wp-content/plugins/ : 0755
wp-admin/index.php : 0644
.htaccess : 0644
wp-config.php : 0644
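Clicking through each entry in an FTP client is error-prone. As an added example (not from the slides), the command-line PHP script below applies the table above to an install, generalises it to the rule the table follows (every directory 0755, every file 0644), and then reports anything that is still world-writable, which is the check to run afterwards. The file name wp-perms.php and the path argument are assumptions; it uses only PHP's standard SPL iterators and chmod().

```php
<?php
/**
 * Added example (not from the slides): apply the permission table above
 * to a WordPress tree and report anything still writable by "others".
 * Usage (assumed file name): php wp-perms.php /path/to/wordpress
 */

// The slide's exact entries: relative path => mode ('' is the root directory).
const SLIDE_MODES = [
    ''                   => 0755,
    'wp-includes'        => 0755,
    'wp-admin'           => 0755,
    'wp-admin/js'        => 0755,
    'wp-content'         => 0755,
    'wp-content/themes'  => 0755,
    'wp-content/plugins' => 0755,
    'wp-admin/index.php' => 0644,
    '.htaccess'          => 0644,
    'wp-config.php'      => 0644,
];

function tree(string $root): RecursiveIteratorIterator {
    return new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
}

// Generalisation of the table: directories 0755, regular files 0644.
function apply_default_modes(string $root): void {
    foreach (tree($root) as $info) {
        chmod($info->getPathname(), $info->isDir() ? 0755 : 0644);
    }
}

// The slide's entries, applied explicitly (also covers the root itself).
function apply_slide_modes(string $root): void {
    foreach (SLIDE_MODES as $rel => $mode) {
        $path = $rel === '' ? $root : "$root/$rel";
        if (file_exists($path) && !chmod($path, $mode)) {
            fwrite(STDERR, "chmod failed: $path\n");
        }
    }
}

// The check: paths whose mode still has the "others can write" bit set.
function world_writable(string $root): array {
    $bad = [];
    foreach (tree($root) as $info) {
        if ($info->getPerms() & 0002) {
            $bad[] = $info->getPathname();
        }
    }
    return $bad;
}

$root = rtrim($argv[1] ?? '.', '/');
apply_default_modes($root);
apply_slide_modes($root);
foreach (world_writable($root) as $p) {
    echo "still world-writable: $p\n";
}
echo "done\n";
```

The script keeps the slide's 0644 for wp-config.php. Many hardening guides go one step further and use 0640 or 0600 there, because that file holds the database credentials and nothing but the web server process needs to read it; whether that works depends on which user PHP runs as on your host, so check before tightening it.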

F) Where is your .htaccess file?

To have a safe Wordpress system, you really need a ‘.htaccess’ file. By default the .htaccess file contains ‘redirection’ rules, but you can extend it and make your Wordpress safer. If you do not have this file, just create it!

# Hide signature of your Server!
ServerSignature Off

# Limit of the file you upload will be max 10MB.
LimitRequestBody 10240000

# Your files will not be ‘reachable’ by others.
<files .htaccess>
order allow,deny
deny from all
</files>

Note that the last block protects the .htaccess file itself from being fetched over the web; ‘order’ and ‘deny from’ are Apache 2.2 syntax, and on Apache 2.4 and later the equivalent inside the <files> block is a single ‘Require all denied’ line.

WP-Security Scan (Plugin)

This is one of the most useful plugins and should be run regularly by every WordPress blogger. It checks for common security loopholes in a few seconds, prepares a list of possible weaknesses such as file permissions or passwords, and offers suggestions for corrective actions.

What about SPAM?

You might get spam via the comments on your posts. Spammers try to get published on your pages to advertise their own pages, and sometimes their comments carry links that redirect your members to those pages automatically.

Plugins

Akismet: the best anti-spam plugin for WordPress. Bundled with WordPress, Akismet requires a registration key, but it is easy to set up and provides excellent “set-it-and-forget-it” spam protection.

Limit Login Attempts: the best anti-login-attack plugin. Using the brute-force method, hackers may try to attack your login page. Thanks to this plugin, after the 3rd failed attempt Wordpress makes the user wait some time before trying a username and password again. Otherwise, using wordlists, they may find the login details.
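To show what a plugin like Limit Login Attempts does under the hood, and what an activity-monitor plugin records, here is an added example (not the plugin's own code and not from the slides) written as a minimal WordPress plugin file. It counts failed logins per client address with WordPress transients, refuses authentication once the slide's limit of 3 is reached, and writes a log line for each failure. The smh_ prefix, the 15-minute wait and the log format are assumptions; wp_login_failed, the authenticate filter, wp_login, the transient functions and WP_Error are WordPress's own API.

```php
<?php
/**
 * Plugin Name: SMH Login Limiter (added example, not from the slides)
 * Description: Lock out a client address after 3 failed logins, as the
 *              Limit Login Attempts plugin does. Drop into wp-content/plugins/.
 */

const SMH_MAX_ATTEMPTS = 3;     // the slide's "after the 3rd attempt"
const SMH_LOCKOUT_SECS = 900;   // 15 minutes; an assumption for this example

// Key the counter on the client address. Behind a reverse proxy you would
// read the proxy's trusted forwarded-for header instead of REMOTE_ADDR.
function smh_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function smh_transient_key(string $ip): string {
    return 'smh_failed_' . md5($ip);
}

// WordPress fires wp_login_failed on every wrong username/password pair.
function smh_on_login_failed(string $username): void {
    $ip   = smh_client_ip();
    $key  = smh_transient_key($ip);
    $fail = (int) get_transient($key) + 1;
    set_transient($key, $fail, SMH_LOCKOUT_SECS);   // expires -> counter resets
    // Activity-monitor style record: who, from where, how many times.
    // Never log the password that was tried.
    error_log(sprintf('wp-login failed: user=%s ip=%s count=%d', $username, $ip, $fail));
}
add_action('wp_login_failed', 'smh_on_login_failed');

// Runs after WordPress's own password check (priority 20), so priority 30.
// Returning a WP_Error makes the login fail with that message.
function smh_block_if_locked($user, $username, $password) {
    if (empty($username)) {
        return $user;   // login form merely displayed, nothing to check
    }
    $fail = (int) get_transient(smh_transient_key(smh_client_ip()));
    if ($fail >= SMH_MAX_ATTEMPTS) {
        return new WP_Error(
            'smh_locked',
            __('Too many failed logins from your address. Please wait and try again.')
        );
    }
    return $user;
}
add_filter('authenticate', 'smh_block_if_locked', 30, 3);

// A successful login clears the counter for this address.
add_action('wp_login', function () {
    delete_transient(smh_transient_key(smh_client_ip()));
});
```

Keying on the address has the trade-offs any such plugin has: many users behind one NAT share a counter, and an attacker with many addresses gets 3 guesses from each. That is why the plugin is a complement to, not a substitute for, the strong password and non-obvious username from slide C.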

WP Activity Monitor

You may have many admins, moderators or editors on your Wordpress, and it is hard to keep track of everyone. Moreover, how can you be sure there is no hacker you do not know about? With this plugin you can follow all the activity on your Wordpress.

Tips

Back up your MySQL database regularly

You should always back up your site files and database. Get into the habit of regular MySQL backups by exporting your MySQL data as a .sql file and storing it in a safe location.

Do not install every plugin you find

Wordpress sites usually get hacked through plugins. That is why you should download and install only plugins that are recommended by Wordpress.
