This document outlines 15 ways to improve WordPress security, including:
1. Choosing a hosting provider with strong security features rather than just price
2. Enabling automatic background updates for security releases in WordPress versions 3.7 and higher
3. Regularly updating plugins, deleting unused plugins, avoiding duplicate plugins, and checking compatibility before core updates
2. Choosing a hosting provider
Consider the security features a hosting company provides
before you choose it; price should not be the only reason
for choosing a hosting provider.
3. Automatic background updates for security releases
It is good practice to install every security update as soon
as it is available for WordPress. Starting with version 3.7,
WordPress introduced automated background updates for all
minor releases, such as 3.7.1 and 3.7.2. The WordPress
Security Team can identify, fix, and push out automated
security enhancements for WordPress without the site owner
needing to do anything on their end. Also make sure never to
download WordPress core updates from third-party websites.
4. Plugins
1. Always keep plugins updated.
2. Delete unused plugins.
3. Don't use multiple plugins for the same purpose.
4. Check plugin compatibility before updating WordPress core.
5. Secure themes
Be cautious when purchasing premium themes, and especially
when buying from a source that is not genuine. Sometimes
saving a few bucks on a cheap theme may cost you more than
what you saved on the purchase.
6. Regular checks
Check your WordPress installation regularly, and back up the
database and WordPress files daily, so that after a mishap
you can get back online as soon as possible without too much
headache. There are lots of free plugins for this purpose.
7. Vulnerabilities on your own computer
Make sure your operating system and software are updated to
the latest versions. Viruses, malware, spyware, key loggers
and similar are capable of stealing your important data from
your computer without any visible problem.
8. Passwords
Use strong passwords and don't use the default username
"admin". Also enable two-factor authentication; many WordPress
plugins currently provide it. Enabling two-factor
authentication will help protect you from brute-force attacks.
9. How to choose a good password?
1. Don't use your username.
2. Don't use any meaningful words or sentences.
3. Don't use short passwords.
4. Include special characters and alphanumerics with upper
and lowercase letters.
10. FTP and SFTP
FTP (File Transfer Protocol) and SFTP (Secure File Transfer
Protocol) are two protocols used for file transfer. FTP sends
your credentials and files in clear text, while SFTP runs over
SSH and encrypts them, so if your hosting company provides
SFTP, use it rather than FTP.
11. File permissions
You should also take care of file permissions. Use the command
line or an FTP program to set file permissions as follows.
/ (root directory): All files should be writable only by
your user account, except .htaccess if you want WordPress to
write URL rewriting rules for you.
/wp-admin/: Writing to this folder should only be allowed
for your account.
/wp-includes/: Only you are allowed to write.
/wp-content/: Both you and the web server are allowed to
write.
/wp-content/themes/: If you use the built-in theme editor,
you and the web server are allowed to write; otherwise only
you.
/wp-content/plugins/: Only you are allowed to write.
13. MySQL security
If you manage MySQL yourself, don't allow remote TCP
connections to MySQL. Edit the MySQL configuration file
(my.cnf) and add the following line:
skip-networking
To find the location of the MySQL configuration file:
mysql --help | grep Default -A 1
14. Minimum privileges for the MySQL user
WordPress normally requires only the CREATE, UPDATE, INSERT
and DELETE permissions, so the MySQL user should be granted
only those. When you update WordPress or install a plugin,
however, you may need to grant the DROP, ALTER and GRANT
permissions temporarily. Don't try to update WordPress or
plugins without granting those permissions, as that may
result in WordPress errors. And make a backup before updates.
15. Securing wp-includes
Files under this folder are not intended to be accessed
directly by a user, so we can modify the .htaccess file so
that access to those files is not allowed. Please note that
this code must be placed only outside the # BEGIN WordPress
and # END WordPress tags in the .htaccess file; otherwise
WordPress will overwrite our changes to .htaccess. Also, this
will not work well in a multisite setup.
17. Securing wp-config.php
Disable access to wp-config.php by adding the following rule
to the .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
18. Don't allow file edits from the WP dashboard
Disable them by adding the following line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
19. Last but not least
1. Don't use the default admin username.
2. Don't use the default wp_ table prefix.
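The checks from sections 11, 17, 18 and 19 collected into one audit script, as an added example that is not from the original slides. It assumes a POSIX shell with find, grep and awk, and builds a small throwaway directory tree (constructed demo data, not a real site) so that it runs stand-alone; point the functions at a real site root instead of $WP_DEMO to audit it.

```shell
#!/bin/sh
# Added audit script (example code, not from the slides) for the checks in
# sections 11, 17, 18 and 19; the demo tree at the end is constructed.

# Section 11/12: list files and directories that group or others may write.
# Apart from wp-content (which the web server must write to) the slides
# want every path writable only by the owner, so each line is a finding.
list_shared_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print | sort
}
# Section 18: succeed when wp-config.php defines DISALLOW_FILE_EDIT as true.
file_edit_disabled() {
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}
# Section 19: succeed when $table_prefix is something other than the default wp_.
custom_table_prefix() {
    ! grep -Eq "^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" \
        "$1/wp-config.php"
}
# Section 17: succeed when .htaccess has a <files wp-config.php> stanza that
# denies all access (Apache 2.2 "deny from all" or 2.4 "Require all denied").
config_blocked_in_htaccess() {
    awk 'tolower($0) ~ /<files[[:space:]]+"?wp-config\.php"?>/ { inblk = 1 }
         inblk && tolower($0) ~ /deny from all|require all denied/ { found = 1 }
         tolower($0) ~ /<\/files>/ { inblk = 0 }
         END { exit found ? 0 : 1 }' "$1/.htaccess"
}

# Constructed demo tree: one intentional permission mistake and the default
# table prefix, so the report below shows both passes and findings.
WP_DEMO=$(mktemp -d)
mkdir -p "$WP_DEMO/wp-admin" "$WP_DEMO/wp-includes" "$WP_DEMO/wp-content/uploads"
printf '%s\n' '<?php' "\$table_prefix = 'wp_';" "define('DISALLOW_FILE_EDIT', true);" \
    > "$WP_DEMO/wp-config.php"
printf '%s\n' '<files wp-config.php>' 'order allow,deny' 'deny from all' '</files>' \
    > "$WP_DEMO/.htaccess"
touch "$WP_DEMO/wp-includes/functions.php"
chmod 755 "$WP_DEMO" "$WP_DEMO/wp-admin" "$WP_DEMO/wp-includes" "$WP_DEMO/wp-content"
chmod 644 "$WP_DEMO/wp-config.php" "$WP_DEMO/.htaccess"
chmod 775 "$WP_DEMO/wp-content/uploads"          # web server writes here: expected
chmod 666 "$WP_DEMO/wp-includes/functions.php"   # world-writable core file: finding

echo "Group/world-writable paths under $WP_DEMO:"
list_shared_writable "$WP_DEMO"
file_edit_disabled "$WP_DEMO" && echo "OK: dashboard file editor disabled" \
    || echo "WARN: DISALLOW_FILE_EDIT not set"
custom_table_prefix "$WP_DEMO" && echo "OK: custom table prefix" \
    || echo "WARN: default wp_ table prefix"
config_blocked_in_htaccess "$WP_DEMO" && echo "OK: wp-config.php blocked in .htaccess" \
    || echo "WARN: wp-config.php not blocked in .htaccess"
```

The demo tree is left in place so the results can be inspected; remove $WP_DEMO when done.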
20. Conclusion
These are a few things we can do from our side. Thanks for
reading. Like and subscribe now to get videos from
CodePappa.com.