Wordpress security best practices - WordCamp Waukesha 2017
Transcript of Wordpress security best practices - WordCamp Waukesha 2017
@VicDrover
RevSlider < 3.0.95 = vulnerable
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
WordPress host for Ransomware
http://www.tomsguide.com/us/wordpress-ransomware-epidemic,news-22219.html
Initial response
→ Who, What, When
→ Emergency contact info
→ Service provider info
  ◆ DNS, Server/Host, Data Center, Backups
→ 1-time use passwords
Security policy
→ Email usage
→ Resource access
→ Password strength
→ Password duration
→ Account sharing
→ Team composition
→ Disaster planning
→ Ongoing Education
Other local issues
→ SSH on non-default port, encryption keys
→ Disable FTP (vs. secure FTP)
→ Strong database password + table prefix
→ Enable logging (usually off by default)
→ Disable magic_quotes
Well-known WordPress best-practices
→ Unique administrator account
→ Disable file editing, PHP Execution
→ Limit Login Attempts
→ Remove unused themes + plugins
→ Block editing of config file
Secure failed login message
    // Replace WordPress's default failed-login text, which reveals whether
    // the username exists, with one message for every failure.
    function wrong_login() {
        return 'Wrong username or password.';
    }
    add_filter('login_errors', 'wrong_login');
(add to the theme's functions.php)
http://geckogullywebsites.com/wordpress-security-tips-check-for-display-of-unnecessary-information-on-failed-login-attempts/
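An added example, not code from the talk, that combines the generic-message filter above with the "Limit Login Attempts" item from the best-practices slide as a single must-use plugin. The 5-attempt/15-minute values, the file location and the vd_ function names are assumptions; it uses only WordPress hooks (login_errors, wp_login_failed, authenticate, wp_login) and the transient API.

```php
<?php
/**
 * Plugin Name: Generic login errors + simple lockout (added example)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumed, not from the slides: 5 attempts, 15-minute window.
 */
define( 'VD_MAX_ATTEMPTS', 5 );
define( 'VD_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Per-client counter key. Assumption: no reverse proxy in front of the site;
// behind one, REMOTE_ADDR is the proxy and the host's trusted forwarded
// address must be used instead, or every visitor shares one counter.
function vd_attempt_key() {
    return 'vd_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// 1. One message for every failure: never reveal which half was wrong.
function vd_generic_login_error( $message ) {
    return 'Wrong username or password.';
}
add_filter( 'login_errors', 'vd_generic_login_error' );

// 2. Count failures per client in a transient that expires on its own
//    (each failure restarts the window).
function vd_record_failure( $username ) {
    $key   = vd_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, VD_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'vd_record_failure' );

// 3. Run after the built-in checks (priority 20) so a locked-out client is
//    refused even when the credentials are correct this time.
function vd_enforce_lockout( $user, $username, $password ) {
    if ( (int) get_transient( vd_attempt_key() ) >= VD_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Wrong username or password.' );
    }
    return $user;
}
add_filter( 'authenticate', 'vd_enforce_lockout', 30, 3 );

// 4. Clear the counter on a successful login so the legitimate user is not
//    penalised later.
function vd_clear_failures( $user_login, $user ) {
    delete_transient( vd_attempt_key() );
}
add_action( 'wp_login', 'vd_clear_failures', 10, 2 );
```

The lockout is per client address only, so it slows password guessing from one source but not a distributed attempt; pair it with the strong-password and unique-admin-account items from the same slide.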