Top 10 WordPress Security Mistakes



Incorrect file/dir permissions (777)


• Should be 755 for dirs, 644 for files except in SPECIAL cases

ls -l /var/www/wordpress


cd /var/www/wordpress
# Make permission bits of all directories 755
find . -type d -exec chmod 755 {} \;

# Make permission bits of all files to 644
find . -type f -exec chmod 644 {} \;


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Running sites as root


• For example, don't run Apache as root: if Apache gets compromised, whoever compromised it has full control of the machine
• OWNER IS THE ONLY ONE WHO CAN WRITE

cd /var/www/wordpress
# Change ownership recursively (owner writes, web server group only reads)
chown -R dave:www-data .


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Shared PHP/user between sites


• Most hosting companies use shared hosting
• Whether you have one site or 23 sites, they're all running under ONE user and ONE PHP process
• One infected site means that everything is at risk, since that site can write to other sites (and thereby cross-infect them)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Web user has a shell


• The web user should have a non-login shell such as /bin/false or /sbin/nologin -- good; an interactive shell like /bin/bash -- bad

grep www /etc/passwd
# Check the last column (login shell)
## /sbin/nologin (GOOD)
## /bin/bash (BAD)
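An added example, not from these notes, that turns the 755/644 permission check and fix above and the /etc/passwd shell check into POSIX shell functions; it runs against a constructed sample tree and a constructed passwd-format file rather than a live server, so it can be tried offline.

```shell
# Added example, not from the original notes: audit a WordPress tree for the 777
# / non-755/644 mistakes, apply the find+chmod fix, and check a web user's shell.
# Directories not exactly 755 plus files not exactly 644 under $1.
count_nonstandard_perms() {
    dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    files=$(find "$1" -type f ! -perm 644 | wc -l)
    echo $((dirs + files))
}

# Anything world-writable under $1 (-perm -002: the "other write" bit is set).
count_world_writable() {
    echo $(( $(find "$1" -perm -002 | wc -l) ))
}

# The fix from the notes: 755 for every directory, 644 for every file.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Login shell (7th field) of user $2 in the passwd-format file $1.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# A web user should have a non-interactive shell (nologin or /bin/false).
shell_is_nologin() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tree with two deliberately wrong modes; prints its path.
make_sample_tree() {
    d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
    : > "$d/wp-config.php"; : > "$d/wp-content/uploads/img.jpg"
    chmod 755 "$d" "$d/wp-content"; chmod 644 "$d/wp-content/uploads/img.jpg"
    chmod 777 "$d/wp-content/uploads"   # the classic 777 mistake
    chmod 666 "$d/wp-config.php"        # world-writable config file
    echo "$d"
}

# Constructed passwd-format sample: a correct web user and a bad one.
make_sample_passwd() {
    f=$(mktemp)
    printf '%s\n' 'www-data:x:33:33:www-data:/var/www:/sbin/nologin' 'webadm:x:1001:1001::/home/webadm:/bin/bash' > "$f"
    echo "$f"
}
```

Run `count_nonstandard_perms` and `count_world_writable` against a real tree before and after `fix_perms` to see the counts drop to zero; ownership is not changed here because `chown` needs root.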


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SSH with passwd login, root login enabled


• No root login from Internet
• No password based logins. Period

sudo nano /etc/ssh/sshd_config

# Set these directives without a leading '#' (sshd treats '#' lines as comments and ignores them), then reload sshd:
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
PermitRootLogin no


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Weak FTP / hosting / DNS passwords


• Hosting companies that expose FTP -- scary

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

People don't update their CMS installations & plugins


• People run huge amounts of plugins
• Applies to Joomla, Magento, and other Content Management Systems (CMS) too
• Badly engineered plugins/themes/etc

ls wp-content/plugins/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable 'custom' code


• Uploaders with no authentication, etc.; malvertising
