Top 10 WordPress Security Mistakes
by Super User, 8 years ago
These security tips apply to Joomla, Magento, and other content management systems as well. I'll show you how to fix the most glaring issues; getting these right would have prevented a huge percentage of the security compromises I see every day.
# Core Application
incorrect file/dir permissions
-777 (anyone on the box can write) -- should be 755 for dirs, 644 for files, except in SPECIAL cases; 775 on a directory only where the web-server group genuinely has to write (e.g. uploads), and never 777
http://stackoverflow.com/questions/3740152/how-to-set-chmod-for-a-folder-and-all-of-its-subfolders-and-files-in-linux-ubunt
http://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver
running sites as root
-own the files as a normal deploy user with the web server's group, e.g. dave:www-data, instead -- the group (web server) has read only, and the OWNER IS THE ONLY ONE WHO CAN WRITE (if the web server can write the code it serves, any PHP bug can rewrite the site)
shared PHP/user between sites
-most hosting companies use shared hosting
-whether you have one site or 23 sites, they're all running under ONE user and ONE PHP process.
-one infected site puts everything at risk, since the compromised PHP process can write to the other sites' files (and thereby cross-infect them); the fix is a separate Unix user (and PHP-FPM pool) per site
web user has a shell (instead of /bin/false)
-grep www /etc/passwd -- the last field is the login shell: /sbin/nologin (or /usr/sbin/nologin, /bin/false) good, /bin/bash == BAAAD
ssh with passwd login, root login enabled
-no root login from the Internet (PermitRootLogin no in sshd_config).
-no password-based logins. Period. Keys only (PasswordAuthentication no).
weak FTP/hosting/DNS passwords
-hosting companies that still expose plain FTP -- scary: credentials cross the wire in cleartext, so use SFTP and a strong, unique password per account
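The checks behind the Core Application mistakes above, as an added POSIX shell script (it is not from the video or from tutorialinux): it counts world-writable entries under a docroot and resets them to the 755/644 baseline, counts entries not owned by the deploy user, reads the web user's login shell out of a passwd file, and reads the effective PermitRootLogin / PasswordAuthentication values from an sshd_config. The user names (dave, www-data, webbad) and the docroot, passwd and sshd_config files are constructed in a temp directory so the script runs offline; on a real host point the functions at /var/www/..., /etc/passwd and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added audit helpers for the "Core Application" mistakes (not the video's own code).
# Fixture data below is constructed; replace the paths with live ones on a real server.

# 1. Permissions: entries a *non-owner* can write (777 dirs, 666 files, ...).
count_world_writable() {                        # $1 = docroot -> prints count
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Reset to the baseline: 755 dirs, 644 files. Re-open single directories that the
# web server must write (uploads, cache) with 775 afterwards; never 777.
fix_perms() {                                   # $1 = docroot
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# 2. Ownership: entries not owned by the deploy user (web server should only be in the group).
count_not_owned_by() {                          # $1 = docroot, $2 = user name or uid -> prints count
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# 3. Web user shell: field 7 of the passwd entry must be nologin or /bin/false.
web_user_shell() {                              # $1 = passwd file, $2 = user -> prints shell
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}
web_user_shell_ok() {                           # returns 0 if the shell cannot log in
    case "$(web_user_shell "$1" "$2")" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# 4. sshd: the FIRST occurrence of a keyword in sshd_config wins (later duplicates are
#    ignored), so take the first non-comment match. Match blocks are ignored here (assumption).
sshd_setting() {                                # $1 = sshd_config, $2 = keyword -> value, lowercased
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k && !seen { v = $2; seen = 1 }
        END { print tolower(v) }' "$1"
}
sshd_ok() {                                     # $1 = sshd_config -> 0 only if root+password logins are off
    root=$(sshd_setting "$1" PermitRootLogin)
    pw=$(sshd_setting "$1" PasswordAuthentication)
    case "$root" in no|prohibit-password|without-password) ;; *) return 1 ;; esac
    # PasswordAuthentication defaults to yes when unset, so demand an explicit "no".
    [ "$pw" = "no" ]
}

# Constructed fixture: a tiny docroot with the classic mistakes plus fake passwd/sshd files.
build_demo() {                                  # prints the fixture directory
    d=$(mktemp -d)
    mkdir -p "$d/docroot/wp-content/uploads"
    chmod 755 "$d/docroot" "$d/docroot/wp-content"
    echo '<?php define("DB_PASSWORD", "x");' > "$d/docroot/wp-config.php"
    echo '<?php // index' > "$d/docroot/index.php"
    chmod 777 "$d/docroot/wp-content/uploads"   # mistake: world-writable directory
    chmod 666 "$d/docroot/wp-config.php"        # mistake: world-writable secrets
    chmod 644 "$d/docroot/index.php"
    printf 'www-data:x:33:33::/var/www:/usr/sbin/nologin\nwebbad:x:1001:1001::/var/www:/bin/bash\n' > "$d/passwd"
    printf '# PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/sshd_bad"
    printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\nPasswordAuthentication yes\n' > "$d/sshd_good"
    echo "$d"
}

report() {                                      # run every check against the fixture
    d=$(build_demo)
    echo "world-writable entries before fix: $(count_world_writable "$d/docroot")"
    fix_perms "$d/docroot"
    echo "world-writable entries after fix:  $(count_world_writable "$d/docroot")"
    echo "entries not owned by uid $(id -u): $(count_not_owned_by "$d/docroot" "$(id -u)")"
    for u in www-data webbad; do
        if web_user_shell_ok "$d/passwd" "$u"; then echo "$u: shell ok"
        else echo "$u: shell BAD ($(web_user_shell "$d/passwd" "$u"))"; fi
    done
    for f in sshd_bad sshd_good; do
        if sshd_ok "$d/$f"; then echo "$f: ok"
        else echo "$f: root or password login still allowed"; fi
    done
    rm -rf "$d"
}
report
```

The sshd_good fixture deliberately repeats PasswordAuthentication: the first line (no) is the one sshd honours, which is why appending a "fix" to the end of sshd_config does nothing if an earlier line already sets the keyword.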
# Administration
people don't update their CMS installations and plugins
people run huge numbers of plugins (every plugin is third-party code running with the site's privileges; remove what you don't use)
# 3rd-party
badly engineered plugins/themes/etc.
vulnerable 'custom' code -- e.g. file uploaders with no authentication
malvertising
#########################
Full Linux Sysadmin Basics Playlist: https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
Check out my project-based Linux System Administration course (free sample videos): https://www.udemy.com/hands-on-linux-self-hosted-wordpress-for-linux-beginners/?couponCode=tl35
Patreon: https://www.patreon.com/tutorialinux
Official Site: https://tutorialinux.com/
Twitter: https://twitter.com/tutorialinux
Facebook: https://www.facebook.com/tutorialinux