
Jak si (ne)nechat hacknout Wordpress stránky - How to have unhackable WordPress site

Date post: 25-Jan-2015
Upload: michal-kubicek
Description:
What a site owner running WordPress can do to end up the victim of a successful attack, and the simplest ways to protect a site against malware, spambots and other vermin. Examples from practice and more or less successful stories of what can happen when ...
Jak si (ne)nechat hacknout Wordpress stránky (How to (not) get your WordPress site hacked) / How to have unhackable WordPress site
Michal Kubíček, Webexpo > Praha > 14-09-2014

Transcript

1. Jak si (ne)nechat hacknout Wordpress stránky / How to have unhackable WordPress site (title slide: Michal Kubíček, Webexpo > Praha > 14-09-2014)

2. SECURITY IN WORDPRESS

3. WHAT DO THEY GET OUT OF IT?
- Sending spam
- DDoS attacks
- Fraudulent redirects
- Altering page content (defacement)
- Inserting hidden backlinks and iframes
- Inserting advertising
- Discrediting the site
- Access to users' personal data and passwords
- Access to payment gateways
- Theft of services
- Dropping malicious code onto visitors' PCs
- Storing illegal material on a "safe" machine
- Personal reasons
- Just because / LOL

4. CORE

5. THEMES

6. PLUGINS

7. USD: UPDATE, SOURCE, DELETE
(Keep it updated, install only from a source you trust, delete what you do not use.)

8. USD: UPDATE, SOURCE, DELETE
LFI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
(A local file inclusion in the Slider Revolution plugin: the img parameter walks up the directory tree and the handler returns wp-config.php, database credentials and secret keys included. A plugin bundled inside a theme is still a plugin and needs the same update, source and delete treatment.)

9. UPLOADING MALICIOUS CODE

10. UPLOADING MALICIOUS CODE
    # prevent execution of unwanted files from /uploads/
    Order Allow,Deny
    Deny from all
    Order Deny,Allow
    Allow from all
(As extracted, the second pair simply overrides the first: on the slide each pair sat inside a <Files>/<FilesMatch> directive, and the second one listed the harmless extensions, images and documents, that are allowed back. Restore those wrappers before using it. All the .htaccess snippets in this talk use the Apache 2.2 Order/Allow/Deny syntax; Apache 2.4 needs "Require all denied" / "Require all granted", or mod_access_compat loaded.)

11. FILE EDITING ALLOWED FROM THE ADMIN
(the theme and plugin editor; see DISALLOW_FILE_EDIT in the wp-config cheat sheet)

12. PINGBACK & TRACKBACK, XMLRPC, DDoS ATTACKS
(pingback.ping on xmlrpc.php lets anyone make the site fetch a URL of their choosing, which is how WordPress installs get enlisted in reflected DDoS; the same endpoint also accepts login attempts without ever touching wp-login.php.)

13.
    RedirectMatch 403 /(.*)/xmlrpc.php$
    Order Deny,Allow
    Deny from all
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
(The Deny pair belongs inside a <Files xmlrpc.php> block; without that wrapper, which did not survive extraction, it would lock out the whole site. Blocking xmlrpc.php also disables the WordPress mobile apps, Jetpack and any other XML-RPC client. The TRACE block is independent of WordPress.)

14. BRUTE-FORCE ATTACKS

15. BRUTE-FORCE ATTACKS: RENAME BOTH THE NICKNAME AND THE LOGIN
Source: http://blog.sucuri.net

16. BRUTE-FORCE ATTACKS: BLOCKING PROBLEM IPs
    Order allow,deny
    Allow from all
    # blocks 110.89.*.*
    Deny from 110.89.0.0/16
    # blocks 208.43.251.*
    Deny from 208.43.251.0/24

17. BRUTE-FORCE ATTACKS: BLOCKING COUNTRIES (ISO CODES)
    GeoIPEnable On
    # Vietnam
    SetEnvIf GEOIP_COUNTRY_CODE VN BlockThese
    # Russia
    SetEnvIf GEOIP_COUNTRY_CODE RU BlockThese
    # Romania
    SetEnvIf GEOIP_COUNTRY_CODE RO BlockThese
    # Turkey
    SetEnvIf GEOIP_COUNTRY_CODE TR BlockThese
    # China
    SetEnvIf GEOIP_COUNTRY_CODE CN BlockThese
    # Nigeria
    SetEnvIf GEOIP_COUNTRY_CODE NG BlockThese
    # Iran
    SetEnvIf GEOIP_COUNTRY_CODE IR BlockThese
    Deny from env=BlockThese
(Needs mod_geoip. Country blocks cut the noise; a targeted attacker simply comes through a proxy elsewhere.)

18. BRUTE-FORCE ATTACKS: RENAME WP-LOGIN

19. BRUTE-FORCE ATTACKS: PROTECT WP-LOGIN
    # protect wp-login with .htpasswd
    AuthUserFile ~/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user mysecretuser
(Place this inside a <Files wp-login.php> block. Apache does not expand "~": AuthUserFile needs an absolute path, and the file should sit outside the web root. AuthName takes a single argument, so a two-word realm must be quoted.)
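Slides 14 to 19 block the sources of brute-force attempts by hand. The following is an added example, not from the slides, that produces the "Deny from" lines for the slide-16 list from an Apache access log: it counts POST requests to wp-login.php per client IP and prints every IP at or above a threshold. The log lines are constructed for the example, not a real capture; the function name and the threshold are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the talk): turn wp-login.php POST floods in an Apache
# combined-format access log into "Deny from <ip>" lines for the .htaccess block list.

# Constructed sample (not real traffic): 203.0.113.7 posts three times,
# 198.51.100.2 loads the page once and posts once.
SAMPLE_LOG='203.0.113.7 - - [14/Sep/2014:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2014:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Sep/2014:10:00:03 +0200] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2014:10:00:04 +0200] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Sep/2014:10:00:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# wp_login_abusers THRESHOLD < access.log
# In the combined format $1 is the client IP, $6 is the quoted method ("POST)
# and $7 the request path. Only POSTs count: GETs are people looking at the form.
wp_login_abusers() {
  threshold="${1:-10}"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= t) print "Deny from " ip }
  ' | LC_ALL=C sort
}

# Stand-alone demo on the constructed sample: prints "Deny from 203.0.113.7".
printf '%s\n' "$SAMPLE_LOG" | wp_login_abusers 3
```

Review the list before pasting it into the slide-16 block: a campus NAT or a CDN in front of the site puts many users behind one address (with CloudFlare or Incapsula the real client is in X-Forwarded-For, not in $1), and blocking it would lock all of them out.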
20. BRUTE-FORCE ATTACKS: REFERER CHECK
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login).php*
    RewriteCond %{HTTP_REFERER} !.*vasedomena.cz.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
(vasedomena.cz stands for your own domain. A POST to the login or comment form that carries a foreign Referer or an empty User-Agent is bounced back to the client's own address. Both headers are set by the client, so this stops lazy bots only.)

21. BRUTE-FORCE ATTACKS: A STRONGER PASSWORD

22. BRUTE-FORCE ATTACKS: LIMIT THE NUMBER OF LOGIN ATTEMPTS

23. WP-CONFIG CHEAT SHEET
ONLINE AT http://michalkubicek.cz/tahak-pro-wp-config-php/
Entry and what it does:
    define('FORCE_SSL_LOGIN', true);                     force HTTPS on the login page (SSL); deprecated as of WordPress 4.0 in favour of FORCE_SSL_ADMIN
    define('FORCE_SSL_ADMIN', true);                     force HTTPS on the administration (covers the login page too)
    define('DISALLOW_FILE_EDIT', true);                  disable PHP editing in the administration
    define('WP_AUTO_UPDATE_CORE', true);                 enable automatic core updates
    add_filter( 'auto_update_plugin', '__return_true');  enable automatic plugin updates
    add_filter( 'auto_update_theme', '__return_true');   enable automatic theme updates
    define('DISALLOW_FILE_MODS', true);                  disable installing plugins and themes from the administration
    define('WP_HTTP_BLOCK_EXTERNAL', true);              block outgoing external requests (e.g. from plugins)
    define('WP_ACCESSIBLE_HOSTS', 'povolenaurl.cz');     allow outgoing requests to one specific host
    error_reporting(0);
    @ini_set('display_errors', 0);                       turn off error messages
    define('WP_MEMORY_LIMIT', '96M');                    raise the PHP memory limit
    define('FS_CHMOD_FILE', 0644);
    define('FS_CHMOD_DIR', 0755);                        permissions WordPress uses for files and folders it creates
    define('WP_POST_REVISIONS', 2 );                     limit the number of post revisions
(The two add_filter() lines cannot live in wp-config.php: the plugin API is not loaded yet when it runs, so they belong in a must-use plugin or the theme's functions.php. WP_HTTP_BLOCK_EXTERNAL also blocks the update checks against api.wordpress.org unless that host is listed in WP_ACCESSIBLE_HOSTS. The FS_CHMOD values match the table on the next slide: 0644 for files, 0755 for folders.)

24. FOLDER AND FILE PERMISSIONS
    root (web root)          0755
    wp-includes/             0755
    .htaccess                0644
    wp-admin/index.php       0644
    wp-admin/js/             0755
    wp-content/themes/       0755
    wp-content/plugins/      0755
    wp-admin/                0755
    wp-content/              0755
    wp-config.php            0644
(0644 leaves wp-config.php readable by every account on a shared host; use 0640 or 0600 wherever the PHP process runs as the file's owner.)

25. CAMOUFLAGE
- license.txt, readme.txt
- signature
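Slide 24 gives the target permissions and slides 9 and 10 deal with malicious files dropped into wp-content/uploads. The following added example, not from the slides, is the shell side of both: wp_fix_perms applies the slide's scheme (folders 0755, files 0644) to a WordPress root, and wp_find_php_in_uploads lists PHP-like files and stray .htaccess files under uploads, which is exactly what the uploads .htaccess from slide 10 is meant to keep from executing. Function names and the standard directory layout are assumptions of the example; the test data it creates is constructed.

```shell
#!/bin/sh
# Added example (not from the talk): apply the slide-24 permission scheme and
# audit wp-content/uploads for files that should never be there.

# wp_fix_perms ROOT: folders 0755, files 0644, the values from slide 24.
# Ownership is left alone; on shared hosting consider 0640 for wp-config.php afterwards.
wp_fix_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f -exec chmod 0644 {} +
}

# wp_find_php_in_uploads ROOT: print every file under wp-content/uploads whose name
# a typical Apache+mod_php setup would hand to PHP (.php, .phtml, .php5, .phar ...),
# plus any .htaccess: an attacker who can write one there can re-enable execution
# (AddType/AddHandler) on hosts where AllowOverride permits it.
wp_find_php_in_uploads() {
  uploads="$1/wp-content/uploads"
  [ -d "$uploads" ] || return 0
  find "$uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
       -o -iname '*.phar' -o -name '.htaccess' \) | LC_ALL=C sort
}

# Stand-alone use: audit the WordPress root given as the first argument (default: .).
# The permission fix is deliberately not run automatically.
wp_find_php_in_uploads "${1:-.}"
```

Run the audit from cron and mail yourself the output; a non-empty list after the uploads .htaccess is in place means either a webshell or a plugin that legitimately writes PHP into uploads, and both deserve a look.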
26. CAMOUFLAGE
    order allow,deny
    deny from all
    order allow,deny
    deny from all
    order allow,deny
    deny from all
    ServerSignature Off
    RewriteCond %{REQUEST_FILENAME} wp-.*$ [NC]
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteCond %{REQUEST_FILENAME} -f [NC,OR]
    RewriteCond %{REQUEST_FILENAME} -d [NC]
    RewriteRule .* - [F,L]
    # rename wp-login to 'administrace'
    RewriteCond %{REQUEST_URI} administrace/?$ [NC]
    RewriteRule backend/?$ /wp-login.php [NC,L]
(The three deny pairs were each inside a <Files ...> block on the slide, one per file named on slide 25 plus wp-config.php; the tags did not survive extraction. The rewrite block refuses any direct request, that is one not produced by an internal redirect, for a file or folder whose path contains "wp-", and the rename rule then maps the alias to /wp-login.php internally. Two things to fix before use: as written the condition tests for "administrace" while the rule pattern is "backend", so they never both match; and "wp-.*" also matches wp-content/ and wp-includes/, which serve the theme's CSS, JS and uploads, so the rule must be scoped to wp-login.php and wp-admin.)

27. CAMOUFLAGE
/wp-content/themes/your-theme/functions.php
    remove_action('wp_head', 'feed_links', 2);
    remove_action('wp_head', 'feed_links_extra', 3);
    remove_action('wp_head', 'rsd_link');
    remove_action('wp_head', 'wlwmanifest_link');
    remove_action('wp_head', 'index_rel_link');
    remove_action('wp_head', 'start_post_rel_link', 10, 0);
    remove_action('wp_head', 'parent_post_rel_link', 10, 0);
    remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
    remove_action('wp_head', 'wp_generator');
    remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);
(Removing wp_generator only strips the meta tag from the HTML head; the version still shows in the RSS feeds and in the ?ver= query strings on core scripts and styles. The readme and license files from slide 25 give it away too.)

28. WEB APPLICATION FIREWALL
- CloudFlare
- Incapsula
- cloudproxy.sucuri
- easywaf
- Kona (Akamai)
- mod_security

29. USEFUL PLUGINS AND SITES
- Google Authenticator: two-factor authentication
- All In One WP Security: brute-force protection (rename the account, change the login page, captcha), change of the DB prefix, automatic backups (watch out for directory listing of the backup folder), simple change of folder and file permissions, firewall, blacklist, whitelist, bot honeypot, comment spam captcha, file change detection
- Acunetix SecureWordPress, Acunetix WP Security: vulnerability scanner
- Sucuri Security: finds unusual files, malware scanner
- Change DB Prefix Plugin
- https://api.wordpress.org/secret-key/1.1/salt/ : generates the secret keys and salts
- http://bezpecnostwebu.cz/ukazky/htaccess.txt : a tuned .htaccess
- http://wordpress.bigdrobek.com/bezpecnost/ : a good overview of the basic steps to secure WP
- http://musilda.cz
- http://wpsecure.net/ : EN
- http://blog.sucuri.net : EN

30. EVERY APPLICATION IS SECURE. UNTIL SOMEONE FINDS A BUG IN IT.
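Slide 27 strips the WordPress fingerprints from the page head, and slide 26 turns off the server signature. The following added example, not from the slides, is the check that the head really is clean: wp_fingerprints reads a page's HTML from stdin and names each fingerprint still present (generator meta tag, RSD and Windows Live Writer links, shortlink, feed links, any reference to xmlrpc.php). The HTML sample is constructed, not captured from a real site, and the function name is the example's own. Run it on the output of curl -s for your front page after deploying the functions.php change.

```shell
#!/bin/sh
# Added example (not from the talk): report WordPress fingerprints left in a page head.

# Constructed head of an unhardened install (not a real capture).
SAMPLE_HEAD_BEFORE='<head>
<link rel="alternate" type="application/rss+xml" title="Feed" href="/feed/" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 4.0" />
<link rel="shortlink" href="/?p=1" />
</head>'

# wp_fingerprints < page.html : one line per fingerprint class still present.
# grep -o pulls out just the tell-tale attribute, sed names it, sort -u dedupes
# (the RSD link counts twice: once as EditURI, once as an xmlrpc.php reference).
wp_fingerprints() {
  grep -o -i -E 'name="generator"|rel="EditURI"|rel="wlwmanifest"|rel="shortlink"|/xmlrpc\.php|rel="alternate" type="application/rss[+]xml"' \
    | sed -e 's/.*generator.*/generator meta tag/' \
          -e 's/.*EditURI.*/RSD link (EditURI)/' \
          -e 's/.*wlwmanifest.*/Windows Live Writer manifest/' \
          -e 's/.*shortlink.*/shortlink/' \
          -e 's/.*xmlrpc.*/xmlrpc.php reference/' \
          -e 's/.*rss.*/feed link/' \
    | LC_ALL=C sort -u
}

# Stand-alone demo: lists all six fingerprint classes found in the constructed head.
printf '%s\n' "$SAMPLE_HEAD_BEFORE" | wp_fingerprints
```

An empty result only covers the HTML head. The readme and license files from slide 25, the Server header (ServerSignature Off hides the footer on error pages, ServerTokens Prod trims the header) and the ?ver= strings on core assets are separate checks.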
31. THANK YOU FOR YOUR ATTENTION
@MICHALKUBICEK
www.pronetmedia.cz
www.michalkubicek.cz
www.bezpecnostwebu.cz

