Hello, good evening all. I'm Lalith. I work at an IT company called Renosage Technologies. I work in PHP and open source technologies including WordPress, Magento, Yii and CodeIgniter, and I also have some exposure to Python and Java. Today I'm here to talk about WordPress security. Basically I will cover three things. Firstly, why we are talking about security: some statistics that show why security is important, why you need to secure your WordPress system. Second, some security tips: how you can improve the security of your WordPress. And then some recommended plugins that can help you in that process.

Before we talk about that, how many of you have experience in WordPress? Nice, I think everybody knows about this. So millions of websites are running on WordPress, and many of us think that WordPress is not secure, and sometimes when we start a new project we try to avoid WordPress, but actually it provides so much flexibility and fast development that we cannot. So we cannot say WordPress is not secure. It's about the way we are using it, how we are developing our code; that's also important.

Here are some statistics. The first is from wpscan.org; they also provide an open source vulnerability database. They list more than 4,000 recognized vulnerabilities. More than 54% are from WordPress plugins, the ones that are mostly used; 31% are from WordPress core itself; and 14% are from WordPress themes, some popular themes that many websites are using. These are the totals recognized so far, but most of them are resolved in new versions or updates. If we talk about the types of vulnerability, you can see the most common are XSS, cross-site scripting, and SQL injection.
39% of vulnerabilities are cross-site scripting. You know about cross-site scripting: it enables hackers to reveal the information of another user. For example, some form is being submitted and they submit malicious code, and if you are not validating the input but directly showing it in browsers, then when that code executes for some user it can steal cookies and send them to another server. So that is the most common vulnerability; you can see it is 84% over the internet, the main cause of vulnerabilities of this type.

Here you can see the top 10 most vulnerable plugins. You can see some common names like NextGEN Gallery, which you mostly use; some are commercial; and one, you may know, is a security plugin itself, and it is also vulnerable. So that's the thing we need to see. Here are the top 10 most popular WordPress themes. Many are hosted on, or you can buy them from, ThemeForest, and they have a number of vulnerabilities, but I think only three vulnerabilities cover most of all those themes. Some famous ones are in focus, as you can see. I picked this data from wpscan.org. So in summary, there are threats you need to see, and you have to resolve them. So how can we do that?

Here are some tips that can help you secure your WordPress setup and save your customers' important data. The main concept, the first thing, is: update, update, update. You have to update: if you are updating your WordPress, if you are updating the plugins which you are using, if you are updating your themes whenever there is a new version available, it's best, because as soon as a new vulnerability is recognized, the community behind WordPress releases new versions with the fixes, and the plugin makers release a new update with those fixes. So update as much as possible; that is the best thing. Second, if you are starting a new project and starting to create a new theme, always create a child theme of the latest theme.
I think two or three themes are available when you set up a new WordPress. I generally use Twenty Eleven, I think, to copy and make a child theme, and then start our theme implementation. Second, if you are doing some customization in installed plugins, always use hooks; do not directly write code in the plugin, because that makes it hard to update, as on update you have to take care of those changes. So always use hooks when doing customization in your plugins. And no excuses: we have to update.

Next is secret keys. In wp-config.php you can write these different kinds of keys, and these keys actually do some encryption on the data saved in the client browser, including cookies. So it makes it hard to steal those cookies and decrypt them, because only these keys can encrypt or decrypt the cookies saved on the browser side. If you change these keys, browsers usually automatically log out. WordPress itself provides a generator for these keys: you can just open this URL, api.wordpress.org/secret-key/1.1, and you can see directly the same code as this. These constants are defined there; you just copy-paste them and replace them in your wp-config.php, that's it. And you must do that. I think from WordPress 3.0 onward they are actually doing this for you; before WordPress 3.0, in 2.0, we had to do it manually.

Next, we should not use admin as a username, because millions of installations are there and everybody is using admin. So if your site is malicious, if your site can be threatened by SQL injection, anybody knows admin, so they can write "where username is admin". That can break your security. So change the name admin. You can change it directly in the database, or you can create another user with a different name, give the admin credentials to that user, and delete the admin account that comes by default. You can do that also, but never use admin. Second, change the admin path, because admin is for you, the site owner, not for the public.
So you should change the path of admin. Generally it comes as yourdomain.com/wp-admin. If everybody knows the path, they can post username and password, they can do a brute force attack too by getting some usernames and passwords. So instead of that, change it and give it a name only you know. For example you can give the name secret-folder. Here is the way you can do that. You just need to add some configuration in wp-config.php: you write WP_ADMIN_DIR and the secret folder, and you just pass the admin cookie path. You can give it just "/" for the root, or any other path in your WordPress setup. Then in functions.php you have to write this method, add_filter. It basically rewrites the admin URL and will open the secret folder. You can actually give the secret folder any name; it is your name. With this you also need to make a change in the .htaccess file, so that if someone is writing secret-folder in the URL, this request should be served by wp-admin internally. And we can also add one more method there in functions.php so that if someone is trying to directly access wp-admin, it redirects to 404 or some other page. You can do that also. So the new URL will be secret-folder.

You also need to focus on file permissions. All the files in the WordPress setup should be 644. 644 means, you can see, read-write: 644 means read-write for the owner and 4 for the group and others, and folder permissions should be 644, meaning owner read-write-execute. And if you are uploading something, if you are allowing uploads, you need to give 775 to the upload folder. Maybe sometimes 7777 is also needed; I generally do 7777 for the upload folders. So you need to check that no other files have access greater than 644, and 7544 for folders. The wp-content directory you need to... and wp-config.php you can move to the parent directory or some other place.
By default, if WordPress does not find the config file in the root of WordPress, it looks for it in the parent directory. So even though there is a public folder with a WordPress folder inside, you can put wp-config.php in the upper folder, meaning outside the public folder, and it will still be accessible by WordPress core.

You can also force the use of SSL. First you have to have SSL; you have to purchase that. If you are using SSL then you can force it in the WordPress settings, so that the front end login is only on SSL, and for the back end you can just define this constant in the config file, and the admin pages and login will all be accessible by SSL only. An HTTPS URL needs to be there.

This is another thing you can do if you have only one admin and he has a static IP, or only people from one organization want to use it: writing this in .htaccess will allow access to admin only from this particular IP (the one beginning 67). You can add multiple IPs here. This is very restrictive, I think; only on a case-by-case basis if we need that.

And change the WordPress table prefix. When you are installing, it asks you to enter the prefix of the WordPress database; at that time you should change it, as by default it is wp_. If you forgot at that time, later also you can do it in the settings, but you have to be sure that you didn't add any other tables; you need to take care of that.

And the last thing: many points, when we talk about security, are not fixed or listed somewhere; many points we need to think about, like: use only trusted themes and plugins. You can see the comments written on the WordPress plugins when you are downloading that plugin, and when you are downloading or purchasing a theme from ThemeForest, see the comments, see some remarks on that. And when you are accessing it on any computer, that computer should be free from viruses; antivirus should be there, otherwise some malicious code can be generated. Use a strong password, regularly change your admin password, and limit
the number of admin accounts; do not use admin. So these were some top points where you can focus to improve your WordPress security, which we definitely have to do for our customers' sake.

And here are some plugins. I just mentioned only two plugins; there are many plugins which you can go and download. They do different jobs: they scan your WordPress setup and give you the list of vulnerabilities, like if there is some file permission issue, database password issue, or some malicious code, malware code, they find in any file, they can tell you, and then you can take the needed action on that. The first plugin is the Login LockDown plugin. It's a free plugin you can download, and it helps to reduce brute force attacks. If within the same IP range, within the same IP, one user is trying to post username and password within a time frame, there is a setting like max login retries, so if there is a certain number of failed attempts it just blocks that IP and does not allow login. So this is helpful. The next is the Secure WordPress plugin; it is from the Acunetix company, and it basically scans your WordPress setup and tells you the things which you can improve, including passwords, if there is a weak password; file permissions, if file permissions are not correct; database security related things; and also version hiding. This is also important. Version hiding: by default all the themes and plugins expose the WordPress version, and WordPress versions relate to the known vulnerabilities, so your WordPress should not disclose the WordPress version. This is one way of hiding from attackers, who can try the known vulnerabilities on our system. So it helps you to take the needed action. Basically there are many other plugins, like BulletProof plugins are also there, and the Sucuri company also has a plugin. They do backups also, they do regular backups and send you notifications on email, and they can store the WordPress database or file structure to Dropbox or some other place; they can
store the data as per your needs. So you can try those plugins also, because when your site is corrupted or hacked you need to go to the database backup and the file structure backup. So this is all, just a brief talk on the things you have to focus on; you should focus and think about WordPress security and make your customers' WordPress more secure. That's it, thank you. Any questions?

Audience: Yeah, you were talking about file permissions, so do you have a recommendation which should be writable from outside?

Lalith: Writable is just when you are allowing, from the user's point of view...

Audience: Yeah, I know.

Lalith: Oh yeah, I wrote, yes sure. Yeah, I wrote that all the files in the WordPress setup should be 644 and all the folders should be 755, except when you are having an upload folder, when you are allowing uploads of files or images.

Audience: Which folder is that?

Lalith: In the content folder generally you have it, or on the root of WordPress you have it when you are developing a plugin, like you have a gallery plugin and you are allowing users to upload to the gallery, for those folders.

Audience: Yeah, you might, I think you might want to add to it, at least for Apache web servers: most of your PHP code files and folders should be owned by root.

Lalith: Yes.

Audience: And then those folders where WordPress is actually writing to, like let's say a files folder, that would be set to an owner as Apache.

Lalith: Yeah, but it is a user, so all the files should be Apache... Sorry. Yeah, there's an Apache user also on the server. So I think if you set the upload folder permission to the Apache user only then it will work.

Audience: No, I'm saying like the document root for your website should be all root.

Lalith: Yes.

Audience: So that if Apache gets compromised, then, you know, the hacker can't go through an Apache process to, you know, the files, let's say the PHP files, because the PHP files are owned by root.

Lalith: So you are recommending to use only root, not Apache. So most of your PHP files will not be written by the Apache server, right? It's only for read purposes.

Audience: Yes. So you said, let's say your index.php file, whatever PHP files, all to be owned by root. Okay, and then somewhere in your WordPress folder you'll have a folder where people can upload images, things of that sort; that particular folder would be owned by Apache, because then Apache can write to it.

Lalith: Yes, okay, good, I got your point, and it's a very important point. We can set that, just in case someone somehow hacks the Apache process, then the Apache process, which is run by the Apache user, can't, you can't work for... Sorry, yeah, I mean...

Audience: Well, I mean presumably the host provider would...

Lalith: Thank you.
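A file-permission audit, added here as an example (it is not code from the talk or from any of the plugins mentioned), that checks the 644-for-files / 755-for-folders convention from the talk and the Q&A, treats the uploads directory as the one writable exception, and lists anything the web-server user owns outside it, as the audience member suggested. The demo tree it builds is constructed; the default uploads path wp-content/uploads and the `--demo` flag are assumptions.

```shell
#!/bin/sh
# Audit a WordPress document root against the 644 (files) / 755 (directories)
# convention from the talk. The uploads directory is the one place that may be
# writable by the web server, so it is pruned from the mode check.
# Added example; wp-content/uploads as the default uploads path is an assumption.

audit_wp_perms() {
  root=$1
  uploads=${2:-$root/wp-content/uploads}
  # Files outside uploads whose mode is not exactly 644
  find "$root" -mindepth 1 -path "$uploads" -prune -o -type f ! -perm 644 -print
  # Directories outside uploads whose mode is not exactly 755
  find "$root" -mindepth 1 -path "$uploads" -prune -o -type d ! -perm 755 -print
}

# Number of offending paths; 0 means the tree matches the convention.
count_perm_violations() {
  audit_wp_perms "$1" "$2" | wc -l | tr -d ' '
}

# Q&A point: only the uploads tree should belong to the web-server user
# (e.g. apache or www-data); anything else it owns deserves a look.
web_user_owned_outside_uploads() {
  root=$1; webuser=$2; uploads=${3:-$root/wp-content/uploads}
  find "$root" -mindepth 1 -path "$uploads" -prune -o -user "$webuser" -print
}

# Build a small constructed WordPress-like tree so the audit can run offline.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/uploads/2012"
  printf '<?php\n' > "$d/index.php"
  printf '<?php\n' > "$d/wp-config.php"
  printf 'jpeg' > "$d/wp-content/uploads/2012/photo.jpg"
  chmod 755 "$d/wp-content" "$d/wp-content/uploads"
  chmod 644 "$d/index.php"
  chmod 666 "$d/wp-config.php"              # violation: world-writable file
  chmod 777 "$d/wp-admin"                   # violation: world-writable dir
  chmod 777 "$d/wp-content/uploads/2012"    # allowed: inside uploads
  printf '%s' "$d"
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo_tree)
  echo "Offending paths under $demo:"
  audit_wp_perms "$demo"
  echo "Total: $(count_perm_violations "$demo")"
  rm -rf "$demo"
fi
```

Run it with `--demo` to see the two constructed violations, or call `audit_wp_perms /path/to/wordpress` on a real install.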