Top 10 WordPress Security Mistakes

Описание: A quick video about basic Linux security. We'll be covering basic web hosting security: the most common misconfigurations and security holes (from a System Administrator's perspective) in WordPress sites.

These security tips apply to Joomla, Magento, and other content management systems as well. I'll show you how to fix the most glaring issues, which prevent a huge percentage of the security compromises I see every day.

Core Application
incorrect file/dir permissions
-777 -- should be 775 for dirs, 644 for files except in SPECIAL cases

http://stackoverflow.com/questions/37...

http://serverfault.com/questions/3571...


running sites as root
-dave:www-data instead -- group (web server) has read, OWNER IS THE ONLY ONE WHO CAN WRITE


shared PHP/user between sites
-most hosting companies use shared hosting
-if you have one site or 23 sites, they're all running under ONE user and ONE PHP process.
-one infected site means that everything is at risk, since that site can write to other sites (and thereby cross-infect them)



web user has a shell (instead of /bin/false)
-grep www /etc/passwd -- /sbin/nologin good, /bin/bash == BAAAD


ssh with passwd login, root login enabled
-no root login from iNet.
-no password based logins. Period.

weak FTP/hosting/DNS passwords
-hosting companies that expose FTP -- scary


Administration
people don't update their CMS installations and plugins
people run huge amounts of plugins

3rd-party
badly engineered plugins/themes/etc.
vulnerable 'custom' code -- uploaders with no authentication, etc.
malvertising

#########################
Full Linux Sysadmin Basics Playlist:    • The Linux Basics Course: Beginner to Sysad...  

Check out my project-based Linux System Administration course (free sample videos): https://www.udemy.com/hands-on-linux-...

Patreon:   / tutorialinux  
Official Site: https://tutorialinux.com/
Twitter:   / tutorialinux  
Facebook:   / tutorialinux