WordPress Security Presentation from South Florida WordPress Meetup

This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

Published in: Technology, Business
  2. How to HackProof Your WordPress Site
     WordPress Security
     South Florida WordPress MeetUp
  3. I'm @JohnCarcutt
     SEO Manager at MediaWhiz, www.MediaWhiz.com
     Co-Host of SEO 101, www.WebmasterRadio.fm/SEO-101/, Mondays 5PM EST, or listen on Apple iTunes anytime
     Long Time WordPress Evangelist
     Tons of this presentation was stolen from Brad Williams, who gave a great presentation at WordCamp NYC
  5. Tonight
     Link Injections
     Basic WordPress Security
     Security Based Plug-ins
  6. "Hackproof"
     This is impossible.
     Seriously… it's IMPOSSIBLE!
     Hackers are lazy.
     Make yourself a hard target.
     They will move on to someone else.
  7. Link Injection
     Hacker bots look for known exploits (SQL injection, folder permissions, etc.).
     This allows them to insert spam files/links.
     Your WordPress themes, plugins, and core files are the target.
  8. Link Injection
     Hosting account contains two separate sites: WordPress and WordPress MU
  9. Link Injection
     Hacker puts a file on the WPMU install
  10. Link Injection
     WPMU file hacks the WordPress install
     Installs spam links into files
  11. Link Injection
     WPMU shows no spam, appears clean
     Cleaning WP results in recurring injections
  12. Link Injection
  13. Link Injection
     What does this do to your site?
     Part of a "Link Farm"
     Loss of trust and authority
     Reduced PageRank
     Lost rankings
     Showing up for non-relevant terms (Viagra)
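A defender-side check for the recurring injections described in slides 7 to 13, added here and not part of the presentation: a POSIX shell scanner that lists files under a WordPress tree carrying hidden-link or eval()-of-encoded-payload patterns, run against a constructed sample tree standing in for the two neighbouring installs (the patterns, paths and sample contents are assumptions; extend them per incident).

```sh
#!/bin/sh
# Added example, not from the presentation: scan a WordPress tree for files that
# carry the usual marks of a link injection, so a cleanup covers every install in
# the hosting account (the slides show the spam re-appearing from the neighbouring
# WPMU copy). The patterns are constructed here; extend them per incident.

scan_injected_links() {
    dir="$1"
    # Hidden link blocks and eval()'d encoded payloads are the common carriers.
    pattern='display: *none[^>]*>[^<]*<a |eval *\( *(base64_decode|gzinflate) *\('
    # /dev/null keeps grep from reading stdin when find hands it no files.
    find "$dir" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -liE "$pattern" /dev/null {} + | sort
}

# Constructed sample tree: a clean template, a template with a hidden spam link,
# and a plugin file with an obfuscated loader (the payload here is a dummy string).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/plugins/demo"
    printf '<?php get_header(); ?>\n<p>Hello</p>\n' > "$root/wp-content/themes/demo/index.php"
    printf '<div style="display:none"><a href="http://spam.example/">cheap pills</a></div>\n' \
        > "$root/wp-content/themes/demo/footer.php"
    printf '<?php eval(base64_decode("ZHVtbXk=")); ?>\n' > "$root/wp-content/plugins/demo/loader.php"
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample, list the flagged files, clean up.
demo=$(make_sample_tree)
scan_injected_links "$demo"
rm -rf "$demo"
```

Point it at every install in the account, not only the one showing spam; the slides' point is that the clean-looking WPMU copy is where the re-infecting file lives.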
  14. Basic WP Security
     Are you using the default "Admin" account?
  15. Basic WP Security
  16. Basic WP Security
     DON'T USE "ADMIN"
     Create a unique user account
     Assign it the Administrator role
     Log out, log back in with the new Administrator account
     Delete the original "Admin" account
  17. Basic WP Security
     Use of "Permissions"
     Permissions tell the server who is allowed to access a file and what they can do with the file once they access it.
     Owner, Group, Public
     Read, Write, Execute
  18. Basic WP Security
     Use of "Permissions"
     Good rule of thumb:
       Files should be set to 644
       Folders should be set to 755
     Permission levels vary depending on server configuration
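To check the 644/755 rule of thumb from slide 18 across a whole install, an added shell audit (not the presentation's own material) that reports deviations and flags world-writable entries; the sample tree it builds is constructed, and apply_wp_perms is kept separate because, as the slide notes, the right modes vary by host.

```sh
#!/bin/sh
# Added example, not from the presentation: report every directory that is not
# 755 and every file that is not 644 under a WordPress root (the slide's rule of
# thumb). World-writable entries are flagged separately because those are the
# ones any dropped script can edit. audit_wp_perms only reports; apply_wp_perms
# changes modes, so run it only after the report looks right for your host.

audit_wp_perms() {
    root="$1"
    find "$root" \( -type f -o -type d \) -perm -002 | sed 's|^|WORLD-WRITABLE |'
    find "$root" -type d ! -perm 755 | sed 's|^|DIR-NOT-755 |'
    find "$root" -type f ! -perm 644 | sed 's|^|FILE-NOT-644 |'
}

apply_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Constructed sample: a correct core file, a world-writable uploads directory
# (what a lazy "chmod 777 so uploads work" leaves behind) and a 666 theme file.
make_perm_sample() {
    root=$(mktemp -d) && chmod 755 "$root"
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/demo"
    chmod 755 "$root/wp-content" "$root/wp-content/themes" "$root/wp-content/themes/demo"
    printf '<?php\n' > "$root/index.php" && chmod 644 "$root/index.php"
    printf '/* css */\n' > "$root/wp-content/themes/demo/style.css"
    chmod 666 "$root/wp-content/themes/demo/style.css"
    chmod 777 "$root/wp-content/uploads"
    printf '%s\n' "$root"
}

# Stand-alone run: show the report, fix, and confirm nothing is left.
sample=$(make_perm_sample)
audit_wp_perms "$sample"
apply_wp_perms "$sample"
echo "after fix: $(audit_wp_perms "$sample" | wc -l | tr -d ' ') findings"
rm -rf "$sample"
```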
  19. Basic WP Security
     Move the wp-config.php file
     WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root.
     WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
  20. Basic WP Security
     Move the wp-config.php file
     This makes it nearly impossible for anyone to access your wp-config.php.
     If WordPress is located here:
       public_html/wordpress/wp-config.php
     You can move your wp-config.php file to here:
       public_html/wp-config.php
  21. Basic WP Security
     Move the wp-content Directory
     WordPress 2.6 added the ability to move the wp-content directory to the location of your choice.
     If hackers can't find your wp-content folder, they can't hack it.
  22. Basic WP Security
     Move the wp-content Directory
     1. Move your wp-content directory
     2. Make two additions to wp-config.php:
       define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
       define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
     If you have compatibility issues with plugins, there are two optional settings:
       define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
       define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
  23. Basic WP Security
     Remove WordPress Version from the Header
     Viewing source on most WP sites will reveal the version they are running:
       <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
     This helps hackers find vulnerable WP blogs running older versions.
     To remove it, find the code below in the header.php file of your theme and remove it:
       <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
       <!-- leave this for stats please -->
  24. Basic WP Security
     Remove WordPress Version from the Header
     The wp_head function also includes the WP version in your header.
     To remove it, drop this line of code in your theme's functions.php file:
       remove_action('wp_head', 'wp_generator');
     Themes and plugins might also display versions in your header.
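To confirm that both removals from slides 23 and 24 actually took effect in a theme, an added shell check that is not from the presentation: it greps the theme's templates for a generator meta tag and functions.php for the remove_action() line, against constructed "leaky" and "fixed" sample themes (the file layout and sample contents are assumptions).

```sh
#!/bin/sh
# Added example, not from the presentation: audit a theme directory for the two
# version leaks the slides describe, the generator <meta> tag hard-coded in a
# template and the wp_head generator hook that functions.php should remove.
# Prints each leak found; the return value is the number of leaks (0 = clean).

check_theme_version_leak() {
    theme="$1"
    leaks=0
    # 1. Any template still printing <meta name="generator" ...>, whether the
    #    version is static or comes from bloginfo('version').
    #    (Word-splitting the find output assumes no whitespace in theme paths.)
    for f in $(find "$theme" -name '*.php' -exec grep -liE 'name="generator"' /dev/null {} +); do
        printf 'LEAK: %s prints a generator meta tag\n' "$f"
        leaks=$((leaks + 1))
    done
    # 2. functions.php must carry remove_action('wp_head', 'wp_generator');
    hook="remove_action\( *['\"]wp_head['\"] *, *['\"]wp_generator['\"] *\)"
    if ! grep -qE "$hook" "$theme/functions.php" 2>/dev/null; then
        printf 'LEAK: %s/functions.php does not remove the wp_generator action\n' "$theme"
        leaks=$((leaks + 1))
    fi
    return "$leaks"
}

# Constructed sample themes: "leaky" has both problems, anything else has neither.
make_theme_sample() {
    t=$(mktemp -d)
    if [ "$1" = leaky ]; then
        printf '<meta name="generator" content="WordPress <?php bloginfo(%s); ?>" />\n' "'version'" > "$t/header.php"
        printf '<?php\n// nothing removed here\n' > "$t/functions.php"
    else
        printf '<?php wp_head(); ?>\n' > "$t/header.php"
        printf "<?php\nremove_action('wp_head', 'wp_generator');\n" > "$t/functions.php"
    fi
    printf '%s\n' "$t"
}

# Stand-alone run: audit a leaky sample, report the count, clean up.
sample=$(make_theme_sample leaky)
check_theme_version_leak "$sample" || echo "$? leak(s) found"
rm -rf "$sample"
```

Plugins can add their own generator output, as slide 24 notes, so after the theme passes, still view the rendered page source once.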
  25. Basic WP Security
     Use Secure Passwords
     Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
     BAD PASSWORD: johnrocks
     GOOD PASSWORD: S-gnop2D[6@8
     WordPress will tell you when you have it right
  26. Basic WP Security
     Are you using the same password in multiple places?
  27. Basic WP Security
  28. Basic WP Security
     Change WordPress Table Prefix
     Edit wp-config.php before installing WordPress.
     Change the prefix wp_ to something unique:
       /**
        * WordPress Database Table prefix.
        *
        * You can have multiple installations in one database if you give each a unique
        * prefix. Only numbers, letters, and underscores please!
        */
       $table_prefix = 'zztop_';
     All database tables will now have a unique prefix (i.e. zztop_posts)
  29. Basic WP Security
     Other Advanced Security Techniques
     Force SSL login for administrators
     Lock down admin via .htaccess
     Use secret keys with passwords
  30. Basic WP Security
     Recommended Security Plugins: WP Security Scan
     http://wordpress.org/extend/plugins/wp-security-scan/
  31. Basic WP Security
     Recommended Security Plugins: WP Exploit Scanner
     http://wordpress.org/extend/plugins/exploit-scanner/
  33. Basic WP Security
     Recommended Security Plugins: WordPress File Monitor
     http://wordpress.org/extend/plugins/wordpress-file-monitor/
  34. Basic WP Security
     Recommended Security Plugins: Login Lockdown
     http://wordpress.org/extend/plugins/login-lockdown/
  35. Basic WP Security
     WordPress Security Resources
     Security Related Codex Articles
       http://codex.wordpress.org/Hardening_WordPress
       http://codex.wordpress.org/Changing_File_Permissions
       http://codex.wordpress.org/Editing_wp-config.php
       http://codex.wordpress.org/htaccess_for_subdirectories
     Blog Security Articles
       http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
       http://www.growmap.com/wordpress-exploits/
       http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
       http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
       http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
       http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
       http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
  36. South Florida WordPress MeetUp
     I'm @JohnCarcutt
     Questions?
     Credit where credit is due…
     Tons of this presentation was stolen from Brad Williams, who gave a great presentation at WordCamp NYC