WordPress Security Presentation from South Florida WordPress Meetup

This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

  • Very good. Now I need to implement it!
    www.jeschke.com
  • security.
  • Damn! You got this on the front page of SlideShare like 5 minutes after you submitted it.

    Damn, you know what you're doing with this social media stuff! When are we going to see a presentation of THAT!
  • Nice job, John. Very informative...
  • Watch the entire Presentation here:

    http://wordpressflorida.com/blog/dec-9th-2009-wordpress-security-hack-proof-your-wp-site/
Transcript

  • 2. How to HackProof Your WordPress Site
    WordPress Security
    South Florida WordPress MeetUp
  • 3. I’m @JohnCarcutt
    SEO Manager at MediaWhiz www.MediaWhiz.com
    Co-Host of SEO 101 www.WebmasterRadio.fm/SEO-101/ Mondays 5PM EST or listen on Apple iTunes anytime
    Long Time WordPress Evangelist
  • 4. Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC
  • 5. Tonight
    Link Injections
    Basic WordPress Security
    Security Based Plug-ins
  • 6. “Hackproof”
    This is impossible.
    Seriously… it’s IMPOSSIBLE!
    Hackers are Lazy.
    Make yourself a hard target.
    They will move on to someone else.
  • 7. Link Injection
    Hacker bots look for known exploits (SQL injection, folder permissions, etc.).
    This allows them to insert spam files/links.
    Your WordPress themes, plugins, and core files are the target.
  • 8. Link Injection
    Hosting account contains two separate sites (diagram: WordPress and WordPress MU)
  • 9. Link Injection
    Hacker puts a file on WPMU install
  • 10. Link Injection
    WPMU file hacks WordPress install
    Installs spam links into files
  • 11. Link Injection
    WPMU Shows No Spam, Appears Clean
    Cleaning WP Results in Recurring Injections
  • 12. Link Injection
  • 13. Link Injection
    What does this do to your site?
    Part of a “Link Farm”
    Loss of Trust and Authority
    Reduced Page Rank
    Lost Rankings
    Showing up for non-relevant terms (Viagra)
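An added example, not from the presentation, that turns slides 8 to 13 into a check: a Python scan that looks for spam-injection patterns in every site under one hosting account, so the neighbouring install that "appears clean" is inspected alongside the one showing spam. The pattern list, directory layout, file contents and the spam.example domain are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed indicators of injected spam content in theme/plugin/core files.
# Tune this list for your own installs; it is illustrative, not exhaustive.
SPAM_PATTERNS = [
    re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I),                    # hidden link block
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),                     # obfuscated loader
    re.compile(r"<a\s[^>]*href=[\"']https?://[^\"']*(viagra|casino)", re.I),  # spam anchor
]

def scan_install(root):
    """Return {relative_path: [matched pattern indexes]} for one WordPress tree."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in (".php", ".html", ".js"):
            continue
        text = path.read_text(errors="ignore")
        matched = [i for i, pat in enumerate(SPAM_PATTERNS) if pat.search(text)]
        if matched:
            hits[str(path.relative_to(root))] = matched
    return hits

def scan_account(account_root):
    """Scan every site under the hosting account. The talk's point is that the
    neighbouring install (WPMU) can look clean while holding the dropper, so
    cleaning only the site that shows spam lets the injection recur."""
    return {site: scan_install(os.path.join(account_root, site))
            for site in sorted(os.listdir(account_root))}

def demo():
    """Constructed two-site hosting account: WordPress (shows spam) and WPMU (dropper)."""
    acct = tempfile.mkdtemp()
    theme = Path(acct, "wordpress", "wp-content", "themes", "twentyten")
    mu = Path(acct, "wpmu", "wp-content", "mu-plugins")
    theme.mkdir(parents=True)
    mu.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>")  # clean file
    (theme / "footer.php").write_text(                        # injected hidden link
        '<div style="display:none"><a href="http://spam.example/viagra">buy</a></div>')
    (mu / "cache.php").write_text("<?php eval(base64_decode($payload)); ?>")  # loader stub
    return scan_account(acct)
```

Run it against the real account root and treat any hit on the "clean" site as the one to clean first, since that is where the recurring injections come from.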
  • 14. Basic WP Security
    Are you using the default “Admin” account?
  • 15. Basic WP Security
  • 16. Basic WP Security
    DON’T USE “ADMIN”
    Create a Unique User Account
    Assign it the Administrator Role
    Log Out, Log Back in with new Administrator Account
    Delete Original “Admin” Account
  • 17. Basic WP Security
    Use of “Permissions”
    Permissions tell the server who is allowed to access a file and what they can do with the file once they access it.
    Owner, Group, Public
    Read, Write, Execute
  • 18. Basic WP Security
    Use of “Permissions”
    Good Rule of Thumb:
    Files should be set to 644
    Folders should be set to 755
    Permission levels vary depending on server configuration
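An added example, not from the presentation, that audits a WordPress tree against the 644/755 rule of thumb from slides 17 and 18 and lists world-writable entries first, since those are what a bot probing folder permissions can abuse. The directory layout and the deliberate deviations are constructed; on hosts where the expected modes differ, pass your own values.

```python
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o644   # rule of thumb from the talk
DIR_MODE = 0o755

def audit_permissions(root, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Walk a WordPress tree and return (relative_path, actual_mode, expected_mode)
    for every entry whose mode differs from the rule of thumb.
    World-writable entries are sorted first, the rest alphabetically."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        expected = dir_mode if path.is_dir() else file_mode
        if mode != expected:
            findings.append((str(path.relative_to(root)), mode, expected))
    findings.sort(key=lambda f: (not (f[1] & stat.S_IWOTH), f[0]))
    return findings

def as_octal(findings):
    """Render findings the way chmod users read them, e.g. ('wp-config.php', '600', '644')."""
    return [(p, format(m, "o"), format(e, "o")) for p, m, e in findings]

def demo():
    """Constructed WordPress tree with a few deliberate deviations."""
    root = tempfile.mkdtemp()
    for d in ("wp-admin", "wp-content/uploads", "wp-content/plugins/cache"):
        Path(root, d).mkdir(parents=True)
    for f in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg",
              "wp-content/plugins/cache/cache.php"):
        Path(root, f).write_text("")
    for p in Path(root).rglob("*"):          # normalise first, independent of umask
        p.chmod(DIR_MODE if p.is_dir() else FILE_MODE)
    Path(root, "wp-content/uploads").chmod(0o777)                  # world-writable directory
    Path(root, "wp-content/plugins/cache/cache.php").chmod(0o666)  # world-writable file
    Path(root, "wp-config.php").chmod(0o600)  # stricter than the rule; reported, not necessarily wrong
    return as_octal(audit_permissions(root))
```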
  • 19. Basic WP Security
    Move the wp-config.php file
    WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
    WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
  • 20. Basic WP Security
    Move the wp-config.php file
    This makes it nearly impossible for anyone to access your wp-config.php
    If WordPress is located here:
    public_html/wordpress/wp-config.php
    You can move your wp-config.php file to here:
    public_html/wp-config.php
  • 21. Basic WP Security
    Move the wp-content Directory
    WordPress 2.6 added the ability to move the wp-content Directory to the location of your choice
    If hackers can’t find your wp-content folder, they can’t hack it.
  • 22. Basic WP Security
    Move the wp-content Directory
    1. Move your wp-content directory
    2. Make two additions to wp-config.php
    define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
    define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
    If you have compatibility issues with plugins there are two optional settings:
    define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
    define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
  • 23. Basic WP Security
    Remove WordPress Version from the Header
    Viewing source on most WP sites will reveal the version they are running:
    <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
    This helps hackers find vulnerable WP blogs running older versions.
    To remove it, find the code below in the header.php file of your theme and delete it:
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    <!-- leave this for stats please -->
  • 24. Basic WP Security
    Remove WordPress Version from the Header
    The wp_head function also includes the WP version in your header.
    To remove it, drop this line of code into your theme's functions.php file:
    remove_action('wp_head', 'wp_generator');
    Themes and plugins might also display versions in your header.
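An added check, not from the presentation, for verifying slides 23 and 24 on a live page: it parses the markup and reports the generator meta tag plus any ?ver= query strings on enqueued scripts and styles, which is where core, themes and plugins still leave version numbers after the meta tag is gone. The sample HTML is constructed; domain.com is the placeholder the slides use.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class VersionLeakParser(HTMLParser):
    """Collect version information a WordPress page gives away in its markup."""
    def __init__(self):
        super().__init__()
        self.generator = None   # content of <meta name="generator">
        self.ver_params = []    # (asset url, ver value) for assets carrying ?ver=

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href") or ""
            ver = parse_qs(urlparse(url).query).get("ver")
            if ver:
                self.ver_params.append((url, ver[0]))

def disclosed_versions(html):
    """Return {'generator': str|None, 'ver_params': [(url, ver), ...]} for a page."""
    p = VersionLeakParser()
    p.feed(html)
    return {"generator": p.generator, "ver_params": p.ver_params}

# Constructed sample: a default header before the fix from the slides.
BEFORE = """<head>
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
<script type="text/javascript" src="http://domain.com/wp-includes/js/jquery.js?ver=1.3.2"></script>
<link rel="stylesheet" href="http://domain.com/wp-content/themes/mytheme/style.css?ver=2.8" />
</head>"""
# Same header after removing the meta tag and the wp_generator action: the
# stylesheet's ?ver=2.8 still reveals the core version, which is the caveat above.
AFTER = """<head>
<script type="text/javascript" src="http://domain.com/wp-includes/js/jquery.js?ver=1.3.2"></script>
<link rel="stylesheet" href="http://domain.com/wp-content/themes/mytheme/style.css?ver=2.8" />
</head>"""
```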
  • 25. Basic WP Security
    Use Secure Passwords
    Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
    BAD PASSWORD: johnrocks
    GOOD PASSWORD: S-gnop2D[6@8
    WordPress will tell you when you have it right
  • 26. Basic WP Security
    Are you using the same password in multiple places?
  • 27. Basic WP Security
  • 28. Basic WP Security
    Change WordPress Table Prefix
    Edit wp-config.php before installing WordPress
    Change the prefix wp_ to something unique
    /**
     * WordPress Database Table prefix.
     *
     * You can have multiple installations in one database if you give each a unique
     * prefix. Only numbers, letters, and underscores please!
     */
    $table_prefix = 'zztop_';
    All database tables will now have a unique prefix (i.e. zztop_posts)
  • 29. Basic WP Security
    Other Advanced Security Techniques
    Force SSL Login for Administrators
    Lockdown Admin via .htaccess
    Use Secret Keys with Passwords
  • 30. Basic WP Security
    Recommended Security Plugins
    WP Security Scan
    http://wordpress.org/extend/plugins/wp-security-scan/
  • 31. Basic WP Security
    Recommended Security Plugins
    WP Exploit Scanner
    http://wordpress.org/extend/plugins/exploit-scanner/
  • 33. Basic WP Security
    Recommended Security Plugins
    WordPress File Monitor
    http://wordpress.org/extend/plugins/wordpress-file-monitor/
  • 34. Basic WP Security
    Recommended Security Plugins
    Login Lockdown
    http://wordpress.org/extend/plugins/login-lockdown/
  • 35. Basic WP Security
    WordPress Security Resources
    Security Related Codex Articles
    • http://codex.wordpress.org/Hardening_WordPress
    • http://codex.wordpress.org/Changing_File_Permissions
    • http://codex.wordpress.org/Editing_wp-config.php
    • http://codex.wordpress.org/htaccess_for_subdirectories
    Blog Security Articles
    • http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
    • http://www.growmap.com/wordpress-exploits/
    • http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
    • http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
    • http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
    • http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
    • http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
  • Questions?
    I’m @JohnCarcutt
    Credit Where Credit is Due…
    Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC