WordPress Security Essentials WordCamp Denver 2012

Common sense, simple security for WordPress. Many presentations have lots of complicated .htaccess tricks, moving/hiding files, etc. However, if people are overwhelmed with details, they tend to not do anything. If I were to summarize what you MUST do for security, I'd say:

1 - BACKUP - find a backup tool and use it. Subscribe to VaultPress.com or host your site with WPEngine.com or purchase BackupBuddy plugin and schedule regular backups. If you're short on cash, use BackWPUp plugin and download your wp-content folder.

2 - UPDATE - All plugins, themes, and WordPress at least once a month or whenever there is a security update. Sign up for an account at WordPress.org, so you'll get notices of WordPress security updates.

3 - DELETE - All unused plugins and themes. These are your biggest security risks. Delete all unused copies of WordPress you might have installed on your server.

4 - BE CAUTIOUS - Don't use plugins willy-nilly. Do some research. They are not all made the same, and a poorly written one will leave you vulnerable to hacking.

5 - PASSWORDS - Use strong, randomly generated passwords, all different, for everything - your hosting, FTP, WP login, and email. Use 1Password.com to track your passwords easily and securely.

6 - SECURITY PLUGINS - Run Firewall 2 and Limit Login Attempts. There are others, but I don't know how well they play with others and what things they modify. You can check out Bulletproof Security and Better WP Security.

7 - BEST PRACTICES - See the slideshow for some other best practices regarding users, comments, etc.

If you just do the above 6 things systematically, you'll be far ahead of your peers! Good luck!

Published in: Technology
1 Comment
  • Thank you, Mrs. Mul, for the example.. may ALLAH repay all of your kindness. Amen

WordPress Security Essentials WordCamp Denver 2012

  1. WORDPRESS SECURITY ESSENTIALS
     Presented at WordCamp Denver 2012 by Angela Bowman aka Ask WP Girl
  2. ABOUT ME
     - Hi! My name is Angela Bowman @askwpgirl
     - WordPress Instructor at Boulder Digital Arts
     - Started working with WordPress in 2007 – self taught, very painful
     - Eating fufu is fun!
     - Used to hold the myth of “After I build a site, my job is done.”
     - Common sense approach to security that isn’t overwhelming or super technical
  3. WHY DO WE NEED TO HAVE THIS TALK?
     - PHP and MySQL are inherently vulnerable – this is the stuff WordPress is made of.
     - What is MySQL? The database where all your content and settings are stored.
     - What is PHP? The scripting language that WordPress, themes, and plugins use to access your data and display it in the browser window.
     - Hackers exploit poor PHP coding (and other vulnerabilities) to inject content into your database and files via the browser URL and interface
  4. WHY ARE YOU VULNERABLE?
     - Because your site is on the Internet
     - Because it’s easy to exploit known vulnerabilities
     - Because we are human, NOT Vulcan
     - We live by our beliefs rather than logic (or don’t know what we don’t know)
     - We are going to talk about common mythology (beliefs) and counteract those with logic and a rational approach to security
  5. THE MYTHS WE LIVE BY
     Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.
  6. MYTH #1: WORDPRESS IS NOT SECURE
     - WordPress is not secure, so you should stay away from it!
     - WordPress is totally secure, so you don’t have to worry about it.
     REALITY
     - Both things are true!
     - Old versions of WordPress are NOT secure
     - Current WordPress version is secure
  7. MYTH #2: MY SITE ISN’T LAUNCHED YET, SO IT CAN’T BE HACKED
     - Hackers will attempt to exploit things that aren’t even on your site, such as plugins you don’t even have installed
     - If you have a website on a public web host, you have an Internet presence even if the pages of your site aren’t indexed by Google
     - You need to protect ALL installations of WordPress on your hosting account even if you don’t use them
  8. MYTH #3: I ONLY USE PLUGINS & THEMES FROM WORDPRESS.ORG, SO I’M SAFE
     - Plugins and themes are the #1 way hackers gain access to your site
     - While the WordPress CURRENT CORE is secure, plugins and themes are not. WordPress.org is safer but not a sure bet.
     - Why? From ProBlogger.com: “Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs.”
  9. MYTH #4: UPDATING MY THEMES AND PLUGINS WHENEVER I LOG IN IS GOOD ENOUGH
     - Exploits are published IMMEDIATELY to the web.
     - If you are running an outdated version of WordPress, theme, or plugin, you are immediately vulnerable to attack.
     - The TimThumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
     - If you don’t update your site’s code ASAP, you will be SOL.
  10. MYTH #5: MY SITE IS SMALL, SO IT’S NOT WORTH HACKING
     - From Devin’s WP Theming blog regarding the TimThumb hack: “… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.”
     - “And, word to the wise, your girlfriend’s food blog should always be a top priority.”
     http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
  11. MYTH #6: IF I DE-ACTIVATE A THEME OR PLUGIN, THERE IS NO RISK
     - De-activated themes and plugins are just as risky if they have vulnerable code.
     - Even the files of deactivated plugins and themes can be accessed via the Internet
  12. MYTH #7: IF MY SITE IS COMPROMISED, I’LL FIND OUT RIGHT AWAY!
     - Only if you use a site monitoring service or plugin (maybe)
     - Your site can be compromised months before you find out
     - Many hacks are invisible to visitors to the site and only visible to bots, so you may not know you’ve been hacked until your site is blacklisted
     - Some hacks redirect search engine traffic, so you won’t notice if you just go to a specific URL
     http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
  13. MYTH #8: I CAN USE A SECURITY PLUGIN AND THAT WILL COVER ME
     - Some security plugins can provide a layer of protection: Firewall 2, WordPress File Monitor, and Limit Login Attempts (as well as others)
     - Security plugins won’t help much if a hacker gains access to your online session, passwords, or sensitive files
     - Security plugins won’t help if the web hosting server is compromised
  14. MYTH #9: MY PASSWORDS ARE GOOD ENOUGH
     - A “sniffed” password of 8 characters or less can be decoded instantaneously
     - “Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”
     http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
  15. MYTH #10: IF MY SITE IS HACKED, MY WEB HOST CAN RESTORE IT FOR ME
     - If you discover the hack quickly enough, your web host may have a backup of the site made before the hack
     - Most hosts store one daily backup and one weekly backup
     - Your host may not be able to help you discover why you were hacked in the first place. You’ll end up restoring hackable files.
  17. SOME OPTIONS
     - Set up an altar to the WordPress Gods and do daily puja and offerings
     - Throw up your hands and cry
     - Drink another beer and try to forget
     - Delegate (hire a service to maintain your site), e.g. Regina Smola, WPSecurityLock.com
     - DIY using the following steps
  18. 1 – SECURE YOUR OWN COMPUTER
     - Why bother securing WordPress if you give the keys away?
     - Run anti-virus software regularly
     - Don’t log in via insecure or public WIFI networks
     - Use a Virtual Private Network when traveling
     - Secure your home WIFI network
     - Be careful of sites you click on. More than 55,000 malicious web domains existed in 2011.
  19. 2 – UPDATE TO CURRENT VERSIONS
     - Run a full backup using BackupBuddy OR the wp-db-backup plugin plus a manual FTP backup of all files OR a site snapshot (including database) at your web host
     - If your site hasn’t been updated in a LOOOOONG time:
       - Check plugins for compatibility
       - Check server PHP and MySQL versions
       - If you’re using a WP version less than 3.2, you might be on MySQL 4. You will need to export this database and import it into a new MySQL 5 database. http://www.realestatebloglab.com/restore-your-wordpress-database-from-mysql-4-to-mysql-5/
  20. 2 – UPDATE CONTINUED
     - Update plugins first, delete unused ones, and de-activate all the plugins (optional)
     - Update WordPress, then re-activate plugins one at a time, testing the site between each activation.
     - If the site crashes after activating a plugin, rename the plugins folder to plugins-old, access the dashboard, then delete the bad plugin via FTP, rename the folder back to plugins, and continue.
     http://codex.wordpress.org/Updating_WordPress
     http://codex.wordpress.org/Upgrading_WordPress_Extended
  21. 2 – UPDATE CONTINUED
     - Check site at sucuri.net
     - Read the changelog for your theme to see if security updates were made
     - Consider a new theme if your theme is outdated and isn’t being maintained. Delete unused themes except TwentyEleven.
     - Back up your theme before updating
     - Update your wp-config.php encryption cookie salts: http://tentblogger.com/salt-keys/
  22. 3 – RESET PWDS AND ADMIN NAME
     - If “admin” is the Administrative username, create a new admin user, log out, log in as the new user, delete the old “admin” user and assign its posts/pages to the new admin
     - Use a password generator to reset passwords for WordPress, FTP, hosting, and email:
       - Online Generator: http://www.pctools.com/guides/password/
       - RPG Dashboard Widget for Mac OS: http://www.apple.com/downloads/dashboard/networking_security/rpgwidgetedition_davidkreindler.html
     - Track Passwords: http://agilebits.com/products/1Password
  23. 4 – SET UP BACKUP SCHEDULE
     - Use a backup plugin or service:
       - Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php
       - WP DB Backup http://wordpress.org/extend/plugins/wp-db-backup/
       - WP Online Backup http://wordpress.org/extend/plugins/wponlinebackup/
       - Back WP Up http://wordpress.org/extend/plugins/backwpup/
       - VaultPress.com – Backup, one-click restore, and site monitoring
     - Back up as often as you don’t want to lose data:
       - Database – daily or weekly
       - Full Site – weekly or monthly
     - Store backups on a remote server (e.g. Amazon S3 account)
  24. 5 – INSTALL SECURITY PLUGINS
     - Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/ AND WordPress Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/ OR Bulletproof Security – http://wordpress.org/extend/plugins/bulletproof-security/
     - Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/
     - WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
     Use caution installing plugins. They don’t all play well with others.
  25. 6 – CREATE A MAINTENANCE PLAN
     - Plan to log in to all your sites at least once a month and update WordPress, plugins and themes
     - Consider using Infinite WP to manage multiple sites from a single control panel: http://infinitewp.com/
     - Follow @wpsecuritylock and @sucuri_security to stay current on the latest security threats
     - Update passwords and wp-config.php salts regularly
  26. 7 – BEST PRACTICES
     - Don’t allow users to register (Settings > General)
     - Always hold comments for moderation and use spam filtering (such as Akismet)
     - Don’t use your username as your Display Name
     - Use SFTP for file transfers and secure SMTP for email (ask your web host)
     - Rename the database table prefix when you first install WordPress, or later using a plugin - http://www.seoegghead.com/software/wordpress-table-rename.seo
  27. 7 – BEST PRACTICES CONTINUED
     - Host your site with a good web host who keeps software updated and doesn’t thwart your automatic backups
     - Use plugins with caution - recently updated, going concern.
     - Use themes with caution - Have a “relationship” with your theme developer so you know when he/she makes security updates
     - Submit sites to Google Webmaster Tools. In preferences, turn ON email notifications: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
  28. 8 – HARNESS POWER OF .HTACCESS
     - .htaccess is an invisible configuration file for Apache web servers
     - .htaccess can protect specific files and folders
     - Use caution! You can totally jack up your site with edits made to .htaccess
     http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
  29. 8 – .HTACCESS TRICKS
     In root .htaccess, add:

       # Prevent directory browsing
       Options All -Indexes

       # Protect wp-config.php
       <Files wp-config.php>
       order allow,deny
       deny from all
       </Files>

     Limit access to WordPress Dashboard: In the wp-admin folder, add an .htaccess file with the following, where the number below is your IP address. (Test to make sure it doesn’t interfere with any other plugins or Ajax functionality.)

       order deny,allow
       deny from all
       allow from 99.999.999.999

     Tip: You can also move the wp-config.php file up one level (just above the public_html folder). Be sure your backup plugin still runs okay after doing this.
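The same two protections in Apache 2.4 syntax, added here as an example and not taken from the slides: the order/deny/allow lines on the slide are Apache 2.2 directives that a 2.4 server only accepts when mod_access_compat is loaded, and the admin-ajax.php exception is the usual fix for the Ajax caveat the slide mentions. 203.0.113.5 is a documentation-range placeholder standing in for your own address.

```apache
# ---- root .htaccess (Apache 2.4) ----

# No directory listings for folders without an index file
Options -Indexes

# wp-config.php holds the database credentials and salts:
# refuse every web request for it (PHP still reads it from disk)
<Files "wp-config.php">
    Require all denied
</Files>

# ---- wp-admin/.htaccess (Apache 2.4) ----

# Only the listed client address may reach the dashboard.
# Placeholder: replace 203.0.113.5 with your own IP (a CIDR range
# such as 203.0.113.0/24 also works). If the site sits behind a
# proxy or CDN, Apache sees the proxy's address instead, so test
# this from a second device before relying on it.
Require ip 203.0.113.5

# Front-end plugins call admin-ajax.php on behalf of anonymous
# visitors. With the default AuthMerging Off, this more specific
# <Files> section replaces the Require above for that one file,
# so those features keep working while the rest stays locked.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Use one style per server: mixing the 2.2 order/deny lines with 2.4 Require lines in the same .htaccess is a common source of lockouts.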
  30. RESOURCES
     - WordPress.org
       - Hacked: http://wordpress.org/tags/hacked
       - Malware: http://wordpress.org/tags/malware
       - http://codex.wordpress.org/Hardening_WordPres
       - http://codex.wordpress.org/WordPress_Backups
       - http://codex.wordpress.org/FAQ_My_site_was_hacked
     - wpsecuritylock.com - resources and services for securing sites
     - sucuri.net - Free site scanning, reasonable rates for monitoring and fixing your sites
     - Wpsecuritychecklist.com – off-site monitoring
  31. EXPLOIT INFORMATION
     - Badwarebusters.org
     - wpsecure.net - Updated lists of vulnerable WordPress plugins
     - spotthevuln.com - Helping developers understand security - examples of bad coding
     - Security/Exploit Databases:
       - http://securityreason.com/exploit_alert/
       - http://secunia.com/advisories/search/?search=wordpress
       - http://exploit-db.com
  32. OTHER PRESENTATIONS
     - Awesome slideshow and great video on how to hack a site in 2.5 minutes: http://perezbox.com/2012/06/wordcamp-orange-county-2012-wordpress-security-presentation/
     - Great presentation on proper WordPress API usage for plugin and theme development (very technical): http://weblogtoolscollection.com/archives/2011/03/01/mark-jaquith-on-wordpress-themeandplugin-security/
     - WordPress Security Webinar: http://blog.sucuri.net/2012/04/lockdown-wordpresssecurity-webinar-with-dre-armeda.html
     - How to Stop the Hacker: http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-thehacker-and-ensure-your-site-is-locked.html
  33. ONLINE TOOLS
     - http://www.botsvsbrowsers.com/SimulateUserAgnet.asp
     - http://www.tareeinternet.com/scripts/base.html
     - http://www.tareeinternet.com/scripts/decrypt.php
  34. CONTACT
     - Angela Bowman, askwpgirl.com, moongoosedesigns.com
     - 303.931.8191, angela@askwpgirl.com, twitter.com/askwpgirl, facebook.com/askwpgirl.com