NEO WordPress Meetup – eHermits – How to keep your blog from being hacked (2012)
Presentation Transcript

  • Brian Layman, North East Ohio WordPress Meetup #NEOWP
  • Who I am. What I do. What I see.
    What software do your blogs run on?
    Who here has had a blog hacked, defaced, stolen or taken down?
    Is your site safe? (No one would ever want to hack my blog about _____.)
    The title is a lie…
  • Sites: Twitter, PayPal’s Blog, Gawker, PhotoMatt, Problogger, Twilight Lexicon
    Hosts: Go Daddy, DreamHost, Blue Host, Bizland, Network Solutions
  • Content or uploads destroyed
    Hidden hyperlinks added to your site
    Redirect to another site
    Content edited
    Hijacked website
    Defacement
    Bank fraud
  • CSRF/XSRF – Cross-Site Request Forgery
    XSS – Cross-Site Scripting
    SQL Injection
    DDoS – (Distributed) Denial of Service
    DNS Hijacking – Spoofing or Poisoning
    Malvertising – Malicious Advertising
    Stolen Password
    Bad Code
  • WordPress, Drupal, Joomla
  • What is it? You tell me… Who is right?
    My thought: any step that eliminates a large subset of attacks on your blog should be taken.
  • The basics
    Passwords
    Communication (plain text vs. SSL)
    Updates
    Watch what you add to your sites (plugins/themes/add-ons)
    Backups
    Google Webmaster Tools
  • Use strong passwords
    Make them unique, at least for high-value accounts
  • Pay attention to how you are sending your passwords
    Wireless networks = risk
    FTP – use SFTP instead
    Email – use the SSL/TLS ports (587 submission with STARTTLS, 995 POP3S, 993 IMAPS) instead of 25, 110, 143
    Skype – syncs history when you connect; never send passwords through it, EVER
    cPanel/WHM/admin pages – if the URL is http rather than https, your password can be sniffed off the wire
  • Keep your blog, plugins, themes & operating system current – yes, even Linux
    Security and attacks improve over time:
    2005 – Admin operations required a referrer
    2006 – Admin operations required a nonce
    2007 – Plugin pages forced to check security
    2008 – Randomized keys and salts & upgrades
    2009 – Privilege escalation issues – full review
    2010 – Automated plugin and theme upgrades
    2011 – Sniffing, upload, clickjacking, file cleanup
  • Every plugin or theme is a security risk
    “Free theme” sites are a very high risk
    Less popular and highly specialized plugins have had fewer eyes on them and are riskier
    Older plugins used older security standards – we simply knew less and had fewer tools
    You are responsible for your site. Learn how to identify problems, or make a friend who can.
  • Back up both files and database
    Keep the backups offline
    If you keep backups online, keep them out of public_html
    As important as having the backups: know how to restore them!
    Before you restore, delete the existing files and directories so the attacker’s files go too
  • How do you know you are hacked?
    Google (Webmaster Tools) will email you when it considers your site a risk
    You can configure multiple owners so the warning reaches more than one person
  • EVERYTHING that is displayed on the screen must be escaped (filtered). WordPress provides: esc_html, esc_url, esc_*
    EVERYTHING that you send to the database must go through a prepared statement. WordPress provides: $wpdb->prepare
    TRUST NOTHING
    Prefer your own text over user input wherever you can
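An added example of the two rules on that slide, not code from the talk or from WordPress itself: a hypothetical [guest_search] shortcode written the unsafe way beside its hardened form. The plugin header, function names and shortcode tag are made up for illustration; the WordPress calls ($wpdb->prepare, $wpdb->esc_like, esc_html, esc_url, esc_attr, shortcode_atts, sanitize_text_field) are real and assume a current WordPress install (esc_like needs 4.0 or later).

```php
<?php
/*
Plugin Name: Escaping Demo (added example)
Description: Unsafe shortcode beside its hardened form. Hypothetical plugin, for illustration only.
*/

// UNSAFE (defined but deliberately NOT registered): the attribute goes straight into SQL and into HTML.
// q="x%' OR '1'='1" rewrites the query (SQL injection); q="<img src=x onerror=alert(1)>" lands in the page (XSS).
function ehermits_demo_unsafe_search( $atts ) {
    global $wpdb;
    $q    = isset( $atts['q'] ) ? $atts['q'] : '';
    $rows = (array) $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%$q%' AND post_status = 'publish'"
    );
    $out = "<p>Results for <b>$q</b></p><ul>";
    foreach ( $rows as $row ) {
        $out .= "<li><a href='" . get_permalink( $row->ID ) . "'>$row->post_title</a></li>";
    }
    return $out . '</ul>';
}

// HARDENED: every value that reaches SQL goes through $wpdb->prepare(); every value that reaches
// the screen goes through the esc_* function that matches the context it is printed into.
function ehermits_demo_safe_search( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'q' => '' ), $atts, 'guest_search' );
    $q    = sanitize_text_field( $atts['q'] ); // normalise on input, but still escape on output

    // prepare() quotes the %s placeholder; esc_like() stops % and _ in user input acting as LIKE wildcards.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $rows = (array) $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish' LIMIT %d",
        $like,
        20
    ) );

    // esc_html for text nodes, esc_url for href values, esc_attr for other attributes.
    $out = '<p>Results for <b>' . esc_html( $q ) . '</b></p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '"'
              . ' title="' . esc_attr( $row->post_title ) . '">'
              . esc_html( $row->post_title ) . '</a></li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'guest_search', 'ehermits_demo_safe_search' );
```

Note that post_title is escaped on output even though it came from the database: a compromised account or a sloppy import can put markup there, and "trust nothing" means the stored value is not trusted either.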
  • Permissions – the 755 myth: chmod -R 755 *
    Generic rule: directories should be 755, files 644
    Reality: the least privilege that still lets the site work is the right setting
    VPS vs. shared hosting vs. managed hosting: flexibility, access, less risk = more $
    Harden your own server or let someone do it for you
    suPHP – isolates your installation (PHP runs as your own account, not as the shared web server user)
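An added example for that slide, not a script from the talk or from WordPress: a small PHP command-line script that audits a WordPress tree against the 755/644 rule, tightens wp-config.php further because it holds the database password and the salts, and only changes anything when asked. The script name, function names and the 0600 choice for wp-config.php are the editor's; 0600 assumes PHP runs as the file owner (suPHP, or a per-user PHP-FPM pool). Under a shared mod_php setup the web server user must still be able to read it, so use 0640 with the appropriate group there.

```php
<?php
// Added example: least-privilege file modes for a WordPress install (hypothetical script).
// Usage: php fix-perms.php /path/to/wordpress [--apply]
// Without --apply it only reports what it would change.

const EHERMITS_DIR_MODE    = 0755; // directories need x to be traversed
const EHERMITS_FILE_MODE   = 0644; // PHP files are read, never executed by the shell
const EHERMITS_CONFIG_MODE = 0600; // wp-config.php: owner only (assumes suPHP-style execution)

function ehermits_target_mode( string $path, bool $isDir ): int {
    if ( $isDir ) {
        return EHERMITS_DIR_MODE;
    }
    if ( basename( $path ) === 'wp-config.php' ) {
        return EHERMITS_CONFIG_MODE;
    }
    return EHERMITS_FILE_MODE;
}

/**
 * Walk $root and return [ path => [ current, target ] ] for every entry whose mode is wrong.
 * When $apply is true the modes are corrected as they are found.
 */
function ehermits_audit_modes( string $root, bool $apply = false ): array {
    $changes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        if ( $info->isLink() ) {
            continue; // never chmod through a symlink; it could point outside the tree
        }
        $current = fileperms( $path ) & 0777;
        $target  = ehermits_target_mode( $path, $info->isDir() );
        if ( $current !== $target ) {
            $changes[ $path ] = [ $current, $target ];
            if ( $apply ) {
                chmod( $path, $target );
            }
        }
    }
    return $changes;
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $root  = isset( $argv[1] ) && $argv[1] !== '--apply' ? $argv[1] : getcwd();
    $apply = in_array( '--apply', $argv, true );
    foreach ( ehermits_audit_modes( $root, $apply ) as $path => list( $current, $target ) ) {
        printf( "%s %s: %o -> %o\n", $apply ? 'fixed' : 'would fix', $path, $current, $target );
    }
}
```

Run it without --apply first and read the report; a world-writable uploads directory or a 777 plugin folder shows up as a line to fix. The same bulk result from a shell is `find . -type d -exec chmod 755 {} +` and `find . -type f -exec chmod 644 {} +`, followed by a separate chmod for wp-config.php, which is exactly what `chmod -R 755 *` gets wrong: it hands the execute bit to every file.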
  • Create an “Editor” user for posting
    Create a new “Administrator”, delete the old one, then use it only for maintenance
    Never use wp_ as your table prefix
    Look at wp-config-sample.php now and then and update your wp-config.php
    Force secure (HTTPS) password logins
  • Move wp-config.php
    Remove version info
    Rename the admin user
    Move your wp-content directory – possibly worth doing, but it will break many plugins and themes
    Use .htaccess to whitelist IP addresses or add an extra password layer
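An added example that pulls together the wp-config.php items from the last two slides (table prefix, keeping up with wp-config-sample.php, forcing secure logins, moving the file). It is not the talk's file and not the one WordPress ships; the database values and salt phrases are placeholders, and the table prefix shown is made up, pick your own.

```php
<?php
// Added example: hardened excerpt of wp-config.php (placeholders in angle brackets).
// Fresh salt values come from https://api.wordpress.org/secret-key/1.1/salt/

define( 'DB_NAME',     '<database>' );
define( 'DB_USER',     '<db user>' );
define( 'DB_PASSWORD', '<db password>' );
define( 'DB_HOST',     'localhost' );

// Never wp_: a unique prefix defeats canned payloads that hardcode wp_users / wp_options.
// It does not fix an injection, it only stops the lazy exploits; the prefix below is an arbitrary example.
$table_prefix = 'k7x_';

// Unique keys and salts (compare with wp-config-sample.php after each major release).
// Regenerate them if you suspect a compromise; doing so logs every user out.
define( 'AUTH_KEY',         '<unique phrase from the salt generator>' );
define( 'SECURE_AUTH_KEY',  '<unique phrase from the salt generator>' );
define( 'LOGGED_IN_KEY',    '<unique phrase from the salt generator>' );
define( 'NONCE_KEY',        '<unique phrase from the salt generator>' );
define( 'AUTH_SALT',        '<unique phrase from the salt generator>' );
define( 'SECURE_AUTH_SALT', '<unique phrase from the salt generator>' );
define( 'LOGGED_IN_SALT',   '<unique phrase from the salt generator>' );
define( 'NONCE_SALT',       '<unique phrase from the salt generator>' );

// Force the login form and the whole admin over HTTPS, so the password and the auth cookie
// never cross the wire in clear text. FORCE_SSL_LOGIN, which covered only the form, was
// dropped in WordPress 4.0; FORCE_SSL_ADMIN is the setting to use.
define( 'FORCE_SSL_ADMIN', true );

// Standard tail of wp-config.php: ABSPATH is already defined when wp-load.php includes this file,
// which is what lets the file live one directory above the web root unchanged.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

On "Move wp-config.php": wp-load.php looks for the file in the install root and, if it is not there, one directory above (as long as no wp-settings.php sits there too), so placing it outside public_html needs no other change. "Remove version info" is a separate one-liner in a plugin or the theme's functions.php, `remove_action( 'wp_head', 'wp_generator' );`, which drops the generator meta tag; it hides the version from casual scanners only and is no substitute for updating.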
  • Free plugins: exploit-scanner, wp-security-scan, wordpress-file-monitor
    Paid plugins
  • Site rescue, securing & code review; managed hosting; WPSecuritylock.com
    And of course doing it all:
  • http://eHermitsinc.com http://thecodecave.com ehermits to