WordPress Setup and Security - WordCamp, Charleston 2014
Delivered at the first WordCamp in Charleston, SC, in 2014. This presentation covers some of the best practices in setting up and running your WordPress installation so that you don't get hacked or go down. And, just as important, how to make sure that you can recover if something does happen.

Published in: Internet, Technology
1. Don’t Get Hacked! WordPress Security
Michael Carnell - @carnellm
http://www.MichaelCarnell.com
These slides are available at http://www.MichaelCarnell.com/presentations or http://slideshare.net/carnellm

2. Who is Michael Carnell?
• Currently programmer at MUSC
• Web developer since the old days (HTML, ASP)
• WordPress user since …
• British car devotee
• Train and trolley enthusiast
• Writer / Reader / General Eccentric

3. Why This Presentation?
Because I Don’t Want You To Ever Call Me!

4. The Type of Problems
• External “Acts of God”
  • Hard drive failure
  • Someone leaned on the keyboard
• Collateral Damage
  • DOS (Denial of Service) attacks
  • Shared hosting site hack
• Direct Attacks
  • Hacking the security of your site
  • Vandalism
  • Hijacking - not just the site itself
In the end, our process is still …

5. Three Phase Approach
• Prevent!
  • Correct setup
  • Secure and harden
• Monitor!
  • Alerts of problems or activity
  • Automated actions
• Recover!
  • Backup, backup, backup

6. Before The Setup

7. Secure Your Identity
• Your Domain Name
• Domain Name Registrar
  • Need not be the same as your host (should not?)
  • Needs to be in YOUR name
  • Privacy? Depends on type of site and you
• My preferred registrar these days is Hover.com

8. Hosting - The Not So Good
• GoDaddy - common back end database that isn’t secured well and suffers from performance overload, poor support
• Brinkster - has been hacked numerous times
• FreeHostia - slow, free account is very limited, always pushing the upsell
• Doing it yourself – the pros and cons …

9. Hosting - The Good Guys
• BlueHost – My current favorite
• MediaTemple – May not be the cheapest, but very stable and secure. Monitors scripts
• HostGator – I have not used them personally, but have heard good things
• DreamHost – Used to be good, some still like them and use them. They are on my “iffy” list. But watch CPU usage as they will cut off processes

10. The Basic Rules
• Do your research - http://www.MichaelCarnell.com/hosting
• Check their own support forums
• Is there a free trial or money back guarantee?
• If you are a high traffic site (really), you may need a dedicated server or upgraded hosting
• None of this really applies to WordPress.com

11. The Dirty Details for WordPress

12. Install Correctly
• While installing (most will use OneClick) . . .
• Consider your directory? Do you use the standard? Root?
• Consider altering the database name if your install allows
• Make database username and password long and cryptic. Store them away not to be used
• Don’t use redundant info - admin name same as username, same as blog name, etc...

13. Double Check the Install
• File level tasks to be done via SFTP . . .
• Delete wp-admin/install.php
• In wp-config.php, add the optional security keys - http://api.wordpress.org/secret-key/1.1/
• Add index.php, a blank file, to all plugin and theme directories if it isn’t already there
• Check the file and directory privileges (if you are comfortable)
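The file-level checks on slide 13 can be scripted instead of done by hand over SFTP. The POSIX shell functions below are an added example, not from the slides and not part of WordPress: one reports a leftover wp-admin/install.php, one drops a blank index.php into wp-content/plugins, wp-content/themes and each directory directly beneath them that lacks one, and one counts files and directories that are writable by everyone. The WordPress root is whatever path you pass in.

```shell
#!/bin/sh
# Added example: post-install file checks for a WordPress tree (slide 13).
# Usage: wp_install_leftover /path/to/wp
#        wp_add_blank_index /path/to/wp
#        wp_world_writable  /path/to/wp

# Report the leftover installer script. Returns 1 if it is still present.
wp_install_leftover() {
  root="$1"
  if [ -f "$root/wp-admin/install.php" ]; then
    echo "LEFTOVER: $root/wp-admin/install.php (delete it over SFTP)"
    return 1
  fi
  return 0
}

# Create a blank index.php in wp-content/plugins, wp-content/themes and each
# directory directly beneath them that lacks one, so a server with directory
# listing enabled shows nothing. Prints the number of files created
# (0 on a second run, since the function is idempotent).
wp_add_blank_index() {
  root="$1"
  created=0
  for base in "$root/wp-content/plugins" "$root/wp-content/themes"; do
    [ -d "$base" ] || continue
    for dir in "$base" "$base"/*/; do
      dir="${dir%/}"
      [ -d "$dir" ] || continue
      if [ ! -e "$dir/index.php" ]; then
        : > "$dir/index.php"
        created=$((created + 1))
      fi
    done
  done
  echo "$created"
}

# Count files and directories writable by "other" (mode bit o+w, -perm -002).
# Anything above zero deserves a look; the slide leaves the fix to you.
wp_world_writable() {
  root="$1"
  find "$root" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}
```

Run the three functions against the document root after a one-click install; the blank index.php files are harmless to leave in place and cheap to recreate after a theme or plugin update adds new directories.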
14. Post Install Setup
• Create new admin user with strong password
• Change Admin password and give no role. Why not delete?
• Make your main admin’s display name different from login name
• Change setting to allow editing by outside packages if wanted - but know what you are doing
• Change “permalink” structure (thank you WP 3.3!)
• Demo Time Again....

15. As You Build
• Themes and Plug-ins: be safe
  • Consider the source
  • Always be suspicious
  • Again, do your research and ask around
• Consider Search Engine Visibility (under Settings / Reading)
• Put up a Coming Soon or Down for Maintenance screen
• Understand your Discussion Settings

16. Discussion Settings

17. Discussion Settings, part 2

18. Other Hardening
• Disable File Editing – placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:

    define('DISALLOW_FILE_EDIT', true);

• Check out further in depth hardening options at http://codex.wordpress.org/Hardening_WordPress
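Slides 13 and 18 both ask for edits to wp-config.php: the optional security keys and salts, and the DISALLOW_FILE_EDIT line above. The shell functions below are an added example, not from the slides and not part of WordPress core. They audit a wp-config.php for the eight key and salt constants (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT), flagging any that are missing or still carry the 'put your unique phrase here' placeholder from wp-config-sample.php, and insert the DISALLOW_FILE_EDIT define just above the "stop editing" marker so it is set before wp-settings.php is loaded. The config path is whatever you pass in.

```shell
#!/bin/sh
# Added example: audit and harden wp-config.php (slides 13 and 18).
# Usage: wp_config_missing_keys wp-config.php
#        wp_config_disallow_file_edit wp-config.php

# Return 0 if the file has an uncommented define() for constant $2.
# A leading "//" or "#" makes the line not match, so commented-out
# defines are ignored.
wp_config_defines() {
  grep -Eq "^[[:space:]]*define\([[:space:]]*'$2'" "$1"
}

# List security keys/salts that are absent or still hold the sample
# placeholder. The last line printed is the count of problems (0 = clean).
wp_config_missing_keys() {
  cfg="$1"
  problems=0
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    if ! wp_config_defines "$cfg" "$k"; then
      echo "missing: $k"
      problems=$((problems + 1))
    elif grep -Eq "^[[:space:]]*define\([[:space:]]*'$k'.*put your unique phrase here" "$cfg"; then
      echo "placeholder: $k"
      problems=$((problems + 1))
    fi
  done
  echo "$problems"
}

# Insert define('DISALLOW_FILE_EDIT', true); just above the "stop editing"
# marker (or, failing that, above the wp-settings.php require), so the
# constant exists before the rest of WordPress loads. Idempotent.
# Prints "added" or "already set"; returns 1 if no insertion point exists.
wp_config_disallow_file_edit() {
  cfg="$1"
  line="define('DISALLOW_FILE_EDIT', true);"
  if wp_config_defines "$cfg" DISALLOW_FILE_EDIT; then
    echo "already set"
    return 0
  fi
  tmp="$cfg.tmp.$$"
  if awk -v line="$line" '
      !done && (/stop editing/ || /wp-settings\.php/) { print line; print ""; done = 1 }
      { print }
      END { exit (done ? 0 : 1) }
    ' "$cfg" > "$tmp"; then
    mv "$tmp" "$cfg"
    echo "added"
  else
    rm -f "$tmp"
    echo "no insertion point in $cfg" >&2
    return 1
  fi
}
```

Back up wp-config.php before running the second function; it rewrites the file in place. Placeholder or missing keys should be replaced with fresh values from the generator URL on slide 13, which also logs every user out, since the cookies were signed with the old keys.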
19. Security Plugins You Need
• Some more plugins that you should have:
  • Akismet - AntiSpam, comes with the install, you will just need a key
  • Block Bad Queries - blocks code injection through queries
  • Acunetix WordPress Security - basically a security audit & fix
  • AntiVirus or another such
• Demo Time Again!

20. Monitor

21. Monitoring Users
• Other plugins to consider:
  • Search Meter - What are your visitors looking for, but also shows extraneous search injections
  • Limit Login Attempts – Helps protect against dictionary attacks
  • ThreeWP Activity Monitor - Shows who did what and when
• Demo Time Again!

22. Monitoring The Site
What do you look like to the world? How do you know if your site goes down?
• Hit your site regularly with different browsers
  • IE, Chrome, Firefox, mobile
  • Do this while not logged in
• Google’s tools
  • What does Google see?
  • Fetch As Google (part of Webmaster Tools)
• Site monitor
  • Such as SiteUptime

23. Who Gets Notified?
Make sure that the address the monitoring alerts go to is not tied to the site or what you are monitoring! “Alert that site is down!” “Can’t send alert because the site is down.”

24. After The Storm (Recovery)

25. The Key To Recovery Is Good Backup
• Your content is your responsibility, not your host’s
  • They may help you, but not guaranteed
• The only good backup is an automated one
  • You will forget at the worst time
• Decide on how much you can afford to lose
• A manual backup every now and then doesn’t hurt
  • Before or after a big change, back it up
• Have more than one copy of the backups
  • Different locations
  • Different formats
  • 3-2-1 backup …

26. Simple Backup for WP
• Your content is your responsibility, not your host’s
• Create a GMail account or use your current one with a custom address such as “yourname+backups@gmail.com”
• Make a filter that auto files away all email coming in to that address
• Database - WP-DB-Backup
• Images & Themes - WordPress Backup
• Doesn’t hurt to occasionally backup manually too

27. More Complete
• Use a tool such as UpdraftPlus
  • This will backup all files and databases
  • Will transfer those to DropBox, FTP, etc…
• Keep a document of your settings
  • Custom settings you change
  • Menu options
  • Date that you change things
  • Some screen captures
• If you are really safe (paranoid?)
  • Create a test / backup site
  • Can also serve as a fail-over

28. Know How To Restore
• You’ve made a backup, do you know how to use it?
  • Test it occasionally
  • Make sure you know what does and doesn’t get recovered and that you have a work around
• Do you have a place to use it?
  • Alternative hosting or domain
  • Have you tested on a different server?
  • Is your site directory dependent?
• Anticipate the worst case
  • Loss of access to GMail?
  • Corrupt backups
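Two of the points on slide 28, "test it occasionally" and "corrupt backups", can be partly automated so that a bad archive is noticed before the day you need it. The shell functions below are an added example, not from the slides and not part of UpdraftPlus, WP-DB-Backup or any other tool named in the deck: backup_checksum writes a SHA-256 sidecar next to an archive, and backup_verify re-checks that sidecar, confirms tar can still read the archive, and checks that the members you expect (for example wp-content/ and a database dump) are present. Archive names and expected member prefixes are whatever you pass in.

```shell
#!/bin/sh
# Added example: integrity checks for a WordPress backup archive (slide 28).
# Usage: backup_checksum site.tar
#        backup_verify site.tar wp-content/ db.sql

# Portable SHA-256: coreutils sha256sum on Linux, shasum on BSD/macOS.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Record the archive's digest in a sidecar file. Keep a copy of the sidecar
# in a second location so silent corruption of the archive is detectable.
backup_checksum() {
  _sha256 "$1" > "$1.sha256"
}

# Verify an archive: sidecar digest matches, tar can list it, and every
# expected member path prefix given after the archive name is present.
# Returns 0 when all checks pass, 1 otherwise, with the reason on stdout.
backup_verify() {
  archive="$1"
  shift
  sidecar="$archive.sha256"
  if [ ! -f "$sidecar" ]; then
    echo "FAIL: no checksum file for $archive"
    return 1
  fi
  if [ "$(cat "$sidecar")" != "$(_sha256 "$archive")" ]; then
    echo "FAIL: checksum mismatch for $archive (corrupt or altered)"
    return 1
  fi
  if ! listing=$(tar -tf "$archive" 2>/dev/null); then
    echo "FAIL: tar cannot read $archive"
    return 1
  fi
  for want in "$@"; do
    if ! printf '%s\n' "$listing" | grep -q "^$want"; then
      echo "FAIL: $archive has no member starting with $want"
      return 1
    fi
  done
  echo "OK: $archive"
  return 0
}
```

A checksum and a listing only prove the archive is intact and contains the expected paths; they do not prove the site comes back. The slide's advice still stands: restore onto a different server now and then, and have somewhere to do it.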
29. Stay Up-To-Date
• WordPress 3.9.1 is out
• You will need to update your base software – unless your host does it for you or you are on WordPress.com
• You will also need to update both your plug-ins and themes
  • Test your plug-ins so you can roll back if they don’t work
  • Be careful of what theme updates will do to any customizations you have made
• As always, backup first

30. Michael Carnell
@carnellm on Twitter
Slides available on http://www.MichaelCarnell.com/presentations
Q & A
