
WordPress Security - 12 WordPress Security Fundamentals


WordPress Security Presentation by Jason Conroy (from Finding Simple - http://findingsimple.com) for the March 2013 WordPress Canberra Meetup (http://wpcanberra.com.au)


Transcript of "WordPress Security - 12 WordPress Security Fundamentals"

1. WordPress Security: 12 WordPress Security Fundamentals
2. Why Security?
   • SEO / Google rankings
   • Downtime - Decreased Revenue
   • Website / Business / Personal Credibility
   • Increased Costs with cleaning up the mess (Potentially Law Suits)
   • Lose everything - no site :-(
3. “How do I completely secure my site?”
4. It’s all about “risk”
5. “The probability that a particular security threat will exploit a particular vulnerability” (ISC)²
6. Threat = A potential danger
7. Vulnerability = A Weakness
8. Weak Spots (Examples)
   • WordPress (Core, Themes & Plugins)
     ‣ Bugs/Vulnerabilities in the code itself
   • Hosting (Web & Database Server/s)
     ‣ Poor File Permissions
   • You
     ‣ Weak Password Choice
9. There are some simple things you can do to reduce the risk
10. 1. Update WordPress
    • Simple
  11. 11. Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress Update WordPress UpdateWordPress Update WordPress Update WordPress Update WordPress
12. • If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain.
    • This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
13. • REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site.
14. 2. Rename “admin” account
    • Make it hard for an attacker. If they already know your username that’s half the battle.
    • As of 3.0 WordPress asks upfront during installation for an admin account name - don’t use "admin", and I recommend not using anything related to the domain.
15. • If you do happen to have an “admin” account there are a few options:
      ‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
      ‣ Create another administrator user, then log in as the new administrator user and delete the "admin" user.
      ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly
17. 3. Change your table_prefix
    • My what? It’s a database thing...
    • Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default.
    • Changing this can block at least some SQL injection attacks.
    • Good news - WordPress now asks upfront during installation for you to specify a table prefix - so don’t use “wp_”.
18. • If you haven’t changed your prefix:
      ‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
      ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly (remember to update your wp-config.php file as well)
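For the "get your hands dirty with MySQL" route, the following is an added example (not part of the presentation or any of the plugins it names) that generates the statements a prefix change needs. It assumes a single-site install with the standard core table names and a `$table_prefix` line in wp-config.php; take a backup before running anything it prints.

```python
import re

# Core tables of a single-site install, without the prefix
# (termmeta only exists from WordPress 4.4 onwards).
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
)
# Same rule the WordPress installer enforces: letters, digits and underscores only
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Matches the $table_prefix assignment in wp-config.php
CONFIG_PREFIX_RE = re.compile(r"""(\$table_prefix\s*=\s*)(['"])[A-Za-z0-9_]*\2(\s*;)""")


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the SQL to rename the tables AND the two places WordPress stores
    the prefix inside the data: the '<prefix>user_roles' option and the
    '<prefix>capabilities' / '<prefix>user_level' usermeta keys.
    Skipping those two UPDATEs locks every administrator out after the rename."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError("invalid prefix: %r" % p)
    if old == new:
        raise ValueError("new prefix must differ from the old one")
    stmts = ["RENAME TABLE %s%s TO %s%s;" % (old, t, new, t) for t in tables]
    # LEFT(...) = '...' rather than LIKE 'wp_%': '_' is a LIKE wildcard and
    # would also catch unrelated rows such as 'wpseo_...'.
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        stmts.append(
            "UPDATE %s%s SET %s = CONCAT('%s', SUBSTRING(%s, %d)) "
            "WHERE LEFT(%s, %d) = '%s';"
            % (new, table, column, new, column, len(old) + 1, column, len(old), old)
        )
    return stmts


def update_config_prefix(config_text, new):
    """Rewrite the $table_prefix line in wp-config.php to the new prefix."""
    if not PREFIX_RE.match(new):
        raise ValueError("invalid prefix: %r" % new)
    text, n = CONFIG_PREFIX_RE.subn(r"\g<1>'%s'\g<3>" % new, config_text)
    if n != 1:
        raise ValueError("expected exactly one $table_prefix assignment, found %d" % n)
    return text


if __name__ == "__main__":
    for stmt in prefix_change_sql("wp_", "k7q_"):
        print(stmt)
    print(update_config_prefix("$table_prefix = 'wp_';", "k7q_"))
```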
20. 4. Setup Security Keys
    • Often referred to as Salts - they add random elements to your password when encrypting information in cookies (that are used during the WordPress login process)
    • They live in your site’s wp-config.php and can be changed at any time
    • https://api.wordpress.org/secret-key/1.1/salt/
21. • WordPress now generates the salts for you if none are provided - but it’s better to be safe than sorry.
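As an added example (not from the presentation or from WordPress itself), this checks a wp-config.php for the eight keys and rotates them with locally generated values instead of fetching them from the api.wordpress.org endpoint above. The constructed sample config and the 64-character length are assumptions; WordPress accepts any non-empty string.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
# define('NAME', 'value');  with either quote style and loose spacing
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>[^'"]*)\3\s*\)\s*;"""
)
# Same character set the api.wordpress.org salt endpoint uses; none of these
# characters need escaping inside a single-quoted PHP string.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# Constructed sample config: one placeholder, one weak value, six keys absent
SAMPLE_CONFIG = (
    "define('DB_NAME', 'wp');\n"
    "define('AUTH_KEY', 'put your unique phrase here');\n"
    "define('NONCE_SALT', 'abc');\n"
)


def audit_salts(config_text):
    """Map each key to a problem ('missing', 'placeholder', 'too short');
    an empty dict means all eight are present and look like real 64-char salts."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}
    problems = {}
    for name in SALT_KEYS:
        if name not in found:
            problems[name] = "missing"
        elif found[name] == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(found[name]) < 64:
            problems[name] = "too short"
    return problems


def new_salt(length=64):
    """Generate one salt from the OS CSPRNG rather than fetching it over the network."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return wp-config.php text with all eight keys replaced by fresh values,
    appending any that were missing. Rotation invalidates every existing login
    cookie, which is exactly what you want after a suspected compromise."""
    def repl(m):
        if m.group("name") in SALT_KEYS:
            return "define('%s', '%s');" % (m.group("name"), new_salt())
        return m.group(0)  # leave DB_NAME, DB_PASSWORD, etc. untouched
    text = DEFINE_RE.sub(repl, config_text)
    present = {m.group("name") for m in DEFINE_RE.finditer(text)}
    missing = [k for k in SALT_KEYS if k not in present]
    if missing:
        text += "\n" + "\n".join("define('%s', '%s');" % (k, new_salt()) for k in missing) + "\n"
    return text


if __name__ == "__main__":
    print(audit_salts(SAMPLE_CONFIG))
    print(audit_salts(rotate_salts(SAMPLE_CONFIG)))  # -> {}
```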
23. 5. Use Strong Passwords
    • Weak passwords leave your site vulnerable to:
      ‣ Brute Force Attacks
      ‣ Dictionary Attacks
    • Please use a strong password
    • Don’t reuse passwords
    • WordPress has a built-in strength meter (don’t ignore it)
24. Password1
25. jvYM89xwyzH?ah
26. • Try a password safe/generator like:
      ‣ 1Password (https://agilebits.com/onepassword)
      ‣ KeePass (http://keepass.info/)
27. 6. Limit login attempts
    • Restrict the number of failed attempts using a plugin like:
      ‣ Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
      ‣ Simple Login Lockdown - http://wordpress.org/extend/plugins/simple-login-lockdown/
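The plugins above count failures inside WordPress; as an added example (not from the presentation or either plugin), this does the same from the web server's access log, which also works when the plugin was installed after the fact. It assumes the Apache/nginx "combined" log format and uses a constructed log with documentation IP ranges.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format, parsed up to the status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def failed_wp_logins(lines, threshold=5):
    """Return {ip: failed_attempts} for clients at or above the threshold.

    wp-login.php answers a correct POST with a 302 redirect into wp-admin and a
    wrong one by re-rendering the form with a 200, so POST + 200 on wp-login.php
    is the failure signature. GETs (simply loading the form) are ignored."""
    failures = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash
        path = m.group("path").split("?", 1)[0]
        if (m.group("method") == "POST" and path.endswith("/wp-login.php")
                and m.group("status") == "200"):
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample log (documentation IP ranges, not real traffic):
# 203.0.113.7 fails six times; 198.51.100.2 loads the form once and logs in.
_LINE = '%s - - [10/Mar/2013:10:00:%02d +1100] "%s %s HTTP/1.1" %d 3821 "-" "Mozilla/5.0"'
SAMPLE_LOG = [
    _LINE % ("203.0.113.7", i, "POST", "/wp-login.php", 200) for i in range(6)
] + [
    _LINE % ("198.51.100.2", 7, "GET", "/wp-login.php", 200),
    _LINE % ("198.51.100.2", 8, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
    _LINE % ("198.51.100.2", 9, "GET", "/wp-admin/", 200),
]


if __name__ == "__main__":
    for ip, n in failed_wp_logins(SAMPLE_LOG).items():
        print("%s: %d failed login attempts" % (ip, n))
```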
29. 7. Use SFTP or FTPS
    • FTP transmits all data in the clear - including passwords
    • If you need to regularly connect or upload files to your site use SFTP or FTPS (especially if you are using public wifi)
30. 8. Check File Permissions
    • Tricky to get right (especially in shared hosting where it is more important to get it right)
    • A good rule of thumb is to set permissions at 644 for files and 755 for folders
31. • http://codex.wordpress.org/Changing_File_Permissions
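As an added example (not from the presentation or the Codex page), this walks an install and lists everything that strays from the 644/755 rule of thumb, treating wp-config.php separately because the Hardening_WordPress page under Extra Resources recommends 440 or 400 for it. The fixture tree it builds is constructed for the demonstration; point `audit_permissions()` at a real document root instead.

```python
import os
import stat
import tempfile

# Rule of thumb from the slide: 644 for files, 755 for folders.
# The Codex Hardening_WordPress page goes further for wp-config.php: 440 or 400.
FILE_MODE, DIR_MODE = 0o644, 0o755
CONFIG_MODES = (0o440, 0o400)


def audit_permissions(root):
    """Walk an install and return (relative_path, actual, expected) for every
    entry that deviates from the rule. World-writable entries (mode & 0o002)
    are always reported, whatever the expected mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)  # lstat: don't follow symlinks
            if name == "wp-config.php":
                expected = CONFIG_MODES[0]
                ok = mode in CONFIG_MODES
            else:
                ok = mode == expected
            if not ok or mode & 0o002:
                findings.append((os.path.relpath(full, root), oct(mode), oct(expected)))
    return sorted(findings)


def build_demo_tree():
    """Constructed fixture, not a real site: a minimal tree with two mistakes,
    a world-readable wp-config.php and a world-writable uploads folder."""
    root = tempfile.mkdtemp(prefix="wp-perms-demo-")
    layout = {                            # insertion order: parents before children
        "index.php": FILE_MODE,
        "wp-config.php": 0o644,           # should be 440 or 400
        "wp-content": DIR_MODE,
        "wp-content/uploads": 0o777,      # should be 755
        "wp-content/index.php": FILE_MODE,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        if rel.endswith(".php"):
            open(full, "w").close()
        else:
            os.mkdir(full)
        os.chmod(full, mode)              # explicit chmod: don't rely on umask
    return root


if __name__ == "__main__":
    for path, actual, expected in audit_permissions(build_demo_tree()):
        print("%-25s is %s, expected %s" % (path, actual, expected))
```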
32. 9. Move wp-config.php
    • wp-config.php is the main configuration file for your site
    • WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
    • Recommended that it is moved up one level (to the parent directory) to make sure only your account and the server can read the file
33. • If WordPress is located here:
      ‣ /public_html/mysite/wp-config.php
    • You can move wp-config.php to here:
      ‣ /public_html/wp-config.php
34. • This makes it much more difficult for anyone to access your wp-config.php file as it now resides outside of your site’s root directory
36. 10. Run Backups
    • Hosts may provide backups
    • However often...
      ‣ they don’t back up the right things
      ‣ they don’t back up regularly enough
      ‣ they don’t know WordPress
      ‣ they may charge you to restore your site
37. VaultPress - http://vaultpress.com/
38. Backup Buddy - http://ithemes.com/purchase/backupbuddy/
39. • Or just plain old...
      ‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
      ‣ WordPress Export (note the export doesn’t contain your uploaded files or options)
41. 11. Choose hosting wisely
    • In my experience you get what you pay for
    • Look for hosts that have
      ‣ Good backup regime
      ‣ WordPress Expertise (tougher than you think)
      ‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
42. 12. Be Security Minded
    • Keep your own machine clean
    • Don’t share or reuse passwords
    • If you use public computers be sure to log out of WP
    • If you use public networks
      ‣ avoid using FTP (that’s the insecure one)
      ‣ avoid logging into WP if you’re not using HTTPS
43. There’s a plugin for that
    • There is also a range of “all in one” solutions that will cover most of the above as well as things like:
      ‣ Remove the WordPress version/generator tag
      ‣ Remove update notifications
      ‣ Remove login error messages
      ‣ Change location of login URLs
44. • http://wordpress.org/extend/plugins/better-wp-security/
    • http://wordpress.org/extend/plugins/secure-wordpress/
    • http://wordpress.org/extend/plugins/bulletproof-security/
    • http://wordpress.org/extend/plugins/wp-security-scan/
45. Extra Resources
    • http://codex.wordpress.org/Hardening_WordPress
    • http://build.codepoet.com/2012/07/10/locking-down-wordpress/ (E-book)
    • http://codex.wordpress.org/Changing_File_Permissions
    • http://sucuri.net/ (Malware Scanner)
46. Summary
    1. Update WordPress            7. Use SFTP or FTPS
    2. Rename “admin” user         8. Check File Permissions
    3. Change the table_prefix     9. Move wp-config.php
    4. Setup Security Keys        10. Run Backups
    5. Use Strong Passwords       11. Choose Hosting Wisely
    6. Limit Login Attempts       12. Be Security Minded
47. THANK YOU (slide background: “Update WordPress” repeated)
