WordPress Security - 12 WordPress Security Fundamentals

WordPress Security Presentation by Jason Conroy (from Finding Simple - http://findingsimple.com) for the March 2013 WordPress Canberra Meetup (http://wpcanberra.com.au)

    Presentation Transcript

    • WordPress Security: 12 WordPress Security Fundamentals
    • Why Security?
      ‣ SEO / Google rankings
      ‣ Downtime - decreased revenue
      ‣ Website / business / personal credibility
      ‣ Increased costs cleaning up the mess (potentially lawsuits)
      ‣ Lose everything - no site :-(
    • “How do I completely secure my site?”
    • It’s all about “risk”
    • “The probability that a particular security threat will exploit a particular vulnerability” - (ISC)²
    • Threat = A potential danger
    • Vulnerability = A Weakness
    • Weak Spots (examples)
      ‣ WordPress (core, themes & plugins): bugs/vulnerabilities in the code itself
      ‣ Hosting (web & database servers): poor file permissions
      ‣ You: weak password choice
    • There are some simple things you can do to reduce the risk
    • 1. Update WordPress - simple
    • If a vulnerability is discovered in WordPress and a new version is released to address it, the information required to exploit the vulnerability is almost certainly in the public domain.
    • This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
    • REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site: its PHP files are still on disk and still reachable by URL.
    • 2. Rename “admin” account
      ‣ Make it hard for an attacker. If they already know your username, that's half the battle
      ‣ As of 3.0 WordPress asks upfront during installation for an admin account name: don't use "admin", and I recommend not using anything related to the domain
    • If you do happen to have an “admin” account there are a few options:
      ‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
      ‣ Create another administrator user, log in as that user and delete the "admin" user (attributing its posts to the new user when WordPress asks)
      ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly
    • 3. Change your table_prefix
      ‣ My what? It's a database thing...
      ‣ Many published WordPress-specific SQL injection attacks assume the table prefix is the default, wp_
      ‣ Changing it can block some of those canned attacks, but it is obscurity, not a fix: the injection bug is still there, and an attacker who can run arbitrary queries can read the real prefix out of information_schema
      ‣ Good news: WordPress now asks you to specify a table prefix during installation, so don't use "wp_"
    • If you haven't changed your prefix:
      ‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
      ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly (remember to update your wp-config.php file as well)
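Doing the prefix change by hand, as an added example that is not part of the slides: a shell script that writes the SQL for the rename and patches wp-config.php to match. It assumes the table names are piped in one per line (what SHOW TABLES prints); the list at the bottom and the new prefix k7x2_ are constructed for the demo. The two UPDATE statements are the step people forget: wp_options holds a row named wp_user_roles and wp_usermeta holds wp_capabilities and wp_user_level for every user, all keyed on the old prefix, and without rewriting them every account logs in with no permissions at all.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): SQL for moving an existing WordPress
# install from one table prefix to another, plus the matching wp-config.php
# edit. Three things must change together or every user loses their role:
#   1. every table old_*                                   is renamed to new_*
#   2. options row option_name 'old_user_roles'            -> 'new_user_roles'
#   3. usermeta rows meta_key 'old_capabilities', 'old_user_level' -> 'new_...'
# Table names are read from stdin, one per line (what SHOW TABLES prints).

# gen_prefix_sql OLD NEW  < list_of_tables
gen_prefix_sql() {
  local old="$1" new="$2" table
  # Prefixes end up inside unquoted identifiers: allow only [A-Za-z0-9_].
  case "$old$new" in *[!A-Za-z0-9_]*) echo "unsafe prefix" >&2; return 1 ;; esac
  while IFS= read -r table; do
    case "$table" in
      '')      ;;
      "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}" ;;
      *)       printf -- '-- %s does not start with %s, left alone\n' "$table" "$old" ;;
    esac
  done
  # Rows that embed the prefix. SUBSTRING() drops exactly the old prefix
  # (1-based, so start after LENGTH(old) characters); a blanket REPLACE()
  # would also rewrite unrelated keys that merely contain it somewhere.
  # LIKE treats '_' as a one-character wildcard, so it is escaped.
  local skip=$(( ${#old} + 1 )) like
  like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$skip" "$like"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$skip" "$like"
}

# set_config_prefix FILE NEW: rewrite the $table_prefix line in wp-config.php
set_config_prefix() {
  local file="$1" new="$2"
  case "$new" in *[!A-Za-z0-9_]*) echo "unsafe prefix" >&2; return 1 ;; esac
  sed -i.bak "s/^\([\$]table_prefix[[:space:]]*=[[:space:]]*\)'[^']*';/\1'$new';/" "$file"
  grep -q "^[\$]table_prefix[[:space:]]*=[[:space:]]*'$new';" "$file"
}

# Constructed stand-in for SHOW TABLES output.
TABLES='wp_options
wp_posts
wp_usermeta
wp_users
other_plugin_log'

printf '%s\n' "$TABLES" | gen_prefix_sql wp_ k7x2_
```

Run the generated SQL inside a transaction, or on a copy of the database first, and only then call set_config_prefix on wp-config.php: the site is broken between the moment the tables are renamed and the moment the config catches up, so take a backup before starting.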
    • 4. Setup Security Keys
      ‣ Often referred to as salts: secret random strings that WordPress mixes into the hashes it uses to sign the authentication cookies set when you log in, so a cookie cannot be forged or reused without them
      ‣ They live in your site's wp-config.php and can be changed at any time (changing them logs every user out)
      ‣ https://api.wordpress.org/secret-key/1.1/salt/
    • WordPress now generates salts for you if none are defined, but it stores them in the database, where anyone who can read the database (think SQL injection or a stolen backup) can read them too. Define them in wp-config.php: better to be safe than sorry.
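Generating the eight constants locally, as an added example that is not from the slides: a shell script that fills the define() lines in wp-config.php from /dev/urandom, so the values never travel over the network, plus a check that none of the sample-file placeholders are left behind. It assumes the file already carries the eight define() lines in the form the stock wp-config-sample.php uses; the demo writes such a file to a temp path. The same script is what you run after a suspected compromise, since fresh keys and salts invalidate every existing login cookie.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): regenerate the eight key/salt constants
# in wp-config.php from the local CSPRNG instead of fetching them from
# api.wordpress.org. Rotating them invalidates every existing login cookie.
# Assumes the file already has a define() line for each name, as the stock
# wp-config-sample.php does.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# random_key: 64 characters from /dev/urandom. The alphabet leaves out the
# quote and backslash (the value sits in a PHP single-quoted string) and the
# characters & and | (special in the sed replacement below).
random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%*()_+=' < /dev/urandom | head -c 64
}

# rotate_keys FILE: give every constant in WP_KEYS a fresh value.
rotate_keys() {
  local file="$1" name key
  for name in $WP_KEYS; do
    key=$(random_key)
    sed -i.bak "s|^define( *'$name', *'[^']*' *);|define('$name', '$key');|" "$file"
  done
  rm -f "$file.bak"
}

# keys_ok FILE: succeed only if all eight constants are defined with a value
# of at least 32 characters and the sample-file placeholder text is gone.
keys_ok() {
  local file="$1" name
  for name in $WP_KEYS; do
    grep -q "^define( *'$name', *'[^']\{32,\}' *);" "$file" || return 1
  done
  ! grep -q 'put your unique phrase here' "$file"
}

# Demo on a constructed wp-config.php fragment in a temp file.
DEMO_CFG=$(mktemp); trap 'rm -f "$DEMO_CFG"' EXIT
for name in $WP_KEYS; do
  printf "define( '%s', 'put your unique phrase here' );\n" "$name" >> "$DEMO_CFG"
done
rotate_keys "$DEMO_CFG"
cat "$DEMO_CFG"
```

keys_ok is the check to put in a deployment script: a wp-config.php copied from the sample file with the placeholders still in it passes PHP syntax but leaves every site using the same, publicly known "secret".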
    • 5. Use Strong Passwords
      ‣ Weak passwords leave your site vulnerable to brute force attacks and dictionary attacks
      ‣ Please use a strong password
      ‣ Don't reuse passwords
      ‣ WordPress has a built-in strength meter (don't ignore it)
    • Password1 (weak)
    • jvYM89xwyzH?ah (strong)
    • Try a password safe/generator like:
      ‣ 1Password (https://agilebits.com/onepassword)
      ‣ KeePass (http://keepass.info/)
    • 6. Limit login attempts
      ‣ Restrict the number of failed attempts using a plugin like:
      ‣ Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
      ‣ Simple Login Lockdown - http://wordpress.org/extend/plugins/simple-login-lockdown/
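The same check done from outside WordPress, as an added example that is not from the slides: every login attempt, successful or not, is a POST to wp-login.php, and XML-RPC logins are POSTs to xmlrpc.php, so counting those per client IP in the web server's access log shows a brute-force or dictionary run whether or not a lockout plugin is installed. The log lines are constructed in the Apache/nginx "combined" format; the threshold and addresses are arbitrary.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): the check a "limit login attempts"
# plugin does inside WordPress, done from outside on the web server's access
# log. Every login attempt is a POST to wp-login.php, and XML-RPC logins are
# POSTs to xmlrpc.php, so counting those per client IP shows a brute-force or
# dictionary run whether or not a plugin is installed. Log lines are in the
# Apache/nginx "combined" format and are constructed here.

# login_flood LOG [THRESHOLD]: print "ip count" for every client with more
# than THRESHOLD (default 10) login POSTs, busiest first.
login_flood() {
  local log="$1" max="${2:-10}"
  awk -v max="$max" '
    # combined format: $1 client IP, $6 "\"POST", $7 request path
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
    END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
  ' "$log" | sort -k2,2nr
}

# Constructed sample log: one ordinary visitor, one dictionary attack on the
# login form, one brute force over XML-RPC (which a plugin that only watches
# the login form does not see).
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
{
  echo '198.51.100.4 - - [10/Mar/2013:09:00:01 +1100] "GET /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"'
  echo '198.51.100.4 - - [10/Mar/2013:09:00:09 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
  for i in $(seq 1 40); do
    printf '203.0.113.7 - - [10/Mar/2013:09:01:%02d +1100] "POST /wp-login.php HTTP/1.1" 200 3941 "-" "python-requests/1.1"\n' "$i"
  done
  for i in $(seq 1 15); do
    printf '192.0.2.200 - - [10/Mar/2013:09:02:%02d +1100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.5"\n' "$i"
  done
} > "$SAMPLE_LOG"

login_flood "$SAMPLE_LOG" 10
```

Run against a rotated log this is a quick way to see whether a site is being hammered; run from cron it is the input to a firewall rule or a fail2ban jail, which blocks the address at the network level and so also covers xmlrpc.php and any other entry point a login plugin does not hook.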
    • 7. Use SFTP or FTPS
      ‣ FTP transmits all data in the clear - including passwords
      ‣ If you need to regularly connect or upload files to your site use SFTP or FTPS (especially if you are using public wifi)
    • 8. Check File Permissions
      ‣ Tricky to get right (especially in shared hosting, where it matters most: a world-writable file can be modified by any other account on the same server)
      ‣ A good rule of thumb is 644 for files and 755 for folders, with wp-config.php tighter still (600 or 640 where your host's setup allows it); never "fix" a permission problem with 777
    • http://codex.wordpress.org/Changing_File_Permissions
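An audit and fix for the rule of thumb above, as an added example that is not from the slides. The tree it runs on is constructed in a temp directory and seeded with the two mistakes seen most often on shared hosting, a 777 uploads directory and a world-readable wp-config.php. The 640 mode for wp-config.php assumes the PHP process runs as the file's owner or a member of its group, which is the case on suPHP/FPM-per-user hosts; on a setup where PHP runs as a separate user without a shared group, use the mode the host documents instead.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit a WordPress tree against the
# 644/755 rule of thumb and tighten wp-config.php. The tree at the bottom is
# constructed in a temp dir with the two most common shared-hosting mistakes.

# perm_audit ROOT: print "reason path" for every deviation; no output = clean.
perm_audit() {
  local root="$1"
  # World-writable is the dangerous case on shared hosting: any other account
  # on the box (or a hijacked PHP process of one) can rewrite the file.
  find "$root" -perm -002 -print | sed 's/^/world-writable /'
  find "$root" -type d ! -perm 755 ! -perm -002 -print | sed 's/^/dir-not-755 /'
  find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm -002 -print | sed 's/^/file-not-644 /'
  # wp-config.php holds the DB password and keys: "other" has no business reading it.
  find "$root" -name wp-config.php ! -perm 640 ! -perm 600 ! -perm -002 -print | sed 's/^/config-too-open /'
}

# perm_fix ROOT: apply the rule. Uploads stay writable because on a sane host
# the PHP process runs as the account that owns the files, so 755 is enough;
# 777 is never the answer.
perm_fix() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
  return 0
}

# Constructed demo tree.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/wp-content/uploads"
printf '<?php\n' > "$DEMO/wp-config.php"
printf '<?php\n' > "$DEMO/index.php"
chmod 755 "$DEMO" "$DEMO/wp-content"
chmod 777 "$DEMO/wp-content/uploads"   # "just make uploads work"
chmod 644 "$DEMO/wp-config.php"        # every account on the server can read the DB password
chmod 664 "$DEMO/index.php"

echo "before:"; perm_audit "$DEMO"
perm_fix "$DEMO"
echo "after:";  perm_audit "$DEMO"     # prints nothing
```

perm_audit is safe to run from cron against the live site; it only reads. Run perm_fix by hand, after looking at the audit output, because a host that runs PHP as a different user may have deliberately opened wp-content/uploads to a group.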
    • 9. Move wp-config.php
      ‣ wp-config.php is the main configuration file for your site (database password, security keys)
      ‣ If it is not found in the WordPress directory, WordPress automatically checks one level up, the parent directory (and only if that parent isn't itself a WordPress install, i.e. holds no wp-settings.php)
      ‣ Recommended that it is moved up one level to make sure only your account and the server can read the file
    • If WordPress is located here:
      ‣ /public_html/mysite/wp-config.php
    • You can move wp-config.php to here:
      ‣ /public_html/wp-config.php
    • This makes it harder for anyone to reach your wp-config.php over the web, as it now resides outside of your site's root directory. The failure it guards against is the web server handing the file out as plain text when PHP stops being processed (a bad .htaccess edit, a broken handler). It only helps if the parent directory is itself outside every document root on the server: if /public_html is served for another domain, the file is still web-reachable and you have only moved it.
    • 10. Run Backups
      ‣ Hosts may provide backups
      ‣ However, often they don't back up the right things, don't back up regularly enough, don't know WordPress, and may charge you to restore your site
    • VaultPress - http://vaultpress.com/
    • Backup Buddy - http://ithemes.com/purchase/backupbuddy/
    • Or just plain old...
      ‣ WP-DB-Backup - http://wordpress.org/extend/plugins/wp-db-backup/
      ‣ WordPress Export (note the export doesn't contain your uploaded files or your options)
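A backup you control, as an added example that is not from the slides: a script meant to run from cron on the server that reads the database credentials out of wp-config.php rather than keeping a second copy of them, dumps the database with mysqldump, archives wp-content (themes, plugins, uploads) together with the config, and reads both files back before declaring success. It assumes mysqldump, gzip and tar exist on the host and that DB_HOST is a plain host name; the wp-config.php fragment at the bottom is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): a minimal backup you control, meant to
# run from cron on the server. It reads the database credentials out of
# wp-config.php rather than keeping a second copy, dumps the database with
# mysqldump and archives wp-content (themes, plugins, uploads) and the config.
# mysqldump, gzip and tar are assumed to exist on the host; DB_HOST is
# assumed to be a plain host name. The config at the bottom is constructed.

# wp_setting FILE NAME: value of define('NAME', '...') in wp-config.php.
# Handles the stock spacing; a value containing a quote is not supported.
wp_setting() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# wp_backup WPROOT DEST: writes DEST/wp-<stamp>.sql.gz and DEST/wp-<stamp>.tar.gz
wp_backup() {
  local root="$1" dest="$2" cfg="$1/wp-config.php" stamp name user pass host
  name=$(wp_setting "$cfg" DB_NAME); user=$(wp_setting "$cfg" DB_USER)
  pass=$(wp_setting "$cfg" DB_PASSWORD); host=$(wp_setting "$cfg" DB_HOST)
  if [ -z "$name" ] || [ -z "$user" ]; then
    echo "no database settings found in $cfg" >&2; return 1
  fi
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  # --single-transaction: consistent InnoDB snapshot without locking the site.
  # MYSQL_PWD keeps the password off the command line, where ps would show it.
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$name" \
    > "$dest/wp-$stamp.sql" || return 1
  gzip -f "$dest/wp-$stamp.sql"
  tar -czf "$dest/wp-$stamp.tar.gz" -C "$root" wp-content wp-config.php || return 1
  # A backup that has never been read back is not a backup: verify both files.
  gzip -t "$dest/wp-$stamp.sql.gz" && tar -tzf "$dest/wp-$stamp.tar.gz" > /dev/null
}

# Constructed wp-config.php fragment for the demo.
DEMO_CFG=$(mktemp); trap 'rm -f "$DEMO_CFG"' EXIT
cat > "$DEMO_CFG" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'correct horse battery' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'k7x2_';
EOF
wp_setting "$DEMO_CFG" DB_NAME   # wp_site
```

The archive contains wp-config.php, so it holds the database password and the security keys: store it with the same care as the site itself, and copy it off the host (the host failing or being compromised is the scenario the backup is for), not into a web-served directory.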
    • 11. Choose hosting wisely
      ‣ In my experience you get what you pay for
      ‣ Look for hosts that have a good backup regime, WordPress expertise (tougher than you think) and SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
    • 12. Be Security Minded
      ‣ Keep your own machine clean
      ‣ Don't share or reuse passwords
      ‣ If you use public computers be sure to log out of WP
      ‣ If you use public networks, avoid using FTP (that's the insecure one) and avoid logging into WP if you're not using HTTPS
    • There's a plugin for that
      ‣ There are also a range of “all in one” solutions that cover most of the above as well as things like: removing the WordPress version/generator tag, removing update notifications, removing login error messages, and changing the location of the login URLs
    • http://wordpress.org/extend/plugins/better-wp-security/
    • http://wordpress.org/extend/plugins/secure-wordpress/
    • http://wordpress.org/extend/plugins/bulletproof-security/
    • http://wordpress.org/extend/plugins/wp-security-scan/
    • Extra Resources
      ‣ http://codex.wordpress.org/Hardening_WordPress
      ‣ http://build.codepoet.com/2012/07/10/locking-down-wordpress/ (e-book)
      ‣ http://codex.wordpress.org/Changing_File_Permissions
      ‣ http://sucuri.net/ (malware scanner)
    • Summary
      1. Update WordPress
      2. Rename “admin” user
      3. Change the table_prefix
      4. Setup Security Keys
      5. Use Strong Passwords
      6. Limit Login Attempts
      7. Use SFTP or FTPS
      8. Check File Permissions
      9. Move wp-config.php
      10. Run Backups
      11. Choose Hosting Wisely
      12. Be Security Minded
    • THANK YOU