Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Originally presented at Wordcamp 2012 Edmonton, "Beefy WordPress Security" was presented by Tammy from Top Draw and describes potential threats to WordPress installations and what to do about them.


  1. WHERE’S THE BEEF? Beefing Up Your WordPress Installation
     Tammy Valgardson – Senior Web Developer, @tammalee
  2. INTRODUCTION – Introduction
     The famous five-minute install? Absolutely true! It will only take five minutes to download and install WordPress. But then what?
  3. INTRODUCTION – Introduction
     If you set up your blog and walk away, you leave yourself vulnerable to malicious activity!
     Further Reading: WordPress Codex – Hardening WordPress; How To: Stop The Hacker By Hardening WordPress (hacker-by-hardening-wordpress.html)
  4. INTRODUCTION – What’s at Stake?
     If you don’t follow password best practices, your hacked WordPress account could lead to other compromised accounts! A password reused across services lets whoever cracks it on one site walk straight into the others.
  5. INTRODUCTION – What’s at Stake?
     Shared hosting means more than just sharing a server. If one site gets hacked, there is a chance malware infecting that site can spread to others on the same shared hosting space!
  6. INTRODUCTION – What’s at Stake?
     If your site is compromised, and hackers get their way, your site will now serve a nefarious purpose such as:
     • Redirect visitors to a web site that will attempt to install malicious software.
     • Compromise a shared hosting (soup kitchen) server and infect other web sites.
     • Phish for sensitive information.
     • Display spam to your visitors that you can’t see.
     • Hijack links to other sections of your web site, such as ‘Contact’, and send visitors to an entirely different site.
  7. INTRODUCTION – What’s at Stake?
     If your WordPress site is infected with malware it could be blacklisted by Google and other search engines!
  8. THREATS EXPLAINED – BRUTE FORCE ATTACKS
     a.k.a. when bored hackers with password cracking programs decide to cruise for fun on a Friday night.
  9. THREATS EXPLAINED – BRUTE FORCE ATTACKS – What is a brute force attack?
     A brute force attack is plain guessing: an automated program submits username and password combinations to your login form (wp-login.php) over and over, usually starting with lists of common passwords, until one works.
  10. THREATS EXPLAINED – BRUTE FORCE ATTACKS – How often do brute force attacks happen?
      Brute force attacks happen all the time! Peter Abraham over at DNI Dynamic Net, Inc. wrote on October 15, 2012: “If you asked me from September 2012 forward, the answer would change dramatically with WordPress Brute Force Attacks now exceeding 50% of all attacks being reported.”
  11. THREATS EXPLAINED – BRUTE FORCE ATTACKS – What’s the purpose of a brute force attack?
      If your account has administrator permissions they can do all sorts of ‘fun’ things to your site. One of the most common reasons for a brute force attack is to inject malware into your files or database.
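The guessing described above leaves a very recognisable trace in the web server’s access log. The following script, an added example and not part of the original slides, flags it: a WordPress login attempt is a POST to /wp-login.php, a failed attempt re-renders the form with status 200 while a successful one answers 302, so many 200s from one client in a short window is the fingerprint. It assumes the Apache/nginx “combined” log format, and the log lines it runs on are constructed inline so it works offline.

```python
"""Spot brute-force login attempts in web server access logs (added example,
not from the slides).

Assumes the Apache/nginx "combined" log format. A WordPress login attempt is
a POST to /wp-login.php; on success WordPress answers 302 (redirect to
wp-admin), on failure it re-renders the form with 200. Many 200s from one IP
in a short window is the fingerprint of password guessing. The log lines are
constructed here so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Timestamps of failed wp-login.php POSTs, grouped by client IP."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # ignore ?action=... query strings
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])
    return failures


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for every IP with >= threshold failures
    inside any sliding window of the given length."""
    flagged = {}
    for ip, stamps in failed_logins(lines).items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1                              # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def sample_log():
    """Constructed sample: 12 failed guesses from one IP within two minutes,
    and one normal login (302) from another."""
    base = datetime(2012, 10, 15, 3, 14, 0, tzinfo=timezone.utc)
    line = '{ip} - - [{ts}] "{req}" {status} 4096 "-" "Mozilla/5.0"'
    lines = [
        line.format(ip="203.0.113.5", ts=(base + timedelta(seconds=10 * i)).strftime(TS_FMT),
                    req="POST /wp-login.php HTTP/1.1", status=200)
        for i in range(12)
    ]
    lines.append(line.format(ip="198.51.100.7", ts=(base + timedelta(minutes=1)).strftime(TS_FMT),
                             req="POST /wp-login.php HTTP/1.1", status=302))
    lines.append(line.format(ip="198.51.100.7", ts=(base + timedelta(minutes=1, seconds=1)).strftime(TS_FMT),
                             req="GET /wp-admin/ HTTP/1.1", status=200))
    return lines


if __name__ == "__main__":
    for ip, n in find_bruteforce(sample_log()).items():
        print(f"{ip}: {n} failed logins, looks like a brute-force attack")
```

Against a real log, feed `find_bruteforce(open("access.log"))` and tune `threshold` and `window` to your traffic; the same counting is what the “limit login attempts” plugins mentioned later do on the application side, but a log-based check also catches guesses against XML-RPC or other hosts on the same server once you add their paths.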
  12. THREATS EXPLAINED - MALWARE
      Not Firefly-related. Not that I’d mind Captain Malcolm Reynolds getting into my WordPress installation. #fullfrontalnerdity
  13. THREATS EXPLAINED - MALWARE – What is Malware?
      Malware is software designed to harvest sensitive information or gain access to computer systems. On a WordPress installation malware can be injected into your source code, database, .htaccess files etc. Malware hijacks the purpose of visiting your site for its programmed agenda.
      Who Creates Malware? Why?
      What sort of person creates malware?
      • Young programmers with something to prove
      • Older, more experienced virus writers who write malware professionally
      • ‘Researchers’ who create malware as proof of concept projects
      Why do people create malware?
      • Petty theft
      • Cybercrime
      • Support for spammers
      • Distributed network attacks
      • Stealing electronic currency
      • ...and many more.
  14. THREATS EXPLAINED - MALWARE – Backdoors, Drive-by Downloads, Malicious Redirects
      Malware – Backdoors: “A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc…” [ Source: malware-infections-wordpress/ ]
      Malware – Drive-by Downloads: “The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product...” [ Source: malware-infections-wordpress/ ]
      Malware – Malicious Redirects: “When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at; when someone visits it, the website could take the visitor to, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.” [ Source: malware-infections-wordpress/ ]
  15. THREATS EXPLAINED - MALWARE – Pharma Hacks
      “Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re found to be distributing SPAM, you run the risk of being flagged by Google…”
  16. THREATS EXPLAINED - MALWARE – How does malware infect WordPress?
      Old and outdated plugins, themes, and WordPress installations may have holes in their security that can be exploited. Malware is injected into a file or your database, where it hijacks your visitors’ experience when they visit your web site. It’s written in the same languages the web runs on, usually PHP or JavaScript, sometimes Ruby or Perl. Because WordPress is so widely distributed and open-source, there is not only an excellent chance that outdated installations with security holes exist, but the code of those installations is free for a hacker to study.
      Third-party plugins and themes may carry exploitable bugs, or even backdoors, that give hackers access (e.g. the TimThumb hack, where a vulnerable image-resizing script bundled with many themes let attackers upload files of their choosing).
  17. THREATS EXPLAINED - MALWARE – How do I know I’m infected?
      • Formatting/theme is altered
      • You run a plugin that tells you
      • Links/text have been inserted at the bottom of the website
      • Warning in search results
      • Browsing the website with Google Chrome results in a warning
      Plugins that help scan your site:
      • Sucuri Sitecheck Malware Scanner (scanner/)
      • WordFence Security (nce/) – Multi-site support in beta!
  18. THREATS EXPLAINED - MALWARE – How do I know I’m infected?
      • Google Webmaster Tools messages
      • Google’s pretty good about notifying webmasters when it sees weird stuff going on.
      Example: Notice of Suspected Hacking on May 17, 2012
      “Dear owner or webmaster of, We are writing to let you know that some pages from will be labeled as potentially compromised in our search results. This is because some of your pages contain content which may harm the quality and relevance of our search results. It appears that these pages were created or modified by a third party, who may have hacked all or part of your site. Many times, they will upload files or modify existing ones, which then show up as spam in our index. The following are some example URLs which exhibit this behavior:”
  19. THREATS EXPLAINED - MALWARE – How do I get rid of Malware?
      Scan your Web site for possible infections by using the free service below. If you have an infection, I highly recommend hiring them to clean it up for you. They specialize in removing malware infections and they’re quick, specialized, and inexpensive.
      You could hire a developer to comb through your infected code, database, and .htaccess files. However, most developers don’t specialize in malware removal, and when you pay an hourly rate for that inexperience you may be better off hiring a specialist.
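Before paying anyone, it is worth knowing what the injected code usually looks like, because the infections described in slides 14 to 19 leave a handful of recurring fingerprints in files: an eval() fed by a decoder, preg_replace() with the /e modifier, long base64 blobs, invisible iframes, and .htaccess redirect rules that only fire for search-engine or referred visitors (the malicious-redirect and pharma cases). The scanner below is an added example, not the original author’s code or any of the plugins named; the indicator patterns and the sample files are my own constructions, and a hit is a reason to look closer, not proof of infection.

```python
"""Scan WordPress files for common malware-injection indicators (added example,
not from the slides).

Indicators are the well-known ones: obfuscated eval() chains, preg_replace()
with the /e modifier, very long base64 blobs, invisible iframes, and
conditional redirects in .htaccess that only fire for search-engine or
referred visitors. A hit is a reason to look closer, not proof of infection.
The sample files are constructed so the script runs offline.
"""
import re

INDICATORS = [
    # eval() fed by a decoder is the classic obfuscated loader
    ("obfuscated eval", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    # /e makes preg_replace execute the replacement string as PHP
    ("preg_replace /e modifier", re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    # long base64 literals hide code from casual reading
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    # zero-size or hidden iframes are how drive-by downloads are delivered
    ("hidden iframe", re.compile(
        r"<iframe[^>]*(?:(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none)", re.I)),
    # a RewriteRule to an external site guarded by a user-agent/referer condition
    # (only matches when the RewriteRule directly follows its RewriteCond)
    ("conditional external redirect", re.compile(
        r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}.*\n\s*RewriteRule\s+\S+\s+https?://", re.I)),
]


def scan_text(name, text):
    """Return (name, indicator, line_number) for every indicator hit in text."""
    hits = []
    for label, pattern in INDICATORS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((name, label, line_no))
    return hits


def scan_files(files):
    """files: {path: contents}. Returns all hits, sorted by path and line."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return sorted(hits)


# Constructed samples: four infected files and one clean one.
SAMPLE_FILES = {
    "wp-content/themes/twentyeleven/footer.php":
        "<?php\n// injected loader (constructed sample)\n"
        "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n?>\n<footer>...</footer>\n",
    "wp-content/uploads/2012/10/stats.php":
        '<?php\n$r = preg_replace("/.*/e", "...", "");\n',
    ".htaccess":
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (google|bing|yahoo) [NC]\n"
        "RewriteRule ^(.*)$ http://example.invalid/stats.php [R,L]\n",
    "index.php":
        '<?php require "wp-blog-header.php"; ?>\n'
        '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n',
    "wp-config.php":
        "<?php\ndefine('DB_NAME', 'wp');\n$table_prefix = 'wp_';\n",
}

if __name__ == "__main__":
    for name, label, line_no in scan_files(SAMPLE_FILES):
        print(f"{name}:{line_no}: {label}")
```

To run it over a real install, build the dictionary from `os.walk` over the document root (read .php, .js, .html and .htaccess files) and review every hit by hand; legitimate plugins occasionally use base64 too, which is why the output is a worklist rather than a verdict.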
  20. PASSWORDS & ADMINISTRATIVE USERS
      If you’re starting to fall asleep, wake up! This is the most important section I’ll be talking about today.
  21. YOUR PASSWORD & ADMINISTRATIVE USERS – Creating your Password
      When creating a password, do NOT use:
      • Your birthdate, wedding anniversary, or dates of birth of your children or spouse
      • Your name, username, company name, names of your children or spouse
      • Your SIN number
      • Only numbers or only letters
      • A short, easy to remember, password
      • The word ‘password’. No, not even ‘password01’ or ‘password2012’
      • Words found in a dictionary of any language (BUT WAIT! We’ll talk about multi-word passwords very soon!)
      Further Reading: Common passwords to avoid (passwords-to-avoid/14136/); Avoiding Common Passwords (common-passwords)
  22. YOUR PASSWORD & ADMINISTRATIVE USERS – Creating your Password
      When creating a password, do use:
      • At least 10 characters
      • A mix of numbers, upper and lower case letters, and special characters
      • A password you have never used before
      • A system or mnemonic
      Password Generator: www.StrongPasswordGenerator.com
      Go to Password Meter to test the strength of your new password: www.PasswordMeter.com (test a password of the same shape rather than the one you will actually use; anything typed into a third-party site should be treated as disclosed)
      Brute Force calculator
      Further Reading: Salting Passwords
  23. YOUR PASSWORD & ADMINISTRATIVE USERS – Creating your Password – Multi-word combo passwords
  24. YOUR PASSWORD & ADMINISTRATIVE USERS – Multi-word combo passwords
      Multi-word combo passwords are more likely to be remembered, but there are a few things to consider:
      • The words must be random
      • The words must not relate
      • Throw in upper & lower cases
      • Throw in numbers
      • Throw in special characters
      Test your password out: my coworker came up with and tested Staple2Deers@dawn and found it would take 1.34 billion trillion centuries to crack using brute force. Treat such figures as an upper bound: the calculator assumes every combination is tried blindly at a fixed rate, whereas a real cracker tries dictionary words and their common variants first, and the actual guessing rate depends on how the site hashes its passwords.
      “Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,...” [ Source: passwords-suck-hints-on-creating-solid-passwords/ ]
      Further Reading: “Which are more secure, multi-word passwords or passwords made using a combination of letters, numbers and symbols?” (secure-multi-word-passwords-or-passwords-made-using-a-combination-of-letters-numbers-and-symbols)
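The two slides above make two claims that are easy to check numerically: that a multi-word password is strong, and that swapping digits for letters adds almost nothing. The script below is an added example, not the author’s calculator or the one on the linked site. It computes the naive charset estimate a brute-force calculator reports and a pattern-aware estimate that charges each dictionary word, capitalisation and leet substitution roughly what a cracker pays to try them; DICTIONARY_WORDS and GUESSES_PER_SEC are assumed figures for illustration and the substitution table is my own.

```python
"""Estimate brute-force work for candidate passwords (added example, not from
the slides).

Two estimates are computed. The naive one is what online "brute force
calculators" do: charset size to the power of the length. The pattern-aware
one assumes the attacker does what the quoted advice says they do: try
dictionary words, capitalised variants and digit-for-letter substitutions
before trying every combination. DICTIONARY_WORDS and GUESSES_PER_SEC are
assumptions for illustration; real cracking speed depends on the password
hash and the attacker's hardware, not on the password alone.
"""
import math
import re

SPECIALS = 33               # printable ASCII that is neither letter nor digit (space included)
DICTIONARY_WORDS = 100_000  # assumption: size of the word list the attacker tries
GUESSES_PER_SEC = 1e9       # assumption: offline attack against a fast, unsalted hash

# Letter-for-symbol substitutions a cracker tries first (4->a, 3->e, 0->o, 1->l, 5->s, 7->t, $->s).
LEET = str.maketrans("430157$", "aeolsts")
WORD_RE = re.compile(r"[A-Za-z]+")


def charset_size(pw):
    """Size of the character-class mix a calculator assumes for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SPECIALS
    return size


def naive_bits(pw):
    """Entropy a charset calculator reports: every position independent."""
    return len(pw) * math.log2(charset_size(pw))


def pattern_bits(pw):
    """Entropy when the attacker guesses words and common variants first.

    Each dictionary word costs log2(DICTIONARY_WORDS) bits plus one bit per
    leet substitution and one bit for capitalisation, because the cracker
    simply tries those variants of every word. Characters outside a word
    cost their class size; letter runs shorter than 3 are charged per letter.
    """
    plain = pw.translate(LEET)          # undo substitutions to find the words
    bits = 0.0
    in_word = [False] * len(pw)
    for m in WORD_RE.finditer(plain):
        s, e = m.span()
        if e - s < 3:
            continue
        in_word[s:e] = [True] * (e - s)
        bits += math.log2(DICTIONARY_WORDS)
        bits += sum(1 for i in range(s, e) if pw[i] != plain[i])   # substitutions
        if any(c.isupper() for c in pw[s:e]):
            bits += 1                                              # capitalised variant
    for i, c in enumerate(pw):
        if in_word[i]:
            continue
        if c.isalpha():
            bits += math.log2(26)
        elif c.isdigit():
            bits += math.log2(10)
        else:
            bits += math.log2(SPECIALS)
    return bits


def crack_seconds(bits):
    """Worst-case time to exhaust 2**bits guesses at GUESSES_PER_SEC."""
    return 2 ** bits / GUESSES_PER_SEC


def report(pw):
    """Both estimates for one password, in bits and in years."""
    year = 31_557_600
    return {
        "password": pw,
        "naive_bits": round(naive_bits(pw), 1),
        "pattern_bits": round(pattern_bits(pw), 1),
        "naive_years": crack_seconds(naive_bits(pw)) / year,
        "pattern_years": crack_seconds(pattern_bits(pw)) / year,
    }


if __name__ == "__main__":
    for pw in ("password2012", "P4ssw0rd!", "Staple2Deers@dawn"):
        r = report(pw)
        print(f"{pw:20} naive {r['naive_bits']:6.1f} bits   pattern-aware {r['pattern_bits']:6.1f} bits")
```

Run it and the three rows tell the story of the slides: P4ssw0rd! looks like 59 bits to a calculator but is worth about 25 once substitutions are assumed, while Staple2Deers@dawn keeps roughly 60 bits even against a word-aware attacker, because three unrelated words, a digit and a symbol each have to be guessed independently.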
  25. YOUR PASSWORD & ADMINISTRATIVE USERS – Remembering your Password
      DO NOT store it in an obvious place!
      • NOT on a sticky note on your monitor
      • NOT in your daily planner
      Use a Password Keeper.
      Don’t Panic! Password recovery is built into WordPress!
  26. YOUR PASSWORD & ADMINISTRATIVE USERS – Password Recovery
      Always keep your email up to date on your WordPress site!
  27. YOUR PASSWORD & ADMINISTRATIVE USERS – Strong, Unique Passwords aren’t just for WordPress
      The way you communicate with your web host should also be secure. You want strong passwords for:
      • Your cPanel user
      • Your FTP user (which you should make different from your cPanel user)
      • Your MySQL database user
      • Your PHPMyAdmin user
      Use SFTP to move files to your hosting space: try to use SFTP for your file transfers. SFTP stands for SSH File Transfer Protocol; it runs over an encrypted SSH connection, so neither your password nor your files cross the network in the clear (plain FTP sends both unencrypted).
      Every password should be different! If you use a different password for every service you have accounts for, you minimize the amount of damage a hacker can do!
  28. YOUR PASSWORD & ADMINISTRATIVE USERS – Administration Users
      If you have an administrator-level user named ‘Admin’ or ‘Administrator’, get rid of it!
      Create a new administrator user:
      1. Log into WordPress as your current admin user
      2. Create a new user
      3. Give it a name other than Admin or Administrator
      4. Assign your new user an ‘administrator’ role
      Remove your old administrator user:
      1. Log into WordPress as your new admin user
      2. Go to Users and delete your old admin user (when asked what to do with its content, attribute the posts to your new user rather than deleting them)
      3. Or, set your old Admin user’s role to ‘subscriber’ and change the password to something ridiculously long and complex
  29. YOUR PASSWORD & ADMINISTRATIVE USERS – Administration Users
      You don’t need to write posts as an administrator! Keep your administrator user separate from your blog-writing user.
      Hackers can find your username from your posts. If you go to Your Profile you can change what your name is displayed as. I recommend changing this from the default of your username to something else. Keep in mind that this only changes what the theme prints; the author archive URL (/author/<username>/) still contains the login name, so a hidden username is a speed bump, not a lock.
      Clean up old admin accounts: if you’ve got old admin accounts sitting around, like ones that you’ve created for developers to work on your site with, remove them. Not all of your users need to be administrators, either. If you have contributors to your site, test out various settings to see how much access they really need.
      PASSWORD STRENGTH IS KEY! The best security for your administration user is having a strong password. Make sure you reset your admin passwords on a regular basis and make sure you haven’t used that password elsewhere before!
  30. UPDATES & HOUSEKEEPING
      If only my condo was as clean as my server.
  31. UPDATES & HOUSEKEEPING – Updates
      The majority of hacked WordPress sites are not updated! Updates include:
      • Core WordPress files
      • Themes
      • Plugins
      Outdated WordPress files, themes, and plugins can have holes in security that can be exploited by malware!
  32. UPDATES & HOUSEKEEPING – Challenges to Updating
      • The theme hasn’t been coded according to WP best guidelines and the site breaks if you update WordPress.
      • A plug-in has been abandoned by the developer and you’re afraid to update your core files, or you continue using the plugin years after it’s been abandoned.
      • You’re afraid to update because you’re not very web-savvy.
      Recommended Reading: WordPress Codex: Updating WordPress
      Abandoned Plugin Suggestion: Matt Jones suggests a plugin adoption program (plugin-adoption-program/)
  33. UPDATES & HOUSEKEEPING – Backing up before updating
      Using an SFTP program, back up all your web files to your computer.
      Using PHPMyAdmin or cPanel, back your database up.
      Never leave .sql or other database backup files on your server!
      Update Now!
      It’s not free but it’s highly recommended.
      WordPress Codex: WordPress Backups
  34. UPDATES & HOUSEKEEPING – Safety First! Safe themes and plugins
      Curtis McHale, who spoke at WordCamp Edmonton 2011 (you can view his slide show online), is part of a team that checks themes submitted to the WordPress.org repository to make sure they are secure and well-formed. If you are interested in joining the WordPress Theme Review Team, their page has a list of useful plugins that they use to examine a theme and may be useful for anyone developing their own theme.
      Has a good reputation for paid themes. Themes on WordPress.org are vetted by teams of volunteers and are free.
      Nothing is 100% un-hackable!
  35. UPDATES & HOUSEKEEPING – Housekeeping
      Don’t leave files on your server that may give hackers information about your site, or old files that may be exploitable:
      • .sql backups
      • readme files
      • inactive plugins and themes
      • phpinfo.php
      Removing the WordPress version: alter your theme’s functions.php file (tutorials/the-right-way-to-remove-wordpress-version-number/). This only removes the version from the page source; it does not make an outdated install any safer, so it is no substitute for updating.
      Further Reading: How to: Stop the Hacker by Hardening WP
  36. UPDATES & HOUSEKEEPING – Change your database prefix
      Use a plugin to change your database prefix: WP Security Scan (security-scan/). I use this plugin to scan my site on a regular basis; it can also help you change your database prefix.
      Manually change your database prefix: (database-prefix/)
      If you are setting up a new WordPress site, the option is there to change your database prefix when you first set it up. A custom prefix only makes injected SQL that hard-codes wp_ fail; it does nothing against an attacker who can read the prefix from a query error or from wp-config.php, so treat it as a small extra, not a defence on its own.
  37. UPDATES & HOUSEKEEPING – The scary world of CHMOD, and equally scary .htaccess!
      Check permissions of upload, upgrade, and backup directories. WordPress Codex – Changing File Permissions.
      .htaccess is a powerful file when used correctly! You can use it to secure:
      • wp-config.php
      • set up admin access from your IP only
      • ban bad users
      • stop directory browsing
      • prevent access to /wp-content/
      • protect your .htaccess file!
      If you change your permalink structure, any customization in your .htaccess file may be overwritten! WordPress rewrites only the block between its # BEGIN WordPress and # END WordPress markers, so keep your own rules outside those markers.
      Further Reading: Protect Your WordPress Site with .htaccess (ect-your-wordpress-site-htaccess); Securing directories with .htaccess (uploads/); How to Password Protect your WP Admin (tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/)
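The housekeeping and CHMOD advice in slides 35 to 37 is easy to check mechanically. The audit below is an added example, not the author’s or any plugin’s code: it walks a document root and reports the leftovers the slides say not to keep (.sql dumps, readme files, phpinfo.php), anything writable by “other” (looser than the 644 for files and 755 for directories that the Codex page recommends), and a wp-config.php that every account on a shared host can read. The sample tree it audits is constructed in a temporary directory, so it runs offline.

```python
"""Audit a WordPress document root for leftovers and loose permissions (added
example, not from the slides).

Flags the files the slides say not to leave on the server (.sql dumps,
readme files, phpinfo.php), plus world-writable files or directories and a
wp-config.php that every user on a shared host can read. The sample tree is
built in a temporary directory, so the script runs offline.
"""
import os
import stat
import tempfile

LEFTOVER_NAMES = {"phpinfo.php", "readme.html", "readme.txt"}
LEFTOVER_SUFFIXES = (".sql", ".sql.gz", ".sql.zip")


def audit(root):
    """Return sorted (relative_path, problem) pairs for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root), "world-writable directory"))
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            mode = os.stat(full).st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            if f == "wp-config.php" and mode & stat.S_IROTH:
                # database credentials and salts; other accounts on the host can read them
                findings.append((rel, "wp-config.php readable by other users"))
            if f.lower() in LEFTOVER_NAMES or f.lower().endswith(LEFTOVER_SUFFIXES):
                findings.append((rel, "leftover file"))
    return sorted(findings)


def _write(root, rel, mode):
    """Create a small file with the given permission bits (sample helper)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(path, mode)


def build_sample(root):
    """Constructed document root with several of the problems above."""
    _write(root, "index.php", 0o644)                                  # fine
    _write(root, "wp-config.php", 0o644)                              # world-readable secrets
    _write(root, "readme.html", 0o644)                                # leftover
    _write(root, "phpinfo.php", 0o644)                                # leftover
    _write(root, "wp-content/uploads/backup-2012-10.sql", 0o644)      # leftover dump
    _write(root, "wp-content/uploads/2012/10/photo.jpg", 0o666)       # world-writable
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)      # world-writable dir


def run_demo():
    """Build the sample tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit(root)


if __name__ == "__main__":
    for path, problem in run_demo():
        print(f"{path}: {problem}")
```

Point `audit()` at a real document root to get the worklist; on a shared host where PHP runs as your own user, the uploads directory does not need to be world-writable at all, and 640 or 600 on wp-config.php is enough for the web server to read it.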
  38. HOSTING – Hosting
      When it comes to hosting, you get what you pay for. $5/month hosting is cheap but it isn’t terribly secure. You take your chances with shared hosting.
      How to identify a good WordPress host? A good WordPress host will mention what steps they take to provide you with a secure environment or how they cater specifically to WordPress installations. Sadly, many bloggers are paid to shill for hosting companies, so you have to do your due diligence when it comes to picking a host.
      Good Hosts (caveat emptor):
      • Recommended on WordPress.org: Bluehost, DreamHost, Laughing Squid
      • Recommended by WooThemes: WPEngine
      Examples of good hosts: Hardening WordPress on Dreamhost; WP Engine’s list of disallowed plugins (plugins/)
  39. PLUG-INS – Plugins
      Plugins are not the be all and end all when it comes to security. That being said, here are some plugins you may find useful. Don’t use them all at once!
      Brute Force Blocking: User Locker (locker/); Limit Login Attempts (login-attempts/)
      Malware Scanning / Blocking: Sucuri Sitecheck Malware Scanner; Block Bad Queries
      General Security: Wordfence Security (nce/); WP Security Scan (security-scan/)
  40. CONCLUSION – In Conclusion
      There are many more tips and tricks than I’ve covered here, but I’m trying to keep things simple. As you might expect, your security will never be perfect, but the good news is you can easily make yourself less of a target by taking a few simple security precautions. Knowing how to protect yourself is the first step towards a safe, secure WordPress site. (The second step is to actually implement some of this advice.)
      Recommended Reading: /9781849512107; securing-wp-config-php/; website-security/; one-click-wordpress-installed-timthumb-vulnerability-and-security-risks/; ck-guide-to-secure-wordpress-setup.html
  41. CREDIT WHERE CREDIT IS DUE – Credits
      Cow hide photo in title graphic by Sherrie Thai of ShaireProductions
      Cow purchased from
      “Let’s have fun” scary graphic purchased from istockphoto.com
      Herd Infection photo purchased from istockphoto.com
      Social Media icons from respective social media web sites
      ‘Common passwords to avoid’ poster thanks to:
      Adriel Michaud @ for his input
      Sarah Sinfield @ for encouraging me
      Curtis McHale @ for inspiring me
      My partner who makes sure my fuzzy blanket supply never runs out