Beefy WordPress Security Wordcamp 2012 by Tammy Lee

WHERE’S THE BEEF?Beefing Up Your WordPress InstallationTammy Valgardson – Senior Web Developer@tammalee

INTRODUCTIONIntroduction Absolutely true! It will only take five minutes to download and install WordPress. But then what?

INTRODUCTIONIntroduction If you set up your blog and walk away, you leave yourself vulnerable to malicious activity! Further Reading WordPress Codex – Hardening WordPress http://codex.wordpress.org/Hardening_WordPress How To: Stop The Hacker By Hardening WordPress http://blog.sucuri.net/2012/06/how-to-stop-the- hacker-by-hardening-wordpress.html

INTRODUCTIONWhat’s at Stake?If you don’t follow password best practices your hacked WordPress account could lead to other compromised accounts!

INTRODUCTIONWhat’s at Stake? Shared hosting means more than just sharing a server. If one site gets hacked there is a chance malware infecting one site can spread to others on the same shared hosting space!

INTRODUCTIONWhat’s at Stake?If your site is compromised, and hackers get their way, your site will nowserve a nefarious purpose such as: Redirect visitors to a web site that will attempt to install malicious software. Compromise a shared hosting (soup kitchen) server and infect other web sites. Phish for sensitive information. Display spam to your visitors that you can’t see. Hijack links to other sections of your web site, such as ‘Contact’, and send visitors to an entirely different site.

INTRODUCTIONWhat’s at Stake?If your WordPress site is infected with malware it could be blacklisted byGoogle and other search engines! [ Source: http://www.malware-info.com/mal_faq_inject.html ]

THREATS EXPLAINED – BRUTE FORCE ATTACKSa.k.a. When bored hackers with password cracking programsdecide to cruise for fun on a Friday night.

THREATS EXPLAINED – BRUTE FORCE ATTACKSWhat is a brute force attack?[ Source: http://www.inmotionhosting.com/support/website/wordpress/wordpress-security-preventing-brute-force-attacks-on-admin-login ]

THREATS EXPLAINED – BRUTE FORCE ATTACKSHow often do brute force attacks happen? Brute force attacks happen all the time!Peter Abraham over at DNI Dynamic Net, Inc. wrote on October 15, 2012 “If you asked me fromSeptember 2012 forward, the answer would change dramatically with WordPress Brute ForceAttacks now exceeding 50% of all attacks being reported.”[source: http://www.dynamicnet.net/2012/10/wordpress-brute-force-attacks/][ Source: http://freethegnu.wordpress.com/2010/09/22/yet-another-ssh-brute-force-attack-and-how-to-protect-against-it-with-iptables-and-sshguard/ ]

THREATS EXPLAINED – BRUTE FORCE ATTACKSWhat’s the purpose of a brute force attack?If your account has administrator permissions they can do all sorts of ‘fun’ things to your site.One of the most common reasons for a brute force attack is to inject malware into your files ordatabase.

THREATS EXPLAINED - MALWARENot Firefly-related.Not that I’d mind Captain Malcolm Reynolds getting into myWordPress installation.#fullfrontalnerdity

THREATS EXPLAINED - MALWAREWhat is Malware?Malware is software designed to harvest sensitive information or gain access to computersystems. On a WordPress installation malware can be injected into your source code, database,.htaccess files etc. Malware hijacks the purpose of visiting your site for its programmed agenda.Who Creates Malware? Why?What sort of person creates malware? Why do people create malware? • Young programmers with something • Petty theft to prove • Cybercrime • Older, more experienced, virus • Support for spammers writers who write malware • Distributed network attacks professionally • Stealing electronic currency • ‘Researchers’ who create malware as proof of concept projects • ...and many more. [Source: http://www.securelist.com/en/threats/detect?chapter=72 ]

THREATS EXPLAINED - MALWAREMalware - Backdoors Malware - Drive-by Downloads“A backdoor lets an attacker gain access to “The point of a drive-by download is often toyour environment via what you would download a payload onto your user’s localconsider to be abnormal methods — FTP, machine. One of the most common payloadsSFTP, WP-ADMIN, etc…” informs the user that their website has been[ Source: infected and that they need to install an anti-http://wp.smashingmagazine.com/2012/10/09/four- virus product...”malware-infections-wordpress/ ] [ Source: http://wp.smashingmagazine.com/2012/10/09/four- malware-infections-wordpress/ ] Malware – Malicious Redirects “When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.” [ Source: http://wp.smashingmagazine.com/2012/10/09/four- malware-infections-wordpress/ ]

THREATS EXPLAINED - MALWAREMalware – Pharma Hacks“Pharma hack is one of the most prevalent infections around. It should not be confused withmalware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’refound to be distributing SPAM, you run the risk of being flagged by Google…”[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ] [ Source: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php ]

THREATS EXPLAINED - MALWAREHow does malware infect WordPress?Old and outdated plugins, themes, and WordPress installations may have holes in their securitythat can be exploited.Malware is injected into a file or your database where it hijacks your visitors experience whenthey visit your web site. Its written using a Web 2.0 language, usually PHP, Javascript, Ruby,Perl, etc. Because WordPress is so widely distributed and open-source there is not only anexcellent chance there are outdated installations with security holes but the code of thoseinstallations is free for a hacker to study.Third-party plugins and themes may have backdoors coded into them that allow access tohackers. (eg. Tim Thumb hack) [ Source: http://www.intechgrity.com/timthumb-vulerability-how-it-got-hacked-how-to-recover/# ]

THREATS EXPLAINED - MALWAREHow do I know I’m infected? Plugins that help scan your site • Formatting/theme is altered Sucuri Sitecheck Malware Scaner • You run a plugin that tells you http://wordpress.org/extend/plugins/sucuri- • Links/text have been inserted at the scanner/ bottom of the website • Warning in search results WordFence Security • Browsing the website with Google http://wordpress.org/extend/plugins/wordfe Chrome results in a warning nce/ (Multi-site support in beta!)

THREATS EXPLAINED - MALWAREHow do I know I’m infected? • Google Webmaster Tools messages [ www.google.com/webmasters/tools/ ] • Google’s pretty good about notifying webmasters when it sees weird stuff going on.Example: Notice of Suspected Hacking on http://www.yourwebsite.com/ May 17, 2012 Dear owner or webmaster of http://www.yourwebsite.com/, We are writing to let you know that some pages from http://www.yourwebsite.com/ will be labeled as potentially compromised in our search results. This is because some of your pages contain content which may harm the quality and relevance of our search results. It appears that these pages were created or modified by a third party, who may have hacked all or part of your site. Many times, they will upload files or modify existing ones, which then show up as spam in our index. The following are some example URLs which exhibit this behavior:

THREATS EXPLAINED - MALWAREHow do I get rid of Malware? Scan your Web site for possible infections by using the free service below: sitecheck.sucuri.net/scanner If you have an infection, I highly recommend hiring Sucuri.net to clean it up for you. They specialize in removing malware infections and they’re quick, specialized, and inexpensive. You could hire a developer to comb through your infected code, database, and .htaccess files. However, most developers don’t specialize in malware removal and when you pay an hourly rate for that inexperience you may be better off hiring a specialist.

PASSWORDS & ADMINISTRATIVE USERSIf you’re starting to fall asleep, wake up!This is the most important section I’ll be talking about today.

YOUR PASSWORD & ADMINISTRATIVE USERSCreating your Password Further ReadingWhen creating a password, do NOT use: Common passwords to avoid • Your birthdate, wedding http://www.labnol.org/internet/common- anniversary, or dates of birth of your passwords-to-avoid/14136/ children or spouse • Your name, username, company Avoiding Common Passwords name, names of your children or http://www.passworddragon.com/avoid- spouse common-passwords • Your SIN number • Only numbers or only letters • A short, easy to remember, password • The word, ‘password’. No, not even ‘password01’ or ‘password2012’ • No words found in a dictionary of any language (BUT WAIT! We’ll talk about multi-word passwords very soon!)

YOUR PASSWORD & ADMINISTRATIVE USERSCreating your PasswordWhen creating a password, do use: • At least 10 characters • A mix of numbers, upper and lower case letters, and special characters • A password you have never used before • Have a system or mnemonicPassword Generatorwww.StrongPasswordGenerator.comGot to Password Meter to test the strength of your new password - www.PasswordMeter.comBrute Force calculator: https://www.grc.com/haystack.htmFurther ReadingSalting Passwordshttp://www.onextrapixel.com/2011/11/02/wordpress-security-how-to-secure-wordpress-thoroughly/

YOUR PASSWORD & ADMINISTRATIVE USERSCreating your Password – Multi-word combo passwords [ Source: http://xkcd.com/936/ ]

YOUR PASSWORD & ADMINISTRATIVE USERSMulti-word combo passwords Test your password outMulti-word combo passwords are more likely https://www.grc.com/haystack.htmto be remembered but there are a few thingsto consider: My coworker came up with and tested: • The words must be random Staple2Deers@dawn • The words must not relate And found it would take 1.34 billion trillion • Throw in upper & lower cases centuries to crack using brute force. • Throw in numbers • Throw in special characters Further Reading “Numbers substituted for letters is really, Which are more secure, multi-wordreally bad. Most password applications will passwords or passwords made using atry that before they do plain English,...” combination of letters, numbers and[ Source: http://www.nettechblog.com/yes-your- symbols?passwords-suck-hints-on-creating-solid-passwords/ ] http://www.quora.com/Which-are-more- secure-multi-word-passwords-or-passwords- made-using-a-combination-of-letters- numbers-and-symbols

YOUR PASSWORD & ADMINISTRATIVE USERSRemembering your Password DO NOT store it in an obvious place! • NOT on a sticky note on your monitor • NOT in your daily planner Use a Password Keeper • www.keepass.info • https://agilebits.com/OnePassword • http://www.lastpass.com Don’t Panic! Password recovery is built into WordPress!

YOUR PASSWORD & ADMINISTRATIVE USERSPassword Recovery Always keep your email up to date on your WordPress site!

YOUR PASSWORD & ADMINISTRATIVE USERSStrong, Unique Passwords aren’t just for WordPressThe way you communicate with your web host should also be secure. You want strongpasswords for: • Your cPanel user • Your FTP user (which you should make different from your cPanel user) • Your MySQL database user • Your PHPMyAdmin userUse SFTP to move files to your hosting space Every password should be different!Try to use SFTP for your file transfers. SFTP If you use a different password forstands for Secure File Transfer Protocol and it every service you have accounts for,uses encrypted SSH transport for it’soperations. you minimize the amount of damage a hacker can do! http://filezilla-project.org/

YOUR PASSWORD & ADMINISTRATIVE USERSAdministration Users If you have an administrator-level user named ‘Admin’ or ‘Administrator’ get rid of it!Create a new administrator user Remove your old administrator user1. Log into WordPress as your current 1. Log into WordPress as your new admin admin user2. Create a new user 2. Go to Users and delete your old admin3. Give it a name other than Admin or user Administrator 3. Or, set your old Admin user’s role to4. Assign your new user an ‘administrator’ ‘subscriber’ and change the password to role something ridiculously long and complex

YOUR PASSWORD & ADMINISTRATIVE USERSAdministration UsersYou don’t need to write posts as an administrator! Keep your administrator user separate fromyour blog-writing user. Hackers can find your username from your postsIf you go to Your Profile you can change what your name is displayed as. I recommend changingthis from the default of your username to something else.Clean up old admin accounts PASSWORD STRENGTH IS KEY!If you’ve got old admin accounts sitting The best security for your administration useraround – like ones that you’ve created for is having a strong passworddevelopers to work on your site with, removethem. Make sure you reset your admin passwordsNot all of your users need to be on a regular basis and make sure you haventadministrators, either. If you have used that password elsewhere before!contributors to your site, test out varioussettings to see how much access they reallyneed.

UPDATES & HOUSEKEEPINGIf only my condo was as clean as my server.

UPDATES & HOUSEKEEPINGUpdates The majority of hacked WordPress sites are not updated! Updates include: • Core WordPress files • Themes • Plugins Outdated WordPress files, themes, and plugins can have holes in security that can be exploited by malware![ Source: WPbeginner.com ]

UPDATES & HOUSEKEEPINGChallenges to Updating Recommended ReadingTheme hasn’t been coded according to WP WordPress Codex: Updating WordPressbest guidelines and the site breaks if you http://codex.wordpress.org/Updating_Wordupgrade. PressPlug-in has been abandoned by thedeveloper and you’re afraid to update yourcore files or you continue using the pluginyears after it’s been abandoned.You’re afraid to update because you’re notvery web-savvy. Abandoned Plugin Suggestion Matt Jones (http://pluginchief.com/) suggests a plugin adoption program: http://digwp.com/2012/10/abandoned- plugin-adoption-program/

UPDATES & HOUSEKEEPINGBacking up before updatingUsing an SFTP program (filezilla-project.org),back up all your web files to yourComputer.Using PHPMyAdmin or cPanel to back yourdatabase up.Never leave .sql or other database backupfiles on your server!http://vaultpress.com/ Update Now!It’s not free but it’s highly recommended. WordPress Codex: WordPressBackups http://codex.wordpress.org/WordPress_Back ups

UPDATES & HOUSEKEEPINGSafety First! Safe themes and pluginsCurtis McHale, who spoke at WordCamp Edmonton 2011 (you can view his slide show here:http://www.slideshare.net/curtismchale) is part of a team that checks themes submitted to theWordPrss.org repository to make sure they are secure and well-formed.If you are interested in joining the WordPress Theme Review Team:http://make.wordpress.org/themes/about/how-to-join-wptrt/ This page has a list of usefulplugins that they use to examine a theme and may be useful for anyone developing their owntheme. http://www.woothemes.com/ http://wordpress.org/extend/themes/ Has a good reputation for paid themes. Themes are vetted by teams of Volunteers and are free. Nothing is 100% un-hackable!

UPDATES & HOUSEKEEPINGHousekeeping Removing WordPress VersionDont leave files on your server that may give Altering your functions.php file:hackers information about yours site or old http://www.wpbeginner.com/wp-code that may be exploitable: tutorials/the-right-way-to-remove- • .sql backups wordpress-version-number/ • readme files • inactive plugins and themes • Phpinfo.phpFurther Readinghttp://resources.infosecinstitute.com/hardening-wordpress/http://wiki.dreamhost.com/Harden_WordPressHow to: Stop the Hacker by Hardening WPhttp://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html

UPDATES & HOUSEKEEPINGUse a plugin to change your database prefix Manually change your database prefixAlso this plugin can help you change your Change your database prefixdatabase prefix: http://digwp.com/2010/10/change-http://wordpress.org/extend/plugins/wp- database-prefix/security-scan/ If you are setting up a new WordPress siteI use this plugin to scan my site on a regular the option is there to change your databasebasis. prefix when you first set it up.WP Security Scan

UPDATES & HOUSEKEEPINGThe scary world of CHMOD Equally scary .htaccess!Check permissions of upload, upgrade, and .htaccess is a powerful file when usedbackup directories correctly! You can use it to secure: • wp-config.phpWordPress Codex – Changing File • set up admin access from your IP onlyPermissions: • ban bad usershttp://codex.wordpress.org/Changing_File_P • stop directory browsingermissions • prevent access to /wp-content/ • protect your .htaccess file! Protect Your WordPress Site with .htaccess http://www.netmagazine.com/tutorials/prot If you change your permalink ect-your-wordpress-site-htaccess structure any customization Securing directories with .htaccess: on your .htaccess file may be http://digwp.com/2012/09/secure-media- overwritten! uploads/ How to Password Protect your WP Admin http://www.wpbeginner.com/wp- tutorials/how-to-password-protect-your- wordpress-admin-wp-admin-directory/

HOSTINGHosting Good Hosts (caveat emptor)When it comes to hosting, you get what you Recommended on WordPress.orgpay for. $5/month hosting is cheap but it’s Bluehost: http://www.bluehost.com/not terribly secure. You take your chanceswith shared hosting. DreamHost: http://www.dreamhost.com/ Laughing Squid: http://laughingsquid.us/How to identify a good WordPress host?A good WordPress host will mention what Recommended by WooThemessteps they take to provide you with a secure WPEngine: http://wpengine.com/hosting environment or how they caterspecifically to WordPress installations. Examples of good hostsSadly, many bloggers are paid to shill for Hardening WordPress on Dreamhosthosting companies so you have to do your http://wiki.dreamhost.com/Harden_WordPredue diligence when it comes to picking a sshost. WP Engine’s list of disallowed plugins http://support.wpengine.com/disallowed- plugins/

PLUG-INSPlugins Brute Force BlockingPlugins are not the be all and end all when it User Locker:comes to security. http://wordpress.org/extend/plugins/user- locker/That being said, here are some plugins youmay find useful. Don’t use them all at once! Limit Login Attempts: http://wordpress.org/extend/plugins/limit- login-attempts/Malware Scanning / Blocking General SecuritySucuri Sitecheck Malware Scanner Wordfence Security:http://wordpress.org/extend/plugins/sucuri- http://wordpress.org/extend/plugins/wordfescanner/ nce/Block Bad Queries: WP Security Scan:http://wordpress.org/extend/plugins/block- http://wordpress.org/extend/plugins/wp-bad-queries/ security-scan/

CONCLUSIONIn Conclusion Recommended ReadingThere are many more tips and tricks than http://my.safaribooksonline.com/book/-what I’ve covered here but I’m trying to keep /9781849512107things simple. http://blog.sucuri.net/category/wordpressTry as you might your security will never beperfect but the good news is you can easily http://codex.wordpress.org/Hardening_Wormake yourself less of a target by taking a few, dPresssimple, security precautions. http://blogvault.net/wordpress-security-1- securing-wp-config-php/Knowing how to protect yourself is the firststep towards a safe, secure WordPress site. http://www.copyblogger.com/wordpress- website-security/(The second step is to actually implementsome of this advice.) http://www.wpsecuritylock.com/dreamhost- one-click-wordpress-installed-timthumb- vulnerability-and-security-risks/ http://www.instantfundas.com/2011/12/qui ck-guide-to-secure-wordpress-setup.html

CREDIT WHERE CREDIT IS DUECredits:Cow hide photo in title graphic by Sherrie Thai of ShaireProductionshttp://www.flickr.com/photos/shaireproductions/3766840922/Bashful Cow purchased from istockphoto.com“Let’s have fun” scary graphic purchased from istockphoto.comHerd Infection photo purchased from istockphoto.comSocial Media icons from respective social media web sites‘Common passwords to avoid’ posterhttp://www.etsy.com/listing/52531459/500-worst-passwords-poster-fold-downSpecial thanks to:Adriel Michaud @ TopDraw.com for his inputSarah Sinfield @ KickPoint.ca for encouraging meCurtis McHale @ CurtisMcHale.com for inspiring meMy partner who makes sure my fuzzy blanket supply never runs out

http://www.topdraw.com	2237
http://www.conseilsmarketing.com	141
http://anthonyadam.wordpress.com	20
http://www.clinoba.pt	14
https://twitter.com	12
http://kingchange9161.wordpress.com	3
http://www3.gobiernodecanarias.org	1
http://webcache.googleusercontent.com	1

Beefy WordPress Security Wordcamp 2012 by Tammy Lee

by topdraw on Nov 16, 2012

Accessibility

Categories

Upload Details

Usage Rights

8 Embeds 2,429

Statistics

Beefy WordPress Security Wordcamp 2012 by Tammy Lee Presentation Transcript