Now That's What I Call WordPress Security 2010

My WordCamp Chicago 2010 WordPress Security presentation


Comments
  • The setup in the video no longer works. And all other links in comment are fake too. But luckily, we found a working one here (copy paste link in browser): www.goo.gl/yT1SNP
  • Nice work and easy to follow. I have not been careful enough with my WP installs.

    Now That's What I Call WordPress Security 2010: Presentation Transcript

    • Props @tweetsfromchris
    • Who Am I? Brad Williams: Co-Founder of WebDevStudios.com, Organizer of the NJ WordPress Meetup, Co-Host of the SitePoint Podcast, Co-Author of Professional WordPress (http://bit.ly/pro-wp)
    • The Goal of this Presentation…
    • The Goal of this Presentation… … Is to scare the crap out of you!
    • The Goal of this Presentation… … and then make everything better with the best security tips!
    • Topics
      • Example WordPress Hacks
      • Securing Your WordPress Website
      • How to Clean Up a Hacked Site
      • Recommended Plugins
    • Who Do Hackers Target?
    • Who Do Hackers Target? YOU
    • Who Is Safe?
    • Who Is Safe? NO ONE
    • Scared Yet?
    • Example WordPress Hack: Hacker bot finds a security hole on your website
    • Example WordPress Hack: Hacker bot hides a file in your WordPress installation (Akismet.cache.php is NOT an Akismet file)
    • Example WordPress Hack: Hacker bot can now trigger this file/code remotely
    • Example WordPress Hack: Common hacker bot script jobs
      • Add spam content and links to your websites theme files
      • Create posts and pages with spam content and links
      • Delete posts/pages/settings wreaking havoc on your site
      • etc, etc, bad stuff, etc, etc
    • CSS Hides the Spam: <b style="display:none">Any text you want to hide</b>
    • Hidden Spam Links
    • Only Noobs Get Hacked
    • WRONG!
    • Scobleizer.com: HACKED
    • Scobleizer.com: HACKED
    • Scobleizer.com: HACKED
    • Pearsonified.com: HACKED
    • FeaturedContentGallery.com: HACKED
    • Make it Stop!
    • Palate Cleanser
    • Securing WordPress
    • Don't use the admin account. If you are using the admin account you are wrong! Make it hard on the hacker: if they already know your username that's half the battle. Either change the username in MySQL:
      UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
      Or create a new/unique account with administrator privileges:
      • Create a new account. Make the username very unique
      • Assign account to Administrator role
      • Log out and log back in with new account
      • Delete admin account (WordPress asks which user should receive the old account's posts; reassign them rather than deleting them)
      Note that the UPDATE above changes only the login name. The user_nicename column, which is the slug in author archive URLs (/author/admin/), stays "admin" until you change it too, so the new-account route leaks less.
    • Don’t use the admin account WordPress 3.0 lets you set the administrator username during the installation process!
    • The Great Permission Debate: What folder permissions should you use?
      • Good Rule of Thumb:
      • Files should be set to 644
      • Folders should be set to 755
      Start with the defaults above; if you can't upload, increase privileges (ie 775, 777). Permission levels vary depending on server configuration. Keep in mind that 777 makes a directory writable by every account on the machine, which on a shared host means every other customer; fixing the owner/group so 755 works is the better repair.
    • The Great Permission Debate: Permissions can be set via FTP, or via SSH with the following commands (the semicolon must be escaped so the shell passes it to find):
      find [your path here] -type d -exec chmod 755 {} \;
      find [your path here] -type f -exec chmod 644 {} \;
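The two find commands from the slide wrapped as a reusable script, plus an audit that lists anything that has drifted from the 644/755 baseline (for example a plugin that chmod'ed its cache directory to 777). This is an added example, not code from the talk; it assumes a Unix host where the account running it owns the WordPress files and where 644/755 is the right baseline, and the function names wp_fix_perms and wp_perm_drift are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk: apply the 644/755 baseline to a
# WordPress tree and audit it for drift. Assumes a Unix host where the
# account running this owns the files; the function names are this
# example's own.

# wp_fix_perms DIR: directories 755, regular files 644.
wp_fix_perms() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # '{} +' passes many paths to one chmod; the talk's '{} \;' form runs
  # chmod once per path and gives the same result, just slower.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# wp_perm_drift DIR: print every path whose mode no longer matches the
# baseline, one per line, and return 1 if there were any. Run it from
# cron after the initial fix: a freshly 777'd uploads folder or a
# world-writable plugin file shows up here before it becomes a foothold.
wp_perm_drift() {
  root=$1
  drift=$( {
    find "$root" -type d ! -perm 755 | sed 's/^/dir  /'
    find "$root" -type f ! -perm 644 | sed 's/^/file /'
  } )
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Usage:
#   wp_fix_perms /var/www/html     # one-off reset
#   wp_perm_drift /var/www/html    # non-zero exit when anything drifted
```

Directories that genuinely need to be writable by the web server (uploads, a cache) will appear in the audit output; review that list rather than blindly re-running the fix, since the slide's advice to go to 775/777 where uploads fail is a conscious exception you want to keep visible.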
    • Move the wp-config.php file: WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root. WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory. If WordPress is located here: public_html/wordpress/wp-config.php, you can move your wp-config.php file to here: public_html/wp-config.php. The point is to keep the file out of the web-served tree, so that a server misconfiguration that stops executing PHP cannot hand the file (and your database password) to a browser. Two caveats: the benefit is real only when the parent directory is outside the document root (WordPress in public_html/, wp-config.php next to public_html/); in the subdirectory layout above the file is still under public_html and still web-reachable. And the PHP process can read it from disk wherever it lives, so the file permissions still matter. WordPress only looks in the parent directory if that directory does not itself contain a wp-settings.php, i.e. is not another WordPress install.
    • Move the wp-content Directory: WordPress 2.6 added the ability to move the wp-content directory
      1. Move your wp-content directory
      2. Make two additions to wp-config.php:
      define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
      define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content');
      If you have compatibility issues with plugins there are two optional settings:
      define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
      define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');
      If hackers can't find your wp-content folder, they can't hack it! In practice this is obscurity only: the new location appears in every stylesheet, script and image URL in your page source, so any scanner that reads the HTML finds it immediately. What it does defeat is the dumb bot that blindly requests /wp-content/plugins/<name>/... paths without looking.
    • Remove WordPress Version from Header: Viewing source on most WP sites will reveal the version they are running. This helps hackers find vulnerable WP blogs running older versions:
      <meta name="generator" content="WordPress 2.9.2" /> <!-- leave this for stats -->
      To remove it, find the code below in the header.php file of your theme and delete it:
      <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
      The wp_head function also includes the WP version in your header. To remove that, drop this line of code in your theme's functions.php file:
      remove_action('wp_head', 'wp_generator');
      Themes and plugins might also display versions in your header. Be aware that this hides only the generator tag: the same version number is still visible in the ?ver= query string WordPress appends to its own scripts and stylesheets and in the generator element of your RSS feed, and hiding it does nothing about the vulnerability itself. Treat it as a minor speed bump, not a substitute for updating.
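A check for the leak the slide warns about, run against a saved copy of a page. This is an added example, not code from the talk. It reports the generator tag and every ?ver= query string on enqueued assets, the latter being what remove_action leaves in place; the sample HTML, the output format and the function names wp_version_leaks and wp_sample_page are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the talk: report WordPress version leaks in a
# saved HTML page. The generator tag is the obvious one; the ?ver= query
# string core appends to its own scripts and styles survives
# remove_action('wp_head', 'wp_generator') and leaks the same number.
# Function names and the sample page are constructed for this example.

# wp_version_leaks FILE: print "<source> <version>" lines for every leak
# found; return 1 when there is at least one, 0 for a clean page.
wp_version_leaks() {
  file=$1
  gen=$(sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/generator \1/p' "$file")
  ver=$(grep -o '?ver=[0-9][0-9.]*' "$file" | sort -u | sed 's/?ver=/asset-query /')
  found=$(printf '%s\n%s\n' "$gen" "$ver" | sed '/^$/d')
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# wp_sample_page: a constructed head section with both leak types.
# jquery's ?ver= is the library's own version, not WordPress's; the report
# lists it too, which is why the source column matters when reading it.
wp_sample_page() {
  cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 2.9.2" />
<link rel="stylesheet" href="http://domain.com/wp-content/themes/mytheme/style.css?ver=2.9.2" />
<script src="http://domain.com/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
<script src="http://domain.com/wp-includes/js/comment-reply.js?ver=2.9.2"></script>
</head><body></body></html>
EOF
}

# Usage: curl -s http://domain.com/ > page.html && wp_version_leaks page.html
```

Deleting the generator tag from the sample page still leaves two asset-query lines, which is the point: a theme stylesheet registered without its own version number gets the WordPress version appended, so the number is in the page even after the meta tag is gone.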
    • Stay Current on Updates: Keep WordPress core, plugins, and theme files up to date. The plugin Changelog tab makes it very easy to view what has changed in a new plugin version. The recent WordPress hack only affected outdated WordPress installs.
    • Use Secure Passwords: Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc. BAD PASSWORD: bradrocks. GOOD PASSWORD: S-gnop2D[6@8. Great resource: toughpassword.com, which creates random passwords. WordPress will tell you when you have it right. Use a different password for each of these services, and remember that plain FTP sends the password in clear text on every connection; use SFTP or FTPS where your host offers it.
    • Use Secret Keys: The secret keys and salts are random values WordPress mixes into the hashes it uses to sign authentication cookies and nonces, so that someone who knows the cookie format (or steals a database dump) still cannot forge a login cookie without them. They are not the salt for stored passwords; WordPress hashes passwords separately with a per-password salt.
      1. Edit wp-config.php. BEFORE:
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('AUTH_SALT', 'put your unique phrase here');
      define('SECURE_AUTH_SALT', 'put your unique phrase here');
      define('LOGGED_IN_SALT', 'put your unique phrase here');
      define('NONCE_SALT', 'put your unique phrase here');
      2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt. AFTER:
      define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
      define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
      define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
      define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
      define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
      define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
      define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
      define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
      The AFTER values above are only an illustration of what the generator returns; they have been published on this slide, so never paste them into a real site. You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again.
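The same eight lines generated locally, as an added example that is not part of the talk: the api.wordpress.org URL is fine, but you may prefer not to fetch secrets over the network, and the AFTER values printed on the slide are public and must not be reused. The function names wp_random_key and wp_salts are this example's own; it assumes a /dev/urandom device and a tr that accepts -d and -c (GNU and BSD both do).

```shell
#!/bin/sh
# Added example, not from the talk: generate the eight wp-config.php key
# and salt defines locally from /dev/urandom rather than fetching them from
# api.wordpress.org. Function names are this example's own.

# wp_random_key LEN: LEN characters from the kernel CSPRNG. The character
# set deliberately omits the single quote and the backslash so the value
# can sit inside a single-quoted PHP string without escaping.
wp_random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=,.<>?/~:;|' < /dev/urandom | head -c "$1"
  echo
}

# wp_salts: print the full block, 64 characters per value like the
# official generator. Paste it over the placeholder lines in wp-config.php;
# every existing login cookie becomes invalid the moment the file is saved.
wp_salts() {
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$name" "$(wp_random_key 64)"
  done
}

# Usage: wp_salts
```

Each value is drawn independently, so the eight lines never share material; re-running the function is the "rotate all keys" operation the slide describes, with the same effect of logging everyone out.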
    • Change WordPress Table Prefix
      1. Edit wp-config.php before installing WordPress
      2. Change the prefix wp_ to something unique:
      /**
       * WordPress Database Table prefix.
       *
       * You can have multiple installations in one database if you give each a unique
       * prefix. Only numbers, letters, and underscores please!
       */
      $table_prefix = 'drupal_';
      All database tables will now have a unique prefix (ie drupal_posts). This only stops SQL injection payloads that hard-code the wp_ table names; an injection that can read information_schema learns the real prefix in one query, so it is a speed bump for mass-exploitation scripts, not a fix for the injection.
    • Force SSL Login and Admin Access. Set the below option in wp-config.php to force SSL (https) on login:
      define('FORCE_SSL_LOGIN', true);
      Set the below option in wp-config.php to force SSL (https) on all admin pages:
      define('FORCE_SSL_ADMIN', true);
      FORCE_SSL_LOGIN was deprecated in WordPress 4.0; on current releases FORCE_SSL_ADMIN covers both. Either way the server needs a valid certificate for the site's hostname first, or the redirect only produces browser errors.
    • .htaccess lockdown
      1. Create a .htaccess file in your wp-admin directory
      2. Add the following lines of code:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      #IP address to Whitelist
      allow from 67.123.83.59
      allow from 123.123.123.123
      Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin. Two caveats: order/deny/allow is Apache 2.2 syntax (Apache 2.4 replaced these directives with Require, so translate before copying), and wp-admin/admin-ajax.php is requested by many plugins and themes on behalf of ordinary logged-out visitors, so a blanket block on the directory can break front-end features for everyone outside the whitelist; exempt that one file if you see breakage.
    • Clean Up a Hacked Site
    • Step 1: Delete Everything and Start Over!
    • OR
    • Step 1: Do a Fresh Install of WordPress
      • Delete, don’t overwrite, all original WordPress files
      • Upload fresh copies of all WordPress core files
      Be sure to backup your theme, plugins, media, etc
    • Step 2: Re-install All Plugins
      • Install fresh copies of all WP plugins you need
      • DON'T use the same plugin files from the hacked site
    • Step 3: Re-install Your Theme
      • If possible install a fresh copy of your theme
      • If using the old theme be sure to inspect every file for hack code
    • Step 4: Change all Passwords and Keys
      • Change your passwords: WordPress, FTP, MySQL
      • Verify the hacker didn’t create another user, if so delete it
      • Update your secret keys in wp-config.php (as shown earlier)
    • Step 5: Scan Database for Malicious Code
      • Look for common hack keywords:
        • eval, base64, strrev, iframe, noscript, display (as in display:none)
      • Use WordPress Exploit Scanner plugin (discussed later)
      Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
      Run the same LIKE checks against wp_comments and wp_options as well (siteurl, home, active_plugins and widget text are favourite places to park a redirect or a script tag), substituting your own prefix for wp_ if you changed it.
    • Step 6: Verify folder/file permissions
      • Check all folder and file permissions are correct
      • Reset to 755 on folders and 644 on files if needed
    • Step 7: Pray
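A file-side companion to the SQL query in Step 5, as an added example that is not from the talk: it greps the WordPress tree for the same marker strings, and also flags the two things a database query cannot see, PHP files dropped into wp-content/uploads and hidden dotfiles (the Akismet.cache.php from the opening example relied on a plausible name; a dotfile relies on not being listed at all). The pattern list and the function name wp_scan_files are this example's own, and because base64_decode and eval also appear in legitimate code, hits are a reading list, not a verdict.

```shell
#!/bin/sh
# Added example, not from the talk: a grep pass over a WordPress tree
# for the marker strings Step 5 searches the database for, plus two
# things a database query cannot see. It is a triage aid: legitimate
# plugins also call base64_decode, so read every hit before deleting.
# The pattern and the function name are this example's own.

# Extended regex; 'eval *\(' catches both eval( and eval (.
WP_HACK_PATTERN='eval *\(|base64_decode|strrev|gzinflate|<iframe|<noscript|display: *none'

# wp_scan_files DIR: print "<reason>:<path>" lines, return 1 on any hit.
wp_scan_files() {
  root=$1
  hits=$( {
    # PHP under uploads: WordPress never writes PHP there; an attacker
    # does, because it is the one tree that has to be web-writable.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
      | sed 's/^/php-in-uploads:/'
    # Hidden files are easy to miss in FTP listings. .htaccess is
    # expected and skipped; anything else starting with a dot is listed.
    find "$root" -type f -name '.*' ! -name .htaccess \
      | sed 's/^/hidden-file:/'
    # Marker strings in PHP and JavaScript sources.
    grep -rlE --include='*.php' --include='*.js' "$WP_HACK_PATTERN" "$root" 2>/dev/null \
      | sed 's/^/marker:/'
  } )
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Usage: wp_scan_files /var/www/html
```

Run it before Step 1 as well as after: the "before" output tells you which plugin directory the payload lived in, which is worth knowing when you decide what to reinstall.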
    • Recommended Security Plugins
    • WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/
    • WP-MalWatch http://wordpress.org/extend/plugins/wp-malwatch/
      • Nightly security scan
      • Detects files based on configurable file patterns
      • Detects hidden files
    • ServerBuddy http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
    • WordPress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/
    • WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/
    • Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
    • WordPress Security Resources
      • Security Related Codex Articles
        • http://codex.wordpress.org/Hardening_WordPress
        • http://codex.wordpress.org/Changing_File_Permissions
        • http://codex.wordpress.org/Editing_wp-config.php
        • http://codex.wordpress.org/htaccess_for_subdirectories
      • Blog Security Articles
        • http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
        • http://www.growmap.com/wordpress-exploits/
        • http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
        • http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
        • http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
        • http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
      • Clean A Hacked Site
        • http://codex.wordpress.org/FAQ_My_site_was_hacked
        • http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
        • http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
        • http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
        • http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
    • Contact: Brad Williams, [email_address], Blog: strangework.com, Twitter: @williamsba, IRC: WDS-Brad, http://www.slideshare.net/williamsba
    • Tweet: @williamsba WordPress Security Rocks! #wcchicago Win a copy of Professional WordPress!