Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

Like this presentation? Why not share!

Now That's What I Call WordPress Security 2010



My WordCamp Chicago 2010 WordPress Security presentation

My WordCamp Chicago 2010 WordPress Security presentation



Total Views
Views on SlideShare
Embed Views



11 Embeds 1,052

http://sideradesign.com 389
http://webdesign.com 353
http://www.slideshare.net 168
http://university.webdesign.com 93
http://basicblogsetup.com 32
http://wordpress.hyperarts.com 7
http://lesson.dev 6
http://www.ig.gmodules.com 1
http://new.webdesign.com 1
http://www.coolryan.com 1
http://twitter.com 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • The            setup            in            the            video            no            longer            works.           
    And            all            other            links            in            comment            are            fake            too.           
    But            luckily,            we            found            a            working            one            here (copy paste link in browser) :            www.goo.gl/yT1SNP
    Are you sure you want to
    Your message goes here
  • Nice work and easy to follow. I have not been careful enough with my WP in
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Now That's What I Call WordPress Security 2010 Now That's What I Call WordPress Security 2010 Presentation Transcript

  • Props @tweetsfromchris
  • Brad Williams Co-Founder of WebDevStudios.com Organizer NJ WordPress Meetup Co-Host SitePoint Podcast Co-Author of Professional WordPress (http://bit.ly/pro-wp) Who Am I?
  • The Goal of this Presentation…
  • The Goal of this Presentation… … Is to scare the crap out of you!
  • The Goal of this Presentation… … and then make everything better with the best security tips!
    • Example WordPress Hacks
    • Securing Your WordPress Website
    • How to Clean Up a Hacked Site
    • Recommended Plugins
  • Who Do Hackers Target?
  • Who Do Hackers Target? YOU
  • Who Is Safe?
  • Who Is Safe? NO ONE
  • Scared Yet?
  • Example WordPress Hacker bot finds a security hole on your website
  • Example Hacker bot hides a file in your WordPress installation WordPress Akismet.cache.php is NOT an Akismet file
  • Example WordPress Hacker Bot Hacker bot can now trigger this file/code remotely
  • Example WordPress Hacker Bot Common Hacker bot script jobs
    • Add spam content and links to your websites theme files
    • Create posts and pages with spam content and links
    • Delete posts/pages/settings wreaking havoc on your site
    • etc, etc, bad stuff, etc, etc
  • <b style=“display:none”>Any text you want to hide</b> CSS Hides the Spam
  • Hidden Spam Links
  • Only Noobs Get Hacked
  • WRONG!
  • Scobleizer.com: HACKED
  • Scobleizer.com: HACKED
  • Scobleizer.com: HACKED
  • Pearsonified.com: HACKED
  • FeaturedContentGallery.com: HACKED
  • Make it Stop!
  • Palette Cleanser
  • Securing WordPress
  • Don’t use the admin account UPDATE wp_users SET user_login='newuser' WHERE user_login='admin'; If you are using the admin account you are wrong! Either change the username in MySQL:
    • Or create a new/unique account with administrator privileges.
    • Create a new account. Make the username very unique
    • Assign account to Administrator role
    • Log out and log back in with new account
    • Delete admin account
    Make it hard on the hacker! If they already know your username that’s half the battle
  • Don’t use the admin account WordPress 3.0 lets you set the administrator username during the installation process!
  • The Great Permission Debate What folder permissions should you use?
    • Good Rule of Thumb:
    • Files should be set to 644
    • Folders should be set to 755
    Start with the default settings above if you can’t upload increase privileges (ie 775, 777) Permission levels vary depending on server configuration
  • The Great Permission Debate Permissions can be set via FTP find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Or via SSH with the following commands
  • Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory You can move your wp-config.php file to here WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory public_html/wordpress/wp-config.php If WordPress is located here: public_html/wp-config.php
  • Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins'); If you have compatibility issues with plugins there are two optional settings If hackers can’t find your wp-content folder, they can’t hack it!
  • Remove WordPress Version from Header Viewing source on most WP sites will reveal the version they are running This helps hackers find vulnerable WP blogs running older versions <meta name=&quot;generator&quot; content=&quot;WordPress 2.9.2&quot; /> <!-- leave this for stats --> To remove find the code below in your header.php file of your theme and remove it <meta name=&quot;generator&quot; content=&quot;WordPress <?php bloginfo('version'); ?>&quot; /> <!-- leave this for stats please --> Themes and plugins might also display versions in your header. The wp_head function also includes the WP version in your header To remove drop this line of code in your themes functions.php file remove_action('wp_head', 'wp_generator');
  • Stay Current on Updates Keep WordPress core, plugins, and theme files up to date The plugin Changelog tab makes it very easy to view what has changed in a new plugin version Recent WordPress hack only affected outdated WordPress installs
  • Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc BAD PASSWORD: bradrocks Great resource: toughpassword.com Creates random passwords GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right
  • Use Secret Keys define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); 1. Edit wp-config.php A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt BEFORE define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); AFTER You can add/change secret keys at anytime. This will invalidate all existing cookies and require your users to login again
  • Change WordPress Table Prefix /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘drupal_'; 1. Edit wp-config.php before installing WordPress All database tables will now have a unique prefix (ie drupal_posts) 2. Change the prefix wp_ to something unique:
  • Force SSL Login and Admin Access define('FORCE_SSL_LOGIN', true); Set the below option in wp-config.php to force SSL (https) on login Set the below option in wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true);
  • .htaccess lockdown AuthUserFile /dev/null AuthGroupFile /dev/null AuthName &quot;Access Control&quot; AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from allow from 1. Create a .htaccess file in your wp-admin directory Only a user with the IP or can access wp-admin 2. Add the following lines of code:
  • Clean Up a Hacked Site
  • Step 1: Delete Everything and Start Over!
  • OR
  • Step 1: Do a Fresh Install of WordPress
    • Delete, don’t overwrite, all original WordPress files
    • Upload fresh copies of all WordPress core files
    Be sure to backup your theme, plugins, media, etc
  • Step 2: Re-install All Plugins
    • Install fresh copies of all WP plugins need
    • DON’T use the same plugin files from the hacked site
  • Step 3: Re-install Your Theme
    • If possible install a fresh copy of your theme
    • If using the old theme be sure to inspect every file for hack code
  • Step 4: Change all Passwords and Keys
    • Change your passwords: WordPress, FTP, MySQL
    • Verify the hacker didn’t create another user, if so delete it
    • Update your secret keys in wp-config.php (as shown earlier)
  • Step 5: Scan Database for Malicious Code
    • Look for common hack keywords:
      • eval, base64, strrev, iframe, noscript, display
    • Use WordPress Exploit Scanner plugin (discussed later)
    Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
  • Step 6: Verify folder/file permissions
    • Check all folder and file permissions are correct
    • Reset to 755 on folders and 644 on files if needed
  • Step 7: Pray
  • Recommended Security Plugins
  • WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/
  • WP-MalWatch http://wordpress.org/extend/plugins/wp-malwatch/
    • Nightly security scan
    • Detects files based on configurable file patterns
    • Detects hidden files
  • ServerBuddy http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
  • WordPress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/
  • WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/
  • Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
    • Security Related Codex Articles
      • http://codex.wordpress.org/Hardening_WordPress
      • http://codex.wordpress.org/Changing_File_Permissions
      • http://codex.wordpress.org/Editing_wp-config.php
      • http://codex.wordpress.org/htaccess_for_subdirectories
    • Blog Security Articles
      • http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
      • http://www.growmap.com/wordpress-exploits/
      • http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      • http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
      • http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
      • http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
    • Clean A Hacked Site
      • http://codex.wordpress.org/FAQ_My_site_was_hacked
      • http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
      • http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
      • http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
      • http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
    WordPress Security Resources
  • Brad Williams [email_address] Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad http://www.slideshare.net/williamsba Contact
  • Tweet: @williamsba WordPress Security Rocks! #wcchicago Win a copy of Professional WordPress!