Now That's What I Call WordPress Security 2010

Props @tweetsfromchris

Brad Williams Co-Founder of WebDevStudios.com Organizer NJ WordPress Meetup Co-Host SitePoint Podcast Co-Author of Professional WordPress (http://bit.ly/pro-wp) Who Am I?

The Goal of this Presentation…

The Goal of this Presentation… … Is to scare the crap out of you!

The Goal of this Presentation… … and then make everything better with the best security tips!

Example WordPress Hacks
Securing Your WordPress Website
How to Clean Up a Hacked Site
Recommended Plugins
Topics

Who Do Hackers Target?

Who Do Hackers Target? YOU

Who Is Safe?

Who Is Safe? NO ONE

Scared Yet?

Example WordPress Hacker bot finds a security hole on your website

Example Hacker bot hides a file in your WordPress installation WordPress Akismet.cache.php is NOT an Akismet file

Example WordPress Hacker Bot Hacker bot can now trigger this file/code remotely

Example WordPress Hacker Bot Common Hacker bot script jobs
Add spam content and links to your websites theme files
Create posts and pages with spam content and links
Delete posts/pages/settings wreaking havoc on your site
etc, etc, bad stuff, etc, etc

<b style=“display:none”>Any text you want to hide</b> CSS Hides the Spam

Hidden Spam Links

Only Noobs Get Hacked

WRONG!

Scobleizer.com: HACKED

Pearsonified.com: HACKED

FeaturedContentGallery.com: HACKED

Make it Stop!

Palette Cleanser

Securing WordPress

Don’t use the admin account UPDATE wp_users SET user_login='newuser' WHERE user_login='admin'; If you are using the admin account you are wrong! Either change the username in MySQL:
Or create a new/unique account with administrator privileges.
Create a new account. Make the username very unique
Assign account to Administrator role
Log out and log back in with new account
Delete admin account
Make it hard on the hacker! If they already know your username that’s half the battle

Don’t use the admin account WordPress 3.0 lets you set the administrator username during the installation process!

The Great Permission Debate What folder permissions should you use?
Good Rule of Thumb:
Files should be set to 644
Folders should be set to 755
Start with the default settings above if you can’t upload increase privileges (ie 775, 777) Permission levels vary depending on server configuration

The Great Permission Debate Permissions can be set via FTP find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Or via SSH with the following commands

Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory You can move your wp-config.php file to here WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory public_html/wordpress/wp-config.php If WordPress is located here: public_html/wp-config.php

Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins'); If you have compatibility issues with plugins there are two optional settings If hackers can’t find your wp-content folder, they can’t hack it!

Remove WordPress Version from Header Viewing source on most WP sites will reveal the version they are running This helps hackers find vulnerable WP blogs running older versions <meta name="generator" content="WordPress 2.9.2" />  To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />  Themes and plugins might also display versions in your header. The wp_head function also includes the WP version in your header To remove drop this line of code in your themes functions.php file remove_action('wp_head', 'wp_generator');

Stay Current on Updates Keep WordPress core, plugins, and theme files up to date The plugin Changelog tab makes it very easy to view what has changed in a new plugin version Recent WordPress hack only affected outdated WordPress installs

Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc BAD PASSWORD: bradrocks Great resource: toughpassword.com Creates random passwords GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right

Use Secret Keys define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); 1. Edit wp-config.php A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt BEFORE define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); AFTER You can add/change secret keys at anytime. This will invalidate all existing cookies and require your users to login again

Change WordPress Table Prefix /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘drupal_'; 1. Edit wp-config.php before installing WordPress All database tables will now have a unique prefix (ie drupal_posts) 2. Change the prefix wp_ to something unique:

Force SSL Login and Admin Access define('FORCE_SSL_LOGIN', true); Set the below option in wp-config.php to force SSL (https) on login Set the below option in wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true);

.htaccess lockdown AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.123 1. Create a .htaccess file in your wp-admin directory Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin 2. Add the following lines of code:

Clean Up a Hacked Site

Step 1: Delete Everything and Start Over!

Step 1: Do a Fresh Install of WordPress
Delete, don’t overwrite, all original WordPress files
Upload fresh copies of all WordPress core files
Be sure to backup your theme, plugins, media, etc

Step 2: Re-install All Plugins
Install fresh copies of all WP plugins need
DON’T use the same plugin files from the hacked site

Step 3: Re-install Your Theme
If possible install a fresh copy of your theme
If using the old theme be sure to inspect every file for hack code

Step 4: Change all Passwords and Keys
Change your passwords: WordPress, FTP, MySQL
Verify the hacker didn’t create another user, if so delete it
Update your secret keys in wp-config.php (as shown earlier)

Step 5: Scan Database for Malicious Code
Look for common hack keywords:
eval, base64, strrev, iframe, noscript, display
Use WordPress Exploit Scanner plugin (discussed later)
Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'

Step 6: Verify folder/file permissions
Check all folder and file permissions are correct
Reset to 755 on folders and 644 on files if needed

Step 7: Pray

Recommended Security Plugins

WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/

WP-MalWatch http://wordpress.org/extend/plugins/wp-malwatch/
Nightly security scan
Detects files based on configurable file patterns
Detects hidden files

ServerBuddy http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/

WordPress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/

WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/

Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/

Security Related Codex Articles
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Changing_File_Permissions
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/htaccess_for_subdirectories
Blog Security Articles
http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
http://www.growmap.com/wordpress-exploits/
http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
Clean A Hacked Site
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
WordPress Security Resources

Brad Williams [email_address] Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad http://www.slideshare.net/williamsba Contact

Tweet: @williamsba WordPress Security Rocks! #wcchicago Win a copy of Professional WordPress!

http://sideradesign.com	385
http://www.slideshare.net	168
http://university.webdesign.com	91
http://webdesign.com	56
http://basicblogsetup.com	16
http://wordpress.hyperarts.com	5
http://www.ig.gmodules.com	1
http://twitter.com	1

Now That's What I Call WordPress Security 2010

by Brad Williams on Jun 05, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

8 Embeds 723

Statistics

Now That’s What I Call WordPress Security 2010 — Presentation Transcript