Now That's What I Call WordPress Security 2010
My WordCamp Chicago 2010 WordPress Security presentation

Published in: Technology, Business
Comments

  • Nice work and easy to follow. I have not been careful enough with my WP installs.
Transcript of "Now That's What I Call WordPress Security 2010"

  1. Props @tweetsfromchris
  2. Who Am I? Brad Williams: Co-Founder of WebDevStudios.com; Organizer, NJ WordPress Meetup; Co-Host, SitePoint Podcast; Co-Author of Professional WordPress (http://bit.ly/pro-wp)
  3. The Goal of this Presentation…
  4. The Goal of this Presentation… …Is to scare the crap out of you!
  5. The Goal of this Presentation… …and then make everything better with the best security tips!
  6. Topics
     • Example WordPress Hacks
     • Securing Your WordPress Website
     • How to Clean Up a Hacked Site
     • Recommended Plugins
  7. Who Do Hackers Target?
  8. Who Do Hackers Target? YOU
  9. Who Is Safe?
  10. Who Is Safe? NO ONE
  11. Scared Yet?
  12. Example: Hacker bot finds a security hole on your website
  13. Example: Hacker bot hides a file in your WordPress installation. Akismet.cache.php is NOT an Akismet file
  14. Example: Hacker bot can now trigger this file/code remotely
  15. Example: Common hacker bot script jobs
      • Add spam content and links to your website's theme files
      • Create posts and pages with spam content and links
      • Delete posts/pages/settings, wreaking havoc on your site
      • etc, etc, bad stuff, etc, etc
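The dropped-file scenario in slides 13 to 15 is exactly what a file-integrity baseline catches. The script below is an added example written for this page, not code from the talk or from any of the plugins it recommends: it hashes every file under a WordPress tree into a manifest and diffs a later manifest against it, so a newly planted Akismet.cache.php or a theme file that gained hidden markup is listed by name. The directory layout and file contents in demo() are constructed for the illustration.

```python
"""File-integrity baseline for a WordPress install (added example; not from the slides).

Records a SHA-256 manifest of every file under a directory and later diffs a fresh
manifest against it, so a dropped file such as the slide's Akismet.cache.php shows
up as "added" and a tampered theme file as "modified".
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest: dict, path: str) -> None:
    """Store the baseline outside the web root, where the bot cannot rewrite it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario: a clean install, then a bot drops a file and edits the theme."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "wp-config.php": "<?php // constructed sample config\n",
            "wp-content/plugins/akismet/akismet.php": "<?php // constructed plugin stub\n",
            "wp-content/themes/mytheme/header.php": "<html><head></head>\n",
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        baseline = build_manifest(root)

        # Simulated compromise: a dropped file with a plugin-looking name, plus a theme edit.
        with open(os.path.join(root, "wp-content/plugins/akismet/Akismet.cache.php"), "w") as fh:
            fh.write("<?php // constructed: not a real Akismet file\n")
        with open(os.path.join(root, "wp-content/themes/mytheme/header.php"), "a") as fh:
            fh.write('<b style="display:none">hidden spam</b>\n')
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run build_manifest right after a clean install or update and save the result somewhere the web server cannot write; a nightly diff then gives the same signal the WordPress File Monitor plugin on slide 56 provides, without depending on code that lives inside the site being watched.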
  16. CSS Hides the Spam
      <b style="display:none">Any text you want to hide</b>
  17. Hidden Spam Links
  18. Only Noobs Get Hacked
  19. WRONG!
  20. Scobleizer.com: HACKED
  21. Scobleizer.com: HACKED
  22. Scobleizer.com: HACKED
  23. Pearsonified.com: HACKED
  24. FeaturedContentGallery.com: HACKED
  25. Make it Stop!
  26. Palate Cleanser
  27. Securing WordPress
  28. Don't use the admin account. If you are using the admin account you are wrong! Either change the username in MySQL:
      UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
      Or create a new/unique account with administrator privileges:
      1. Create a new account. Make the username very unique
      2. Assign account to Administrator role
      3. Log out and log back in with new account
      4. Delete admin account
      Make it hard on the hacker! If they already know your username, that's half the battle
  29. Don't use the admin account. WordPress 3.0 lets you set the administrator username during the installation process!
  30. The Great Permission Debate: What folder permissions should you use? Good rule of thumb:
      • Files should be set to 644
      • Folders should be set to 755
      Start with the default settings above; if you can't upload, increase privileges (i.e. 775, 777). Permission levels vary depending on server configuration
  31. The Great Permission Debate: Permissions can be set via FTP, or via SSH with the following commands:
      find [your path here] -type d -exec chmod 755 {} \;
      find [your path here] -type f -exec chmod 644 {} \;
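The two find/chmod commands on slide 31 reset everything at once but do not tell you what was wrong beforehand, which is the first thing you want to know on a site that has been loosened to 777 "to make uploads work". The following is an added example written for this page, not code from the talk: it audits a tree against the 644/755 rule of thumb from slide 30, reports each deviation with its severity (world-writable is the one that matters most, since any other local user or a compromised PHP process can then rewrite your files), and can apply the policy afterwards. The sample tree in demo() is constructed.

```python
"""Permission audit for a WordPress tree (added example; not from the slides).

Walks a directory and lists every entry that deviates from the rule of thumb
(files 644, directories 755), calling out world-writable modes such as 777
separately, since those let any local process rewrite your files.
"""
import os
import stat
import tempfile


def audit_permissions(root: str, file_mode: int = 0o644, dir_mode: int = 0o755) -> list:
    """Return (relative_path, actual_mode, finding) for entries that do not match policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]
        for name, expected in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is not meaningful; audit its target separately
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode == expected:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:
                finding = "world-writable"
            elif mode & stat.S_IWGRP:
                finding = "group-writable"
            else:
                finding = "non-standard"
            findings.append((rel, oct(mode), finding))
    return sorted(findings)


def apply_policy(root: str, file_mode: int = 0o644, dir_mode: int = 0o755) -> int:
    """Reset modes to policy (what the slide's two find/chmod commands do); returns count changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name, expected in [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            if stat.S_IMODE(os.lstat(full).st_mode) != expected:
                os.chmod(full, expected)
                changed += 1
    return changed


def demo() -> dict:
    """Constructed tree: one correct file, a 664 config, and a 777 uploads dir with a 666 file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content/uploads"))
        sample_files = {
            "index.php": 0o644,
            "wp-config.php": 0o664,
            "wp-content/uploads/cache.php": 0o666,
        }
        for rel, mode in sample_files.items():
            full = os.path.join(root, rel)
            open(full, "w").close()
            os.chmod(full, mode)
        os.chmod(os.path.join(root, "wp-content"), 0o755)
        os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
        before = audit_permissions(root)
        fixed = apply_policy(root)
        after = audit_permissions(root)
    return {"before": before, "fixed": fixed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run audit_permissions first and read the list before touching anything: a world-writable wp-content/uploads is usually the hosting provider's doing and is worth a conversation, while a 666 .php file inside uploads is a finding in its own right, since that directory should never need to hold executable code.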
  32. Move the wp-config.php file. WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root. This makes it nearly impossible for anyone to access your wp-config.php file, as it now resides outside of your website's root directory. WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
      If WordPress is located here: public_html/wordpress/wp-config.php
      You can move your wp-config.php file to here: public_html/wp-config.php
  33. Move the wp-content Directory. WordPress 2.6 added the ability to move the wp-content directory. If hackers can't find your wp-content folder, they can't hack it!
      1. Move your wp-content directory
      2. Make two additions to wp-config.php:
      define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
      define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
      If you have compatibility issues with plugins there are two optional settings:
      define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
      define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
  34. Remove WordPress Version from Header. Viewing source on most WP sites will reveal the version they are running:
      <meta name="generator" content="WordPress 2.9.2" /> <!-- leave this for stats -->
      This helps hackers find vulnerable WP blogs running older versions. To remove it, find the code below in the header.php file of your theme and remove it:
      <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
      Themes and plugins might also display versions in your header. The wp_head function also includes the WP version in your header; to remove it, drop this line of code in your theme's functions.php file:
      remove_action('wp_head', 'wp_generator');
  35. Stay Current on Updates. Keep WordPress core, plugins, and theme files up to date. The plugin Changelog tab makes it very easy to view what has changed in a new plugin version. Recent WordPress hack only affected outdated WordPress installs
  36. Use Secure Passwords. Use strong passwords to protect your website from dictionary attacks, not just for WordPress, but also FTP, MySQL, etc.
      BAD PASSWORD: bradrocks
      GOOD PASSWORD: S-gnop2D[6@8
      WordPress will tell you when you have it right. Great resource: toughpassword.com creates random passwords
  37. Use Secret Keys. A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. You can add/change secret keys at any time; this will invalidate all existing cookies and require your users to log in again.
      1. Edit wp-config.php. BEFORE:
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('AUTH_SALT', 'put your unique phrase here');
      define('SECURE_AUTH_SALT', 'put your unique phrase here');
      define('LOGGED_IN_SALT', 'put your unique phrase here');
      define('NONCE_SALT', 'put your unique phrase here');
      2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
      AFTER:
      define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
      define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
      define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
      define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
      define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
      define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
      define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
      define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
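The BEFORE block on slide 37 is the state most hacked sites are still in: placeholder keys that every attacker already knows. The script below is an added example written for this page, not code from the talk or from WordPress itself: it parses the eight define() lines out of a wp-config.php, flags keys that are still the placeholder, repeated, missing or too short, and can mint replacements locally with Python's secrets module as an alternative to fetching them from the api.wordpress.org URL on the slide. The 32-character minimum is this example's own threshold (the WordPress service issues 64-character values), and SAMPLE_CONFIG is constructed from the slide's placeholder and AFTER values.

```python
"""Checker for the eight secret keys/salts in wp-config.php (added example; not from the slides).

Flags keys still set to the placeholder text, keys that repeat, missing keys, and
keys that are too short, and can generate replacements locally with `secrets`.
"""
import re
import secrets
import string

REQUIRED = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # this example's threshold; api.wordpress.org issues 64-character values
# define( 'NAME', 'value' )  -- value may contain any character except an unescaped quote
DEFINE_RE = re.compile(r"""define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)""")


def parse_defines(config_text: str) -> dict:
    """Map constant name to value for every single-quoted define() in the text."""
    return {name: value for name, value in DEFINE_RE.findall(config_text)}


def check_secret_keys(config_text: str) -> list:
    """Return (constant_name, problem) tuples; an empty list means all eight look fine."""
    defines = parse_defines(config_text)
    problems = []
    seen = {}  # value -> first constant that used it, for duplicate detection
    for name in REQUIRED:
        value = defines.get(name)
        if value is None:
            problems.append((name, "missing"))
            continue
        if value == PLACEHOLDER:
            problems.append((name, "placeholder"))
            continue
        if len(value) < MIN_LENGTH:
            problems.append((name, "too short"))
        if value in seen:
            problems.append((name, "duplicate of " + seen[value]))
        else:
            seen[value] = name
    return problems


def generate_defines() -> str:
    """Emit eight fresh define() lines from the OS CSPRNG; no network call needed."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.~"
    lines = []
    for name in REQUIRED:
        value = "".join(secrets.choice(alphabet) for _ in range(64))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


# Constructed sample: two placeholders left in place, one duplicated key, one short salt.
SAMPLE_CONFIG = """
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY',        'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('AUTH_SALT',        'short');
define('SECURE_AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
"""

if __name__ == "__main__":
    for name, problem in check_secret_keys(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
    print(generate_defines())
```

The generated alphabet deliberately leaves out the single quote and the backslash so the values drop straight into a single-quoted PHP string; as the slide notes, replacing the keys logs every user out, so do it during the cleanup on slide 47 rather than mid-day on a busy site.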
  38. Change WordPress Table Prefix
      1. Edit wp-config.php before installing WordPress
      2. Change the prefix wp_ to something unique:
      /**
       * WordPress Database Table prefix.
       *
       * You can have multiple installations in one database if you give each a unique
       * prefix. Only numbers, letters, and underscores please!
       */
      $table_prefix = 'drupal_';
      All database tables will now have a unique prefix (i.e. drupal_posts)
  39. Force SSL Login and Admin Access. Set the below option in wp-config.php to force SSL (https) on login:
      define('FORCE_SSL_LOGIN', true);
      Set the below option in wp-config.php to force SSL (https) on all admin pages:
      define('FORCE_SSL_ADMIN', true);
  40. .htaccess lockdown
      1. Create a .htaccess file in your wp-admin directory
      2. Add the following lines of code:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      #IP address to Whitelist
      allow from 67.123.83.59
      allow from 123.123.123.123
      Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin
  41. Clean Up a Hacked Site
  42. Step 1: Delete Everything and Start Over!
  43. OR
  44. Step 1: Do a Fresh Install of WordPress
      • Delete, don't overwrite, all original WordPress files
      • Upload fresh copies of all WordPress core files
      Be sure to back up your theme, plugins, media, etc.
  45. Step 2: Re-install All Plugins
      • Install fresh copies of all WP plugins needed
      • DON'T use the same plugin files from the hacked site
  46. Step 3: Re-install Your Theme
      • If possible, install a fresh copy of your theme
      • If using the old theme, be sure to inspect every file for hack code
  47. Step 4: Change all Passwords and Keys
      • Change your passwords: WordPress, FTP, MySQL
      • Verify the hacker didn't create another user; if so, delete it
      • Update your secret keys in wp-config.php (as shown earlier)
  48. Step 5: Scan Database for Malicious Code
      • Look for common hack keywords: eval, base64, strrev, iframe, noscript, display
      • Use WordPress Exploit Scanner plugin (discussed later)
      Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
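The keyword list on slide 48 is the right set of indicators, but the raw LIKE '%eval%' query also returns every post mentioning "medieval" or "retrieval", and "display" alone matches any legitimate CSS. The script below is an added example written for this page, not code from the talk or from the Exploit Scanner plugin: it tightens each keyword into the shape it takes in injected code (a call with a parenthesis, an opening tag, or the display:none rule from slide 16) and runs them over rows dumped from wp_posts, returning the matching snippet so you can judge each hit. SAMPLE_POSTS is constructed; the one base64 string in it decodes to the word "constructed".

```python
"""Indicator scan for hacked content (added example; not from the slides).

Tightens the slide's keyword list (eval, base64, strrev, iframe, noscript, display)
into patterns that match how they appear in injected code, so a post about
"medieval history" or a legitimate "display: block" rule does not trip the scan
the way a raw SQL LIKE '%eval%' would.
"""
import re

# Each indicator: a name and a compiled regex. Word boundaries plus the trailing
# "(" or the leading "<" keep ordinary prose and CSS from matching.
INDICATORS = [
    ("eval-call", re.compile(r"\beval\s*\(", re.I)),
    ("base64-decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("strrev-call", re.compile(r"\bstrrev\s*\(", re.I)),
    ("iframe-tag", re.compile(r"<iframe\b", re.I)),
    ("noscript-tag", re.compile(r"<noscript\b", re.I)),
    ("hidden-element", re.compile(r"display\s*:\s*none", re.I)),
]


def scan_text(text: str, context: int = 30) -> list:
    """Return (indicator_name, snippet) for every indicator found in text."""
    hits = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(text):
            start = max(0, m.start() - context)
            end = min(len(text), m.end() + context)
            hits.append((name, text[start:end]))
    return hits


def scan_posts(rows: list) -> dict:
    """rows are (post_id, post_content) pairs, like a dump of wp_posts; returns {post_id: hits}."""
    result = {}
    for post_id, content in rows:
        hits = scan_text(content)
        if hits:
            result[post_id] = hits
    return result


# Constructed sample rows standing in for SELECT ID, post_content FROM wp_posts.
SAMPLE_POSTS = [
    (1, "Notes on medieval castles and their retrieval from the archives."),
    (2, 'Great post! <b style="display:none"><a href="http://example.invalid/spam">cheap pills</a></b>'),
    (3, '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>'),
    (4, "Our sidebar uses .widget { display: block; } to lay out the menu."),
    (5, '<iframe src="http://example.invalid/hidden" width="0" height="0"></iframe>'),
]


if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        for name, snippet in hits:
            print(f"post {post_id}: {name}: {snippet!r}")
```

The same scan_text function works on theme and plugin files from slide 46: feed it each file's contents and treat any eval-call or base64-decode hit in a theme as something to read line by line, since themes rarely have a legitimate reason to call either.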
  49. Step 6: Verify folder/file permissions
      • Check all folder and file permissions are correct
      • Reset to 755 on folders and 644 on files if needed
  50. Step 7: Pray
  51. Recommended Security Plugins
  52. WP Security Scan: http://wordpress.org/extend/plugins/wp-security-scan/
  53. WP-MalWatch: http://wordpress.org/extend/plugins/wp-malwatch/
      • Nightly security scan
      • Detects files based on configurable file patterns
      • Detects hidden files
  54. ServerBuddy: http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
  55. WordPress Exploit Scanner: http://wordpress.org/extend/plugins/exploit-scanner/
  56. WordPress File Monitor: http://wordpress.org/extend/plugins/wordpress-file-monitor/
  57. Login Lockdown: http://wordpress.org/extend/plugins/login-lockdown/
  58. WordPress Security Resources
      Security Related Codex Articles
      › http://codex.wordpress.org/Hardening_WordPress
      › http://codex.wordpress.org/Changing_File_Permissions
      › http://codex.wordpress.org/Editing_wp-config.php
      › http://codex.wordpress.org/htaccess_for_subdirectories
      Blog Security Articles
      › http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
      › http://www.growmap.com/wordpress-exploits/
      › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
      › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
      › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
      Clean A Hacked Site
      › http://codex.wordpress.org/FAQ_My_site_was_hacked
      › http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
      › http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
      › http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
      › http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
  59. Contact: Brad Williams, brad@webdevstudios.com; Blog: strangework.com; Twitter: @williamsba; IRC: WDS-Brad; http://www.slideshare.net/williamsba
  60. Tweet: @williamsba WordPress Security Rocks! #wcchicago. Win a copy of Professional WordPress!