WordCamp Mid-Atlantic WordPress Security

My WordPress Security presentation given at WordCamp Mid-Atlantic 2010.

  1. Props @tweetsfromchris
  2. Who Am I?
      Brad Williams
      Co-Founder of WebDevStudios.com
      Organizer NJ/Philly WordPress Meetup
      Co-Host SitePoint Podcast
      Co-Author of Professional WordPress (http://bit.ly/pro-wp)
  3. The Goal of this Presentation…
  4. The Goal of this Presentation… …Is to scare the crap out of you!
  5. The Goal of this Presentation… …and then make everything better with the best security tips!
  6. Topics
      • Example WordPress Hacks
      • Securing Your WordPress Website
      • How to Clean Up a Hacked Site
      • Hosting Considerations
      • Recommended Plugins
  7. Who Do Hackers Target?
  8. Who Do Hackers Target? YOU
  9. Who Is Safe?
  10. Who Is Safe? NO ONE
  11. Scared Yet?
  12. Example: Hacker bot finds a security hole on your website
      [diagram: WordPress]
  13. Example: Hacker bot hides a file in your WordPress installation
      Akismet.cache.php is NOT an Akismet file
      [diagram: WordPress]
  14. Example: Hacker bot can now trigger this file/code remotely
      [diagram: WordPress, Hacker Bot]
  15. Example: Common Hacker bot script jobs
      • Add spam content and links to your website's theme files
      • Create posts and pages with spam content and links
      • Delete posts/pages/settings wreaking havoc on your site
      • etc, etc, bad stuff, etc, etc
      [diagram: WordPress, Hacker Bot]
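The defender's counterpart to slides 12 to 15, added here as an example that is not part of the original deck: take a hash snapshot of the WordPress tree while it is known good and compare against it later, which is the kind of check the WordPress File Monitor plugin listed at the end performs. It assumes GNU coreutils (sha256sum) and paths without whitespace; the mini site and the dropped-in file are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the slides: snapshot-and-compare integrity check
# for a WordPress install. Assumes sha256sum (GNU coreutils) and file paths
# without whitespace, because awk splits the snapshot lines on spaces.

# Write "hash  ./path" for every file under $1 into file $2, sorted by path.
snapshot_tree() {
  ( cd "$1" && find . -type f -print0 | xargs -0 sha256sum | sort -k2 ) > "$2"
}

# Compare the live tree $1 against baseline file $2 (must be non-empty) and
# print one line per change: ADDED / MODIFIED / REMOVED plus the path.
# Empty output means nothing changed.
check_tree() {
  now=$(mktemp)
  snapshot_tree "$1" "$now"
  awk 'NR == FNR { base[$2] = $1; next }          # first file: the baseline
       {
         seen[$2] = 1
         if (!($2 in base))        print "ADDED    " $2
         else if (base[$2] != $1)  print "MODIFIED " $2
       }
       END { for (p in base) if (!(p in seen)) print "REMOVED  " p }' "$2" "$now" | sort
  rm -f "$now"
}

# Constructed fixture: a tiny install with a genuine plugin file and a theme.
make_demo_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/akismet" "$d/wp-content/themes/mytheme"
  echo '<?php // genuine plugin file' > "$d/wp-content/plugins/akismet/akismet.php"
  echo '<?php // theme footer'        > "$d/wp-content/themes/mytheme/footer.php"
  echo "$d"
}

# Constructed fixture of what the slides describe: a foreign file dropped next
# to a real plugin, and hidden spam appended to a theme file.
simulate_hack() {
  echo '<?php /* placeholder standing in for a dropped file */' \
    > "$1/wp-content/plugins/akismet/Akismet.cache.php"
  echo '<b style="display:none">spam link</b>' >> "$1/wp-content/themes/mytheme/footer.php"
}

site=$(make_demo_site)
baseline=$(mktemp)
snapshot_tree "$site" "$baseline"     # taken while the site is known good
simulate_hack "$site"
check_tree "$site" "$baseline"        # prints the ADDED and MODIFIED lines
rm -rf "$site" "$baseline"
```

Keep the baseline file outside the web root (and ideally off the server), otherwise whatever modifies the tree can also rewrite the snapshot.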
  16. CSS Hides the Spam
      <b style="display:none">Any text you want to hide</b>
  17. Hidden Spam Links
  18. Only Noobs Get Hacked
  19. WRONG! Only Noobs Get Hacked
  20. Scobleizer.com: HACKED
  21. Scobleizer.com: HACKED
  22. Scobleizer.com: HACKED
  23. Pearsonified.com: HACKED
  24. FeaturedContentGallery.com: HACKED
  25. Make it Stop!
  26. Palette Cleanser
  27. Securing WordPress
  28. Don't use the admin account
      If you are using the admin account you are wrong!
      Either change the username in MySQL:
        UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
      Or create a new/unique account with administrator privileges:
        1. Create a new account. Make the username very unique
        2. Assign account to Administrator role
        3. Log out and log back in with new account
        4. Delete admin account
      Make it hard on the hacker! If they already know your username that's half the battle.
  29. Don't use the admin account
      WordPress 3.0 lets you set the administrator username during the installation process!
  30. The Great Permission Debate
      What folder permissions should you use?
      Good Rule of Thumb:
      • Files should be set to 644
      • Folders should be set to 755
      Start with the default settings above. If your host requires 777…SWITCH HOSTS!
      Permission levels vary depending on server configuration.
  31. The Great Permission Debate
      Permissions can be set via FTP, or via SSH with the following commands:
        find [your path here] -type d -exec chmod 755 {} \;
        find [your path here] -type f -exec chmod 644 {} \;
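An added example (not from the slides) that turns the rule of thumb above into a check: list anything that is not 644/755, count what is world-writable (which is what a host that insists on 777 leaves you with), and then apply the two find commands. The mini install is a constructed fixture.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress tree against the
# 644-for-files / 755-for-folders rule of thumb, then apply the fix.

# Every directory that is not exactly 755 and every file that is not exactly 644.
list_perm_offenders() {
  find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# How many paths anyone on the server can write to (the "other" write bit set);
# a host that "requires 777" leaves you with a non-zero answer here.
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# The slide's two find commands. The ';' must be escaped so the shell hands
# it to find instead of treating it as a command separator.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
}

# Constructed fixture: a mini install with two deliberately wrong modes.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-admin"
  touch "$d/wp-config.php" "$d/wp-content/index.php" "$d/wp-admin/index.php"
  chmod 755 "$d" "$d/wp-content" "$d/wp-admin"
  chmod 644 "$d/wp-content/index.php" "$d/wp-admin/index.php"
  chmod 777 "$d/wp-content/uploads"   # what a permissive host would ask for
  chmod 666 "$d/wp-config.php"        # database credentials, writable by anyone
  echo "$d"
}

tree=$(make_demo_tree)
echo "before: $(count_world_writable "$tree") world-writable path(s)"
list_perm_offenders "$tree"
fix_perms "$tree"
echo "after:  $(count_world_writable "$tree") world-writable path(s)"
rm -rf "$tree"
```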
  32. Move the wp-config.php file
      WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root.
      If WordPress is located here:   public_html/wordpress/wp-config.php
      You can move your wp-config.php file to here:   public_html/wp-config.php
      WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
      This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website's root directory.
  33. Move the wp-content Directory
      WordPress 2.6 added the ability to move the wp-content directory
      1. Move your wp-content directory
      2. Make two additions to wp-config.php:
        define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
        define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
      If you have compatibility issues with plugins there are two optional settings:
        define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
        define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
      If hackers can't find your wp-content folder, they can't hack it!
  34. Stay Current on Updates
      Keep WordPress core, plugins, and theme files up to date.
      Recent WordPress hack only affected outdated WordPress installs.
      The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
  35. Use Secure Passwords
      Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
      BAD PASSWORD: bradrocks
      GOOD PASSWORD: S-gnop2D[6@8
      WordPress will tell you when you have it right.
      Great resource: toughpassword.com (creates random passwords)
  36. Use Secret Keys
      A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
      1. Edit wp-config.php
      2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
      BEFORE:
        define('AUTH_KEY', 'put your unique phrase here');
        define('SECURE_AUTH_KEY', 'put your unique phrase here');
        define('LOGGED_IN_KEY', 'put your unique phrase here');
        define('NONCE_KEY', 'put your unique phrase here');
        define('AUTH_SALT', 'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT', 'put your unique phrase here');
        define('NONCE_SALT', 'put your unique phrase here');
      AFTER:
        define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
        define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
        define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
        define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
        define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
        define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
        define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
        define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
      You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again.
  37. Change WordPress Table Prefix
      1. Edit wp-config.php before installing WordPress
      2. Change the prefix wp_ to something unique:
        /**
         * WordPress Database Table prefix.
         *
         * You can have multiple installations in one database if you give each a unique
         * prefix. Only numbers, letters, and underscores please!
         */
        $table_prefix = 'wtf_';
      All database tables will now have a unique prefix (ie wtf_posts)
  38. Force SSL Login and Admin Access
      Set the below option in wp-config.php to force SSL (https) on login:
        define('FORCE_SSL_LOGIN', true);
      Set the below option in wp-config.php to force SSL (https) on all admin pages:
        define('FORCE_SSL_ADMIN', true);
  39. .htaccess lockdown
      1. Create a .htaccess file in your wp-admin directory
      2. Add the following lines of code:
        AuthUserFile /dev/null
        AuthGroupFile /dev/null
        AuthName "Access Control"
        AuthType Basic
        order deny,allow
        deny from all
        #IP address to Whitelist
        allow from 67.123.83.59
        allow from 123.123.123.123
      Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin
  40. Hosting Considerations
  41. You Get What You Pay For
  42. Shared Hosting
      [diagram: Shared Hosting Server packed with many Websites]
  43. Shared Hosting: What's wrong with that guy?
      [diagram: Shared Hosting Server packed with many Websites]
  44. Shared Hosting: Oh frack!
      [diagram: Shared Hosting Server packed with many Websites]
  45. Shared Hosting: braaaaains
      [diagram: Shared Hosting Server packed with many Websites]
  46. #protip
  47. Invest In Your Website: Go VPS or Dedicated
  48. Clean Up a Hacked Site
  49. Step 1: Delete Everything and Start Over!
  50. OR
  51. Step 1: Do a Fresh Install of WordPress
      • Delete, don't overwrite, all original WordPress files
      • Upload fresh copies of all WordPress core files
      Be sure to back up your theme, plugins, media, etc
  52. Step 2: Re-install All Plugins
      • Install fresh copies of all WP plugins needed
      • DON'T use the same plugin files from the hacked site
  53. Step 3: Re-install Your Theme
      • If possible install a fresh copy of your theme
      • If using the old theme be sure to inspect every file for hack code
  54. Step 4: Change all Passwords and Keys
      • Change your passwords: WordPress, FTP, MySQL
      • Verify the hacker didn't create another user; if so, delete it
      • Update your secret keys in wp-config.php (as shown earlier)
  55. Step 5: Scan Database for Malicious Code
      • Look for common hack keywords: eval, base64, strrev, iframe, noscript, display
      • Use WordPress Exploit Scanner plugin (discussed later)
      Example SQL:
        SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
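An added example (not from the slides) that runs the Step 5 keyword list over a mysqldump text file instead of one keyword in one table: the patterns are tightened a little (eval( rather than eval, so "medieval" does not match) and the display:none trick from the "CSS Hides the Spam" slide is included. The dump rows are a constructed fixture.

```shell
#!/bin/sh
# Added example, not from the slides: scan a SQL dump of the site for the
# keyword list on the Step 5 slide. Patterns are anchored a little more
# tightly than the bare words so ordinary prose does not trip them.

# eval(  base64_decode(  strrev(  <iframe  <noscript  display:none
HACK_PATTERNS='eval\(|base64_decode\(|strrev\(|<iframe|<noscript|display: *none'

# Print one line per suspicious dump line, reduced to "table id=N" when the
# line is a single-row INSERT, otherwise the raw line.
scan_dump() {
  grep -i -E "$HACK_PATTERNS" "$1" \
    | sed -E 's/^INSERT INTO `?([A-Za-z0-9_]+)`? VALUES \(([0-9]+),.*/\1 id=\2/'
}

# Number of suspicious rows; 0 means nothing on the list was found.
scan_count() {
  scan_dump "$1" | wc -l | tr -d ' '
}

# Constructed fixture in mysqldump style: two clean rows (one contains
# "Medieval" and "evaluated"), one hidden-spam post, one injected widget
# option, and one post carrying an eval/base64 placeholder.
make_demo_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'2010-05-01','Hello world! This is my first post.');
INSERT INTO `wp_posts` VALUES (2,'2010-05-02','Medieval history, evaluated fairly.');
INSERT INTO `wp_posts` VALUES (3,'2010-05-03','<b style="display:none">cheap pills</b>');
INSERT INTO `wp_options` VALUES (7,'widget_text','<iframe src="http://example.invalid/x"></iframe>');
INSERT INTO `wp_posts` VALUES (4,'2010-05-04','<?php eval(base64_decode("...")); ?>');
EOF
  echo "$f"
}

dump=$(make_demo_dump)
echo "suspicious rows: $(scan_count "$dump")"   # 3
scan_dump "$dump"
rm -f "$dump"
```

Scanning wp_options as well as wp_posts matters because text widgets and plugin settings live there, and the slide's single-table query would miss them.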
  56. Step 6: Verify folder/file permissions
      • Check all folder and file permissions are correct
      • Reset to 755 on folders and 644 on files if needed
  57. Step 7: Pray
  58. Recommended Security Plugins
  59. WP Security Scan
      http://wordpress.org/extend/plugins/wp-security-scan/
  60. ServerBuddy
      http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
  61. WordPress Exploit Scanner
      http://wordpress.org/extend/plugins/exploit-scanner/
  62. WordPress File Monitor
      http://wordpress.org/extend/plugins/wordpress-file-monitor/
  63. Login Lockdown
      http://wordpress.org/extend/plugins/login-lockdown/
  64. WordPress Security Resources
      Security Related Codex Articles
      › http://codex.wordpress.org/Hardening_WordPress
      › http://codex.wordpress.org/Changing_File_Permissions
      › http://codex.wordpress.org/Editing_wp-config.php
      › http://codex.wordpress.org/htaccess_for_subdirectories
      Blog Security Articles
      › http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
      › http://www.growmap.com/wordpress-exploits/
      › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
      › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
      › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
      Clean A Hacked Site
      › http://codex.wordpress.org/FAQ_My_site_was_hacked
      › http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
      › http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
      › http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
      › http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
  65. Contact
      Brad Williams
      brad@webdevstudios.com
      Blog: strangework.com
      Twitter: @williamsba
      IRC: WDS-Brad
      http://www.slideshare.net/williamsba
  66. Tweet: @williamsba WordPress Security Rocks! #wcma
      Win a copy of Professional WordPress!