WordPress Security from WordCamp NYC 2012 (Presentation Transcript)
WORDPRESS SECURITY BY BRAD WILLIAMS
Brad Williams @williamsba
WHO IS BRAD?
Brad Williams
Co-Founder WebDevStudios.com
Co-Author Professional WordPress & Professional WordPress Plugin Development
Co-Organizer WordCamp Philly
Co-Host WP Late Night
HAPPY BIRTHDAY TO BRAD
…and it’s my Birthday today!
TODAY’S TOPICS
• Security Stats
• Example Hack
• Top Security Tips
• Recommended Plugins & Services
• Resources
SECURITY STATS FOR WORDPRESS
SECURITY STATS
Websites
• 700+ million websites May 2012 (Netcraft)
• 300 million websites in 2011 (Pingdom)
• 10+ billion indexed pages (WorldWebSize)
Projected:
• 1 Billion websites by 2013
• 2 Billion websites by 2015
[Chart: websites by year, 2011 to 2015]
SECURITY STATS
WordPress Stats
• 73+ Million WordPress powered websites
• 16% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 Million WordPress sites by 2015
SECURITY STATS
Web Malware Stats
• 403 Million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 - 2011
SECURITY STATS
In Summary – Be Scared!
HACK EXAMPLE
Link Injection
Hacker bots look for known exploits (SQL Injection, folder permissions, etc). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
Hosting account contained two separate websites: WordPress and WordPress Multisite.
Hacker bot dropped a malicious file on the WP Multisite install.
WordPress Multisite starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.
WP Multisite contains no spam links; it acts as a carrier to spread the contamination. Cleaning up the WordPress website only resulted in more spam links a few days later.
375 spam links per page, only shown to search engines.
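An added example, not from Brad's slides: because the injected links are served only to search engines, a quick way to check a site for this kind of cloaking is to fetch the same page with a crawler user agent and with a browser user agent and compare the link counts. The live fetch assumes curl is installed; the demo runs offline on constructed pages.

```shell
#!/bin/sh
# Added example (not from the talk): spot cloaked spam links by comparing
# how many <a href> tags a page serves to a search-engine crawler with how
# many it serves to an ordinary browser.

# Count every anchor tag in an HTML file (grep -o reports each occurrence,
# so several links on one line are counted separately).
count_links() {
    grep -oi '<a[[:space:]][^>]*href=' "$1" | wc -l | tr -d ' '
}

# Print (crawler links - browser links); a positive number means cloaking.
cloak_delta() {
    echo $(( $(count_links "$1") - $(count_links "$2") ))
}

# Exit status 0 when the crawler copy carries extra links.
is_cloaked() {
    [ "$(cloak_delta "$1" "$2")" -gt 0 ]
}

# Live check (assumes curl is installed and the site is reachable):
#   fetch_pair https://example.com/ bot.html browser.html
fetch_pair() {
    curl -sS -A 'Googlebot/2.1 (+http://www.google.com/bot.html)' "$1" -o "$2"
    curl -sS -A 'Mozilla/5.0' "$1" -o "$3"
}

# Offline demo with constructed pages: the crawler copy carries the 375
# hidden links from the talk plus one real link, the browser copy only the
# real link. Prints "<delta> <yes|no>".
demo() {
    dir=$(mktemp -d)
    printf '<html><body><a href="/about">About</a></body></html>\n' > "$dir/browser.html"
    {
        printf '<html><body><a href="/about">About</a>\n'
        i=0
        while [ "$i" -lt 375 ]; do
            printf '<A HREF="http://links.example/%s">x</A>\n' "$i"
            i=$((i + 1))
        done
        printf '</body></html>\n'
    } > "$dir/bot.html"
    if is_cloaked "$dir/bot.html" "$dir/browser.html"; then verdict=yes; else verdict=no; fi
    echo "$(cloak_delta "$dir/bot.html" "$dir/browser.html") $verdict"
    rm -rf "$dir"
}
```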
Scared Yet?
TOP SECURITY TIPS FOR WORDPRESS
That’s It! Good luck!
TOP SECURITY TIPS FOR WORDPRESS
Securing WordPress
TOP SECURITY TIPS FOR WORDPRESS
1. Update Update Update
Keep WordPress Updated! Minor WordPress versions (ie 3.3.x) do NOT add new features. They contain bug fixes and security patches.
Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
NO EXCUSES! UPDATE!
TOP SECURITY TIPS FOR WORDPRESS
2. Use Secret Keys
Some secrets should remain secrets.
A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
1. Edit wp-config.php
BEFORE:
    define('AUTH_KEY',         'put your unique phrase here');
    define('SECURE_AUTH_KEY',  'put your unique phrase here');
    define('LOGGED_IN_KEY',    'put your unique phrase here');
    define('NONCE_KEY',        'put your unique phrase here');
    define('AUTH_SALT',        'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT',   'put your unique phrase here');
    define('NONCE_SALT',       'put your unique phrase here');
AFTER:
    define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
    define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
    define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
    define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
    define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
    define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
    define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
    define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
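An added example, not from the talk: a POSIX shell helper that takes the salt block downloaded from the URL above and splices it into a wp-config.php that still contains the placeholders, so the values never have to be pasted by hand. The file names and the salt values in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): splice fresh keys and salts from the
# WordPress secret-key API into a wp-config.php still holding placeholders.
# Live use: curl -sS https://api.wordpress.org/secret-key/1.1/salt > salts.txt
#           install_salts salts.txt /path/to/wp-config.php

# Replace every placeholder define() in CONFIG with the matching SALTS line.
install_salts() {
    salts=$1; config=$2
    awk '
        # First file: index each fresh define() line by its constant name.
        NR == FNR {
            if ($0 ~ /define\(/ && match($0, /[A-Z_]*(KEY|SALT)/))
                fresh[substr($0, RSTART, RLENGTH)] = $0
            next
        }
        # Second file: swap placeholder lines, pass everything else through.
        /define\(/ && /put your unique phrase here/ && match($0, /[A-Z_]*(KEY|SALT)/) {
            key = substr($0, RSTART, RLENGTH)
            if (key in fresh) { print fresh[key]; next }
        }
        { print }
    ' "$salts" "$config" > "$config.new" && mv "$config.new" "$config"
}

# Count define() lines in CONFIG that still carry the placeholder phrase.
placeholders_left() {
    grep -c 'put your unique phrase here' "$1" || true
}

# Offline demo with a constructed wp-config.php and made-up salt values;
# prints "<placeholders left> <constructed values installed>".
demo() {
    dir=$(mktemp -d)
    cat > "$dir/wp-config.php" <<'EOF'
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
EOF
    cat > "$dir/salts.txt" <<'EOF'
define('AUTH_KEY',         'CONSTRUCTED-Ab$1(x%');
define('SECURE_AUTH_KEY',  'CONSTRUCTED-]kR#9&');
define('NONCE_SALT',       'CONSTRUCTED-q<7*Zp');
EOF
    install_salts "$dir/salts.txt" "$dir/wp-config.php"
    printf '%s %s\n' "$(placeholders_left "$dir/wp-config.php")" "$(grep -c CONSTRUCTED "$dir/wp-config.php")"
    rm -rf "$dir"
}
```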
TOP SECURITY TIPS FOR WORDPRESS
Do you login with username admin?
TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
Change the admin username in MySQL:
    UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Or create a new account with administrator privileges:
1. Create a new account. Make the username very unique
2. Set account to Administrator role
3. Log out and log back in with new account
4. Delete admin account. WordPress will allow you to reassign all content written by admin to an account of your choice.
WordPress lets you set the username during the installation process! DON’T USE ADMIN!
Knowing your username is half the battle. Don’t make it easy on the hackers.
TOP SECURITY TIPS FOR WORDPRESS
4. File and Folder Permissions
What folder permissions should you use? Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above. If your host requires 777…SWITCH HOSTS!
Or via SSH with the following commands (the semicolon is escaped so the shell passes it to find):
    find [your path here] -type d -exec chmod 755 {} \;
    find [your path here] -type f -exec chmod 644 {} \;
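An added example, not from the talk: before running the chmod one-liners it helps to see which paths actually deviate from 644/755. This shell helper audits a tree, applies the fix from the slide, and re-audits; the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the talk): audit a WordPress tree for files and
# folders that deviate from the 644 / 755 rule of thumb, then apply the fix.

# List every path whose mode deviates from the rule, tagged dir/file.
perm_audit() {
    find "$1" -type d ! -perm 755 | sed 's|^|dir  |'
    find "$1" -type f ! -perm 644 | sed 's|^|file |'
}

# Number of deviating paths (0 means the tree already matches the rule).
perm_violations() {
    perm_audit "$1" | wc -l | tr -d ' '
}

# The two one-liners from the slide; the ';' is escaped so the shell hands
# it to find instead of treating it as a command separator.
perm_fix() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Offline demo on a constructed tree: a world-writable uploads folder, a
# 666 file inside it and one correct file. Prints "<before> <after>".
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    : > "$dir/wp-content/uploads/upload.txt"
    : > "$dir/index.php"
    chmod 755 "$dir" "$dir/wp-content"
    chmod 777 "$dir/wp-content/uploads"
    chmod 666 "$dir/wp-content/uploads/upload.txt"
    chmod 644 "$dir/index.php"
    before=$(perm_violations "$dir")
    perm_fix "$dir"
    after=$(perm_violations "$dir")
    rm -rf "$dir"
    echo "$before $after"
}
```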
TOP SECURITY TIPS FOR WORDPRESS
5. Move wp-config.php
WordPress features the ability to move the wp-config.php file one directory above your WordPress root.
If WordPress is located here: public_html/wordpress/wp-config.php
You can move your wp-config.php file to here: public_html/wp-config.php
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory.
TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
Add the code below to wp-config.php to force SSL (https) on login:
    define('FORCE_SSL_LOGIN', true);
Add the code below to wp-config.php to force SSL (https) on all admin pages:
    define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.
1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    #IP address to Whitelist
    allow from 67.123.83.59
    allow from 123.123.123.*
Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin.
TOP SECURITY TIPS FOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8
The only safe site reviewed was WordPress.org. Most themes included base64() encoded text links to promote various services.
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
TOP SECURITY TIPS FOR WORDPRESS
8. Be Secure Locally
Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!
Keep your computer up to date
• Ensure you’re patching or installing updates ASAP
• Automatic updates rock!
Install an anti-virus solution
• Ensure you’re keeping definitions current
• Automatic updates aren’t a bad idea here either!
Yes, personal firewalls still apply!
It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?
Your Internet Connection: Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.
Connecting To Your Site(s): Consider using sFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don’t store your credentials in your FTP client.
TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
You get what you pay for…
“At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you.”
Your Lovely Host!
• Cheap doesn’t always mean best, or safe!!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?
Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!
TOP SECURITY TIPS FOR WORDPRESS
10. Use Common Sense
• Use a strong password
  • BAD: bradisawesome
  • GOOD: SCrEE79joLly$
  • A=@, E=3, S=$, O=0 (This is not unique, they know this)
• Update passwords regularly (Monthly, make a schedule)
• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)
• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
PLUGINS & SERVICES FOR WORDPRESS
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
BulletProof Security
• .htaccess lockdown rules for various directories (root, wp-admin, etc)
• Security status scanner for folder/file permissions and file checks
• Very well documented
http://wordpress.org/extend/plugins/bulletproof-security/
Secure WordPress
• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!
http://wordpress.org/extend/plugins/secure-wordpress/
Exploit Scanner
• Scans your files and database for potentially malicious code
• Does not remove code, only detects it
http://wordpress.org/extend/plugins/exploit-scanner/
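An added example, not from the talk and not the Exploit Scanner plugin: a minimal shell scan for the obfuscation calls behind the base64-encoded theme links in tip 7 and the dropped files in the hack example. Like the plugin, it only reports hits; the demo theme files are constructed.

```shell
#!/bin/sh
# Added example (not from the talk, and not the Exploit Scanner plugin): a
# grep for the obfuscation calls that encoded theme links and dropped files
# rely on. It only reports hits; inspect each one by hand before editing.

# Fixed strings to search for, one per line.
PATTERNS='base64_decode(
eval(
gzinflate(
str_rot13('

# Print "pattern: file:line:source" for every PHP file under DIR.
scan_obfuscation() {
    printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
        find "$1" -type f -name '*.php' -exec grep -HnF -e "$pat" {} + 2>/dev/null |
            sed "s|^|$pat: |"
    done
}

# Number of hits under DIR (0 means nothing suspicious was found).
obfuscation_hits() {
    scan_obfuscation "$1" | wc -l | tr -d ' '
}

# Offline demo on a constructed theme: footer.php hides an encoded string,
# helper.php uses eval(), functions.php is clean. Prints the hit count.
demo() {
    dir=$(mktemp -d)
    printf '<?php echo base64_decode("Q09OU1RSVUNURUQ="); ?>\n' > "$dir/footer.php"
    printf '<?php eval($payload); ?>\n' > "$dir/helper.php"
    printf '<?php add_theme_support("post-thumbnails"); ?>\n' > "$dir/functions.php"
    obfuscation_hits "$dir"
    rm -rf "$dir"
}
```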
RESOURCES FOR WORDPRESS
• Security Related Articles
  • http://codex.wordpress.org/Hardening_WordPress
  • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
• Clean a Hacked Site
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://www.marketingtechblog.com/wordpress-hacked/
• Support Forums
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware
CONTACT BRAD
Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Professional WordPress Second Edition coming December 2012!