Higher Order WordPress Security

WordPress itself is pretty secure. To secure your WordPress site, you need to look at the bigger security picture.

In this presentation, I give a rundown of many of the other pieces of the application stack that WordPress relies on, the various vectors that attackers can use, and what kinds of things you can do to help protect your site.

Download the original Keynote file for my presenter's notes with more details.

Published in: Technology, Business
  • Hrm. Once again, Slideshare has dropped images from my presentation. Download a full version (with speaker's notes) from my site: http://dougal.gunters.org/blog/2012/09/27/presentation-higher-order-wordpress-security/


  1. Higher Order WP Security: Hacks, attacks, and getting your site back. Dougal Campbell
  2. HACKERS!
  3. HACKERS! CRACKERS!
  4. HACKERS! Everybody says “hackers” anyways.
  5. WordPress Hacks
     • Warning! Massive Number of GoDaddy WordPress Blogs Hacked!
     • DreamHost: One Million Domains Hacked; WordPress Blogs Infected
     • WordPress Sites on GoDaddy, Bluehost Hacked
     • Reuters Hacked Again, Outdated WordPress Blog At Fault?
     • InMotion Hosting Servers Hacked, Thousands of Web Sites Affected
  6. WordPress Hacks
     • History shows there have been very few “WordPress Hacks”
     • “In the vast majority of cases I see, attackers get in some other way, and then once already in the system, they go looking for WordPress installs.” -- Mark Jaquith
  7. If WordPress isn’t the weak point, what is?
  8. WordPress Hacks
     • Most hacks that affect WordPress actually originate outside of WordPress Core.
     • TimThumb (PHP library, many themes/plugins)
     • Uploadify (jQuery plugin, many themes/plugins)
     • Adserve (plugin)
     • WassUp (plugin)
     • Is Human (plugin)
  9. We need to look at the bigger picture
  10. The LAMP Stack
  11. Other Services and Apps
     • SMTP (email)
     • FTP
     • DNS
     • Other web sites and utilities? Drupal, Joomla, forums, PHPMyAdmin
  12. Shared Hosting
     • Shared hosting? Shared security!
     • Other users on the same server as you can become a security risk that affects you
     • What about your own users? Can you trust everyone who has a login for your site? Really trust them?
     • “Nobody cares as much about the survival of your business as yourself.” -- Ron Cain, business owner
  13. How do hackers get in?
     • Known exploits in vulnerable software
     • Brute-force password hacking
     • Network scanners
     • Firesheep
     • Wifi vulnerabilities (WEP/WPA)
     • Automated tools
     • Rootkits
  14. Staying Safe
  15. Three Words
  16. Three Words: Update
  17. Three Words: Update. Update.
  18. Three Words: Update. Update. Update.
  19. Three Words: Update Core. Update Plugins. Update Themes.
  20. What Else?
     • Hotfix Plugin
     • WP Security Scanner
     • Login Lockdown
     • BulletProof Security
     • Sucuri.net
  21. What Else?
     • Not using a plugin anymore? Deactivate. DELETE!
     • The same goes for themes
  22. HACKED!
  23. Now What?
     • You can no longer trust any code files
     • Nuke the site, start from trusted, fresh copies
     • Save wp-config.php and wp-content/uploads
     • Reinstall data from backups
  24. Now What? (builds on slide 23)
     • You do have backups, right?
  25. Now What? (builds on slide 24)
     • Right?
  26. What do I back up?
     • Database
     • Uploaded media (wp-content/uploads)
     • Custom themes and plugins
     • wp-config.php
     • Keep a list of your installed third-party plugins
  27. How do I back up?
     • Backup Buddy
     • VaultPress
     • WordPress Backup to Dropbox
  28. It can happen to you. It can happen to me. It can happen to everyone, eventually. -- Yes, It Can Happen, 90125
  29. A Little Healthy Paranoia
  30. Healthy Paranoia!
     • Use strong passwords
     • Two-factor authentication -- Google Authenticator plugin
     • Use separate WordPress logins for publishing day-to-day content and for site administration
     • Limit who can login to your site, and what permissions they have
     • Create temporary accounts for developers, if necessary
  31. Healthy Paranoia!
     • Use secure protocols: SFTP, SCP, SSH -- not FTP
     • If possible, enforce SSL on WordPress logins and dashboard access
     • Ensure MySQL server is not accessible to other hosts
     • Same goes for memcache (or any other data store)
  32. What? I don’t know how!
  33. Getting help
     • Security is part of the cost of doing business, like insurance
     • If you don’t know how to do all this, retain the services of someone who does
     • Managed hosting: Page.ly, WordPress.com, WP Engine, Zippykid
  34. Security for Developers
     • Settings API, nonces, validation handlers
     • Data escaping functions: esc_*(): esc_html(), esc_attr(), esc_sql(), esc_url() & esc_url_raw(), esc_js()
  35. Now, SECURE ALL THE THINGS!
  36. Thanks! Dougal Campbell, @dougal, dougal.gunters.org
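Slide 34 lists the developer-side pieces (Settings API, nonces, validation handlers, the esc_*() family) without showing how they fit together. The following is an added example, not code from the deck or from Dougal Campbell: a minimal options page that wires them up. The page slug "hows-example", option group "hows_example_group" and option name "hows_example_opts" are hypothetical names chosen for this illustration.

```php
<?php
// Added example (not from the deck): Settings API + nonce + validation handler
// + esc_*() output in one small options page. "hows-example", "hows_example_group"
// and "hows_example_opts" are hypothetical names for this illustration.
add_action( 'admin_menu', function () {
    // Only users with manage_options can reach this page at all.
    add_options_page( 'HOWS Example', 'HOWS Example', 'manage_options',
        'hows-example', 'hows_example_render_page' );
} );

add_action( 'admin_init', function () {
    // The sanitize_callback is the validation handler: options.php runs it on
    // every submitted value before anything is written to wp_options.
    register_setting( 'hows_example_group', 'hows_example_opts', array(
        'type'              => 'array',
        'sanitize_callback' => 'hows_example_sanitize',
        'default'           => array( 'title' => '', 'link' => '' ),
    ) );
} );

function hows_example_sanitize( $input ) {
    $clean = array( 'title' => '', 'link' => '' );
    if ( isset( $input['title'] ) ) {
        $clean['title'] = sanitize_text_field( $input['title'] ); // strip tags, normalise whitespace
    }
    if ( isset( $input['link'] ) ) {
        $clean['link'] = esc_url_raw( $input['link'] );          // storage form: no entity encoding
    }
    return $clean;
}
function hows_example_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these options.' ) );
    }
    $opts = get_option( 'hows_example_opts', array( 'title' => '', 'link' => '' ) );
    ?>
    <div class="wrap">
      <h1><?php echo esc_html( $opts['title'] ); ?></h1>
      <form method="post" action="options.php">
        <?php settings_fields( 'hows_example_group' ); // emits the nonce that options.php verifies ?>
        <input type="text" name="hows_example_opts[title]" value="<?php echo esc_attr( $opts['title'] ); ?>">
        <input type="url"  name="hows_example_opts[link]"  value="<?php echo esc_attr( $opts['link'] ); ?>">
        <?php submit_button(); ?>
      </form>
      <a href="<?php echo esc_url( $opts['link'] ); ?>">Preview link</a>
      <script>var howsTitle = '<?php echo esc_js( $opts['title'] ); ?>';</script>
    </div>
    <?php
}
```

Each output context gets its own escaper (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href, esc_js() for an inline string literal); for SQL, $wpdb->prepare() is the usual choice over hand-built strings wrapped in esc_sql().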
