Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secure All The Things!


Published on

Slightly updated version of my previous WordPress Security presentation.

  • Be the first to comment

Secure All The Things!

  1. 1. Secure All The Things!When it comes tosecurity,WordPress is theleast of yourworries...
  2. 2. HACKERS!
  4. 4. HACKERS!Everybody says “hackers” anyways.Everybody says “hackers” anyways.Everybody says “hackers” anyways.
  5. 5. WordPress HacksWarning! Massive Number of GoDaddyWordPress Blogs Hacked!DreamHost: One Million Domains Hacked; WordPresWordPress Sites on GoDaddy, Bluehost HackedReuters Hacked Again, Outdated WordPress Blog AInMotion Hosting Servers Hacked, Thousandsof Web Sites Affected
  6. 6. WordPress HacksHistory shows there have been very few“WordPress Hacks”“In the vast majority of cases I see, attackersget in some other way, and then once alreadyin the system, they go looking for WordPressinstalls.” -- Mark Jaquith
  7. 7. If WordPress isn’t theweak point, what is?
  8. 8. WordPress HacksMost hacks that affect WordPress actuallyoriginate outside of WordPress Core. TimThumb (PHP library, many themes/plugins) Uploadify (jQuery plugin, many themes/plugins) Adserve (plugin) WassUp (plugin) Is Human (plugin)
  9. 9. We need to look at thebigger picture
  10. 10. The LAMP Stack
  11. 11. Other Services andAppsSMTP (email)FTPDNSOther web sites and utilities? Drupal, Joomla, forums PHPMyAdmin
  12. 12. Shared HostingShared hosting? Shared security!Other users on the same server as you canbecome a security risk that affects youWhat about your own users? Can you trusteveryone who has a login for your site? Reallytrust them? “Nobody cares as much about the survival of your business as yourself.” -- Ron Cain, business owner
  13. 13. How do hackers get in?Known exploits in vulnerable softwareBrute-force password hackingNetwork scanners Firesheep Wifi vulnerabilities (WEP/WPA)Automated toolsRootkits
  14. 14. Staying Safe
  15. 15. Three WordsUpdateUpdateUpdate
  16. 16. Three WordsUpdate CoreUpdate PluginsUpdate Themes
  17. 17. What Else?Hotfix PluginWP Security ScannerLogin LockdownBulletProof
  18. 18. What Else?Not using a pluginanymore? Deactivate DELETE! The same goes for themes
  19. 19. HACKED!
  20. 20. Now What?You can no longer trust any code filesNuke the site, start from trusted, fresh copies Save wp-config.php and wp-content/uploadsReinstall data from backupsYou do have backups, right?Right?
  21. 21. What do I back up?DatabaseUploaded media (wp-content/uploads)Custom themes and pluginswp-config.phpKeep a list of your installed third-party plugins
  22. 22. How do I back up?Backup BuddyVaultPressWordPress Backup to Dropbox
  23. 23. It can happen to youIt can happen to meIt can happen to everyone, eventually -- Yes, It Can Happen, 90125
  24. 24. A Little Healthy Paranoia
  25. 25. Healthy ParanoiaUse strong passwordsTwo-factor authentication -- GoogleAuthenticator pluginUse separate WordPress logins for publishingday-to-day content and for site administrationLimit who can login to your site, and whatpermissions they have Create temporary accounts for developers, if necessary
  26. 26. Healthy Paranoia Use secure protocols: SFTP, SCP, SSH -- not FTP If possible, enforce SSL on WordPress logins and dashboard access Ensure MySQL server is not accessible to other hosts Same goes for memcache (or any other data store)
  27. 27. What? I don’t knowhow!
  28. 28. Getting helpSecurity is part of the cost of doing business, likeinsuranceIf you don’t know how to do all this, retain the servicesof someone who doesManaged hosting: WP Engine Zippykid
  29. 29. Security for DevelopersSettings API, nonces, validation handlersData escaping functions: esc_*() esc_html() esc_attr() esc_sql() esc_url() & esc_url_raw() esc_js
  31. 31. Thanks!Dougal