How many of you know someone who’s had a hacked site?
Your site doesn’t need to be huge to be of value to hackers. They can use your blog or small business site for a variety of purposes.They can install malware on your site, which infect people who visit your site.Your site can house ads or even new pages for Viagra, Cialis, gambling, or other unsavory things.They can find information on other people registered to your site.They can use your email server to send spam to other victims. They can use your server resource as part of a botnet to attack other sites, mine Bitcoin, or just get recognition in the hacking community.
WordPress runs one in every four sites on Earth. If hackers can find vulnerabilities in WordPress, and automate attacks, they have the potential to take over hundreds of thousands of sites.
When you first install iThemes Security and go to the Dashboard, you’ll see four calls to action.First, a prompt to make a backup of your database. This is emailed to the administrator email. It’s always best to get backups that are not stored on the server. Because if your server is infected, the database backup on your server is also likely to be infected. Second, will you allow the plugin to update the wp-config and .htaccess files? The plugin uses these to help keep bad guys out.Third, a one-click button for default settings. There are about six settings here that go into effect. We’ll look at those in a minute. Last, Can we observe how you’re using this plugin so we can make improvements to the plugin?
These are the settings we enabled with the one-click settings on the last page.We’ve removed “admin” as a username. When you do a fresh install of WordPress these days, you can choose any username you want. This wasn’t always the case. In years past, it used to default to “admin” as a username.Sites that were launched a few years ago may still have “admin” as a main username. Now hackers only need to guess the password that goes with admin to break into your site. User nicknames are different from the display name. This prevents your username being displayed in plain sight by themes displaying author credits. User profiles with no published posts are also not displayed. This is so dormant accounts don’t become an easy target for hackers. The login page is not giving out information on failed login, like “The username was incorrect” or “The password was incorrect”. We don’t want to give hackers any clues to get into your site. The Windows Live Writer header is also removed.
One of the first things you should always do is white-list your IP address for 24 hours. Since we’re changing the site configuration, we can accidentally lock ourselves out. Whitelisting our IP helps prevent that.
I’d like to go over some of these tabs here: Dashboard and Settings help you keep track of what security measures are in place. Advanced are security settings you can use, but have a good backup of your site before you implement these. The Logs tab records details of activity and changes on your site.
This is some of what you will find on your Logs page after a while. Here, it is recording 404 errors, where two different IP’s were hitting 404’s while trying to find a login URL, and also looking for known plugin vulnerabilities for plugins that are not on this site. More on this in a few minutes.
These are settings in the Advanced tab. This setting changes the admin user and changes user 1 to another number. When you install WordPress, who is the first user in the Users database table? That is the administrator. This deflects attacks aimed at the first user in the database.
For those familiar with the wp-config file, the WordPress salts are those random characters attached to logins. When you change the salts, it logs everyone out everywhere. So if someone is logged into your site, they have to log back in.
This setting changes the folder name of the wp-content folder. Many attacks are aimed at plugin and theme vulnerabilities. Where are those located? In the wp-content folder. IF we rename this folder, it prevents automated attacks against those files. Be careful with this one, as it will affect your whole site.
This setting changes the default database table prefix. When you install WordPress, the default prefix is “wp_”. This changes the prefix on those tables, so attacks looking for those specific database tables get derailed. Some managed WordPress hosts will do this automatically for you.
From here on in, we’ll look at the Dashboard, organized into suggested actions by High, Medium, Low, and Completed, and the corresponding places where the Fix It buttons link to in Settings.
The first setting says we don’t have regular backups scheduled.
Whn we click the Fix It button, it takes us to scheduling database backups in Settings
You can choose how often you back up your database by how many days in between running backups.
XML-RPC is something used by Jetpack, the mobile app, certain plugins, and Pingbacks.
This used to be one setting, in the last version this became two settings.At the top, you can allow all XML-RPC, disable only Pingbacks, or Disable XML-RPC completely.Pingbacks can also be used in a Ddos, or denial of service attack.The second setting lets you disable multiple username and password combos per authentication. This helps prevent brute force attacks.
In Medium Priority, the first setting is turning on 404 protection.
Remember when I showed you the Logs a minute ago? When we turn on 404 protection, this locks out bad guys looking for things they shouldn’t be looking for, if they hit too many 404’s in a certain time span.
You can set how many 404s it takes to trigger a lockout in how long a time.Also has a white-list for file types, like jpgs, so accidental lockouts due to incorrect file paths.
User with id of 1 still exists, we just covered this on the Advanced tab.
This is what it looks like when we rename the admin user and change User ID 1.
Your WordPress Dashboard is available 24 hours a day. This on e is really interesting.
Let’s say you only have one or two people working on your site. Should people be logging in when you’re normally asleep?
Away Mode lets you designate what time access to the backend automatically shuts down. Between these hours, the login screen is completely inaccessible, and you’ll be logged out when that away time starts.
Your login area is partially protected from brute force attacks.
Network brute force protection keeps track not only of the IP’s that try to break into your site, but also the IP’s that have tried to break into other sites in a network. By entering your email here, IP’s that have been identified as malicious by other sites will also be blocked from your site.
You can also control lockouts locally, for IP’s that try to force your site open. These are settings for when those lockouts trigger, and how long to remember bad IP addresses.You can also automatically ban anyone that attempts to login with “admin” username. This is commonly used, because many older, unmaintained WordPress sites have admin for a username, usually accompanied by a weak password.
You website is not looking for changed files.
iThemes Security will observe if files get changed on your site, and send you an email alerting you to exactly what got changed.
You can split file checking into chunks, or exclude certain files from being checked (though I would not enable this).
Your WordPress Dashboard is using the default web address. This feature allows you to change the default logins URLs.
Instead of default /wp-login.php or /wp-admin/ login screens, you can make the login URL whatever you want. Hackers send automated attacks to the default addresses, and when they don’t find those, that results in a 404, which we are protecting against. This is security by obscurity. Sophisticated hackers can still find your login URL, but this will eliminate many automated attacks. Don’t use wplogin or anything obvious for a URL. Use a secret phrase, word or random string of characters that is difficult to guess.
You are not protecting common WordPress files from access.
These settings protect people from browsing the wp-config file, .htaccess, wp-includes folder, and install.php files.You can also prevent people from browsing empty directories, filter out suspicious request methods in URLs, disallow non-English characters in the URL, and limit unusually long URLs. These can all be means people are trying to use to gain access to your site.
The reduce comment spam option denies comments without a user agent. Browsers have user-agent headers. Search engine crawlers even have user-agent headers. Generally, only comment spam bots are missing a referrer or identifiable user-agent.
Users can execute PHP from the uploads folder.
This setting prevents people form uploading PHP files to execute in your uploads folder.
Here’s the Low Priority Items. Enable Ban Users.
You can ban IP addresses. You can also ban user-agents (certain crawler bots you want to restrict from your site).
Changing salts in the wp-config file logs everyone out, everywhere.
Require secure connection = Forcing SSL / HTTPS for login.
You can lock everyone out of the site. Get help with this one.
Enforce Strong Passwords
New WordPress installs now prompt admins for strong passwords. But what about Editors or other people with advanced roles and privileges? Someone can hack an Edotr account and still do damage to your site. With this, you can select which role level strong passwords are enforced at.
Wp-Config and .htacces files are writeable by default. This is a vulnerability.
This screenshot is at bottom of the Dashboard screen. You can see file permissions and what the recommendations are.
Change permissions on these sensitive files here.
Really Simple Discovery header is information used by certain services like Flickr, but it’s likely you don’t need it displaying in your source code.
RSD header can give away information we don’t want bad guys to have,
Disabling the file editor
This means you won’t be able to edit theme or plugin files in the backend of the site. This also prevents someone from cracking your site and altering those files from the backend, if they hack into your site.
Check to see if your theme is loading a safe version of jQuery.
To test, click “Check your homepage”. This is important because if a theme bundles an old version of jQuery in the actual theme files, that theme can be hacked and that file can be malformed to become malicious. Same thing if you link to an unmaintained code repo for jQuery.
Once your home page is checked, refresh the screen. You should see the okay message here.
John locke-word camp-sacramento-2015
Plugins Part 1:
Why Do People Want To Hack Your
• Malware Downloads
• Run Ads / Page takeovers
• Get User information
• Use your email for spam
• Mining Bitcoin
• Prestige In Hacking Community
WordPress Is A Lucrative Target
• One In Four Websites Run WordPress
• Find Vulnerabilities In WordPress
• Automate Attacks
@Lockedown_ on Twitter