Blog World 2010 - How to Keep Your Blog from Being Hacked
This presentation was given in Las Vegas at BlogWorld 2010 by Brian Layman. It describes techniques that can be used to keep your WordPress website safe.
1. How to Keep Your Blog from Being Hacked, Stolen or Otherwise Violated
   Brian Layman
   Exhibits: October 15-16 | Conference: October 14-16 | Mandalay Bay Convention Center | Las Vegas, Nevada

2. Introduction
   • Who I am. What I do. What I see.
   • What software do your blogs run on?
   • Who here has had a blog hacked, defaced, stolen or taken down?
   • Is your site safe? (No one would ever want to hack my blog about _____.)
   • The title is a lie…

3. Well Known Blog Hacks
   • Twitter
   • PayPal’s Blog
   • Gawker
   • CorneliaMarie.com
   • PhotoMatt
   • ClimateCrisis.net
   • Problogger
   • Twilight Lexicon
   • Go Daddy
   • DreamHost
   • Blue Host
   • Bizland
   • Network Solutions

4. Antivirus Campaign
   http://bit.ly/AVCampaign

5. Define “hacked”
   • Content or uploads destroyed
   • Hidden hyperlinks added to your site
   • Redirect to another site
   • Content edited
   • Hijacked website
   • Defacement
   • Bank fraud

6. Definition of Terms: How attacks happen…
   • CSRF/XSRF – Cross Site Request Forgery
   • XSS – Cross Site Scripting
   • SQL Injection
   • DDOS – (Distributed) Denial of Service
   • DNS Hijacking – Spoofing or Poisoning
   • Malvertising – Malicious Advertising
   • Stolen Password
   • Bad Code

7. Open Source Responses to Vulnerabilities
   • WordPress
     • http://codex.wordpress.org/Hardening_WordPress
     • security@wordpress.org
   • Drupal
     • http://drupal.org/security-team
     • security@drupal.org
   • Joomla
     • http://developer.joomla.org/security.html
     • security@joomla.org

8. Security Through Obscurity
   • What is it? You tell me…
   • Who is right?
   • My thought: Any steps that may eliminate a large subset of attacks on your blog should be taken.

9. Tactics YOU can use no matter what platform you are on
   • The basics
     • Passwords
     • Communication (Plain Text vs. SSL)
     • Updates
     • Watch what you add to your sites (plugins/themes/add-ons)
     • Backups
     • Google Webmaster Tools

10. Passwords
   • Use strong passwords
   • Make them unique in high value situations

11. Communication
   • Pay attention to how you are sending your passwords
     • Wireless networks = risk
     • FTP – use SFTP instead
     • Email – use the SSL ports 587, 995, 993 instead of 25, 110, 143
     • Skype – syncs history upon connect; never send secure passwords – EVER
     • cPanel/WHM/admin pages – if it is http, not https, your password can be scraped

12. Updates
   • Keep your blog, plugins, themes & operating system current – yes, even Linux
   • Security and attacks improve over time
     • 2005 – Admin operations required a referrer
     • 2006 – Admin operations required a NONCE
     • 2007 – Plugin pages forced to check security
     • 2008 – Randomized keys and salts & upgrades
     • 2009 – Security escalation issues – full review
     • 2010 – Automated plugin and theme upgrades

13. Watch what you add…
   • Every plugin or theme is a security risk
   • “Free theme” sites are a very high risk
   • Less popular & highly specialized plugins have had fewer eyes on them and are riskier
   • Older plugins used older security standards – we simply knew less and had fewer tools
   • You are responsible for your site. Learn how to identify problems, or make a friend who can.

14. Backups
   • Both files and database
   • Keep the files offline
   • If you have files online, keep them out of public_html
   • As important as having the backups… know how to restore them!
   • Before you restore, delete the files and directories to remove the hack files

15. Google Webmaster Tools
   • How do you know you are hacked?
   • Google will email you when they consider you a risk
     • http://www.google.com/webmasters/
     • http://www.google.com/webmasters/checklist/
     • https://www.google.com/webmasters/tools/reconsideration
   • You can configure multiple owners

16. Coding Practices
   • EVERYTHING that is displayed on the screen must be filtered.
     • WordPress provides: esc_html, esc_url, esc_* – http://codex.wordpress.org/Data_Validation
   • EVERYTHING that you send to the database must be filtered.
     • WordPress provides: $wpdb->prepare
   • TRUST NOTHING
     • Try to use your own text instead of user input
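An added example (not code from the talk) of the two rules on this slide, written as a small WordPress plugin: an unescaped search box and a string-built SQL query sit beside their escaped and prepared versions. It assumes it runs inside WordPress 4.0 or later, so esc_html(), esc_attr(), esc_url(), wp_unslash(), $wpdb->prepare() and $wpdb->esc_like() exist; the function names, the shortcode name and the q parameter are hypothetical.

```php
<?php
/**
 * Plugin Name: Escaping Demo (added example, not from the BlogWorld talk)
 *
 * Assumes WordPress 4.0+ is loaded. All function names, the shortcode
 * name and the "q" request parameter are hypothetical.
 */

// UNSAFE: request input is echoed straight into markup. A quote followed by
// markup in ?q= leaves the attribute and becomes live HTML (XSS).
function demo_unsafe_search_box() {
	$q = isset( $_GET['q'] ) ? $_GET['q'] : '';
	return '<input name="q" value="' . $q . '">';
}

// SAFE: every value is escaped for the context it lands in.
function demo_safe_search_box() {
	$q      = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
	$action = esc_url( home_url( '/' ) );                      // URL context
	$value  = esc_attr( $q );                                  // attribute context
	$label  = esc_html( sprintf( 'Results for: %s', $q ) );     // text context
	return '<form action="' . $action . '" method="get">'
	     . '<input name="q" value="' . $value . '">'
	     . '<p>' . $label . '</p></form>';
}

// UNSAFE: concatenated SQL. A single quote in $term ends the string literal
// and the rest of $term is parsed as SQL (SQL injection).
function demo_unsafe_title_search( $term ) {
	global $wpdb;
	return $wpdb->get_results(
		"SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%'"
	);
}

// SAFE: $wpdb->prepare() binds the value as data, and esc_like() neutralises
// the LIKE wildcards % and _ so user input cannot widen the match.
function demo_safe_title_search( $term ) {
	global $wpdb;
	$like = '%' . $wpdb->esc_like( $term ) . '%';
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish'",
			$like
		)
	);
}

// Only the safe version is ever wired up; the unsafe ones exist for comparison.
add_shortcode( 'demo_search', 'demo_safe_search_box' );
```

The three esc_* calls are not interchangeable: esc_html() is for text nodes, esc_attr() for attribute values and esc_url() for href/src/action targets, and the escaping belongs at the moment of output, not where the value is read.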
17. Servers
   • Permissions – the 755 myth
     • chmod -R 755 *
     • Generic: directories should be 755, files 644
     • Reality: grant the least privileges that still give your site the access it needs
   • VPS vs Shared Hosting vs Managed Hosting
     • Flexibility, access, less risk = more $
     • Harden your own server or let someone do it
     • suPHP – isolates your installation

18. WordPress Specific Security Techniques
   • Create an “Editor” user for posting
   • Create a new “Administrator”, delete the old one, then only use it for maintenance
   • Never use wp_ as your table prefix
   • Look at wp-config-sample.php now and then and update your wp-config.php
   • Force secure password logins
     • http://codex.wordpress.org/Administration_Over_SSL
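An added wp-config.php excerpt (not from the talk) showing where three of this slide's items live: a non-default table prefix, the unique keys and salts that wp-config-sample.php tells you to generate, and FORCE_SSL_ADMIN, the constant the linked Administration_Over_SSL page describes. Every value marked PLACEHOLDER is an assumption to be replaced with your own.

```php
<?php
// wp-config.php excerpt (added example, not from the BlogWorld talk).
// PLACEHOLDER values are assumptions: replace them with your own.

// ** MySQL settings, as in wp-config-sample.php ** //
define( 'DB_NAME',     'PLACEHOLDER_database_name' );
define( 'DB_USER',     'PLACEHOLDER_database_user' );
define( 'DB_PASSWORD', 'PLACEHOLDER_database_password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8' );
define( 'DB_COLLATE',  '' );

// Unique keys and salts: paste a fresh set from
// https://api.wordpress.org/secret-key/1.1/salt/ (the URL wp-config-sample.php
// points to). Changing them invalidates every existing login cookie, which is
// what you want after a clean-up or a suspected password leak.
define( 'AUTH_KEY',         'PLACEHOLDER_unique_phrase' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER_unique_phrase' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER_unique_phrase' );
define( 'NONCE_KEY',        'PLACEHOLDER_unique_phrase' );
define( 'AUTH_SALT',        'PLACEHOLDER_unique_phrase' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER_unique_phrase' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER_unique_phrase' );
define( 'NONCE_SALT',       'PLACEHOLDER_unique_phrase' );

// Never use wp_ as the table prefix. Pick it at install time: changing it on a
// live site means renaming every table and the prefixed option and usermeta
// keys (wp_user_roles, wp_capabilities) that depend on it.
$table_prefix = 'PLACEHOLDER_kq7x_';

// Force the login form and the whole admin area over HTTPS so the password
// never travels in plain text.
define( 'FORCE_SSL_ADMIN', true );

/* That's all, stop editing! Happy blogging. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

FORCE_SSL_ADMIN only works if the host actually serves the site over HTTPS with a valid certificate; otherwise the admin becomes unreachable rather than secure, so test the https:// URL before switching it on.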
19. WordPress Techniques (Expected Answers)
   • Move wp-config.php
   • Remove version info
   • Rename the admin user
   • Move your wp-content directory – possibly worth doing, but it will break many plugins and themes
   • Use .htaccess to whitelist IP addresses or add an extra password layer

20. WordPress Techniques
   • Free plugins – http://wordpress.org/extend/plugins/
     • exploit-scanner
     • wp-security-scan
     • wordpress-file-monitor
   • Paid plugins – http://pluginbuddy.com/purchase/backupbuddy/

21. Who can help?
   Managed Hosting & Clean Up
   • iThemes.com
   • Page.ly
   • WPSecuritylock.com
   • WebDevStudios.com
   • CoveredWebServices.com
   And of course:
   • eHermitsInc.com

22. Brian Layman
   http://eHermitsInc.com/slides
   http://twitter.com/brianlayman @eHermits
   Brian@eHermitsInc.com
   Text ehermits to 50500