SlideShare a Scribd company logo

Word camp2011 introwordpresssecurity

David Wilemski
David Wilemski
TechnologyBusiness
1 of 29
Download to read offline
An Introduction to WordPress Security WordCamp Detroit November 12th - 13th, 2011
David Wilemski @davidwilemski davidwilemski.com github.com/davidwilemski
The Goal: Staying Afloat photo by Flickr user davidesimonetti
WordPress Security ● Raise the security bar ● Plugins and services ● Disaster recovery
Vulnerabilities photo by Flickr user misterbisson
Drive by exploits ● Most attacks aren't targeted ● Little time per site ● Known exploits
timthumb.php exploit ● Common image library used in WP themes ● Exploited poor error checking ● Arbitrary code execution http://markmaunder.com/2011/08/01/zero-day-vulnerability-in- many-wordpress-themes/
Password Brute-forcing ● Automated attack on a user account ● Takes time, will show up in logs ● Some evidence of scripts that are distributed across multiple nodes http://isc.sans.edu/diary.html?storyid=7663
Raising The Bar photo by Flickr user Mike_tn
Change Database Table Prefix ● Defaults to "wp_" ● Use anything else ● Makes SQL injection a little more difficult
Delete 'admin' user ● In WP Dashboard create a new administrative user ● Log in as the new user, delete the original user ● Some scripts are programmed to target 'admin'
Use SSL (HTTPS) in wp-admin ● Encrypts traffic to your site ● Stops attackers from reading your traffic or stealing your login cookies ● Check with your hosting provider to see if you have support ● Can be a self-signed certificate if you are the only one using wp-admin
File Permissions ● Only as loose as required, NOT more ● Recommended 755 for directories and 644 for files http://codex.wordpress.org/Hardening_WordPress#File_Permissions
Change wp-config.php secrets ● Security keys used for setting various cookies and internal crypto properties ● Changing them will just cause any logged in user to need to re-authenticate ● Use the generator: https://api.wordpress.org/secret-key/1.1/salt/
● Bonus: IP restrict wp-admin ● Use .htaccess to restrict access to the dashboard ● If your public IP address changes you will get locked out of WP and need to edit the .htaccess via FTP or shell access http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
Unlimited Power photo by Flickr user Frank.Li
Limit Login Attempts ● Rate limits failed login attempts ● Can hinder brute force attacks ● Notifies in case of too many failures http://wordpress.org/extend/plugins/limit-login-attempts/
Duo WordPress ● Two-factor authentication for your WordPress site ● ● Protects from account take over
Duo Push Notification http://wordpress.org/extend/plugins/duo-wordpress/
Emergency Preparedness photo by Flickr user doisespressos
Backups! ● Backup your WP database regularly (and the site files)! ● Do them, test them! ● Plugins: WP-DB-Backup or PressBackup http://wordpress.org/extend/plugins/pressbackup/ http://wordpress.org/extend/plugins/wp-db-backup/
Disaster Recovery photo by Flickr user born1945
Restore your site ● Don't just try to clean the site ● You could miss hidden backdoors ● Backup the infected site for later analysis ● Restore from a known good backup
Protect your online identity ● Change your passwords to your database and WP user accounts ● Check your computer for malware ● Update your site and plugins
Investigate the attack ● Consider checking up the backed up copy of your site ● If the attack is made via a flaw in WP, file a bug or inform the mailing list http://ottopress.com/2011/how-to-cope-with-a-hacked-site/ http://codex.wordpress.org/FAQ_My_site_was_hacked
Overwhelmed yet? photo by Flickr user andresthor
VaultPress ● Paid service offered by Automattic to backup, scan, and protect your WordPress website ● Makes it easy to restore site backups ● Worth it if you don't have the time or want to manage things yourself
Once more ● Your site can be better protected with just a little effort ● It's all about raising the bar! ● Backups, backups, backups!
Thank You! Questions? David Wilemski @davidwilemski

Recommended

WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress GovLoop
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesJonathan Hall
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16tshellberg
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Building a community of Open Source intranet users
Building a community of Open Source intranet usersBuilding a community of Open Source intranet users
Building a community of Open Source intranet usersLuke Oatham
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIryanduff
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo
 

Recommended

WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress GovLoop
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesJonathan Hall
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16tshellberg
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Building a community of Open Source intranet users
Building a community of Open Source intranet usersBuilding a community of Open Source intranet users
Building a community of Open Source intranet usersLuke Oatham
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIryanduff
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo
 
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Cliff Seal
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleKayleigh Thorpe
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Securityn|u - The Open Security Community
 
Security? hey, it's only word press!
Security? hey, it's only word press!Security? hey, it's only word press!
Security? hey, it's only word press!stk_jj
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Installing and Setting Up WordPress
Installing and Setting Up WordPressInstalling and Setting Up WordPress
Installing and Setting Up WordPressZero Point Development
 
Extending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIExtending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIryanduff
 
WordPress development checklist
WordPress development checklistWordPress development checklist
WordPress development checklistBinh Quan Duc
 
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014ryanduff
 
Install WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPInstall WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPRupesh Kumar
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a pluginBrian Layman
 
wp cli- don’t fear the command line
wp cli- don’t fear the command linewp cli- don’t fear the command line
wp cli- don’t fear the command lineDwayne McDaniel
 
Get Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentGet Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentCliff Seal
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup marchFadi Nicolas Zahhar
 
The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.WP Engine
 

More Related Content

What's hot

Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Cliff Seal
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleKayleigh Thorpe
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Security? hey, it's only word press!
Security? hey, it's only word press!Security? hey, it's only word press!
Security? hey, it's only word press!stk_jj
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Extending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIExtending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIryanduff
 
WordPress development checklist
WordPress development checklistWordPress development checklist
WordPress development checklistBinh Quan Duc
 
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014ryanduff
 
Install WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPInstall WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPRupesh Kumar
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a pluginBrian Layman
 
wp cli- don’t fear the command line
wp cli- don’t fear the command linewp cli- don’t fear the command line
wp cli- don’t fear the command lineDwayne McDaniel
 
Get Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentGet Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentCliff Seal
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 

What's hot (20)

Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support Tale
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Security? hey, it's only word press!
Security? hey, it's only word press!Security? hey, it's only word press!
Security? hey, it's only word press!
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusion
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Installing and Setting Up WordPress
Installing and Setting Up WordPressInstalling and Setting Up WordPress
Installing and Setting Up WordPress
 
Extending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIExtending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLI
 
WordPress development checklist
WordPress development checklistWordPress development checklist
WordPress development checklist
 
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
 
Install WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPInstall WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHP
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a plugin
 
wp cli- don’t fear the command line
wp cli- don’t fear the command linewp cli- don’t fear the command line
wp cli- don’t fear the command line
 
Get Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentGet Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & Development
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 

Similar to Word camp2011 introwordpresssecurity

Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup marchFadi Nicolas Zahhar
 
The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.WP Engine
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIWP Engine
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionPratik Jagdishwala
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Trivandrum
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress InstallationLester Chan
 
WordPress CLI in-depth
WordPress CLI in-depthWordPress CLI in-depth
WordPress CLI in-depthSanjay Willie
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonBastian Grimm
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 

Similar to Word camp2011 introwordpresssecurity (20)

Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup march
 
The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security session
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress Installation
 
WordPress CLI in-depth
WordPress CLI in-depthWordPress CLI in-depth
WordPress CLI in-depth
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Word camp2011 introwordpresssecurity

  • 1. An Introduction to WordPress Security WordCamp Detroit November 12th - 13th, 2011
  • 2. David Wilemski @davidwilemski davidwilemski.com github.com/davidwilemski
  • 3. The Goal: Staying Afloat photo by Flickr user davidesimonetti
  • 4. WordPress Security ● Raise the security bar ● Plugins and services ● Disaster recovery
  • 5. Vulnerabilities photo by Flickr user misterbisson
  • 6. Drive by exploits ● Most attacks aren't targeted ● Little time per site ● Known exploits
  • 7. timthumb.php exploit ● Common image library used in WP themes ● Exploited poor error checking ● Arbitrary code execution http://markmaunder.com/2011/08/01/zero-day-vulnerability-in- many-wordpress-themes/
  • 8. Password Brute-forcing ● Automated attack on a user account ● Takes time, will show up in logs ● Some evidence of scripts that are distributed across multiple nodes http://isc.sans.edu/diary.html?storyid=7663
  • 9. Raising The Bar photo by Flickr user Mike_tn
  • 10. Change Database Table Prefix ● Defaults to "wp_" ● Use anything else ● Makes SQL injection a little more difficult
  • 11. Delete 'admin' user ● In WP Dashboard create a new administrative user ● Log in as the new user, delete the original user ● Some scripts are programmed to target 'admin'
  • 12. Use SSL (HTTPS) in wp-admin ● Encrypts traffic to your site ● Stops attackers from reading your traffic or stealing your login cookies ● Check with your hosting provider to see if you have support ● Can be a self-signed certificate if you are the only one using wp-admin
  • 13. File Permissions ● Only as loose as required, NOT more ● Recommended 755 for directories and 644 for files http://codex.wordpress.org/Hardening_WordPress#File_Permissions
  • 14. Change wp-config.php secrets ● Security keys used for setting various cookies and internal crypto properties ● Changing them will just cause any logged in user to need to re-authenticate ● Use the generator: https://api.wordpress.org/secret-key/1.1/salt/
  • 15. ● Bonus: IP restrict wp-admin ● Use .htaccess to restrict access to the dashboard ● If your public IP address changes you will get locked out of WP and need to edit the .htaccess via FTP or shell access http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
  • 16. Unlimited Power photo by Flickr user Frank.Li
  • 17. Limit Login Attempts ● Rate limits failed login attempts ● Can hinder brute force attacks ● Notifies in case of too many failures http://wordpress.org/extend/plugins/limit-login-attempts/
  • 18. Duo WordPress ● Two-factor authentication for your WordPress site ● ● Protects from account take over
  • 20. Emergency Preparedness photo by Flickr user doisespressos
  • 21. Backups! ● Backup your WP database regularly (and the site files)! ● Do them, test them! ● Plugins: WP-DB-Backup or PressBackup http://wordpress.org/extend/plugins/pressbackup/ http://wordpress.org/extend/plugins/wp-db-backup/
  • 22. Disaster Recovery photo by Flickr user born1945
  • 23. Restore your site ● Don't just try to clean the site ● You could miss hidden backdoors ● Backup the infected site for later analysis ● Restore from a known good backup
  • 24. Protect your online identity ● Change your passwords to your database and WP user accounts ● Check your computer for malware ● Update your site and plugins
  • 25. Investigate the attack ● Consider checking up the backed up copy of your site ● If the attack is made via a flaw in WP, file a bug or inform the mailing list http://ottopress.com/2011/how-to-cope-with-a-hacked-site/ http://codex.wordpress.org/FAQ_My_site_was_hacked
  • 26. Overwhelmed yet? photo by Flickr user andresthor
  • 27. VaultPress ● Paid service offered by Automattic to backup, scan, and protect your WordPress website ● Makes it easy to restore site backups ● Worth it if you don't have the time or want to manage things yourself
  • 28. Once more ● Your site can be better protected with just a little effort ● It's all about raising the bar! ● Backups, backups, backups!
  • 29. Thank You! Questions? David Wilemski @davidwilemski