The slides for Brennen Byrne and Sam Hotchkiss' talk on WordPress security best practices at WordCamp Phoenix 2014.

1. WordPress Security
Best Practices
Brennen Byrne
@brennenbyrne
Sam Hotchkiss
@hotchkissconsulting

2. How to make your site
impossible to hack:

3. Delete it.

4. This talk is for the rest
of you.

5. For the next 100 minutes,
we’ll cover the:
5 Rules
• 4 Tools and
• 3 Important Habits
•
To keep your site safe.

6. Sam Hotchkiss
I run a WordPress agency in Bath, Maine and am the lead
developer for the WordPress security plugin BruteProtect.

7. Brennen Byrne
I’m one of the founders of Clef, a security plugin for
WordPress that lets you log in without a password.

8. WordPress Security
Best Practices
Brennen Byrne
@brennenbyrne
Sam Hotchkiss
@hotchkissweb

9. Slides
getclef.com/wordcamp-security
Checklist
getclef.com/wordpress-security-checklist

10. Who attacks and why?
it’s not usually because they want to be friends

11. pharma / affiliate
if you’re not using akismet, you know these well

12. link injection
SEO hacking at its worst

13. hacktivists
Syrian Electronic Army, lulzsec, anonops, etc.

14. drive by download
you’re just the host

15. redirects
pretty much just hijacking your site

16. How do they attack?
know your own weaknesses

17. XSS
cross site scripting: comments or posts that
attack other visitors to your site

18. CSRF
cross site request forgery: once you’re
authenticated, other sites can pretend to be you

19. brute force
how many tries does it take to guess
your password?

20. brute force + botnet
how long does it take an army to guess your
password?

21. server breach
sites where you log in store your password.
(even though they shouldn’t…)
what happens if they mess up?

22. bucket brigade
an attacker sits between you and a site you log in to, when
you send your password, they read it before passing it on

23. but really, insecure
plugins and themes
WordPress core has a team of security experts looking
for these flaws all the time. Most plugins do not.

24. Do you need to worry?
some people think that their site is too small to be
attacked

25. WordPress is 20% of
the web
most attackers are counting on a small success
rate across a huge number of sites

26. Bots attack every site
BruteProtect blocked more than 20m attacks last
year, and it’s on less than 0.01% of WordPress sites

27. Botnet Economics
one small site infects hundreds of users, who will
help infect more, bigger sites

28. Now, The Rules
The first rule of WordPress is…

29. 1.
Respect your
passwords
“password” doesn’t cut it anymore

30. Require strong
passwords
if you use them at all

31. Don’t email them
to anyone, ever.

32. Don’t submit them
without SSL on public wifi
or even private wifis that you don’t know that well

33. 2.
respect admin
even if you don’t respect your administrators

34. keep admin separate
only use it when you need it

35. change db table
prefix
wp-avoidinghackersallday_users
>
wp_users

36. make admin
something other than
“admin”
why make things easier?

37. 3.
Sanitize user input
you don’t know where it’s been

38. do not write your own
SQL
or, if you do, clean it carefully before you use it

39. validate data before
you display it
avoid running hack.js in your users’ browsers

40. 4.
Disclose Responsibly
and quietly

41. Tools
not that kind of tool

42. SFTP
whichever you like

43. BruteProtect
awesome

44. Clef
also awesome

45. Cloak
because WiFi is dangerous
!
(this only works for Mac users)

46. Important habits
good security hygiene

47. check for ssl
look for the little lock before typing anything

48. use different
passwords
more important than using individually strong
ones
!
better yet… don’t use passwords at all

49. use a password
manager
computers have better memories for this kind of stuff

50. don’t trust new
senders
.exe and .zip should be feared

51. educate your clients
it’s your responsibility (and will save you a lot of
headache)

52. Cleaning up
how do you recover after your site gets
compromised?

53. first step
change all of your passwords — admin, users,
host, keys, everything you can

54. save wp-content
copy the folder of your actual content

55. scan your local
machine
make sure your computer is not infected

56. burn it with fire
/www, chron, plugins and themes

57. fresh install
you can restore a backup, save old themes, but
nothing works as well as starting from scratch

58. re-add wp-content
get back the things you’ve created

59. last step
change all of your passwords — admin, users,
host, everything you can

60. Slides
getclef.com/wordcamp-security
Checklist
getclef.com/wordpress-security-checklist

61. Questions
http://getclef.com/wordpress-security-checklist