
WordPress Security Best Practices


The slides for Brennen Byrne and Sam Hotchkiss' talk on WordPress security best practices at WordCamp Phoenix 2014.

WordPress Security Best Practices

  1. WordPress Security Best Practices. Brennen Byrne (@brennenbyrne), Sam Hotchkiss (@hotchkissconsulting)
  2. How to make your site impossible to hack:
  3. Delete it.
  4. This talk is for the rest of you.
  5. For the next 100 minutes, we'll cover the 5 rules, 4 tools and 3 important habits to keep your site safe.
  6. Sam Hotchkiss: I run a WordPress agency in Bath, Maine, and am the lead developer for the WordPress security plugin BruteProtect.
  7. Brennen Byrne: I'm one of the founders of Clef, a security plugin for WordPress that lets you log in without a password.
  8. WordPress Security Best Practices. Brennen Byrne (@brennenbyrne), Sam Hotchkiss (@hotchkissweb)
  9. Slides; Checklist
  10. Who attacks and why? It's not usually because they want to be friends.
  11. Pharma / affiliate spam: if you're not using Akismet, you know these well.
  12. Link injection: SEO hacking at its worst.
  13. Hacktivists: Syrian Electronic Army, LulzSec, AnonOps, etc.
  14. Drive-by download: you're just the host.
  15. Redirects: pretty much just hijacking your site.
  16. How do they attack? Know your own weaknesses.
  17. XSS (cross-site scripting): comments or posts that attack other visitors to your site.
  18. CSRF (cross-site request forgery): once you're authenticated, other sites can pretend to be you.
  19. Brute force: how many tries does it take to guess your password?
  20. Brute force + botnet: how long does it take an army to guess your password?
  21. Server breach: sites where you log in store your password (even though they shouldn't…). What happens if they mess up?
  22. Bucket brigade (man-in-the-middle): an attacker sits between you and a site you log in to; when you send your password, they read it before passing it on.
  23. But really: insecure plugins and themes. WordPress core has a team of security experts looking for these flaws all the time. Most plugins do not.
  24. Do you need to worry? Some people think that their site is too small to be attacked.
  25. WordPress is 20% of the web. Most attackers are counting on a small success rate across a huge number of sites.
  26. Bots attack every site. BruteProtect blocked more than 20m attacks last year, and it's on less than 0.01% of WordPress sites.
  27. Botnet economics: one small site infects hundreds of users, who will help infect more, bigger sites.
  28. Now, the rules. The first rule of WordPress is…
  29. Rule 1: Respect your passwords. "password" doesn't cut it anymore.
  30. Require strong passwords, if you use them at all.
  31. Don't email them to anyone, ever.
  32. Don't submit them without SSL on public Wi-Fi, or even on private Wi-Fi that you don't know that well.
  33. Rule 2: Respect admin, even if you don't respect your administrators.
  34. Keep admin separate: only use it when you need it.
  35. Change the database table prefix: wp-avoidinghackersallday_users beats wp_users.
  36. Make the admin account something other than "admin". Why make things easier?
  37. Rule 3: Sanitize user input. You don't know where it's been.
  38. Do not write your own SQL, or, if you do, clean it carefully before you use it.
  39. Validate data before you display it: avoid running hack.js in your users' browsers.
  40. Rule 4: Disclose responsibly, and quietly.
  41. Tools (not that kind of tool).
  42. SFTP: whichever client you like.
  43. BruteProtect: awesome.
  44. Clef: also awesome.
  45. Cloak: because Wi-Fi is dangerous! (This only works for Mac users.)
  46. Important habits: good security hygiene.
  47. Check for SSL: look for the little lock before typing anything.
  48. Use different passwords: more important than using individually strong ones! Better yet… don't use passwords at all.
  49. Use a password manager: computers have better memories for this kind of stuff.
  50. Don't trust new senders: .exe and .zip attachments should be feared.
  51. Educate your clients: it's your responsibility (and will save you a lot of headache).
  52. Cleaning up: how do you recover after your site gets compromised?
  53. First step: change all of your passwords (admin, users, host, keys, everything you can).
  54. Save wp-content: copy the folder that holds your actual content.
  55. Scan your local machine: make sure your computer is not infected.
  56. Burn it with fire: /www, cron, plugins and themes.
  57. Fresh install: you can restore a backup and save old themes, but nothing works as well as starting from scratch.
  58. Re-add wp-content: get back the things you've created.
  59. Last step: change all of your passwords (admin, users, host, everything you can).
  60. Slides; Checklist
  61. Questions
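Slides 19, 20 and 26 describe password guessing from one machine and from a botnet. The following is an added example, written for this page and not code from the talk, from BruteProtect or from Clef: a minimal WordPress must-use plugin that counts failed logins per client address in a transient and refuses further attempts once a threshold is reached. The example_bf_ function names, the 5-attempt threshold and the 15-minute window are this example's own choices; everything else is standard WordPress API.

```php
<?php
/**
 * Plugin Name: Example: per-address login throttle (added illustration, not BruteProtect's code)
 *
 * Drop into wp-content/mu-plugins/ on a standard WordPress install. The "example_bf_"
 * prefix and the numbers below are assumptions of this example.
 */

define( 'EXAMPLE_BF_MAX_FAILURES', 5 );                       // failures allowed per window
define( 'EXAMPLE_BF_WINDOW', 15 * MINUTE_IN_SECONDS );       // sliding window length

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the proxy's address,
// so have the web server restore the real client address from a header you trust;
// do not read X-Forwarded-For here, since any client can forge it.
function example_bf_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Hash the address so the transient name has a fixed length and safe characters.
function example_bf_key( $ip ) {
    return 'example_bf_' . md5( $ip );
}

function example_bf_failure_count( $ip ) {
    return (int) get_transient( example_bf_key( $ip ) );
}

// Pure policy decision, kept separate from WordPress calls so it is easy to reason about.
function example_bf_is_locked( $failures, $max = EXAMPLE_BF_MAX_FAILURES ) {
    return $failures >= $max;
}

// Every failed login bumps the counter; re-setting the transient restarts the window.
function example_bf_record_failure( $username ) {
    $ip = example_bf_client_ip();
    set_transient( example_bf_key( $ip ), example_bf_failure_count( $ip ) + 1, EXAMPLE_BF_WINDOW );
}
add_action( 'wp_login_failed', 'example_bf_record_failure' );

// Priority 30 runs after core's username/password and email checks (priority 20), so a
// WP_Error returned here is the final verdict and cannot be replaced by a later filter.
function example_bf_authenticate( $user, $username, $password ) {
    if ( example_bf_is_locked( example_bf_failure_count( example_bf_client_ip() ) ) ) {
        // Same message whether or not the username exists: do not leak account names.
        return new WP_Error(
            'example_bf_locked',
            __( 'Too many failed login attempts from your address. Please try again later.', 'example' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_bf_authenticate', 30, 3 );

// A successful login clears the counter for that address.
function example_bf_clear( $user_login, $user ) {
    delete_transient( example_bf_key( example_bf_client_ip() ) );
}
add_action( 'wp_login', 'example_bf_clear', 10, 2 );
```

Because the check sits on the authenticate filter, it covers wp-login.php and XML-RPC logins alike. The trade-off of a purely local, per-address counter is the one slide 20 hints at: a botnet spreads its guesses over many addresses, so each one stays under the threshold, while a single office behind one NAT address can be locked out by one careless colleague. That is why a local throttle is a floor, not a substitute for strong or passwordless logins.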
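Slides 37 to 39 (sanitize input, do not write your own SQL, validate before display) and slide 18 (CSRF) are the rules a plugin author can act on directly. The following is an added example, written for this page and not code from the talk: the hand-written-SQL-plus-raw-echo pattern the slides warn against, shown only for contrast, beside a hardened version that sanitizes on input, lets $wpdb build the query, escapes on output, and protects a state-changing action with a nonce and a capability check. The shortcode name example_search, the q parameter, the admin-post action example_set_tagline and the example_ function prefix are this example's own choices; the WordPress functions used are real.

```php
<?php
/**
 * Plugin Name: Example: sanitize, prepare, escape (added illustration, not code from the talk)
 *
 * Drop into wp-content/mu-plugins/ on a standard WordPress install. The shortcode name,
 * the "q" parameter, the "example_set_tagline" action and the "example_" prefix are assumptions.
 */

// ---- The "before" form that slides 38 and 39 warn against; kept only for contrast, never wired up. ----
function example_search_vulnerable( $raw_query ) {
    global $wpdb;
    // Hand-written SQL with the request value spliced into the query text (slide 38).
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish'"
          . " AND post_title LIKE '%" . $raw_query . "%'";
    $rows = $wpdb->get_results( $sql );
    $out  = '';
    foreach ( (array) $rows as $row ) {
        // Title echoed unescaped (slide 39): markup stored in a title runs in every visitor's browser.
        $out .= '<li>' . $row->post_title . '</li>';
    }
    return '<ul>' . $out . '</ul>';
}

// ---- The hardened form: sanitize on input, let $wpdb build the SQL, escape on output. ----
function example_search_hardened( $raw_query ) {
    global $wpdb;

    // Input: undo WordPress's added slashes, strip tags and invalid UTF-8, cap the length.
    $query = substr( sanitize_text_field( wp_unslash( $raw_query ) ), 0, 100 );
    if ( '' === $query ) {
        return '<p>' . esc_html__( 'Enter a search term.', 'example' ) . '</p>';
    }

    // SQL: prepare() quotes and escapes each %s/%d itself, so user data never becomes query text;
    // esc_like() keeps a typed "%" or "_" from acting as a LIKE wildcard.
    $like = '%' . $wpdb->esc_like( $query ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s AND post_title LIKE %s LIMIT %d",
        'publish',
        $like,
        20
    );
    $rows = $wpdb->get_results( $sql );

    // Output: escape for the context each value lands in (element text vs. href attribute).
    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( (int) $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return '<ul>' . $out . '</ul>';
}

// [example_search] renders a GET form and, when "q" is present, the hardened search.
function example_search_shortcode() {
    $current = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $html    = '<form method="get"><input type="text" name="q" value="' . esc_attr( $current ) . '">'
             . '<button type="submit">' . esc_html__( 'Search', 'example' ) . '</button></form>';
    if ( '' !== $current ) {
        $html .= example_search_hardened( $current );
    }
    return $html;
}
add_shortcode( 'example_search', 'example_search_shortcode' );

// ---- CSRF (slide 18): a state-changing action needs a nonce and a capability check. ----
// The nonce ties the submission to this site and this user's session, so another site the
// user is visiting cannot submit the form on their behalf.
function example_tagline_form() {
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="example_set_tagline">';
    $html .= wp_nonce_field( 'example_set_tagline', '_example_nonce', true, false );
    $html .= '<input type="text" name="tagline"><button type="submit">'
           . esc_html__( 'Save tagline', 'example' ) . '</button></form>';
    return $html;
}

function example_handle_set_tagline() {
    check_admin_referer( 'example_set_tagline', '_example_nonce' ); // dies if the nonce is missing or stale
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), '', array( 'response' => 403 ) );
    }
    $tagline = isset( $_POST['tagline'] ) ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) ) : '';
    update_option( 'blogdescription', $tagline );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_set_tagline', 'example_handle_set_tagline' );
```

The useful habit to take from the hardened half is that each layer has its own job: sanitize_text_field() normalises what comes in, $wpdb->prepare() decides how the value enters the query, and esc_html()/esc_attr()/esc_url() decide how it leaves into HTML. Skipping any one of them is how a plugin ends up as the "insecure plugins and themes" of slide 23.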