WordPress Security Best Practices
Brennen Byrne, @brennenbyrne
Sam Hotchkiss, @hotchkissconsulting

How to make your site impossible to hack:
Delete it.

This talk is for the rest of you.

For the next 100 minutes, we’ll cover the:
• 5 Rules
• 4 Tools and
• 3 Important Habits
to keep your site safe.
Sam Hotchkiss
I run a WordPress agency in Bath, Maine and am the lead developer for the WordPress security plugin BruteProtect.

Brennen Byrne
I’m one of the founders of Clef, a security plugin for WordPress that lets you log in without a password.

WordPress Security Best Practices
Brennen Byrne, @brennenbyrne
Sam Hotchkiss, @hotchkissweb

Slides: getclef.com/wordcamp-security
Checklist: getclef.com/wordpress-security-checklist
Who attacks and why?
It’s not usually because they want to be friends.

pharma / affiliate: if you’re not using Akismet, you know these well
link injection: SEO hacking at its worst
hacktivists: Syrian Electronic Army, lulzsec, anonops, etc.
drive-by download: you’re just the host
redirects: pretty much just hijacking your site
How do they attack?
Know your own weaknesses.

XSS (cross-site scripting): comments or posts that attack other visitors to your site
CSRF (cross-site request forgery): once you’re authenticated, other sites can pretend to be you
brute force: how many tries does it take to guess your password?
brute force + botnet: how long does it take an army to guess your password?
server breach: sites where you log in store your password (even though they shouldn’t…). What happens if they mess up?
bucket brigade: an attacker sits between you and a site you log in to; when you send your password, they read it before passing it on
but really: insecure plugins and themes. WordPress core has a team of security experts looking for these flaws all the time. Most plugins do not.
Do you need to worry?
Some people think that their site is too small to be attacked.

WordPress is 20% of the web: most attackers are counting on a small success rate across a huge number of sites.
Bots attack every site: BruteProtect blocked more than 20m attacks last year, and it’s on less than 0.01% of WordPress sites.
Botnet economics: one small site infects hundreds of users, who will help infect more, bigger sites.
Now, The Rules
The first rule of WordPress is…

1. Respect your passwords
“password” doesn’t cut it anymore.
Require strong passwords, if you use them at all.
Don’t email them to anyone, ever.
Don’t submit them without SSL on public wifi, or even private wifis that you don’t know that well.

2. Respect admin
Even if you don’t respect your administrators.
Keep admin separate: only use it when you need it.
Change the db table prefix: wp-avoidinghackersallday_users > wp_users
Make admin something other than “admin”: why make things easier?

3. Sanitize user input
You don’t know where it’s been.
Do not write your own SQL, or, if you do, clean it carefully before you use it.
Validate data before you display it: avoid running hack.js in your users’ browsers.
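Added example, not from the slides or from the BruteProtect or Clef plugins: Rule 3 and the CSRF point from “How do they attack?” shown in WordPress PHP. A hypothetical admin feature that stores and lists “notes” is written first with the flaws the talk names (hand-written SQL built from $_POST, raw output, no request check), then with WordPress’ own helpers; the notes table, the notes_save nonce action and the function names are assumptions.

```php
<?php
// Added example, not from the slides. The "notes" table, the 'notes_save'
// nonce action and the function names are assumptions; the helpers are WordPress'.

// --- BEFORE: the mistakes Rule 3 warns about --------------------------
function notes_save_unsafe() {
    global $wpdb;
    // No nonce/capability check: a page an admin merely visits can submit this (CSRF).
    // SQL glued from $_POST: a quote in "body" ends the string and the rest runs as SQL.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}notes (body) VALUES ('" . $_POST['body'] . "')" );
}

function notes_show_unsafe() {
    global $wpdb;
    // Rows echoed raw: a stored <script> runs in every visitor's browser (the slide's hack.js).
    foreach ( $wpdb->get_results( "SELECT body FROM {$wpdb->prefix}notes" ) as $row ) {
        echo '<li>' . $row->body . '</li>';
    }
}

// --- AFTER: same feature, letting WordPress do the cleaning -----------
function notes_save_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // The form must carry wp_nonce_field( 'notes_save' ); a forged request
    // from another site cannot know that token, so CSRF stops here.
    check_admin_referer( 'notes_save' );
    $body = sanitize_textarea_field( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $body ) {
        return;
    }
    // $wpdb->insert() quotes and escapes the value itself: no hand-written SQL.
    $wpdb->insert( $wpdb->prefix . 'notes', array( 'body' => $body ), array( '%s' ) );
}

function notes_show_safe() {
    global $wpdb;
    // Anything user-controlled that must end up in SQL goes through prepare().
    $limit = absint( $_GET['limit'] ?? 10 );
    $sql   = $wpdb->prepare( "SELECT body FROM {$wpdb->prefix}notes ORDER BY id DESC LIMIT %d", $limit );
    $rows  = $wpdb->get_results( $sql );
    foreach ( $rows as $row ) {
        // Escape at output time: a stored "<script>" is shown as text, not run.
        echo '<li>' . esc_html( $row->body ) . '</li>';
    }
}
```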
4. Disclose responsibly
And quietly.

Tools
Not that kind of tool.
SFTP: whichever you like
BruteProtect: awesome
Clef: also awesome
Cloak: because WiFi is dangerous! (This only works for Mac users.)
Important habits
Good security hygiene.
Check for SSL: look for the little lock before typing anything.
Use different passwords: more important than using individually strong ones. Better yet… don’t use passwords at all.
Use a password manager: computers have better memories for this kind of stuff.
Don’t trust new senders: .exe and .zip should be feared.
Educate your clients: it’s your responsibility (and will save you a lot of headache).
Cleaning up
How do you recover after your site gets compromised?
First step: change all of your passwords — admin, users, host, keys, everything you can.
Save wp-content: copy the folder of your actual content.
Scan your local machine: make sure your computer is not infected.
Burn it with fire: /www, cron, plugins and themes.
Fresh install: you can restore a backup or save old themes, but nothing works as well as starting from scratch.
Re-add wp-content: get back the things you’ve created.
Last step: change all of your passwords — admin, users, host, everything you can.
Slides: getclef.com/wordcamp-security
Checklist: getclef.com/wordpress-security-checklist

Questions
http://getclef.com/wordpress-security-checklist
The slides for Brennen Byrne and Sam Hotchkiss' talk on WordPress security best practices at WordCamp Phoenix 2014.
