WordCamp 2012 WordPress Security: No Nonsense Edition
Michael R. McNeill's WordCamp 2012 presentation on "WordPress Security: No Nonsense Edition".


  1. WordPress Security: No Nonsense Edition
     Michael R. McNeill, Power Users Track, WordCamp Raleigh 2012, Saturday, November 3rd, 2012. @michaelrmcneill #WCRaleigh
  2. A little about myself... Lovely girlfriend, Allie, who is with me today. From Wilkesboro, NC, right below Boone, NC. First-year at the University of North Carolina at Chapel Hill with an intended business major. GO HEELS! Owner of Connected Site Solutions and Partner in Digital Strategy Works. I LOVE WORDPRESS! I've been using it for almost 3 years now and I wouldn't use anything else. I currently work for Apple, Inc. and I truly love both the product and the relationship we create! I've worked on exciting and wide-ranging projects, such as Black Enterprise Magazine, DVJ Media, WiredHoods, and MAXI Promotion and Records. I've also contracted for DRS Technologies, the United States Department of Defense, and numerous other companies.
  3. A quick note... A question that is going to run through your head at some point in this presentation is "Why use WordPress when you have to do all this work to secure it?" The short answer is that all web sites, content management systems, and web applications can and will have vulnerabilities. (Many of which are much, much, much, much worse than WordPress.) This presentation could scare you ****less, but this is really scary stuff. Sugarcoating it just makes it easier to ignore.
  4. WordPress Security 101. First and foremost, congratulations on using WordPress! You've picked the most popular content management system on the planet. Security is taken very seriously in the WordPress community, but no matter what the contributors to the project do, there is always going to be someone attacking both documented and undocumented vulnerabilities on WordPress sites. Although there can be no guarantees of complete immunity, I'm going to help you do everything possible to secure all the sites you maintain.
  5. Myths...
  6. Myth 1: WordPress is not secure.
  7. This is not true. The WordPress core is in fact very secure, and when an issue arises, the core team is quick to patch the vulnerability and push the fix to end users.
  8. Myth 2: Nobody would want to hack my* site. (*clients included)
  9. Most hacking attempts are automated and are rarely related to personal or political motives. Almost all the attacks I see have financial motives. Maybe you're thinking, "I don't have any sensitive information. What could they possibly steal from my site?" Emails, usernames, passwords. And even worse, your reputation.
  10. Myth 3: My WordPress site is 100% secure.
  11. No site that's accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.
  12. Myth 4: I only use themes and plugins from the WordPress repos, so they must be secure.
  13. Although WordPress plugins and themes are reviewed before being added, that doesn't prevent them from having vulnerabilities and bugs. Even the best programmers make mistakes.
  14. Myth 5: I paid $35.00 for a premium theme from ThemeForest. Since it was "premium" it must be secure.
  15. If you purchase a theme from somewhere like ThemeForest, be wary. I've seen numerous themes from ThemeForest come with embedded malware in the code, infecting your and your client's computer. If you do purchase a theme from ThemeForest or a site like it, thoroughly examine it to ensure that there is not any code that does not belong. When in doubt, contact a trusted developer.
  16. Myth 6: Updating WordPress core, plugins, and themes isn't urgent. It can wait.
  17. You need to keep WordPress core, plugins, and themes updated at all times. Whenever a security update is released, the entire internet can see what the problem is and how to exploit it, because the fix itself is public. This obviously exposes any site that has not been updated.
  18. Hosting...
  19. What does WordPress need to run? The LAMP stack:
      Linux - operating system
      Apache - web server
      MySQL - database server
      PHP - scripting language
      All of these can and do have numerous vulnerabilities. Keeping your own systems up to date is not an easy task, which is why most people (even myself) work with a web host to host their sites.
  20. Who is your host?
      How do you connect to your server? Through FTP, SFTP, SSH, Plesk, cPanel, etc.?
      What security does your host provide? Do they offer advanced services to provide further protection?
      What will your host do if you get hacked? Will they shut you down or lock your account?
      Does your host have a good track record?
      Does your host have 24/7 support?
  21. How do we protect ourselves?
  22. PASSWORDS... Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many password generators are available that can be used to create secure passwords.
      Things to avoid when choosing a password:
      Any combination of your own real name, username, company name, or name of your website.
      A word from a dictionary, in any language.
      A short password.
      Any numeric-only or alphabetic-only password (a mixture of both is best).
      A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server and ruin your reputation.
  23. Look to your computer... Make sure to have anti-malware software installed on your computer, no matter if it is Windows, Mac OS X, or Linux. ALL computers can get some type of malware, and that can lead to an infected site. Always keep your operating system and the software on it, especially your web browser and SFTP/SSH/FTP client, up to date in order to protect against security vulnerabilities.
  24. Connecting to your site... SFTP/SSH is greatly preferred over standard FTP. If you must use FTP, check if your host offers FTP-SSL. Your SFTP/SSH/FTP username and password SHOULD NOT be the same as your WordPress administration username or password. You don't need to log in as the administrator/root user all the time. Less access means less to exploit. Use isolated SFTP/SSH/FTP accounts that can only access the necessary parts of the site.
  25. User restrictions are important! Everyone DOES NOT need to be an administrator. Focus on the role that you are assigning users; only assign the role they NEED at the current time, since you can always change their permissions later. Get rid of generic account names (e.g. admin, administrator, root, etc.) and use something custom. Create two accounts for yourself, one administrator account for managing and administering the site, and a lower-privileged one for common tasks such as writing. Everyone DOES NOT need to access the site via SFTP/SSH/FTP.
  26. Backup, Backup, Backup... You must back up your site! Your WordPress database contains every post, every comment and every link you have on your blog. If something goes wrong, you will lose everything you have ever written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal. You should be backing up at least once a week and storing one backup per month off the main web server (either your computer or a cloud storage provider like Amazon Web Services). Disaster will strike at some point in time and you need to be in a position to take action when it happens. Spending a few minutes to set up an easy, convenient backup of your site will make your life much easier in the long run.
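The backup the slide describes, as an added example (this script is not from the presentation): it reads the database credentials out of wp-config.php, dumps the database, archives the files that cannot be re-downloaded (wp-config.php and wp-content), and prunes old local copies. Paths such as /var/www/example and /var/backups/example are assumed; DB_HOST is assumed to be a plain hostname, and the off-server copy is left to a scp or rsync step you add.

```shell
#!/bin/sh
# Added example: weekly WordPress backup (database dump + site files).
# Not part of the original slides; paths and the DB_HOST format are assumptions.
set -eu

# Read a define('NAME', 'value') constant out of wp-config.php.
# Assumes the single-quoted form WordPress ships; adjust the pattern for double quotes.
wp_config_value() {  # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Archive the files that are not reproducible from a fresh WordPress download:
# wp-config.php plus wp-content (uploads, themes, plugins).
wp_backup_files() {  # $1 = WordPress root, $2 = destination dir, $3 = date stamp
    out="$2/files-$3.tar.gz"
    tar -czf "$out" -C "$1" wp-config.php wp-content
    printf '%s\n' "$out"
}

# Dump the database with the credentials WordPress itself uses.
# --single-transaction gives a consistent InnoDB snapshot without locking tables.
# The password goes through MYSQL_PWD rather than argv, so it does not show in ps.
wp_backup_db() {  # $1 = WordPress root, $2 = destination dir, $3 = date stamp
    cfg="$1/wp-config.php"
    out="$2/db-$3.sql.gz"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
        --host="$(wp_config_value "$cfg" DB_HOST)" \
        --user="$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out"
    printf '%s\n' "$out"
}

# Delete local copies older than $2 days. The monthly off-server copy is the
# one that survives a compromised or dead host, so copy it elsewhere first.
wp_backup_prune() {  # $1 = destination dir, $2 = days to keep
    find "$1" -maxdepth 1 \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) \
        -mtime +"$2" -exec rm -f {} +
}

# Assumed usage from cron: wp_backup /var/www/example /var/backups/example
# Follow it with e.g. scp "$2"/*-"$stamp".* backup@offsite:wordpress/ for the off-box copy.
wp_backup() {  # $1 = WordPress root, $2 = destination dir
    stamp=$(date -u +%Y%m%d)
    mkdir -p "$2"
    chmod 700 "$2"    # the dump contains password hashes and the config the DB password
    wp_backup_files "$1" "$2" "$stamp"
    wp_backup_db "$1" "$2" "$stamp"
    wp_backup_prune "$2" 35
}
```

Restore is the reverse: extract the tarball over a clean WordPress download of the same version and load the dump with the mysql client. Test the restore on a scratch host before you need it; an untested backup is only a hope.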
  27. Kill PHP execution permissions. Put this in a .htaccess file in your ~/wp-includes/ and ~/wp-content/uploads/ folders. Uploads is the important one: it is the directory attackers write to when they get a file past an upload form, and nothing legitimate there needs to execute. Be aware that it could break your theme and/or plugins, so try it and if it breaks anything, delete it.
      #PROTECT PHP EXECUTION
      <Files *.php>
      Order Allow,Deny
      Deny from all
      </Files>
      Note that Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat these directives produce a 500 error, and the equivalent is the single directive Require all denied.
  28. Disable plugin/theme editing. Add this to your wp-config.php file before the "/* That's all, stop editing! Happy blogging. */" line. It removes the built-in code editor from the dashboard, so an attacker who gets an administrator session cannot simply paste a backdoor into a theme file from the browser.
      #Disable Plugin and Theme Editor
      define('DISALLOW_FILE_EDIT', true);
  29. Move the wp-config.php file. To add an extra layer of protection, you can move the wp-config.php file up one directory; WordPress looks for it there automatically. This protects you if your PHP handler gets broken or modified in some way (for example a misconfiguration that serves .php files as plain text), which would otherwise expose your database credentials. It only helps if that parent directory is outside the web root; if the parent is itself served by the web server, the file is just as reachable as before.
  30. Use salts. Use the online generator ( secret-key/1.1/salt/) to generate salts, and place them in your wp-config.php file. These eight values are mixed into every login cookie and nonce; changing them invalidates every existing session, which is exactly what you want after a compromise. The values below are the ones printed on the slide and have therefore been public since 2012: never reuse them, generate your own.
      define('AUTH_KEY', '=(jUjXE=,sZxY-+@_YX]OyDuo-`%}eQeQ jE-A-ZHo`A,B%*D+^3@~&5%X!>+&R+');
      define('SECURE_AUTH_KEY', '6e)tLmd#ogG8@|)A8UNhl%Ql+gNR++Frg,#am4_rWY9)bcT$uk]`g7`FA(2%AIn9');
      define('LOGGED_IN_KEY', 'bkW+7S+-Fsk y&A|gl{D=|Yv3h,U5uj,72{0%/& R/8VRzGM9_!?l])rw,');
      define('NONCE_KEY', 'Y4 HXcx6t|3-2%&[/daW~V%QK<{KxH<|SVf|otwbh(9U-!RpY^7sbds+qWC4dISb');
      define('AUTH_SALT', 'x[Tl$wtoJ]FKZawPiR&m%etK%.!N=8;?5?NUZO*g.mUL;6.v`biw+Z%DkL[2sp*&');
      define('SECURE_AUTH_SALT', '~JO0w%;$jrM}<n1+T)R:lM1-+y;n7F86*5)JDe@YqdL]6I@<I9Ve8R[Y&Kz?H{O&');
      define('LOGGED_IN_SALT', 'x6aoLDs:NO]%uF(N|G`iK{$#j.*&.0hL)C:C&dHwP*&X[k|h<oeI}b$b4l175/nB');
      define('NONCE_SALT', '9L[)xS=-<^YKV/d~JUA28Q]k;ibu#yB|%mMOG98:gwiD*`FZem%yHaq+NyyKD0<');
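Generating the keys locally instead of fetching them, as an added example (not from the slides): the secrets come from /dev/urandom on the server, so they are never sent over the network or cached by a browser, and the same script rotates them in place after an incident. It assumes the stock wp-config.php layout with the "That's all, stop editing" marker line.

```shell
#!/bin/sh
# Added example: generate and rotate the eight wp-config.php keys/salts locally.
# Not part of the original slides; assumes the stock wp-config.php layout.
set -eu

# One 64-character value from a set that excludes quotes, backslashes and
# whitespace, so it can sit inside single quotes in wp-config.php as-is.
wp_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?,.:;{}|~-' < /dev/urandom | head -c 64
}

# Emit the eight define() lines in the order WordPress documents them.
wp_salt_block() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(wp_salt)"
    done
}

# Replace the existing key/salt lines in a wp-config.php with fresh ones.
# Old definitions are dropped and the new block is inserted just before the
# "That's all, stop editing" marker. Every logged-in user is logged out as a
# result, which is the point when you rotate after a compromise.
# Writing through cat keeps the file's owner and permissions unchanged.
wp_rotate_salts() {  # $1 = path to wp-config.php
    block=$(wp_salt_block)
    tmp=$(mktemp)
    awk -v block="$block" '
        /^[[:space:]]*define\(.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)./ { next }
        /That.s all, stop editing/ && !done { print block; done = 1 }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}
```

Run wp_salt_block once to print values for a new install, or wp_rotate_salts /path/to/wp-config.php (an assumed path) to swap them on a live site. Make sure wp-config.php is not world-readable afterwards; a fresh set of salts in a file any local user can read buys nothing.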
  31. Secure wp-includes. Place the code below outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file in the site root. It must go in the root file, not in ~/wp-includes/.htaccess: the rules match paths relative to RewriteBase /, so inside wp-includes/ they would never match.
      # Block the include-only files.
      RewriteEngine On
      RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      The block returns 403 for direct requests to PHP files that are only meant to be included by WordPress. Check it with a request to /wp-includes/version.php after enabling it; if the site is a multisite install, the third rule also blocks wp-includes/ms-files.php and breaks uploaded images, so leave that line out there.
  32. Change the database prefix. Many published WordPress-specific SQL injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some automated SQL injection attacks. It is obscurity rather than a fix: an injection that can read information_schema will discover the new prefix, so treat it as a speed bump against mass scanners, not a substitute for patching. You can change it with this plugin:
      Once you use that plugin, go into your wp-config.php file and change the line
      $table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
      to reflect what you selected through the plugin.
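What such a plugin actually does, as an added example (not the plugin's code and not from the slides): renaming the tables is not enough, because WordPress also stores the prefix inside option names (wp_user_roles) and usermeta keys (wp_capabilities, wp_user_level and friends). The script below prints the SQL for review and rewrites $table_prefix in wp-config.php. The table list is the WordPress 3.x single-site core set; plugin tables and the prefix k7x_ are assumptions, and you run it against a fresh backup with the site in maintenance mode.

```shell
#!/bin/sh
# Added example: emit the SQL behind a table-prefix change and update wp-config.php.
# Not part of the original slides; the table list is the 3.x single-site core set.
set -eu

# Core single-site tables; append any plugin tables you find with SHOW TABLES.
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# Print the statements for renaming every table and fixing the prefixed keys.
# Renames come first because the UPDATEs address the tables by their new names.
wp_prefix_sql() {  # $1 = old prefix, $2 = new prefix
    old=$1
    new=$2
    # LIKE treats _ as a single-character wildcard, so escape it in the pattern.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    for t in $WP_CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # SUBSTRING is 1-indexed: start after the old prefix and prepend the new one.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$old_like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$old_like"
}

# Point wp-config.php at the new prefix, keeping the trailing comment and the
# file's owner/permissions (written through cat rather than mv).
wp_set_config_prefix() {  # $1 = path to wp-config.php, $2 = new prefix
    tmp=$(mktemp)
    sed "s/^\([[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]/\1'$2'/" "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Assumed usage: wp_prefix_sql wp_ k7x_ > change-prefix.sql   (review, then feed to mysql)
#                wp_set_config_prefix /var/www/example/wp-config.php k7x_
```

If the UPDATE on usermeta is skipped, every user loses their capabilities and the dashboard greets even the administrator with "You do not have sufficient permissions"; that symptom is the quickest way to tell a half-done prefix change.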
  33. Implement CloudFlare. A little about CloudFlare: CloudFlare protects and accelerates any website online by taking control of your DNS and separating your DNS from your domain registrar. Once your website is a part of the CloudFlare community, its web traffic is routed through their intelligent global network. They automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. They also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.
  34. Plugins...
  35. Wordfence (Pro version, $17.95 per year): Wordfence scans your site for viruses, malware, trojans and malicious links, protects your site against scrapers, aggressive robots and fake Googlebots, protects against brute force attacks, and much much more.
      Duo Two-Factor Mobile Authentication (first 10 users free, then $3.00 per user per month): Duo Security enables your users to secure their logins with their phones.
  36. VaultPress (starts at $15.00 per month): VaultPress provides realtime, continuous backup and synchronization of every post, comment, media file, revision and dashboard setting.
      BackupBuddy (starts at $75.00): Back up your entire WordPress installation and move it, store it, and restore it as much as you'd like!
  37. Know what to do if the inevitable happens... Stay calm! You are going to be upset, but panicking and being frantic about the situation just makes things worse. Visit these sites: wordpress-site-using-wordfence/ If you are lost, or at any point in time feel uncomfortable with what you are doing, STOP and contact a professional (like myself) to get your issues resolved. It might cost a few pennies, but it will be worth avoiding the headache, wasted time, and frustration in the end.
  38. Who do you recommend I host with? I host all my sites with Media Temple, and I recommend for you to do the same. Because I trust them with my sites, you know you can trust them with yours. If you do decide to sign up, here is a coupon code for 15% off (gs) Grid-Service (kirupa07). The link to sign up is here: (DISCLAIMER: this gives me affiliate credit.)
  39. Contact info. Michael R. McNeill, Connected Site Solutions, 336.818.9540