WordCamp 2012 WordPress Security: No Nonsense Edition
  1. WordPress Security: No Nonsense Edition. Michael R. McNeill, Power Users Track, WordCamp Raleigh 2012, Saturday, November 3rd, 2012. @michaelrmcneill #WCRaleigh
  2. A little about myself... Lovely girlfriend, Allie, who is with me today. From Wilkesboro, NC, right below Boone, NC. First-Year at the University of North Carolina at Chapel Hill with an intended business major. GO HEELS! Owner of Connected Site Solutions and Partner in Digital Strategy Works. I LOVE WORDPRESS! I’ve been using it for almost 3 years now and I wouldn’t use anything else. I currently work for Apple, Inc. and I truly love both the product and relationship we create! I’ve worked on exciting and wide ranging projects, such as Black Enterprise Magazine, DVJ Media, WiredHoods, and MAXI Promotion and Records. I’ve also contracted for DRS Technologies, the United States Department of Defense, and numerous other companies.
  3. A quick note... A question that is going to run through your head at some point in time in this presentation is “Why use WordPress when you have to do all this work to secure it?” The short answer to that is all web sites, content management systems, and web applications can and will have vulnerabilities. (Many of which are much, much, much, much worse than WordPress.) This presentation could scare you ****less, but this is really scary stuff. Sugarcoating it just makes it easier to ignore.
  4. WordPress Security 101. First and foremost, congratulations on using WordPress! You’ve picked the most popular content management system on the planet! Security is taken very seriously in the WordPress community, but no matter what the contributors to the project do, there is always going to be someone attacking both documented and undocumented vulnerabilities on WordPress sites. Although there can be no guarantees of complete immunity, I’m going to help you do everything possible to secure all the sites you maintain.
  5. Myths...
  6. Myth 1: WordPress is not secure.
  7. This is not true. The WordPress core is in fact very secure, and when an issue arises, the core team is quick to patch the vulnerability and push the fix to end users.
  8. Myth 2: Nobody would want to hack my* site. (*clients included)
  9. Most hacking attempts are automated and are rarely related to personal or political motives. Almost all the attacks I see have financial motives. Maybe you’re thinking, “I don’t have any sensitive information. What could they possibly steal from my site?” Emails, usernames, passwords. And even worse, your reputation.
  10. Myth 3: My WordPress site is 100% secure.
  11. No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.
  12. Myth 4: I only use themes and plugins from the WordPress repos, so they must be secure.
  13. Although WordPress plugins and themes are reviewed before being added, that doesn’t prevent them from having vulnerabilities and bugs. Even the best programmers make mistakes.
  14. Myth 5: I paid $35.00 for a premium theme from ThemeForest. Since it was “premium” it must be secure.
  15. If you purchase a theme from somewhere like ThemeForest, be wary. I’ve seen numerous themes from ThemeForest come with embedded malware in the code, infecting your and your clients’ computers. If you do purchase a theme from ThemeForest or a site like it, thoroughly examine it to ensure that there is not any code that does not belong. When in doubt, contact a trusted developer.
  16. Myth 6: Updating WordPress core, plugins, and themes isn’t urgent. They can wait.
  17. You need to keep WordPress core, plugins, and themes updated at all times. Whenever a security update is released, the entire internet can see what the problem is and how to exploit it. This obviously exposes any site that has not been updated.
  18. Hosting...
  19. What does WordPress need to run? The LAMP stack: Linux (operating system), Apache (web server), MySQL (database server), and PHP (scripting language). All of these can and do have numerous vulnerabilities. Keeping your own systems up to date is not an easy task, which is why most people (myself included) work with a web host to host their sites.
  20. Who is your host? How do you connect to your server: through FTP, SFTP, SSH, Plesk, cPanel, etc.? What security does your host provide? Do they offer advanced services to provide further protection? What will your host do if you get hacked? Will they shut you down or lock your account? Does your host have a good track record? Does your host have 24/7 support?
  21. How do we protect ourselves?
  22. PASSWORDS... Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many password generators are available that can be used to create secure passwords. Things to avoid when choosing a password:
      - Any combination of your own real name, username, company name, or name of your website.
      - A word from a dictionary, in any language.
      - A short password.
      - Any numeric-only or alphabetic-only password (a mixture of both is best).

      A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server and ruin your reputation.
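The rules on slide 22 turned into a checker, as an added example that is not part of the talk. It is a POSIX shell function that rejects a candidate password if it is short, numeric-only, alphabetic-only, contains the owner's real name, username or site name, or is a word from a dictionary. The 12-character minimum, the sample word list and the name/username/site arguments are assumptions, since the slide sets no exact threshold.

```shell
#!/bin/sh
# Added example (not from the slides): check a candidate password against the
# "things to avoid" list on slide 22. The word list below is a constructed sample;
# a real check would read /usr/share/dict/words or similar.
DICT="password welcome monkey dragon letmein raleigh wordpress secret"

# check_password PASSWORD "Real Name" USERNAME SITENAME
# Returns 0 if the password passes every rule, 1 otherwise; prints each failing rule to stderr.
check_password() {
    pw=$1; realname=$2; username=$3; sitename=$4
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    ok=0

    # Rule: no short passwords (12 is an assumed threshold; the slide gives none).
    if [ "${#pw}" -lt 12 ]; then
        echo "too short (${#pw} chars)" >&2; ok=1
    fi
    # Rule: not numeric-only (a non-digit anywhere in the string is enough).
    case "$pw" in
        *[!0-9]*) ;;
        *) echo "numeric-only" >&2; ok=1 ;;
    esac
    # Rule: not alphabetic-only.
    case "$pw" in
        *[!A-Za-z]*) ;;
        *) echo "alphabetic-only" >&2; ok=1 ;;
    esac
    # Rule: no real name, username, company or site name, as a case-insensitive substring.
    # Each argument is split on whitespace so "Michael McNeill" checks both words.
    for ident in $realname $username $sitename; do
        id_lower=$(printf '%s' "$ident" | tr 'A-Z' 'a-z')
        [ "${#id_lower}" -ge 3 ] || continue      # ignore trivially short tokens
        case "$lower" in
            *"$id_lower"*) echo "contains '$ident'" >&2; ok=1 ;;
        esac
    done
    # Rule: no dictionary word (whole-password, case-insensitive match).
    for w in $DICT; do
        [ "$lower" = "$w" ] && { echo "dictionary word" >&2; ok=1; }
    done
    return $ok
}

# When run as a script with four arguments, report the verdict.
if [ $# -ge 4 ]; then
    if check_password "$@"; then echo "OK"; else echo "REJECTED"; fi
fi
```

Each failing rule is reported separately, so a password that is both short and numeric-only produces two lines; this is more useful than a bare yes/no when explaining to a client why a password was refused.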
  23. Look to your computer... Make sure to have anti-malware software installed on your computer, no matter if it is Windows, Mac OS X, or Linux. ALL computers can get some type of malware, and that can lead to an infected site. Always keep your operating system and the software on it, especially your web browser and SFTP/SSH/FTP client, up to date in order to protect against security vulnerabilities.
  24. Connecting to your site... SFTP/SSH is greatly preferred over standard FTP. If you must use FTP, check if your host offers FTP-SSL. Your SFTP/SSH/FTP username and password SHOULD NOT be the same as your WordPress administration username or password. You don’t need to log in as the administrator/root user all the time. Less access means less to exploit. Use isolated SFTP/SSH/FTP accounts that can only access certain necessary parts of the site.
  25. User restrictions are important! Everyone DOES NOT need to be an administrator. Focus on the role that you are assigning users: only assign the role they NEED at the current time; you can always change their permissions later. Get rid of generic account names (e.g. admin, administrator, root, etc.) and use something custom. Create two accounts for yourself: one administrator account for managing and administering the site, and another for common tasks. Everyone DOES NOT need to access the site via SFTP/SSH/FTP.
  26. Backup, Backup, Backup... You must back up your site! Your WordPress database contains every post, every comment and every link you have on your blog. If something goes wrong, you will lose everything you have ever written. There are many reasons why this could happen, and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal. You should be backing up at least once a week and storing one backup per month off the main web server (either on your computer or with a cloud storage provider like Amazon Web Services). Disaster will strike at some point in time and you need to be in a position to take action when it happens. Spending a few minutes to set up an easy, convenient backup of your site will make your life much easier in the long run.
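A backup script that follows the policy on slide 26 (weekly backups, one copy per month kept long term), as an added example that is not part of the talk or of any plugin it names. The database credentials are read from wp-config.php so they are never duplicated into a cron file; the site path, backup directory, 5-week window and the sample wp-config.php values are assumptions, and DB_HOST is passed through as written (no host:port handling).

```shell
#!/bin/sh
# Added example (not from the talk): weekly database + file backup for a WordPress
# site with monthly copies retained, following slide 26.

# wp_config_value FILE NAME: print the value of define('NAME', 'value') from wp-config.php
# (single- or double-quoted). Empty output means the constant was not found.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# keep_backup YYYYMMDD CUTOFF: return 0 if a backup with that date stamp should be kept,
# i.e. it is not older than the cutoff (the weekly window) or it was taken on the 1st of
# a month (the long-term monthly copy the slide asks for).
keep_backup() {
    stamp=$1; cutoff=$2
    [ "$stamp" -ge "$cutoff" ] && return 0
    case "$stamp" in *01) return 0 ;; esac
    return 1
}

# prune_backups DIR CUTOFF: delete archives in DIR that fall outside the policy.
prune_backups() {
    for f in "$1"/wp-backup-*.tar.gz; do
        [ -e "$f" ] || continue
        stamp=$(printf '%s' "$f" | sed 's/.*wp-backup-\([0-9]\{8\}\).*/\1/')
        keep_backup "$stamp" "$2" || rm -f "$f"
    done
}

# run_backup WP_DIR OUT_DIR CUTOFF: dump the database and archive wp-content plus
# wp-config.php (it holds the salts and DB settings), then apply the retention policy.
# The DB password goes into a mode-0600 options file, not the command line, because
# command lines are visible to every user on the server through ps.
run_backup() {
    wp=$1; out=$2; stamp=$(date +%Y%m%d)
    cfg="$wp/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    cnf=$(mktemp) && chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_PASSWORD)" \
        "$(wp_config_value "$cfg" DB_HOST)" > "$cnf"
    mkdir -p "$out"
    mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" > "$out/db-$stamp.sql"
    rm -f "$cnf"
    tar -czf "$out/wp-backup-$stamp.tar.gz" -C "$wp" wp-content wp-config.php -C "$out" "db-$stamp.sql"
    rm -f "$out/db-$stamp.sql"
    prune_backups "$out" "$3"
}

# Usage from a weekly cron job (assumed paths; the cutoff expression needs GNU date):
#   run_backup /var/www/example /srv/backups "$(date -d '5 weeks ago' +%Y%m%d)"
# Then copy the newest wp-backup-*.tar.gz off the server, as the slide advises.
```

The archive is written on the same server first because the slide's point is that the off-server copy is what survives a compromise or a disk failure; the copy step (scp, rsync, or an S3 client) is deliberately left to the host's tooling. A backup that has never been restored is untested, so restore one into a scratch database at least once.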
  27. Kill PHP execution permissions. Try this in an .htaccess file in your ~/wp-includes/ and ~/wp-content/uploads/ folders. Be aware, it could break your theme and/or plugins, so try it and if it breaks anything, delete it.

      ```apache
      # PROTECT PHP EXECUTION
      <Files *.php>
      Order Allow,Deny
      Deny from all
      </Files>
      ```
  28. Disable plugin/theme editing. Add this to your wp-config.php file before the line “/* That's all, stop editing! Happy blogging. */”.

      ```php
      # Disable Plugin and Theme Editor
      define('DISALLOW_FILE_EDIT', true);
      ```
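The two file-level hardening steps from slides 27 and 28 as one rerunnable script, added here as an example that is not part of the talk. Both steps are idempotent so the script can run after every core update, and a check function confirms the define landed above the "stop editing" marker, since a define placed below it is never read by WordPress. The site path is an assumption.

```shell
#!/bin/sh
# Added example (not from the talk): apply slides 27 and 28 to a WordPress install.

# Slide 27: append an .htaccess block that denies direct requests for PHP files in DIR.
# Apache 2.2 syntax as on the slide; "Order" takes a single comma-separated argument.
protect_php_execution() {
    dir=$1
    grep -qs 'PROTECT PHP EXECUTION' "$dir/.htaccess" && return 0   # already applied
    cat >> "$dir/.htaccess" <<'EOF'
# PROTECT PHP EXECUTION
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
EOF
}

# Slide 28: insert define('DISALLOW_FILE_EDIT', true); just above the "stop editing"
# marker, unless wp-config.php already mentions it. The file is rewritten in place
# (cat > file rather than mv) so its owner and permissions are preserved.
disable_file_edit() {
    cfg=$1
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    tmp=$(mktemp)
    awk '/stop editing!/ && !done {
             print "# Disable Plugin and Theme Editor"
             print "define('\''DISALLOW_FILE_EDIT'\'', true);"
             done = 1
         }
         { print }' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Line numbers (1-based) of the define and of the marker, for verifying the order.
file_edit_line() { grep -n 'DISALLOW_FILE_EDIT' "$1" | head -n 1 | cut -d: -f1; }
marker_line()    { grep -n 'stop editing!' "$1" | head -n 1 | cut -d: -f1; }

# harden_site WP_DIR: run both steps. wp-includes is covered too, as the slide
# suggests, with the same caveat that a theme or plugin may break and need it removed.
harden_site() {
    protect_php_execution "$1/wp-content/uploads"
    protect_php_execution "$1/wp-includes"
    disable_file_edit "$1/wp-config.php"
}
# Usage (assumed path): harden_site /var/www/example
```

Running `harden_site` twice leaves exactly one copy of each block, which is the property you want for anything triggered from a deploy hook; the check functions make the "before the marker" requirement testable instead of something to eyeball.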
  29. Move the wp-config.php file. To add an extra layer of protection, you can move the wp-config.php file up one directory. This protects you if your PHP handler gets broken or modified in some way, and will prevent your DB information from being exposed.
  30. Use salts. Use the online generator (secret-key/1.1/salt/) to generate salts, and place them in your wp-config.php file. For example:

      ```php
      define('AUTH_KEY', '=(jUjXE=,sZxY-+@_YX]OyDuo-`%}eQeQ jE-A-ZHo`A,B%*D+^3@~&5%X!>+&R+');
      define('SECURE_AUTH_KEY', '6e)tLmd#ogG8@|)A8UNhl%Ql+gNR++Frg,#am4_rWY9)bcT$uk]`g7`FA(2%AIn9');
      define('LOGGED_IN_KEY', 'bkW+7S+-Fsk y&A|gl{D=|Yv3h,U5uj,72{0%/& R/8VRzGM9_!?l])rw,');
      define('NONCE_KEY', 'Y4 HXcx6t|3-2%&[/daW~V%QK<{KxH<|SVf|otwbh(9U-!RpY^7sbds+qWC4dISb');
      define('AUTH_SALT', 'x[Tl$wtoJ]FKZawPiR&m%etK%.!N=8;?5?NUZO*g.mUL;6.v`biw+Z%DkL[2sp*&');
      define('SECURE_AUTH_SALT', '~JO0w%;$jrM}<n1+T)R:lM1-+y;n7F86*5)JDe@YqdL]6I@<I9Ve8R[Y&Kz?H{O&');
      define('LOGGED_IN_SALT', 'x6aoLDs:NO]%uF(N|G`iK{$#j.*&.0hL)C:C&dHwP*&X[k|h<oeI}b$b4l175/nB');
      define('NONCE_SALT', ' 9L[)xS=-<^YKV/d~JUA28Q]k;ibu#yB|%mMOG98:gwiD*`FZem%yHaq+NyyKD0<');
      ```
  31. Secure wp-includes. Place the code below outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file in ~/wp-includes/.

      ```apache
      # Block the include-only files.
      RewriteEngine On
      RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      ```
  32. Change the database prefix. Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks. You can change it with this plugin: Once you use that plugin to change the prefix, go into your wp-config.php file and change the line `$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!` to reflect what you selected through the plugin.
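The manual version of the prefix change on slide 32, for sites where a plugin cannot be used, added here as an example that is not part of the talk or of the plugin it refers to. Renaming the tables is the visible part; the step people miss is that the prefix is also stored as data, in the `wp_user_roles` option and in each user's `wp_capabilities` / `wp_user_level` meta keys, and if those rows are not rewritten every user loses their role after the rename. The new prefix and table list are constructed sample input; the SQL is MySQL syntax.

```shell
#!/bin/sh
# Added example (not from the talk): generate the SQL for a table-prefix change and
# rewrite the $table_prefix line in wp-config.php. Take a database backup first.

# valid_prefix PREFIX: only letters, digits and underscores, as the wp-config.php comment demands.
valid_prefix() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# prefix_rename_sql OLD NEW TABLE...: print the statements to run. TABLE... are the
# current names (in practice the output of SHOW TABLES LIKE 'wp\_%'); every name must
# start with OLD. Besides the RENAMEs, the two places that hold the prefix as data are
# rewritten: the user_roles option and the per-user capability/level meta keys.
prefix_rename_sql() {
    old=$1; new=$2; shift 2
    valid_prefix "$old" && valid_prefix "$new" || return 1
    for t in "$@"; do
        case "$t" in "$old"*) ;; *) return 1 ;; esac
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}"
    done
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # SUBSTRING is 1-based, so position LENGTH(old)+1 is the first character after the prefix.
    # Underscores in the LIKE pattern are escaped, because '_' is a single-character wildcard.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$((${#old} + 1))" "$(printf '%s' "$old" | sed 's/_/\\_/g')"
}

# set_table_prefix FILE NEW: rewrite the $table_prefix = '...'; line in wp-config.php,
# keeping the trailing comment and the file's permissions.
set_table_prefix() {
    valid_prefix "$2" || return 1
    tmp=$(mktemp)
    sed "s/^\([[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]/\1'$2'/" "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage (assumed values): review the SQL, run it, then update wp-config.php.
#   prefix_rename_sql wp_ x7q_ wp_posts wp_options wp_usermeta   # ... all wp_ tables
#   set_table_prefix /var/www/example/wp-config.php x7q_
```

Do the SQL and the wp-config.php edit back to back: between the two the site cannot find its tables, and if only the first half is done a page load shows the install screen, which is the usual sign that the usermeta/options rewrite or the config line was forgotten.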
  33. Implement CloudFlare. A little about CloudFlare: CloudFlare protects and accelerates any website online by taking control of your DNS and separating your DNS from your domain registrar. Once your website is a part of the CloudFlare community, its web traffic is routed through their intelligent global network. They automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. They also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.
  34. Plugins...
  35. Wordfence (Pro version: $17.95 per year). Wordfence scans your site for viruses, malware, trojans and malicious links, protects your site against scrapers, aggressive robots and fake Googlebots, protects against brute force attacks, and much, much more. Duo Two-Factor Mobile Authentication (first 10 users free, then $3.00 per user per month): Duo Security enables your users to secure their logins with their phones.
  36. VaultPress (starts at $15.00 per month): VaultPress provides real-time, continuous backup and synchronization of every post, comment, media file, revision and dashboard setting. BackupBuddy (starts at $75.00): Back up your entire WordPress installation and move it, store it, and restore it as much as you’d like!
  37. Know what to do if the inevitable happens... Stay calm! You are going to be upset, but panicking and being frantic about the situation just makes things worse. Visit these sites: wordpress-site-using-wordfence/ If you are lost, or at any point in time feel uncomfortable with what you are doing, STOP and contact a professional (like myself) to get your issues resolved. It might cost a few pennies, but it will be worth avoiding the headache, wasted time, and frustration in the end.
  38. Who do you recommend I host with? I host all my sites with Media Temple, and I recommend you do the same. Because I trust them with my sites, you know you can trust them with yours. If you do decide to sign up, here is a coupon code for 15% off (gs) Grid-Service: kirupa07. The link to sign up is here: (DISCLAIMER: this gives me affiliate credit.)
  39. Contact info. Michael R. McNeill, Connected Site Solutions, 336.818.9540