Re Bar Camp Presentation Wordpress Lamp Security 2010 06 17

A brief intro to some simple but effective things that
individual Wordpress site owners (and you don't have to be a
programmer) can do to keep hackers out of their site(s).

Published in: Technology


  1. Securing Wordpress & its underlying LAMP stack
     rICh morrow, Principal Engineer, quicloud.com
  2. An OGRE is like an ONION (or something like that… I want a parfait now)
       • Browser
       • Wordpress
       • PHP (Logic), MySQL (Database)
       • Apache (Web Server)
       • Linux (Operating System)
     6/17/10 RE Bar Camp Denver, rich@quicloud.com
  3. Vulnerabilities at each layer
       • Wordpress, poor Wordpress.
         - No core security team like Drupal
         - Popularity makes it a target
         - “ease of use” = “lack of security”
         - Contrib Modules can inject vulnerabilities
       • LAMP stack depends heavily on your host
         - You may or may not have control.
         - Even if you have control, each layer is a job unto itself.
         - Even the best hosts use “default” installs which are far from secure.
  4. Across all layers
       • Update & Patch religiously, or make sure someone is.
       • Only enable what you need (Wordpress or Apache modules, ports/services in Linux)
       • Passwords
         - Choose tough passwords & change them every 3 months or when contractors exit.
         - NEVER email or IM usernames & passwords together.
       • Install security products on every layer possible.
       • Schedule & plan 2-3 hrs at least quarterly (if not monthly) to review policies.
       • Back up before changes.
       • Assume you will be hacked at some point.
         - Set up monitoring to alert you w/i 5 minutes of a hack.
         - Back up religiously & test those backups.
         - Have at least 2-3 Wordpress &/or LAMP Security pros on call.
  5. Linux
       • Regularly scan for vulnerabilities with free products like Nessus, or get a $25 scan done with a provider like quicloud. Send “high” and “medium” vulnerabilities to your host or “Linux dude” & ask them to remediate.
       • Use SFTP, not FTP
       • Disable “Root” login and create different login accounts for each consultant.
       • Have a consultant install a “Denial of Service” or “DOS” prevention tool (like fail2ban), a monitoring system (like Nagios) and/or an IDS (like Snort).
  6. Apache
       • Make sure you have “mod_security” installed.
       • Make sure Apache is running as a distinct user (typically “apache”).
       • Disable “Root” login and create different login accounts for each consultant.
       • Make sure these are OFF: ‘DirectoryIndexes’, ‘ServerSignature’, ‘ServerTokens’, ‘ExecCGI’, ‘Server Side Includes’.
  7. PHP
       • Make sure there are no ‘phpinfo’ entries in any files (have your “Linux Dude” run "find . -type f | xargs grep 'phpinfo'" from your root web directory).
       • Make sure users can’t upload “.php” files.
       • Scrub all user input (you need a programmer).
       • Turn on and use “error_reporting” on high load pages or suspicious code.
       • Have your “Linux Dude” use PhpSecInfo, “PHP Security Scanner” or the “Spike PHP Security Audit” tool to find & fix problems.
       • Make sure ‘register_globals’ is OFF
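The Apache and PHP checks from slides 6 and 7 can be scripted so your "Linux Dude" can re-run them after every change. The script below is an added example, not part of the presentation; the httpd.conf, php.ini and web-root files it creates are constructed demo data.

```shell
#!/bin/sh
# Added example, not from the presentation: audit httpd.conf and php.ini for the
# settings slides 6 and 7 say to switch off, and grep the web root for phpinfo()
# (slide 7). The demo files below are constructed; on a real host point the
# functions at /etc/httpd or /etc/apache2, php.ini and the document root.
# Each function prints its findings and returns 1 if there were any.

audit_apache() {   # $1 = httpd.conf, or a conf directory (searched recursively)
    found=0
    # ServerTokens defaults to Full when absent, so anything but Prod is a finding
    grep -rqiE '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$1" ||
        { echo "apache: ServerTokens is not Prod"; found=1; }
    grep -rniE '^[[:space:]]*ServerSignature[[:space:]]+(On|EMail)' "$1" |
        sed 's/^/apache: ServerSignature enabled: /' | grep . && found=1
    # Options lines enabling directory listings, CGI or SSI (All turns on all three)
    grep -rniE '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(Indexes|ExecCGI|Includes|IncludesNOEXEC|All)([[:space:]]|$)' "$1" |
        sed 's/^/apache: risky Options: /' | grep . && found=1
    return $found
}

audit_php() {      # $1 = php.ini, $2 = web root
    found=0
    grep -qiE '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1" &&
        { echo "php: register_globals is On in $1"; found=1; }
    # slide 7's "find . -type f | xargs grep phpinfo", limited to .php files
    find "$2" -type f -name '*.php' -exec grep -l 'phpinfo' {} + 2>/dev/null |
        sed 's/^/php: phpinfo() call in /' | grep . && found=1
    return $found
}

# constructed demo data: a "default install" that fails every check ...
demo=$(mktemp -d)
mkdir -p "$demo/www" "$demo/www-clean"
cat >"$demo/httpd.conf" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
printf 'register_globals = On\n' >"$demo/php.ini"
printf '<?php phpinfo(); ?>\n' >"$demo/www/info.php"
# ... and the hardened equivalents, which should come back clean
printf 'ServerTokens Prod\nServerSignature Off\nOptions -Indexes -ExecCGI -Includes\n' >"$demo/hardened.conf"
printf 'register_globals = Off\n' >"$demo/hardened.ini"

audit_apache "$demo/httpd.conf" || echo "default httpd.conf: FAIL"
audit_php "$demo/php.ini" "$demo/www" || echo "default php: FAIL"
audit_apache "$demo/hardened.conf" && audit_php "$demo/hardened.ini" "$demo/www-clean" && echo "hardened: PASS"
```

Note that `Options All` also switches on Indexes, ExecCGI and Includes, which is why the audit flags it alongside the three names from the slide.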
  8. MySQL
       • Disable “root” user (after making sure you’re not using it)
       • Remove unused users in the “mysql.User” table.
       • Close remote access (port 3306) to the database (again, after you’ve checked you’re not using it).
       • Make sure MySQL is running as a distinct user (usually “mysql”).
       • Remove “test” users and “test” databases that are in default install.
       • Ensure that all users are set for only “localhost” access (again, after you’ve checked “remote” is not needed).
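To check slide 8's account rules against a real server, dump the user table once and run it through a small filter. The script below is an added example, not from the presentation; the account list and the two my.cnf files it uses are constructed to resemble a default 5.x install.

```shell
#!/bin/sh
# Added example, not from the presentation: check a MySQL account list against
# slide 8 (no root, no anonymous or test accounts, localhost only) and check
# my.cnf for port 3306 being closed to the network. The listing below is
# constructed; on a real server feed in the output of
#   mysql -N -e 'SELECT User, Host FROM mysql.user'

audit_mysql_users() {   # reads "user<TAB>host" lines on stdin; returns 1 if any finding
    awk -F'\t' '
        $1 == ""      { print "anonymous account @" $2;           bad = 1; next }
        $1 == "root"  { print "root account still enabled @" $2; bad = 1; next }
        $1 ~ /^test/  { print "test account " $1 "@" $2;         bad = 1; next }
        $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
                        print "remote access allowed: " $1 "@" $2; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

audit_mysql_cnf() {     # $1 = my.cnf; with neither setting MySQL listens on every interface
    grep -qiE '^[[:space:]]*(skip-networking|bind-address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|::1|localhost))' "$1" ||
        { echo "my.cnf: port 3306 is open to the network (set bind-address=127.0.0.1 or skip-networking)"; return 1; }
}

# constructed sample: a fresh install plus the one account WordPress needs
sample_users=$(printf 'root\tlocalhost\n\tlocalhost\nroot\t%%\nwordpress\tlocalhost\nwordpress\t%%\n')
demo=$(mktemp -d)
printf '[mysqld]\nport=3306\n' >"$demo/my.cnf"
printf '[mysqld]\nbind-address = 127.0.0.1\n' >"$demo/my-hardened.cnf"

printf '%s\n' "$sample_users" | audit_mysql_users ||
    echo "-> findings above; remove them with DROP USER and then FLUSH PRIVILEGES"
audit_mysql_cnf "$demo/my.cnf" || true
audit_mysql_cnf "$demo/my-hardened.cnf" && echo "hardened my.cnf: OK"
```

The only account in the sample that passes is wordpress@localhost, which is exactly the shape slide 8 asks for.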
  9. Wordpress (finally :-)
       • Install and use:
         - “Login LockDown” module (records IP of failed login and can block login after many attempts in a short period of time).
         - “Stealth Login” module (creates hidden URLs for login, logout, admin, etc)
       • In the “.htaccess” of your “wp-admin” folder, restrict login to your IP (if your IP is static)
       • Move your “wp-config.php” file out of your Web root (possible after wp 2.x).
       • Change the Wordpress table prefix (from “wp_” to something cryptic). Easy prior to installing Wordpress, tough afterwards.
       • Create a 2nd “admin” account, and delete the default “admin” user.
       • Disable browsing of your “wp-content/plugins/” folder.
       • Stop advertising your Wordpress version to hackers. Remove the code “<?php bloginfo('version'); ?>” from your theme’s “header.php” file.
  10. Security can be quick & easy
       • Just regularly patching & updating is huge.
       • Instructions in here will address probably 80-90% of your problems, and an experienced Sys Admin can do all “the big stuff” in probably 4-6 hours.
       • If you’re not a system administrator, don’t “tinker”. In Linux, you can delete your whole server with just 7 characters… and there’s no “undo”.
       • Use a free/cheap monitoring service like ‘pingdom’, ‘site24x7’, or ‘BinaryCanary’ to set up SMS or email messages if your site is down or hacked.
       • Ask for help if you’re in over your head and/or don’t want to bother. Security is definitely one area you don’t want to ‘skimp’ on.
  11. quicloud.com
       • We help the smallest of small businesses create secure, scalable Websites using LAMP, Wordpress, Drupal, and Joomla!
       • Services:
         - Build an entirely new secure server for as low as $200 per server.
         - Patch and secure an existing server for as low as $150 per server.
         - Update and support your systems for as low as $20 per month, per server.
         - Emergency “I’ve been hacked” resolution.
       • We can help you build, deploy, and maintain your services in the cloud, reducing your hosting costs and improving your service level.
  12. Resources / further reading
       • Wordpress Security:
         - http://codex.wordpress.org/Hardening_WordPress
         - http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
         - http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow
       • LAMP Stack Security:
         - http://blog.taragana.com/index.php/archive/top-10-linux-security-tips-for-system-administrators/
         - http://www.noupe.com/php/php-security-tips.html
         - http://dev.mysql.com/doc/refman/5.0/en/security.html
         - http://www.fail2ban.org/wiki/index.php/Main_Page
         - http://www.nessus.org/ (Security Scanner which you can run from your desktop)
       • Rackspace Cloud (excellent cloud hosting for as low as $11/month, great for us “small guys”):
         - http://www.rackspacecloud.com/
       • Site Monitoring tools (most offer a “free” version to monitor one site):
         - http://pingdom.com/
         - http://site24x7.com/
         - http://binarycanary.com/
         - http://www.nagios.org/ (Nagios monitors your Linux server internally)
