WordPress Security Strategy for WordPress.org (condensed version)


Learn the practical steps you need to take to safeguard your WordPress website against being hacked. Too late? Gain valuable information on clean-up and remediation. WordPress wizard Judy Wilson provides the information that will keep you and your WordPress site safe and sound.


  1. Copyright 2013 Site Shack Web Design, all rights reserved.
     Monday, June 17, 13
  2. About the presenter
     Judy Wilson, owner, Site Shack Web Design. We have been designing and developing SEO-optimized websites and digital media in Nashville since January 2004. WordPress too? Yep. And WordPress training, tailored to your exact needs. We are MyEMMA co-agents and provide customized HTML email design and account management. Our work is mobile-friendly.
  3. Your WordPress site is living in a high-crime neighborhood.
     It does not matter whether you are on WordPress.com or self-hosting with the WordPress.org software: attackers go after whatever gives them easy access, and an unpatched or weakly protected site is exactly that.
  4. How do they get in?
     Hacks are most often delivered through weak credentials; outdated or malicious software, themes and plugins; old, vulnerable scripts (such as the TimThumb image-resizing script bundled with many themes); and cheap, poorly secured hosting environments.
     WRONG:
       Username: admin
       Password: mypassword
  5. Main types of WordPress hacks
     • Backdoors
     • Drive-by downloads
     • Pharma hacks (search-engine spam injected into your pages)
     • Malicious redirects
  6. Map out your strategy
     Before you install: plan your host, theme, plugins and backups.
     The installation: solid padlocks, and lock your doors and windows.
     Advanced security: multiple locks, burglar bars, alarm systems and a guard dog (see the Appendix below).
  7. Before you install: map out your strategy
     1. Good host. Do not use a "soup kitchen" host: many unrelated sites sharing one server means a high risk of cross-contamination when any one of them is compromised.
     2. Good theme. Do not use any old free theme. Vet your premium theme (including that it is built for your version of WordPress), run a virus/malware check on the theme after you download or buy it, and stay informed about updates.
     3. Good plugins. Highly rated, updated often, listed in the WordPress plugin repository, and compatible with your version of WordPress.
     4. Back up regularly (your host should of course do this too). See the plugin "Backup Buddy."
  8. The installation: lock your doors and windows
     1. Do NOT use "admin" as your user name.
     2. Do NOT use a password that can be found in a dictionary, or one that you have ever used anywhere else at any time.
     3. Do NOT use sequential numbers and/or letters.
     4. Hire Sucuri to monitor your site: www.sucuri.net
     5. Use two-factor authentication. It is already available on WordPress.com; on a self-hosted WordPress.org site you can add Google Authenticator one-time codes through a plugin (see slide 16).
  9. The installation: lock your doors and windows (continued)
     1. In your wp-config.php file, set the unique keys and salts (the "secret words": AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values). WordPress uses them to sign login cookies and nonces, so leaving the sample placeholders in place lets anyone who knows those placeholders forge a logged-in session. Stored passwords are hashed with their own per-password salt; these keys protect sessions, not passwords.
     2. Do not use "wp_" for your table prefix. Make up something non-sequential like "jnm". This only defeats automated SQL injection scripts that hard-code the wp_ table names; it does not fix an injection flaw itself.
     3. Stop using plain FTP, which sends your password in clear text. Use SFTP, and call your host if you are not sure how. Note: there are multiple methods for FTP, so confirm which one your client is actually using.
  10. The installation: lock your doors and windows (continued)
     1. Turn off trackbacks and pingbacks.
     2. Allow comments only where appropriate, and always use Akismet.
     3. Use your Administrator account only for administrator work (like setting up a new user). Use the Editor, Author, Contributor and Subscriber roles for their appropriate tasks, so that a stolen everyday password does not hand over the whole site.
     4. Remove themes and plugins that are not being used; an inactive plugin is still code on disk that can be reached and exploited.
  11. The installation: lock your doors and windows (continued)
     1. Confirm the correct permissions:
        Folders: 755
        Files: 644 (index.php included)
        wp-config.php: 600
        Never set index.php, or any other file, to 666: that makes it world-writable, so any other account on the server can overwrite your front page.
     2. Do you know where your backup is? Can you restore from it?
     3. Consider a sandbox site and test your backup and restore procedure, more than once. Then delete the sandbox site before you forget about it.
  12. Appendix
     • Before you install
     • Recommended hosts
     • Advanced security techniques
     • How can I tell I've been hacked?
     • Cleaning and remediation
     • Miscellaneous help
  13. Before you install: set up Google Webmaster Tools
     Google Webmaster Tools are an important resource for many reasons, but for site security one of their best features is email notification when malware is found on your site. As the verified site owner, you will be notified by email if malware is detected.
     https://www.google.com/webmasters/tools/home?hl=en
     http://codex.wordpress.org/Hardening_WordPress
     http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html
  14. Recommended managed WordPress hosts
     Consider using a "managed" WordPress host with malware scanning in place. These hosts also curate which plugins may be installed.
     http://wpengine.com/
     http://websynthesis.com (Yoast hosts here.)
     http://page.ly
  15. Advanced security: multiple locks, burglar bars, alarm system and guard dog
     The .htaccess file. There are many security modifications you can make to your .htaccess file:
     http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
     NOTE: .htaccess files (Apache's distributed configuration files) are read by the web server on every request, before any PHP on your site runs, so a rule there can refuse a request before WordPress ever sees it. They only take effect on Apache, and only where AllowOverride permits them; nginx does not read them at all.
     Web application firewall plugins:
     http://wordpress.org/extend/plugins/ose-firewall/
     http://wordpress.org/extend/plugins/bulletproof-security/
     http://wordpress.org/extend/plugins/wordfence/
  16. Advanced security: multiple locks, burglar bars, alarm system and guard dog (continued)
     Setting up 2-step authentication for WordPress.org:
     http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
     Modifying the wp-config.php file, including disabling the dashboard plugin and theme editor with DISALLOW_FILE_EDIT so that a stolen admin login cannot write PHP into your theme through the browser:
     http://codex.wordpress.org/Editing_wp-config.php
     http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
     SSL setup info and tips from Yoast:
     http://yoast.com/wordpress-ssl-setup/
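The wp-config.php settings recommended on slides 9 and 16 (unique keys and salts, a non-default table prefix, the dashboard editor disabled) as a shell audit you can run over SSH. This is an added example, not code from the slides or from the linked Codex pages. It assumes the file keeps the layout of wp-config-sample.php (define('NAME', 'value'); lines and a $table_prefix assignment); the weak and hardened sample files it writes are constructed here, and the key values in the hardened one are dummies.

```shell
#!/bin/sh
# Added example (not from the slides). Audits a wp-config.php for the deck's
# recommendations. Assumes the standard wp-config-sample.php layout.

# Print one line per finding, then "<n> finding(s)"; return 0 only when n = 0.
audit_wp_config() {
    cfg="$1"
    n=0
    # 1. Keys/salts still at the sample placeholder: login cookies and nonces
    #    are signed with these, so anyone who knows them can forge a session.
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "keys/salts still set to the sample placeholder"
        n=$((n + 1))
    fi
    # 2. All eight keys should be defined.
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! grep -q "define( *'$k'" "$cfg"; then
            echo "missing $k"
            n=$((n + 1))
        fi
    done
    # 3. Default table prefix: automated SQL injection scripts assume wp_.
    if grep -Eq '^[$]table_prefix *= *.wp_.' "$cfg"; then
        echo "table prefix is the default wp_"
        n=$((n + 1))
    fi
    # 4. Dashboard theme/plugin editor still enabled: a stolen admin login
    #    can then write PHP straight into a theme file.
    if ! grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$cfg"; then
        echo "DISALLOW_FILE_EDIT is not set"
        n=$((n + 1))
    fi
    echo "$n finding(s)"
    [ "$n" -eq 0 ]
}

# Constructed sample: the state a fresh copy of wp-config-sample.php leaves you in.
write_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    printf '%s\n' "$f"
}

# Constructed sample of the hardened form. The key values are dummies;
# generate real ones from https://api.wordpress.org/secret-key/1.1/salt/
write_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'EXAMPLE-ONLY-1-replace-with-generated-value');
define('SECURE_AUTH_KEY',  'EXAMPLE-ONLY-2-replace-with-generated-value');
define('LOGGED_IN_KEY',    'EXAMPLE-ONLY-3-replace-with-generated-value');
define('NONCE_KEY',        'EXAMPLE-ONLY-4-replace-with-generated-value');
define('AUTH_SALT',        'EXAMPLE-ONLY-5-replace-with-generated-value');
define('SECURE_AUTH_SALT', 'EXAMPLE-ONLY-6-replace-with-generated-value');
define('LOGGED_IN_SALT',   'EXAMPLE-ONLY-7-replace-with-generated-value');
define('NONCE_SALT',       'EXAMPLE-ONLY-8-replace-with-generated-value');
$table_prefix = 'jnm_';
define('DISALLOW_FILE_EDIT', true);
EOF
    printf '%s\n' "$f"
}

weak=$(write_weak_config); hard=$(write_hardened_config)
echo "weak config:";     audit_wp_config "$weak" || true
echo "hardened config:"; audit_wp_config "$hard"
rm -f "$weak" "$hard"
```

Changing the table prefix on an existing site means renaming every table and a handful of option and usermeta rows, so decide the prefix at install time; the keys and salts, by contrast, can be rotated at any moment, and doing so logs every session out, which is exactly what you want after a compromise.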
  17. How can I tell I've been hacked? Do some scanning.
     Use http://sitecheck.sucuri.net to run a remote scan for malware and blacklist status.
     http://aw-snap.info/file-viewer/ fetches a page as different User-Agents (for example as Googlebot), which exposes injected content that is served only to search-engine crawlers and hidden from you in a normal browser.
     WordPress plugins:
     http://wordpress.org/extend/plugins/sucuri-scanner/
     http://wordpress.org/extend/plugins/gotmls/
     http://wordpress.org/extend/plugins/wordfence/
  18. Uh oh. I think it's too late. How can I tell I've been hacked?
     • Popups you didn't implement.
     • Odd text in your footer or in "View Source".
     • Links to other sites, or auto-linking of keywords, that you didn't create.
     • Obfuscated or encoded text in plugins.
     • The website redirecting (immediately or after a short delay) to another URL.
     • A friend calls, texts or emails you that your site is sending users to Dr. Dre's headphones, "performance enhancing" drugs, pain medication, etc.
     • Style sheet formatting has disappeared.
     • You can't log in to wp-admin.
     • New files appearing in the themes folder or anywhere else (look for a recent or atypical date via FTP; when you open these files they may appear to contain binary or encoded code).
  19. Cleaning and remediation: WordPress (with some help) suggests
     1. Stay calm. You could make it worse by anxiously jumping in and trying to fix the problem.
     2. Scan your local machine / hard drive. Malware on your own computer can steal the FTP and WordPress passwords you type, and is a common way the site was broken into in the first place.
     3. Scan your site. There are many good tools and WordPress plugins to help with this; they will help identify the infected files and folders.
     4. Check with your hosting provider. Call them. You can call them, yes?
     5. Have you already updated everything and changed all passwords (WordPress, FTP/SFTP, database, hosting control panel)?
     6. Add new salts / "secret keys" in wp-config.php. This invalidates every existing login cookie, including the attacker's.
     7. Check your files. Start with your .htaccess file to begin looking for malicious code.
     Have SSH root access? http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
  20. Cleaning and remediation (continued)
     1. Can you identify the type of hack? This may make the cleanup easier.
     2. Take a fresh backup of the infected site (as evidence and as a safety net), and then . . .
     3. Restore from an older backup that you believe predates the hack.
     4. No backup? Hmm. Seriously consider taking down and trashing the site and rebuilding from a clean install.
     5. Restored from backup? Change passwords again.
     6. Secure your site with the recommended security measures.
     7. Do a post-mortem. How did this happen?
     8. Compare your WordPress files to those in a clean install of the same version. Open up files. Do you see something that refers to eval(base64_decode(...))? That is at least one piece of the hack. A few legitimate plugins use base64_decode too, so read the surrounding code before deleting anything.
     9. Can't find the malware? Disable your plugins by renaming the plugins directory. Scanners often miss an infection hidden in plugin code, so if the site comes back clean with plugins disabled, re-enable them one at a time to find the culprit.
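The file-level checks from slides 19 and 20 (the .htaccess, obfuscated eval/base64_decode code, recently changed files, and the comparison against a clean install) as shell functions for use over SSH. This is an added example, not code from the slides or from any of the linked tools. It assumes find, grep and diff on the host and, for the comparison step, an unpacked clean copy of the same WordPress release; the two sample trees it builds, the planted file name class-wp-ssl.php and the example.net redirect target are all constructed here and are not real malware.

```shell
#!/bin/sh
# Added example (not from the slides). File-level checks from the deck's
# remediation steps. Assumes find, grep and diff on the host and a clean
# unpacked copy of the same WordPress release for diff_against_clean.

# PHP or .htaccess files containing obfuscation idioms typical of backdoors:
# eval/assert of a base64 or compressed payload, or preg_replace with the /e
# modifier. Legitimate code occasionally uses base64_decode, so treat hits as
# leads to read, not files to delete blindly.
find_obfuscated_php() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -exec \
        grep -lE '(eval|assert) *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)|preg_replace *\(.*/e[^a-zA-Z]' {} + 2>/dev/null | sort
}

# .htaccess rules that cloak: redirect only search-engine referrers or bots,
# or pull a PHP file into every request via auto_prepend_file.
suspicious_htaccess() {
    find "$1" -type f -name '.htaccess' -exec \
        grep -lE 'auto_(prepend|append)_file|RewriteCond.*HTTP_(REFERER|USER_AGENT).*(google|bing|yahoo|bot)' {} + 2>/dev/null | sort
}

# Files modified in the last N days (default 7). Dropped backdoors and the
# core files they alter usually postdate your last legitimate update.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# Files that differ from, or are absent from, a clean copy of the same
# release. wp-content is site-specific, so it is left to the checks above.
diff_against_clean() {
    diff -rq "$1" "$2" | grep -v '/wp-content' || true
}

# Constructed sample: a "clean" tree and a copy of it carrying three planted
# artefacts (a dropped backdoor, an altered core file, a cloaking .htaccess).
# Nothing here is a real site or real malware; the eval() line is never run.
make_sample_site() {
    clean=$(mktemp -d); site=$(mktemp -d)
    for d in "$clean" "$site"; do
        mkdir -p "$d/wp-includes" "$d/wp-content/plugins"
        printf '<?php require "wp-blog-header.php";\n' > "$d/index.php"
        printf '<?php // core file\n' > "$d/wp-includes/functions.php"
        printf 'RewriteEngine On\n' > "$d/.htaccess"
        touch -t 201301010000 "$d/index.php" "$d/.htaccess" "$d/wp-includes/functions.php"
    done
    # Planted after the "install date" above, so they stand out by mtime.
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' > "$site/wp-includes/class-wp-ssl.php"
    printf '<?php require "wp-blog-header.php"; // injected iframe would go here\n' > "$site/index.php"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} (google|bing) [NC]\nRewriteRule .* http://example.net/ [R,L]\n' > "$site/.htaccess"
    printf '%s %s\n' "$clean" "$site"
}

set -- $(make_sample_site)
clean=$1; site=$2
echo "== obfuscated code:";          find_obfuscated_php "$site"
echo "== cloaking .htaccess:";       suspicious_htaccess "$site"
echo "== changed in last 7 days:";   recently_modified "$site" 7
echo "== differs from clean install:"; diff_against_clean "$clean" "$site"
rm -rf "$clean" "$site"
```

Run these against a copy of the site, not the live tree, and keep the output: the list of files that differ from the clean release is the starting point for the post-mortem in step 7, and the mtime of the oldest planted file tells you how far back your "known good" backup has to reach.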
  21. Cleaning and remediation: resources
     http://codex.wordpress.org/FAQ_My_site_was_hacked
     http://www.unmaskparasites.com/
     Suggestions from Sucuri:
     http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
     http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
     Know the command line and have SSH access?
     https://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/
     Cleaning up your site at Google:
     http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
  22. Cleaning and remediation: if all else fails (and before you torch the site), hire someone
     http://www.sucuri.net
     http://www.stopthehacker.com
     http://www.sparktrust.com
  23. Cleaning and remediation: tools
     http://www.stopbadware.org/request-review
     StopBadware performs independent reviews of websites that are blacklisted for badware by its data providers.
     http://www.unmaskparasites.com/malware-warning-guide/#request
     http://blog.aw-snap.info/2012/07/malware-removal-vendors.html
     http://wordpress.org/extend/plugins/wordfence/
     Wordfence Security is a free security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and a live traffic view that includes crawlers. It can verify your core, theme and plugin files against the copies in the WordPress repository and repair them, even if you don't have backups. Wordfence is now Multi-Site compatible.
  24. Miscellaneous help
     http://blog.page.ly
     http://wp.smashingmagazine.com (Smashing Magazine's WordPress site)
     http://tonyonsecurity.com/ (Tony Perez's blog; COO/CFO, Sucuri)
     https://www.badwarebusters.org/ (excellent forum on malware)
     http://aw-snap.info/ (excellent hacked-site info and tools)
     https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/
     http://labs.sucuri.net/?malware (see what Sucuri picks up in its malware scans)
  25. Safe travels and happy trails with WordPress!
     Judy Wilson, Site Shack Web Design, www.Site-Shack.com, Nashville, TN