2. About me
• Hi! My name is Angela Bowman @askwpgirl
• WordPress Instructor at Boulder Digital Arts
• Started using WordPress in 2007
• Used to think: “After I build a site, my job is done.”
• Now I take a common-sense approach to security that isn’t overwhelming or super technical
3. Why do we need to have this talk?
• Web applications built on PHP and MySQL are exposed to well-known classes of attack
• MySQL: the database where all your content (posts, pages, users, settings) is stored
• PHP: the scripting language that WordPress, themes and plugins use to read your data from the database and display it in the browser window
• Attackers exploit poor PHP coding (and other vulnerabilities) to inject code and content into your database and files, often using nothing more than a crafted URL or form submission
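Added example (not part of the original talk) of the kind of coding mistake the bullets above refer to: a search feature that glues the term from the URL straight into its SQL. It is written in Python with an in-memory SQLite table so it runs anywhere; the table rows and the two search functions are constructed stand-ins for a plugin querying wp_posts. The WordPress-specific fix is $wpdb->prepare(), which does what the parameterised version below does.

```python
import sqlite3

# Constructed stand-in for a few rows of wp_posts; only "publish" rows are meant to be public.
SAMPLE_POSTS = [
    (1, "Hello world", "publish"),
    (2, "Draft: unannounced product", "draft"),
    (3, "Private: staff only", "private"),
]


def make_db():
    """Build an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn, term):
    """The classic plugin mistake: the search term from the URL is spliced into the SQL text,
    so anything the attacker types becomes part of the statement."""
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the value travels separately from the SQL and is never parsed as SQL.
    In WordPress the equivalent is $wpdb->prepare() with a %s placeholder."""
    sql = "SELECT title FROM posts WHERE status = 'publish' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# What an attacker types into ?s= : closes the quote, makes the WHERE clause always true,
# and comments out the rest of the statement.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("normal search, vulnerable:", search_vulnerable(db, "Hello"))
    print("normal search, safe:      ", search_safe(db, "Hello"))
    print("injection, vulnerable:    ", search_vulnerable(db, PAYLOAD))  # leaks draft + private rows
    print("injection, safe:          ", search_safe(db, PAYLOAD))        # nothing matches
```

The vulnerable query ends up as `... AND title LIKE '%' OR 1=1 --%'`, which returns every row including drafts and private posts; the same payload against the parameterised query is just a search for a title containing a quote mark.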
4. Why are you vulnerable?
• Because your site is on the Internet
• Because it’s easy to exploit known vulnerabilities
• Because we are human, NOT Vulcan
• We live by our beliefs rather than by logic
10. THE MYTHS WE LIVE BY
Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.
11. Myth #1
“WordPress is (is not) secure.”
Truth
• Both things are true!
Old versions of WordPress are NOT secure
A current, fully patched WordPress core is secure (the weak spots are usually elsewhere: plugins, themes, passwords, hosting)
12. Myth #2
“My site isn’t launched, so it can’t be hacked.”
Truth
• You have an Internet presence as soon as the site is reachable, even if Google hasn’t indexed any of its pages yet
• You need to protect ALL installations of WordPress on your hosting account, even the ones you don’t use
• Hackers don’t look for your site specifically; they scan every host for known vulnerable paths, including plugins you don’t even have installed
13. Myth #3
“I only use plugins and themes from WordPress.org,
so I am safe!”
Truth
• Plugins and themes are the #1 way hackers gain access to your site
• Why? From ProBlogger.com:
“Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs.”
14. Myth #4
“Updating my themes and plugins
whenever I login is good enough.”
Truth
• Once a vulnerability is disclosed, working exploits are published to the web almost IMMEDIATELY
• Outdated versions of WordPress, themes, and plugins are therefore open to attack until you update
• The TimThumb script vulnerability was discovered and mass-exploited on a huge number of blogs within DAYS, and is still being exploited!
15. Myth #5
“My site is small. It’s not worth hacking.”
Truth
“… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.
“And, word to the wise, your girlfriend’s food blog should always be a top priority.”
http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
16. Myth #6
“If I de-activate a theme or plugin, there is no risk.”
Truth
• Deactivated themes and plugins are just as risky if they contain vulnerable code
• Deactivation only stops WordPress from loading the code; the files stay under wp-content and can still be requested directly over the Internet by URL
17. Myth #7
“If my site is compromised, I’ll find out right away!”
Truth
• Only if you use a site-monitoring service or plugin (and even then, maybe)
• Your site can be compromised months before you find out
• Many hacks are invisible to human visitors and only show themselves to bots (search engines), so you may not know you’ve been hacked until your site is blacklisted
• Some hacks redirect only search-engine traffic, so you won’t notice anything if you just type in a URL
http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
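One reason you won’t “find out right away” is that nothing on a stock install watches the files. Added example (not from the original talk or from Sucuri): a small file-integrity check in Python that records a SHA-256 baseline of the install, reports files added or modified since, and flags PHP files among the changes that contain the classic backdoor constructs (eval of an encoded payload, preg_replace with the /e modifier, shell commands fed from request parameters). The mini-install, the payloads and the signature list are constructed for the demo and are not exhaustive.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Constructed signature list for the most common injected-PHP constructs; not exhaustive.
SUSPICIOUS = {
    "eval of encoded payload": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace with /e (executes the replacement)": re.compile(
        rb"preg_replace\s*\([^,]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "shell command fed from a request parameter": re.compile(
        rb"(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
}


def file_hash(path):
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = file_hash(full)
    return manifest


def compare(baseline, current):
    """Which paths appeared, disappeared, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_php(root, rel_paths):
    """Return (path, reason) for every PHP file among rel_paths that matches a signature."""
    hits = []
    for rel in rel_paths:
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(data):
                hits.append((rel, reason))
    return hits


def audit(root, baseline):
    """Diff the install against the stored baseline and scan whatever changed."""
    report = compare(baseline, build_manifest(root))
    report["suspicious"] = scan_php(root, report["added"] + report["modified"])
    return report


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed end-to-end run: baseline a clean mini-install, 'infect' it, audit it."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-content/plugins/demo/demo.php", "<?php echo 'hello';\n")
        baseline = build_manifest(root)  # in real use, store this off the web server
        # Simulated compromise: payload appended to a plugin file, dropper left in uploads/.
        _write(root, "wp-content/plugins/demo/demo.php",
               "<?php echo 'hello';\neval(base64_decode('cGhwaW5mbygpOw=='));\n")
        _write(root, "wp-content/uploads/.cache.php", "<?php system($_GET['c']); ?>")
        return audit(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run build_manifest() once on a clean install, keep the result somewhere the web server cannot write to, and run audit() from cron; a non-empty "suspicious" list, or a modified file you did not update yourself, is the early warning this slide says you otherwise never get.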
18. Myth #8
“I can use a security plugin and that will cover me.”
Truth
• Some security plugins add a useful layer of protection
• A security plugin can’t help if an attacker already has your login session, your passwords, or your sensitive files (wp-config.php, backups)
• A security plugin runs inside WordPress, so it can’t help if the web hosting server itself is compromised
19. Myth #9
“My passwords are good enough.”
Truth
“Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”
http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
20. Myth #10
“If my site is hacked,
my web host can restore it for me.”
Truth
• If you discover the hack quickly enough, your web host may have a backup made before the compromise
• Most hosts keep only one daily and one weekly backup, so a hack older than a week is already in every copy they have
• Your host usually can’t tell you how you were hacked in the first place, so a restore puts the same vulnerable files back and you will be hacked again
22. Options
• Set up an altar to the WordPress Gods
and do daily puja and offerings
• Throw up your hands and cry
• Drink another beer and try to forget
• Delegate to Tony (Sucuri.net)
• DIY using the following steps
23. 1 – Secure Your Own Computer
• Why bother securing WordPress if you give the keys away?
• Run anti-virus software regularly and keep it updated
• Don’t log in over insecure or public WIFI networks
• Use a Virtual Private Network (VPN) when traveling (such as Astrill)
• Secure your home WIFI network
• Be careful which sites you click on. More than 55,000 malicious web domains existed in 2011.
24. 2 – Update to Current Versions
• Back up the database and files first
• Delete unused plugins and themes
• Update plugins first (check compatibility with your WordPress version)
• Update the theme (might be tricky: changes made directly to theme files are overwritten)
• Update WordPress
• If the site crashes after an update, rename the plugins folder via FTP to disable all plugins, then re-enable them one at a time to find the culprit
25. 3 – Protect Login
• If “admin” is the administrator username, create a new administrator user, log out, log in as the new user, then delete the old “admin” user and attribute its posts/pages to the new user (WordPress asks this when you delete)
• Use strong, unique passwords on WordPress, FTP, hosting, and email:
• Online Generator: http://www.pctools.com/guides/password/
• Track Passwords: http://agilebits.com/products/1Password
26. 3 – Protect Login, continued
• Enable two-step (two-factor) authentication, e.g. using Google Authenticator:
http://wordpress.org/extend/plugins/google-authenticator/
http://askwpgirl.com/secure-wordpress-two-step-authentication/
• Log in over https:// so your password and session cookie aren’t sent in the clear (needs a dedicated SSL certificate for the domain, which is free with Business level web hosting at Host Gator; then set FORCE_SSL_ADMIN to true in wp-config.php)
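Added example (not code from the original talk or from the Google Authenticator plugin) of what a two-step login actually checks. The plugin uses the same TOTP scheme as the app (RFC 6238: HMAC-SHA1 over a 30-second time step, six digits, a base32 shared secret), so a verifier that understands it fits in a few dozen lines; the one below also remembers the last accepted time step so a code that was sniffed or shoulder-surfed cannot be replayed. RFC_KEY is the RFC 6238 reference key used only for the self-check; the account and issuer in the provisioning URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, last `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). These are the app's defaults."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def new_secret(nbytes=10):
    """Fresh shared secret, base32-encoded (16 characters for 10 bytes), as the user types or scans it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def key_from_secret(secret):
    """Decode the base32 secret back to the raw HMAC key (tolerates spaces and lower case)."""
    return base64.b32decode(secret.replace(" ", "").upper())


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that the authenticator app reads from a QR code (account/issuer are placeholders)."""
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s" % (
        quote(issuer), quote(account), secret, quote(issuer))


class TotpVerifier:
    """Server-side check: accept the current step +/- `window` to allow for clock drift,
    but never accept a step at or below the last one used (blocks replay of a captured code)."""

    def __init__(self, key, step=30, digits=6, window=1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # persist this per user in a real deployment

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        counter = int(at // self.step)
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


# RFC 6238 reference key (ASCII "12345678901234567890"), used only for the self-check below.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "admin", "askwpgirl.com"))
    print("code right now:", totp(key_from_secret(secret)))
    v = TotpVerifier(RFC_KEY)
    print(v.verify(totp(RFC_KEY, 59), 59), v.verify(totp(RFC_KEY, 59), 59))  # True, then False (replay)
```

The second factor is only as secret as the base32 string: it sits in the database next to the user, so a database dump or a readable backup hands it to the attacker along with everything else, which is why the backup and file-permission advice elsewhere in this deck still applies.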
27. 4 – Backup Database and Uploads
• Use a backup plugin or service:
• Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php
• BackWPup: https://wordpress.org/plugins/backwpup/
• VaultPress.com – backup, one-click restore, and site monitoring
• Back up the database daily or weekly and the full site weekly or monthly
• Store backups on a remote server (e.g. Amazon S3), not only on the web host that could itself be compromised
• At minimum you must back up the database and the wp-content folder (themes, plugins, uploads); WordPress core can always be re-downloaded
29. 6 – Create a Maintenance Plan
• Update sites frequently (as soon as updates are available)
• Use Infinite WP to manage multiple sites from a single
control panel: http://infinitewp.com/
30. 7 – Best Practices
• Don’t allow users to register (Settings > General) unless you actually need it
• Always hold comments for moderation and use spam filtering (e.g. Akismet)
• Don’t use your username as your Display Name: the display name is public, so an attacker who reads it only has to guess the password
• Use SFTP for file transfers and authenticated SMTP over TLS for email (ask your web host), so passwords aren’t sent in plain text
31. 7 – Best Practices, continued
• Turn off pingbacks/trackbacks (Settings > Discussion)
• Host your site with a reputable web host
• Use plugins and themes with caution: choose ones that are recently updated and actively maintained. Delete unused ones, but keep one default Twenty-something theme (Twenty Eleven, Twenty Twelve, …) installed as a fallback.
• Submit sites to Google Webmaster Tools and turn ON email notifications: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
32. Summary
• Update, update, update!
• Use caution w/ plugins and themes, delete unused
• Strong usernames and passwords
• Backup! Today!
• Be a smart web user
33. If you get hacked…
• Contact your web host and see if they can restore the site from a backup (don’t rely on this)
• Contact sucuri.net to scan and clean the hack
• Change ALL passwords (WordPress, FTP, hosting, database) and regenerate the authentication keys and salts in wp-config.php, which invalidates every existing login cookie, including the attacker’s
• Check blacklisting status (Google Safe Browsing, Webmaster Tools) and request a review once the site is clean
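Added example (not from the original talk) of the “reset the salts” step. The eight keys live in wp-config.php as define() lines; the Python script below generates fresh 64-character random values with the secrets module, rewrites each define in place, adds any that are missing, and keeps a timestamped backup of the file before writing. SAMPLE_CONFIG is a constructed wp-config.php for the demo (mixed quote styles, placeholder values, and NONCE_SALT deliberately left out); pass a real path on the command line to rotate a live file.

```python
import re
import secrets
import shutil
import string
import sys
import time

KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable ASCII minus the three characters that would break a PHP single-quoted string.
CHARSET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                  if c not in "'\"\\")

# Matches  define('AUTH_KEY', '...');  with either quote style and any spacing, on one line.
DEFINE_RE = re.compile(r"define\s*\(\s*(['\"])(%s)\1\s*,\s*(['\"])([^\r\n]*?)\3\s*\)\s*;"
                       % "|".join(KEYS))


def new_salt(length=64):
    """64 characters from a 91-symbol alphabet, drawn from the OS CSPRNG (about 416 bits)."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def extract_salts(config_text):
    """Current values of the eight keys, as a dict (used to check the rewrite worked)."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}


def rotate_salts(config_text):
    """Return (new wp-config text, new values). Every existing define is replaced in place;
    keys that are missing are added just before the 'stop editing' marker (or at the end)."""
    fresh = {k: new_salt() for k in KEYS}
    seen = set()

    def replace(m):
        seen.add(m.group(2))
        return "define('%s', '%s');" % (m.group(2), fresh[m.group(2)])

    out = DEFINE_RE.sub(replace, config_text)
    missing = [k for k in KEYS if k not in seen]
    if missing:
        block = "".join("define('%s', '%s');\n" % (k, fresh[k]) for k in missing)
        marker = out.find("/* That's all, stop editing!")
        if marker >= 0:
            out = out[:marker] + block + out[marker:]
        else:
            out = out.rstrip("\n") + "\n" + block
    return out, fresh


def rotate_file(path):
    """Rewrite wp-config.php in place, keeping a timestamped copy of the old file next to it."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    out, _ = rotate_salts(text)
    shutil.copy2(path, "%s.bak-%s" % (path, time.strftime("%Y%m%d%H%M%S")))
    with open(path, "w", encoding="utf-8") as f:
        f.write(out)


# Constructed sample config for the demo: mixed quote styles, placeholder values, NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define("SECURE_AUTH_KEY",  "put your unique phrase here");
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        rotate_file(sys.argv[1])  # e.g. python rotate_salts.py /path/to/wp-config.php
    else:
        print(rotate_salts(SAMPLE_CONFIG)[0])
```

Do this after the clean-up, not before: the new keys log everyone out, but they do nothing about a backdoor that is still on disk, and the .bak copy of the old config should be deleted once you have confirmed the site still logs in.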
34. Resources
• Hacked: http://wordpress.org/tags/hacked
• Malware: http://wordpress.org/tags/malware
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/WordPress_Backups
• http://codex.wordpress.org/FAQ_My_site_was_hacked
• wpsecuritylock.com – resources and services for securing sites
• sucuri.net – free scan, hack recovery, site monitoring
• wpsecuritychecklist.com – off-site monitoring