Higher Order WP Security
Hacks, attacks, and getting your site back


Dougal Campbell
HACKERS!
HACKERS!


CRACKERS!
HACKERS!
Everybody says “hackers” anyways.
WordPress Hacks
Warning! Massive Number of GoDaddy WordPress Blogs Hacked!

DreamHost: One Million Domains Hacked; WordPress Blogs Infected

WordPress Sites on GoDaddy, Bluehost Hacked

Reuters Hacked Again, Outdated WordPress Blog At Fault?

InMotion Hosting Servers Hacked, Thousands of Web Sites Affected
WordPress Hacks


History shows there have been very few “WordPress Hacks”

“ In the vast majority of cases I see, attackers get in some other way,
and then once already in the system, they go looking for WordPress
installs.” -- Mark Jaquith
If WordPress isn’t the weak point, what is?
WordPress Hacks
Most hacks that affect WordPress actually originate outside
of WordPress Core.

  TimThumb (PHP library, many themes/plugins)

  Uploadify (jQuery plugin, many themes/plugins)

  Adserve (plugin)

  WassUp (plugin)

  Is Human (plugin)
We need to look at the bigger picture
The LAMP Stack
Other Services and Apps

SMTP (email)

FTP

DNS

Other web sites and utilities?

  Drupal, Joomla, forums

  PHPMyAdmin
Shared Hosting

Shared hosting? Shared security!

Other users on the same server as you can become a security
risk that affects you

What about your own users? Can you trust everyone who has
a login for your site? Really trust them?

  “Nobody cares as much about the survival of your business
  as yourself.” -- Ron Cain, business owner
How do hackers get in?
Known exploits in vulnerable software

Brute-force password hacking

Network scanners

  Firesheep

  Wifi vulnerabilities (WEP/WPA)

Automated tools

Rootkits
Staying Safe
Three Words


Update
Update
Update


Update Core

Update Plugins

Update Themes
What Else?

Hotfix Plugin

WP Security Scanner

Login Lockdown

BulletProof Security

Sucuri.net
What Else?

Not using a plugin anymore?

  Deactivate

  DELETE!

  The same goes for themes
HACKED!
Now What?

You can no longer trust any code files

Nuke the site, start from trusted, fresh copies

  Save wp-config.php and wp-content/uploads

Reinstall data from backups

You do have backups, right?

Right?
What do I back up?

Database

Uploaded media (wp-content/uploads)

Custom themes and plugins

wp-config.php

Keep a list of your installed third-party plugins
How do I back up?


Backup Buddy

VaultPress

WordPress Backup to Dropbox
It can happen to you

It can happen to me

It can happen to everyone, eventually

 -- Yes, It Can Happen, 90125
A Little Healthy Paranoia
Healthy Paranoia!
Use strong passwords

Two-factor authentication -- Google Authenticator plugin

Use separate WordPress logins for publishing day-to-day content and for site administration

Limit who can login to your site, and what permissions they have

  Create temporary accounts for developers, if necessary
Healthy Paranoia!

Use secure protocols: SFTP, SCP, SSH -- not FTP

If possible, enforce SSL on WordPress logins and dashboard access

Ensure MySQL server is not accessible to other hosts

Same goes for memcache (or any other data store)
What? I don’t know how!
Getting help
Security is part of the cost of doing business, like insurance

If you don’t know how to do all this, retain the services of someone who does

Managed hosting:

  Page.ly

  WordPress.com

  WP Engine

  Zippykid
Security for Developers
Settings API, nonces, validation handlers

Data escaping functions: esc_*()

  esc_html()

  esc_attr()

  esc_sql()

  esc_url() & esc_url_raw()

  esc_js()
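As an added example that is not part of the slides, here is how the items above fit together in one small plugin: the Settings API with a validation (sanitize) handler, a nonce on a hand-rolled admin action, a capability check, and each esc_*() function used in the output context it is meant for. Every hows_ name, the option name and the "purge" action are hypothetical; the WordPress functions themselves (register_setting, settings_fields, check_admin_referer, $wpdb->prepare, the esc_*() family) are real core APIs.

```php
<?php
/**
 * Added example, not from the slides: a small WordPress options page that uses
 * the Settings API, nonces, a validation handler and the esc_*() family.
 * All "hows_" names, the option name and the purge action are hypothetical.
 */

// 1. Settings API: register the option and attach a validation handler.
add_action( 'admin_init', function () {
	register_setting(
		'hows_demo_group',    // hypothetical settings group (ties the form to the option)
		'hows_demo_settings', // hypothetical option name in wp_options
		array( 'sanitize_callback' => 'hows_demo_sanitize' )
	);
} );

// Validation handler: runs on every save; only the fields we expect survive.
function hows_demo_sanitize( $input ) {
	$clean = array();
	$clean['banner_text'] = sanitize_text_field( $input['banner_text'] ?? '' );
	$clean['link_url']    = esc_url_raw( $input['link_url'] ?? '' ); // storage form, no HTML entities
	$clean['max_items']   = max( 1, min( 50, absint( $input['max_items'] ?? 10 ) ) );
	return $clean;
}

// 2. Admin page behind a capability; hiding a menu entry is not access control.
add_action( 'admin_menu', function () {
	add_options_page( 'Demo', 'Demo', 'manage_options', 'hows-demo', 'hows_demo_page' );
} );

function hows_demo_page() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'hows-demo' ) );
	}
	$o = get_option( 'hows_demo_settings', array() );
	?>
	<div class="wrap">
	<h1><?php echo esc_html( get_admin_page_title() ); ?></h1>
	<form method="post" action="options.php">
		<?php settings_fields( 'hows_demo_group' ); // emits the nonce and hidden option_page fields ?>
		<p><label>Banner text
			<input type="text" name="hows_demo_settings[banner_text]"
			       value="<?php echo esc_attr( $o['banner_text'] ?? '' ); ?>"></label></p>
		<p><label>Link URL
			<input type="url" name="hows_demo_settings[link_url]"
			       value="<?php echo esc_attr( $o['link_url'] ?? '' ); ?>"></label></p>
		<p><label>Max items
			<input type="number" name="hows_demo_settings[max_items]"
			       value="<?php echo esc_attr( $o['max_items'] ?? 10 ); ?>"></label></p>
		<?php submit_button(); ?>
	</form>

	<!-- Each escaper matches the context the value lands in. -->
	<p><?php echo esc_html( $o['banner_text'] ?? '' ); ?></p>                      <!-- HTML text node -->
	<a href="<?php echo esc_url( $o['link_url'] ?? '' ); ?>">Link</a>              <!-- href attribute -->
	<script>var howsMax = "<?php echo esc_js( $o['max_items'] ?? 10 ); ?>";</script> <!-- inline JS string -->

	<!-- A hand-rolled action outside the Settings API needs its own nonce. -->
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<?php wp_nonce_field( 'hows_demo_purge' ); ?>
		<input type="hidden" name="action" value="hows_demo_purge">
		<input type="text" name="needle" placeholder="title contains">
		<?php submit_button( 'Purge matching trashed posts', 'delete', 'submit', false ); ?>
	</form>
	</div>
	<?php
}

// 3. The action handler: verify the nonce, re-check the capability, query safely.
add_action( 'admin_post_hows_demo_purge', function () {
	check_admin_referer( 'hows_demo_purge' ); // dies unless the nonce from the form matches
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed.' );
	}
	global $wpdb;
	$needle = sanitize_text_field( wp_unslash( $_POST['needle'] ?? '' ) );
	// Prefer $wpdb->prepare() placeholders over esc_sql() string pasting.
	$ids = $wpdb->get_col( $wpdb->prepare(
		"SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = %s",
		'%' . $wpdb->esc_like( $needle ) . '%',
		'trash'
	) );
	foreach ( $ids as $id ) {
		wp_delete_post( (int) $id, true );
	}
	wp_safe_redirect( admin_url( 'options-general.php?page=hows-demo' ) );
	exit;
} );
```

Two design points worth noting. Sanitizing happens once, at input time, in the validation handler; escaping happens at output time, with the escaper chosen by destination (esc_html for text, esc_attr for attributes, esc_url for href, esc_js for an inline JavaScript string). esc_url_raw() is the storage form and esc_url() the display form of the same value. esc_sql() is on the slide, but $wpdb->prepare() with %s/%d placeholders (and $wpdb->esc_like() for LIKE wildcards) is the first choice for queries; esc_sql() is for the rare query that prepare() cannot express.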
Now, SECURE ALL THE THINGS!
Thanks!
Dougal Campbell
@dougal
dougal.gunters.org


Editor's Notes

  1. I totally stole that image from another site. Sorry.

  2. Everybody knows what a ‘hacker’ is, right? The bad guys. The people who want to break your site, or sneak nasty links into it, or use your site to infect others with viruses.

  3. But most programmers, especially old-school ones like myself, call themselves “hackers”. It’s sort of a Light Side vs Dark Side thing. Or “white hat” vs “black hat”, as you’ll sometimes see. There was an effort to differentiate the more generic term “hackers” from the more insidious “crackers”, a term specific to the bad kind of hacking.

  4. Buuuut... Everybody still says “hackers” anyway. Think of it like the slang words “bad” or “wicked”, which were repurposed to mean the same thing as “cool”. Which often meant the same thing as “hot”. Language is fluid, roll with it. During this presentation, I’ll *mostly* be using “hackers” as a synonym for “crackers”.

  5. You’ve probably seen headlines like these over the past several years. Reports of thousands or even millions of web sites hacked, with WordPress mentioned prominently. Boy, WordPress must be an insecure mess, huh?

  6. Truth is, WordPress has hardly ever been the weak point in these hacks. It was a symptom, not a cause. A runny nose doesn’t cause your cold, it’s a symptom. Likewise, a hacked WordPress site does not mean that WordPress caused the site to get hacked. The “infection” often starts somewhere else.
  7.

  8. Often, the weak points are third-party plugins and themes for WordPress.

     The TimThumb library is a famous recent example. This library is very popular for allowing you to manipulate images (crop, rotate, resize, etc) right in the browser. Many WordPress themes and plugins integrated this library. When it turned out that TimThumb had a security weakness, MANY WordPress sites were affected, and were in fact hacked. WordPress itself was not the problem. Sites which did not have plugins or themes that used TimThumb remained safe, because WP Core was not the weak point.

     TimThumb has since been fixed, but it suffered a major black eye due to how many sites wound up being affected.

     Likewise, Uploadify is a jQuery plugin which had a security weakness affecting some plugins and themes. Adserve, WassUp, and Is Human are WordPress plugins that all had some sort of security weakness that was discovered and used by hackers to attack sites.

  9. But even if your plugins and themes are safe, or even if you don’t run any extra plugins, that doesn’t automatically make you safe. You need to expand your security awareness beyond WordPress Core, beyond themes, and beyond plugins.

  10. WordPress is an application that sits on top of what we most often call “The LAMP Stack”. LAMP stands for “Linux, Apache, MySQL, and PHP”, a very common web server setup. Some sites might use something other than Linux as their operating system (FreeBSD, SunOS, etc). Or they might use Nginx instead of Apache for the web server. But in any case, there will still be these basic elements: an operating system, a web server, a database, and a programming language, with a web application like WordPress sitting on top of them.

      ANY of these pieces could potentially have security flaws in them that could allow an attacker to compromise your web site. If you look up the history of software releases for each of these things, you might be surprised at how often releases contain fixes for security-related bugs. Most of the nasty ones were shaken out a long time ago. We hope. But we’re talking about very complicated systems with many thousands, or even millions, of lines of code. Sometimes a small oversight can be turned into a crack in the armor by a clever hacker.

  11. In addition to WordPress, there may be other network services running. SMTP for receiving email on the server; FTP for file transfers; most people don’t run their own DNS service, but some do; and you or others on the same server as you might run other web apps like Drupal or Joomla, forums like bbPress, phpBB, or Vanilla, or a database management utility like PHPMyAdmin.

      Any one of these things on your server could contain some security flaw that an attacker could leverage to gain access to other parts of the server.

  12. Many people have their sites on shared hosting. If you aren’t on a “dedicated server” or VPS (virtual private server), then you are almost certainly on shared hosting. That means that there are other users running web sites and other services on the same server as you. They are normally segregated so that users can’t “see” each other (usually through “jailed” or “chroot” environments), which offers some protection, but ultimately these users are all sharing some resources at the operating system level.

      But even if you are using a totally dedicated server, where nobody else has access to the operating system, what about other WordPress users? If you have a multi-author site -- really any situation where other users log in to WordPress and see the Dashboard -- you have to know how much you can trust them with your site.

      My wife’s parents own a small business. Over the years, when they have hired part-time employees to help out, one problem they’ve had is that some people just didn’t follow through with all the things they were supposed to do. You might tell them that during slow times, they are not supposed to use the Point of Sale computers for surfing web sites, but when the owners are away, and they aren’t taking care of customers, that’s what some employees would do. And while they aren’t trying to be problematic, they also aren’t the ones who will have to deal with the cleanup if those computers became infected with a virus. Because they are not the ones who invested their savings into the business, they will probably never care as much about the business and its assets as the owners do.

      It’s the same with your website. Whether you use your site for e-commerce, or as a “brochure” business site, or just for a hobby, it’s unlikely that any other user of your site is going to care as much about it as you.
  13. Hackers often share their knowledge of security holes with other hackers. In those circles, there are big “bragging rights” for being the first to discover such a hole in a piece of software. In InfoSec circles, there are “white hat” and “black hat” hackers. The white hats discover security holes either as part of their jobs as security consultants, or as a hobby. But when they find something, they typically send a security report to the owners of the software, and give them a window of time to create and release a fix before making knowledge of the hole public. The black hats, on the other hand, just start using the security hole to break into systems. And at some point, they share information about the holes with others. Once a new exploit becomes known, there is usually a spurt of activity as more and more hackers begin testing the hack against servers.

      One common goal once a hacker gets into a system is to obtain access to account passwords. In most cases (with a few lamentable exceptions), passwords are stored “hashed” (a one-way transformation, often loosely called “encrypted”) to protect them from this type of unauthorized access. You might type in your password as “syncronicity” (don’t use that), but in the password database it will be stored as something like “93fd5f81657c05b5a6e485ae216313e3e092f44c”. To match this up with the original password, a hacker can run a program that tries every combination of letters, numbers, and symbols, hashing each combination and looking for a match. A word like “syncronicity” is EASY to crack, because it appears in the dictionary. Password crackers keep lists of words like that, pre-hashed with a variety of password hashing algorithms, and can find matches for them EXTREMELY quickly. More on password security later...

      Network scanners will monitor network activity, and can nab unencrypted passwords right out of the network packets. Firesheep was an extension created for the Firefox web browser to demonstrate just how easy this could be in some cases. It would monitor the network you were connected to, watching for others to log in insecurely (without SSL/https) to services like Facebook, Twitter, and the like. It would then present you with a button in your browser that would let you simply click to log in as that other person. It was scary how well it worked. Since that time, Facebook, Twitter, and most other services have started enforcing SSL for all logins, which makes this sort of network sniffing impractical.

      In many cases, WiFi networks protect themselves by turning on network-level encryption like WEP or WPA. These protect the data that travels between your computer and the wireless internet router from inspection by outsiders. However, there turned out to be weaknesses in the WEP encryption which were discovered through complex mathematical analysis. Using these weaknesses can allow a hacker to break the WEP protection after just a few minutes, or even seconds, of network monitoring. WPA and WPA2 offer stronger protection. WPA has also been cracked, and can be broken with about 10-15 minutes of monitoring. To the best of my knowledge, WPA2 is still safe. If your WiFi router and client devices support it, I recommend that you use that.

      There are other automated tools, often associated with a lower grade of hackers known as “script kiddies”. These tools essentially keep a database of known vulnerabilities and systematically try to apply them against a site or a list of many sites. If you see a long series of strange entries in your web server error logs and access logs trying to reach pages like “/foosoft/admin.aspx?action=list&file=../config.ini&userid=0” that don’t even exist on your site, it is almost certain that one of these scanners is looking for a hole in your server. They don’t care that your server doesn’t run the .NET platform. They just blindly try every trick they know, hoping that one of them will match up with what you are running.

      Lastly, in many cases, if a hacker *does* find a way into your server, they will sometimes install a “rootkit”. These tools attempt to leverage some lower level of access on a system, exploit other vulnerabilities to gain higher levels of access, and then *hide* their presence on your server. They will use all sorts of tricks to hide their activity -- hidden directories and files, filenames with strange binary characters, modifying system commands so that others do not see their processes running, etc. Rootkits can be quite sophisticated, and hackers using them can go undetected for months, all the while using your system as a cog in a network of machines turned to their own purposes.
  14. Now that I’ve scared the crap out of you about all the ways that bad guys can break into your systems and make your life miserable...

      What can we do to stop them?

  15.

  16.

  17.

  18. Keep your WordPress Core, plugins, and themes up-to-date. When you log in to your WordPress administration Dashboard, it will show you when updates are available.

      You will practically never break anything on your site by upgrading WordPress Core between minor versions (e.g., from 3.4.1 to 3.4.2). Minor releases are only for bug fixes, and will never contain any major new features. Major releases, say from 3.4 to 3.5, are the ones that contain new features, and possibly new bugs. Some people like to wait a couple of weeks after a new major release before upgrading, just to allow more adventurous users to find the bugs first. :) (Not me, I run many of my sites right out of the development trunk, updating daily.)

      When plugins and themes update, read the release notes and see if you need to upgrade them. In most cases, you will want to. Sometimes you might see something that isn’t crucial to you, like “upgraded translations to add the Estonian language”. In that case, you might be able to just leave it and wait for some future upgrade. Unless you have a lot of Estonian users, of course.

  19. The Hotfix plugin is maintained by some of the top WordPress developers. It attempts to give you bugfixes that have been found, but not included in an official release yet. It is always safe to have this plugin active on your sites.

      WP Security Scanner (and several other plugins similar to it) will examine your files for certain types of known problems, and give you a report of potential problems.

      Login Lockdown, and other similar plugins like Limit Logins, will watch for brute-force login attempts, and block a client after too many failed login attempts.

      BulletProof Security modifies your .htaccess file to block certain types of access attempts at the web server level (Apache), before WordPress can even try to handle the request.

      Sucuri.net offers security monitoring, auditing and cleanup services, primarily for WordPress.

  20. Do you have old plugins or themes that you don’t use any more? You may have installed several themes, looked at them, finally found the one you liked, and just never got rid of the others you tried. Or you switched from the Awesome Tweets plugin to the Super Awesome Tweets plugin (I made those up), and the old one is still hanging around, deactivated. Or you have a plugin that’s active, but you just never use it. GET RID OF THEM. Even if the plugin is deactivated it could still offer an avenue of attack, if it is written badly.

      Imagine if you will: http://mysite.com/wp-content/plugins/some-old-plugin/sop-admin.php

      If such a file was written without security in mind, direct access like this could bypass WordPress and what it thinks is active or inactive.

  21. Oh dears.

      We were too late. We didn’t secure our site, and we’ve been hacked.

      NOW WHAT?
  22. Every PHP file in your site is now suspect. Hackers could have added files that let them control your server in all sorts of ways. They could have hidden evil code in any one of the hundreds of files in WordPress core, your themes, or plugins. This goes for JavaScript, too.

      You need to delete everything except wp-config.php and your wp-content/uploads folder, and reinstall WordPress, themes, and plugins FROM TRUSTED SOURCES. Even your own recent backups should be treated with suspicion. Hopefully you backed up any custom plugins or themes before your site even went public. And if you’re saving your wp-config file, double-check it before you put it back up.
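One way to see which files were touched before you wipe and reinstall, as an added example that is not part of the presentation: this PHP script hashes a directory tree and compares it with a trusted manifest of relative path => md5, flagging modified files, missing files, and PHP files that nobody installed (for example in wp-content/uploads, which the note says to keep). The file tree and the manifest below are constructed for the demo; for a real site the manifest would come from a pristine copy of the same WordPress version (the api.wordpress.org core checksums endpoint publishes one in this same shape, which is my assumption, not something the slides cover).

```php
<?php
// Added example (not from the presentation): file-integrity check against a manifest.

/** Return relative path => md5 for every regular file under $root. */
function hash_tree( string $root ): array {
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        $rel = str_replace( DIRECTORY_SEPARATOR, '/', $rel );
        $hashes[ $rel ] = md5_file( $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

/**
 * Compare actual hashes with the manifest.
 * Files absent from the manifest are reported only when the web server would
 * execute them (PHP by default); stray images or text are a different problem.
 */
function find_suspect_files( array $manifest, array $actual, array $executable_ext = array( 'php', 'phtml' ) ): array {
    $report = array( 'modified' => array(), 'missing' => array(), 'unexpected' => array() );
    foreach ( $manifest as $path => $md5 ) {
        if ( ! isset( $actual[ $path ] ) ) {
            $report['missing'][] = $path;
        } elseif ( $actual[ $path ] !== $md5 ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( $actual as $path => $md5 ) {
        $ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
        if ( ! isset( $manifest[ $path ] ) && in_array( $ext, $executable_ext, true ) ) {
            $report['unexpected'][] = $path;
        }
    }
    return $report;
}

// --- Demo on a constructed tree (temporary directory, removed at the end) ---
$root = sys_get_temp_dir() . '/wp-integrity-demo-' . getmypid();
mkdir( "$root/wp-includes", 0700, true );
mkdir( "$root/wp-content/uploads/2012", 0700, true );
file_put_contents( "$root/index.php", "<?php require 'wp-blog-header.php';\n" );
file_put_contents( "$root/wp-includes/version.php", "<?php \$wp_version = 'x.y.z';\n" );
file_put_contents( "$root/wp-includes/load.php", "<?php /* tampered */\n" );          // content differs from manifest
file_put_contents( "$root/wp-content/uploads/2012/cache.php", "<?php /* not in manifest */\n" ); // PHP in uploads

// Constructed manifest: hashes of the pristine versions of the files.
$manifest = array(
    'index.php'               => md5( "<?php require 'wp-blog-header.php';\n" ),
    'wp-includes/version.php' => md5( "<?php \$wp_version = 'x.y.z';\n" ),
    'wp-includes/load.php'    => md5( "<?php /* original */\n" ),
    'wp-includes/missing.php' => md5( "<?php /* deleted on the server */\n" ),
);

$report = find_suspect_files( $manifest, hash_tree( $root ) );
print_r( $report );
// Expected: modified => wp-includes/load.php, missing => wp-includes/missing.php,
//           unexpected => wp-content/uploads/2012/cache.php

// Clean up the temporary tree (children first, then directories).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $cleanup as $f ) {
    $f->isDir() ? rmdir( $f->getPathname() ) : unlink( $f->getPathname() );
}
rmdir( $root );
```

A clean report is not proof that nothing else is wrong (a manifest only covers the files it lists), which is why the note still says to reinstall from trusted sources.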
  28. Your content is your site’s lifeblood. Even if you don’t back up anything else, back up your database. In a worst-case scenario, you could at least get *something* up as a new site. Even if you don’t have the same theme or plugins, you could at least have some sort of basic site back up.

      Also, any uploaded media -- images, audio, videos, screencasts, PDF ebooks that you make available -- make sure you have a backup of the originals. And it’s going to be easiest if you can just back up the entire wp-content/uploads directory as-is, so that you don’t have to re-upload everything from scratch.

      Did you create, or hire someone to create, any custom theme or plugin work? Make backups of those as soon as they are created.

      You probably still have access to the information about your database configuration and other settings, but it’s easiest of all if you just have a good backup of your wp-config.php file.

      You don’t have to back up all the files for your plugins. But at the very least, save a list of which plugins you have installed. If nothing else, take a screenshot of your Active Plugins page.

      NOTE: Some people have asked if saving a copy of a WordPress export file (the .WXR file created by the export tool) is as good as backing up the database. In a word, no. The export file is great for migrating your content, categories, and tags to a new server. But it is not the same as a full database backup. It *only* contains your content. It does not contain other crucial information like the configuration of your site settings and plugins.

  29. These are just a few of the options available to help you back your site up.

      BackupBuddy will back up your database, themes, plugins, etc. It can store backups in cloud storage like Amazon S3, Rackspace Cloud, and Dropbox, or send the backups to you in email, send them to an FTP server, or let you download them straight to your computer. Commercial, not free, but many people swear by it.
      http://ithemes.com/purchase/backupbuddy/

      VaultPress is a service by Automattic (monthly subscription, not free) that offers a combination of security monitoring and backup services. Definitely worth a look if your site is your livelihood.
      http://vaultpress.com/

      WordPress Backup to Dropbox is a free plugin which will back up your site files and database and save them into your Dropbox account. Dropbox is a cloud storage service, which is also free to sign up for.
      http://wpd2b.com/

      Again, there are other backup plugins and services available; these are just some examples.

  30. Anybody else besides me old enough to remember this song from the ’80s?

      Ironically, the week before I gave this presentation at the Atlanta WordPress Users meetup, my own site was hacked. I awoke one morning to find 40 new posts on my site, hawking Viagra, Cialis, and the like. How embarrassing! I found no other damage, and it appears that they had somehow obtained my password. They probably got my password by cracking it from the stolen database of some other site I used where I shared the same password. Yes, dumb mistake, and I know better.

      The point is, this stuff is not just theoretical, it happens in the real world. What are the chances of it happening to you? Probably the same as the chances for me. And I got hit. What does that tell you?

  31. Are you paranoid yet? You need to be at least a little paranoid if you’re concerned about security.

  32. http://xkcd.com/936/

      Really good observation about password strength. A hacker could brute-force the ‘Tr0ub4dor&3’ password in 3 days (just by sending login requests to a web site over and over), or less if cracking a known hash (captured from a site password file). “Perceived complexity” of the password matters much less than the *length*. Every bit of entropy doubles the time needed to crack/guess. Exponential progression FTW!

      One of my pet peeves is when a site puts limits on what you can use for your password, in a misguided attempt to force you into creating a “secure” password. How many times have you seen a site that tells you “Passwords must be 6-12 characters in length, must contain both uppercase and lowercase letters, at least one number, and at least one special character”? Every one of those constraints *weakens* the overall strength by *reducing* the total number of possible combinations that could be used.

      *Suggesting* those options is a good idea, because passwords like that are at least not trivially guessable. Enforcing the constraints is a bad idea. A password like “correct horse battery staple”, which is 28 characters long (including spaces) and uses only lowercase letters, is *much* more secure than “Tr0ub4dor&3”, which uses more types of characters but is only 10 characters long.

      Ironically, banking sites are notoriously bad about this.

      This is not to say that a password like “Tr0ub4dor&3” is *bad*, it’s not. Well, that particular one is a bad choice ever since xkcd used it as an example... It’s just that what we *think* is a strong password isn’t always as strong as we might think, compared to other options.

      If you want some really strong passwords, consider using something like 1Password:
      http://agilebits.com/
      Or LastPass:
      https://lastpass.com/

      Again, not the only utilities of that sort. Try searching for “alternatives to 1password”.
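The arithmetic behind “every bit of entropy doubles the time” and the effect of a mandatory-character-class policy, as an added example (not part of the presentation). It assumes the model from the xkcd strip the note links to: roughly 1000 guesses per second against a login form, about 28 bits of entropy for “Tr0ub4dor&3” and about 44 bits for four common words; the policy count is an inclusion-exclusion over the four character classes of printable ASCII, and it goes one step beyond the slide by also showing what the 12-character cap costs.

```php
<?php
// Added example (not from the presentation): entropy, guess time, and policy keyspace.

/** Seconds needed to try all 2^$bits candidates at $guesses_per_second. */
function crack_seconds( float $bits, float $guesses_per_second ): float {
    return pow( 2, $bits ) / $guesses_per_second;
}

function human_duration( float $seconds ): string {
    if ( $seconds < 86400 ) {
        return sprintf( '%.1f hours', $seconds / 3600 );
    }
    if ( $seconds < 86400 * 365 ) {
        return sprintf( '%.1f days', $seconds / 86400 );
    }
    return sprintf( '%.0f years', $seconds / ( 86400 * 365 ) );
}

/**
 * Number of strings of length $len over the 95 printable ASCII characters that
 * contain at least one lowercase letter, uppercase letter, digit and symbol.
 * Inclusion-exclusion: sum over every subset S of the four classes of
 * (-1)^|S| * (95 - size of S)^len. Classes: 26 + 26 + 10 + 33 = 95.
 */
function count_policy_strings( int $len ): float {
    $classes = array( 26, 26, 10, 33 );
    $total   = 0.0;
    for ( $mask = 0; $mask < 16; $mask++ ) {
        $excluded = 0;
        $sign     = 1;
        for ( $i = 0; $i < 4; $i++ ) {
            if ( $mask & ( 1 << $i ) ) {
                $excluded += $classes[ $i ];
                $sign      = -$sign;
            }
        }
        $total += $sign * pow( 95 - $excluded, $len );
    }
    return $total;
}

/** Entropy in bits of a uniformly random choice among $count possibilities. */
function keyspace_bits( float $count ): float {
    return log( $count, 2 );
}

// (1) Every extra bit doubles the work. Rate and bit estimates follow the xkcd model.
$rate = 1000.0; // online guesses per second against a login form
printf( "%-30s %2d bits  %s\n", 'Tr0ub4dor&3 (pattern model)', 28, human_duration( crack_seconds( 28, $rate ) ) );
printf( "%-30s %2d bits  %s\n", 'four common words', 44, human_duration( crack_seconds( 44, $rate ) ) );
// Expected: about 3.1 days versus about 558 years.

// (2) "6-12 characters, all four classes required" versus no such rule,
//     versus 28 random lowercase letters (same length as the passphrase on the slide).
$policy = 0.0;
$free   = 0.0;
for ( $len = 6; $len <= 12; $len++ ) {
    $policy += count_policy_strings( $len );
    $free   += pow( 95, $len );
}
printf( "policy 6-12, all classes required: %.1f bits\n", keyspace_bits( $policy ) );
printf( "any printable ASCII, 6-12 chars:   %.1f bits\n", keyspace_bits( $free ) );
printf( "28 random lowercase letters:       %.1f bits\n", keyspace_bits( pow( 26, 28 ) ) );
// The class rule shaves under a bit off the 12-character space (~78 bits);
// the length cap is what keeps it some 50 bits short of the 28-letter space.
```

The numbers show the slide’s point from both sides: the class constraints do shrink the space, but the length limit is the constraint that really hurts.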
  33. Strong passwords are one line of defense.

      Even stronger are two-factor authentication systems. What is a two-factor system? It is a system that uses two completely separate methods for verifying who you are. Typically, this is through some sort of device that you (and only you) carry with you. For example, I have an “RSA SecurID” fob on my keychain, provided to me by my employer. In order to log in to our VPN from home, I have to launch the VPN client, enter a 6-10 digit PIN (which I chose) AND also enter a 6-digit number that appears on the fob. The number on the fob changes once per minute. So even if someone guessed my PIN, if they don’t also have my keychain fob, they’d have a snowflake’s chance in Hades of guessing the other half of the code in a given 1-minute window. Likewise, even if I lose my keys, if the person who has them doesn’t know my PIN, they won’t be able to log in.

      There are similar two-factor services that work by texting a time-limited code to your cell phone, or by other call-back methods.

      There is a plugin for WordPress called Google Authenticator which implements two-factor authentication via an app on your smartphone (iPhone, Android), and your GMail account.
      http://wordpress.org/extend/plugins/google-authenticator

      There is a concept known as “separation of concerns”. Do you use the same WordPress login for posting new content to your site as you do for administrative tasks like managing themes, plugins, and site settings? Why? Convenience, I’m sure. But you don’t *need* all the special administrative privileges just for writing posts and pages. If you use a separate account, set to a lower access level, like the “Editor” or “Author” role, you can limit exposure of the administrative account to the outside world.

      If you have other users who log in to your site (co-authors, guest bloggers, subscribers who can manage certain account settings, etc), make sure they have the *least* privileges that they actually need. A guest blogger probably only needs to be set to the “Contributor” or “Author” role (“Contributor” lets them draft a post, but it can only be published by an “Editor” or “Administrator”).

      If you hire a designer or developer, don’t give them your own account login information. Create a temporary account which gives them just the amount of access they need. This not only applies to WordPress itself, but more especially to your hosting account. If your hosting service lets you create additional users, do that! A few months down the road, when you’re wondering how some file got changed or deleted, you might have activity logs that can tell you who did it. But if they were logging in as you, it’s going to be hard to say whether it was really you that made a mistake, or somebody else logged in *as* you.
  34. If you are using FTP to move files back and forth to your server, please stop. FTP is an old protocol written at a time when network access was very limited, and the ability to sniff passwords off of a network required very special tools and knowledge. That is no longer the case. And FTP sends your password over the network in the clear. Anybody who can sniff the network can snag your password out of an FTP transaction. Do you like to work in a coffee shop, on an unencrypted WiFi network? Welcome to Paranoialand. That kid sitting at the corner table might not be posting funny cat pictures to Facebook. He might be snickering at how easy it is to steal passwords in a coffee shop.

      Your host almost certainly supports SFTP, which is Secure FTP. Use that instead. In some cases, you might have access to SCP (Secure CoPy), or SSH, which is a secure alternative to Telnet, for logging into a terminal session (not all hosts give you that kind of access).

      Back in WordPress land, you can enable settings in your wp-config.php file to force all logins or dashboard access to be via SSL (https). This will require you to install an SSL certificate on your web server. You should be able to find instructions about these topics on the WordPress Codex and via your web host’s support. Administrative interfaces like cPanel and Plesk typically make it pretty easy to do this. A *real* SSL certificate, signed by a Certificate Authority, normally costs about $100/year. If you just want to protect your own login info on your site, you can create a self-signed certificate. But with those, your browser will present a warning about the trustworthiness of the certificate, so if you need SSL for something like an e-commerce site, you’ll need to purchase the real thing.

      Your MySQL server should be configured to *only* accept connections from your web server and itself. In most cases, you probably have MySQL and Apache running on the same host, so just limiting connections to “localhost” will do the trick. But if you are one of the rare people (like me) who runs their database on a separate host from the web server, make sure it’s not set to accept connections from any host (designated by “%” in the hostname field of your database permissions).

      If you use memcache for caching, the same advice applies -- configure it to only accept connections from your web server, normally “localhost”.
  35. That all sounds like great advice, but this technical talk about configuring servers, limiting access, database-this, and certificate-that is like Moon Language to me! How am I going to be able to do all these things? Do I have time for this? Is it worth the trouble?

  36. First of all, you should probably be looking at site security as part of the “cost of doing business”. Obviously that particularly applies if your web site *is* a business. If your site goes down, does it mean lost revenue? Then keeping it up is in your best interest!

      Security is HARD! There are so many pieces to a complex system like a web application. You have the application itself (WordPress, Drupal, Ruby on Rails apps, Django apps, etc), the language platform (PHP, Perl, Python, Ruby, Java, etc), the web server (Apache, Nginx, Tomcat, etc.), the operating system (Linux, FreeBSD, Solaris, etc), and even down to the network itself (internet routers, switches, WiFi connections). I know more than the average bear about some of these things, but I would not claim to be a “Security Expert”.

      If your web site is mission critical, generating your income, and you don’t feel like you know enough to manage security on your own, find somebody to help you. There are companies and individuals who can sell you their services to help with preventative hardening of your server, periodic monitoring, security auditing of code, or even disaster recovery. I mentioned Sucuri.net earlier; they are one such service.

      Another option is to use managed hosting. With a managed host, the hosting company typically takes care of things like backups and upgrades for you (but check their terms to be sure). These are some WordPress-specific hosting options. They all have their pros and cons, which you would need to weigh before deciding who to use. There are also more general managed hosting offerings, such as from Dreamhost and Rackspace.

  37. If you yourself are a developer, get familiar with the APIs in WordPress that help you write secure code.

      If you are creating a settings page for a plugin or theme, use the Settings API. It automatically handles several security tasks for you, protecting forms with nonces to prevent certain types of tricks, and letting you hook in a validation function to verify and sanitize all of the data being submitted in your form.

      There are also specialized functions for escaping values in specific security-sensitive areas, including for when you need to hand-craft SQL database queries or pass values from WordPress PHP code into JavaScript in the browser. Familiarize yourself with these helper functions, and when and where to use them.

      http://codex.wordpress.org/Settings_API
      http://codex.wordpress.org/Function_Reference
      http://markjaquith.wordpress.com/2009/06/12/escaping-api-updates-for-wordpress-2-8/

  38. Security isn’t just about good passwords, or protecting your WordPress, or configuring your server, or how much you can trust your users. It’s about ALL of those things.

      SECURE ALL THE THINGS!

  39. I’m also on Facebook, LinkedIn, and stuff.
      “Just Google for Dougal!”
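The direct-access guard that note 20 is asking for and the Settings API, nonce, sanitize and escaping calls from note 37, worked into one small hypothetical plugin as an added example (not code from the presentation or from WordPress itself; the plugin name, the `ehs_options` option name and the `ehs_` function names are made up for illustration, while every WordPress function called is a real one):

```php
<?php
/**
 * Plugin Name: Example Hardened Settings (hypothetical, added example)
 */

// Note 20: stop here on a direct request to this file. Outside WordPress
// ABSPATH is undefined, so nothing below runs, active plugin or not.
defined( 'ABSPATH' ) || exit;

add_action( 'admin_init', 'ehs_register_settings' );
add_action( 'admin_menu', 'ehs_add_menu' );

function ehs_register_settings() {
    // The sanitize callback runs on every save, before anything hits the database.
    register_setting( 'ehs_group', 'ehs_options', 'ehs_sanitize' );
    add_settings_section( 'ehs_main', 'Main settings', '__return_false', 'ehs_page' );
    add_settings_field( 'ehs_title', 'Widget title', 'ehs_field_title', 'ehs_page', 'ehs_main' );
    add_settings_field( 'ehs_url', 'Feed URL', 'ehs_field_url', 'ehs_page', 'ehs_main' );
    add_settings_field( 'ehs_limit', 'Items to show', 'ehs_field_limit', 'ehs_page', 'ehs_main' );
}

function ehs_add_menu() {
    // manage_options: only Administrators reach this page (least privilege, note 33).
    add_options_page( 'Example Hardened Settings', 'Hardened Settings', 'manage_options', 'ehs_page', 'ehs_render_page' );
}

/** Validation handler: whitelist shape and range, never trust the posted array. */
function ehs_sanitize( $input ) {
    $clean          = array();
    $clean['title'] = sanitize_text_field( isset( $input['title'] ) ? $input['title'] : '' );
    // esc_url_raw() is for storage (no HTML entities); esc_url() is for output.
    $clean['url']   = esc_url_raw( isset( $input['url'] ) ? $input['url'] : '', array( 'http', 'https' ) );
    $limit          = isset( $input['limit'] ) ? (int) $input['limit'] : 5;
    $clean['limit'] = max( 1, min( 50, $limit ) );
    if ( '' === $clean['url'] ) {
        add_settings_error( 'ehs_options', 'ehs_url', 'Feed URL must be an http(s) URL.' );
    }
    return $clean;
}

function ehs_get_options() {
    $defaults = array( 'title' => '', 'url' => '', 'limit' => 5 );
    return wp_parse_args( get_option( 'ehs_options', array() ), $defaults );
}

// Field renderers: escape for the attribute context, every time, even for stored data.
function ehs_field_title() {
    $o = ehs_get_options();
    echo '<input type="text" name="ehs_options[title]" value="' . esc_attr( $o['title'] ) . '" />';
}
function ehs_field_url() {
    $o = ehs_get_options();
    echo '<input type="url" name="ehs_options[url]" value="' . esc_url( $o['url'] ) . '" />';
}
function ehs_field_limit() {
    $o = ehs_get_options();
    echo '<input type="number" name="ehs_options[limit]" min="1" max="50" value="' . esc_attr( $o['limit'] ) . '" />';
}

function ehs_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    echo '<div class="wrap"><h1>Example Hardened Settings</h1>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'ehs_group' );     // emits the nonce; options.php verifies it on submit
    do_settings_sections( 'ehs_page' );
    submit_button();
    echo '</form></div>';
}

/** Front-end output: one escaping function per destination context. */
function ehs_render_widget() {
    global $wpdb;
    $o = ehs_get_options();
    // Hand-crafted SQL: $wpdb->prepare() binds values; esc_sql() is the fallback
    // for pieces prepare() cannot handle, never raw concatenation.
    $count = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s AND post_type = %s",
        'publish', 'post'
    ) );
    echo '<h2>' . esc_html( $o['title'] ) . '</h2>';                          // HTML text
    echo '<a href="' . esc_url( $o['url'] ) . '">Feed</a> (' . $count . ' posts)'; // URL attribute
    echo '<script>var ehsLimit = ' . (int) $o['limit'] . ';';                    // integer cast
    echo 'var ehsTitle = "' . esc_js( $o['title'] ) . '";</script>';             // JS string literal
}
add_action( 'wp_footer', 'ehs_render_widget' );
```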