SlideShare a Scribd company logo

Word camp2011 introwordpresssecurity

David Wilemski
David Wilemski

The document is an introduction to WordPress security presented at WordCamp Detroit on November 12-13, 2011. It discusses raising the security bar of WordPress sites by changing database prefixes, deleting the default admin user, using SSL for wp-admin, setting proper file permissions, and limiting login attempts. It also stresses the importance of regular backups and having disaster recovery plans, including restoring from backups if the site becomes compromised. Various security plugins are presented that can help harden WordPress sites, and paid services like VaultPress are introduced that can make security management easier. The overall message is that sites can be better protected with minimal effort, especially regular backups.

TechnologyBusiness
1 of 29
Download to read offline
An Introduction to WordPress Security WordCamp Detroit November 12th - 13th, 2011
David Wilemski @davidwilemski davidwilemski.com github.com/davidwilemski
The Goal: Staying Afloat photo by Flickr user davidesimonetti
WordPress Security ● Raise the security bar ● Plugins and services ● Disaster recovery
Vulnerabilities photo by Flickr user misterbisson
Drive by exploits ● Most attacks aren't targeted ● Little time per site ● Known exploits
timthumb.php exploit ● Common image library used in WP themes ● Exploited poor error checking ● Arbitrary code execution http://markmaunder.com/2011/08/01/zero-day-vulnerability-in- many-wordpress-themes/
Password Brute-forcing ● Automated attack on a user account ● Takes time, will show up in logs ● Some evidence of scripts that are distributed across multiple nodes http://isc.sans.edu/diary.html?storyid=7663
Raising The Bar photo by Flickr user Mike_tn
Change Database Table Prefix ● Defaults to "wp_" ● Use anything else ● Makes SQL injection a little more difficult
Delete 'admin' user ● In WP Dashboard create a new administrative user ● Log in as the new user, delete the original user ● Some scripts are programmed to target 'admin'
Use SSL (HTTPS) in wp-admin ● Encrypts traffic to your site ● Stops attackers from reading your traffic or stealing your login cookies ● Check with your hosting provider to see if you have support ● Can be a self-signed certificate if you are the only one using wp-admin
File Permissions ● Only as loose as required, NOT more ● Recommended 755 for directories and 644 for files http://codex.wordpress.org/Hardening_WordPress#File_Permissions
Change wp-config.php secrets ● Security keys used for setting various cookies and internal crypto properties ● Changing them will just cause any logged in user to need to re-authenticate ● Use the generator: https://api.wordpress.org/secret-key/1.1/salt/
● Bonus: IP restrict wp-admin ● Use .htaccess to restrict access to the dashboard ● If your public IP address changes you will get locked out of WP and need to edit the .htaccess via FTP or shell access http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
Unlimited Power photo by Flickr user Frank.Li
Limit Login Attempts ● Rate limits failed login attempts ● Can hinder brute force attacks ● Notifies in case of too many failures http://wordpress.org/extend/plugins/limit-login-attempts/
Duo WordPress ● Two-factor authentication for your WordPress site ● ● Protects from account take over
Duo Push Notification http://wordpress.org/extend/plugins/duo-wordpress/
Emergency Preparedness photo by Flickr user doisespressos
Backups! ● Backup your WP database regularly (and the site files)! ● Do them, test them! ● Plugins: WP-DB-Backup or PressBackup http://wordpress.org/extend/plugins/pressbackup/ http://wordpress.org/extend/plugins/wp-db-backup/
Disaster Recovery photo by Flickr user born1945
Restore your site ● Don't just try to clean the site ● You could miss hidden backdoors ● Backup the infected site for later analysis ● Restore from a known good backup
Protect your online identity ● Change your passwords to your database and WP user accounts ● Check your computer for malware ● Update your site and plugins
Investigate the attack ● Consider checking up the backed up copy of your site ● If the attack is made via a flaw in WP, file a bug or inform the mailing list http://ottopress.com/2011/how-to-cope-with-a-hacked-site/ http://codex.wordpress.org/FAQ_My_site_was_hacked
Overwhelmed yet? photo by Flickr user andresthor
VaultPress ● Paid service offered by Automattic to backup, scan, and protect your WordPress website ● Makes it easy to restore site backups ● Worth it if you don't have the time or want to manage things yourself
Once more ● Your site can be better protected with just a little effort ● It's all about raising the bar! ● Backups, backups, backups!
Thank You! Questions? David Wilemski @davidwilemski

Recommended

WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress GovLoop
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesJonathan Hall
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16tshellberg
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Building a community of Open Source intranet users
Building a community of Open Source intranet usersBuilding a community of Open Source intranet users
Building a community of Open Source intranet usersLuke Oatham
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIryanduff
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo
 

Recommended

WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
A crash course in scaling wordpress
A crash course in scaling wordpress A crash course in scaling wordpress
A crash course in scaling wordpress GovLoop
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesJonathan Hall
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16tshellberg
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Building a community of Open Source intranet users
Building a community of Open Source intranet usersBuilding a community of Open Source intranet users
Building a community of Open Source intranet usersLuke Oatham
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIryanduff
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo
 
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Cliff Seal
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleKayleigh Thorpe
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Securityn|u - The Open Security Community
 
Security? hey, it's only word press!
Security? hey, it's only word press!Security? hey, it's only word press!
Security? hey, it's only word press!stk_jj
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Installing and Setting Up WordPress
Installing and Setting Up WordPressInstalling and Setting Up WordPress
Installing and Setting Up WordPressZero Point Development
 
Extending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIExtending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIryanduff
 
WordPress development checklist
WordPress development checklistWordPress development checklist
WordPress development checklistBinh Quan Duc
 
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014ryanduff
 
Install WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPInstall WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPRupesh Kumar
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a pluginBrian Layman
 
wp cli- don’t fear the command line
wp cli- don’t fear the command linewp cli- don’t fear the command line
wp cli- don’t fear the command lineDwayne McDaniel
 
Get Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentGet Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentCliff Seal
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup marchFadi Nicolas Zahhar
 
The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.WP Engine
 

More Related Content

What's hot

Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Cliff Seal
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleKayleigh Thorpe
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Security? hey, it's only word press!
Security? hey, it's only word press!Security? hey, it's only word press!
Security? hey, it's only word press!stk_jj
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Extending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIExtending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIryanduff
 
WordPress development checklist
WordPress development checklistWordPress development checklist
WordPress development checklistBinh Quan Duc
 
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014ryanduff
 
Install WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPInstall WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPRupesh Kumar
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a pluginBrian Layman
 
wp cli- don’t fear the command line
wp cli- don’t fear the command linewp cli- don’t fear the command line
wp cli- don’t fear the command lineDwayne McDaniel
 
Get Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentGet Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentCliff Seal
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 

What's hot (20)

Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
Introducing WordPress Multitenancy (Wordcamp Vegas/Orlando 2015/WPCampus)
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support Tale
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Security? hey, it's only word press!
Security? hey, it's only word press!Security? hey, it's only word press!
Security? hey, it's only word press!
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusion
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Installing and Setting Up WordPress
Installing and Setting Up WordPressInstalling and Setting Up WordPress
Installing and Setting Up WordPress
 
Extending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLIExtending Your WordPress Toolbelt with WP-CLI
Extending Your WordPress Toolbelt with WP-CLI
 
WordPress development checklist
WordPress development checklistWordPress development checklist
WordPress development checklist
 
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
Extending your WordPress Toolbelt with WP-CLI - WordCamp Austin 2014
 
Install WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHPInstall WordPress Blogging Software with EasyPHP
Install WordPress Blogging Software with EasyPHP
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
Let’s write a plugin
Let’s write a pluginLet’s write a plugin
Let’s write a plugin
 
wp cli- don’t fear the command line
wp cli- don’t fear the command linewp cli- don’t fear the command line
wp cli- don’t fear the command line
 
Get Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & DevelopmentGet Started in Professional WordPress Design & Development
Get Started in Professional WordPress Design & Development
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 

Similar to Word camp2011 introwordpresssecurity

Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup marchFadi Nicolas Zahhar
 
The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.WP Engine
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIWP Engine
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionPratik Jagdishwala
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Trivandrum
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress InstallationLester Chan
 
WordPress CLI in-depth
WordPress CLI in-depthWordPress CLI in-depth
WordPress CLI in-depthSanjay Willie
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonBastian Grimm
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 

Similar to Word camp2011 introwordpresssecurity (20)

Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup march
 
The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.The WP Engine Developer Experience. Increased agility, improved efficiency.
The WP Engine Developer Experience. Increased agility, improved efficiency.
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security session
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress Installation
 
WordPress CLI in-depth
WordPress CLI in-depthWordPress CLI in-depth
WordPress CLI in-depth
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
 

Recently uploaded

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Product School
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Product School
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 

Recently uploaded (20)

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 

Word camp2011 introwordpresssecurity

  • 1. An Introduction to WordPress Security WordCamp Detroit November 12th - 13th, 2011
  • 2. David Wilemski @davidwilemski davidwilemski.com github.com/davidwilemski
  • 3. The Goal: Staying Afloat photo by Flickr user davidesimonetti
  • 4. WordPress Security ● Raise the security bar ● Plugins and services ● Disaster recovery
  • 5. Vulnerabilities photo by Flickr user misterbisson
  • 6. Drive by exploits ● Most attacks aren't targeted ● Little time per site ● Known exploits
  • 7. timthumb.php exploit ● Common image library used in WP themes ● Exploited poor error checking ● Arbitrary code execution http://markmaunder.com/2011/08/01/zero-day-vulnerability-in- many-wordpress-themes/
  • 8. Password Brute-forcing ● Automated attack on a user account ● Takes time, will show up in logs ● Some evidence of scripts that are distributed across multiple nodes http://isc.sans.edu/diary.html?storyid=7663
  • 9. Raising The Bar photo by Flickr user Mike_tn
  • 10. Change Database Table Prefix ● Defaults to "wp_" ● Use anything else ● Makes SQL injection a little more difficult
  • 11. Delete 'admin' user ● In WP Dashboard create a new administrative user ● Log in as the new user, delete the original user ● Some scripts are programmed to target 'admin'
  • 12. Use SSL (HTTPS) in wp-admin ● Encrypts traffic to your site ● Stops attackers from reading your traffic or stealing your login cookies ● Check with your hosting provider to see if you have support ● Can be a self-signed certificate if you are the only one using wp-admin
  • 13. File Permissions ● Only as loose as required, NOT more ● Recommended 755 for directories and 644 for files http://codex.wordpress.org/Hardening_WordPress#File_Permissions
  • 14. Change wp-config.php secrets ● Security keys used for setting various cookies and internal crypto properties ● Changing them will just cause any logged in user to need to re-authenticate ● Use the generator: https://api.wordpress.org/secret-key/1.1/salt/
  • 15. ● Bonus: IP restrict wp-admin ● Use .htaccess to restrict access to the dashboard ● If your public IP address changes you will get locked out of WP and need to edit the .htaccess via FTP or shell access http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
  • 16. Unlimited Power photo by Flickr user Frank.Li
  • 17. Limit Login Attempts ● Rate limits failed login attempts ● Can hinder brute force attacks ● Notifies in case of too many failures http://wordpress.org/extend/plugins/limit-login-attempts/
  • 18. Duo WordPress ● Two-factor authentication for your WordPress site ● ● Protects from account take over
  • 20. Emergency Preparedness photo by Flickr user doisespressos
  • 21. Backups! ● Backup your WP database regularly (and the site files)! ● Do them, test them! ● Plugins: WP-DB-Backup or PressBackup http://wordpress.org/extend/plugins/pressbackup/ http://wordpress.org/extend/plugins/wp-db-backup/
  • 22. Disaster Recovery photo by Flickr user born1945
  • 23. Restore your site ● Don't just try to clean the site ● You could miss hidden backdoors ● Backup the infected site for later analysis ● Restore from a known good backup
  • 24. Protect your online identity ● Change your passwords to your database and WP user accounts ● Check your computer for malware ● Update your site and plugins
  • 25. Investigate the attack ● Consider checking up the backed up copy of your site ● If the attack is made via a flaw in WP, file a bug or inform the mailing list http://ottopress.com/2011/how-to-cope-with-a-hacked-site/ http://codex.wordpress.org/FAQ_My_site_was_hacked
  • 26. Overwhelmed yet? photo by Flickr user andresthor
  • 27. VaultPress ● Paid service offered by Automattic to backup, scan, and protect your WordPress website ● Makes it easy to restore site backups ● Worth it if you don't have the time or want to manage things yourself
  • 28. Once more ● Your site can be better protected with just a little effort ● It's all about raising the bar! ● Backups, backups, backups!
  • 29. Thank You! Questions? David Wilemski @davidwilemski