WORDPRESS
SECURITY ESSENTIALS
Presented at WordCamp Denver 2012
By Angela Bowman aka Ask WP Girl
ABOUT ME

„  Hi! My name is Angela Bowman
  @askwpgirl
„  WordPress Instructor at
  Boulder Digital Arts
„  Started working with WordPress in 2007 –
  self taught, very painful
„  Used to hold the myth of “After I build a site, my job is done.”

„  Common sense approach to security that isn’t overwhelming
  or super technical
WHY DO WE NEED TO HAVE THIS TALK?
„ WordPress is built from PHP and MySQL, and nearly every WordPress
  compromise comes through flaws in PHP code that talks to MySQL.
„ What is MySQL? The database where all your content and
  settings are stored.
„ What is PHP? The scripting language that WordPress, themes and
  plugins use to read your data and render it in the browser window.
„ Attackers exploit poorly written PHP (and other vulnerabilities)
  to inject content into your database and files using nothing more
  than crafted requests: URLs, form fields and cookies sent from an
  ordinary browser or a bot
WHY ARE YOU VULNERABLE?
„ Because your site is on the Internet

„ Because it’s easy to exploit known
  vulnerabilities

„ Because we are human NOT Vulcan

„ We live by our beliefs rather than logic
  (or don’t know what we don’t know)
„ We are going to talk about common
  mythology (beliefs) and counteract those
  with logic and a rational approach to security
THE MYTHS WE LIVE BY
Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-
security-myths/ by Anders Vinther of The WordPress Security Checklist.
MYTH #1 WORDPRESS IS NOT SECURE
„ WordPress is not secure,
             so you should stay away from it!
„ WordPress is totally secure,
             so you don’t have to worry about it.

REALITY
 „ Both are half true!
 „ Old versions of WordPress are NOT secure
 „ The current WordPress core is secure, and it stays that way only
   for as long as you keep it current
MYTH #2 MY SITE ISN’T LAUNCHED
YET, SO IT CAN’T BE HACKED
„ Attack bots don't wait for a launch: they probe every host for
  known vulnerable files, including ones belonging to plugins you
  don't even have installed

„ If you have a website on a public web host, you have an
  Internet presence even if the pages of your site aren't
  indexed by Google

„ You need to protect ALL installations of WordPress on
  your hosting account, even the ones you don't use: on shared
  hosting they run as the same user, so one forgotten test site
  is a foothold into every site under that account
MYTH #3 I ONLY USE PLUGINS &
THEMES FROM WORDPRESS.ORG,
SO I’M SAFE
„ Plugins and themes are the #1 way hackers gain access
  to your site

„ While the CURRENT WordPress CORE is secure, plugins and
  themes are not. WordPress.org is safer, but not a sure bet.

„ Why? From ProBlogger.com: “Experience and
  programming skills vary greatly, and so does the quality of
  their work. Even the best programmers make mistakes and
  all software contains bugs.”
MYTH #4 UPDATING MY THEMES
AND PLUGINS WHENEVER I LOG IN
IS GOOD ENOUGH
„ Once a vulnerability is disclosed, exploit code is published to the
  web IMMEDIATELY, and scanners start hunting for sites that have it.

„ If you are running an outdated version of WordPress, a
  theme, or a plugin, you are immediately vulnerable to attack.

„ The TimThumb (thumbnail script) vulnerability was discovered and
  mass-exploited on a huge number of blogs within DAYS in August 2011!

„ If you don’t update your site’s code ASAP,
                                   you will be SOL.
MYTH #5 MY SITE IS SMALL, SO IT’S
      NOT WORTH HACKING
       „ From Devin's WP Theming blog
           regarding the TimThumb hack:

          "… Although I had updated the majority of sites and had
          notified former clients, I still hadn't gotten to some of the
          smaller sites yet – like my girlfriend's food blog."

          "And, word to the wise, your girlfriend's food blog should
          always be a top priority."

http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
MYTH # 6 IF I DE-ACTIVATE A THEME
OR PLUGIN, THERE IS NO RISK

„ De-activated themes and plugins are just as risky if they
  have vulnerable code.

„ Deactivating only stops WordPress from loading the plugin or
  theme. Its files stay in wp-content and can still be requested
  directly over the Internet, so a script that is exploitable on
  its own (TimThumb was one) is exactly as exploitable as before.
  Delete what you don't use.
MYTH # 7 IF MY SITE IS COMPROMISED,
      I’LL FIND OUT RIGHT AWAY!
       „ Only if you use a site monitoring service or plugin (and even then, maybe)

       „ Your site can be compromised months before you find out

       „ Many hacks are invisible to ordinary visitors and show
          themselves only to search-engine crawlers (the injected code
          checks the User-Agent), so you may not know you've been hacked
          until your site is blacklisted

       „ Some hacks redirect only visitors who arrive from a search
          engine (they check the Referer), so you won't notice anything
          if you type a specific URL into your own browser



http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
MYTH # 8 I CAN USE A SECURITY
PLUGIN AND THAT WILL COVER ME
„ Some security plugins can provide a layer of protection:
  Firewall 2, WordPress File Monitor, and Limit Login
  Attempts (as well as others)

„ Security plugins won’t help much if a hacker gains access
  to your online session, passwords, or sensitive files

„ Security plugins won’t help if the web hosting server is
  compromised
MYTH # 9 MY PASSWORDS ARE
    GOOD ENOUGH
     „ A password of 8 characters or fewer whose hash an attacker has
         captured can be brute-forced quickly; one "sniffed" in the clear
         (FTP or HTTP over open Wi-Fi) needs no cracking at all

     „ “Only purely random passwords, generated by special
         purpose generator tokens, drawing from the largest ASCII
         character sets available can keep a step ahead of cracking
         programs.”




http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
MYTH #10 IF MY SITE IS HACKED, MY
WEB HOST CAN RESTORE IT FOR ME

„ If you discover the hack quickly enough, your web host
  may have a backup of the site made before the hack

„ Most hosts keep one daily and one weekly backup, so after about a
  week the clean copy has already been overwritten by a hacked one


„ Your host may not be able to help you discover why you
  were hacked in the first place. Restore without fixing the cause
  and you'll end up restoring the same hackable files.
WHAT CAN YOU DO TO
PROTECT YOUR SITE?
SOME OPTIONS

„  Set up an altar to the WordPress Gods
  and do daily puja and offerings

„  Throw up your hands and cry

„  Drink another beer and try to forget

„  Delegate (hire a service to maintain your site)

„  DIY using the following steps
   Regina Smola, WPSecurityLock.com
1 – SECURE YOUR OWN COMPUTER
„ Why bother securing WordPress if you give the keys away? A
  keylogger on your laptop hands over every password you type.

„ Keep anti-virus software running and up to date

„ Don't log in over insecure or public Wi-Fi networks

„ Use a Virtual Private Network when traveling

„ Secure your home Wi-Fi network (WPA2 with a strong passphrase)

„ Be careful of sites you click on. More than 55,000 malicious
  web domains existed in 2011.
2 – UPDATE TO CURRENT VERSIONS

„ Run a full backup using BackupBuddy OR wp-db-backup
  plugin plus manual FTP backup of all files OR site snapshot
  (including database) at web host

„ If your site hasn’t been updated in a LOOOOONG time:
   „  Check plugins for compatibility
   „  Check server PHP and MySQL versions
   „  If you’re using WP version less than 3.2, you might be on MySQL 4.
     You will need to export this database and import it into a new
     MySQL 5 database.
     http://www.realestatebloglab.com/restore-your-wordpress-database-from-mysql-4-to-mysql-5/
2 – UPDATE CONTINUED
„ Update plugins first, delete unused, and de-activate all the
  plugins (optional)

„ Update WordPress, then re-activate plugins one at a time
  testing site between each activation.

„ If the site crashes after activating a plugin, rename the plugins
  folder to plugins-old via SFTP (WordPress then treats every plugin
  as inactive), access the dashboard, delete the bad plugin via SFTP,
  rename the folder back to plugins and continue.
                                http://codex.wordpress.org/Updating_WordPress
                    http://codex.wordpress.org/Upgrading_WordPress_Extended
2 – UPDATE CONTINUED
„  Check site at sucuri.net

„  Read the changelog for your theme to
  see if security updates made

„  Consider a new theme if yours is outdated and no longer maintained.
  Delete unused themes except TwentyEleven (WordPress falls back to the
  default theme if the active one goes missing or breaks).

„  Backup theme before updating

„  Regenerate the authentication keys and salts in wp-config.php; this
  invalidates every logged-in session, including any cookie an
  attacker may have stolen:
  http://tentblogger.com/salt-keys/
3 – RESET PWDS AND ADMIN NAME
„ If "admin" is the Administrator username, create a new
  admin user, log out, log in as the new user, delete the old
  "admin" user and assign its posts/pages to the new admin
  (brute-force bots try "admin" first, so this removes half of
  what they need to guess)
„ Use a password generator to reset the passwords for
  WordPress, FTP, hosting, and email:
   „  Online Generator: http://www.pctools.com/guides/password/

   „  RPG Dashboard Widget for Mac OS X:
     http://www.apple.com/downloads/dashboard/networking_security/
     rpgwidgetedition_davidkreindler.html

„ Track Passwords: http://agilebits.com/products/1Password
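Myth #9 says short passwords fall quickly and Step 3 says to generate passwords rather than invent them. The block below is an added example, not code from the slides: it draws a password from /dev/urandom using the full printable ASCII set, and it puts numbers on the brute-force claim. The attacker's guess rate is an assumption you pass in; the figure used in the note after the block (10^12 guesses per second) is a round number for an offline attack on a stolen hash, not a measurement.

```sh
#!/bin/sh
# Added example (not from the slides): random passwords and brute-force
# arithmetic from a POSIX shell. Assumes /dev/urandom and awk are present.

# wp_password <length>
# Prints one random password of <length> characters drawn from the 94
# printable non-space ASCII characters ('!' through '~'), the "largest
# ASCII character set" the slide quotes. LC_ALL=C keeps tr byte-based.
wp_password() {
    LC_ALL=C tr -dc '!-~' < /dev/urandom | head -c "$1"
    echo
}

# keyspace <length> <charset_size>
# Number of candidate passwords of exactly <length> characters.
keyspace() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.0f\n", s^n }'
}

# crack_seconds <length> <charset_size> <guesses_per_second>
# Worst-case seconds to exhaust the keyspace at the given guess rate
# (the rate is an assumption: pick one that matches your threat).
crack_seconds() {
    awk -v n="$1" -v s="$2" -v r="$3" 'BEGIN { printf "%.0f\n", s^n / r }'
}

# crack_years <length> <charset_size> <guesses_per_second>
# Same figure in years (31557600 seconds per Julian year).
crack_years() {
    awk -v n="$1" -v s="$2" -v r="$3" 'BEGIN { printf "%.0f\n", s^n / r / 31557600 }'
}

# Example session:
#   wp_password 20
#   crack_seconds 8 62 1000000000000    # 8 letters+digits
#   crack_years 16 94 1000000000000     # 16 printable ASCII
```

At 10^12 guesses per second, every 8-character letters-and-digits password is exhausted in under four minutes, while 16 characters from the 94-symbol set takes on the order of a trillion years. Online guessing against wp-login.php is many orders of magnitude slower, which is why Limit Login Attempts (Step 5) matters even for strong passwords.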
4 – SET UP BACKUP SCHEDULE
„ Use backup plugin or service:
   „  Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php
   „  WP DB Backup http://wordpress.org/extend/plugins/wp-db-backup/
   „  WP Online Backup http://wordpress.org/extend/plugins/wponlinebackup/
   „  Back WP Up http://wordpress.org/extend/plugins/backwpup/
   „  VaultPress.com – backup, one-click restore, and site monitoring


„ Back up as often as you don't want to lose data:
   „  Database – daily or weekly
   „  Full Site – weekly or monthly


„ Store backups on a remote server (e.g. an Amazon S3 bucket), never
  only on the web server itself: a backup on a hacked host is not a backup
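For those who would rather not depend on a plugin, here is what Step 4 looks like as a cron job. This is an added example, not code from the slides: it reads the database credentials out of wp-config.php so they are never copied into a second file, dumps the database, archives wp-content and wp-config.php, and prunes old copies. It assumes mysqldump, tar and gzip are installed on the host and that the off-site copy is a plain scp; replace that with your S3 or rsync command.

```sh
#!/bin/sh
# Added example (not from the slides): database daily, files weekly,
# old archives pruned, copy sent off the server. Assumes mysqldump,
# tar, gzip and scp exist on the web host.

# wp_config_value <path-to-wp-config.php> <CONSTANT>
# Extracts define('CONSTANT', 'value') so credentials live in one place.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
        | head -n 1
}

# wp_backup_db <path-to-wp-config.php> <outdir>
# Dumps the site's database to a gzip file readable only by its owner
# (a dump holds every post, user hash and option). The password goes
# through the environment, not the command line, so it is not visible in ps.
wp_backup_db() {
    cfg=$1; out=$2
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    port=${host#*:}                     # DB_HOST may be "host:port"
    [ "$port" = "$host" ] && port=3306
    host=${host%%:*}
    stamp=$(date +%Y%m%d-%H%M%S)
    ( umask 077
      MYSQL_PWD=$pass mysqldump --single-transaction -h "$host" -P "$port" -u "$user" "$db" \
          | gzip > "$out/db-$db-$stamp.sql.gz" )
}

# wp_backup_files <wordpress-root> <outdir>
# Archives wp-config.php and wp-content (themes, plugins, uploads). Core
# files are not worth archiving; they come fresh from wordpress.org.
wp_backup_files() {
    root=$1; out=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    ( umask 077; tar -czf "$out/files-$stamp.tar.gz" -C "$root" wp-config.php wp-content )
}

# wp_prune <dir> <glob> <keep>
# Removes all but the newest <keep> archives matching <glob> in <dir>.
wp_prune() {
    dir=$1; pattern=$2; keep=$3
    ls -1t "$dir"/$pattern 2>/dev/null | tail -n "+$((keep + 1))" | while IFS= read -r f; do
        rm -f "$f"
    done
}

# wp_offsite <file> <user@host:/path>
# Copies one archive off the server (swap in s3cmd/rsync as you prefer).
wp_offsite() {
    scp -q "$1" "$2"
}

# Cron entries (illustrative; paths are assumptions):
#   0 3 * * *  . /root/wpbackup.sh; wp_backup_db /var/www/html/wp-config.php /var/backups/wp; wp_prune /var/backups/wp 'db-*.sql.gz' 7
#   0 4 * * 0  . /root/wpbackup.sh; wp_backup_files /var/www/html /var/backups/wp; wp_prune /var/backups/wp 'files-*.tar.gz' 4
```

Keep /var/backups/wp outside the web root and owned by a user other than the one the web server runs as; otherwise a PHP backdoor can read the dumps, which contain every user's password hash.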
5 – INSTALL SECURITY PLUGINS

     „ Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/ AND
        WordPress Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/
        OR Bulletproof Security – http://wordpress.org/extend/plugins/bulletproof-security/


     „ Limit Login Attempts -– http://wordpress.org/extend/plugins/limit-login-attempts/


     „ WordPress File Monitor –
        http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/




Use caution installing plugins.
They don’t all play well with others.
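Myth #7 is that you will notice a compromise, and Step 5 answers it with WordPress File Monitor. The block below is an added example, not the slides' or the plugin's code: it does the same job from cron, which has one advantage over a plugin, namely that it keeps working (and keeps its baseline) even after the WordPress install itself has been backdoored. It assumes coreutils sha256sum and that the baseline file is stored outside the web root.

```sh
#!/bin/sh
# Added example (not from the slides): file-integrity baseline and check
# for a WordPress tree. Assumes sha256sum, find, awk and sort.

# wp_baseline <wordpress-root> <baseline-file>
# Hashes every .php, .js and .htaccess file (where backdoors and injected
# redirects get planted) and writes "hash  ./path" lines sorted by path.
wp_baseline() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# wp_check <wordpress-root> <baseline-file>
# Rehashes the tree and prints "ADDED|REMOVED|MODIFIED <path>" per change.
# Returns 0 when the tree matches the baseline, 1 otherwise.
wp_check() {
    cur=$(mktemp)
    wp_baseline "$1" "$cur"
    # sha256sum lines are "<64 hex>  <path>", so the path starts at column 67;
    # using substr rather than $2 keeps paths containing spaces intact.
    changes=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in base))        print "ADDED    " p
            else if (base[p] != $1)  print "MODIFIED " p
            delete base[p]
        }
        END { for (p in base) print "REMOVED  " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Cron (illustrative; paths and address are assumptions): check nightly,
# mail the diff when something changed. After a legitimate update, run
# wp_baseline again so the new files become the reference.
#   0 4 * * * . /root/wpmon.sh; wp_check /var/www/html /root/wp.baseline > /tmp/wpchanges || mail -s "WP files changed" you@example.com < /tmp/wpchanges
```

Anything reported as ADDED in wp-content/uploads, or MODIFIED in a core file you did not update, deserves a look before the next visitor does.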
6 – CREATE A MAINTENANCE PLAN
„ Plan to login to all your sites at least once a month and
  update WordPress, plugins and themes

„ Consider using Infinite WP to manage multiple sites from a
  single control panel: http://infinitewp.com/

„ Follow @wpsecuritylock and @sucuri_security to stay
  current on latest security threats

„ Update passwords and wp-config.php salts regularly
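The monthly check in Step 6 (and the "update ASAP" rule of Myth #4) goes faster when it starts from an inventory rather than from memory, especially across several sites. The block below is an added example, not code from the slides: it reads the version headers of every installed plugin and theme straight from disk, so it works even on a site you cannot log in to, and optionally asks wordpress.org which directory-hosted plugins are behind. It assumes the standard wp-content layout; the lookup uses the api.wordpress.org plugin-info endpoint and needs curl and network access, so it is not exercised offline.

```sh
#!/bin/sh
# Added example (not from the slides): plugin/theme version inventory.
# Assumes wp-content/plugins/<slug>/*.php and wp-content/themes/<slug>/style.css.

# wp_header <file> <Header Name>
# Reads one WordPress header line ("Version: 1.2.3") from a plugin or
# theme file, tolerating the " * " or "#" comment prefixes.
wp_header() {
    sed -n "s|^[[:space:]*#/]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$|\1|p" "$1" | head -n 1
}

# wp_plugins <wordpress-root>
# Prints "plugin <slug> <version>" for each plugin directory, taking the
# header from whichever top-level .php file carries "Plugin Name:".
wp_plugins() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        slug=$(basename "$d")
        main=$(grep -l '^[[:space:]*#/]*Plugin Name:' "$d"*.php 2>/dev/null | head -n 1)
        [ -n "$main" ] || continue
        printf 'plugin %s %s\n' "$slug" "$(wp_header "$main" Version)"
    done
}

# wp_themes <wordpress-root>
# Same for themes, whose header lives in style.css.
wp_themes() {
    for d in "$1"/wp-content/themes/*/; do
        [ -f "${d}style.css" ] || continue
        printf 'theme %s %s\n' "$(basename "$d")" "$(wp_header "${d}style.css" Version)"
    done
}

# wp_latest_plugin <slug>
# Asks wordpress.org for the current version of a directory-hosted plugin
# (assumed endpoint and JSON field; premium plugins are not listed there).
wp_latest_plugin() {
    curl -fsS "https://api.wordpress.org/plugins/info/1.0/$1.json" \
        | sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}

# wp_outdated <wordpress-root>
# Prints "<slug> <installed> <latest>" for each directory plugin that is
# behind. Plain string comparison: "1.0" and "1.0.0" count as different.
wp_outdated() {
    wp_plugins "$1" | while read -r kind slug ver; do
        latest=$(wp_latest_plugin "$slug" 2>/dev/null) || continue
        [ -n "$latest" ] || continue
        [ "$latest" = "$ver" ] || printf '%s %s %s\n' "$slug" "$ver" "$latest"
    done
}

# Example session (paths are assumptions):
#   wp_plugins /var/www/html; wp_themes /var/www/html
#   wp_outdated /var/www/html
```

Run the inventory on every install under the hosting account, not just the live one; Myth #2 applies to the staging copy in /public_html/test as much as to the main site.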
7 – BEST PRACTICES
„ Don't allow users to register (Settings > General) unless the
  site needs it; if it does, leave the default role at Subscriber

„ Always hold comments for moderation and use spam
  filtering (e.g. Akismet)

„ Don't use your username as your Display Name: the display name
  is shown publicly on every post, and the username is half of
  your login

„ Use SFTP for file transfers and secure SMTP for email
  (ask your web host); plain FTP sends your password in the clear

„ Rename the database table prefix when you first install
  WordPress or later using a plugin. This only trips up automated
  SQL injection payloads that hard-code the wp_ prefix; it is no
  substitute for patching the injection itself -
  http://www.seoegghead.com/software/wordpress-table-rename.seo
7 – BEST PRACTICES CONTINUED

„ Host site with good web host who keeps software
  updated and doesn’t thwart your automatic backups
„ Use plugins with caution - prefer ones recently updated, with an
  active developer who is still a going concern.
„ Use themes with caution - Have a “relationship” with your
  theme developer so you know when he/she makes
  security updates
„ Submit sites to Google Webmaster Tools. In preferences,
  turn ON email notifications:
  http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
8 – HARNESS POWER OF .HTACCESS

„ .htaccess is a hidden (dot-file) per-directory configuration file
  for Apache web servers; its rules apply to that folder and everything
  beneath it

„ .htaccess can protect specific files and folders


„ Use caution! A typo in .htaccess gives every visitor a 500 error,
  so keep a copy of the working file and test the site immediately
  after each edit

                            http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-
                                              to-boost-your-wordpress-sites-security-1676
8 - .HTACCESS TRICKS
In the root .htaccess, add:

    # Prevent directory browsing
    Options All -Indexes

    # protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

Limit access to the WordPress Dashboard: in the wp-admin folder, add an
.htaccess file with the following, where 99.999.999.999 is a placeholder
for your own IP address. (Test to make sure it doesn't interfere with any
other plugins or Ajax functionality: wp-admin/admin-ajax.php is called
from the public side of the site, so any front-end feature that uses it
breaks unless that one file is exempted.)

    order deny,allow
    allow from 99.999.999.999
    deny from all

These are Apache 2.2 directives, current when this talk was given; Apache
2.4 replaced order/allow/deny with Require, so check your host's version.

Tip: You can also move the wp-config.php file up one level (just above
the public_html folder); WordPress looks there automatically, and the
file is then unreachable from the web even if the .htaccess rule is
lost. Be sure your backup plugin still runs okay after doing this.
RESOURCES
„ WordPress.org
   „  Hacked: http://wordpress.org/tags/hacked
   „  Malware: http://wordpress.org/tags/malware
   „  http://codex.wordpress.org/Hardening_WordPress
   „  http://codex.wordpress.org/WordPress_Backups
   „  http://codex.wordpress.org/FAQ_My_site_was_hacked

„ wpsecuritylock.com - resources and services for securing
  sites
„ sucuri.net - Free site scanning, reasonable rates for
   monitoring and fixing your sites
„ Wpsecuritychecklist.com – off-site monitoring
EXPLOIT INFORMATION
„ Badwarebusters.org

„ wpsecure.net - Updated lists of vulnerable WordPress
  plugins

„ spotthevuln.com - Helping developers understand security
  - examples of bad coding

„ Security/Exploit Databases:
   „  http://securityreason.com/exploit_alert/
   „  http://secunia.com/advisories/search/?search=wordpress
   „  http://exploit-db.com
OTHER PRESENTATIONS
„  Awesome slideshow and great video on how to hack a site in 2.5 minutes:
   http://perezbox.com/2012/06/wordcamp-orange-county-2012-wordpress-security-
   presentation/

„  Great presentation on using proper WordPress API usage for plugin and theme
   development (very technical):
   http://weblogtoolscollection.com/archives/2011/03/01/mark-jaquith-on-wordpress-
   themeandplugin-security/

„  WordPress Security Webinar:
   http://blog.sucuri.net/2012/04/lockdown-wordpresssecurity-webinar-with-dre-
   armeda.html

„  How to Stop the Hacker:
   http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-thehacker-and-ensure-your-site-is-
   locked.html
ONLINE TOOLS
„  http://www.botsvsbrowsers.com/SimulateUserAgnet.asp


„  http://www.tareeinternet.com/scripts/base.html


„  http://www.tareeinternet.com/scripts/decrypt.php
CONTACT
„  Angela Bowman
  askwpgirl.com
  moongoosedesigns.com
„  303.931.8191
  angela@askwpgirl.com
  twitter.com/askwpgirl
  facebook.com/askwpgirl.com

"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

WordPress Security Essentials WordCamp Denver 2012

  • 1. WORDPRESS SECURITY ESSENTIALS Presented at WordCamp Denver 2012 By Angela Bowman aka Ask WP Girl
  • 2. ABOUT ME
    „ Hi! My name is Angela Bowman @askwpgirl
    „ WordPress Instructor at Boulder Digital Arts
    „ Started working with WordPress in 2007 – self taught, very painful
    „ Used to hold the myth of “After I build a site, my job is done.”
    „ Common sense approach to security that isn’t overwhelming or super technical
    (Photo caption: Eating fufu is fun!)
  • 3. WHY DO WE NEED TO HAVE THIS TALK?
    „ PHP and MySQL are inherently vulnerable – this is the stuff WordPress is made of.
    „ What is MySQL? The database where all your content and settings are stored.
    „ What is PHP? The scripting language that WordPress, themes, and plugins use to access your data and display it in the browser window.
    „ Hackers exploit poor PHP coding (and other vulnerabilities) to inject content into your database and files via the browser URL and interface
  • 4. WHY ARE YOU VULNERABLE?
    „ Because your site is on the Internet
    „ Because it’s easy to exploit known vulnerabilities
    „ Because we are human NOT Vulcan
    „ We live by our beliefs rather than logic (or don’t know what we don’t know)
    „ We are going to talk about common mythology (beliefs) and counteract those with logic and a rational approach to security
  • 5. THE MYTHS WE LIVE BY
    Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.
  • 6. MYTH #1 WORDPRESS IS NOT SECURE
    „ WordPress is not secure, so you should stay away from it!
    „ WordPress is totally secure, so you don’t have to worry about it.
    REALITY
    „ Both things are true!
    „ Old versions of WordPress are NOT secure
    „ Current WordPress version is secure
  • 7. MYTH #2 MY SITE ISN’T LAUNCHED YET, SO IT CAN’T BE HACKED
    „ Hackers will attempt to exploit things that aren’t even on your site, such as plugins you don’t even have installed
    „ If you have a website on a public web host, you have an Internet presence even if the pages of your site aren’t indexed by Google
    „ You need to protect ALL installations of WordPress on your hosting account even if you don’t use them
  • 8. MYTH #3 I ONLY USE PLUGINS & THEMES FROM WORDPRESS.ORG, SO I’M SAFE
    „ Plugins and themes are the #1 way hackers gain access to your site
    „ While the WordPress CURRENT CORE is secure, plugins and themes are not. WordPress.org is safer but not a sure bet.
    „ Why? From ProBlogger.com: “Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs.”
  • 9. MYTH #4 UPDATING MY THEMES AND PLUGINS WHENEVER I LOG IN IS GOOD ENOUGH
    „ Exploits are published IMMEDIATELY to the web.
    „ If you are running an outdated version of WordPress, theme, or plugin, you are immediately vulnerable to attack.
    „ Timthumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
    „ If you don’t update your site’s code ASAP, you will be SOL.
  • 10. MYTH #5 MY SITE IS SMALL, SO IT’S NOT WORTH HACKING
    „ From Devin’s WP Theming blog regarding TimThumb Hack: “… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.”
    “And, word to the wise, your girlfriend’s food blog should always be a top priority.”
    http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
  • 11. MYTH # 6 IF I DE-ACTIVATE A THEME OR PLUGIN, THERE IS NO RISK
    „ De-activated themes and plugins are just as risky if they have vulnerable code.
    „ Because even the files of deactivated plugins and themes can be accessed via the Internet
  • 12. MYTH # 7 IF MY SITE IS COMPROMISED, I’LL FIND OUT RIGHT AWAY!
    „ Only if you use a site monitoring service or plugin (maybe)
    „ Your site can be compromised months before you find out
    „ Many hacks are invisible to visitors to the site and only visible to bots, so you may not know you’ve been hacked until your site is blacklisted
    „ Some hacks redirect search engine traffic, so you won’t notice if you just go to a specific URL
    http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
  • 13. MYTH # 8 I CAN USE A SECURITY PLUGIN AND THAT WILL COVER ME
    „ Some security plugins can provide a layer of protection: Firewall 2, WordPress File Monitor, and Limit Login Attempts (as well as others)
    „ Security plugins won’t help much if a hacker gains access to your online session, passwords, or sensitive files
    „ Security plugins won’t help if the web hosting server is compromised
  • 14. MYTH # 9 MY PASSWORDS ARE GOOD ENOUGH
    „ A “sniffed” password of 8 characters or less can be decoded instantaneously
    „ “Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”
    http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
  • 15. MYTH #10 IF MY SITE IS HACKED, MY WEB HOST CAN RESTORE IT FOR ME
    „ If you discover the hack quickly enough, your web host may have a backup of the site made before the hack
    „ Most hosts store one daily backup and one weekly backup
    „ Your host may not be able to help you discover why you were hacked in the first place. You’ll end up restoring hackable files.
  • 16. WHAT CAN YOU DO TO PROTECT YOUR SITE?
  • 17. SOME OPTIONS
    „ Set up an altar to the WordPress Gods and do daily puja and offerings
    „ Throw up your hands and cry
    „ Drink another beer and try to forget
    „ Delegate (hire a service to maintain your site)
    „ DIY using the following steps
    (Photo caption: Regina Smola, WPSecurityLock.com)
  • 18. 1 – SECURE YOUR OWN COMPUTER
    „ Why bother securing WordPress if you give the keys away?
    „ Run anti-virus software regularly
    „ Don’t log in via insecure or public WIFI networks
    „ Use a Virtual Private Network when traveling
    „ Secure your home WIFI network
    „ Be careful of sites you click on. More than 55,000 malicious web domains existed in 2011.
  • 19. 2 – UPDATE TO CURRENT VERSIONS
    „ Run a full backup using BackupBuddy OR the wp-db-backup plugin plus a manual FTP backup of all files OR a site snapshot (including database) at your web host
    „ If your site hasn’t been updated in a LOOOOONG time:
      „ Check plugins for compatibility
      „ Check server PHP and MySQL versions
      „ If you’re using a WP version less than 3.2, you might be on MySQL 4. You will need to export this database and import it into a new MySQL 5 database.
    http://www.realestatebloglab.com/restore-your-wordpress-database-from-mysql-4-to-mysql-5/
  • 20. 2 – UPDATE CONTINUED
    „ Update plugins first, delete unused ones, and de-activate all the plugins (optional)
    „ Update WordPress, then re-activate plugins one at a time, testing the site between each activation.
    „ If the site crashes after activating a plugin, rename the plugins folder to plugins-old, access the dashboard, then delete the bad plugin via FTP, rename the folder back to plugins, and continue.
    http://codex.wordpress.org/Updating_WordPress
    http://codex.wordpress.org/Upgrading_WordPress_Extended
  • 21. 2 – UPDATE CONTINUED
    „ Check site at sucuri.net
    „ Read the changelog for your theme to see if security updates were made
    „ Consider a new theme if your theme is outdated and isn’t being maintained. Delete unused themes except TwentyEleven.
    „ Backup theme before updating
    „ Update your wp-config.php encryption cookie salts: http://tentblogger.com/salt-keys/
  • 22. 3 – RESET PWDS AND ADMIN NAME
    „ If “admin” is the Administrative username, create a new admin user, log out, log in as the new user, delete the old “admin” user, and assign its posts/pages to the new admin
    „ Use a password generator to reset passwords for WordPress, FTP, hosting, and email:
      „ Online Generator: http://www.pctools.com/guides/password/
      „ RPG Dashboard Widget for Mac OS: http://www.apple.com/downloads/dashboard/networking_security/rpgwidgetedition_davidkreindler.html
    „ Track Passwords: http://agilebits.com/products/1Password
  • 23. 4 – SET UP BACKUP SCHEDULE
    „ Use a backup plugin or service:
      „ Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php
      „ WP DB Backup http://wordpress.org/extend/plugins/wp-db-backup/
      „ WP Online Backup http://wordpress.org/extend/plugins/wponlinebackup/
      „ Back WP Up http://wordpress.org/extend/plugins/backwpup/
      „ VaultPress.com – Backup, one-click restore, and site monitoring
    „ Back up as often as you don’t want to lose data:
      „ Database – daily or weekly
      „ Full Site – weekly or monthly
    „ Store backups on a remote server (e.g. an Amazon S3 account)
  • 24. 5 – INSTALL SECURITY PLUGINS
    „ Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/ AND WordPress Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/ OR Bulletproof Security – http://wordpress.org/extend/plugins/bulletproof-security/
    „ Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/
    „ WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
    Use caution installing plugins. They don’t all play well with others.
  • 25. 6 – CREATE A MAINTENANCE PLAN
    „ Plan to log in to all your sites at least once a month and update WordPress, plugins and themes
    „ Consider using Infinite WP to manage multiple sites from a single control panel: http://infinitewp.com/
    „ Follow @wpsecuritylock and @sucuri_security to stay current on the latest security threats
    „ Update passwords and wp-config.php salts regularly
  • 26. 7 – BEST PRACTICES
    „ Don’t allow users to register (Settings > General)
    „ Always hold comments for moderation and use spam filtering (e.g. Akismet)
    „ Don’t use your username as your Display Name
    „ Use SFTP for file transfers and secure SMTP for email (ask your web host)
    „ Rename the database table prefix when you first install WordPress, or later using a plugin – http://www.seoegghead.com/software/wordpress-table-rename.seo
  • 27. 7 – BEST PRACTICES CONTINUED
    „ Host your site with a good web host who keeps software updated and doesn’t thwart your automatic backups
    „ Use plugins with caution – recently updated, going concern.
    „ Use themes with caution – have a “relationship” with your theme developer so you know when he/she makes security updates
    „ Submit sites to Google Webmaster Tools. In preferences, turn ON email notifications: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
  • 28. 8 – HARNESS POWER OF .HTACCESS
    „ .htaccess is a hidden configuration file for Apache web servers
    „ .htaccess can protect specific files and folders
    „ Use caution! You can totally jack up your site with edits made to .htaccess
    http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
  • 29. 8 - .HTACCESS TRICKS
    In root .htaccess, add:
        # Prevent directory browsing
        Options All -Indexes
        # protect wp-config.php
        <Files wp-config.php>
        order allow,deny
        deny from all
        </Files>
    Limit access to WordPress Dashboard: In the wp-admin folder, add an .htaccess file with the following, where the number below is your IP address. (Test to make sure it doesn’t interfere with any other plugins or Ajax functionality.)
        order deny,allow
        allow from 99.999.999.999
        deny from all
    Tip: You can also move the wp-config.php file up one level (just above the public_html folder). Be sure your backup plugin still runs okay after doing this.
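The same three protections as an added example (not from the slides), written for the Apache 2.4 `Require` syntax with the 2.2 `order`/`deny` form of the slide shown in comments, and with the admin-ajax.php exception that keeps the dashboard lock-down from breaking front-end Ajax; 203.0.113.10 is a placeholder IP.

```apache
# ===== Root .htaccess (added example) =====

# 1. No directory listings for folders without an index file (uploads, plugins).
#    Use a plain ASCII hyphen; a typographic dash makes Apache fail the file.
#    Only works if the host's AllowOverride includes "Options"; otherwise
#    the whole site returns a 500 error and the line must be removed.
Options -Indexes

# 2. wp-config.php is read from disk by PHP; it never needs to be served over
#    HTTP, so deny every web request for it (database credentials and salts
#    live in this file).
<Files wp-config.php>
    Require all denied
</Files>
# Apache 2.2 equivalent of the block above:
# <Files wp-config.php>
#     order allow,deny
#     deny from all
# </Files>

# ===== wp-admin/.htaccess (added example) =====

# 3a. wp-admin/admin-ajax.php is called by themes and plugins on behalf of
#     ordinary visitors, so it must stay open even though the rest of
#     wp-admin is locked to one IP (the "Ajax functionality" caveat above).
<Files admin-ajax.php>
    Require all granted
</Files>
# Apache 2.2 equivalent:
# <Files admin-ajax.php>
#     order allow,deny
#     allow from all
#     satisfy any
# </Files>

# 3b. Everything else under wp-admin/: only the listed address(es).
#     203.0.113.10 is a documentation placeholder; add one line per
#     trusted static IP. Dynamic home IPs lock you out when they change.
Require ip 203.0.113.10
# Apache 2.2 equivalent:
# order deny,allow
# deny from all
# allow from 203.0.113.10
```

On Apache 2.4 hosts without mod_access_compat the 2.2 `order`/`deny`/`allow` lines are invalid and produce a 500 error, which is the usual reason an old `.htaccess` recipe "breaks the site" after a server upgrade.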
  • 30. RESOURCES
    „ WordPress.org
      „ Hacked: http://wordpress.org/tags/hacked
      „ Malware: http://wordpress.org/tags/malware
      „ http://codex.wordpress.org/Hardening_WordPres
      „ http://codex.wordpress.org/WordPress_Backups
      „ http://codex.wordpress.org/FAQ_My_site_was_hacked
    „ wpsecuritylock.com – resources and services for securing sites
    „ sucuri.net – Free site scanning, reasonable rates for monitoring and fixing your sites
    „ Wpsecuritychecklist.com – off-site monitoring
  • 31. EXPLOIT INFORMATION
    „ Badwarebusters.org
    „ wpsecure.net – Updated lists of vulnerable WordPress plugins
    „ spotthevuln.com – Helping developers understand security – examples of bad coding
    „ Security/Exploit Databases:
      „ http://securityreason.com/exploit_alert/
      „ http://secunia.com/advisories/search/?search=wordpress
      „ http://exploit-db.com
  • 32. OTHER PRESENTATIONS
    „ Awesome slideshow and great video on how to hack a site in 2.5 minutes: http://perezbox.com/2012/06/wordcamp-orange-county-2012-wordpress-security-presentation/
    „ Great presentation on proper WordPress API usage for plugin and theme development (very technical): http://weblogtoolscollection.com/archives/2011/03/01/mark-jaquith-on-wordpress-themeandplugin-security/
    „ WordPress Security Webinar: http://blog.sucuri.net/2012/04/lockdown-wordpresssecurity-webinar-with-dre-armeda.html
    „ How to Stop the Hacker: http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-thehacker-and-ensure-your-site-is-locked.html
  • 33. ONLINE TOOLS
    „ http://www.botsvsbrowsers.com/SimulateUserAgnet.asp
    „ http://www.tareeinternet.com/scripts/base.html
    „ http://www.tareeinternet.com/scripts/decrypt.php
  • 34. CONTACT
    „ Angela Bowman – askwpgirl.com – moongoosedesigns.com
    „ 303.931.8191 – angela@askwpgirl.com – twitter.com/askwpgirl – facebook.com/askwpgirl.com