Presentation on WordPress security, which looks at why WordPress sites get hacked, how they get hacked, what to do to reduce your risk and how to recover your site after it has been hacked, or infected with malware.
2. Outline
WordPress Statistics
How Do WordPress Sites Get Hacked?
Why Hackers May Be Interested In Your Site?
How Websites Get Hacked
10 Practical Solutions
How to Remove Malware (Malicious Software)
Conclusion
Sources
Contact Us
3. WordPress Statistics
As of February 2014 there were approximately
74.6 million sites using WordPress, accounting
for 18.9% of all hosted websites.
WordPress is the most used content management
system, mainly because of its ease of use and
flexibility. That popularity also makes it a
prime target for hackers: one weakness in core,
a theme or a plugin can be exploited on a huge
number of sites at once.
(ManageWP Blog (2014))
5. Why Hackers May Be Interested In
Your Site?
Reasons for attacking small to medium size sites:
A. "Free" and anonymous computing power
B. Spam – hosting spam pages or sending spam email from your server
C. Deploying malware, e.g. ransomware, adverts (adware),
botnet clients, and loggers of clicks and key-presses
Botnet – a number of Internet-connected computers communicating with
other similar machines in an effort to complete repetitive tasks and
objectives. This can be as ordinary as keeping control of an Internet
Relay Chat (IRC) channel, or it could be used to send spam email or
participate in a distributed denial-of-service attack. (Wikipedia,
2008)
6. How Websites Get Hacked
When sites are hacked, it is generally an automated
programme taking advantage of a security weakness.
These weaknesses can be widespread (a vulnerable plugin,
theme or library installed on many sites) or specific to your site.
Possibly the most high-profile WordPress security vulnerability
in recent years was TimThumb, an image-resizing library
bundled with numerous premium themes, which was
exploited to gain control of websites.
Hackers also use automated botnets to scour the web for
websites that are vulnerable to "brute force attacks",
i.e. where the login details are weak or guessable enough
that a hacker gains entry simply by attempting many logins
(the default "admin" username and the wp-login.php page are
the usual targets).
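The brute-force pattern just described is easy to spot in the web server's own access log. The following is an added shell example written for this page, not code from the presentation. The log lines are constructed; the field positions assume Apache's "combined" log format; and the rule it relies on is WordPress's normal behaviour for wp-login.php: a failed login POST gets an HTTP 200 (the form comes back with an error), a successful one gets a 302 redirect.

```shell
#!/bin/sh
# Added example (not code from the presentation): flag clients that are
# guessing passwords against wp-login.php, using an Apache combined-format log.

# Constructed sample log. 203.0.113.7 fails six times, 198.51.100.2 fails once
# and then succeeds (302), 192.0.2.9 only reads a page.
SAMPLE_LOG='203.0.113.7 - - [12/Feb/2014:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2014:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2014:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2014:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Feb/2014:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2875 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Feb/2014:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Feb/2014:10:05:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Feb/2014:10:06:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

# Print "<failed attempts> <ip>" for every client at or above the threshold
# (default 5). Reads the log on stdin, so it also works with zcat or tail -f.
# Field 6 is the quoted method, 7 the path, 9 the status code.
flag_login_bruteforce() {
  threshold=${1:-5}
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
  ' | sort -rn
}

# Turn the flagged list into Apache 2.2 .htaccess "Deny from" lines.
deny_rules() {
  while read -r count ip; do
    printf 'Deny from %s\n' "$ip"
  done
}

# Demo on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5 | deny_rules
```

On a real server run it as `flag_login_bruteforce 20 < /var/log/apache2/access.log`; pick the threshold from what a legitimate user could plausibly produce in the log's time window, and treat a 200-then-302 sequence from one IP as a successful guess worth investigating.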
7. 10 Practical Solutions – Part 1
1. Backup – Take regular backups, and keep at least one copy
off the web server so a compromised server cannot destroy it
2. Update Everything
1. WordPress Core
2. All themes (including deactivated themes)
3. All plugins (including deactivated plugins)
– a deactivated plugin's or theme's files are still
reachable on the web server and can still be exploited
3. Clean House – Remove all plugins/themes no longer
required. As a rule of thumb: if you don't need it,
remove it.
8. 10 Practical Solutions – Part 2
4. Manage Profiles
1. Remove redundant users
2. Transfer ownership of their posts to other users
3. Demote users whose roles are higher than they need
(editors and authors do not need Administrator)
4. Delete the default "admin" account, after creating a new
administrator with a different username (brute-force tools
try "admin" first)
9. 10 Practical Solutions – Part 3
5. Change Password – Change all passwords to protect your accounts.
Some examples of account passwords to change:
1. All WordPress profiles
2. Your hosting account
3. FTP password
4. Your email account (password resets for all of the above land here)
5. Your social media accounts
6. Your PayPal accounts
7. Your Amazon accounts
Make use of password generators (the one built into a password
manager, or https://strongpasswordgenerator.com/) rather than
inventing passwords yourself.
Use long passwords that mix letters, numbers and special characters
($, !, etc.), and never reuse a password across accounts.
2 Factor Authentication – available as a WordPress plugin, so a
stolen or guessed password alone is not enough to log in.
11. 10 Practical Solutions – Part 5
6. Swap FTP for SFTP – FTP sends your username, password and
files in clear text, so anyone on the network path can intercept
them. Disable your FTP account and enable SFTP (SSH File
Transfer Protocol), which encrypts the whole session.
7. Hosting Solution – Make sure the following security
features are in place:
1. ModSecurity – a web application firewall in front of the site
2. SFTP support
3. 24/7 support
4. Jailed (isolated) hosted websites – prevents an infected site
spreading to the other sites on the same server
5. Daily backups – server and offsite backups
6. PHP error messages disabled (display_errors off), so an error
does not reveal file paths and configuration details to visitors
12. 10 Practical Solutions – Part 6
8. Security Plugins Solutions – Security plugins are popular, but the
previous 7 steps will make the biggest difference; a plugin adds to
them rather than replacing them.
Recommended Security Plugins:
1. All in One WP Security & Firewall - https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
2. Better WP Security - http://wordpress.org/extend/plugins/better-wp-security/
3. BulletProof Security - http://wordpress.org/extend/plugins/bulletproof-security/
4. Wordfence Security - http://wordpress.org/extend/plugins/wordfence/
13. 10 Practical Solutions – Part 7
8. Security Plugins Solutions
Hidden Login Example – the default login page is wp-login.php; the
plugin serves the login form at a custom path instead, which sheds
bots that only try the default URL. This is obscurity, not a
substitute for strong passwords and login lockout.
14. 10 Practical Solutions – Part 8
8. Security Plugins Solutions
Hidden Error Message Example – WordPress's default login error
reveals whether the username exists; the plugin replaces it with a
generic "login failed" message so an attacker cannot enumerate
valid usernames.
16. 10 Practical Solutions – Part 10
9. Subscribe to a website security scanning and
cleanup service (2014 prices):
1. Sucuri - $18 per month
2. VaultPress - $9 per month
3. StopTheHacker - $8 per month
4. All in One WP & Firewall plugin service - $5 per
month
17. 10 Practical Solutions – Part 11
10. Ensure Your Computer is Secure – a keylogger on the machine
you administer the site from defeats every server-side measure.
Things to consider:
1. Ensure your OS and all software are updated regularly
2. Delete anything that you don't need
3. Create strong, unique passwords
4. Use a trusted and effective antivirus software solution
5. Have a firewall in place, both software on your computer
and hardware on your router
18. How to Remove Malware (Malicious
Software) – Part 1
If you have been unfortunate enough to find yourself with a
site that has been hacked and injected with malware,
these are the steps to get your site back up and running.
1. Take the site off-line (maintenance page), so visitors are
not served the malware while you work
2. Backup your website, files and database, in its compromised
state, and keep it separate from your clean backups; you will
need it for the damage assessment and as evidence
3. Perform a damage assessment
A. Were they after sensitive information?
B. Did they want to control your site for other purposes?
19. How to Remove Malware (Malicious
Software) – Part 2
3. Perform a damage assessment (continued)
C. Look for recently modified/created files that you don't recognise,
especially PHP files under wp-content/uploads, where only media belongs
D. Check the .htaccess file within the WP directory (and any in
subdirectories) for compromises, e.g. rewrite rules that redirect
visitors elsewhere -
https://www.stopthehacker.com/2012/02/14/experts-explain-htaccess-attacks/
E. Check whether your database has been compromised with malicious
scripts and iframes injected into posts, pages or options
F. Check for any suspicious activity from within your web hosting
control panel, i.e. newly created email accounts, FTP accounts,
cron jobs, etc.
G. Determine the scope of the hack – are other sites on the same
hosting account or server affected?
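The file, .htaccess and database checks in C, D and E above, as an added shell example written for this page (not code from the presentation). make_fixture builds a small constructed WordPress tree in a temporary directory, with a planted PHP file under uploads, a tampered .htaccess and one database dump line, so the demo runs offline; on a real incident point the functions at the site's document root and at a mysqldump output file. The grep patterns are a starting list of the usual obfuscation and injection tell-tales, not a complete malware signature set, and every hit needs a human look before anything is deleted.

```shell
#!/bin/sh
# Added example (not code from the presentation): post-compromise triage
# functions for a WordPress document root, demonstrated on a constructed tree.

make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2014/02"
  # Legitimate core file, last modified long before the incident.
  printf '<?php\n// core helpers\n' > "$d/wp-includes/functions.php"
  touch -t 201401010000 "$d/wp-includes/functions.php"
  # Planted file: PHP where only images belong, with a base64-obfuscated
  # payload (here just echo "planted"; so the fixture is harmless).
  printf '<?php eval(base64_decode("ZWNobyAicGxhbnRlZCI7"));\n' \
    > "$d/wp-content/uploads/2014/02/img.php"
  # Tampered .htaccess: sends visitors arriving from search engines elsewhere.
  printf '%s\n' 'RewriteEngine On' \
    'RewriteCond %{HTTP_REFERER} (google|bing)\.' \
    'RewriteRule .* http://malicious.example/go [R=301,L]' > "$d/.htaccess"
  # Constructed database dump line with a hidden iframe injected into a post.
  printf '%s\n' "INSERT INTO wp_posts VALUES (1,'Hello <iframe src=\"http://malicious.example/\" width=\"0\" height=\"0\"></iframe>');" \
    > "$d/dump.sql"
  echo "$d"
}

# C. Files modified within the last N days (default 7). Compare the list
#    against the date of your last legitimate update or deployment.
recently_modified() {
  find "$1" -type f -mtime -"${2:-7}" | sort
}

# C. PHP files using the usual obfuscation/execution primitives.
suspicious_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(|preg_replace\(.*/e' {} + | sort
}

# C. Any PHP under uploads/ is wrong regardless of its content.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' | sort
}

# D. .htaccess directives (in every directory) that redirect visitors off-site
#    or pull extra PHP into every request.
htaccess_tampering() {
  find "$1" -name .htaccess \
    -exec grep -HniE 'RewriteRule.*https?://|auto_(prepend|append)_file|ErrorDocument.*https?://' {} +
}

# E. Count dump lines carrying injected markup (run against mysqldump output).
dump_injections() {
  grep -ciE '<iframe|<script[^>]*src=|document\.write\(unescape' "$1"
}

# Demo on the constructed tree.
DOCROOT=$(make_fixture)
echo "== modified in the last 7 days"; recently_modified "$DOCROOT" 7
echo "== suspicious PHP";             suspicious_php "$DOCROOT"
echo "== PHP under uploads";          php_in_uploads "$DOCROOT"
echo "== .htaccess tampering";        htaccess_tampering "$DOCROOT"
echo "== injected dump lines: $(dump_injections "$DOCROOT/dump.sql")"
```

Run the functions against the compromised copy from step 2, not the live server, and keep their output with the backup: the modification times and file list are what tells you when the break-in happened and which backup is old enough to be clean.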
20. How to Remove Malware (Malicious
Software) – Part 3
Recovery:
1. Download the latest version of WordPress and reinstall the core
files from it, replacing the existing wp-admin and wp-includes
directories rather than updating over them (an update leaves
files the attacker added in place)
2. After re-installation, restore content from the most recent
backup you know to be clean, i.e. one taken before the compromise
3. Make sure all plugins and themes come from a reputable source
(the WP.ORG directory, ThemeForest) and are reinstalled from fresh
downloads of the latest version, not from the copies on the server
4. Change all passwords – FTP/SFTP, the web hosting control panel
(cPanel/Plesk/Hepsia), every WordPress user, and the database
password stored in the wp-config.php file
5. Monitor the site after it is back online, as the hacker/s may
try again
6. Request removal from reported phishing sites -
http://www.google.com/safebrowsing/report_error/?tpl=mozilla
7. Request removal from the list of reported malware sites -
http://www.stopbadware.org/home/reviewinfo
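Step 4 above, like the password slide earlier, says to change the database password held in wp-config.php. The following added shell example, written for this page and not code from the presentation, rewrites that file in place: it sets a new DB_PASSWORD and also regenerates the eight AUTH_KEY/SALT constants, which the slides do not mention but which invalidates every existing login cookie, including any session the attacker may still be holding. make_config writes a constructed stand-in for wp-config.php; the rewrite assumes the standard define('NAME', 'value'); layout of that file.

```shell
#!/bin/sh
# Added example (not code from the presentation): rotate the database password
# and the authentication keys/salts stored in wp-config.php.

# Constructed stand-in for a real wp-config.php.
make_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'oldpassword123');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
  echo "$f"
}

# Random secret of $1 characters (default 64) from /dev/urandom, restricted to
# characters that are safe inside a PHP single-quoted string (no quote, no
# backslash).
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "${1:-64}"
}

# Rewrite $1 (a wp-config.php) with $2 as the new DB password and a fresh
# 64-character value for each of the eight keys/salts. Other lines are kept.
rotate_secrets() {
  cfg=$1; newdb=$2; tmp=$(mktemp)
  while IFS= read -r line; do
    name=${line#*"'"}; name=${name%%"'"*}      # constant name inside define('...'
    case "$line" in
      define\(*)
        case "$name" in
          DB_PASSWORD)
            printf "define('DB_PASSWORD', '%s');\n" "$newdb" ;;
          AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)
            printf "define('%s', '%s');\n" "$name" "$(random_secret 64)" ;;
          *) printf '%s\n' "$line" ;;
        esac ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$cfg" > "$tmp"
  cp "$tmp" "$cfg" && rm -f "$tmp"    # cp keeps the config file's owner and mode
}

# Demo on the constructed file.
CFG=$(make_config)
rotate_secrets "$CFG" "$(random_secret 24)"
cat "$CFG"
```

The new database password must also be set on the MySQL side (through the hosting control panel or the mysql client) before the site goes back online, otherwise WordPress cannot connect. Do the rotation after the cleanup, not before: while a web shell is still on the server the attacker can simply read the new values out of the file.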
21. Conclusion
There is no such thing as a 100% secure site.
You can do every practical thing possible to secure
your site, but at the end of it all there comes a
point where you must decide that your site is
safe enough for what it does.
The ten outlined steps should be enough to secure
your site against the vast majority of attacks, and the
recovery process should help you get your site
back up and running after an attack.