Locking Down the Chastity Belt
on WordPress Security
Brad Williams
WebDevStudios.com
Who Am I?
Brad Williams
CEO & Co-Founder, WebDevStudios.com
Founder of WPClassroom.com
Organizer NJ WordPress Meetup
Co-Host SitePoint Podcast
Co-Author of Professional WordPress (March 2010)
The Goal of this Presentation…
…Is to scare the crap out of you!
…and then make everything better with the best security tips!
Topics
• Example Link Injection Hack
• Securing your WordPress Website
• Recommended Plugins
The Scary
Hacker bots look for known exploits (SQL injection, weak folder permissions, etc.).
This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
Link Injection Example
Hosting account contained two separate websites: WordPress and WordPress MU
Bot dropped a hacker file on the WPMU install
WPMU starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files
WPMU contains no spam links; it acts as a carrier to spread the contamination
Cleaning up the WordPress website only resulted in more spam links a few days later
375 Spam Links Per Page
CSS Hides the Spam
<b style="display:none">Any text you want to hide</b>
Aftermath
• Website was dropped by Google completely
• Pagerank went from 6 to 5
• Hack also infected phpBB forum
• Organic traffic for “viagra” started showing up
Hack happened in April 2009, website just received PR6 back a few weeks ago
Scared Yet?
How about now?
Securing WordPress
Don’t use the admin account
If you are using the admin account you are wrong!
Make it hard on the hacker! If they already know your username that’s half the battle.
Either change the username in MySQL:
update wp_users set user_login='newuser' where user_login='admin';
This changes only the login name. The user_nicename column, which WordPress uses in author archive URLs, still holds the old name, so change it as well or create a fresh account instead.
Or create a new/unique account with administrator privileges:
1. Create a new account. Make the username very unique
2. Assign the account to the Administrator role
3. Log out and log back in with the new account
4. Delete the admin account (attribute its posts to the new account when WordPress asks)
The Great Permission Debate
What folder permissions should you use?
Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the defaults above. Permission levels vary depending on server configuration: if uploads fail, the web server process cannot write to wp-content/uploads. Loosening to 775 or 777 makes uploads work, but 777 lets every account on a shared host write to that directory. Prefer fixing the owner or group of the uploads directory so that only the web server user can write to it, and never leave 777 on anything that contains PHP.
Permissions can be set via FTP, or via shell access with the following commands (the trailing \; terminates each -exec):
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
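The following is an added example, not code from the slides: a shell script that builds a throwaway WordPress-like directory tree (constructed sample data with invented file names, carrying the 777/666 modes that a "make uploads work" fix leaves behind), reports every world-writable entry, applies the 644/755 rule with the find commands above, and confirms nothing deviates afterwards.

```bash
#!/usr/bin/env bash
# Added example (not from the slides): audit and normalize WordPress file
# permissions to the slide's rule of thumb (files 644, directories 755).
# Written in POSIX sh syntax; runs under bash or dash.
set -u

# Print every file or directory under $1 that is writable by "other".
# On a shared host those are the entries every other account can modify.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# Count entries whose mode is not exactly 644 (files) or 755 (directories).
count_nonstandard() {
    {
        find "$1" -type f ! -perm 644 -print
        find "$1" -type d ! -perm 755 -print
    } | wc -l | tr -d ' '
}

# Apply the rule of thumb. "{} +" batches paths into few chmod calls; the
# slide's "{} \;" form runs one chmod per path and is equivalent.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a throwaway tree shaped like a WordPress install (constructed sample,
# invented file names). Modes are set explicitly so the result does not
# depend on the caller's umask; three entries are deliberately too open.
make_sample_tree() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins/akismet"
    printf '<?php // constructed sample\n' > "$dir/wp-config.php"
    printf '<?php // constructed sample\n' > "$dir/wp-content/plugins/akismet/akismet.php"
    : > "$dir/wp-content/uploads/photo.jpg"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/plugins" "$dir/wp-content/plugins/akismet"
    chmod 644 "$dir/wp-config.php"
    chmod 777 "$dir/wp-content/uploads"                      # the classic "uploads don't work" fix
    chmod 666 "$dir/wp-content/uploads/photo.jpg"            # a file dropped into that directory
    chmod 777 "$dir/wp-content/plugins/akismet/akismet.php"  # world-writable PHP: anyone local can plant code
    printf '%s\n' "$dir"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
echo "World-writable before fix:"
list_world_writable "$sample"
echo "Entries off 644/755 before fix: $(count_nonstandard "$sample")"
fix_permissions "$sample"
echo "Entries off 644/755 after fix:  $(count_nonstandard "$sample")"
echo "World-writable after fix:       $(list_world_writable "$sample" | wc -l | tr -d ' ')"
rm -rf "$sample"
```

Against a real install, run list_world_writable on the WordPress root first to see what a 777 shortcut has exposed; if uploads stop working after fix_permissions, correct the owner or group of wp-content/uploads rather than reaching for 777 again.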
Move the wp-config.php file
WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root.
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php
This keeps the file from being served over HTTP (for example if PHP handling breaks and the server starts returning .php source), but only when the new location is outside the web server's document root. In the example above, if public_html is the document root, public_html/wp-config.php is still inside it; the real benefit comes when WordPress lives directly in public_html and the file moves up into the account's home directory. The file stays readable to anyone with shell or FTP access to the account.
Move the wp-content Directory
WordPress 2.6 added the ability to move the wp-content directory
1. Move your wp-content directory
2. Make two additions to wp-config.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content');
If you have compatibility issues with plugins there are two optional settings:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');
This is obscurity, not access control: the new location appears in the URL of every theme stylesheet and plugin script on your pages, so it only defeats bots that hardcode /wp-content/ paths. Plugins that hardcode the path themselves will break, so test them after the move.
Remove WordPress Version from Header
Viewing source on most WP sites will reveal the version they are running. This helps hackers find vulnerable WP blogs running older versions:
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
To remove it, find the code below in the header.php file of your theme and delete it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<!-- leave this for stats please -->
The wp_head function also outputs the WP version in your header. To remove it, drop this line of code in your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
Themes and plugins might also display their own versions in your header, and the core version remains readable elsewhere (readme.html in the WordPress root, and the ?ver= query string WordPress appends to its scripts and styles), so treat this as hiding from the laziest scanners, not as protection. Updating is what actually closes the hole.
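Added example, not code from the slides: a shell check that scans a saved page for version disclosures, so you can verify that removing wp_generator actually did what you expected. Besides the generator meta tag, it looks for the ?ver= query string WordPress appends to the scripts and styles it enqueues; that leak survives remove_action and needs the script_loader_src and style_loader_src filters to strip. The two sample pages are constructed (example.com and the asset names are invented); the "hardened" one shows what the output should look like once both leaks are gone.

```bash
#!/usr/bin/env bash
# Added example (not from the slides): report WordPress version disclosures
# in a saved HTML page. Sample HTML is constructed; asset names are invented.
set -u

# Print every version disclosure in the HTML file $1, one per line:
# generator meta tags (core, plugin and theme ones share the tag name) and
# ?ver= query strings on <script>/<link> elements. "|| true" keeps the
# function usable under "set -e" when grep finds nothing.
find_version_leaks() {
    grep -io '<meta[^>]*name="generator"[^>]*>' "$1" || true
    grep -Eio '<(script|link)[^>]*[?&]ver=[^>]*>' "$1" || true
}

# Number of disclosures in file $1.
count_version_leaks() {
    find_version_leaks "$1" | wc -l | tr -d ' '
}

# Print the core version advertised by a WordPress generator tag, or nothing.
wp_version_from_html() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Write a constructed sample page to a temp file and print its path.
# "default": what a stock theme outputs. "hardened": wp_generator removed and
# the ?ver= strings stripped via the script_loader_src / style_loader_src filters.
make_sample_html() {
    local f
    f=$(mktemp)
    if [ "$1" = default ]; then
        cat > "$f" <<'EOF'
<!DOCTYPE html>
<html><head>
<title>Constructed sample page</title>
<meta name="generator" content="WordPress 2.8" />
<link rel="stylesheet" href="http://example.com/wp-includes/css/constructed.css?ver=2.8" type="text/css" />
<script type="text/javascript" src="http://example.com/wp-includes/js/constructed.js?ver=2.8"></script>
</head><body><p>Hello world!</p></body></html>
EOF
    else
        cat > "$f" <<'EOF'
<!DOCTYPE html>
<html><head>
<title>Constructed sample page</title>
<link rel="stylesheet" href="http://example.com/wp-includes/css/constructed.css" type="text/css" />
<script type="text/javascript" src="http://example.com/wp-includes/js/constructed.js"></script>
</head><body><p>Hello world!</p></body></html>
EOF
    fi
    printf '%s\n' "$f"
}

# Demo: the same page before and after hardening.
for variant in default hardened; do
    page=$(make_sample_html "$variant")
    echo "== $variant: $(count_version_leaks "$page") disclosure(s), core version '$(wp_version_from_html "$page")'"
    find_version_leaks "$page"
    rm -f "$page"
done
```

To check a live site, save its front page with curl or wget and pass the file to count_version_leaks; a non-zero count after the functions.php change means a theme, a plugin, or the asset ?ver= strings are still talking.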
Stay Current on Updates
Keep WordPress core, plugins, and theme files up to date.
The newly added plugin Changelog tab makes it very easy to view what has changed in a new plugin version. Expect wider adoption in the coming months as this was just added a few weeks ago.
Recent WordPress hack only affected outdated WordPress installs
Use Secure Passwords
Use strong passwords to protect your website from brute-force and dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
BAD PASSWORD: bradrocks
GOOD PASSWORD: S-gnop2D[6@8
Great resource: goodpassword.com creates random passwords.
The WordPress password strength meter will tell you when you have it right.
Use Secret Keys
WordPress uses these keys as salts when it signs authentication cookies and nonces. Leaving the sample placeholders in place means that part of the secret is known to everyone; long random keys make the cookies far harder to forge.
1. Edit wp-config.php
BEFORE
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1
AFTER
define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB');
define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB');
define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V');
define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r');
You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again.
Change WordPress Table Prefix
1. Edit wp-config.php before installing WordPress
2. Change the prefix wp_ to something unique:
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'zztop_';
All database tables will now have a unique prefix (ie zztop_posts)
This only blunts canned SQL injection payloads that hardcode wp_ table names; an attacker who can run arbitrary queries can look the prefix up, so treat it as defense in depth. Changing the prefix on an existing install means renaming every table and the prefixed option and usermeta keys (wp_user_roles, wp_capabilities), which is why it belongs before installation.
Force SSL Login and Admin Access
Set the below option in wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Set the below option in wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
Both need a working SSL certificate for the site's hostname. With FORCE_SSL_LOGIN alone the password is protected but the admin session cookie still travels over plain HTTP afterwards, so prefer FORCE_SSL_ADMIN; FORCE_SSL_LOGIN was deprecated in WordPress 4.0 in its favor.
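As an added example (not the slides' own code), here is a shell audit of a wp-config.php for the three settings covered above: the four secret keys (a real value rather than the placeholder, and not shorter than a generated key should be), a non-default $table_prefix, and FORCE_SSL_ADMIN. The two sample configuration files are constructed; the key values in the hardened one are made up for illustration. It assumes the file keeps the wp-config-sample.php layout of one single-quoted define per line, and relies on the api.wordpress.org keys containing no single quotes.

```bash
#!/usr/bin/env bash
# Added example (not from the slides): audit a wp-config.php for the three
# hardening settings above. Prints one "FINDING:" line per problem and
# returns the number of findings (0 means clean).
# Assumes the file keeps wp-config-sample.php's layout: one single-quoted
# define(...) per line. Keys from api.wordpress.org contain no single quotes.
set -u

# Print the value of define('NAME', '...') from file $2, or nothing.
# Splitting the line on single quotes gives: define( | NAME | , | VALUE | );
define_value() {
    awk -F"'" -v name="$1" '$1 ~ /^[[:space:]]*define\(/ && $2 == name { print $4; exit }' "$2"
}

# Succeed only if define('NAME', true); is present in file $2.
define_is_true() {
    awk -F"'" -v name="$1" \
        '$1 ~ /^[[:space:]]*define\(/ && $2 == name && $3 ~ /^[[:space:]]*,[[:space:]]*true[[:space:]]*\)/ { found = 1; exit }
         END { exit !found }' "$2"
}

# Print the configured $table_prefix from file $1, or nothing.
table_prefix() {
    awk -F"'" '$1 ~ /^[[:space:]]*[$]table_prefix[[:space:]]*=/ { print $2; exit }' "$1"
}

audit_wp_config() {
    local f key v n prefix
    f=$1
    n=0
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        v=$(define_value "$key" "$f")
        if [ -z "$v" ]; then
            echo "FINDING: $key is not defined"; n=$((n + 1))
        elif [ "$v" = "put your unique phrase here" ]; then
            echo "FINDING: $key still holds the wp-config-sample placeholder"; n=$((n + 1))
        elif [ "${#v}" -lt 32 ]; then
            echo "FINDING: $key is only ${#v} characters; api.wordpress.org issues 64"; n=$((n + 1))
        fi
    done
    prefix=$(table_prefix "$f")
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "FINDING: \$table_prefix is the default wp_"; n=$((n + 1))
    fi
    if ! define_is_true FORCE_SSL_ADMIN "$f"; then
        echo "FINDING: FORCE_SSL_ADMIN is not set to true (FORCE_SSL_LOGIN alone leaves admin pages on http)"; n=$((n + 1))
    fi
    return "$n"
}

# Write a constructed wp-config.php ("weak" or "hardened") to a temp file and print its path.
make_sample_config() {
    local f
    f=$(mktemp)
    if [ "$1" = weak ]; then
        cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix  = 'wp_';
define('FORCE_SSL_LOGIN', true);
EOF
    else
        cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'constructed-sample-key-1-Qx7!Lp3#Vz9$Hm2@Rt5^Yw8&Jc4*Nf6(Bd0)Gk');
define('SECURE_AUTH_KEY',  'constructed-sample-key-2-Qx7!Lp3#Vz9$Hm2@Rt5^Yw8&Jc4*Nf6(Bd0)Gk');
define('LOGGED_IN_KEY',    'constructed-sample-key-3-Qx7!Lp3#Vz9$Hm2@Rt5^Yw8&Jc4*Nf6(Bd0)Gk');
define('NONCE_KEY',        'constructed-sample-key-4-Qx7!Lp3#Vz9$Hm2@Rt5^Yw8&Jc4*Nf6(Bd0)Gk');
$table_prefix  = 'zztop_';
define('FORCE_SSL_ADMIN', true);
EOF
    fi
    printf '%s\n' "$f"
}

# Demo run over both samples.
for variant in weak hardened; do
    cfg=$(make_sample_config "$variant")
    echo "== $variant sample =="
    audit_wp_config "$cfg" && echo "no findings"
    rm -f "$cfg"
done
```

Run audit_wp_config against a live wp-config.php; the exit status is the number of findings. Later WordPress versions add matching *_SALT constants (AUTH_SALT and so on) that the same placeholder check applies to, so extend the key list when auditing those.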
.htaccess lockdown
1. Create a .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
Only a user with the IP 67.123.83.59 can access wp-admin.
The order/deny/allow lines do the work here (the Auth* lines are inert without a Require directive and a password file); they are Apache 2.2 mod_authz_host syntax, which Apache 2.4 replaced with the Require directive. Anything the public front end needs from wp-admin, such as admin-ajax.php used by some plugins, is blocked too, and the whitelist only helps if you administer from a fixed IP address.
Recommended Security Plugins
WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
WordPress Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
WordPress File Monitor
http://wordpress.org/extend/plugins/wordpress-file-monitor/
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
From WPBeginner.com
WordPress Security Resources
• Security Related Codex Articles
  › http://codex.wordpress.org/Hardening_WordPress
  › http://codex.wordpress.org/Changing_File_Permissions
  › http://codex.wordpress.org/Editing_wp-config.php
  › http://codex.wordpress.org/htaccess_for_subdirectories
• Blog Security Articles
  › http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
  › http://www.growmap.com/wordpress-exploits/
  › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
  › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
  › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
  › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
  › http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
Contact
Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Everywhere else: williamsba

Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard Of
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online Presence
 

Recently uploaded

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 

Recently uploaded (20)

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 

WordPress Security - WordCamp NYC 2009

  • 1. Locking Down the Chastity Belt on WordPress Security
    Brad Williams, WebDevStudios.com
  • 2.
  • 4. Who Am I?
    Brad Williams
    CEO & Co-Founder, WebDevStudios.com
    Founder of WPClassroom.com
    Organizer, NJ WordPress Meetup
    Co-Host, SitePoint Podcast
    Co-Author of Professional WordPress (March 2010)
  • 5. The Goal of this Presentation…
  • 6. The Goal of this Presentation… …Is to scare the crap out of you!
  • 7. The Goal of this Presentation… …and then make everything better with the best security tips!
  • 8. Topics
      • Example Link Injection Hack
      • Securing your WordPress Website
      • Recommended Plugins
  • 10. Link Injection
    Hacker bots look for known exploits (SQL injection, folder permissions, etc.). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
  • 11. Example (diagram: WordPress | WordPress MU)
    Hosting account contained two separate websites.
  • 12. Example (diagram: WordPress | WordPress MU)
    Bot dropped a hacker file on the WPMU install.
  • 13. Example (diagram: WordPress | WordPress MU)
    WPMU starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.
  • 14. Example (diagram: WordPress | WordPress MU)
    WPMU contains no spam links; it acts as a carrier to spread the contamination. Cleaning up the WordPress website only resulted in more spam links a few days later.
  • 15. 375 Spam Links Per Page
  • 16. CSS Hides the Spam
      <b style="display:none">Any text you want to hide</b>
  • 17. Aftermath
      • Website was dropped by Google completely
      • PageRank went from 6 to 5
      • Hack also infected phpBB forum
      • Organic traffic for "viagra" started showing up
    Hack happened in April 2009; the website just received PR6 back a few weeks ago.
  • 19. How about now?
  • 21. Don't use the admin account
    If you are using the admin account you are wrong!
    Either change the username in MySQL:
      update wp_users set user_login='newuser' where user_login='admin';
    Or create a new/unique account with administrator privileges:
      1. Create a new account. Make the username very unique
      2. Assign the account to the Administrator role
      3. Log out and log back in with the new account
      4. Delete the admin account
    Make it hard on the hacker! If they already know your username, that's half the battle.
  • 22.
  • 23. The Great Permission Debate
    What folder permissions should you use? Good rule of thumb:
      • Files should be set to 644
      • Folders should be set to 755
    Start with the default settings above; if you can't upload, increase privileges (i.e. 775, 777). Permission levels vary depending on server configuration.
  • 24. The Great Permission Debate
    Permissions can be set via FTP, or via shell access with the following commands:
      find [your path here] -type d -exec chmod 755 {} \;
      find [your path here] -type f -exec chmod 644 {} \;
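The two find commands above, as an added example that is not from the slides: they are wrapped in a function, paired with an audit that lists anything still writable by group or others, and run against a throwaway tree built in a temporary directory (the path argument is assumed to be a WordPress root).

```shell
#!/bin/sh
# Added example (not from the slides): apply the deck's 644/755 rule of thumb
# to a WordPress tree and audit for anything still writable by group or others.
# The directory argument is assumed to be the WordPress root; the demo builds
# a throwaway tree instead of touching a real site.

# Print every file or directory under $1 that is writable by group or others.
wp_find_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) -print
}

# Number of loose entries; 0 means the tree matches the 644/755 baseline.
wp_count_loose_perms() {
    wp_find_loose_perms "$1" | wc -l | tr -d ' '
}

# The slides' commands: directories 755, files 644.
wp_set_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Demo on a constructed tree with deliberately loose permissions.
wp_perms_demo() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/wp-config.php"
    printf 'x\n' > "$root/wp-content/uploads/a.txt"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/a.txt"
    chmod 666 "$root/wp-config.php"
    before=$(wp_count_loose_perms "$root")
    wp_set_perms "$root"
    after=$(wp_count_loose_perms "$root")
    echo "loose entries before: $before, after: $after"
    rm -rf "$root"
    [ "$after" -eq 0 ]
}
```

Run the audit function on its own first; a site that needs 775 or 777 on an uploads folder (slide 23) will show up there, and that exception can then be made deliberately rather than by accident.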
  • 25. Move the wp-config.php file
    WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root. This makes it nearly impossible for anyone to access your wp-config.php file, as it now resides outside of your website's root directory.
    WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
    If WordPress is located here: public_html/wordpress/wp-config.php
    You can move your wp-config.php file to here: public_html/wp-config.php
    Note that the file only leaves the web server's document root when WordPress itself is installed in that document root; in the layout above, public_html/wp-config.php is still under public_html.
  • 26. Move the wp-content Directory
    WordPress 2.6 added the ability to move the wp-content directory.
    1. Move your wp-content directory
    2. Make two additions to wp-config.php:
      define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
      define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
    If you have compatibility issues with plugins, there are two optional settings:
      define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
      define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
    If hackers can't find your wp-content folder, they can't hack it!
  • 27. Remove WordPress Version from Header
    Viewing source on most WP sites will reveal the version they are running:
      <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
    This helps hackers find vulnerable WP blogs running older versions.
    To remove it, find the code below in the header.php file of your theme and remove it:
      <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
    The wp_head function also includes the WP version in your header. To remove it, drop this line of code in your theme's functions.php file:
      remove_action('wp_head', 'wp_generator');
    Themes and plugins might also display versions in your header.
  • 28. Stay Current on Updates
    Keep WordPress core, plugins, and theme files up to date.
    The newly added plugin Changelog tab makes it very easy to view what has changed in a new plugin version. Expect wider adoption in the coming months, as this was just added a few weeks ago.
    The recent WordPress hack only affected outdated WordPress installs.
  • 29. Use Secure Passwords
    Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
    BAD PASSWORD: bradrocks
    GOOD PASSWORD: S-gnop2D[6@8
    Great resource: goodpassword.com (creates random passwords)
    WordPress will tell you when you have it right.
  • 30.
  • 31. Use Secret Keys
    A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
    1. Edit wp-config.php
    BEFORE:
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
    2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1
    AFTER:
      define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB');
      define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB');
      define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V');
      define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r');
    You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again.
  • 32. Change WordPress Table Prefix
    1. Edit wp-config.php before installing WordPress
    2. Change the prefix wp_ to something unique:
      /**
       * WordPress Database Table prefix.
       *
       * You can have multiple installations in one database if you give each a unique
       * prefix. Only numbers, letters, and underscores please!
       */
      $table_prefix = 'zztop_';
    All database tables will now have a unique prefix (i.e. zztop_posts).
  • 33. Force SSL Login and Admin Access
    Set the below option in wp-config.php to force SSL (https) on login:
      define('FORCE_SSL_LOGIN', true);
    Set the below option in wp-config.php to force SSL (https) on all admin pages:
      define('FORCE_SSL_ADMIN', true);
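The three wp-config.php checks from slides 31, 32 and 33 (secret keys, table prefix, forced SSL), as an added audit script that is not part of the deck; it greps a wp-config.php given as its first argument and is exercised against two constructed sample configs whose "hardened" key values are obvious placeholders rather than real salts.

```shell
#!/bin/sh
# Added example (not from the slides): audit a wp-config.php for the three
# settings the deck recommends: real secret keys, a non-default table prefix,
# and forced SSL for login/admin. Takes the path of the file as $1.

# Print one line per finding.
wp_config_findings() {
    cfg="$1"
    # Secret keys still carry the installer placeholder text.
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "secret keys still use the default placeholder"
    fi
    # Table prefix left as the default wp_.
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "table prefix is the default wp_"
    fi
    # Neither FORCE_SSL_ADMIN nor FORCE_SSL_LOGIN is set to true.
    if ! grep -Eq "FORCE_SSL_(ADMIN|LOGIN)['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "FORCE_SSL_ADMIN / FORCE_SSL_LOGIN not enabled"
    fi
}

# Number of findings; 0 means the file passes this audit.
wp_config_finding_count() {
    wp_config_findings "$1" | wc -l | tr -d ' '
}

# Write a constructed wp-config.php fragment to $1; $2 is "weak" or "hardened".
# The "hardened" key values are obvious placeholders, not real salts.
write_sample_config() {
    if [ "$2" = "weak" ]; then
        cat > "$1" <<'EOF'
<?php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    else
        cat > "$1" <<'EOF'
<?php
define('AUTH_KEY', 'EXAMPLE-PLACEHOLDER-KEY-1');
define('SECURE_AUTH_KEY', 'EXAMPLE-PLACEHOLDER-KEY-2');
$table_prefix = 'zztop_';
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
EOF
    fi
}
```

On a real install, point wp_config_findings at the file wherever it lives (the WordPress root or, per slide 25, its parent directory) and fix each line it reports.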
  • 34. .htaccess lockdown
    1. Create a .htaccess file in your wp-admin directory
    2. Add the following lines of code (Apache 2.2 access-control syntax):
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      #IP address to Whitelist
      allow from 67.123.83.59
    Only a user with the IP 67.123.83.59 can access wp-admin.
  • 40. WordPress Security Resources
    Security Related Codex Articles
      › http://codex.wordpress.org/Hardening_WordPress
      › http://codex.wordpress.org/Changing_File_Permissions
      › http://codex.wordpress.org/Editing_wp-config.php
      › http://codex.wordpress.org/htaccess_for_subdirectories
    Blog Security Articles
      › http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
      › http://www.growmap.com/wordpress-exploits/
      › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
      › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
      › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
      › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
      › http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
  • 41. Contact
    Brad Williams
    brad@webdevstudios.com
    Blog: strangework.com
    Twitter: @williamsba
    IRC: WDS-Brad
    Everywhere else: williamsba