WordPress Security Presentation


Published on

Presentation slides used for Arizona WordPress Group meetup about WordPress security.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

WordPress Security Presentation

  1. 1. WordPress Security<br />Understand and prevent security issues on your WP install.<br />
  2. 2. WordPress Security Meetup Topics<br />Why do hackers do what they do?<br />What are the effects of a hack? <br />How can a hack affect you? <br />Hacks are confusing events.<br />Securing WordPress: Prevent your install from being hacked.<br />
  3. 3. Why Do Hackers Do What They Do?<br />Money from affiliate links they inject into site<br />Push link juice to their own sites<br />Challenge / conquest<br />Because they can….<br />To send spam email from server<br />
  4. 4. What Are the Effects of a Hack?<br />Insertion of links into pages and posts. <br />Links are often hidden so you do not see them or cloaked so that only search engine spiders / googlebots see them.<br />Redirection of posts and pages <br />Example: Latest Media Temple Update: http://weblog.mediatemple.net/weblog/2010/07/16/1404-wordpress-redirect-exploit-2/<br />
  5. 5. How Can a Hack Affect You? <br />Loss of rankings, ban by search engines<br />Destruction of your online presence > Loss of credibility<br />Loss of revenue from online sales<br />Financial and time cost of fixing hack<br />
  6. 6. Hacks Are Confusing Events<br />Since there are many factors involved in how a hacker or exploit can gain entry, there is often confusion / misinformation about how hacks occur. <br />It is not uncommon for hosts to blame WordPress when in fact the host is to blame for a security issue<br />Pharma hack: Only search bots are served hacked pages, so hacked pages are cloaked, so you will not see your pages showing any signs of issues. Only after you notice a loss of rankings will the issue be brought to the surface, weeks or months after the initial hack. <br />
  7. 7. Securing WordPress: Prevention<br />1) Keep install, plugins, themes and scripts up to date<br />New 3.0 Update Feature makes updating easier than ever<br />2) Use caution when choosing plugins to use: Mo plugins, mo problems!<br />Poorly written plugins can pose security risks<br />Old Plugins may not be updated regularly, check to make sure that plugin is updated on a regular basis<br />
  8. 8. Securing WordPress: Prevention<br />3) Maintain regular backups of root folder <br />Via FTP: Free FTP client http://filezilla-project.org/<br />Create cron jobs to automate backing up folders: <br />You can choose backup schedule, what to backup and where to bakcup<br />http://wpmu.org/new-years-resolution-automate-wordpress-wpmu-backups-check/<br />
  9. 9. Securing WordPress: Prevention<br />4) Maintain regular backups of database<br />WP-DBManager: http://wordpress.org/extend/plugins/wp-dbmanager/<br />Enables you to automate backups and optimizations and restore directly from dashboard, bypassing PHPMyAdmin<br />5) Use correct file permissions<br />Use FTP client or cpanel file manager<br />WordPress defaults to 644 for files and 755 permissions for folders<br />
  10. 10. Securing WordPress: Prevention<br />6) Choose the right host<br />Godaddy and other large hosts are bigger targets for hackers and don’t have the best record of being pro-active when they have been compromised<br />7) Use strong passwords and change regularly<br />8) Remove unused plugins and themes<br />9) Use file monitor to be notified of file changes: http://wordpress.org/extend/plugins/wordpress-file-monitor/<br />
  11. 11. Typical Hack Repair Steps: (PharmaHack example) <br />Locate and remove hacked 404.php file<br />Locate and remove hacked content from database<br />Replace entire set of salt keys<br />Upload new WordPress files<br />Restore previous versions of other files<br />Restore database to previous version<br />
  12. 12. Source Articles / Add. Resources<br />WordPress Security Resources<br />My site was hacked: WordPress Codex<br />WordPress Security Lockdown<br />Learn about backdoors<br />Monitor files changes <br />How to Fix Hacked Install / Remove Malware<br />Removing Malware From a WordPress Blog<br />Doncha's guide to dealing with a hacked website<br />How To Clean a Hacked Install<br />