SlideShare a Scribd company logo

Now That's What I Call WordPress Security 2010

Download as PPT, PDF
Brad Williams
Brad Williams

My WordCamp Chicago 2010 WordPress Security presentation

TechnologyBusiness
1 of 61
Props @tweetsfromchris
Brad Williams Co-Founder of WebDevStudios.com Organizer NJ WordPress Meetup Co-Host SitePoint Podcast Co-Author of Professional WordPress (http://bit.ly/pro-wp) Who Am I?
The Goal of this Presentation…
The Goal of this Presentation… …Is to scare the crap out of you!
The Goal of this Presentation… …and then make everything better with the best security tips!
 Example WordPress Hacks  Securing Your WordPress Website  How to Clean Up a Hacked Site  Recommended Plugins Topics
Who Do Hackers Target?
Who Do Hackers Target? YOU
Who Is Safe?
Who Is Safe? NO ONE
Scared Yet?
ExampleExample WordPress Hacker bot finds a security hole on your website
ExampleExample Hacker bot hides a file in your WordPress installation WordPress Akismet.cache.php is NOT an Akismet file
ExampleExample WordPress Hacker Bot Hacker bot can now trigger this file/code remotely
ExampleExample WordPress Hacker Bot Common Hacker bot script jobs • Add spam content and links to your websites theme files • Create posts and pages with spam content and links • Delete posts/pages/settings wreaking havoc on your site • etc, etc, bad stuff, etc, etc
<b style=“display:none”>Any text you want to hide</b> CSS Hides the SpamCSS Hides the Spam
Hidden Spam LinksHidden Spam Links
Only Noobs Get HackedOnly Noobs Get Hacked
WRONG!
Scobleizer.com: HACKED
Scobleizer.com: HACKED
Scobleizer.com: HACKED
Pearsonified.com: HACKED
FeaturedContentGallery.com: HACKED
Make it Stop!
Palette Cleanser
Securing WordPress
Don’t use the admin account UPDATE wp_users SET user_login='newuser' WHERE user_login='admin'; If you are using the admin account you are wrong! Either change the username in MySQL: Or create a new/unique account with administrator privileges. 1.Create a new account. Make the username very unique 2.Assign account to Administrator role 3.Log out and log back in with new account 4.Delete admin account Make it hard on the hacker! If they already know your username that’s half the battle
Don’t use the admin account WordPress 3.0 lets you set the administrator username during the installation process!
The Great Permission Debate What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above if you can’t upload increase privileges (ie 775, 777) Permission levels vary depending on server configuration
The Great Permission Debate Permissions can be set via FTP find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Or via SSH with the following commands
Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory You can move your wp-config.php file to here WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory public_html/wordpress/wp-config.php If WordPress is located here: public_html/wp-config.php
Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins'); If you have compatibility issues with plugins there are two optional settings If hackers can’t find your wp-content folder, they can’t hack it!
Remove WordPress Version from Header Viewing source on most WP sites will reveal the version they are running This helps hackers find vulnerable WP blogs running older versions <meta name="generator" content="WordPress 2.9.2" /> <!-- leave this for stats --> To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please --> Themes and plugins might also display versions in your header. The wp_head function also includes the WP version in your header To remove drop this line of code in your themes functions.php file remove_action('wp_head', 'wp_generator');
Stay Current on Updates Keep WordPress core, plugins, and theme files up to date The plugin Changelog tab makes it very easy to view what has changed in a new plugin version Recent WordPress hack only affected outdated WordPress installs
Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc BAD PASSWORD: bradrocks Great resource: toughpassword.com Creates random passwords GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right
Use Secret Keys define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); 1. Edit wp-config.php A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt BEFORE define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); AFTER You can add/change secret keys at anytime. This will invalidate all existing cookies and require your users to login again
Change WordPress Table Prefix /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘drupal_'; 1. Edit wp-config.php before installing WordPress All database tables will now have a unique prefix (ie drupal_posts) 2. Change the prefix wp_ to something unique:
Force SSL Login and Admin Access define('FORCE_SSL_LOGIN', true); Set the below option in wp-config.php to force SSL (https) on login Set the below option in wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true);
.htaccess lockdown AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.123 1. Create a .htaccess file in your wp-admin directory Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin 2. Add the following lines of code:
Clean Up a Hacked Site
Step 1: Delete Everything and Start Over!
OR
Step 1: Do a Fresh Install of WordPress • Delete, don’t overwrite, all original WordPress files • Upload fresh copies of all WordPress core files Be sure to backup your theme, plugins, media, etc
Step 2: Re-install All Plugins • Install fresh copies of all WP plugins need • DON’T use the same plugin files from the hacked site
Step 3: Re-install Your Theme • If possible install a fresh copy of your theme • If using the old theme be sure to inspect every file for hack code
Step 4: Change all Passwords and Keys • Change your passwords: WordPress, FTP, MySQL • Verify the hacker didn’t create another user, if so delete it • Update your secret keys in wp-config.php (as shown earlier)
Step 5: Scan Database for Malicious Code • Look for common hack keywords: • eval, base64, strrev, iframe, noscript, display • Use WordPress Exploit Scanner plugin (discussed later) Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
Step 6: Verify folder/file permissions • Check all folder and file permissions are correct • Reset to 755 on folders and 644 on files if needed
Step 7: Pray
Recommended Security Plugins
WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/
WP-MalWatch http://wordpress.org/extend/plugins/wp-malwatch/ • Nightly security scan • Detects files based on configurable file patterns • Detects hidden files •
ServerBuddy http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
WordPress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/
WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/
Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
 Security Related Codex Articles › http://codex.wordpress.org/Hardening_WordPress › http://codex.wordpress.org/Changing_File_Permissions › http://codex.wordpress.org/Editing_wp-config.php › http://codex.wordpress.org/htaccess_for_subdirectories  Blog Security Articles › http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress- admin-area/ › http://www.growmap.com/wordpress-exploits/ › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress- blog/ › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/ › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress- blog/ › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog  Clean A Hacked Site › http://codex.wordpress.org/FAQ_My_site_was_hacked › http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/ › http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ › http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked- wordpress-installation/ › http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html WordPress Security Resources
Brad Williams brad@webdevstudios.com Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad http://www.slideshare.net/williamsba Contact
Tweet: @williamsba WordPress Security Rocks! #wcchicago Win a copy of Professional WordPress!

Recommended

WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Brad Williams
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
Brad Williams
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 

Recommended

WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
Brad Williams
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Brad Williams
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
Brad Williams
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
Jeff Hoffman
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
Brad Williams
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
Dre Armeda
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
Dre Armeda
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
Brad Williams
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
Shawn Hooper
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and Configuration
Chetan Soni
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
John Carcutt
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
amiable_indian
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
Dre Armeda
 
Advanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksAdvanced Thesis Techniques and Tricks
Advanced Thesis Techniques and Tricks
Brad Williams
 
Website security
Website securityWebsite security
Website security
Akhilesh Kant
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
Zero Point Development
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
Dougal Campbell
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
Tiia Rantanen
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
Plasterdog Web Design
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
Brad Williams
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website
SiteGround.com
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
Vladimír Smitka
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
Vladimír Smitka
 

More Related Content

What's hot

WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen
 

What's hot (20)

WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
 
Introduction to WordPress Security
Introduction to WordPress SecurityIntroduction to WordPress Security
Introduction to WordPress Security
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and Configuration
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
 
Advanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksAdvanced Thesis Techniques and Tricks
Advanced Thesis Techniques and Tricks
 
Website security
Website securityWebsite security
Website security
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website
 

Viewers also liked

(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
Amazon Web Services
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
Chris Gates
 

Viewers also liked (7)

WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
(WEB302) Best Practices for Running WordPress on AWS | AWS re:Invent 2014
 
Using python to analyze spatial data
Using python to analyze spatial dataUsing python to analyze spatial data
Using python to analyze spatial data
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012
 
Architecting an Highly Available and Scalable WordPress Site in AWS
Architecting an Highly Available and Scalable WordPress Site in AWS Architecting an Highly Available and Scalable WordPress Site in AWS
Architecting an Highly Available and Scalable WordPress Site in AWS
 

Similar to Now That's What I Call WordPress Security 2010

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 

Similar to Now That's What I Call WordPress Security 2010 (20)

Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
 
Getting started with WordPress development
Getting started with WordPress developmentGetting started with WordPress development
Getting started with WordPress development
 
Installing WordPress The Right Way
Installing WordPress The Right WayInstalling WordPress The Right Way
Installing WordPress The Right Way
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
 
WordPress
WordPressWordPress
WordPress
 
WordPress 2.5 Overview - Rich Media Institute
WordPress 2.5 Overview - Rich Media InstituteWordPress 2.5 Overview - Rich Media Institute
WordPress 2.5 Overview - Rich Media Institute
 
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, LeedsWordPress Optimization & Security - ThinkVisibility 2012, Leeds
WordPress Optimization & Security - ThinkVisibility 2012, Leeds
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 201340 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
 
Complete WordPress Setup (Description about Themes & Plugins Added)
Complete WordPress Setup (Description about Themes & Plugins Added)Complete WordPress Setup (Description about Themes & Plugins Added)
Complete WordPress Setup (Description about Themes & Plugins Added)
 
The Way to Theme Enlightenment
The Way to Theme EnlightenmentThe Way to Theme Enlightenment
The Way to Theme Enlightenment
 
WordCamp RI 2015 - Beginner WordPress Workshop
WordCamp RI 2015 - Beginner WordPress Workshop WordCamp RI 2015 - Beginner WordPress Workshop
WordCamp RI 2015 - Beginner WordPress Workshop
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
The Way to Theme Enlightenment 2017
The Way to Theme Enlightenment 2017The Way to Theme Enlightenment 2017
The Way to Theme Enlightenment 2017
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
 

More from Brad Williams

More from Brad Williams (13)

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to Agency
 
Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPress
 
Writing Secure WordPress Code
Writing Secure WordPress CodeWriting Secure WordPress Code
Writing Secure WordPress Code
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application Framework
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress Multisite
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for Beginners
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WP
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPress
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard Of
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceWebsite Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online Presence
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

Now That's What I Call WordPress Security 2010

  • 2. Brad Williams Co-Founder of WebDevStudios.com Organizer NJ WordPress Meetup Co-Host SitePoint Podcast Co-Author of Professional WordPress (http://bit.ly/pro-wp) Who Am I?
  • 3. The Goal of this Presentation…
  • 4. The Goal of this Presentation… …Is to scare the crap out of you!
  • 5. The Goal of this Presentation… …and then make everything better with the best security tips!
  • 6.  Example WordPress Hacks  Securing Your WordPress Website  How to Clean Up a Hacked Site  Recommended Plugins Topics
  • 7. Who Do Hackers Target?
  • 8. Who Do Hackers Target? YOU
  • 12. ExampleExample WordPress Hacker bot finds a security hole on your website
  • 13. ExampleExample Hacker bot hides a file in your WordPress installation WordPress Akismet.cache.php is NOT an Akismet file
  • 14. ExampleExample WordPress Hacker Bot Hacker bot can now trigger this file/code remotely
  • 15. ExampleExample WordPress Hacker Bot Common Hacker bot script jobs • Add spam content and links to your websites theme files • Create posts and pages with spam content and links • Delete posts/pages/settings wreaking havoc on your site • etc, etc, bad stuff, etc, etc
  • 16. <b style=“display:none”>Any text you want to hide</b> CSS Hides the SpamCSS Hides the Spam
  • 18. Only Noobs Get HackedOnly Noobs Get Hacked
  • 28. Don’t use the admin account UPDATE wp_users SET user_login='newuser' WHERE user_login='admin'; If you are using the admin account you are wrong! Either change the username in MySQL: Or create a new/unique account with administrator privileges. 1.Create a new account. Make the username very unique 2.Assign account to Administrator role 3.Log out and log back in with new account 4.Delete admin account Make it hard on the hacker! If they already know your username that’s half the battle
  • 29.
  • 30. Don’t use the admin account WordPress 3.0 lets you set the administrator username during the installation process!
  • 31. The Great Permission Debate What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above if you can’t upload increase privileges (ie 775, 777) Permission levels vary depending on server configuration
  • 32. The Great Permission Debate Permissions can be set via FTP find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Or via SSH with the following commands
  • 33. Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory You can move your wp-config.php file to here WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory public_html/wordpress/wp-config.php If WordPress is located here: public_html/wp-config.php
  • 34. Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins'); If you have compatibility issues with plugins there are two optional settings If hackers can’t find your wp-content folder, they can’t hack it!
  • 35. Remove WordPress Version from Header Viewing source on most WP sites will reveal the version they are running This helps hackers find vulnerable WP blogs running older versions <meta name="generator" content="WordPress 2.9.2" /> <!-- leave this for stats --> To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please --> Themes and plugins might also display versions in your header. The wp_head function also includes the WP version in your header To remove drop this line of code in your themes functions.php file remove_action('wp_head', 'wp_generator');
  • 36. Stay Current on Updates Keep WordPress core, plugins, and theme files up to date The plugin Changelog tab makes it very easy to view what has changed in a new plugin version Recent WordPress hack only affected outdated WordPress installs
  • 37. Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc BAD PASSWORD: bradrocks Great resource: toughpassword.com Creates random passwords GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right
  • 38. Use Secret Keys define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); 1. Edit wp-config.php A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt BEFORE define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); AFTER You can add/change secret keys at anytime. This will invalidate all existing cookies and require your users to login again
  • 39. Change WordPress Table Prefix /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘drupal_'; 1. Edit wp-config.php before installing WordPress All database tables will now have a unique prefix (ie drupal_posts) 2. Change the prefix wp_ to something unique:
  • 40. Force SSL Login and Admin Access define('FORCE_SSL_LOGIN', true); Set the below option in wp-config.php to force SSL (https) on login Set the below option in wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true);
  • 41. .htaccess lockdown AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.123 1. Create a .htaccess file in your wp-admin directory Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin 2. Add the following lines of code:
  • 42. Clean Up a Hacked Site
  • 43. Step 1: Delete Everything and Start Over!
  • 44. OR
  • 45. Step 1: Do a Fresh Install of WordPress • Delete, don’t overwrite, all original WordPress files • Upload fresh copies of all WordPress core files Be sure to backup your theme, plugins, media, etc
  • 46. Step 2: Re-install All Plugins • Install fresh copies of all WP plugins need • DON’T use the same plugin files from the hacked site
  • 47. Step 3: Re-install Your Theme • If possible install a fresh copy of your theme • If using the old theme be sure to inspect every file for hack code
  • 48. Step 4: Change all Passwords and Keys • Change your passwords: WordPress, FTP, MySQL • Verify the hacker didn’t create another user, if so delete it • Update your secret keys in wp-config.php (as shown earlier)
  • 49. Step 5: Scan Database for Malicious Code • Look for common hack keywords: • eval, base64, strrev, iframe, noscript, display • Use WordPress Exploit Scanner plugin (discussed later) Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
  • 50. Step 6: Verify folder/file permissions • Check all folder and file permissions are correct • Reset to 755 on folders and 644 on files if needed
  • 54. WP-MalWatch http://wordpress.org/extend/plugins/wp-malwatch/ • Nightly security scan • Detects files based on configurable file patterns • Detects hidden files •
  • 59.  Security Related Codex Articles › http://codex.wordpress.org/Hardening_WordPress › http://codex.wordpress.org/Changing_File_Permissions › http://codex.wordpress.org/Editing_wp-config.php › http://codex.wordpress.org/htaccess_for_subdirectories  Blog Security Articles › http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress- admin-area/ › http://www.growmap.com/wordpress-exploits/ › http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress- blog/ › http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/ › http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress- blog/ › http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog  Clean A Hacked Site › http://codex.wordpress.org/FAQ_My_site_was_hacked › http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/ › http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ › http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked- wordpress-installation/ › http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html WordPress Security Resources
  • 60. Brad Williams brad@webdevstudios.com Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad http://www.slideshare.net/williamsba Contact
  • 61. Tweet: @williamsba WordPress Security Rocks! #wcchicago Win a copy of Professional WordPress!