WordPress Security from WordCamp NYC 2012


My WordPress Security presentation from WordCamp NYC 2012

  1. WORDPRESS SECURITY by Brad Williams (@williamsba)
  2. WHO IS BRAD? Brad Williams: Co-Founder; Co-Author of Professional WordPress and Professional WordPress Plugin Development; Co-Organizer of WordCamp Philly; Co-Host of WP Late Night.
  4. TODAY'S TOPICS: Security Stats; Example Hack; Top Security Tips; Recommended Plugins & Services; Resources.
  5. SECURITY STATS FOR WORDPRESS
  6. SECURITY STATS
  7. SECURITY STATS: Websites. 700+ million websites in May 2012 (Netcraft); 300 million websites in 2011 (Pingdom); 10+ billion indexed pages (WorldWebSize). Projected: 1 billion websites by 2013, 2 billion websites by 2015. (Bar chart: number of websites, 2011 through 2015.)
  8. SECURITY STATS: WordPress Stats. 73+ million WordPress-powered websites; 16% of all websites are running WordPress; 22 out of every 100 new domains in the U.S. launch with WordPress; projected 300-500 million WordPress sites by 2015.
  9. SECURITY STATS: Web Malware Stats. 403 million unique variants of malware in 2011 (Symantec), a 140% growth since 2010; 81% increase in malicious web-based attacks between 2010 and 2011.
  10. SECURITY STATS: In Summary: Be Scared!
  11. HACK EXAMPLE: Link Injection. Hacker bots look for known exploits (SQL injection, folder permissions, etc.). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
  12. HACK EXAMPLE: Link Injection. The hosting account contained two separate websites: a WordPress install and a WordPress Multisite install.
  13. HACK EXAMPLE: Link Injection. A hacker bot dropped a malicious file on the WP Multisite install.
  14. HACK EXAMPLE: Link Injection. The WordPress Multisite install starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.
  15. HACK EXAMPLE: Link Injection. The WP Multisite install contains no spam links; it acts as a carrier to spread the contamination. Cleaning up the WordPress website only resulted in more spam links a few days later.
  17. HACK EXAMPLE: Link Injection. 375 spam links per page, only shown to search engines.
  18. Scared Yet?
  19. TOP SECURITY TIPS FOR WORDPRESS: That's It! Good luck!
  20. TOP SECURITY TIPS FOR WORDPRESS: Securing WordPress
  21. TOP SECURITY TIPS FOR WORDPRESS: 1. Update, Update, Update. Keep WordPress updated! Minor WordPress versions (i.e. 3.3.x) do NOT add new features. They contain bug fixes and security patches.
  22. TOP SECURITY TIPS FOR WORDPRESS: 1. Update, Update, Update. Update those plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
  23. TOP SECURITY TIPS FOR WORDPRESS: 1. Update, Update, Update. NO EXCUSES! UPDATE!
  24. TOP SECURITY TIPS FOR WORDPRESS: 2. Use Secret Keys. Some secrets should remain secrets.
  25. TOP SECURITY TIPS FOR WORDPRESS: 2. Use Secret Keys. A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
      1. Edit wp-config.php.
      BEFORE:
        define('AUTH_KEY',         'put your unique phrase here');
        define('SECURE_AUTH_KEY',  'put your unique phrase here');
        define('LOGGED_IN_KEY',    'put your unique phrase here');
        define('NONCE_KEY',        'put your unique phrase here');
        define('AUTH_SALT',        'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT',   'put your unique phrase here');
        define('NONCE_SALT',       'put your unique phrase here');
      AFTER:
        define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
        define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
        define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
        define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
        define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
        define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
        define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
        define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
      2. Visit this URL to get your secret keys: https://…-key/1.1/salt
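      Added example, not from the slides: the same two steps done locally. generate_defines() produces the eight define() lines from the OS random source instead of fetching them from the URL, and audit_keys() checks an existing wp-config.php for the defect the BEFORE block shows (placeholders never replaced), plus missing, short or reused keys. The character set and the 64-character length are my assumptions modelled on the slide's AFTER values, not WordPress's own generator.

```python
import re
import secrets
import string
from typing import Dict, List

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Assumed alphabet: letters, digits and punctuation, minus the two characters
# that would need escaping inside a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
# Matches define('NAME', 'value'); lines as they appear in wp-config.php.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def generate_key(length: int = 64) -> str:
    """One key drawn from the OS CSPRNG (secrets), 64 characters like the slide's examples."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_defines() -> str:
    """The eight define() lines, ready to paste over the placeholders."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in KEY_NAMES)


def audit_keys(config_text: str) -> List[str]:
    """Problems with the secret keys in a wp-config.php text: placeholder left in
    place, key not defined, shorter than 32 characters, or one value reused."""
    values: Dict[str, str] = dict(DEFINE_RE.findall(config_text))
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for name in KEY_NAMES:
        value = values.get(name)
        if value is None:
            problems.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            problems.append(f"{name}: placeholder never replaced")
        elif len(value) < 32:
            problems.append(f"{name}: only {len(value)} characters")
        elif value in seen:
            problems.append(f"{name}: reuses the value of {seen[value]}")
        else:
            seen[value] = name
    return problems


# Constructed wp-config.php fragments: the shipped default and a fixed one.
BEFORE = "\n".join(f"define('{name}', '{PLACEHOLDER}');" for name in KEY_NAMES)
AFTER = generate_defines()

if __name__ == "__main__":
    print(AFTER)
    print("before:", audit_keys(BEFORE))
    print("after:", audit_keys(AFTER))
```

      Run it against the real file with audit_keys(open("wp-config.php").read()); an empty list means every key is present, unique and non-default.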
  26. TOP SECURITY TIPS FOR WORDPRESS: Do you log in with the username admin?
  27. TOP SECURITY TIPS FOR WORDPRESS
  28. TOP SECURITY TIPS FOR WORDPRESS: 3. Delete the Admin user account. Change the admin username in MySQL:
        UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
      Or create a new account with administrator privileges: 1. Create a new account; make the username very unique. 2. Set the account to the Administrator role. 3. Log out and log back in with the new account. 4. Delete the admin account. WordPress will allow you to reassign all content written by admin to an account of your choice.
  29. TOP SECURITY TIPS FOR WORDPRESS: 3. Delete the Admin user account. WordPress lets you set the username during the installation process! DON'T USE ADMIN!
  30. TOP SECURITY TIPS FOR WORDPRESS: 3. Delete the Admin user account. Knowing your username is half the battle. Don't make it easy on the hackers.
  31. TOP SECURITY TIPS FOR WORDPRESS: 4. File and Folder Permissions. What folder permissions should you use? Good rule of thumb: files should be set to 644; folders should be set to 755. Start with the default settings above. If your host requires 777... SWITCH HOSTS!
  32. TOP SECURITY TIPS FOR WORDPRESS: 4. File and Folder Permissions. Or via SSH with the following commands:
        find [your path here] -type d -exec chmod 755 {} \;
        find [your path here] -type f -exec chmod 644 {} \;
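      Added example, not from the slides: the read-only counterpart of the two find commands. audit_permissions() walks an install and reports every file that is not 644 and every directory that is not 755, and world_writable() pulls out the entries that match the 777 case the slide warns about. Symlinks are skipped deliberately, since chmod through a link changes its target. demo() builds a small constructed tree to show the output; the paths in it are made up.

```python
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

FILE_MODE = 0o644   # rw-r--r--
DIR_MODE = 0o755    # rwxr-xr-x


def audit_permissions(root, file_mode: int = FILE_MODE, dir_mode: int = DIR_MODE
                      ) -> List[Tuple[str, str, str]]:
    """Every entry whose mode differs from the rule of thumb, as
    (relative path, actual mode, expected mode). Symlinks are skipped."""
    root = Path(root)
    findings: List[Tuple[str, str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        expected = dir_mode if path.is_dir() else file_mode
        if mode != expected:
            findings.append((path.relative_to(root).as_posix(), oct(mode), oct(expected)))
    return findings


def world_writable(findings: List[Tuple[str, str, str]]) -> List[str]:
    """The subset that matters most: entries any local user can modify."""
    return [path for path, actual, _ in findings if int(actual, 8) & stat.S_IWOTH]


def demo() -> List[Tuple[str, str, str]]:
    """Audit a constructed tree with one 777 directory and one 666 file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "wp-content").chmod(DIR_MODE)
        uploads.chmod(0o777)                      # the "switch hosts" case
        for name, mode in (("index.php", FILE_MODE), ("wp-config.php", 0o666)):
            f = root / name
            f.write_text("<?php // constructed sample\n")
            f.chmod(mode)
        return audit_permissions(root)


if __name__ == "__main__":
    for path, actual, expected in demo():
        print(f"{path}: {actual} (expected {expected})")
```

      Point audit_permissions() at the WordPress root before and after running the find commands; the second run should return an empty list.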
  33. TOP SECURITY TIPS FOR WORDPRESS: 5. Move wp-config.php. WordPress features the ability to move the wp-config.php file one directory above your WordPress root. If WordPress is located here: public_html/wordpress/wp-config.php, you can move your wp-config.php file to here: public_html/wp-config.php. WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory. This makes it nearly impossible for anyone to access your wp-config.php file from a browser, as it now resides outside of your website's root directory (the protection holds only when the parent directory is not itself served by the web server).
  34. TOP SECURITY TIPS FOR WORDPRESS: 6. Lock Down WP Login and WP Admin
  35. TOP SECURITY TIPS FOR WORDPRESS: 6. Lock Down WP Login and WP Admin. Add the code below to wp-config.php to force SSL (https) on login:
        define('FORCE_SSL_LOGIN', true);
      Add the code below to wp-config.php to force SSL (https) on all admin pages:
        define('FORCE_SSL_ADMIN', true);
      Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.
  36. TOP SECURITY TIPS FOR WORDPRESS: 6. Lock Down WP Login and WP Admin. 1. Create an .htaccess file in your wp-admin directory. 2. Add the following lines of code:
        AuthUserFile /dev/null
        AuthGroupFile /dev/null
        AuthName "Access Control"
        AuthType Basic
        order deny,allow
        deny from all
        # IP addresses to whitelist
        allow from [your IP address]
        allow from 123.123.123.*
      Only a user coming from the whitelisted IP address or from 123.123.123.* can access wp-admin.
  37. TOP SECURITY TIPS FOR WORDPRESS: 7. Use Trusted Sources for Themes & Plugins. A review of the top 10 Google results for "free wordpress themes" rated the ten sites as follows: Safe: 1; Iffy: 1; Avoid: 8. Source: http://…-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  38. TOP SECURITY TIPS FOR WORDPRESS: 7. Use Trusted Sources for Themes & Plugins. The only safe site reviewed was … Most themes included base64() encoded text links to promote various services. Source: http://…-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
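      Added example, not from the slides and not any plugin's code: a small indicator scanner for the two things the deck describes, the link injection in slides 11 to 17 (spam links shown only to search engines) and the base64-encoded links bundled in free themes on this slide. scan_text() flags base64_decode()/eval() calls, output that branches on the crawler's User-Agent, and hidden link blocks, and it also decodes base64 string literals so a link wrapped in base64 is still found. The patterns, the indicator names and the two sample footer files are my own constructions; like the Exploit Scanner plugin later in the deck, this only detects and never modifies files.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators worth a human look in theme/plugin/core files. They are hints,
# not proof: legitimate plugins also call base64_decode() and eval().
INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    # Output that depends on whether a crawler is asking is the signature of
    # links "only shown to search engines".
    "search-engine cloaking": re.compile(
        r"HTTP_USER_AGENT.{0,200}?(googlebot|bingbot|slurp)", re.I | re.S),
    "hidden link": re.compile(
        r"<(?:div|span|p)[^>]*display\s*:\s*none[^>]*>.{0,400}?<a\s", re.I | re.S),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
LINK = re.compile(r"<a\s[^>]*href\s*=", re.I)


def decoded_literals(text: str) -> List[str]:
    """Decode base64 string literals passed straight into base64_decode()."""
    out = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
        except (binascii.Error, ValueError):
            continue
        out.append(raw.decode("utf-8", "replace"))
    return out


def scan_text(text: str) -> List[str]:
    """Names of every indicator that fires on this file content, including a
    link that only appears after decoding a base64 literal."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    for payload in decoded_literals(text):
        if INDICATORS["hidden link"].search(payload) or LINK.search(payload):
            hits.append("link inside base64 payload")
            break
    return hits


def count_links(html: str) -> int:
    """Number of <a href> tags in rendered output; a sudden jump (the talk saw
    375 per page) is itself worth alerting on."""
    return len(LINK.findall(html))


def scan_tree(root: Path, extensions=(".php", ".html", ".js")) -> Dict[str, List[str]]:
    """Walk an install and map relative path -> indicators found."""
    report: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed samples: a clean theme footer and the same footer with a
# cloaked, base64-wrapped hidden link block appended (made up for the demo).
CLEAN_FOOTER = '<?php wp_footer(); ?>\n<footer><a href="/about/">About</a></footer>\n'
_SPAM_HTML = b'<div style="display:none"><a href="http://spam.example.invalid/">x</a></div>'
INJECTED_FOOTER = CLEAN_FOOTER + (
    "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
    "    echo base64_decode('" + base64.b64encode(_SPAM_HTML).decode() + "');\n"
    "} ?>\n"
)


def demo_scan() -> Dict[str, List[str]]:
    """Write both samples into a throwaway theme directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(CLEAN_FOOTER)
        (theme / "footer-injected.php").write_text(INJECTED_FOOTER)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        print(f"{path}: {', '.join(hits)}")
```

      Because the multisite install in the hack example carried the infection without showing spam links itself, scan the whole hosting account, not just the site that displays the links; run scan_tree() over every WordPress root it contains and diff the report against a known-good copy of the same plugin and theme versions.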
  39. TOP SECURITY TIPS FOR WORDPRESS: 8. Be Secure Locally. Think of your local environment as if it were a medieval castle and you're the queen or king. Your kingdom must be protected! Keep your computer up to date: ensure you're patching or installing updates ASAP; automatic updates rock! Install an anti-virus solution: ensure you're keeping definitions current; automatic updates aren't a bad idea here either! Yes, personal firewalls still apply!
  40. TOP SECURITY TIPS FOR WORDPRESS: 8. Be Secure Locally. It's your information, but who's watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection: use SSL whenever possible, especially on an unverified connection. HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s): consider using SFTP or SSH vs. FTP. FTP is still widely marketed, but did you know your credentials are passed unencrypted when using FTP? If unavoidable, do not allow anonymous logins, limit connections, and practice least privilege. Don't store your credentials in your FTP client.
  41. TOP SECURITY TIPS FOR WORDPRESS: 9. Use a Trusted Host. You get what you pay for...
  42. TOP SECURITY TIPS FOR WORDPRESS: 9. Use a Trusted Host. "At the end of the day, hosting providers market the world. You, in turn, should have the opportunity to know how they're going to protect you." Your Lovely Host! Cheap doesn't always mean best, or safe!! How many sites on their network are blacklisted for malware reasons? What version of software do they run and how often do they update? How are account credentials stored & who has access?
  43. TOP SECURITY TIPS FOR WORDPRESS: 9. Use a Trusted Host. Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress-specific hosting!
  44. TOP SECURITY TIPS FOR WORDPRESS: 10. Use Common Sense. Use a strong password. BAD: bradisawesome. GOOD: SCrEE79joLly$. A=@, E=3, S=$, O=0 (this is not unique; they know this). Update passwords regularly (monthly; make a schedule). Know your admins; limit the number of accounts (WP, FTP, hosting, etc.). Backup, Backup, Backup (use BackupBuddy for scheduled backups).
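      Added example, not from the slides: a password check that makes the "they know this" point concrete. normalize() undoes the letter-for-symbol swaps the slide lists (plus a few equally common ones, my addition) before the dictionary check, so the BAD password stays bad even after it is dressed up as Br@d1s@we$0me, while the GOOD one passes. The substitution table and the tiny wordlist are constructed for the demo; a real check uses a full dictionary or breach list.

```python
import re
from typing import List

# The substitutions the slide lists (A=@, E=3, S=$, O=0) plus a few equally
# well-known ones; this table is my assumption, not the presenter's.
LEET = {"@": "a", "4": "a", "3": "e", "$": "s", "5": "s", "0": "o",
        "1": "i", "!": "i", "|": "l", "7": "t"}
# Constructed mini wordlist for the demo.
WORDLIST = {"brad", "awesome", "password", "welcome", "letmein", "admin", "wordpress"}


def normalize(password: str) -> str:
    """Undo the obvious letter-for-symbol swaps and lowercase the rest,
    the same normalization that cracking rule sets apply."""
    return "".join(LEET.get(ch, ch.lower()) for ch in password)


def dictionary_words(password: str, words=WORDLIST) -> List[str]:
    """Wordlist entries that survive inside the normalized password."""
    base = normalize(password)
    return sorted(w for w in words if w in base)


def password_problems(password: str, words=WORDLIST) -> List[str]:
    """Empty list means the password clears length, variety and dictionary checks."""
    problems: List[str] = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    found = dictionary_words(password, words)
    if found:
        problems.append("dictionary words after undoing substitutions: " + ", ".join(found))
    return problems


if __name__ == "__main__":
    for candidate in ("bradisawesome", "Br@d1s@we$0me", "SCrEE79joLly$"):
        print(candidate, "->", password_problems(candidate) or "ok")
```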
  45. PLUGINS & SERVICES FOR WORDPRESS
  46. PLUGINS & SERVICES FOR WORDPRESS: Login Lockdown
  47. PLUGINS & SERVICES FOR WORDPRESS: BulletProof Security. .htaccess lockdown rules for various directories (root, wp-admin, etc.); security status scanner for folder/file permissions and file checks; very well documented.
  48. PLUGINS & SERVICES FOR WORDPRESS: Secure WordPress. Hides login error messages; adds index.php to /themes and /plugins to prevent directory listing; removes WP, plugin, and theme update notices for non-admins; and more!
  49. PLUGINS & SERVICES FOR WORDPRESS: Exploit Scanner. Scans your files and database for potentially malicious code; does not remove code, only detects it.
  50. PLUGINS & SERVICES FOR WORDPRESS: Sucuri (http://…). Free website malware scanner: http://…; website monitoring; hack cleanup services; Sucuri Security Plugin, free to clients: Web Application Firewall, Integrity Monitoring, Auditing, Hardening.
  51. RESOURCES FOR WORDPRESS. Security-related articles: http://…; http://…-wordpress-a-security-webinar-with-dre-armeda.html; http://…-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html; http://…-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html. Clean a hacked site: http://…; http://…-hacked/. Support forums: Hacked: http://…; Malware: http://…
  52. CONTACT BRAD: Brad Williams. Blog: …; Twitter: @williamsba; IRC: WDS-Brad. Professional WordPress, Second Edition, coming December 2012!