Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.

1. WORDPRESS SECURITY
By Brad Williams (@williamsba)

2. WHO IS BRAD?
Brad Williams: Co-Founder, WebDevStudios.com; Co-Author, Professional WordPress and Professional WordPress Plugin Development; Co-Organizer, WordCamp Philly; Co-Host, DradCast

3. TODAY'S TOPICS
• Security Stats
• Example Hack
• Top Security Tips
• Recommended Plugins & Services
• Resources

4. SECURITY STATS FOR WORDPRESS
5. SECURITY STATS
• 700+ million websites, May 2012 (Netcraft)
• 300 million websites in 2011 (Pingdom)
• 10+ billion indexed pages (WorldWebSize)
Projected: 1 billion websites by 2013, 2 billion websites by 2015
[Chart: number of websites (millions) by year, 2011 to 2015]

6. SECURITY STATS: WordPress Stats
• 73+ million WordPress-powered websites
• 18% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 million WordPress sites by 2015

7. SECURITY STATS: Web Malware Stats
• 403 million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 and 2011

8. SECURITY STATS: In Summary, Be Scared!
9. HACK EXAMPLE: Link Injection
Hacker bots look for known exploits (SQL injection, weak folder permissions, etc.). Any one of these lets them insert spam files and links into your WordPress themes, plugins, and core files.

10. HACK EXAMPLE: Link Injection
The hosting account contained two separate websites: a single WordPress install and a WordPress Multisite install.
[Diagram: WordPress and WordPress Multisite side by side on one hosting account]

11. HACK EXAMPLE: Link Injection
A hacker bot dropped a malicious file on the WP Multisite install.

12. HACK EXAMPLE: Link Injection
The compromised Multisite install then starts hacking the single WordPress install, inserting spam links into its theme, plugins, and core files.

13. HACK EXAMPLE: Link Injection
The WP Multisite install contains no spam links of its own; it acts as a carrier that spreads the contamination. Cleaning up the single WordPress site only resulted in more spam links a few days later, because the dropper on the neighbouring site was never removed. Every site that shares the account (and therefore the same filesystem user) has to be cleaned at the same time.

15. HACK EXAMPLE: Link Injection
375 spam links per page, shown only to search engines (the injected code checks the visitor's user agent, so a normal browser never sees them).
16. Scared Yet?

17. TOP SECURITY TIPS FOR WORDPRESS
That's It! Good luck!

18. TOP SECURITY TIPS FOR WORDPRESS
Securing WordPress
19. TOP SECURITY TIPS - 1. Update Update Update
Keep WordPress updated! Minor WordPress versions (e.g. 3.5.x) do NOT add new features. They contain bug fixes and security patches, so there is no compatibility reason to postpone them.

20. TOP SECURITY TIPS - 1. Update Update Update
Update those plugins! The plugin Changelog tab makes it easy to see what has changed in a new plugin version, including which security fixes it carries.

21. TOP SECURITY TIPS - 1. Update Update Update
NO EXCUSES! UPDATE!

22. TOP SECURITY TIPS - 2. Use Secret Keys
Some secrets should remain secrets.
23. TOP SECURITY TIPS - 2. Use Secret Keys
1. Edit wp-config.php. The eight keys and salts are random secrets that WordPress mixes into the hashes it uses to sign login cookies and nonces. If the installer placeholders are left in place those signatures are predictable. Changing the values invalidates every existing login cookie, so all users are signed out once after the change.
2. Visit this URL to get a freshly generated set: https://api.wordpress.org/secret-key/1.1/salt/

BEFORE (the placeholders WordPress ships with):
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

AFTER (the slide's example values from the URL above; quoting restored):
define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
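The two things a practitioner actually wants here are a way to tell whether a site is still running on the placeholder keys and a way to mint new ones without trusting a network fetch. The script below is an added example, not from the slides or from WordPress: it parses the eight define() lines out of a wp-config.php, counts the ones that are missing, still the placeholder, or suspiciously short, and generates replacements from /dev/urandom using a character set that is safe inside a single-quoted PHP string. The sample wp-config.php it checks is constructed inline.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit the eight secret keys/salts in a
# wp-config.php and generate replacements locally instead of fetching them.
set -u

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print how many of the eight constants are weak in the given wp-config.php:
# missing, still the installer placeholder, or shorter than 32 characters.
count_weak_salts() {
  local config="$1" weak=0 name value
  for name in $WP_SALT_NAMES; do
    # Pull the quoted value out of  define('NAME', 'value');  (single or double
    # quotes, any spacing). Generated values never contain a quote or backslash,
    # so the greedy match up to the closing  ');  is safe.
    value=$(sed -n -E "s/^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"](.*)['\"][[:space:]]*\);.*$/\1/p" "$config" | head -n 1)
    if [ -z "$value" ] || [ "$value" = "put your unique phrase here" ] || [ "${#value}" -lt 32 ]; then
      weak=$((weak + 1))
    fi
  done
  echo "$weak"
}

# 64 random characters from /dev/urandom, restricted to printable ASCII minus
# anything that would break a single-quoted PHP string (no quotes, no backslash).
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+[]{};:,.<>?~|-' < /dev/urandom | head -c 64
}

# Emit eight fresh define() lines ready to paste over the old ones.
generate_salts() {
  local name
  for name in $WP_SALT_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(random_salt)"
  done
}

# Demo on a constructed wp-config.php that still carries the placeholders.
demo_dir=$(mktemp -d)
{
  echo '<?php'
  for n in $WP_SALT_NAMES; do echo "define('$n', 'put your unique phrase here');"; done
} > "$demo_dir/wp-config.php"
echo "weak salts in placeholder config: $(count_weak_salts "$demo_dir/wp-config.php")"
{ echo '<?php'; generate_salts; } > "$demo_dir/wp-config.new.php"
echo "weak salts after regeneration:    $(count_weak_salts "$demo_dir/wp-config.new.php")"
rm -rf "$demo_dir"
```

Run count_weak_salts against the real wp-config.php before and after pasting in the output of generate_salts; anything other than 0 afterwards means a define() line was missed or mangled. Expect every logged-in user, yourself included, to be signed out the moment the new values go live.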
24. TOP SECURITY TIPS FOR WORDPRESS
Do you log in with the username admin?
26. TOP SECURITY TIPS - 3. Delete the Admin user account
Change the admin username in MySQL (adjust the table name if your prefix is not wp_):
UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Note that this changes only the login name. The same row's user_nicename (which appears in author archive URLs such as /author/admin/) and display_name still say admin until you change them too, so the old name stays guessable unless you do.
Or create a new account with administrator privileges:
1. Create a new account. Make the username very unique.
2. Set the account to the Administrator role.
3. Log out and log back in with the new account.
4. Delete the admin account. WordPress will let you reassign all content written by admin to an account of your choice.

27. TOP SECURITY TIPS - 3. Delete the Admin user account
WordPress lets you set the username during the installation process! DON'T USE ADMIN!

28. TOP SECURITY TIPS - 3. Delete the Admin user account
Knowing your username is half the battle. Don't make it easy on the hackers.
29. TOP SECURITY TIPS - 4. File and Folder Permissions
What folder permissions should you use? Good rule of thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above. If your host requires 777 (world-writable) for WordPress to work... SWITCH HOSTS!

30. TOP SECURITY TIPS - 4. File and Folder Permissions
Or via SSH with the following commands (the backslash before the semicolon is required; the shell eats it otherwise):
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
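Before running the two chmod commands across a live site it is worth seeing what the host actually set, so you know whether 777 was the default or a one-off. The script below is an added example, not from the slides: it lists every path that deviates from the 644/755 rule, separately lists anything world-writable (the 777 case), then applies the slide's fix and audits again. The WordPress tree it works on is a small constructed one. One deliberate omission: wp-config.php is commonly locked down tighter than 644, and if you do that it will show up as a deviation here, which is fine as long as you know why.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit a WordPress tree against the
# 644/755 rule of thumb before applying it, so you see what the host had set.
set -u

# Every path whose mode is not exactly 644 (files) or 755 (directories).
list_bad_perms() {
  find "$1" -type f ! -perm 644
  find "$1" -type d ! -perm 755
}

# Anything writable by "other": the 777 case the slide tells you to leave a host over.
list_world_writable() {
  find "$1" -perm -002
}

count_bad_perms() { list_bad_perms "$1" | wc -l | tr -d ' '; }
count_world_writable() { list_world_writable "$1" | wc -l | tr -d ' '; }

# The slide's two find/chmod commands with the escaped terminator restored.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
}

# Build a small constructed tree and deliberately loosen two entries the way a
# badly configured shared host might.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
  : > "$root/index.php"
  : > "$root/wp-config.php"
  : > "$root/wp-content/uploads/cache.php"
  fix_perms "$root"                               # normalise regardless of umask
  chmod 777 "$root/wp-content/uploads"            # world-writable directory
  chmod 777 "$root/wp-content/uploads/cache.php"  # world-writable, executable file
}

site=$(mktemp -d)/wordpress
make_sample_tree "$site"
echo "before: $(count_bad_perms "$site") deviations, $(count_world_writable "$site") world-writable"
list_bad_perms "$site"
fix_perms "$site"
echo "after:  $(count_bad_perms "$site") deviations, $(count_world_writable "$site") world-writable"
rm -rf "$(dirname "$site")"
```

On a real site, run list_world_writable first and read the output: a world-writable uploads directory is the classic place a dropped PHP file lands, which is exactly the entry point in the link-injection story above.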
31. TOP SECURITY TIPS - 5. Move wp-config.php
WordPress can load wp-config.php from one directory above your WordPress root: if no wp-config.php is found in the root, WordPress checks the parent directory (and only the parent, and only if that directory is not itself another WordPress install).
If WordPress is located here: public_html/wordpress/wp-config.php
You can move your wp-config.php file to here: public_html/wp-config.php
This only protects the file if the parent directory is not served by the web server, e.g. when the domain's document root is public_html/wordpress. If public_html is the document root, the moved file is still reachable at /wp-config.php and you have gained nothing. Where the parent really is outside the web root, a browser can no longer request the file even if PHP ever stops executing it and the server falls back to serving it as text.

32. TOP SECURITY TIPS - 6. Lock Down WP Login and WP Admin

33. TOP SECURITY TIPS - 6. Lock Down WP Login and WP Admin
Add the line below to wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Add the line below to wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens encrypts everything transmitted, including your login cookie on every request, with the same encryption online shops use. The site needs a valid certificate for its domain first, or you will lock yourself out of the dashboard with a browser warning. FORCE_SSL_LOGIN was later deprecated (WordPress 4.0) in favour of FORCE_SSL_ADMIN, which covers login as well; on a current install only the second line is needed.

34. TOP SECURITY TIPS - 6. Lock Down WP Login and WP Admin
1. Create an .htaccess file in your wp-admin directory.
2. Add the following lines (Apache 2.2 syntax):
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address(es) to whitelist
allow from 123.123.123.*
Only a visitor coming from 123.123.123.* can reach wp-admin. Two caveats: wp-admin/admin-ajax.php is used by front-end plugins for anonymous visitors, so blanket-blocking the directory will break them unless you add an exception for that file; and on Apache 2.4 the order/deny/allow directives are replaced by Require ip. A dynamic home IP will also lock you out whenever it changes.
35. TOP SECURITY TIPS - 7. Use Trusted Sources for Themes & Plugins
WPMU.org reviewed the top 10 results for "free wordpress themes" on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

36. TOP SECURITY TIPS - 7. Use Trusted Sources for Themes & Plugins
The only safe site reviewed was WordPress.org. Most themes from the other sites included base64-encoded text links promoting various services, hidden in the theme code so they survive a casual look at the footer.
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
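The base64-encoded footer links in free themes and the 375-per-page cloaked spam links from the hack example earlier are the same technique seen from two angles: obfuscated markup, often emitted only when the visitor's user agent looks like a search-engine crawler. The script below is an added example, not from the slides, WPMU.org or WordPress: it greps a theme or plugin directory for the indicators such code relies on (base64_decode, eval, gzinflate, str_rot13, HTTP_USER_AGENT), then decodes the base64 literals so you can read what was hidden. The sample theme is constructed inline, with one clean file and one carrying an injected cloaked link. Treat hits as a triage list rather than proof; legitimate plugins use HTTP_USER_AGENT and base64_decode too, so read each hit before deleting anything.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): triage theme and plugin files for the
# constructs spam injectors and "free theme" footers rely on, and decode the
# base64 blobs so the hidden markup can be read. Hits need a human look.
set -u

# Indicators, not proof: obfuscation helpers plus user-agent sniffing, which is
# how cloaked links end up shown only to search engines.
SUSPICIOUS_RE='base64_decode|eval[[:space:]]*\(|gzinflate|str_rot13|HTTP_USER_AGENT'

# PHP files under DIR containing any indicator, one path per line.
list_suspicious_files() {
  grep -rlE --include='*.php' "$SUSPICIOUS_RE" "$1" || true
}
count_suspicious_files() { list_suspicious_files "$1" | wc -l | tr -d ' '; }

# Decode every literal passed to base64_decode('...') in FILE, one per line.
decode_b64_payloads() {
  grep -ohE "base64_decode\(['\"][A-Za-z0-9+/=]+['\"]\)" "$1" \
    | sed -E "s/^base64_decode\(['\"]//; s/['\"]\)\$//" \
    | while IFS= read -r blob; do
        printf '%s' "$blob" | base64 -d 2>/dev/null && echo
      done
}

# Constructed sample theme: one clean file, one carrying an injected cloaked link.
make_sample_theme() {
  local dir="$1" payload
  mkdir -p "$dir"
  payload=$(printf '%s' '<a href="http://example.com/spam">cheap watches</a>' | base64 | tr -d '\n')
  cat > "$dir/functions.php" <<'EOF'
<?php
// Legitimate theme code.
register_nav_menu('primary', 'Primary Menu');
EOF
  cat > "$dir/footer.php" <<EOF
<?php
// Injected: emit the hidden link only when a search-engine crawler asks.
if (stripos(\$_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    echo base64_decode('$payload');
}
?>
<footer>&copy; Example Site</footer>
EOF
}

theme=$(mktemp -d)/free-theme
make_sample_theme "$theme"
echo "flagged files: $(count_suspicious_files "$theme")"
for f in $(list_suspicious_files "$theme"); do
  echo "== $f"
  grep -nE "$SUSPICIOUS_RE" "$f"
  decode_b64_payloads "$f"
done
rm -rf "$(dirname "$theme")"
```

Point list_suspicious_files at wp-content/themes and wp-content/plugins on a site you are cleaning, and at a freshly downloaded theme before you ever install it. Remember the lesson from the hack example: if two sites share the account, scan both, because the one that looks clean may be the carrier.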
37. TOP SECURITY TIPS - 8. Be Secure Locally
Think of your local environment as a medieval castle with you as the king or queen. Your kingdom must be protected! A compromised laptop hands over every site password, FTP login and session cookie on it, no matter how hardened the server is.
Keep your computer up to date
• Ensure you're patching or installing updates ASAP
• Automatic updates rock!
Install an anti-virus solution
• Ensure you're keeping definitions current
• Automatic updates aren't a bad idea here either!
Yes, personal firewalls still apply!

38. TOP SECURITY TIPS - 8. Be Secure Locally
It's your information, but who's watching and listening? You may be a network geek at home, but what happens at Starbucks?
Your Internet connection
Use SSL whenever possible, especially on a connection you don't control.
• HTTPS is a great way to ensure your transactions and traffic are travelling with security in mind.
Connecting to your site(s)
Use SFTP or SSH instead of FTP.
• FTP is still widely marketed, but your credentials are passed unencrypted when you use it, so anyone on the same network can read them.
• If unavoidable, do not allow anonymous logins, limit connections, and practise least privilege.
• Don't store your credentials in your FTP client.

39. TOP SECURITY TIPS - 9. Use a Trusted Host
You get what you pay for...

40. TOP SECURITY TIPS - 9. Use a Trusted Host
"At the end of the day, hosting providers market the world. You, in turn, should have the opportunity to know how they're going to protect you." (attributed on the slide to "Your Lovely Host!")
• Cheap doesn't always mean best, or safe!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored and who has access?

41. TOP SECURITY TIPS - 9. Use a Trusted Host
Only use a trusted host that clearly states their security policies. Bonus points if they specialise in WordPress-specific hosting!

42. TOP SECURITY TIPS - 10. Use Common Sense
• Use a strong password
  • BAD: bradisawesome
  • GOOD: SCrEE79joLly$
  • A=@, E=3, S=$, O=0: these substitutions are not unique, every cracking wordlist already includes them
• Update passwords regularly (monthly; make a schedule)
• Know your admins, limit the number of accounts (WP, FTP, hosting, etc.)
• Backup, Backup, Backup (use BackupBuddy for scheduled backups)
43. PLUGINS & SERVICES FOR WORDPRESS

44. PLUGINS & SERVICES: Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/

45. PLUGINS & SERVICES: BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/
• .htaccess lockdown rules for various directories (root, wp-admin, etc.)
• Security status scanner for folder/file permissions and file checks
• Very well documented

46. PLUGINS & SERVICES: Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/
• Hides login error messages (which otherwise reveal whether a username exists)
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!

47. PLUGINS & SERVICES: Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
• Scans your files and database for potentially malicious code
• Does not remove code, only detects it

48. PLUGINS & SERVICES: Sucuri
http://Sucuri.net
• Free website malware scanner: http://sitecheck.sucuri.net/scanner/
• Website monitoring
• Hack cleanup services
• Sucuri Security Plugin (free to clients): web application firewall, integrity monitoring, auditing, hardening

49. PLUGINS & SERVICES: Maintainn
http://maintainn.com
50. RESOURCES FOR WORDPRESS
• Security Related Articles
  • http://codex.wordpress.org/Hardening_WordPress
  • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
• Clean a Hacked Site
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://www.marketingtechblog.com/wordpress-hacked/
• Support Forums
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware

51. DRADCAST PLUG
Listen to the DradCast WordPress Podcast, LIVE every Wednesday at 8pm EDT: DradCast.com

52. CONTACT BRAD
Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Professional WordPress, Second Edition is OUT! http://bit.ly/prowp2