wordcamp mid-atlantic wordpress security

Props @tweetsfromchris

Brad WilliamsCo-Founder of WebDevStudios.com

Organizer NJ/Philly WordPress Meetup

Co-Host SitePoint Podcast

Co-Author of Professional WordPress (http://bit.ly/pro-wp)

Who Am I?

The Goal of this Presentation…

…Is to scare the crap out of you!

The Goal of this Presentation…

…and then make everything better

with the best security tips!

Example WordPress Hacks

Securing Your WordPress Website

How to Clean Up a Hacked Site

Hosting Considerations

Recommended Plugins

Topics

Who Do Hackers Target?

Who Is Safe?

NO ONE

Scared Yet?

Example

WordPress

Hacker bot finds a security hole on your website

Example

Hacker bot hides a file in your WordPress installation

WordPress

Akismet.cache.php is NOT an Akismet file

Example

WordPress Hacker Bot

Hacker bot can now trigger this file/code remotely

Example

WordPress Hacker Bot

Common Hacker bot script jobs

• Add spam content and links to your websites theme files

• Create posts and pages with spam content and links

• Delete posts/pages/settings wreaking havoc on your site

• etc, etc, bad stuff, etc, etc

CSS Hides the Spam

Hidden Spam Links

Only Noobs Get Hacked

WRONG!

Scobleizer.com: HACKED

Pearsonified.com: HACKED

FeaturedContentGallery.com: HACKED

Make it Stop!

Palette Cleanser

Securing WordPress

Don‟t use the admin account

UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';

If you are using the admin account you are wrong!

Either change the username in MySQL:

Or create a new/unique account with administrator privileges.

1. Create a new account. Make the username very unique

2. Assign account to Administrator role

3. Log out and log back in with new account

4. Delete admin account

Make it hard on the hacker! If they already know your username that‟s half the battle

Don‟t use the admin account

WordPress 3.0 lets you set

the administrator username

during the installation

process!

The Great Permission Debate

What folder permissions should you use?

Good Rule of Thumb:

• Files should be set to 644

• Folders should be set to 755

Start with the default settings above

If your host requires 777…SWITCH HOSTS!

Permission levels vary depending on server configuration

The Great Permission Debate

Permissions can be set via FTP

find [your path here] -type d -exec chmod 755 {} \;

find [your path here] -type f -exec chmod 644 {} \;

Or via SSH with the following commands

Move the wp-config.php file

WordPress 2.6 added the ability to move the wp-config.php

file one directory above your WordPress root

This makes it nearly impossible for anyone to access your wp-config.php

file as it now resides outside of your website‟s root directory

You can move your wp-config.php file to here

WordPress automatically checks the parent directory if a

wp-config.php file is not found in your root directory

public_html/wordpress/wp-config.php

If WordPress is located here:

public_html/wp-config.php

Move the wp-content Directory

WordPress 2.6 added the ability to move the wp-content directory

1. Move your wp-content directory

2. Make two additions to wp-config.php

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );

define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content');

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );

define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');

If you have compatibility issues with plugins there are two optional settings

If hackers can‟t find your wp-content folder, they can‟t hack it!

Stay Current on UpdatesKeep WordPress core, plugins, and theme files up to date

The plugin Changelog tab

makes it very easy to view

what has changed in a new

plugin version

Recent WordPress hack only affected outdated WordPress installs

Use Secure PasswordsUse strong passwords to protect your website from dictionary attacks

Not just for WordPress, but also FTP, MySQL, etc

BAD PASSWORD: bradrocks

Great resource:

toughpassword.com

Creates random passwords

GOOD PASSWORD: S-gnop2D[6@8

WordPress will tell you

when you have it right

Use Secret Keys

define('AUTH_KEY', 'put your unique phrase here');

define('SECURE_AUTH_KEY', 'put your unique phrase here');

define('LOGGED_IN_KEY', 'put your unique phrase here');

define('NONCE_KEY', 'put your unique phrase here');

define('AUTH_SALT', 'put your unique phrase here');

define('SECURE_AUTH_SALT', 'put your unique phrase here');

define('LOGGED_IN_SALT', 'put your unique phrase here');

define('NONCE_SALT', 'put your unique phrase here');

1. Edit wp-config.php

A secret key is a hashing salt which makes your site harder to

hack by adding random elements to the password.

2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt

BEFORE

define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');

define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');

define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');

define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');

define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');

define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');

define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');

define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');

You can add/change secret keys at anytime.

This will invalidate all existing cookies and require your users to login again

Change WordPress Table Prefix

* WordPress Database Table prefix.

* You can have multiple installations in one database if you give each a unique

* prefix. Only numbers, letters, and underscores please!

$table_prefix = „wtf_';

1. Edit wp-config.php before installing WordPress

All database tables will now have a unique prefix (ie wtf_posts)

2. Change the prefix wp_ to something unique:

Force SSL Login and Admin Access

define('FORCE_SSL_LOGIN', true);

Set the below option in wp-config.php to force SSL (https) on login

Set the below option in wp-config.php to force SSL (https) on all admin pages

define('FORCE_SSL_ADMIN', true);

.htaccess lockdown

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName "Access Control"

AuthType Basic

order deny,allow

deny from all

#IP address to Whitelist

allow from 67.123.83.59

allow from 123.123.123.123

1. Create a .htaccess file in your wp-admin directory

Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin

2. Add the following lines of code:

Hosting Considerations

You Get What You Pay For

Shared Hosting

Shared Hosting Server

Website

Shared Hosting

Website

What‟s

wrong with

that guy?

Shared Hosting

Website

Oh frack!

Shared Hosting

Website

braaaaains

#protip

Invest In Your Website

Go VPS or Dedicated

Clean Up a Hacked Site

Step 1: Delete Everything and Start Over!

Step 1: Do a Fresh Install of WordPress

• Delete, don‟t overwrite, all original WordPress files

• Upload fresh copies of all WordPress core files

Be sure to backup your theme, plugins, media, etc

Step 2: Re-install All Plugins

• Install fresh copies of all WP plugins need

• DON‟T use the same plugin files from the hacked site

Step 3: Re-install Your Theme

• If possible install a fresh copy of your theme

• If using the old theme be sure to inspect every file for hack code

Step 4: Change all Passwords and Keys

• Change your passwords: WordPress, FTP, MySQL

• Verify the hacker didn‟t create another user, if so delete it

• Update your secret keys in wp-config.php (as shown earlier)

Step 5: Scan Database for Malicious Code

• Look for common hack keywords:

• eval, base64, strrev, iframe, noscript, display

• Use WordPress Exploit Scanner plugin (discussed later)

Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'

Step 6: Verify folder/file permissions

• Check all folder and file permissions are correct

• Reset to 755 on folders and 644 on files if needed

Step 7: Pray

Recommended Security Plugins

WP Security Scan

http://wordpress.org/extend/plugins/wp-security-scan/

ServerBuddy

http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/

WordPress Exploit Scanner

http://wordpress.org/extend/plugins/exploit-scanner/

WordPress File Monitor

http://wordpress.org/extend/plugins/wordpress-file-monitor/

Login Lockdown

http://wordpress.org/extend/plugins/login-lockdown/

Security Related Codex Articles› http://codex.wordpress.org/Hardening_WordPress

› http://codex.wordpress.org/Changing_File_Permissions

› http://codex.wordpress.org/Editing_wp-config.php

› http://codex.wordpress.org/htaccess_for_subdirectories

Blog Security Articles› http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-

wordpress-admin-area/

› http://www.growmap.com/wordpress-exploits/

› http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/

› http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/

› http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/

› http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog

Clean A Hacked Site› http://codex.wordpress.org/FAQ_My_site_was_hacked

› http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

› http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

› http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

› http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html

WordPress Security Resources

Brad Williamsbrad@webdevstudios.com

Blog: strangework.com

Twitter: @williamsba

IRC: WDS-Brad

http://www.slideshare.net/williamsba

Contact

Tweet: @williamsba WordPress Security Rocks! #wcma

Win a copy of Professional WordPress!

wordcamp mid-atlantic wordpress security

wordpress rootif wordpress

wpcontent directory

file wordpress

wordpress website

securing wordpress

wordpress core

wordpress hacker bot

wpcontent folder

Technology

wordpress security - wordcamp nyc 2009

wordpress seo strategy wordcamp raleigh

wordcamp wilmington wordpress 101

wordpress security - wordcamp boston 2010

wordpress accessibility - wordcamp buffalo 2016

wordcamp toronto - wordpress in the cloud

wordpress seo - wordcamp seattle #wcsea

creating wordpress childthemes - wordcamp nyc 2012

wordpress 2025 (wordcamp frankfurt 2016)

optimizing wordpress (wordcamp philly 2011)

wordcamp nashville: clean code for wordpress

wordpress accessibility: wordcamp chicago

wordcamp north canton - wordpress & podcasting

wordcamp finland wordpress seo workshop

psd to wordpress (wordcamp la)

workflow wordpress + javascript - wordcamp rio

wordcamp osaka 2012: wordpress 対談

wordpress & user experience - wordcamp london

wordpress seo - wordcamp 2015

speed up wordpress wordcamp pdx 2009