Download - Protect Your WordPress From The Inside Out
WORDPRESS SECURITYBY BRAD WILLIAMS & BRIAN MESSENLEHNER
Brad Williams
@williamsba
Brian Messenlehner
@bmess
WHO ARE THESE GUYS?
Brad Williams
@williamsba
Brad Williams
Co-Founder WebDevStudios.comCo-Author Professional WordPress
& Professional WordPress
Plugin DevelopmentCo-Organizer WordCamp PhillyCo-Host DradCast
Brian Messenlehner
Co-Founder WebDevStudios.comCo-Author Building Web Apps with WordPress Co-Organizer New Jersey WordPress Meetup
Brian Messenlehner
@bmess
TODAY’S TOPICS
• Security Stats• Example Hack• Top Security Tips• Recommended Plugins & Services• Resources
Brad Williams
@williamsba
Brian Messenlehner
@bmess
SECURITY STATSFOR WORDPRESS
Security Stats
Brad Williams
@williamsba
Brian Messenlehner
@bmess
SECURITY STATS
700+ million websites May 2012 (Netcraft)
300 million websites in 2011 (Pingdom)
10+ billion indexed pages (WorldWebSize)
Projected:• 1 Billion websites by 2013• 2 Billion websites by 2015
2011 2012 2013 20150
500
1000
1500
2000
2500
Websites
Websites
Brad Williams
@williamsba
Brian Messenlehner
@bmess
SECURITY STATS
WordPress Stats• 73+ Million WordPress powered websites• 18.9% of all websites are running WordPress• 22 out of every 100 new domains in the U.S.
launches with WordPress• Projected 300-500 Million WordPress sites by
2015
Brad Williams
@williamsba
Brian Messenlehner
@bmess
SECURITY STATS
Web Malware Stats• 403 Million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 - 2011
Brad Williams
@williamsba
Brian Messenlehner
@bmess
SECURITY STATS
In Summary – Be Scared!
Brad Williams
@williamsba
Brian Messenlehner
@bmess
SECURITY STATSFOR WORDPRESS
Hack Example
Brad Williams
@williamsba
Brian Messenlehner
@bmess
HACK EXAMPLE
Link InjectionHacker bots look for known exploits (SQL Injection, folder
permissions, etc)This allows them to insert spam files/links into your WordPress Themes, plugins, and core files.
Brad Williams
@williamsba
Brian Messenlehner
@bmess
HACK EXAMPLE
Link InjectionHosting account contained two separate websites
WordPress WordPress Multisite
Brad Williams
@williamsba
Brian Messenlehner
@bmess
HACK EXAMPLE
Link InjectionHacker bot dropped a malicious file on a WP Multisite install
WordPress WordPressMultisite
Brad Williams
@williamsba
Brian Messenlehner
@bmess
HACK EXAMPLE
Link InjectionWordPress Multisite starts hacking WordPress install
Inserting spam links into the theme, plugins, and core files
WordPress WordPressMultisite
Brad Williams
@williamsba
Brian Messenlehner
@bmess
HACK EXAMPLE
Link InjectionWP Multisite contains no spam links
Acts as a carrier to spread the contamination
Cleaning up the WordPress website onlyresulted in more spam links a few days later
WordPress WordPressMultisite
Brad Williams
@williamsba
Brian Messenlehner
@bmess
HACK EXAMPLE
Link Injection375 spam links per page, only shown to search engines
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
Securing WordPress
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
1 Update Update UpdateKeep WordPress Updated!
Minor WordPress versions ( ie 3.5.x ) do NOT add new features. They contain bug fixes and security patches
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
1 Update Update UpdateUpdate Those Plugins!
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
1. Update Update Update
NO EXCUSES! UPDATE!
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
2. Use Secret Keys
Some secrets should remain secrets
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
2. Use Secret Keys
define('AUTH_KEY', 'put your unique phrase here');define('SECURE_AUTH_KEY', 'put your unique phrase here');define('LOGGED_IN_KEY', 'put your unique phrase here');define('NONCE_KEY', 'put your unique phrase here');define('AUTH_SALT', 'put your unique phrase here');define('SECURE_AUTH_SALT', 'put your unique phrase here');define('LOGGED_IN_SALT', 'put your unique phrase here');define('NONCE_SALT', 'put your unique phrase here');
1. Edit wp-config.php
A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
BEFOREdefine('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
AFTER
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
Do you login with username admin?
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
3. Delete the Admin user account
UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Change the admin username in MySQL:
Or create a new account with administrator privileges.
1. Create a new account. Make the username very unique2. Set account to Administrator role3. Log out and log back in with new account4. Delete admin account
WordPress will allow you to reassign all content written by admin to an account of your choice.
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
3. Delete the Admin user account
WordPress lets you setthe username during the
installation process!
DON'T USE ADMIN!
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
3. Delete the Admin user accountKnowing your
username is half the battle.
Don't make it easy on the
hackers.
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
4. File and Folder PermissionsWhat folder permissions should you use?
Good Rule of Thumb:
• Files should be set to 644• Folders should be set to 755
Start with the default settings above
If your host requires 777…SWITCH HOSTS!
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
4. File and Folder Permissions
find [your path here] -type d -exec chmod 755 {} \;find [your path here] -type f -exec chmod 644 {} \;
Or via SSH with the following commands
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
5. Move wp-config.phpWordPress features the ability to move the wp-config.php
file one directory above your WordPress root
This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory
You can move your wp-config.php file to here
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
public_html/wordpress/wp-config.php
If WordPress is located here:
public_html/wp-config.php
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
6. Lock Down WP Login and WP Admin
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
6. Lock Down WP Login and WP Admin
define('FORCE_SSL_LOGIN', true);
Add the code below to wp-config.php to force SSL (https) on login
Add the code below to wp-config.php to force SSL (https) on all admin pages
define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
6. Lock Down WP Login and WP Admin
AuthUserFile /dev/nullAuthGroupFile /dev/nullAuthName "Access Control"AuthType Basicorder deny,allowdeny from all#IP address to Whitelistallow from 67.123.83.59allow from 123.123.123.*
1. Create an .htaccess file in your wp-admin directory
Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin
2. Add the following lines of code:
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
WPMU.org reviewed the top 10 results for “free wordpress themes” on Google.
Out of the ten sites reviewed
1. Safe: 12. Iffy: 13. Avoid: 8
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
The only safe site reviewed was WordPress.org
Most themes included base64() encoded text links to promote various servies
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
8. Be Secure LocallyThink of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!
Keep your computer up to date• Ensure you’re patching or installing updates ASAP
• Automatic updates rock!
Install an anti-virus solution • Ensure you’re keeping definitions current
• Automatic updates aren’t a bad idea here either!
Yes, personal firewalls still apply!
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
8. Be Secure LocallyIt’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?
Your Internet ConnectionUse SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.
Connecting To Your Site(s)Consider using sFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don’t store your credentials in your FTP client.
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
9. Use a Trusted Host
You get what you pay for…
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
9. Use a Trusted HostAt the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you.
Your Lovely Host
• Cheap doesn’t always mean best, or safe!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?
Brad Williams
@williamsba
Brian Messenlehner
@bmess
TOP SECURITY TIPSFOR WORDPRESS
10. Use Common Sense• Use a strong password
• BAD: bradisawesome• GOOD: SCrEE79joLly$• A=@, E=3, S=$, O=0 (This is not unique, they know this)
• Update passwords regularly (Monthly, make a schedule)• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
Brad Williams
@williamsba
Brian Messenlehner
@bmess
PLUGINS & SERVICESFOR WORDPRESS
Plugins & Services
Brad Williams
@williamsba
Brian Messenlehner
@bmess
PLUGINS & SERVICESFOR WORDPRESS
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
Brad Williams
@williamsba
Brian Messenlehner
@bmess
PLUGINS & SERVICESFOR WORDPRESS
Sucuri SecuritySiteCheck MalwareScanner
http://wordpress.org/plugins/sucuri-scanner/
• Scan your site for malware, SPAM injections, errors, and more
• Hardening of key WordPress directories
• Verify core WordPress files have not been modified
Brad Williams
@williamsba
Brian Messenlehner
@bmess
PLUGINS & SERVICESFOR WORDPRESS
Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
• Scans your files and database for potentially malicious code
• Does not remove code, only detects it
Brad Williams
@williamsba
Brian Messenlehner
@bmess
PLUGINS & SERVICESFOR WORDPRESS
http://Sucuri.net
• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/• Website monitoring• Hack cleanup services• Sucuri Security Plugin
• Free to clients• Web Application Firewall• Integrity Monitoring• Auditing• Hardening
http://Sucuri.net
Brad Williams
@williamsba
Brian Messenlehner
@bmess
RESOURCESFOR WORDPRESS
• Security Related Articles• http://codex.wordpress.org/Hardening_WordPress• http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html• http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-
locked.html• http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-
malware-company.html
• Clean a Hacked Site• http://codex.wordpress.org/FAQ_My_site_was_hacked• http://www.marketingtechblog.com/wordpress-hacked/
• Support Forums• Hacked: http://wordpress.org/tags/hacked• Malware: http://wordpress.org/tags/malware
Brad Williams
@williamsba
Brian Messenlehner
@bmess
CONTACT BRAD AND BRIAN
Brad [email protected]
Blog: strangework.comTwitter: @williamsba
http://bit.ly/prowp2
Brian [email protected]
Blog: brian.messenlehner.comTwitter: @bmess
http://bit.ly/prowp2
Brad Williams
@williamsba
Brian Messenlehner
@bmess