WordCamp Mid-Atlantic WordPress Security


Upload: brad-williams

Post on 29-Jan-2015


DESCRIPTION

My WordPress Security presentation given at WordCamp Mid-Atlantic 2010.

TRANSCRIPT

Page 1: WordCamp Mid-Atlantic WordPress Security

Props @tweetsfromchris

Page 2: Who Am I?

Brad Williams, Co-Founder of WebDevStudios.com

Organizer NJ/Philly WordPress Meetup

Co-Host SitePoint Podcast

Co-Author of Professional WordPress (http://bit.ly/pro-wp)

Page 3: The Goal of this Presentation…

Page 4: The Goal of this Presentation…

…Is to scare the crap out of you!

Page 5: The Goal of this Presentation…

…and then make everything better with the best security tips!

Page 6: Topics

Example WordPress Hacks

Securing Your WordPress Website

How to Clean Up a Hacked Site

Hosting Considerations

Recommended Plugins

Page 7: Who Do Hackers Target?

Page 8: Who Do Hackers Target?

YOU

Page 9: Who Is Safe?

Page 10: Who Is Safe?

NO ONE

Page 11: Scared Yet?

Page 12: Example

[Diagram: WordPress] Hacker bot finds a security hole on your website

Page 13: Example

[Diagram: WordPress] Hacker bot hides a file in your WordPress installation

Akismet.cache.php is NOT an Akismet file

Page 14: Example

[Diagram: WordPress and Hacker Bot] Hacker bot can now trigger this file/code remotely

Page 15: Example

Common Hacker bot script jobs

• Add spam content and links to your website's theme files

• Create posts and pages with spam content and links

• Delete posts/pages/settings, wreaking havoc on your site

• etc, etc, bad stuff, etc, etc
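The slides above show the attack in pictures; the practical question is how you notice a file like Akismet.cache.php before the bot uses it. The script below is an added example, not code from the talk: it builds a checksum manifest from a known-good copy of WordPress and diffs a live install against it, which is the check the WordPress File Monitor plugin recommended later in the talk automates. The two sample trees, the file names in them, and the dropped Akismet.cache.php are constructed here; on a real site you point make_manifest at a freshly extracted release of the same version as your install.

```shell
#!/bin/sh
# Added example: find files added to, changed in, or removed from a WordPress
# install by comparing it with a pristine copy of the same release.
# The sample trees built below are constructed; the functions work on real trees.

# sha256 of one file (GNU coreutils sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Manifest of a tree: "<sha256>  <relative path>" per file, sorted.
# Paths are split on whitespace later, so this assumes no spaces in file
# names (true of WordPress core and of well-behaved plugins).
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# Compare a live tree ($2) against the manifest of a known-good tree ($1).
# Prints ADDED / MODIFIED / MISSING followed by the path, sorted.
compare_tree() {
    livemanifest=$(mktemp)
    make_manifest "$2" > "$livemanifest"
    awk 'FILENAME == ARGV[1] { good[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in good))        print "ADDED " $2
             else if (good[$2] != $1)  print "MODIFIED " $2
         }
         END { for (p in good) if (!(p in seen)) print "MISSING " p }' \
        "$1" "$livemanifest" | LC_ALL=C sort
    rm -f "$livemanifest"
}

# Constructed stand-in for a WordPress tree: one core file, one plugin file.
build_sample() {
    mkdir -p "$1/wp-includes" "$1/wp-content/plugins/akismet"
    printf '<?php // constructed stand-in for a core file\n' > "$1/wp-includes/version.php"
    printf '<?php // constructed stand-in for the Akismet plugin\n' > "$1/wp-content/plugins/akismet/akismet.php"
}

# Demo: pristine copy vs. a live copy where a bot dropped Akismet.cache.php
# (the file from the slide) and appended to a core file.
demo() {
    good=$(mktemp -d); live=$(mktemp -d); manifest=$(mktemp)
    build_sample "$good"; build_sample "$live"
    printf '<?php // not an Akismet file\n' > "$live/wp-content/plugins/akismet/Akismet.cache.php"
    printf '// appended by the bot\n' >> "$live/wp-includes/version.php"
    make_manifest "$good" > "$manifest"
    compare_tree "$manifest" "$live"
    rm -rf "$good" "$live" "$manifest"
}

demo
```

Keep the manifest outside the tree it describes and off the web server, otherwise an attacker who can drop files can also rewrite the manifest. Run the comparison from cron and mail yourself the diff; an empty diff is the normal case.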

Page 16: CSS Hides the Spam

<b style="display:none">Any text you want to hide</b>

Page 17: Hidden Spam Links

Page 18: Only Noobs Get Hacked

Page 19: Only Noobs Get Hacked

WRONG!

Page 20: Scobleizer.com: HACKED

Page 21: Scobleizer.com: HACKED

Page 22: Scobleizer.com: HACKED

Page 23: Pearsonified.com: HACKED

Page 24: FeaturedContentGallery.com: HACKED

Page 25: Make it Stop!

Page 26: Palate Cleanser

Page 27: Securing WordPress

Page 28: Don't use the admin account

If you are using the admin account you are wrong!

Either change the username in MySQL (wp_users is the table name with the default wp_ prefix):

UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';

Change user_nicename for that row as well: it is the slug used in author archive URLs, so a nicename of 'admin' still advertises the account even after the login changes.

Or create a new/unique account with administrator privileges:

1. Create a new account. Make the username very unique

2. Assign account to Administrator role

3. Log out and log back in with new account

4. Delete admin account (when WordPress asks what to do with its posts, attribute them to the new account rather than deleting them)

Make it hard on the hacker! If they already know your username that's half the battle

Page 29:

Page 30: Don't use the admin account

WordPress 3.0 lets you set the administrator username during the installation process!
Page 31: The Great Permission Debate

What folder permissions should you use?

Good Rule of Thumb:

• Files should be set to 644

• Folders should be set to 755

Start with the default settings above

If your host requires 777…SWITCH HOSTS! (777 makes the file writable by every account on the server, not just yours.)

Permission levels vary depending on server configuration

Page 32: The Great Permission Debate

Permissions can be set via FTP, or via SSH with the following commands:

find [your path here] -type d -exec chmod 755 {} \;

find [your path here] -type f -exec chmod 644 {} \;
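An added example (not from the talk) that turns the rule of thumb into a check you can run before and after the two find commands: it lists every directory that is not 755, every file that is not 644, and anything world-writable, which is the part of the 777 problem that matters. The sample tree is constructed. Like the slide, it assumes PHP runs as the owner of the files; where the web server is a different user, wp-content/uploads needs group write for that user, not 777, and many hardening guides deliberately make wp-config.php 600 or 640, so treat a hit on that file as a judgment call rather than a defect.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 644/755 rule of thumb
# and flag world-writable entries. The sample tree below is constructed.

# Print, relative to $1 and sorted:
#   DIR-NOT-755 <path>      directory whose mode is not exactly 755
#   FILE-NOT-644 <path>     file whose mode is not exactly 644
#   WORLD-WRITABLE <path>   anything with the "other write" bit (the 777 case)
audit_perms() {
    ( cd "$1" && {
        find . -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
        find . -type f ! -perm 644 | sed 's/^/FILE-NOT-644 /'
        find . \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD-WRITABLE /'
    } ) | LC_ALL=C sort
}

# The slide's two commands, using "+" to batch paths instead of one chmod per file.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed tree with two common deviations: a 777 uploads directory
# (what some hosts ask for) and a 600 wp-config.php.
build_sample() {
    mkdir -p "$1/wp-content/uploads"
    : > "$1/wp-config.php"
    : > "$1/index.php"
    chmod 755 "$1" "$1/wp-content" && chmod 777 "$1/wp-content/uploads"
    chmod 600 "$1/wp-config.php" && chmod 644 "$1/index.php"
}

demo() {
    d=$(mktemp -d)
    build_sample "$d"
    echo "before:"; audit_perms "$d"
    fix_perms "$d"
    echo "after:";  audit_perms "$d"    # prints nothing: everything is now 755/644
    rm -rf "$d"
}

demo
```

Run audit_perms first and read the list before running fix_perms: a long list of world-writable files in wp-content/uploads after a compromise is evidence worth keeping, and a single chmod sweep destroys it.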

Page 33: Move the wp-config.php file

WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory (and only if that parent directory is not itself a WordPress install, i.e. contains no wp-settings.php)

If WordPress is located here:

public_html/wordpress/wp-config.php

You can move your wp-config.php file to here:

public_html/wp-config.php

What the move buys you is protection against the web server handing out the file as plain text when PHP handling breaks (a misconfigured handler, an editor backup copy next to it). It only takes the file out of the web server's reach when the parent directory lies outside the document root, which in the layout above it does not: public_html is still served. With WordPress installed directly in public_html, the file ends up beside public_html and is unreachable over HTTP. It does not help against code already running on the server, such as a file-inclusion bug in a plugin or another account on a shared host.

Page 34: Move the wp-content Directory

WordPress 2.6 added the ability to move the wp-content directory

1. Move your wp-content directory

2. Make two additions to wp-config.php

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );

define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content');

If you have compatibility issues with plugins there are two optional settings:

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );

define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');

If hackers can't find your wp-content folder, they can't hack it! (Count this as obscurity rather than protection: every theme stylesheet and plugin script the site enqueues carries the new wp-content URL in the page source, so one page load tells a scanner the path. It does defeat bots that blindly request /wp-content/plugins/<name>/ URLs from a list.)

Page 35: Stay Current on Updates

Keep WordPress core, plugins, and theme files up to date

The plugin Changelog tab makes it very easy to view what has changed in a new plugin version

Recent WordPress hack only affected outdated WordPress installs

Page 36: Use Secure Passwords

Use strong passwords to protect your website from dictionary attacks

Not just for WordPress, but also FTP, MySQL, etc

BAD PASSWORD: bradrocks

GOOD PASSWORD: S-gnop2D[6@8

Great resource: toughpassword.com creates random passwords

WordPress will tell you when you have it right (the strength meter on the profile screen)

Page 37: Use Secret Keys

1. Edit wp-config.php

2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt

The keys and salts are secrets WordPress mixes into the hashes it puts in its authentication cookies and nonces; they play no part in how stored passwords are hashed. An attacker who obtains a copy of your database (and so the password hashes) still cannot forge a login cookie without them. With the placeholder values left in place, everyone has them.

BEFORE

define('AUTH_KEY', 'put your unique phrase here');

define('SECURE_AUTH_KEY', 'put your unique phrase here');

define('LOGGED_IN_KEY', 'put your unique phrase here');

define('NONCE_KEY', 'put your unique phrase here');

define('AUTH_SALT', 'put your unique phrase here');

define('SECURE_AUTH_SALT', 'put your unique phrase here');

define('LOGGED_IN_SALT', 'put your unique phrase here');

define('NONCE_SALT', 'put your unique phrase here');

AFTER

define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');

define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');

define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');

define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');

define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');

define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');

define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');

define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');

The AFTER values are the ones printed on the slide and are therefore public; generate your own.

You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to login again
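For both the password slide and the secret-key slide, the thing you actually need is a source of random characters you control. The script below is an added example, not part of the talk or of WordPress: it draws from /dev/urandom to produce a password and the eight define() lines, so nothing about your secrets leaves the machine, and it includes a small strength rule that rejects the slide's BAD example and accepts the GOOD one. The character set, the 64-character key length and the 12-character password minimum are choices made here (the key length matches what api.wordpress.org hands out).

```shell
#!/bin/sh
# Added example for the password and secret-key slides: generate both locally
# from /dev/urandom instead of trusting a website to make them for you.
export LC_ALL=C

# $1 random characters from a set that needs no escaping inside a PHP
# single-quoted string (no quote, no backslash).
random_string() {
    tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~-' < /dev/urandom | head -c "$1"
}

gen_password() {
    random_string "${1:-20}"
    echo
}

# Minimal strength rule behind the BAD/GOOD contrast on the slide: at least
# 12 characters and three of the four classes lower/upper/digit/symbol.
# A dictionary word with a digit bolted on still fails the length test.
password_ok() {
    p=$1; n=0
    [ ${#p} -ge 12 ] || return 1
    case $p in *[a-z]*) n=$((n+1));; esac
    case $p in *[A-Z]*) n=$((n+1));; esac
    case $p in *[0-9]*) n=$((n+1));; esac
    case $p in *[!A-Za-z0-9]*) n=$((n+1));; esac
    [ "$n" -ge 3 ]
}

# The eight define() lines for wp-config.php, 64 characters each. Paste them
# over the "put your unique phrase here" placeholders.
gen_salts() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$k" "$(random_string 64)"
    done
}

echo "password: $(gen_password)"
gen_salts
```

Run gen_salts again whenever you suspect a cookie or database leak; as the slide says, rotating the keys logs everyone out, which is the point.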

Page 38: Change WordPress Table Prefix

1. Edit wp-config.php before installing WordPress

2. Change the prefix wp_ to something unique:

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wtf_';

All database tables will now have a unique prefix (ie wtf_posts)

This only blunts SQL injection payloads that hard-code wp_ table names; it is not a fix for the injection. Changing the prefix on a site that is already installed is more than a wp-config.php edit: every table has to be renamed, and so do the rows that carry the prefix in their names (the wp_user_roles option, and the wp_capabilities and wp_user_level keys in usermeta), or nobody will be able to log in as an administrator afterwards.

Page 39: Force SSL Login and Admin Access

Set the below option in wp-config.php to force SSL (https) on login:

define('FORCE_SSL_LOGIN', true);

Set the below option in wp-config.php to force SSL (https) on all admin pages:

define('FORCE_SSL_ADMIN', true);

Either one needs the host to serve the site over HTTPS with a valid certificate, or you lock yourself out. FORCE_SSL_LOGIN was deprecated in WordPress 4.0; on current versions set FORCE_SSL_ADMIN, which covers the login page as well.

Page 40: .htaccess lockdown

1. Create a .htaccess file in your wp-admin directory

2. Add the following lines of code:

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName "Access Control"

AuthType Basic

order deny,allow

deny from all

#IP address to Whitelist

allow from 67.123.83.59

allow from 123.123.123.123

Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin

The four Auth* lines do nothing on their own (there is no Require directive), so the restriction is the deny/allow block. That syntax is Apache 2.2; on Apache 2.4 the three lines become a single "Require ip 67.123.83.59 123.123.123.123". Two gaps to know about before relying on it: wp-login.php is not inside wp-admin, so password guessing against the login form (and against xmlrpc.php) is unaffected, and plugins that call wp-admin/admin-ajax.php from the public pages will break for visitors unless that one file is exempted. It also assumes you administer the site from a fixed IP address.

Page 41: Hosting Considerations

Page 42: You Get What You Pay For

Page 43: Shared Hosting

[Diagram: one Shared Hosting Server hosting dozens of websites]

Page 44: Shared Hosting

[Diagram: the same server, one website highlighted] What's wrong with that guy?

Page 45: Shared Hosting

[Diagram: the same server, the highlighted website now compromised] Oh frack!

Page 46: Shared Hosting

[Diagram: the same server, the compromised website turned zombie] braaaaains

Page 47: #protip

Page 48: Invest In Your Website

Go VPS or Dedicated

On a shared server your site is only as safe as the host's isolation between accounts and as the worst-kept site next door; a VPS or dedicated server takes the neighbours out of your threat model, at the cost of doing the server maintenance yourself.

Page 49: Clean Up a Hacked Site

Page 50: Step 1: Delete Everything and Start Over!

Page 51: OR

Page 52: Step 1: Do a Fresh Install of WordPress

• Delete, don't overwrite, all original WordPress files

• Upload fresh copies of all WordPress core files

Be sure to backup your theme, plugins, media, etc

Take that backup before you touch anything and keep it: it is also the evidence for working out how the attacker got in, which a clean reinstall alone does not tell you. Overwriting is not enough because it leaves in place any extra files the attacker added, which is why the slide says delete.

Page 53: Step 2: Re-install All Plugins

• Install fresh copies of all WP plugins you need

• DON'T use the same plugin files from the hacked site

Page 54: Step 3: Re-install Your Theme

• If possible install a fresh copy of your theme

• If using the old theme be sure to inspect every file for hack code

Page 55: Step 4: Change all Passwords and Keys

• Change your passwords: WordPress, FTP, MySQL

• Verify the hacker didn't create another user, if so delete it

• Update your secret keys in wp-config.php (as shown earlier)

Page 56: Step 5: Scan Database for Malicious Code

• Look for common hack keywords: eval, base64, strrev, iframe, noscript, display

• Use WordPress Exploit Scanner plugin (discussed later)

Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'

Search wp_options and wp_usermeta the same way: plugins and themes keep settings there, and a payload stored in an option is reloaded on every request. Expect to read through the hits; 'eval' also matches ordinary words such as "evaluate", and display:none has legitimate uses.
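The same keyword search, run over the files you kept from the old site (Step 3) and over a mysqldump of the database (Step 5), as an added example that is not part of the talk. It uses the slide's indicator list as an extended regular expression; the theme, plugin and Akismet.cache.php files in the sample tree and the three-line dump excerpt are constructed so it runs offline, and the payload strings in them are placeholders, not real malware.

```shell
#!/bin/sh
# Added example for Step 3 and Step 5: grep a WordPress tree and a mysqldump
# of its database for the indicators on the slide. Hits are leads to read,
# not proof of compromise. The sample tree and dump below are constructed.

# ERE built from the slide's keywords. "[(]" is a literal parenthesis, which
# keeps the one string usable in both grep -E and awk.
INDICATORS='eval[(]|base64_decode[(]|strrev[(]|<iframe|<noscript|display: ?none'

# Every match in every .php file under $1 as "path:line:indicator", sorted.
# After the slide's reinstall of core and plugins, point this at the theme
# you kept and at wp-content/uploads, where PHP files never belong.
scan_files() {
    find "$1" -name '*.php' -exec grep -HnoE "$INDICATORS" {} + \
        | sed "s|^$1/||" | LC_ALL=C sort
}

# Every indicator in a SQL dump, prefixed with the table of the INSERT it
# sits in, deduplicated. Extended INSERTs put many rows on one line, so the
# loop reports each match on the line, not only the first.
scan_dump() {
    awk -v re="$INDICATORS" '
        /^INSERT INTO `/ { t = $3; gsub(/`/, "", t) }
        {
            s = $0
            while (match(s, re)) {
                print t ": " substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
            }
        }' "$1" | LC_ALL=C sort -u
}

# Constructed tree: a clean theme file, a clean plugin file, a spam link
# hidden with CSS in the theme footer (slide 16) and the dropped
# Akismet.cache.php (slide 13).
make_sample_tree() {
    mkdir -p "$1/wp-content/themes/twentyten" "$1/wp-content/plugins/akismet"
    printf '<?php\nget_header();\n' > "$1/wp-content/themes/twentyten/index.php"
    printf '<b style="display:none"><a href="http://spam.example/">spam</a></b>\n' \
        > "$1/wp-content/themes/twentyten/footer.php"
    printf '<?php\n$plugin = "clean";\n' > "$1/wp-content/plugins/akismet/akismet.php"
    printf '<?php\n@eval(base64_decode(strrev("elpmas")));\n' \
        > "$1/wp-content/plugins/akismet/Akismet.cache.php"
}

# Constructed mysqldump excerpt: a clean option, a post with hidden spam,
# and a widget text carrying a placeholder PHP payload.
make_sample_dump() {
    cat > "$1" <<'EOF'
-- constructed mysqldump excerpt
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.com','yes');
INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Welcome</p>'),(2,'Spam','<b style="display:none"><a href="http://spam.example/">pills</a></b>');
INSERT INTO `wp_posts` VALUES (3,'Widget','<?php eval(base64_decode("aGk=")); ?>');
EOF
}

demo() {
    d=$(mktemp -d); f=$(mktemp)
    make_sample_tree "$d"; make_sample_dump "$f"
    echo "files:"; scan_files "$d"
    echo "database:"; scan_dump "$f"
    rm -rf "$d" "$f"
}

demo
```

Scanning a dump rather than querying live tables means one pass covers every table, including the wp_options and wp_usermeta rows a LIKE on wp_posts would miss, and the dump doubles as the backup the cleanup steps call for. Once you have a table name, the slide's SELECT narrows it down to the row.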

Page 57: Step 6: Verify folder/file permissions

• Check all folder and file permissions are correct

• Reset to 755 on folders and 644 on files if needed

Page 58: Step 7: Pray

Page 59: Recommended Security Plugins

Page 60: WP Security Scan

http://wordpress.org/extend/plugins/wp-security-scan/

Page 61: ServerBuddy

http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/

Page 62: WordPress Exploit Scanner

http://wordpress.org/extend/plugins/exploit-scanner/

Page 63: WordPress File Monitor

http://wordpress.org/extend/plugins/wordpress-file-monitor/

Page 64: Login Lockdown

http://wordpress.org/extend/plugins/login-lockdown/

Page 65: WordPress Security Resources

Security Related Codex Articles

› http://codex.wordpress.org/Hardening_WordPress

› http://codex.wordpress.org/Changing_File_Permissions

› http://codex.wordpress.org/Editing_wp-config.php

› http://codex.wordpress.org/htaccess_for_subdirectories

Blog Security Articles

› http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/

› http://www.growmap.com/wordpress-exploits/

› http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/

› http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/

› http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/

› http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog

Clean A Hacked Site

› http://codex.wordpress.org/FAQ_My_site_was_hacked

› http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

› http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

› http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

› http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html

Page 66: Contact

Brad Williams, [email protected]

Blog: strangework.com

Twitter: @williamsba

IRC: WDS-Brad

http://www.slideshare.net/williamsba

Page 67: Win a copy of Professional WordPress!

Tweet: @williamsba WordPress Security Rocks! #wcma