wordpress security - wordpress meetup copenhagen 2013

38
WordPress Security Copenhagen September 2013 Thor Kristiansen @ThorK108

Upload: thor-kristiansen

Post on 08-May-2015

1.495 views

Category:

Technology


0 download

TRANSCRIPT

Page 1: WordPress Security - WordPress Meetup Copenhagen 2013

WordPress SecurityCopenhagen September 2013

Thor Kristiansen@ThorK108

Page 2: WordPress Security - WordPress Meetup Copenhagen 2013

ABOUT THE SPEAKER

• Thor Kristiansen– Self-employed WP-Developer and Business

Consultant– Long time meditator

• First WP Blog: The Pure View: http://pureview.dk– 200-400 visitors a day, 90% traffic is US, non-profit

– Former Sr. Business Analyst & QA Mgr. at Dell

– Portfolio website: http://shivaweb.dk

Thor Kristiansen@ThorK108

Page 3: WordPress Security - WordPress Meetup Copenhagen 2013

TODAY’S TOPICS

• Security Stats• Example Hack• Top Security Tips• Recommended Plugins & Services• Resources

Thor Kristiansen@ThorK108

Page 4: WordPress Security - WordPress Meetup Copenhagen 2013

Security Stats

Thor Kristiansen@ThorK108

Page 5: WordPress Security - WordPress Meetup Copenhagen 2013

SECURITY STATS

700+ million websites May 2012 (Netcraft)

300 million websites in 2011 (Pingdom)

10+ billion indexed pages (WorldWebSize)

Projected:• 1 Billion websites by 2013• 2 Billion websites by 2015

2011 2012 2013 20150

500

1000

1500

2000

2500

Websites

Websites

Thor Kristiansen@ThorK108

Page 6: WordPress Security - WordPress Meetup Copenhagen 2013

SECURITY STATS

WordPress Stats• 73+ Million WordPress powered websites• 18.9% of all websites are running WordPress• 22 out of every 100 new domains in the U.S.

launches with WordPress• Projected 300-500 Million WordPress sites by

2015

Thor Kristiansen@ThorK108

Page 7: WordPress Security - WordPress Meetup Copenhagen 2013

SECURITY STATS

Web Malware Stats• 403 Million unique variants of malware in 2011 (Symantec)

• 140% growth since 2010

• 81% increase in malicious web-based attacks between 2010 - 2011

Thor Kristiansen@ThorK108

Page 8: WordPress Security - WordPress Meetup Copenhagen 2013

SECURITY STATS

In Summary – Be Scared!

Thor Kristiansen@ThorK108

Page 9: WordPress Security - WordPress Meetup Copenhagen 2013

SECURITY STATS

Hack Example

Thor Kristiansen@ThorK108

Page 10: WordPress Security - WordPress Meetup Copenhagen 2013

HACK EXAMPLE

Link InjectionHacker bots look for known exploits (SQL Injection, folder

permissions, etc)This allows them to insert spam files/links into your WordPress Themes, plugins, and core files.

Thor Kristiansen@ThorK108

Page 11: WordPress Security - WordPress Meetup Copenhagen 2013

HACK EXAMPLE

Link Injection375 spam links per page, only shown to search engines

Thor Kristiansen@ThorK108

Page 12: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

Securing WordPress

Thor Kristiansen@ThorK108

Page 13: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

1 Update Update UpdateKeep WordPress Updated!

Minor WordPress versions ( ie 3.5.x ) do NOT add new features. They contain bug fixes and security patches

Thor Kristiansen@ThorK108

Page 14: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

1 Update Update UpdateUpdate Those Plugins!

The plugin Changelog tab makes it very easy to view what has changed in a new plugin version

Thor Kristiansen@ThorK108

Page 15: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

1. Update Update Update

NO EXCUSES! UPDATE!

Thor Kristiansen@ThorK108

Page 16: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

2.Do you login with username admin?

Thor Kristiansen@ThorK108

Page 17: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

Thor Kristiansen@ThorK108

Page 18: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

3. Delete the Admin user account

UPDATE wp_users SET user_login=‘Thor' WHERE user_login='admin';

Change the admin username in MySQL:

Or create a new account with administrator privileges.

1. Create a new account. Make the username very unique2. Set account to Administrator role3. Log out and log back in with new account4. Delete admin account

WordPress will allow you to reassign all content written by admin to an account of your choice.

Thor Kristiansen@ThorK108

Page 19: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

3. Delete the Admin user account

WordPress lets you setthe username during the

installation process!

DON'T USE ADMIN!

Thor Kristiansen@ThorK108

Page 20: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

3. Delete the Admin user account

Thor Kristiansen@ThorK108

Knowing your username is half

the battle.

Don't make it easy on the

hackers.

Page 21: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

4. File and Folder PermissionsWhat folder permissions should you use?

Good Rule of Thumb:

• Files should be set to 644• Folders should be set to 755

Start with the default settings above

If your host requires 777…SWITCH HOSTS!

Thor Kristiansen@ThorK108

Page 22: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

4. File and Folder Permissions

find [your path here] -type d -exec chmod 755 {} \;find [your path here] -type f -exec chmod 644 {} \;

Or via SSH with the following commands

Thor Kristiansen@ThorK108

Page 23: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

5. Move wp-config.phpWordPress features the ability to move the wp-config.php

file one directory above your WordPress root

This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory

You can move your wp-config.php file to here

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory

public_html/wordpress/wp-config.php

If WordPress is located here:

public_html/wp-config.php

Thor Kristiansen@ThorK108

Page 24: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

6. Lock Down WP Login and WP Admin

Thor Kristiansen@ThorK108

Page 25: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

6. Lock Down WP Login and WP Admin

define('FORCE_SSL_LOGIN', true);

Add the code below to wp-config.php to force SSL (https) on login

Add the code below to wp-config.php to force SSL (https) on all admin pages

define('FORCE_SSL_ADMIN', true);

Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping

Thor Kristiansen@ThorK108

Page 26: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

6. Lock Down WP Login and WP Admin

AuthUserFile /dev/nullAuthGroupFile /dev/nullAuthName "Access Control"AuthType Basicorder deny,allowdeny from all#IP address to Whitelistallow from 67.123.83.59allow from 123.123.123.*

1. Create an .htaccess file in your wp-admin directory

Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin

2. Add the following lines of code:

Thor Kristiansen@ThorK108

Page 27: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

7. Use Trusted Sources for Themes & Plugins

WPMU.org reviewed the top 10 results for “free wordpress themes” on Google.

Out of the ten sites reviewed

1. Safe: 12. Iffy: 13. Avoid: 8

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Thor Kristiansen@ThorK108

Page 28: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

7. Use Trusted Sources for Themes & Plugins

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

The only safe site reviewed was WordPress.org

Most themes included base64() encoded text links to promote various servies

Thor Kristiansen@ThorK108

Page 29: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

8. Be Secure LocallyThink of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!

Keep your computer up to date• Ensure you’re patching or installing updates ASAP

• Automatic updates rock!

Install an anti-virus solution • Ensure you’re keeping definitions current

• Automatic updates aren’t a bad idea here either!

Yes, personal firewalls still apply!

Thor Kristiansen@ThorK108

Page 30: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

8. Be Secure LocallyIt’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?

Your Internet ConnectionUse SSL whenever possible, especially on an unverified connection.

• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.

Connecting To Your Site(s)Consider using sFTP or SSH vs. FTP

• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?

• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.

• Don’t store your credentials in your FTP client.

Thor Kristiansen@ThorK108

Page 31: WordPress Security - WordPress Meetup Copenhagen 2013

TOP SECURITY TIPS

9. Use Common Sense• Use a strong password

• BAD: bradisawesome• GOOD: SCrEE79joLly$• A=@, E=3, S=$, O=0 (This is not unique, they know this)

• Update passwords regularly (Monthly, make a schedule)• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)

• http://strongpasswordgenerator.com/

Thor Kristiansen@ThorK108

Page 32: WordPress Security - WordPress Meetup Copenhagen 2013

PLUGINS & SERVICES

Plugins & Services

Thor Kristiansen@ThorK108

Page 33: WordPress Security - WordPress Meetup Copenhagen 2013

PLUGINS & SERVICES

Login Lockdown

http://wordpress.org/extend/plugins/login-lockdown/

Thor Kristiansen@ThorK108

Page 34: WordPress Security - WordPress Meetup Copenhagen 2013

PLUGINS & SERVICES

Sucuri SecuritySiteCheck MalwareScanner

http://wordpress.org/plugins/sucuri-scanner/

• Scan your site for malware, SPAM injections, errors, and more

• Hardening of key WordPress directories

• Verify core WordPress files have not been modified

Thor Kristiansen@ThorK108

Page 35: WordPress Security - WordPress Meetup Copenhagen 2013

PLUGINS & SERVICES

Exploit Scanner

http://wordpress.org/extend/plugins/exploit-scanner/

• Scans your files and database for potentially malicious code

• Does not remove code, only detects it

Thor Kristiansen@ThorK108

Page 36: WordPress Security - WordPress Meetup Copenhagen 2013

PLUGINS & SERVICES

• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/• Website monitoring• Hack cleanup services• Sucuri Security Plugin

• Free to clients• Web Application Firewall• Integrity Monitoring• Auditing• Hardening

http://Sucuri.net

Thor Kristiansen@ThorK108

Page 37: WordPress Security - WordPress Meetup Copenhagen 2013

RESOURCES

• Security Related Articles• http://codex.wordpress.org/Hardening_WordPress• http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html• http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-

locked.html• http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-

malware-company.html

• Clean a Hacked Site• http://codex.wordpress.org/FAQ_My_site_was_hacked• http://www.marketingtechblog.com/wordpress-hacked/

• Support Forums• Hacked: http://wordpress.org/tags/hacked• Malware: http://wordpress.org/tags/malware

Thor Kristiansen@ThorK108

Page 38: WordPress Security - WordPress Meetup Copenhagen 2013

CONTACT THOR KRISTIANSEN

Thor Kristiansen@ThorK108

• Mail: [email protected]• Twitter: @ThorK108• Linkedin: in/ThorKristiansen• Web: Shivaweb.dk

• Facebook: Wordpress Fan