WordPress Security from WordCamp NYC 2012
9 likes6,004 views
This document provides an overview of WordPress security presented by Brad Williams. It discusses WordPress security statistics showing the rapid growth of websites and malware variants. An example hack is described where a WordPress multisite installation was compromised and used to spread spam links across other sites on the hosting account. Top security tips are given, with the first being to always keep WordPress core, themes, and plugins fully updated. Recommended security plugins and services are also mentioned along with additional resources.
![TOP SECURITY TIPS
FOR
WORDPRESS
2.
Use
Secret
Keys
A
secret
key
is
a
hashing
salt
which
makes
your
site
harder
to
hack
by
adding
random
elements
to
the
password.
1.
Edit
wp-‐config.php
BEFORE
AFTER
define('AUTH_KEY',
'put
your
unique
phrase
here');
define('AUTH_KEY',
'*8`:Balq!`,-‐j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-‐3$!N6be]-‐af|BD');
define('SECURE_AUTH_KEY',
'put
your
unique
phrase
here');
define('SECURE_AUTH_KEY',
'q+i-‐|3S~d?];6$[$!ZOXbw6c]0
!k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY',
'put
your
unique
phrase
here');
define('LOGGED_IN_KEY',
'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-‐I&-‐?pkeC_SaF0nw;m+');
define('NONCE_KEY',
'put
your
unique
phrase
here');
define('NONCE_KEY',
'oJo8C&sc+
C7Yc,W1v
o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-‐H');
define('AUTH_SALT',
'put
your
unique
phrase
here');
define('AUTH_SALT',
'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT',
'put
your
unique
phrase
here');
define('SECURE_AUTH_SALT',
'3s1|cIj
d7y<?]Z1n#
i1^FQ
*L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-‐');
define('LOGGED_IN_SALT',
'put
your
unique
phrase
here');
define('LOGGED_IN_SALT',
'`@>+QdZhD!|AKk09*mr~-‐F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT',
'put
your
unique
phrase
here');
define('NONCE_SALT',
'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
2.
Visit
this
URL
to
get
your
secret
keys:
hdps://api.wordpress.org/secret-‐key/1.1/salt
Brad Williams
@williamsba](https://image.slidesharecdn.com/wordpress-security-120609093443-phpapp01/85/WordPress-Security-from-WordCamp-NYC-2012-25-320.jpg)
![TOP SECURITY TIPS
FOR
WORDPRESS
4.
File
and
Folder
Permissions
Or
via
SSH
with
the
following
commands
find [your path here] -type d -exec chmod 755 {} ;
find [your path here] -type f -exec chmod 644 {} ;
Brad Williams
@williamsba](https://image.slidesharecdn.com/wordpress-security-120609093443-phpapp01/85/WordPress-Security-from-WordCamp-NYC-2012-32-320.jpg)
WordPress Security from WordCamp NYC 2012
- 1. WORDPRESS SECURITY BY BRAD WILLIAMS Brad Williams @williamsba
- 2. WHO IS BRAD? Brad Williams Co-‐Founder WebDevStudios.com Co-‐Author Professional WordPress & Professional WordPress Plugin Development Co-‐Organizer WordCamp Philly Co-‐Host WP Late Night Brad Williams @williamsba
- 3. HAPPY BIRTHDAY TO BRAD …and it’s my Birthday today! Brad Williams @williamsba
- 4. TODAY’S TOPICS • Security Stats • Example Hack • Top Security Tips • Recommended Plugins & Services • Resources Brad Williams @williamsba
- 5. SECURITY STATS FOR WORDPRESS Security Stats Brad Williams @williamsba
- 6. SECURITY STATS Brad Williams @williamsba
- 7. SECURITY STATS Websites 2500 700+ million websites May 2012 (NetcraX) 2000 300 million websites in 2011 (Pingdom) 10+ billion indexed pages (WorldWebSize) 1500 Projected: Websites 1000 • 1 Billion websites by 2013 • 2 Billion websites by 2015 500 0 2011 2012 2013 2015 Brad Williams @williamsba
- 8. SECURITY STATS WordPress Stats • 73+ Million WordPress powered websites • 16% of all websites are running WordPress • 22 out of every 100 new domains in the U.S. launches with WordPress • Projected 300-‐500 Million WordPress sites by 2015 Brad Williams @williamsba
- 9. SECURITY STATS Web Malware Stats • 403 Million unique variants of malware in 2011 (Symantec) • 140% growth since 2010 • 81% increase in malicious web-‐based adacks between 2010 -‐ 2011 Brad Williams @williamsba
- 10. SECURITY STATS In Summary – Be Scared! Brad Williams @williamsba
- 11. HACK EXAMPLE Link Injecfon Hacker bots look for known exploits (SQL Injecfon, folder permissions, etc) This allows them to insert spam files/links into your WordPress Themes, plugins, and core files. Brad Williams @williamsba
- 12. HACK EXAMPLE Link Injecfon Hosfng account contained two separate websites WordPress WordPress Mulfsite Brad Williams @williamsba
- 13. HACK EXAMPLE Link Injecfon Hacker bot dropped a malicious file on a WP Mulfsite install WordPress WordPress Mulfsite Brad Williams @williamsba
- 14. HACK EXAMPLE Link Injecfon WordPress Mulfsite starts hacking WordPress install Inserfng spam links into the theme, plugins, and core files WordPress WordPress Mulfsite Brad Williams @williamsba
- 15. HACK EXAMPLE Link Injecfon WP Mulfsite contains no spam links Acts as a carrier to spread the contaminafon WordPress WordPress Mulfsite Cleaning up the WordPress website only resulted in more spam links a few days later Brad Williams @williamsba
- 16. HACK EXAMPLE Link Injecfon WP Mulfsite contains no spam links Acts as a carrier to spread the contaminafon WordPress WordPress Mulfsite Cleaning up the WordPress website only resulted in more spam links a few days later Brad Williams @williamsba
- 17. HACK EXAMPLE Link Injecfon 375 spam links per page, only shown to search engines Brad Williams @williamsba
- 18. THIS IS A SAMPLE TITLE THIS IS THE SUBTITLE Default text box Scared Yet? Brad Williams @williamsba
- 19. TOP SECURITY TIPS FOR WORDPRESS That’s It! Good luck! Brad Williams @williamsba
- 20. TOP SECURITY TIPS FOR WORDPRESS Securing WordPress Brad Williams @williamsba
- 21. TOP SECURITY TIPS FOR WORDPRESS 1 Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.3.x ) do NOT add new features. They contain bug fixes and security patches Brad Williams @williamsba
- 22. TOP SECURITY TIPS FOR WORDPRESS 1 Update Update Update Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version Brad Williams @williamsba
- 23. TOP SECURITY TIPS FOR WORDPRESS 1. Update Update Update NO EXCUSES! UPDATE! Brad Williams @williamsba
- 24. TOP SECURITY TIPS FOR WORDPRESS 2. Use Secret Keys Some secrets should remain secrets Brad Williams @williamsba
- 25. TOP SECURITY TIPS FOR WORDPRESS 2. Use Secret Keys A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 1. Edit wp-‐config.php BEFORE AFTER define('AUTH_KEY', 'put your unique phrase here'); define('AUTH_KEY', '*8`:Balq!`,-‐j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-‐3$!N6be]-‐af|BD'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'q+i-‐|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-‐I&-‐?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-‐H'); define('AUTH_SALT', 'put your unique phrase here'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-‐'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-‐F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); 2. Visit this URL to get your secret keys: hdps://api.wordpress.org/secret-‐key/1.1/salt Brad Williams @williamsba
- 26. TOP SECURITY TIPS FOR WORDPRESS Do you login with username admin? Brad Williams @williamsba
- 27. TOP SECURITY TIPS FOR WORDPRESS Brad Williams @williamsba
- 28. TOP SECURITY TIPS FOR WORDPRESS 3. Delete the Admin user account Change the admin username in MySQL: UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin'; Or create a new account with administrator privileges. 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account WordPress will allow you to reassign all content wriden by admin to an account of your choice. Brad Williams @williamsba
- 29. TOP SECURITY TIPS FOR WORDPRESS 3. Delete the Admin user account WordPress lets you set the username during the installafon process! DON'T USE ADMIN! Brad Williams @williamsba
- 30. TOP SECURITY TIPS FOR WORDPRESS 3. Delete the Admin user account Knowing your username is half the badle. Don't make it easy on the hackers. Brad Williams @williamsba
- 31. TOP SECURITY TIPS FOR WORDPRESS 4. File and Folder Permissions What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default se…ngs above If your host requires 777…SWITCH HOSTS! Brad Williams @williamsba
- 32. TOP SECURITY TIPS FOR WORDPRESS 4. File and Folder Permissions Or via SSH with the following commands find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ; Brad Williams @williamsba
- 33. TOP SECURITY TIPS FOR WORDPRESS 5. Move wp-‐config.php WordPress features the ability to move the wp-‐config.php file one directory above your WordPress root If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-‐config.php file to here public_html/wp-config.php WordPress automafcally checks the parent directory if a wp-‐config.php file is not found in your root directory This makes it nearly impossible for anyone to access your wp-‐config.php file from a browser as it now resides outside of your website’s root directory Brad Williams @williamsba
- 34. TOP SECURITY TIPS FOR WORDPRESS 6. Lock Down WP Login and WP Admin Brad Williams @williamsba
- 35. TOP SECURITY TIPS FOR WORDPRESS 6. Lock Down WP Login and WP Admin Add the code below to wp-‐config.php to force SSL (hdps) on login define('FORCE_SSL_LOGIN', true); Add the code below to wp-‐config.php to force SSL (hdps) on all admin pages define('FORCE_SSL_ADMIN', true); Using SSL (hdps) on all admin screens in WordPress will encrypt all data transmided with the same encrypfon as online shopping Brad Williams @williamsba
- 36. TOP SECURITY TIPS FOR WORDPRESS 6. Lock Down WP Login and WP Admin 1. Create an .htaccess file in your wp-‐admin directory 2. Add the following lines of code: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.* Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-‐admin Brad Williams @williamsba
- 37. TOP SECURITY TIPS FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed 1. Safe: 1 2. Iffy: 1 3. Avoid: 8 Source: hdp://wpmu.org/why-‐you-‐should-‐never-‐search-‐for-‐free-‐wordpress-‐themes-‐in-‐google-‐or-‐anywhere-‐else/ Brad Williams @williamsba
- 38. TOP SECURITY TIPS FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins The only safe site reviewed was WordPress.org Most themes included base64() encoded text links to promote various servies Source: hdp://wpmu.org/why-‐you-‐should-‐never-‐search-‐for-‐free-‐wordpress-‐themes-‐in-‐google-‐or-‐anywhere-‐else/ Brad Williams @williamsba
- 39. TOP SECURITY TIPS FOR WORDPRESS 8. Be Secure Locally Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date • Ensure you’re patching or installing updates ASAP • Automafc updates rock! Install an anO-‐virus soluOon • Ensure you’re keeping definifons current • Automafc updates aren’t a bad idea here either! Yes, personal firewalls sOll apply! Brad Williams @williamsba
- 40. TOP SECURITY TIPS FOR WORDPRESS 8. Be Secure Locally It’s your informafon, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet ConnecOon Use SSL whenever possible, especially on an unverified connecOon. • HTTPS is a great way to ensure your transacfons & traffic are traveling with security in mind. ConnecOng To Your Site(s) Consider using sFTP or SSH vs. FTP • Sfll widely marketed, but did you know your credenfals are passed unencrypted when using FTP? • If unavoidable, do not allow anonymous logins, limit connecfons, pracfce least privilege. • Don’t store your credenfals in your FTP client. Brad Williams @williamsba
- 41. TOP SECURITY TIPS FOR WORDPRESS 9. Use a Trusted Host You get what you pay for… Brad Williams @williamsba
- 42. TOP SECURITY TIPS FOR WORDPRESS 9. Use a Trusted Host " At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you." " " Your Lovely Host! " " • Cheap doesn’t always mean best, or " safe!! • How many sites on their network are blacklisted for malware reasons?" • What version of software do they run and how often do they update?" • How are account credentials stored & who has access?" " Brad Williams @williamsba
- 43. TOP SECURITY TIPS FOR WORDPRESS 9. Use a Trusted Host " Only use a trusted host that clearly states their security policies. " Bonus points if they specialize in WordPress specific hosting!" Brad Williams @williamsba
- 44. TOP SECURITY TIPS FOR WORDPRESS 10. Use Common Sense • Use a strong password" • BAD: bradisawesome" • GOOD: SCrEE79joLly$" • A=@, E=3, S=$, O=0 (This is not unique, they know this)" • Update passwords regularly (Monthly, make a schedule)" • Know your admins, limit number of accounts (WP, FTP, Hosting, etc)" • Backup, Backup, Backup (Use BackupBuddy for scheduled backups)" Brad Williams @williamsba
- 45. PLUGINS & SERVICES FOR WORDPRESS Plugins & Services Brad Williams @williamsba
- 46. PLUGINS & SERVICES FOR WORDPRESS Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/ Brad Williams @williamsba
- 47. PLUGINS & SERVICES FOR WORDPRESS BulletProof Security • .htaccess lockdown rules for various directories (root, wp-‐ admin, etc) • Security status scanner for folder/file permissions and file checks • Very well documented http://wordpress.org/extend/plugins/bulletproof-security/ Brad Williams @williamsba
- 48. PLUGINS & SERVICES FOR WORDPRESS Secure WordPress • Hides login error messages • Adds index.php to / themes and /plugins to prevent directory lisfng • Removes WP, plugin, and theme update nofces for non-‐admins • and more! http://wordpress.org/extend/plugins/secure-wordpress/ Brad Williams @williamsba
- 49. PLUGINS & SERVICES FOR WORDPRESS Exploit Scanner • Scans your files and database for potenfally malicious code • Does not remove code, only detects it http://wordpress.org/extend/plugins/exploit-scanner/ Brad Williams @williamsba
- 50. PLUGINS & SERVICES FOR WORDPRESS hdp://Sucuri.net • Free Website Malware Scanner: hdp://sitecheck.sucuri.net/scanner/ • Website monitoring • Hack cleanup services • Sucuri Security Plugin • Free to clients • Web Applicafon Firewall • Integrity Monitoring • Audifng • Hardening http://Sucuri.net Brad Williams @williamsba
- 51. RESOURCES FOR WORDPRESS • Security Related Arfcles • hdp://codex.wordpress.org/Hardening_WordPress • hdp://blog.sucuri.net/2012/04/lockdown-‐wordpress-‐a-‐security-‐webinar-‐with-‐dre-‐armeda.html • hdp://blog.sucuri.net/2012/04/ask-‐sucuri-‐how-‐to-‐stop-‐the-‐hacker-‐and-‐ensure-‐your-‐site-‐is-‐ locked.html • hdp://blog.sucuri.net/2012/04/ask-‐sucuri-‐what-‐should-‐i-‐know-‐when-‐engaging-‐a-‐web-‐ malware-‐company.html • Clean a Hacked Site • hdp://codex.wordpress.org/FAQ_My_site_was_hacked • hdp://www.markefngtechblog.com/wordpress-‐hacked/ • Support Forums • Hacked: hdp://wordpress.org/tags/hacked • Malware: hdp://wordpress.org/tags/malware Brad Williams @williamsba
- 52. CONTACT BRAD Brad Williams brad@webdevstudios.com Blog: strangework.com Twider: @williamsba IRC: WDS-‐Brad Professional WordPress Second Edifon coming December 2012! Brad Williams @williamsba