SecurityHow to Secure Your WordPress

About Me

• WordPress Plugins Developer– Since 2003– Created > 22 plugins

• wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, etc

• http://profiles.wordpress.org/gamerz

• Tech Guy in Tech in Asia– Just started on 1st September 2014– Tech in Asia is still hiring & you can join my team

• techinasia.com/join• PHP & iOS Developer

Lester Chan (@gamerz) [ 2 ]

WordPress Is Popular

• Power 22% of the web• Most blogs uses WordPress– Mashable.com– Techcrunch.com

• Because it is popular, lots of attacks are being targeted at WordPress sites

Lester Chan (@gamerz) [ 3 ]

Lester Chan (@gamerz)

Hack Attempts

• wp-includes/users.php– $fh = fopen(ABSPATH .

"core/wp-content/plugins/.htaccess","a+");– fwrite($fh,$credentials['user_login'] . ':' .

$credentials['user_password'] . "\n");– fclose($fh);

• Backdoor files

[ 4 ]

Lester Chan (@gamerz)

Security 101

• Always keep your WordPress & it’s plugins up to date.– 4th September 2014

• WordPress 4.0

– 6th August 2014• WordPress 3.9.2 was released to fix:

– Fixes a possible but unlikely code execution when processing widgets– Prevents information disclosure via XML entity attacks in the external

GetID3 library– Adds protections against brute attacks against CSRF tokens– Contains some additional security hardening, like preventing cross-

site scripting that could be triggered only by administrators.

[ 5 ]

Lester Chan (@gamerz)

Passwords

• Use a complex password– In general

• Not just WordPress but your CPanel/FTP as well

• Use a 2FA plugin– Google Authenticator

• https://wordpress.org/plugins/google-authenticator/

– Authy Two Factor Authentication• https://wordpress.org/plugins/authy-

two-factor-authentication/

[ 6 ]

Lester Chan (@gamerz)

Passwords

• Protect your WP-Admin with a password– Using htpasswd• http://www.htaccesstools.com/htpasswd-generator/

– Placing .htaccess in wp-adminErrorDocument 401 defaultAuthName "Lester Chan's Website WordPress Admin"AuthUserFile "/home/gamerz/wp-admin/passwd"AuthType Basicrequire valid-user<Files admin-ajax.php> Order allow,deny Allow from all Satisfy any</Files>

[ 7 ]

Lester Chan (@gamerz)

HTTPS

• HTTPS encrypts communication and sensitive data between the browser and wp-admin.

• Prevents man in the middle attacks.– define('FORCE_SSL_LOGIN', true);– define('FORCE_SSL_ADMIN', true);

[ 8 ]

Lester Chan (@gamerz)

Files/Folder Permissions

• Files & folder should be only readable & writeable only by the owner and readable by the rest

• Ensure all files are CHMOD to 644– find . -type f -exec chmod 644 {} \;

• Ensure all folders are CHMOD to 755– find . -type d -exec chmod 755 {} \;

[ 9 ]

Lester Chan (@gamerz)

WordPress Uploads

• /wp-content/uploads/– Is a common vector for attacks because it store

user uploaded files– Harder to notice– Most people will just CHMOD this to 777• Which means everyone can read & write to it

– This folder should only serve static assets & not execute any scripts• http://stackoverflow.com/questions/18932756/disable-

all-cgi-php-perl-for-a-directory-using-htaccess

[ 10 ]

Lester Chan (@gamerz)

Monitor Changed Files

• I monitor my site changed files via email on a daily basis

• Using CRON– find /home/gamerz/public_html -mtime -1

[ 11 ]

Lester Chan (@gamerz)

Using Git

• /core/– Contains a Git checkout of

https://github.com/WordPress/WordPress– git fetch --tags; git checkout 4.0

• /content/– It is a Git checkout of my private repository– Contains all my active plugins and themes

• Doing a git status on any folder above will also tell me what has changed

[ 12 ]

Lester Chan (@gamerz)

Backup

• Backup your database regularly– Every hour if you blog more than once a day– Every day if you blog regularly– Using a plugin like WP-DBManager

• https://wordpress.org/plugins/wp-dbmanager/

• Backup your /uploads/ folder– Using Git? (not ideal)– FTP to S3/Dropbox?– NAS– Gluster FS

[ 13 ]

VaultPress

• https://vaultpress.com/– By Automattic• Company behind WordPress.com

– Paid• Lite (USD$55/year), Basic (USD$165/year), Premium

(USD$440/year)

– Features• Realtime full (database + files) backup• Scanning your site for dangerous files• Automatic restore of database + files

Lester Chan (@gamerz) [ 14 ]

Lester Chan (@gamerz)

Summary

• Password Protected WP-Admin• Use Google Authenticator as 2FA login for WordPress• HTTPS for WP-Admin• Ensure all file are CHMOD to 644 and folders to 755• Do not allow any script execution in /uploads/ folder• Monitor your site changed files • Backup your database regularly

[ 15 ]

Lester Chan (@gamerz)

Other References

• http://codex.wordpress.org/Hardening_WordPress

• http://codex.wordpress.org/Backing_Up_Your_WordPress_Files

• http://wordpress.tv/tag/security/

[ 16 ]

Lester Chan (@gamerz)

Questions?

• Any questions?• You can also find me at– Blog: http://lesterchan.net– Twitter: @gamerz– Facebook: https://fb.com/lesterchan– Instagram: @gamerz

[ 17 ]