WordPress Security Essentials WordCamp Denver 2012

WORDPRESS SECURITY ESSENTIALS Presented at WordCamp Denver 2012 By Angela Bowman aka Ask WP Girl

description

Common sense, simple security for WordPress. Many presentations have lots of complicated .htaccess tricks, moving/hiding files, etc. However, if people are overwhelmed with details, they tend to not do anything. If I were to summarize what you MUST do for security, I'd say:

1 - BACKUP - Find a backup tool and use it. Subscribe to VaultPress.com, host your site with WPEngine.com, or purchase the BackupBuddy plugin and schedule regular backups. If you're short on cash, use the BackWPup plugin and download your wp-content folder.

2 - UPDATE - All plugins, themes, and WordPress at least once a month, or whenever there is a security update. Sign up for an account at WordPress.org so you'll get notices of WordPress security updates.

3 - DELETE - All unused plugins and themes. These are your biggest security risks. Delete all unused copies of WordPress you might have installed on your server.

4 - BE CAUTIOUS - Don't use plugins willy-nilly. Do some research. They are not all made the same, and a badly written one will leave you vulnerable to hacking.

5 - PASSWORDS - Use strong, randomly generated passwords, all different, for everything: your hosting, FTP, WP login, and email. Use 1Password.com to track your passwords easily and securely.

6 - SECURITY PLUGINS - Run Firewall 2 and Limit Login Attempts. There are others, but I don't know how well they play with others and what things they modify. You can check out Bulletproof Security and Better WP Security.

7 - BEST PRACTICES - See the slideshow for some other best practices regarding users, comments, etc.

If you just do the above 6 things systematically, you'll be far ahead of your peers! Good luck!

Transcript of WordPress Security Essentials WordCamp Denver 2012

Page 1: WordPress Security Essentials WordCamp Denver 2012

WORDPRESS SECURITY ESSENTIALS

Presented at WordCamp Denver 2012

By Angela Bowman aka Ask WP Girl

Page 2: WordPress Security Essentials WordCamp Denver 2012

ABOUT ME

- Hi! My name is Angela Bowman @askwpgirl

- WordPress Instructor at Boulder Digital Arts

- Started working with WordPress in 2007 – self taught, very painful

- Used to hold the myth of "After I build a site, my job is done."

- Common sense approach to security that isn't overwhelming or super technical

Eating fufu is fun!

Page 3: WordPress Security Essentials WordCamp Denver 2012

WHY DO WE NEED TO HAVE THIS TALK?

- WordPress is built from PHP and MySQL, and code that handles user input carelessly in either of them is where most WordPress vulnerabilities come from.

- What is MySQL? The database where all your content and settings are stored.

- What is PHP? The scripting language that WordPress, themes and plugins use to read your data and display it in the browser window.

- Hackers exploit poorly written PHP (and other weaknesses) to inject content into your database and files, usually through nothing more than a crafted URL or form submission sent from a browser.

Page 4: WordPress Security Essentials WordCamp Denver 2012

WHY ARE YOU VULNERABLE?

- Because your site is on the Internet

- Because it's easy to exploit known vulnerabilities

- Because we are human NOT Vulcan

- We live by our beliefs rather than logic (or don't know what we don't know)

- We are going to talk about common mythology (beliefs) and counteract those with logic and a rational approach to security

Page 5: WordPress Security Essentials WordCamp Denver 2012

THE MYTHS WE LIVE BY

Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.

Page 6: WordPress Security Essentials WordCamp Denver 2012

MYTH #1 WORDPRESS IS NOT SECURE

- WordPress is not secure, so you should stay away from it!

- WordPress is totally secure, so you don't have to worry about it.

REALITY

- Both statements are partly true:

  - Old versions of WordPress are NOT secure

  - The current WordPress core is secure, meaning it has no known unpatched holes (plugins and themes are another matter; see Myth #3)

Page 7: WordPress Security Essentials WordCamp Denver 2012

MYTH #2 MY SITE ISN'T LAUNCHED YET, SO IT CAN'T BE HACKED

- Hackers' scanners blindly probe for things that may not even be on your site, such as plugins you don't have installed; they find sites by scanning address ranges, not by reading Google

- If you have a website on a public web host, you have an Internet presence even if the pages of your site aren't indexed by Google

- You need to protect ALL installations of WordPress on your hosting account, even the ones you don't use

Page 8: WordPress Security Essentials WordCamp Denver 2012

MYTH #3 I ONLY USE PLUGINS & THEMES FROM WORDPRESS.ORG, SO I'M SAFE

- Plugins and themes are the #1 way hackers gain access to your site

- While the WordPress CURRENT CORE is secure, plugins and themes are not necessarily. WordPress.org is safer than a random download site, but it is not a sure bet.

- Why? From ProBlogger.com: "Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs."

Page 9: WordPress Security Essentials WordCamp Denver 2012

MYTH #4 UPDATING MY THEMES AND PLUGINS WHENEVER I LOG IN IS GOOD ENOUGH

- Exploits are published to the web as soon as a vulnerability is disclosed, often the same day.

- If you are running an outdated version of WordPress, a theme, or a plugin, you are vulnerable to attack from that moment on.

- The TimThumb script exploit was discovered and exploited on a mass number of blogs within DAYS!

- If you don't update your site's code ASAP, you will be SOL.

Page 10: WordPress Security Essentials WordCamp Denver 2012

MYTH #5 MY SITE IS SMALL, SO IT'S NOT WORTH HACKING

- From Devin's WP Theming blog regarding the TimThumb hack: "… Although I had updated the majority of sites and had notified former clients, I still hadn't gotten to some of the smaller sites yet – like my girlfriend's food blog."

http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/

"And, word to the wise, your girlfriend's food blog should always be a top priority."

Page 11: WordPress Security Essentials WordCamp Denver 2012

MYTH # 6 IF I DE-ACTIVATE A THEME OR PLUGIN, THERE IS NO RISK

- De-activated themes and plugins are just as risky if they contain vulnerable code.

- Deactivation only stops WordPress from loading the plugin; its files are still on the web server and can still be requested directly over the Internet (TimThumb was exploited by requesting the script file itself).

Page 12: WordPress Security Essentials WordCamp Denver 2012

MYTH # 7 IF MY SITE IS COMPROMISED, I'LL FIND OUT RIGHT AWAY!

- Only if you use a site monitoring service or plugin (and maybe not even then)

- Your site can be compromised months before you find out

- Many hacks are invisible to visitors and only shown to search-engine bots (spam links, cloaked pages), so you may not know you've been hacked until your site is blacklisted

- Some hacks redirect only search-engine traffic, so you won't notice if you just type in a specific URL

http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html

Page 13: WordPress Security Essentials WordCamp Denver 2012

MYTH # 8 I CAN USE A SECURITY PLUGIN AND THAT WILL COVER ME

- Some security plugins can provide a layer of protection: Firewall 2, WordPress File Monitor, and Limit Login Attempts (as well as others)

- Security plugins won't help much if a hacker gains access to your online session, passwords, or sensitive files: at that point the attacker is using your site the way you would

- Security plugins won't help if the web hosting server itself is compromised; they run inside WordPress, below the level of the break-in

Page 14: WordPress Security Essentials WordCamp Denver 2012

MYTH # 9 MY PASSWORDS ARE GOOD ENOUGH

- A password of 8 characters or fewer is small enough to be brute-forced outright: if an attacker captures its hash (or sniffs it over plain HTTP or FTP, in which case no cracking is needed at all), commodity hardware can exhaust the entire 8-character keyspace in days at most

- "Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs."

http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
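To put the brute-force claim above in numbers, here is an added worked example (my code, not from the talk): it generates a password the way the slide recommends, from the operating system's random source over the full printable-ASCII set, and estimates how long exhausting the keyspace takes at two assumed guess rates, an online login throttled by a lockout plugin such as Limit Login Attempts, and offline cracking of a stolen hash. The two guess rates are illustrative assumptions, not measurements, and the reuse check is the one the "all different" advice implies.

```python
import math
import secrets
import string

# Alphabets of increasing size. The slide recommends drawing from the largest
# printable ASCII set available; the sizes feed the brute-force estimate below.
CHARSETS = {
    "digits": string.digits,                                                # 10
    "lowercase": string.ascii_lowercase,                                    # 26
    "alnum": string.ascii_letters + string.digits,                          # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Assumed guess rates (illustrative, not measured): a web login throttled by a
# lockout plugin vs. offline cracking of a stolen fast hash on GPUs.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10_000_000_000


def generate_password(length=20, charset=CHARSETS["printable"]):
    """Uniformly random password from the OS CSPRNG (secrets), one draw per character."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst case: the whole keyspace tried at the given rate (expected time is half of this)."""
    return charset_size ** length / guesses_per_second


def describe(seconds):
    """Round a duration to a readable unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def compare(length, charset_name):
    """Entropy plus worst-case online and offline cracking time for one password policy."""
    size = len(CHARSETS[charset_name])
    return {
        "bits": round(entropy_bits(length, size), 1),
        "online": describe(seconds_to_exhaust(length, size, ONLINE_GUESSES_PER_SEC)),
        "offline": describe(seconds_to_exhaust(length, size, OFFLINE_GUESSES_PER_SEC)),
    }


def is_reused(passwords):
    """True if any two accounts (hosting, FTP, WordPress, email) share a password."""
    return len(set(passwords.values())) < len(passwords)


if __name__ == "__main__":
    for length, name in [(8, "lowercase"), (8, "printable"), (16, "printable"), (20, "printable")]:
        print(length, name, compare(length, name))
    pw = generate_password()
    print("generated:", pw, "bits:", round(entropy_bits(len(pw), len(CHARSETS["printable"])), 1))
    print("reused:", is_reused({"ftp": "s3cret", "wp": "s3cret", "email": "other"}))
```

The point the numbers make: an 8-character lowercase password survives an online attack only because of the lockout, and falls offline in seconds, while a 20-character random printable password is out of reach either way. Lockout plugins do nothing for the offline case, which is why the password itself has to carry the entropy.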

Page 15: WordPress Security Essentials WordCamp Denver 2012

MYTH #10 IF MY SITE IS HACKED, MY WEB HOST CAN RESTORE IT FOR ME

- If you discover the hack quickly enough, your web host may have a backup of the site made before the hack

- Most hosts keep only one daily backup and one weekly backup, so a compromise that went unnoticed for a few weeks is already in every copy they have

- Your host may not be able to help you discover why you were hacked in the first place. Restore without fixing the cause and you'll end up restoring the same hackable files.

Page 16: WordPress Security Essentials WordCamp Denver 2012

WHAT CAN YOU DO TO PROTECT YOUR SITE?

Page 17: WordPress Security Essentials WordCamp Denver 2012

SOME OPTIONS

- Set up an altar to the WordPress Gods and do daily puja and offerings

- Throw up your hands and cry

- Drink another beer and try to forget

- Delegate (hire a service to maintain your site)

- DIY using the following steps (Regina Smola, WPSecurityLock.com)

Page 18: WordPress Security Essentials WordCamp Denver 2012

1 – SECURE YOUR OWN COMPUTER

- Why bother securing WordPress if you give the keys away? A keylogger on your laptop defeats every server-side measure in this talk.

- Run anti-virus software regularly and keep it updated

- Don't log in over insecure or public WIFI networks

- Use a Virtual Private Network when traveling

- Secure your home WIFI network

- Be careful which sites you click on. More than 55,000 malicious web domains were identified in 2011.

Page 19: WordPress Security Essentials WordCamp Denver 2012

2 – UPDATE TO CURRENT VERSIONS

- First run a full backup: BackupBuddy, OR the wp-db-backup plugin plus a manual FTP backup of all files, OR a site snapshot (including the database) at your web host

- If your site hasn't been updated in a LOOOOONG time:

  - Check plugins for compatibility

  - Check the server's PHP and MySQL versions

  - If you're using a WP version older than 3.2, you might be on MySQL 4 (3.2 was the first release to require MySQL 5). You will need to export this database and import it into a new MySQL 5 database. http://www.realestatebloglab.com/restore-your-wordpress-database-from-mysql-4-to-mysql-5/

Page 20: WordPress Security Essentials WordCamp Denver 2012

2 – UPDATE CONTINUED

- Update plugins first, delete unused ones, and (optionally) de-activate all the plugins

- Update WordPress, then re-activate plugins one at a time, testing the site between each activation.

- If the site crashes after activating a plugin: rename the plugins folder to plugins-old via FTP (WordPress then treats every plugin as deactivated and the dashboard loads again), delete the bad plugin from plugins-old, rename the folder back to plugins, and continue.

http://codex.wordpress.org/Updating_WordPress http://codex.wordpress.org/Upgrading_WordPress_Extended

Page 21: WordPress Security Essentials WordCamp Denver 2012

2 – UPDATE CONTINUED

- Check your site at sucuri.net

- Read the changelog for your theme to see whether security fixes were made

- Consider a new theme if your current theme is outdated and isn't being maintained. Delete unused themes, but keep Twenty Eleven (the current default) so WordPress has a known-good theme to fall back on.

- Back up your theme before updating

- Regenerate the authentication keys and salts in wp-config.php (WordPress provides a generator at https://api.wordpress.org/secret-key/1.1/salt/): http://tentblogger.com/salt-keys/

Page 22: WordPress Security Essentials WordCamp Denver 2012

3 – RESET PWDS AND ADMIN NAME

- If "admin" is the Administrative username, create a new admin user with a name that isn't guessable, log out, log in as the new user, delete the old "admin" user and assign its posts/pages to the new admin. An attacker who already knows the username only has the password left to guess.

- Use a password generator to reset the passwords for WordPress, FTP, hosting, and email:

  - Online Generator: http://www.pctools.com/guides/password/ (a password generated on someone else's web page is only as trustworthy as that page; a generator that runs locally is preferable)

  - RPG Dashboard Widget for Mac OS: http://www.apple.com/downloads/dashboard/networking_security/rpgwidgetedition_davidkreindler.html

- Track Passwords: http://agilebits.com/products/1Password

Page 23: WordPress Security Essentials WordCamp Denver 2012

4 – SET UP BACKUP SCHEDULE

- Use a backup plugin or service:

  - BackupBuddy affiliate link: http://askwpgirl.com/go/backupbuddy.php

  - WP DB Backup http://wordpress.org/extend/plugins/wp-db-backup/

  - WP Online Backup http://wordpress.org/extend/plugins/wponlinebackup/

  - BackWPup http://wordpress.org/extend/plugins/backwpup/

  - VaultPress.com – Backup, one-click restore, and site monitoring

- Back up as often as you can afford to lose data:

  - Database – daily or weekly

  - Full site – weekly or monthly

- Store backups on a remote server (e.g. an Amazon S3 account), not only on the web host, so a compromise of the host doesn't take your backups with it

Page 24: WordPress Security Essentials WordCamp Denver 2012

5 – INSTALL SECURITY PLUGINS

- Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/ AND WordPress Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/

  OR Bulletproof Security – http://wordpress.org/extend/plugins/bulletproof-security/

- Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/

- WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/

Use caution installing plugins. They don't all play well with others, and a security plugin is itself code that needs to be kept updated.
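Myth #7 says a compromise can sit invisible for months, and the WordPress File Monitor plugin listed above exists to catch exactly that. The following added example (my code, not the plugin's and not from the talk) shows the two halves of that job in Python: a SHA-256 baseline of the install compared against a later snapshot, and a pattern scan of the changed files that also decodes base64 arguments, the way the "online tools" slide at the end decodes obfuscated payloads by hand. The sample files, the injected snippets and the paths are constructed for the demo; the patterns are common backdoor idioms, not a complete signature set, and a file with no hit still deserves a look if it changed when you didn't update anything.

```python
import base64
import hashlib
import os
import re
import tempfile

# Patterns that rarely appear in legitimate plugin or theme code but are the
# bread and butter of injected PHP backdoors.
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of a decoded payload"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
     "preg_replace with the /e modifier (executes the replacement)"),
    (re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
     "shell command built from request input"),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("),
     "request parameter called as a function"),
]
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

# Constructed samples (not real malware from any site): a clean plugin file,
# the same file with an eval(base64_decode()) dropper appended, and a PHP
# shell planted in the uploads directory.
CLEAN_PHP = "<?php\n/* Plugin Name: Hello */\nfunction hello() { return 'hi'; }\n"
DROPPER = base64.b64encode(b"if (isset($_POST['c'])) { system($_POST['c']); }").decode()
INFECTED_PHP = CLEAN_PHP + f"<?php eval(base64_decode('{DROPPER}')); ?>\n"
UPLOAD_SHELL = "<?php preg_replace(\"/.*/e\", $_REQUEST['p'], \"\"); ?>\n"


def scan_text(text, depth=0):
    """Match the patterns, then decode any base64 arguments and scan those too."""
    hits = [label for pattern, label in SUSPICIOUS if pattern.search(text)]
    if depth < 3:  # nested encodings are common; bound the recursion anyway
        for match in B64_ARG.finditer(text):
            try:
                inner = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            hits.extend("decoded: " + h for h in scan_text(inner, depth + 1))
    return hits


def hash_tree(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(old, new):
    """What changed since the baseline: the File Monitor plugin's core idea."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def scan_file(root, rel):
    """Content patterns plus one location rule: PHP has no business in uploads."""
    with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
        hits = scan_text(fh.read())
    if rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
        hits.append("php file under wp-content/uploads")
    return hits


def write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Baseline a clean install, 'infect' it, then report what changed and why it looks bad."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "wp-content/plugins/hello/hello.php", CLEAN_PHP)
        write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        baseline = hash_tree(root)
        write(root, "wp-content/plugins/hello/hello.php", INFECTED_PHP)
        write(root, "wp-content/uploads/2012/08/x.php", UPLOAD_SHELL)
        changes = diff_baseline(baseline, hash_tree(root))
        report = {rel: scan_file(root, rel) for rel in changes["added"] + changes["modified"]}
        return changes, report


if __name__ == "__main__":
    changes, report = demo()
    print(changes)
    for rel, hits in report.items():
        print(rel, "->", hits or "no pattern hit (still review it)")
```

In practice the baseline is taken right after a clean install or update and stored off the server (an attacker who can write files can also rewrite a baseline kept next to them), and the diff is run on a schedule so that the months-long dwell time from Myth #7 becomes a day.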

Page 25: WordPress Security Essentials WordCamp Denver 2012

6 – CREATE A MAINTENANCE PLAN

- Plan to log in to all your sites at least once a month and update WordPress, plugins and themes

- Consider using InfiniteWP to manage multiple sites from a single control panel: http://infinitewp.com/

- Follow @wpsecuritylock and @sucuri_security to stay current on the latest security threats

- Update passwords and wp-config.php salts regularly (new salts invalidate every existing login cookie, which is exactly what you want after a compromise)

Page 26: WordPress Security Essentials WordCamp Denver 2012

7 – BEST PRACTICES

- Don't allow users to register (Settings > General) unless your site actually needs it

- Always hold comments for moderation and use spam filtering (e.g. Akismet)

- Don't use your username as your Display Name; the display name is shown publicly, and it hands an attacker half of the login

- Use SFTP for file transfers and secure (TLS) SMTP for email (ask your web host)

- Rename the database table prefix when you first install WordPress, or later using a plugin: http://www.seoegghead.com/software/wordpress-table-rename.seo. This only blunts automated SQL injection that hard-codes the default wp_ table names; it is no substitute for updating.
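The salts mentioned under step 2 and step 6 and the table prefix above both live in wp-config.php, and both are easy to check mechanically. This added example (my code, not the talk's and not part of WordPress) audits a constructed wp-config.php for default salts, the wp_ prefix and WP_DEBUG, and rewrites the eight keys and salts with fresh random values. The sample config, the 32-character minimum and the salt alphabet are my assumptions; the eight constant names and the "put your unique phrase here" placeholder are what wp-config-sample.php ships with.

```python
import re
import secrets
import string

# The eight keys and salts WordPress uses to sign authentication and nonce cookies.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

# define('NAME', 'value');  -- single-quoted PHP string literal, escapes allowed.
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\);")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)';")
DEBUG_RE = re.compile(r"define\(\s*'WP_DEBUG'\s*,\s*true\s*\);")

# Constructed sample of a never-hardened wp-config.php (not a real site's file).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'password123');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix  = 'wp_';
define('WP_DEBUG', true);
"""


def parse_defines(text):
    """Map of every define('X', 'string') in the file (unquoted values are skipped)."""
    return {name: value for name, value in DEFINE_RE.findall(text)}


def new_salt(length=64):
    """64 random characters; quote and backslash are left out so the PHP literal stays valid."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_salts(text):
    """Return the config with all eight keys/salts replaced. Every logged-in session is invalidated."""
    def replace(match):
        name = match.group(1)
        if name in SALT_KEYS:
            return f"define('{name}', '{new_salt()}');"
        return match.group(0)
    return DEFINE_RE.sub(replace, text)


def audit(text):
    """Findings a monthly maintenance check should raise against wp-config.php."""
    findings = []
    defines = parse_defines(text)
    for key in SALT_KEYS:
        value = defines.get(key, "")
        if value == PLACEHOLDER or len(value) < 32:  # assumed minimum length
            findings.append(f"salt: {key} is missing, default, or shorter than 32 characters")
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("prefix: table prefix is the default 'wp_'")
    if DEBUG_RE.search(text):
        findings.append("debug: WP_DEBUG is on; error output leaks paths and queries to visitors")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
    hardened = rotate_salts(SAMPLE_CONFIG)
    print(hardened)
    print("remaining:", audit(hardened))
```

Rotating the salts is the one step here that is safe to automate blindly: it changes nothing in the database, and its only side effect, logging everyone out, is the desired one. Changing the prefix is not: every table has to be renamed and the usermeta and options rows that embed the prefix in their keys updated, which is why the slide points at a plugin for it.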

Page 27: WordPress Security Essentials WordCamp Denver 2012

7 – BEST PRACTICES CONTINUED

- Host your site with a good web host who keeps the server software updated and doesn't thwart your automatic backups

- Use plugins with caution: recently updated and a going concern

- Use themes with caution: have a "relationship" with your theme developer so you know when he/she makes security updates

- Submit sites to Google Webmaster Tools. In preferences, turn ON email notifications so you hear about malware detections and crawl errors: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html

Page 28: WordPress Security Essentials WordCamp Denver 2012

8 – HARNESS POWER OF .HTACCESS

- .htaccess is a hidden (dot-prefixed) per-directory configuration file for Apache web servers

- .htaccess can restrict access to specific files and folders

- Use caution! A single typo in .htaccess takes the whole site down with a 500 error, so keep a copy of the working file before you edit it

http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676

Page 29: WordPress Security Essentials WordCamp Denver 2012

8 - .HTACCESS TRICKS

In the root .htaccess, add:

    # Prevent directory browsing
    Options -Indexes

    # Protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

(Options -Indexes, not Options All -Indexes: Apache rejects a line that mixes plain option names with +/- ones.)

Limit access to the WordPress Dashboard: in the wp-admin folder, add an .htaccess file with the following, where 99.999.999.999 is a placeholder for your own public IP address. Test to make sure it doesn't interfere with any plugins or Ajax functionality: admin-ajax.php lives in wp-admin and is requested by ordinary visitors' browsers, so themes and plugins that use it will break behind this rule unless you exempt that file. It also only works if you connect from a fixed address.

    order deny,allow
    allow from 99.999.999.999
    deny from all

Both snippets use the Apache 2.2 access-control syntax; on Apache 2.4 the same restrictions are written with the Require directive (Require all denied, Require ip ...).

Tip: You can also move the wp-config.php file up one level (just above the public_html folder); WordPress looks in the parent directory automatically, and a misconfigured server can no longer serve the file as plain text. Be sure your backup plugin still runs okay after doing this.

Page 30: WordPress Security Essentials WordCamp Denver 2012

RESOURCES

- WordPress.org

  - Hacked: http://wordpress.org/tags/hacked

  - Malware: http://wordpress.org/tags/malware

  - http://codex.wordpress.org/Hardening_WordPress

  - http://codex.wordpress.org/WordPress_Backups

  - http://codex.wordpress.org/FAQ_My_site_was_hacked

- wpsecuritylock.com - resources and services for securing sites

- sucuri.net - Free site scanning, reasonable rates for monitoring and fixing your sites

- wpsecuritychecklist.com – off-site monitoring

Page 31: WordPress Security Essentials WordCamp Denver 2012

EXPLOIT INFORMATION

- Badwarebusters.org

- wpsecure.net - Updated lists of vulnerable WordPress plugins

- spotthevuln.com - Helping developers understand security - examples of bad coding

- Security/Exploit Databases:

  - http://securityreason.com/exploit_alert/

  - http://secunia.com/advisories/search/?search=wordpress

  - http://exploit-db.com

Page 32: WordPress Security Essentials WordCamp Denver 2012

OTHER PRESENTATIONS

- Awesome slideshow and great video on how to hack a site in 2.5 minutes: http://perezbox.com/2012/06/wordcamp-orange-county-2012-wordpress-security-presentation/

- Great presentation on proper WordPress API usage for plugin and theme development (very technical): http://weblogtoolscollection.com/archives/2011/03/01/mark-jaquith-on-wordpress-themeandplugin-security/

- WordPress Security Webinar: http://blog.sucuri.net/2012/04/lockdown-wordpresssecurity-webinar-with-dre-armeda.html

- How to Stop the Hacker: http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-thehacker-and-ensure-your-site-is-locked.html

Page 33: WordPress Security Essentials WordCamp Denver 2012

ONLINE TOOLS

- Fetch a page as Googlebot to spot hacks that hide from normal browsers: http://www.botsvsbrowsers.com/SimulateUserAgnet.asp

- Decode base64 blobs found in injected code: http://www.tareeinternet.com/scripts/base.html

- http://www.tareeinternet.com/scripts/decrypt.php

Page 34: WordPress Security Essentials WordCamp Denver 2012

CONTACT

- Angela Bowman askwpgirl.com moongoosedesigns.com

- 303.931.8191 twitter.com/askwpgirl facebook.com/askwpgirl.com