WordPress Security from WordCamp NYC 2012

DESCRIPTION

My WordPress Security presentation from WordCamp NYC 2012


WORDPRESS SECURITY BY BRAD WILLIAMS

Brad Williams @williamsba

WHO IS BRAD?

Brad Williams

Co-Founder WebDevStudios.com
Co-Author Professional WordPress & Professional WordPress Plugin Development
Co-Organizer WordCamp Philly
Co-Host WP Late Night

HAPPY BIRTHDAY TO BRAD

…and it’s my Birthday today!

TODAY’S TOPICS

• Security Stats
• Example Hack
• Top Security Tips
• Recommended Plugins & Services
• Resources

SECURITY STATS FOR WORDPRESS

700+ million websites, May 2012 (Netcraft); 300 million websites in 2011 (Pingdom)

10+ billion indexed pages (WorldWebSize)

Projected:
• 1 Billion websites by 2013
• 2 Billion websites by 2015

[Chart: Websites (millions), 2011 to 2015, y-axis 0 to 2500]

WordPress Stats
• 73+ Million WordPress powered websites
• 16% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launches with WordPress
• Projected 300-500 Million WordPress sites by 2015

Web Malware Stats
• 403 Million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 and 2011

In Summary – Be Scared!

HACK EXAMPLE

Link Injection

Hacker bots look for known exploits (SQL Injection, folder permissions, etc.)

This allows them to insert spam files/links into your WordPress Themes, plugins, and core files.

Hosting account contained two separate websites: a WordPress install and a WordPress Multisite install.

Hacker bot dropped a malicious file on the WP Multisite install.

WordPress Multisite starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.

WP Multisite contains no spam links; it acts as a carrier to spread the contamination.

Cleaning up the WordPress website only resulted in more spam links a few days later.

375 spam links per page, only shown to search engines.

Scared Yet?

TOP SECURITY TIPS FOR WORDPRESS

That’s It! Good luck!

1. Update Update Update

Keep WordPress Updated!

Minor WordPress versions (i.e. 3.3.x) do NOT add new features. They contain bug fixes and security patches.

Update Those Plugins!

The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.

NO EXCUSES! UPDATE!

2. Use Secret Keys

Some secrets should remain secrets.

1. Edit wp-config.php

A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.

2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt

BEFORE

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

AFTER

define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');

Do you login with username admin?

3. Delete the Admin user account

Change the admin username in MySQL:

UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';

Or create a new account with administrator privileges:
1. Create a new account. Make the username very unique.
2. Set account to Administrator role.
3. Log out and log back in with new account.
4. Delete admin account.

WordPress will allow you to reassign all content written by admin to an account of your choice.

WordPress lets you set the username during the installation process!

DON'T USE ADMIN!

Knowing your username is half the battle. Don't make it easy on the hackers.

4. File and Folder Permissions

What folder permissions should you use? Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755

Start with the default settings above.

If your host requires 777…SWITCH HOSTS!

Or via SSH with the following commands:

find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
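The rule of thumb above is easier to enforce once you can see what deviates from it. The script below is an added example, not from the slides: it lists every directory that is not 755 and every file that is not 644 (world-writable entries first), then applies the two chmod commands above. It assumes GNU find (for -printf) and runs against a constructed sample tree, not a real site.

```sh
# Added example: audit a WordPress tree against the 644/755 rule of thumb before fixing it.
# Assumes GNU find (for -printf); the sample tree below is constructed, not a real site.

# Lists every directory not set to 755 and every file not set to 644 under $1,
# world-writable entries (the "777" case) first. Returns 0 if clean, 1 otherwise.
audit_wp_perms() {
    root="$1"
    # -perm -o+w matches anything "others" may write to; %m prints the octal mode.
    find "$root" -perm -o+w -printf 'WORLD-WRITABLE %m %p\n'
    # A bare octal mode with no - or / prefix means "exactly these bits".
    find "$root" -type d ! -perm 755 -printf 'DIR-NOT-755    %m %p\n'
    find "$root" -type f ! -perm 644 -printf 'FILE-NOT-644   %m %p\n'
    deviations=$(find "$root" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) | wc -l)
    [ "$deviations" -eq 0 ]
}

# Applies the defaults from the slides (755 for directories, 644 for files) under $1.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Demo on a constructed tree: a 777 uploads directory and an executable PHP file.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf '<?php\n' > "$demo/wp-content/uploads/index.php"
chmod 777 "$demo/wp-content/uploads"
chmod 755 "$demo/wp-content/uploads/index.php"
if audit_wp_perms "$demo"; then echo "clean"; else echo "deviations found, applying defaults"; fi
fix_wp_perms "$demo"
if audit_wp_perms "$demo"; then echo "clean after fix"; fi
rm -rf "$demo"
```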

5. Move wp-config.php

WordPress features the ability to move the wp-config.php file one directory above your WordPress root.

This makes it nearly impossible for anyone to access your wp-config.php file from a browser, as it now resides outside of your website’s root directory.

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.

If WordPress is located here:

public_html/wordpress/wp-config.php

You can move your wp-config.php file to here:

public_html/wp-config.php

6. Lock Down WP Login and WP Admin

Add the code below to wp-config.php to force SSL (https) on login:

define('FORCE_SSL_LOGIN', true);

Add the code below to wp-config.php to force SSL (https) on all admin pages:

define('FORCE_SSL_ADMIN', true);

Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.
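Tips 2 and 6 both live in wp-config.php, so both can be verified from the shell. The script below is an added example, not from the slides: it flags keys and salts that are missing, still hold the placeholder phrase, are reused, or are shorter than 64 characters (the length the WordPress.org generator emits; treating that as the minimum is this example's assumption), and checks that FORCE_SSL_ADMIN is true. It parses the single-quoted define() form WordPress ships, and the sample file it runs on is constructed.

```sh
# Added example: audit a wp-config.php for the secret-key (tip 2) and forced-SSL (tip 6) settings.
# Handles the single-quoted define() form WordPress ships; the sample below is constructed.
KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Prints the string value of define('$2', '...') from file $1, or nothing if it is not defined.
wp_define_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2',[[:space:]]*'\(.*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Prints one finding per line; returns the number of findings (0 means the file passes).
audit_wp_config() {
    cfg="$1"; findings=0; seen=""
    for k in $KEYS; do
        v=$(wp_define_value "$cfg" "$k")
        if [ -z "$v" ]; then
            echo "MISSING  $k"; findings=$((findings + 1))
        elif [ "$v" = "put your unique phrase here" ]; then
            echo "DEFAULT  $k still holds the placeholder phrase"; findings=$((findings + 1))
        elif [ "${#v}" -lt 64 ]; then   # assumption: generator output is 64 characters
            echo "SHORT    $k is only ${#v} characters"; findings=$((findings + 1))
        fi
        if [ -n "$v" ]; then seen=$(printf '%s\n%s' "$seen" "$v"); fi
    done
    # Every key and salt must be distinct; uniq -d prints each value that occurs more than once.
    reused=$(printf '%s\n' "$seen" | sort | uniq -d | wc -l)
    if [ "$reused" -gt 0 ]; then
        echo "REUSED   $reused value(s) are shared between keys/salts"; findings=$((findings + 1))
    fi
    # FORCE_SSL_ADMIN forces https on the admin screens as well as the login page.
    if ! grep -Eq "^[[:space:]]*define\([[:space:]]*'FORCE_SSL_ADMIN',[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "NO-SSL   FORCE_SSL_ADMIN is not set to true"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed "before" file: placeholder secrets and SSL forced on login only.
demo=$(mktemp)
cat > "$demo" <<'EOF'
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define('FORCE_SSL_LOGIN', true);
EOF
audit_wp_config "$demo" || echo "findings: $?"
rm -f "$demo"
```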

1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.*

Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin.

7. Use Trusted Sources for Themes & Plugins

WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

The only safe site reviewed was WordPress.org.

Most themes included base64() encoded text links to promote various services.
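The finding above (encoded links bundled in themes) is something you can check for before a theme is activated, and the same check covers the search-engine-only spam links from the hack example. The script below is an added example, not from the slides or from any plugin named on this page: it greps a theme or plugin directory for the obfuscation and cloaking idioms such injections rely on and lists the matching PHP files for manual review. The pattern list is this example's own, the sample theme files are constructed, and a match is a lead, not proof.

```sh
# Added example: list PHP files in a theme/plugin directory that contain obfuscation or
# search-engine cloaking idioms worth a manual look. Sample files below are constructed.

# Each line is an extended regex; a hit means "review this file", not "this is malware".
PATTERNS='base64_decode[[:space:]]*\(
eval[[:space:]]*\(
gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(
HTTP_USER_AGENT.*(googlebot|bingbot|slurp)'

# Prints "PATTERN<TAB>file" for each suspicious PHP file under $1; returns 1 if any hit, else 0.
scan_theme_dir() {
    report=$(printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
        # -l prints only file names; -i catches mixed-case spellings; -- ends option parsing.
        find "$1" -type f -name '*.php' -exec grep -lEi -- "$pat" {} + 2>/dev/null |
            while IFS= read -r f; do printf '%s\t%s\n' "$pat" "$f"; done
    done | sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Demo on a constructed theme: one clean template and one with the idioms above (placeholder string).
demo=$(mktemp -d)
mkdir -p "$demo/theme"
cat > "$demo/theme/header.php" <<'EOF'
<?php // constructed clean file
get_header();
EOF
cat > "$demo/theme/footer.php" <<'EOF'
<?php // constructed sample for the scanner; PLACEHOLDER is not real content
if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) { echo base64_decode('PLACEHOLDER'); }
EOF
scan_theme_dir "$demo/theme" || echo "review the files listed above before activating this theme"
rm -rf "$demo"
```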

8. Be Secure Locally

Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!

Keep your computer up to date
• Ensure you’re patching or installing updates ASAP
• Automatic updates rock!

Install an anti-virus solution
• Ensure you’re keeping definitions current
• Automatic updates aren’t a bad idea here either!

Yes, personal firewalls still apply!

It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?

Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.

Connecting To Your Site(s)
Consider using sFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don’t store your credentials in your FTP client.

9. Use a Trusted Host

You get what you pay for…

"At the end of the day, hosting providers market the world. You, in turn, should have the opportunity to know how they’re going to protect you."

Your Lovely Host!

• Cheap doesn’t always mean best, or safe!!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?

Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!

10. Use Common Sense

• Use a strong password
  • BAD: bradisawesome
  • GOOD: SCrEE79joLly$
  • A=@, E=3, S=$, O=0 (This is not unique, they know this)
• Update passwords regularly (Monthly, make a schedule)
• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)
• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)

PLUGINS & SERVICES FOR WORDPRESS

Login Lockdown

http://wordpress.org/extend/plugins/login-lockdown/

BulletProof Security

http://wordpress.org/extend/plugins/bulletproof-security/

• .htaccess lockdown rules for various directories (root, wp-admin, etc)
• Security status scanner for folder/file permissions and file checks
• Very well documented

Secure WordPress

http://wordpress.org/extend/plugins/secure-wordpress/

• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!

Exploit Scanner

http://wordpress.org/extend/plugins/exploit-scanner/

• Scans your files and database for potentially malicious code
• Does not remove code, only detects it

Sucuri (http://Sucuri.net)

• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/
• Website monitoring
• Hack cleanup services
• Sucuri Security Plugin
  • Free to clients
  • Web Application Firewall
  • Integrity Monitoring
  • Auditing
  • Hardening

RESOURCES FOR WORDPRESS

• Security Related Articles
  • http://codex.wordpress.org/Hardening_WordPress
  • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html

• Clean a Hacked Site
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://www.marketingtechblog.com/wordpress-hacked/

• Support Forums
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware

CONTACT BRAD

Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad

Professional WordPress Second Edition coming December 2012!