Transcript
Page 1: WordPress Security for Small Business Owners
Page 2: WordPress Security for Small Business Owners


Table of Contents

First Things First - WordPress.com vs. WordPress.org

WordPress: The Most Hacked CMS Available?
  The Problem
  The Reasons
  The Proof

Don’t Throw the Baby Out With The Bathwater
  Why We Love WordPress

The Solution
  Hardening WordPress
  No Security Is Ever 100%
  The Plan (3 Phases)

Phase 1: Secure Your Foundation
  Harden WordPress Authentication
  Move the wp-config.php File
  Schedule Regular Backups
  Perform All Updates & Upgrades
  Secure File & Directory Permissions
  Remove the Version Number
  Clean Up User Profiles

Phase 2: Preventive Maintenance
  Eliminate Spam Comments
  Limit Login Attempts
  File Monitoring

Phase 3: Already Hacked?
  Stay Calm
  Check Your Machine & Change Passwords
  Remove Infected Files
  Reinstate the Latest Known “Clean” Version Of The Site
  Perform & Test All Security Measures

Extreme Security Measures
  Password Protect Admin Directory
  Modify Your Content Directory

Next Steps

Your Checklist

Resources

Glossary

About the Author


Page 3: WordPress Security for Small Business Owners

First things First: WordPress.com vs. WordPress.org

WordPress, as a software platform, really comes in two flavors.

WordPress.com

The online version of WordPress allows users to quickly create their own blogs in a matter of minutes. There are approximately 200 templates to choose from and they can be customized. WordPress.com does not allow you to add new plugins or modify the code at all. This can really limit the flexibility for small business owners.

WordPress.org

This version requires the software to be installed and hosted by you but allows you to upload your own themes, upload plugins and most importantly, have complete access to the code so that you can modify the software to fit your exact needs. For small business owners, with expansion and flexibility in mind, this is the “flavor” of choice.

For more information on the differences between WordPress.com and WordPress.org – click here.

This ebook largely deals with plugin and setup security for those that are using their own self-hosted version of WordPress. Many of the takeaways are applicable to any content management system (CMS), but the tasks and language are specific to the WordPress.org backend.

Page 4: WordPress Security for Small Business Owners

WordPress: One Of The Most Hacked CMS Of 2013!

Let me start off by saying:

I love WordPress. As a web developer with over 14 years of experience, WordPress has turned into my company’s “go-to” publishing platform for most of our clients’ sites.

Why? Because it works! Over the past few years we have built over one hundred WordPress websites and we still use it to this day. That isn’t to say that all great things don’t have flaws...

Case In Point: Pizza with Anchovies. Yuck!

Page 5: WordPress Security for Small Business Owners

The Problem

As business owners, we typically run around wearing many different hats. We get in early and we work late. We work weekends and holidays. We don’t have a whole lot of extra time and money to be wasting in areas that don’t help our businesses. Unfortunately, one of the areas that is almost never a concern (until it is too late) is website security.

Like identity theft in the personal realm, website security breaches have drastic implications for site owners. A compromised website can cost its owner:

Time

Many website owners do not take the proper precautions against website hacking, so recovering from a hacked site can be time consuming. Often, businesses have to start from scratch.

Money

Once your site is compromised, it has to be fixed. Whether you hire a web developer at $100 an hour or a security expert at $250 an hour, these charges add up and they add up fast.

Reputation

The most devastating loss for any business owner when their site is hacked is loss of online reputation. Even though you aren’t the one performing the malicious acts you could still suffer from decreased email deliverability and loss of search engine placement.

Additional consequences of a compromised website include (but aren’t limited to):

Having your website completely “blacklisted” from search engines
Decrease in page rank which directly impacts where you show up in the search results
Having your hosting account shut down or suspended until the site is fixed
Exposure of your site visitors to malicious software
Loss of web content
Instant loss of confidence from your web site visitors

From one business owner to another... Think about it. How much spare time (money, energy, resources, traffic, leads...) do you really have?

Page 6: WordPress Security for Small Business Owners


The Reasons

Let’s get this part clear: every server and every website in the world faces hacking attempts. However, WordPress is now being singled out for a couple of reasons:

Popularity

According to Google Trends, WordPress is the fastest growing web-publishing platform available.

In 2012, WordPress ran on nearly 73,500,000 websites around the world. It powers 22 out of every 100 new websites in the US and currently holds nearly 54% of the content management system (CMS) market share.

Open Source

WordPress is vulnerable to compromises because the software is open source. Because they have access to the code, a large developer community exists where programmers from around the world are constantly adding plugins and extensions that make WordPress a more powerful tool for small businesses.

The downside of open source software is that hackers from around the globe ALSO have access to the code. The second a new distribution is released, these jerks start poring through the code looking for ways to exploit it.

The Proof

Although WordPress developers work extremely hard to keep hackers out, they still manage to find ways in. According to the National Vulnerability Database at the National Institute of Standards and Technology, WordPress is one of the most vulnerable open-source CMS platforms. And although the table below was created in Q1 of 2013, WordPress, Joomla!, and Drupal have already had their fair share of vulnerabilities.

For additional information, check out Yoast.com’s WordPress: A Global Phenomenon Infographic.

[Table: reported vulnerabilities per year, 2008 through 2013, for WordPress, Joomla! and Drupal (National Vulnerability Database, as of Q1 2013). The per-platform counts did not survive extraction.]

Page 7: WordPress Security for Small Business Owners

If WordPress is the most exploited CMS being used today, the answer is simple...

STOP using Wordpress, right?

Not so fast!

My grandmother used to say ...

“Don’t Throw the Baby Out With the Bathwater.”

I always thought she was just a little crazy, but apparently this is a common idiom dating back over 500 years. (Check it out here)

What Gram was saying was: Don’t get rid of something good, just because there are some parts you aren’t happy with.

Let’s take a few seconds and remember why we chose WordPress in the first place.

6 Reasons to Love WordPress!

Great functionality out of the box
Free to download at Wordpress.org
Search engine optimized
Easily extendable with thousands of plugins
Constant development (it is getting better)
You can “DIY” (do it yourself)

Abandonment isn’t the solution, being prepared is.

As a web developer that has built custom content management systems for over a decade, I can honestly say, WordPress is a great tool. We shouldn’t be afraid to use it. As business owners, we just need to be smart when we implement it.

Smart implementation means secure implementation.

Page 8: WordPress Security for Small Business Owners

The Solution

Now we know WordPress is going to be our content management system of choice.

Question: How can we take advantage of all that WordPress offers us while at the same time keeping our systems and websites locked down and secure?

Answer: System hardening.

Hardening

In computing, hardening a system refers to the process of securing a system by reducing its surface of vulnerability. The lower the number of vulnerabilities, the more secure the system becomes. The steps outlined in this ebook help you lower your site’s vulnerabilities.

No Security is Ever 100%

The FBI, the White House, and the Department of Justice have all been hacked.

You’re thinking, “The FBI?! Really? Security is their thing and they still got hacked? Well, I must be doomed.”

No offense, but you’re probably not the focus of those kinds of hackers. The people we are more concerned with are opportunistic hackers looking to make money by placing hidden links on your site, using your mail server to send out spam, or through other malicious activities. What makes these guys (and gals) easy to deter is the fact that they’re lazy. They write programs that automatically scan the Internet looking for sites that meet specific criteria (e.g. specific software versions, default usernames and passwords). Once these sites are identified, the hackers go to work.

Page 9: WordPress Security for Small Business Owners

The Plan: 3 Phases

To deter hackers, we will implement a three-phase strategy. Everybody will perform the first two phases. The third phase is saved for those whose website has already been compromised (hacked). Again, although this ebook has been written with WordPress in mind, these steps are valid for any modern-day content management system.

PHASE 1: Secure Your Foundation

When WordPress was initially installed on your web host (where you purchased your hosting, sites like GoDaddy, Bluehost, or DreamHost) certain default values were likely used. The first phase of the security plan is to go through your current installation and make these default values more secure.

PHASE 2: Preventive Maintenance

Once we have your WordPress foundation secured, we want to look at your site the way hackers do. We will eliminate spam, block “spammy” comments, add CAPTCHAs to forms, limit login attempts, etc. These are all steps that we will take to “reduce our surface of vulnerability.”

PHASE 3: Already Hacked?

Last but not least … if your site has already been compromised, we will walk you through the process of regaining control and implementing tactics that reduce the chance of future infections.

Page 10: WordPress Security for Small Business Owners

Phase 1: Secure Your Foundation

Hardening the foundation of a WordPress installation is a relatively simple but tedious task. While not incredibly technical in nature, it is very important that whoever performs these functions understands the basic workings of WordPress and the site’s database. The following is a brief list of actions to perform.

Harden WordPress Authentication

Authentication (the requirement of a user name and password) is your first line of defense against unauthorized users gaining access to your site. Below is a list of the authentication elements that you should change.

Database Name
Database Table Prefixes
Database Username
Database Password
Administrative Username
Administrative Password
Cookie Encryption
Force SSL Login (If SSL)

Move the wp-config.php File

In WordPress, the wp-config.php file lives in the directory where you loaded the software. It contains all of the pertinent connection information about your WordPress site including database name, database username, database passwords, database table prefixes, etc. If an unauthorized user gains access to this file they will have complete control of your database.

WordPress allows you to move this file up one directory in your hosting server without having to change any configuration variables or templates. Do it.

Schedule Regular Backups

The single largest part of being prepared for a website compromise is having backup files ready that you know are safe. Backup files should be complete, clean and easy to access. Make sure that when you create your backup files you backup both the WordPress files AND the WordPress database. In the event of a total corruption you may need both.

WordPress file backups are typically scheduled through your hosting control panel and WordPress database backups can easily be scheduled through a WordPress plugin like WP DB Backup.

DEVELOPER TIP: FREE Gmail accounts are a great place for backups to automatically be sent.

Page 11: WordPress Security for Small Business Owners

Perform All Updates & Upgrades

Upgrades and updates to WordPress, your theme, and any plugins that you have running on your site are usually done for one of three reasons:

To add new functionality
To fix a bug
As a security patch

Make sure you stay on top of these updates ESPECIALLY when security issues are involved. WordPress is great about notifying users of available updates on their dashboards. Additional information can be seen here in a video we shot for Black Dog Education.

Secure File & Directory Permissions

File and directory permissions are used to determine which users can do certain things to your files. Some can edit, some can read and some can execute.

Double check your permissions:

PHP files should be set to 644
Directories should be set to 755
Uploads directories will likely need to be set at 777

Permissions can be modified by some FTP programs or through your web host’s online file manager.

BE CAREFUL – Incorrect permissions can cause your site to stop working.
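A quick audit for the permissions just described, added here as an example and not taken from the ebook: it lists every file that is not 644 and every directory that is not 755, and separately warns about anything world-writable so the 777 uploads case stays a deliberate choice. It assumes a Linux host with GNU find and stat, and builds a small constructed sample tree to run against.

```sh
#!/bin/sh
# Added example (not from the ebook): audit a WordPress tree against the
# baseline the text gives (files 644, directories 755) and warn about every
# world-writable path. Requires GNU find/stat (Linux).

# audit_wp_perms ROOT: print one finding per line (no output = clean).
audit_wp_perms() {
    root=$1
    # Directories that are not 755
    find "$root" -type d ! -perm 755 -exec sh -c '
        for d; do printf "DIR  %s  %s  (expected 755)\n" "$(stat -c %a "$d")" "$d"; done
    ' sh {} +
    # Regular files that are not 644
    find "$root" -type f ! -perm 644 -exec sh -c '
        for f; do printf "FILE %s  %s  (expected 644)\n" "$(stat -c %a "$f")" "$f"; done
    ' sh {} +
    # Anything writable by "other" (the 777 case): acceptable only where you meant it
    find "$root" -perm -002 -exec sh -c '
        for p; do printf "WARN world-writable  %s\n" "$p"; done
    ' sh {} +
}

# count_findings ROOT: number of findings, usable as an exit status from cron.
count_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# make_sample_tree: constructed miniature site with two deliberate problems
# (a 666 wp-config.php and a 777 uploads directory); prints its path.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-admin" "$tmp/wp-content/uploads"
    printf '<?php // constructed sample\n' > "$tmp/index.php"
    printf '<?php // constructed sample\n' > "$tmp/wp-config.php"
    printf 'jpegdata' > "$tmp/wp-content/uploads/photo.jpg"
    chmod 755 "$tmp" "$tmp/wp-admin" "$tmp/wp-content"
    chmod 644 "$tmp/index.php" "$tmp/wp-content/uploads/photo.jpg"
    chmod 666 "$tmp/wp-config.php"        # problem: world-writable configuration
    chmod 777 "$tmp/wp-content/uploads"   # the uploads case the text mentions
    echo "$tmp"
}

# Demo on the constructed tree: expect four findings
sample=$(make_sample_tree)
audit_wp_perms "$sample"
echo "findings: $(count_findings "$sample")"
rm -rf "$sample"
```

Run it against your real site root after changing permissions through your FTP program or hosting file manager, and again on a schedule; any output means something has drifted from the baseline.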

Remove the Version Number

The fastest way for a hacker to know how to compromise your website is to know what version of WordPress you are using. By default, WordPress tells them exactly what they need to know with a little snippet of code that looks like this:

<?php bloginfo('version'); ?>

Most places will instruct you to remove the version from the header.php file but this isn’t the only place this shows up. Depending on your theme and version it can also show up in your RSS feeds among other places. To read more about the proper way to remove this code throughout multiple files, check out our blog post about it here.
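A check for the leaks described above, added here as an example rather than code from the ebook: it scans saved copies of your home page and RSS feed for the generator meta tag, the feed’s <generator> element, and ?ver= query strings on plugin and theme assets (the case the CAUTION on this page raises). The sample HTML and feed are constructed, and www.yourdomain.com is the placeholder used elsewhere in this ebook.

```sh
#!/bin/sh
# Added example (not from the ebook): find the places the WordPress version
# string shows up in a page or feed. Reads HTML/XML on stdin.

# find_version_leaks: print one LEAK line per match (prints nothing if clean).
# Matches: <meta name="generator" ...>, <generator>...</generator>,
# and any src= or href= value carrying a ?ver= or &ver= query string.
find_version_leaks() {
    grep -o -i -E \
        '<meta[^>]*name="generator"[^>]*>|<generator>[^<]*</generator>|(src|href)="[^"]*[?&]ver=[^"]*"' \
        | sed 's/^/LEAK /'
}

# count_version_leaks: number of matches, handy as an exit status in a cron job.
count_version_leaks() {
    find_version_leaks | wc -l | tr -d ' '
}

# Constructed sample of an unhardened header and feed. The version 0.0.0 is a
# placeholder, not a real release.
SAMPLE_HTML='<head>
<meta name="generator" content="WordPress 0.0.0" />
<link rel="stylesheet" href="http://www.yourdomain.com/wp-content/themes/demo/style.css?ver=0.0.0" />
<script src="http://www.yourdomain.com/wp-content/plugins/demo/demo.js?ver=0.0.0"></script>
</head>'
SAMPLE_FEED='<rss><channel><generator>http://wordpress.org/?v=0.0.0</generator></channel></rss>'

# The same header after hardening: no generator tag, no ?ver= on assets.
HARDENED_HTML='<head>
<link rel="stylesheet" href="http://www.yourdomain.com/wp-content/themes/demo/style.css" />
<script src="http://www.yourdomain.com/wp-content/plugins/demo/demo.js"></script>
</head>'

# Demo: four leaks from the unhardened sample, none from the hardened one
printf '%s\n' "$SAMPLE_HTML" "$SAMPLE_FEED" | find_version_leaks
printf '%s\n' "$HARDENED_HTML" | find_version_leaks
```

Against a live site, pipe in the page itself: curl -s http://www.yourdomain.com/ | find_version_leaks (and the same for your feed URL).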

Clean Up User Profiles

The last step in this phase of your security audit is to clean up the user profiles. By default, WordPress comes with a user by the name “admin”. We know this and so do the hackers. The best way that we can make it difficult for these guys to get in is to delete this default user. We always want to have at least one, preferably two, users with administrative privileges on the system so once you remove the user “admin”, make sure you replace that user with a new one.

When creating administrative users, don’t let the username be the same as the “nicename” that is displayed online.

CAUTION: Many plugins include JavaScript files that may include your WordPress version number as well. If this is the case - contact the developer of the plugin and see if there is a safe way to remove this security risk.

Page 12: WordPress Security for Small Business Owners

Phase 2: Preventive Maintenance

Now that your installation of WordPress is secure at its core, it is time to launch the site and actually let other users on the Interwebz interact with it. Perform the tasks below to keep your site running in tip-top shape.

Eliminate Spam Comments

Akismet is a spam comment blocking plugin. By default, it is installed but not activated on every new version of WordPress. Not only does it block spam comments, it also filters spam links and spam trackbacks. To activate, you need to get an API key through Akismet’s site. Personal and Business accounts are available based on the purpose and amount of usage.

Limit Login Attempts

A common method hackers use to gain access to your website is called a “dictionary attack.” A dictionary attack runs a program that tries logging into your site thousands of times using popular username and password combinations.

Installing an efficient and highly customizable plugin called Limit Login Attempts will place a limit on the number of login attempts that a user can try before they are locked out of your site for a period of time.

File Monitoring

File Monitor Plus is one of my favorite security plugins to date. This plugin monitors your entire file system and alerts you to any changes such as: modified files, removed files and new files.

It does require a little configuration, but once it is set up you can sleep easy.
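A baseline-and-compare check that does what File Monitor Plus is described as doing, added here as an example (it is not the plugin’s code) and equally useful in Phase 3 when you need to find the new or modified files to remove: record the SHA-256 of every file while the site is clean, then diff a fresh scan against that baseline. It assumes GNU coreutils (sha256sum, sort -z) and works on a constructed sample site.

```sh
#!/bin/sh
# Added example (not the File Monitor Plus plugin's code): list new, removed
# and modified files under a site root by comparing against a stored baseline.

# wp_baseline ROOT OUTFILE: record the SHA-256 of every file under ROOT,
# with paths relative to ROOT so the baseline survives a move between hosts.
wp_baseline() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$2"
}

# wp_compare ROOT BASELINE: print NEW / REMOVED / MODIFIED lines, one per path.
# The path is taken from column 67 onward (64 hex chars + two spaces), so
# file names containing spaces are handled.
wp_compare() {
    current=$(mktemp)
    wp_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
         { cur[substr($0, 67)] = $1 }
         END {
             for (p in cur)  if (!(p in base)) print "NEW      " p
             for (p in base) if (!(p in cur))  print "REMOVED  " p
             for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
         }' "$2" "$current" | sort
    rm -f "$current"
}

# make_sample_site: constructed miniature site; prints its path.
make_sample_site() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    printf '<?php // constructed index\n' > "$tmp/index.php"
    printf '<html>readme</html>\n' > "$tmp/readme.html"
    printf 'jpegdata' > "$tmp/wp-content/uploads/photo.jpg"
    echo "$tmp"
}

# simulate_compromise ROOT: the three kinds of change the text describes,
# using harmless constructed content.
simulate_compromise() {
    printf '<?php // appended code (constructed sample)\n' >> "$1/index.php"
    printf '<?php // dropped file (constructed sample)\n' > "$1/wp-content/uploads/cache.php"
    rm -f "$1/readme.html"
}

# Demo
site=$(make_sample_site)
baseline=$(mktemp)
wp_baseline "$site" "$baseline"      # take the baseline while the site is clean
simulate_compromise "$site"
wp_compare "$site" "$baseline"       # MODIFIED index.php, NEW uploads/cache.php, REMOVED readme.html
rm -rf "$site" "$baseline"
```

Keep the baseline file outside the web root and refresh it after every legitimate update, or the next comparison will report every updated file as MODIFIED.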

Page 13: WordPress Security for Small Business Owners

Phase 3: Already Hacked?

This section is for the unfortunate masses that have already had their sites compromised. If this has happened to you, don’t worry! It has happened to the best of us and there is a way out. Use these instructions as your road map back to a safe and secure website.

Without exception, anytime we consult on a compromised website, the client’s initial reaction is to freak out and start shouting orders:

PULL THE BACKUPS! CHANGE THE PASSWORD!

FIX THE INTERNET!

LOCK IT DOWN! CAPS LOCK!

While panicking is completely understandable, it’s the wrong thing to do.

The first step is to stay calm and work with your developer/security team to determine how the site was compromised. I always tell clients, “We need to know how it is broken so that we make sure we fix it properly.” Why change your FTP passwords if the problem was an insecure script?

Page 14: WordPress Security for Small Business Owners


Check Your Machine & Change Passwords

In addition to checking your CMS, make sure you scan your local machine (especially PC users). Make sure your machine isn’t infected with any malware that could be logging your keystrokes and sending your brand new passwords right to the folks that compromised your site in the first place.

Once you are sure that your local machine is safe from keystroke loggers or other malware, then change your passwords to new, secure, non-dictionary ones.

Remove Infected Files

Now that you know your machine isn’t infected and you have successfully changed the site passwords, we can assume that no more connections to your site will be made. This gives you a limited window of opportunity to get things cleaned up. The first step is to remove the infected files. If you are running the File Monitor Plus plugin (discussed in Phase 2), an alert notifying you of modified or new files will be waiting for you on your WordPress Dashboard. Compromised files can take two forms: new files that were added to your site, or existing files that have been modified by adding some malicious code to them.

Whatever files were changed or corrupted, remove or replace them. If the corruption came as a result of a hijacked comment or something within the data on your site, your database may be compromised and need to be reinstalled from your last known good version.

REMEMBER: Website files and database files are different elements.

Reinstate the Latest Known “Clean” Version of the Site

Once the infected files have been removed it is time to open up your file system backup and replace the infected files. In most cases, you will have one, possibly two, infected files. Extreme cases may be cause for the entire site to be replaced. (And that’s why you backup!)

Perform & Test All Security Measures

After the infected files have been removed and replaced with files you know are safe, your site should be back to its original, uninfected status. Once you’re at this status run, don’t walk, back to Phase 1 and perform all of the operations in Phase 1 and Phase 2 so that you can reduce the possibility of being corrupted again.

NOTE: Depending on how old the backups are, you may need to rework the design a little bit or go back in and add some recent content. A small price to pay for regaining control of your website.

Statistics show that once a site has been compromised, the chances of it getting hit again are higher. The hacking community now knows your site is weak and will target it. Preventative measures help.

Having trouble coming up with a secure password? We like the Password Generator from PC Tools.

Page 15: WordPress Security for Small Business Owners

Extreme Security Measures

If you are still having security issues after Phase 1, Phase 2 and even Phase 3, these two final options may be just what you need.

Password Protect Admin Directory

WordPress uses username and password authentication as their method of security for limiting unauthorized access to your WordPress control panel. The login page can be seen by anybody visiting http://www.yourdomain.com/blog_directory/wp-admin.

Normally, the Limit Login Attempts plugin is sufficient for eliminating the possibility of a dictionary attack on your blog login, but for those super paranoid folks, you can actually use your .htaccess file to limit access to this page either by restricting IP addresses (i.e. only show the page to your IP address) or by requiring an additional username and password just to get to the login page.

BE CAREFUL! Most Internet service providers don’t allocate dedicated IP addresses to their customers so if you block access to this page by IP address, be prepared to change this frequently as your IP address may change frequently.

I don’t recommend these steps for everybody because they honestly require more work and are a bit of a hassle. In most cases, they aren’t necessary.

Page 16: WordPress Security for Small Business Owners


Modify Your Content Directory

Many WordPress compromises occur within the default WordPress content directory, for example: http://www.yourdomain.com/blog_directory/wp-content/

One extreme option would be to move the content directory outside of the web-readable directory into a directory where normal web users can’t read or access the files. This is similar to moving our wp-config.php file like we did in Phase 1 but this time we are moving a complete directory with hundreds of files.

This is a feature that is supported by WordPress but please keep in mind that many plugins may look for content in the standard WordPress directory structure so moving your content directory could cause a lot of your plugins, widgets or themes to not work correctly. Proceed with caution.

Another less extreme option is to leave the content directory where it is but restrict access to it. Since WordPress itself never needs the PHP files in the wp-content directory to be requested directly over the web, it is relatively easy within your .htaccess file to restrict access for this directory to just resources (images, scripts, CSS files, etc.)

Page 17: WordPress Security for Small Business Owners

Next Steps

Now that you have braved the last 15 pages of this ebook you can rest assured that you now have more knowledge about website security than 99% of the small business owners in the market today.

So what?

Education without Application is Fascination

Now it is time to put this knowledge into play on your website. Like all things in life … you have options.

Option 1 - You Do It

With the information you just read and the checklist on the next page you have everything you need to perform your own WordPress security audit. To do this comfortably you should understand the basic structure of WordPress, understand your web hosting control panel and be comfortable transferring files to and from your website. If you are – AWESOME! If not, you may want to get some additional help.

Option 2 - Let Us Help You

After the creation of this ebook, we received a lot of feedback about people wanting more help. They felt they could do it themselves if they had a little coaching. This made a lot of sense to us so we created a video training course that lets the users look over our shoulder as we do the work. The video course is a quick, no-frills course showing you specifically how to perform all of the tasks necessary to complete your own security audit. You can get more information about the course at DIYWordpressSecurity.com.

Option 3 - We Do It For You

If after all of this you realized that you either can’t do it or most likely don’t want to do it … that’s OK. We understand completely and have a service where our techno-nerds will do it all for you so that you can focus your time and energy where it will serve you best. You can get more information about this service at DIYWordpressSecurity.com as well.

Page 18: WordPress Security for Small Business Owners

Your Checklist

If you are like me, you definitely want to know why you are doing something, but at the end of the day you need to know how. So, what are the specific steps you need to take to secure your website? That’s what the checklist below is for.

1. Backups

Make full backups of your data immediately, including the database
Schedule regular backups of your data

2. Database

Create a blog-specific database user
Update database name
Update database username
Update database password
Update database table prefix

3. File System

Update your wp-config.php file
Move wp-config.php file up one directory
Force secure login (if you have an SSL cert)
Turn off all directory browsing

4. Users

Remove default admin user
Add new administrative user

5. Update & Install

Update existing WordPress installation
Update existing theme
Update existing plugins (including Akismet with API key)
Install new plugins

Page 19: WordPress Security for Small Business Owners

Resources

Below is a list of resources discussed throughout this book. For the most current information please visit their sites by clicking on the link (if you are connected to the internet) or by copying and pasting the URLs into your web browser.

Plugins

Akismet
Limit Login Attempts
WordPress File Monitor Plus
WP DB Backup
WP Security Scan

Citations

WordPress.com vs. WordPress.org
Google Trends
WordPress Stats
Yoast.com
National Vulnerabilities Database
Wikipedia - Throw The Baby Out...
Wikipedia - Hardening
Gmail
Black Dog Education

Websites

WordPress.org
Black Dog Education
Black Dog Studios
DIY WordPress Security
PCTools.com


Page 20: WordPress Security for Small Business Owners

Glossary

Authentication
Proving that you are who you say you are. This is commonly done through logging on to a website with a password and username.

API Key
API stands for “Application Programming Interface” and an API key is a code that lets users unlock access to different programs and applications. Each API key is unique to an individual user, so it’s important that you keep any API keys you use for plugins (like Akismet) as secure as you would a password.

Backup Files
Copies of important website or database files used to restore your website in the event of a data loss or corruption.

CAPTCHA
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to make sure a form is being submitted by a human and not a computer. CAPTCHAs can take the form of distorted letters and numbers, a question or a math equation.

Content Management System (CMS)
Content Management Systems are used to store and manage all of the contents on a website including pages, content, images, etc.

CSS Files (Cascading Style Sheets)
CSS files dictate the color, layout and fonts of your site.

Directory
A general computing term for a “folder” containing files. On web servers they are called directories; on your desktop it is called a folder.

Hardening
The process of securing a system by reducing its vulnerabilities.

JavaScript
A programming language used on the web to control certain aspects of the user experience (browser control, etc.). Many plugins include their own JavaScript libraries.

Malware
Short for “malicious software”, designed to do bad things to your computer like give others access, share information or make it stop working. This is bad and you DON’T want it.

MySQL
Pronounced “my sequel” or “my S Q L”. This is the database used to store all of the settings and content from your WordPress blog/web site.

Open Source
A philosophy that promotes the free distribution of, and access to, a program or code.

Permissions
The rights that specific users have to files and directories on your web server.

PHP
The scripting language that WordPress is developed in. Since WordPress is open source, any PHP developer can customize it.

Plugins
A small software program used to extend the functionality of your WordPress site.

Scripts
A small program written to perform a specific function or group of functions.

Tables
The data structure in MySQL that stores your data. One table stores all of your user information, another stores all of your settings, etc.

Theme
A theme is a coordinated group of templates, images and stylesheets. These affect the colors, headers, and page layouts of your site. Basic themes are available through WordPress but professionally developed themes are relatively inexpensive and are available through companies like WooThemes or Elegant Themes.

Web Host
A web host is the company that provides you with the space for your web site. Typically your host will also provide email, FTP and limited amounts of support. Examples of some common web hosts include Go Daddy, Bluehost, DreamHost or Black Dog Education.

Widgets
Similar to Plugins, Widgets are small bits of portable code that can be used throughout your website. A typical widget may show a newsletter sign up box, your social media links or the last few posts from your blog.

Page 21: WordPress Security for Small Business Owners

About the Author

Mike Linville, a self-proclaimed “nerd”, began his Internet career by building websites while in college. After college, Mike realized he enjoyed web design and development much more than electrical engineering, so much to his parents’ surprise, he packed his degree away and opened his own web development shop in Sacramento, CA.

For the past 14 years, Mike and his team have remained small and focused on the craft of web development. While most businesses were growing like crazy in the mid 2000’s, Black Dog Studios resisted the urge and instead focused on skill building. Quick growth is often followed by poor quality and Black Dog Studios wasn’t going to go down that path.

“Our success isn’t defined by how many clients we have. It is defined by how many expectations we can exceed. Quality craftsmanship with service … it is what I expect and so should our clients”

- Mike Linville

About Black Dog Education

Custom development and boutique web shops are fine for medium-large businesses that can afford to pay for quality, but what about the small business owners in the world? Are they left to fend for themselves? Who is going to serve their online marketing needs?

In 2009 Mike went to a business seminar with one question in mind. “How can we provide professional quality design, development and marketing advice for small business owners across America?” He came back with the idea for Black Dog Education but no real concrete plan on how to create it. Over the past three years Black Dog Education has evolved into an online training community for small business owners across the globe.

Through its unique training and coaching programs Black Dog Education is becoming the “go-to” resource for web design, web development and online marketing for small business owners.

Brought To You By:

Black Dog Education

DIYWordPressSecurity.com
160 Blue Ravine Road
Folsom, CA 95630
p: (916) 608-2151
w: www.diywordpresssecurity.com