
WordPress Setup and Security - WordCamp, Charleston 2014


DESCRIPTION

Delivered at the first WordCamp in Charleston, SC, in 2014. This presentation covers some of the best practices in setting up and running your WordPress installation so that you don't get hacked or go down. And, just as important, how to make sure that you can recover if something does happen.


Page 1: WordPress Setup and Security - WordCamp, Charleston 2014
Page 2

Don’t Get Hacked! WordPress Security

Michael Carnell - @carnellm
http://www.MichaelCarnell.com

These slides are available at http://www.MichaelCarnell.com/presentations

or http://slideshare.net/carnellm

Page 3

Who is Michael Carnell?

• Currently programmer at MUSC
• Web developer since the old days (HTML, ASP)
• WordPress user since …
• British car devotee
• Train and trolley enthusiast
• Writer / Reader / General Eccentric

Page 4

Why This Presentation?

Because I Don’t Want You To Ever Call Me!

Page 5

The Type of Problems

• External “Acts of God”
  • Hard drive failure
  • Someone leaned on the keyboard
• Collateral Damage
  • DOS (Denial of Service) attacks
  • Shared hosting site hack
• Direct Attacks
  • Hacking the security of your site
  • Vandalism
  • Hijacking - not just the site itself

In the end, our process is still …

Page 6

Three Phase Approach

• Prevent
  • Correct setup
  • Secure and harden
• Monitor
  • Alerts of problems or activity
  • Automated actions
• Recover
  • Backup, backup, backup

Page 7

Before The Setup

Page 8

Secure Your Identity

• Your Domain Name
  • Domain Name Registrar
  • Need not be the same as your host (should not?)
  • Needs to be in YOUR name
  • Privacy? Depends on type of site and you
  • My preferred registrar these days is Hover.com

Page 9

Hosting - The Not So Good

• GoDaddy - common back end database that isn’t secured well and suffers from performance overload, poor support
• Brinkster - has been hacked numerous times
• FreeHostia - slow, free account is very limited, always pushing the upsell
• Doing it yourself – the pros and cons …

Page 10

Hosting - The Good Guys

• BlueHost – My current favorite
• MediaTemple – May not be the cheapest, but very stable and secure. Monitors scripts
• HostGator – I have not used them personally, but have heard good things
• DreamHost – Used to be good, some still like them and use them. They are on my “iffy” list. But watch CPU usage as they will cut off processes

Page 11

The Basic Rules

• Do your research - http://www.MichaelCarnell.com/hosting
• Check their own support forums
• Is there a free trial or money back guarantee?
• If you are a high traffic site (really), you may need a dedicated server or upgraded hosting
• None of this really applies to WordPress.com

Page 12

The Dirty Details for WordPress

Page 13

Install Correctly

• While installing (most will use OneClick) . . .
• Consider your directory. Do you use the standard one? The web root?
• Consider altering the database name if your install allows it
• Make the database username and password long and cryptic. Store them away safely; they are not for everyday use
• Don’t use redundant info - admin name same as username, same as blog name, etc.

Page 14

Double Check the Install

• File level tasks to be done via SFTP . . .
  • Delete ..\wp-admin\install.php
  • In wp-config.php, add the optional security keys - http://api.wordpress.org/secret-key/1.1/
  • Add index.php, a blank file, to all plugin and theme directories if it isn’t already there
  • Check the file and directory permissions (if you are comfortable doing so)

Page 15

Post Install Setup

• Create a new admin user with a strong password
• Change the original admin’s password and give it no role (why not delete it??)
• Make your main admin’s display name different from the login name
• Change the setting to allow editing by outside packages if wanted - but know what you are doing
• Change the “permalink” structure (thank you WP 3.3!)
• Demo Time....

Page 16

As You Build

• Themes and Plug-ins: be safe
  • Consider the source
  • Always be suspicious
  • Again, do your research and ask around
• Consider Search Engine Visibility (under Settings / Reading)
• Put up a Coming Soon or Down for Maintenance screen
• Understand your Discussion Settings

Page 17

Discussion Settings

Page 18

Discussion Settings, part 2

Page 19

Other Hardening

• Disable File Editing – placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:

    define('DISALLOW_FILE_EDIT', true);

• Check out further in depth hardening options at http://codex.wordpress.org/Hardening_WordPress
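The file-level items from the Double Check the Install slide and the DISALLOW_FILE_EDIT setting above can be audited with a small script. This is an added example, not code from the slides; wp_audit, wp_audit_count and make_sample_site are hypothetical helper names, and the two sample trees are constructed inside the script rather than taken from real installs.

```shell
#!/bin/sh
# Added example, not from the slides. Audits a WordPress directory for the
# post-install items: install.php removed, real security keys, DISALLOW_FILE_EDIT,
# index.php in plugin/theme dirs, wp-config.php not world-readable.

make_sample_site() {   # constructed sample tree; "$2" = yes builds the hardened variant
    root="$1"
    mkdir -p "$root/wp-admin" "$root/wp-content/plugins/sample-plugin" \
             "$root/wp-content/themes/sample-theme"
    if [ "$2" = "yes" ]; then
        printf "define('AUTH_KEY', 'constructed-unique-value');\n" > "$root/wp-config.php"
        printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$root/wp-config.php"
        touch "$root/wp-content/plugins/sample-plugin/index.php" \
              "$root/wp-content/themes/sample-theme/index.php"
        chmod 640 "$root/wp-config.php"
    else                # what a fresh one-click install typically looks like
        touch "$root/wp-admin/install.php"
        printf "define('AUTH_KEY', 'put your unique phrase here');\n" > "$root/wp-config.php"
        chmod 644 "$root/wp-config.php"
    fi
}

wp_audit() {           # wp_audit <wordpress root>: prints one line per finding
    root="$1"; cfg="$root/wp-config.php"
    # the installer script is not needed once setup has completed
    [ -f "$root/wp-admin/install.php" ] && echo "FINDING: wp-admin/install.php still present"
    # wp-config-sample.php ships this placeholder; the api.wordpress.org keys replace it
    grep -q 'put your unique phrase here' "$cfg" && echo "FINDING: placeholder security keys in wp-config.php"
    # DISALLOW_FILE_EDIT removes the theme/plugin editor from the dashboard
    grep -Eq "define\('DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" ||
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true"
    # a blank index.php in each plugin/theme directory prevents directory listings
    for d in "$root"/wp-content/plugins/*/ "$root"/wp-content/themes/*/; do
        [ -d "$d" ] && [ ! -f "${d}index.php" ] && echo "FINDING: no index.php in $d"
    done
    # wp-config.php holds the database credentials; other accounts on a shared host must not read it
    [ -n "$(find "$cfg" -perm -o+r)" ] && echo "FINDING: wp-config.php is world-readable"
    return 0
}

wp_audit_count() { wp_audit "$1" | wc -l | tr -d ' '; }   # number of findings, 0 = clean

# Try it on the constructed samples (on a real site: wp_audit /path/to/wordpress)
tmp=$(mktemp -d)
make_sample_site "$tmp/fresh" no;     echo "fresh install: $(wp_audit_count "$tmp/fresh") finding(s)"
make_sample_site "$tmp/hardened" yes; echo "hardened:      $(wp_audit_count "$tmp/hardened") finding(s)"
rm -rf "$tmp"
```

Run it over SFTP-mounted or locally checked-out site files; each FINDING line maps to one bullet on the two slides above.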

Page 20

Security Plugins You Need

• Some more plugins that you should have:
  • Akismet - AntiSpam, comes with the install, you will just need a key
  • Block Bad Queries - blocks code injection through queries
  • Acunetix WordPress Security - basically a security audit & fix
  • AntiVirus or another such plugin

Demo Time Again!

Page 21

Monitor

Page 22

Monitoring Users

• Other plugins to consider:
  • Search Meter - What are your visitors looking for, but also shows extraneous search injections
  • Limit Login Attempts – Helps protect against dictionary attacks
  • ThreeWP Activity Monitor - Shows who did what and when
• Demo Time Again!

Page 23

Monitoring The Site

What do you look like to the world? How do you know if your site goes down?

• Hit your site regularly with different browsers
  • IE, Chrome, Firefox, mobile
  • Do this while not logged in
• Google’s tools
  • What does Google see?
  • Fetch As Google (part of Webmaster Tools)
• Site monitor
  • Such as SiteUptime

Page 24

Who Gets Notified?

Make sure that the address the monitoring alerts go to is not tied to the site or what you are monitoring!

Alert that site is down!

Can’t send alert because the site is down.

Page 25

After The Storm (Recovery)

Page 26

The Key To Recovery Is Good Backup

• Your content is your responsibility, not your host’s
  • They may help you, but not guaranteed
• The only good backup is an automated one
  • You will forget at the worst time
  • Decide on how much you can afford to lose
• A manual backup every now and then doesn’t hurt
  • Before or after a big change, back it up
• Have more than one copy of the backups
  • Different locations
  • Different formats
  • 3-2-1 backup …

Page 27

Simple Backup for WP

• Your content is your responsibility, not your host’s
• Create a GMail account or use your current one with a custom address such as “[email protected]”
• Make a filter that auto files away all email coming in to that address
• Database - WP-DB-Backup
• Images & Themes - WordPress Backup
• Doesn’t hurt to occasionally backup manually too

Page 28

More Complete

• Use a tool such as UpdraftPlus
  • This will backup all files and databases
  • Will transfer those to DropBox, FTP, etc…
• Keep a document of your settings
  • Custom settings you change
  • Menu options
  • Date that you change things
  • Some screen captures
• If you are really safe (paranoid?)
  • Create a test / backup site
  • Can also serve as a fail-over

Page 29

Know How To Restore

• You’ve made a backup, do you know how to use it?
  • Test it occasionally
  • Make sure you know what does and doesn’t get recovered and that you have a work around
• Do you have a place to use it?
  • Alternative hosting or domain
  • Have you tested on a different server?
  • Is your site directory dependent?
• Anticipate the worst case
  • Loss of access to GMail?
  • Corrupt backups
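A restore drill for the points above (test it occasionally, know what does and doesn’t get recovered, corrupt backups), as an added example that is not from the slides or from any of the backup plugins named here. It assumes a file-level backup laid out as one tar.gz holding wp-config.php, a database.sql dump and wp-content; make_backup, verify_backup and build_sample_site are hypothetical names, and the sample site is constructed inline.

```shell
#!/bin/sh
# Added example, not from the slides: a restore drill for a file-level backup.
# make_backup/verify_backup and the archive layout (wp-config.php plus a
# database.sql dump inside one tar.gz) are assumptions made for this demonstration.

digest() {   # sha256 where available, POSIX cksum otherwise (corruption detection only)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else cksum "$1"; fi | cut -d' ' -f1
}

make_backup() {   # make_backup <site root> <archive>: writes the archive and a digest beside it
    tar -czf "$2" -C "$1" . && digest "$2" > "$2.sum"
}

verify_backup() { # verify_backup <archive>: returns 0 if intact and restorable, 1 otherwise
    archive="$1"; scratch=$(mktemp -d)           # restore into scratch space, never the live site
    if [ "$(digest "$archive")" != "$(cat "$archive.sum")" ]; then
        echo "FAIL: $archive digest mismatch (corrupt or tampered)"; rm -rf "$scratch"; return 1
    fi
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: $archive does not extract"; rm -rf "$scratch"; return 1
    fi
    for f in wp-config.php database.sql wp-content/uploads; do   # what must come back
        if [ ! -e "$scratch/$f" ]; then
            echo "FAIL: $f is missing from the restore of $archive"; rm -rf "$scratch"; return 1
        fi
    done
    rm -rf "$scratch"; echo "OK: $archive restores cleanly"
}

build_sample_site() {   # constructed stand-in for a site; "$2" = nodb omits the DB dump
    mkdir -p "$1/wp-content/uploads"
    echo "define('DB_NAME', 'constructed');" > "$1/wp-config.php"
    [ "$2" = "nodb" ] || echo "-- constructed dump" > "$1/database.sql"
}

# Drill: a good backup, a backup that silently lacks the database, and a truncated one
tmp=$(mktemp -d)
build_sample_site "$tmp/site" full;  make_backup "$tmp/site" "$tmp/good.tgz";  verify_backup "$tmp/good.tgz"
build_sample_site "$tmp/nodb" nodb;  make_backup "$tmp/nodb" "$tmp/nodb.tgz";  verify_backup "$tmp/nodb.tgz" || true
cp "$tmp/good.tgz.sum" "$tmp/bad.tgz.sum"; head -c 64 "$tmp/good.tgz" > "$tmp/bad.tgz"
verify_backup "$tmp/bad.tgz" || true
rm -rf "$tmp"
```

The second and third cases are the ones the slide warns about: an archive that looks fine but does not contain everything you need, and one that is simply corrupt.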

Page 30

Stay Up-To-Date

• WordPress 3.9.1 is out
• You will need to update your base software – unless your host does it for you or you are on WordPress.com
• You will also need to update both your plug-ins and themes
  • Test your plug-ins so you can rollback if they don’t work
  • Be careful of what theme updates will do to any customizations you have made
  • As always, backup first

Page 31

Michael Carnell

@carnellm on Twitter

Slides available on http://www.MichaelCarnell.com/presentations

Q & A