WordCamp 2012 WordPress Security: No Nonsense Edition

Michael R. McNeill's WordCamp 2012 presentation on "WordPress Security: No Nonsense Edition".

Page 1: WordCamp 2012 WordPress Security: No Nonsense Edition

@michaelrmcneill #WCRaleigh

WordPress Security: No Nonsense Edition
Michael R. McNeill
Power Users Track

WordCamp Raleigh 2012
Saturday, November 3rd, 2012

Page 2: WordCamp 2012 WordPress Security: No Nonsense Edition

A little about myself...

Lovely girlfriend, Allie, who is with me today.

From Wilkesboro, NC, right below Boone, NC.

First-Year at the University of North Carolina at Chapel Hill with an intended business major. GO HEELS!

Owner of Connected Site Solutions and Partner in Digital Strategy Works.

I LOVE WORDPRESS! I’ve been using it for almost 3 years now and I wouldn’t use anything else.

I currently work for Apple, Inc. and I truly love both the product and relationship we create!

I’ve worked on exciting and wide-ranging projects, such as Black Enterprise Magazine, DVJ Media, WiredHoods, smallbiztechnology.com, and MAXI Promotion and Records. I’ve also contracted for DRS Technologies, the United States Department of Defense, and numerous other companies.

Page 3: WordCamp 2012 WordPress Security: No Nonsense Edition

A quick note...

A question that is going to run through your head at some point in this presentation is “Why use WordPress when you have to do all this work to secure it?” The short answer is that all web sites, content management systems, and web applications can and will have vulnerabilities, and many of them are much, much worse off than WordPress. This presentation could scare you ****less, but this really is scary stuff. Sugarcoating it just makes it easier to ignore.

Page 4: WordCamp 2012 WordPress Security: No Nonsense Edition

WordPress Security 101

First and foremost, congratulations on using WordPress! You’ve picked the most popular content management system on the planet!

Security is taken very seriously in the WordPress community, but no matter what the contributors to the project do, there is always going to be someone attacking both documented and undocumented vulnerabilities on WordPress sites.

Although there can be no guarantees of complete immunity, I’m going to help you do everything possible to secure all the sites you maintain.

Page 5: WordCamp 2012 WordPress Security: No Nonsense Edition

Myths...

Page 6: WordCamp 2012 WordPress Security: No Nonsense Edition

WordPress is not secure.

Myth 1

Page 7: WordCamp 2012 WordPress Security: No Nonsense Edition

This is not true. The WordPress core is in fact very secure, and when an issue arises, the core team is quick to patch the vulnerability and push the fix out to end users.

Page 8: WordCamp 2012 WordPress Security: No Nonsense Edition

Nobody would want to hack my* site.

*clients included

Myth 2

Page 9: WordCamp 2012 WordPress Security: No Nonsense Edition

Most hacking attempts are automated and are rarely related to personal or political motives. Almost all the attacks I see have financial motives. Maybe you’re thinking, “I don’t have any sensitive information. What could they possibly steal from my site?” Email addresses, usernames, passwords. And even worse, your reputation.

Page 10: WordCamp 2012 WordPress Security: No Nonsense Edition

My WordPress site is 100% secure.

Myth 3

Page 11: WordCamp 2012 WordPress Security: No Nonsense Edition

No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.

Page 12: WordCamp 2012 WordPress Security: No Nonsense Edition

I only use themes and plugins from the WordPress repos, so they must be secure.

Myth 4

Page 13: WordCamp 2012 WordPress Security: No Nonsense Edition

Although WordPress plugins and themes are reviewed before being added, that doesn’t prevent them from having vulnerabilities and bugs. Even the best programmers make mistakes.

Page 14: WordCamp 2012 WordPress Security: No Nonsense Edition

I paid $35.00 for a premium theme from ThemeForest. Since it was “premium” it must be secure.

Myth 5

Page 15: WordCamp 2012 WordPress Security: No Nonsense Edition

If you purchase a theme from somewhere like ThemeForest, be wary. I’ve seen numerous themes from ThemeForest come with embedded malware in the code, infecting your and your client’s computer. If you do purchase a theme from ThemeForest or a site like it, thoroughly examine it to ensure that there is not any code that does not belong. When in doubt, contact a trusted developer.

Page 16: WordCamp 2012 WordPress Security: No Nonsense Edition

Updating WordPress core, plugins, and themes isn’t urgent. It can wait.

Myth 6

Page 17: WordCamp 2012 WordPress Security: No Nonsense Edition

You need to keep WordPress core, plugins, and themes updated at all times. Whenever a security update is released, the fix itself is public: anyone can diff the old and new versions to see what the problem was and how to exploit it. That exposes every site that has not been updated, and automated attacks on the fixed bug typically start within days.

Page 18: WordCamp 2012 WordPress Security: No Nonsense Edition

Hosting...

Page 19: WordCamp 2012 WordPress Security: No Nonsense Edition

What does WordPress need to run?

LAMP STACK

Linux: Operating System
Apache: Web Server
MySQL: Database Server
PHP: Scripting Language

All of these can and do have numerous vulnerabilities. Keeping your own systems up to date is not an easy task, which is why most people (myself included) use a web host rather than running their own servers.

Page 20: WordCamp 2012 WordPress Security: No Nonsense Edition

Who is your Host?

How do you connect to your server? Through FTP, SFTP, SSH, Plesk, cPanel, etc.?

What security does your host provide? Do they offer advanced services to provide further protection?

What will your host do if you get hacked?

Will they shut you down or lock your account?

Does your host have a good track record?

Does your host have 24/7 support?

Page 21: WordCamp 2012 WordPress Security: No Nonsense Edition

How do we protect ourselves?

Page 22: WordCamp 2012 WordPress Security: No Nonsense Edition

PASSWORDS...

Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many password generators are available that can be used to create secure passwords.

Things to avoid when choosing a password:

Any combination of your own real name, username, company name, or name of your website.

A word from a dictionary, in any language.

A short password.

Any numeric-only or alphabetic-only password (mix upper and lower case letters, numbers, and symbols).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server and ruin your reputation.

Page 23: WordCamp 2012 WordPress Security: No Nonsense Edition

Look to your computer...

Make sure to have anti-malware software installed on your computer, whether it runs Windows, Mac OS X, or Linux. ALL computers can get some type of malware, and a keylogger or a trojan that lifts the passwords saved in your FTP client leads straight to an infected site.

Always keep your operating system and the software on it, especially your web browser and SFTP/SSH/FTP client, up to date in order to protect against security vulnerabilities.

Page 24: WordCamp 2012 WordPress Security: No Nonsense Edition

Connecting to your site...

SFTP/SSH is greatly preferred over standard FTP. Plain FTP sends your username, your password, and every file in the clear, so anyone on the same network (the coffee shop Wi-Fi, for instance) can read them.

If you must use FTP, check if your host offers FTPS (FTP over SSL/TLS).

SFTP/SSH/FTP username and password SHOULD NOT be the same as your WordPress Administration username or password.

You don’t need to log in as the administrator/root user all the time. Less access means less to exploit.

Use isolated SFTP/SSH/FTP accounts that can only access certain necessary parts of the site.

Page 25: WordCamp 2012 WordPress Security: No Nonsense Edition

User Restrictions are important!

Not everyone needs to be an administrator.

Focus on the role you assign each user: give them only what they NEED right now. You can always raise their permissions later, and that is far easier than taking them away.

Get rid of generic account names (e.g. admin, administrator, root, etc.) and use something custom; brute-force scripts try those names first.

Create two accounts for yourself: an administrator account for managing and administering the site, and a lower-privileged one for everyday tasks such as writing posts.

Not everyone needs to access the site via SFTP/SSH/FTP.

Page 26: WordCamp 2012 WordPress Security: No Nonsense Edition

Backup, Backup, Backup...

You must back up your site!

Your WordPress database contains every post, every comment and every link you have on your blog. If something goes wrong, you will lose everything you have ever written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal.

You should be backing up at least once a week and keeping one backup per month off the main web server (either on your own computer or with a cloud storage provider such as Amazon Web Services). A backup that sits on the same server as the site disappears with it.

Disaster will strike at some point and time and you need to be in a position to take action when it happens. Spending a few minutes to set up an easy, convenient backup of your site will make your life much easier in the long run.
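Here is what that schedule looks like as a script: dump the database, tar it with the site files, ship the archive off the server, and prune old archives while always keeping the last five weeks plus the first backup of every month. It is an added example for this page, not from the talk or any of the backup products mentioned later; the site name "example", the mysqldump and rsync invocations, and the off-site destination are assumptions, and the archive names in the demo are constructed.

```python
"""Weekly site backup with off-server monthly retention."""
import datetime as dt
import os
import re
import subprocess
import tarfile

DATE_IN_NAME = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def archive_name(site, when):
    return f"{site}-{when:%Y-%m-%d}.tar.gz"


def archive_date(name):
    """Recover the backup date from an archive name (or any string holding one)."""
    m = DATE_IN_NAME.search(name)
    if not m:
        raise ValueError(f"no date in archive name: {name}")
    return dt.date(*map(int, m.groups()))


def make_backup(site_root, db_name, out_dir, site, when=None):
    """Dump the database and tar it with the site files; return the archive path.

    mysqldump reads its credentials from ~/.my.cnf ([client] user= / password=),
    so the database password never appears in `ps` output or shell history.
    """
    when = when or dt.date.today()
    archive = os.path.join(out_dir, archive_name(site, when))
    sql_path = archive[:-len(".tar.gz")] + ".sql"
    with open(sql_path, "wb") as fh:
        subprocess.run(["mysqldump", "--single-transaction", db_name], stdout=fh, check=True)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(sql_path, arcname=os.path.basename(sql_path))
        tar.add(site_root, arcname=site)  # wp-config.php, wp-content/ (uploads, themes, plugins)
    os.remove(sql_path)
    os.chmod(archive, 0o600)  # the archive holds DB credentials and salts: owner-only
    return archive


def copy_offsite(archive, destination):
    """Ship the archive off the web server over SSH (destination assumed, e.g.
    'backup@backup-host:/srv/backups/'). For S3, swap in the aws cli."""
    subprocess.run(["rsync", "-a", "--chmod=F600", archive, destination], check=True)


def select_for_deletion(archives, today, keep_recent_days=35):
    """Retention: keep every backup from the last keep_recent_days (five weeks),
    plus the earliest backup of each calendar month; return the rest, sorted."""
    earliest_in_month = {}
    keep = set()
    for name in archives:
        d = archive_date(name)
        if (today - d).days <= keep_recent_days:
            keep.add(name)
        key = (d.year, d.month)
        if key not in earliest_in_month or d < archive_date(earliest_in_month[key]):
            earliest_in_month[key] = name
    keep.update(earliest_in_month.values())
    return sorted(set(archives) - keep)


def prune(backup_dir, site, today=None):
    """Apply the retention policy to the archives in backup_dir."""
    today = today or dt.date.today()
    archives = [n for n in os.listdir(backup_dir)
                if n.startswith(site + "-") and n.endswith(".tar.gz")]
    for name in select_for_deletion(archives, today):
        os.remove(os.path.join(backup_dir, name))


if __name__ == "__main__":
    # Constructed: fourteen weekly Saturday backups ending on the day of the talk.
    saturdays = [dt.date(2012, 8, 4) + dt.timedelta(days=7 * i) for i in range(14)]
    names = [archive_name("example", d) for d in saturdays]
    print("would delete:", select_for_deletion(names, dt.date(2012, 11, 3)))
```

Run make_backup and copy_offsite from cron once a week, then prune; and restore a backup onto a scratch site at least once, because a backup you have never restored is a hope, not a backup.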

Page 27: WordCamp 2012 WordPress Security: No Nonsense Edition

Kill PHP execution permissions.

Anyone who manages to upload a file to your site aims it at the writable directories, so tell Apache never to run PHP from wp-content/uploads/. You can try the same file in wp-includes/, but be aware that it could break your theme and/or plugins; try it, and if it breaks anything, delete it. Put this in a .htaccess file in the directory you want to protect:

# PROTECT PHP EXECUTION
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

Note there is no space in Allow,Deny: with a space Apache reads it as two arguments and answers every request in that directory with a 500 error. On Apache 2.4 the equivalent line inside the <Files> block is Require all denied. This only works on Apache with .htaccess files enabled; nginx ignores them entirely. To verify, upload a harmless .php file to the directory, request it in your browser, check that you get a 403 rather than the script's output, and then delete it.

Page 28: WordCamp 2012 WordPress Security: No Nonsense Edition

Disable Plugin/Theme Editing.

Add this to your wp-config.php file before the “/* That's all, stop editing! Happy blogging. */” line. It removes the Appearance > Editor and Plugins > Editor screens, so an attacker who gets hold of an administrator account cannot simply paste PHP into a theme file from the dashboard:

# Disable Plugin and Theme Editor
define('DISALLOW_FILE_EDIT', true);

Page 29: WordCamp 2012 WordPress Security: No Nonsense Edition

Move wp-config.php file.

To add an extra layer of protection, you can move wp-config.php up one directory; WordPress looks for it there automatically when it is not in the install directory. This protects your database credentials if the PHP handler ever gets broken or misconfigured and the server starts sending .php files as plain text: a file above the document root cannot be served at all. It only helps when that parent directory really is outside the web root (WordPress in public_html/, wp-config.php beside public_html/ rather than inside it). If WordPress lives in a subdirectory of the document root, the parent is still web-accessible and you gain nothing.

Page 30: WordCamp 2012 WordPress Security: No Nonsense Edition

Use salts.

Use the WordPress.org generator (https://api.wordpress.org/secret-key/1.1/salt/) to generate keys and salts, and paste them into your wp-config.php file in place of the placeholder lines. These values are the secret ingredients in the hashes that protect login cookies and nonces; if they are still the placeholders, or values that have been published somewhere, that protection is badly weakened. Changing them logs every user out, which is exactly what you want after a compromise. The set on the slide (do not reuse these, they are public now) looks like this:

define('AUTH_KEY', '=(jUjXE=,sZxY-+@_YX]OyDuo-`%}eQeQ jE-A-ZHo`A,B%*D+^3@~&5%X!>+&R+');
define('SECURE_AUTH_KEY', '6e)tLmd#ogG8@|)A8UNhl%Ql+gNR++Frg,#am4_rWY9)bcT$uk]`g7`FA(2%AIn9');
define('LOGGED_IN_KEY', 'bkW+7S+-Fsk y&A|gl{D=|Yv3h,U5uj,72{0%/&~VD.um R/8VRzGM9_!?l])rw,');
define('NONCE_KEY', 'Y4 HXcx6t|3-2%&[/daW~V%QK<{KxH<|SVf|otwbh(9U-!RpY^7sbds+qWC4dISb');
define('AUTH_SALT', 'x[Tl$wtoJ]FKZawPiR&m%etK%.!N=8;?5?NUZO*g.mUL;6.v`biw+Z%DkL[2sp*&');
define('SECURE_AUTH_SALT', '~JO0w%;$jrM}<n1+T)R:lM1-+y;n7F86*5)JDe@YqdL]6I@<I9Ve8R[Y&Kz?H{O&');
define('LOGGED_IN_SALT', 'x6aoLDs:NO]%uF(N|G`iK{$#j.*&.0hL)C:C&dHwP*&X[k|h<oeI}b$b4l175/nB');
define('NONCE_SALT', ' 9L[)xS=-<^YKV/d~JUA28Q]k;ibu#yB|%mMOG98:gwiD*`FZem%yHaq+NyyKD0<');
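The two wp-config.php changes on Page 28 and Page 30 are the kind of thing that silently regresses (a host migration restores an old file, a developer comments a line out), so it is worth having a check that reads the file and complains. The audit below is an added example for this page, not WordPress code: it parses define() lines, ignores commented-out ones, and flags a missing DISALLOW_FILE_EDIT, placeholder or duplicate keys, and keys that are suspiciously short; it can also emit a fresh set of defines from the operating system's secure random source if you would rather not fetch them over the network. The sample config it checks is constructed, and the 32-character minimum is an assumption (the WordPress generator issues 64).

```python
"""Audit wp-config.php for the file editor setting and the eight keys/salts."""
import re
import secrets
import string

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what a fresh wp-config-sample.php ships with
COMMENT_LINE = re.compile(r"^[ \t]*(//|#).*$", re.M)
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|([A-Za-z_]\w*))\s*\)\s*;""", re.I)


def parse_defines(text):
    """Map constant name -> value for every live define() in the file.
    Quoted strings come back without quotes; bare words (true, false) as-is."""
    text = COMMENT_LINE.sub("", text)   # a commented-out define is not a setting
    found = {}
    for m in DEFINE_RE.finditer(text):
        name, single, double, bare = m.groups()
        found[name] = single if single is not None else double if double is not None else bare
    return found


def audit_wp_config(text, min_len=32):
    """Return a list of problems found in the wp-config.php text (empty = fine)."""
    problems = []
    defs = parse_defines(text)
    if defs.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        problems.append("DISALLOW_FILE_EDIT is not set to true: the dashboard file editor is enabled")
    values = []
    for name in SALT_NAMES:
        value = defs.get(name)
        if value is None:
            problems.append(f"{name} is missing")
        elif PLACEHOLDER in value.lower():
            problems.append(f"{name} still has the placeholder value")
        else:
            if len(value) < min_len:
                problems.append(f"{name} is too short ({len(value)} characters)")
            values.append(value)
    if len(set(values)) != len(values):
        problems.append("two or more keys/salts are identical")
    return problems


# Anything printable that cannot break a single-quoted PHP string.
SALT_CHARS = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                     if c not in "'\"\\")


def generate_salt_defines(length=64):
    """Eight define() lines with fresh random values, ready to paste into wp-config.php."""
    lines = []
    for name in SALT_NAMES:
        value = "".join(secrets.choice(SALT_CHARS) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


# Constructed example of a neglected wp-config.php: placeholders left in,
# the editor lock-out commented out.
SAMPLE_BAD_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
// define('DISALLOW_FILE_EDIT', true);
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for problem in audit_wp_config(SAMPLE_BAD_CONFIG):
        print("-", problem)
    print(generate_salt_defines())
```

To audit a real file, pass open("wp-config.php").read() to audit_wp_config; an empty list means both slides' advice is in place.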

Page 31: WordCamp 2012 WordPress Security: No Nonsense Edition

Secure wp-includes.

Place the code below in the .htaccess file in the WordPress root directory (the one that already contains the # BEGIN WordPress and # END WordPress block), outside those two markers so WordPress does not overwrite it when it rewrites its own rules. The patterns are relative to RewriteBase /, so the rules do not work from a .htaccess inside wp-includes/ itself.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

The [S=3] line skips the three wp-includes rules for every request that is not under wp-includes/. On a multisite install, leave out the ^wp-includes/[^/]+\.php$ line: it blocks ms-files.php, which serves uploaded files there.

Page 32: WordCamp 2012 WordPress Security: No Nonsense Edition

Change the database prefix.

Many published WordPress-specific SQL injection attacks assume the table prefix is wp_, the default. Changing it blocks those canned attacks, but treat it as a speed bump rather than a fix: an injection that can read information_schema, or that makes MySQL print an error message, learns the real prefix in one query, and the plugin bug behind it still needs patching. You can change the prefix with this plugin: http://wordpress.org/extend/plugins/db-prefix-change/.

Once you have used the plugin to change the prefix, go into your wp-config.php file and change the line

$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!

to the prefix you selected through the plugin.

Page 33: WordCamp 2012 WordPress Security: No Nonsense Edition

Implement CloudFlare.

A little about CloudFlare: it is a reverse proxy and content delivery network. You point your domain’s DNS at CloudFlare (so your DNS is managed there rather than at your registrar), and from then on visitors’ requests pass through its global network, which caches and optimises your pages for faster load times and filters known-bad bots, scrapers and attack traffic before it ever reaches your server. The result: CloudFlare-powered sites see a real improvement in performance and a decrease in spam and other attacks. One thing to get right: it only filters traffic that actually goes through CloudFlare. If your server’s real IP address is known (old DNS records, mail headers, a subdomain that bypasses the proxy), an attacker can hit it directly, so where your host allows it, restrict web traffic to CloudFlare’s published IP ranges.

Page 34: WordCamp 2012 WordPress Security: No Nonsense Edition

Plugins...

Page 35: WordCamp 2012 WordPress Security: No Nonsense Edition

Wordfence (Pro Version - $17.95 per year)

Wordfence scans your site for viruses, malware, trojans, malicious links, protects your site against scrapers, aggressive robots, fake Googlebots, protects against brute force attacks and much much more.

Duo Two-Factor Mobile Authentication (First 10 users free, then $3.00/per user/per month)

Duo Security enables your users to secure their logins with their phones.

Page 36: WordCamp 2012 WordPress Security: No Nonsense Edition

VaultPress (Starts at $15.00 per month)

VaultPress provides realtime, continuous backup and synchronization of every post, comment, media file, revision and dashboard setting.

BackupBuddy (Starts at $75.00)

Back up your entire WordPress installation and move it, store it, and restore it as much as you’d like!

Page 37: WordCamp 2012 WordPress Security: No Nonsense Edition

Know what to do if the inevitable happens...

Stay calm! You are going to be upset, but panicking and being frantic about the situation just makes things worse. Before you start cleaning, take a complete copy of the site and database exactly as they are, so you can later work out how the attacker got in and what they touched, and change every password the site uses: WordPress users, the database, SFTP/SSH, and your hosting control panel. Then work through these guides:

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

If you are lost, or at any point feel uncomfortable with what you are doing, STOP and contact a professional (like myself) to get your issues resolved. It might cost a few pennies, but it will be worth avoiding the headache, wasted time, and frustration in the end.

Page 38: WordCamp 2012 WordPress Security: No Nonsense Edition

Who do you recommend I host with?I host all my sites with Media Temple, and I recommend for you to do the same.

Because I trust them with my sites, you know you can trust them with yours.

If you do decide to sign up here is a coupon code for 15% off (gs) Grid-Service (kirupa07). The link to sign up is here: http://bit.ly/RzXwDE (DISCLAIMER: this gives me affiliate credit.)

Page 39: WordCamp 2012 WordPress Security: No Nonsense Edition

Contact info.

Michael R. McNeill

Connected Site Solutions

[email protected]

336.818.9540