
WordPress Security Presentation from South Florida WordPress Meetup

DESCRIPTION

This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

Page 1: WordPress Security Presentation from South Florida WordPress Meetup

Page 2

HOW TO HACKPROOF YOUR WORDPRESS SITE

WordPress Security

South Florida WordPress MeetUp

Page 3

I’m @JohnCarcutt, SEO Manager at MediaWhiz, www.MediaWhiz.com

Co-Host of SEO101w www.WebmasterRadio.fm/SEO-101/

Mondays 5PM EST or listen on APPLE iTunes anytime

Long Time WordPress Evangelist

Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC

Page 4

Tonight

Link Injections

Basic WordPress Security

Security Based Plug-ins

Page 5

“Hackproof”

This is impossible. Seriously… it’s IMPOSSIBLE! Hackers are lazy. Make yourself a hard target. They will move on to someone else.

Page 6

Link Injection

Hacker bots look for known exploits (SQL injection, folder permissions, etc.).

This allows them to insert spam files/links.

Your WordPress themes, plugins, and core files are the target.

Page 7

Link Injection

Hosting account contains two separate sites.

[Diagram: a WordPress install and a WordPress MU install side by side in the same hosting account]

Page 8

Link Injection

Hacker puts a file on the WPMU install.

[Diagram: the same two installs, with the hacker’s file placed on the WordPress MU side]

Page 9

Link Injection

The file on the WPMU install hacks the WordPress install and inserts spam links into its files.

[Diagram: the WordPress MU install writing spam links into the WordPress install]

Page 10

Link Injection

WPMU shows no spam and appears clean.

Cleaning WP results in recurring injections.

[Diagram: WordPress MU (apparently clean) alongside WordPress (repeatedly reinfected)]

Page 11

Link Injection

Page 12

Link Injection

What does this do to your site?

Part of a “link farm”

Loss of trust and authority

Reduced PageRank

Lost rankings

Showing up for non-relevant terms (Viagra)

Page 13

Basic WP Security

Are you using the default “Admin” account?

Page 14

Basic WP Security

Page 15

Basic WP Security

DON’T USE “ADMIN”

Create a unique user account

Assign it the Administrator role

Log out, log back in with the new Administrator account

Delete the original “Admin” account

Page 16

Basic WP Security

Use of “Permissions”

Permissions tell the server who is allowed to access a file and what they can do with the file once they access it.

Owner, Group, Public

Read, Write, Execute

Page 17

Basic WP Security

Use of “Permissions”

Good rule of thumb: files should be set to 644, folders should be set to 755.

Permission levels vary depending on server configuration.
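The two permissions slides give the rule of thumb but not a way to check a whole install against it. The script below is an added example, not part of the presentation: it lists every file that is not 644 and every folder that is not 755, separately flags anything world-writable (the "folder perms" problem slide 6 says bots hunt for), and applies the rule on request. It uses only POSIX find and chmod; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress tree against the
# "files 644, folders 755" rule of thumb, flag anything world-writable, and
# apply the rule on request. Uses only POSIX find/chmod; "audit_perms" and
# the other function names are this example's own.

# list_nonconforming DIR: print every path whose mode deviates from the rule
list_nonconforming() {
    find "$1" -type f ! -perm 644 -print
    find "$1" -type d ! -perm 755 -print
}

# list_world_writable DIR: paths that any account on the host may write to
list_world_writable() {
    find "$1" -perm -002 -print
}

# count_nonconforming DIR: number of deviating paths, as a bare integer
count_nonconforming() {
    list_nonconforming "$1" | wc -l | tr -d ' '
}

# audit_perms DIR: report deviations; return 0 when the tree conforms, 1 otherwise
audit_perms() {
    deviations=$(list_nonconforming "$1")
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}

# fix_perms DIR: apply the rule of thumb to every folder and file
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use: sh perms.sh /path/to/wordpress [fix]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "fix" ]; then
        fix_perms "$1"
    fi
    audit_perms "$1" && echo "OK: $1 conforms to 644/755"
fi
```

Run the audit first and read the list before passing "fix": as the slide says, permission levels depend on the server configuration, and a host where PHP runs as a different user than the file owner may need group write on wp-content/uploads for media uploads to keep working.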

Page 18

Basic WP Security

Move the wp-config.php file

WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root.

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.

Page 19

Basic WP Security

Move the wp-config.php file

This makes it nearly impossible for anyone to access your wp-config.php.

If WordPress is located here:

public_html/wordpress/wp-config.php

you can move your wp-config.php file to here:

public_html/wp-config.php

Page 20

Basic WP Security

Move the wp-content Directory

WordPress 2.6 added the ability to move the wp-content directory to the location of your choice.

If hackers can’t find your wp-content folder, they can’t hack it.

Page 21

Basic WP Security

Move the wp-content Directory

1. Move your wp-content directory

2. Make two additions to wp-config.php:

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );

If you have compatibility issues with plugins there are two optional settings:

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );

Page 22

Basic WP Security

Remove WordPress Version from the Header

Viewing source on most WP sites will reveal the version they are running:

<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->

This helps hackers find vulnerable WP blogs running older versions.

To remove it, find the code below in your theme’s header.php file and delete it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

Page 23

Basic WP Security

Remove WordPress Version from the Header

Themes and plugins might also display versions in your header.

The wp_head function also includes the WP version in your header. To remove it, drop this line of code in your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');
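Slides 22 and 23 describe two separate leaks (the hard-coded tag in header.php and the one wp_head adds). The script below is an added example, not part of the presentation: it audits a theme directory for both, appends the remove_action line to functions.php when it is missing (reopening PHP mode if the file ends in a closing tag, so the append does not land as literal text), and extracts the version from a saved copy of the rendered page so you can confirm the fix from the outside. It assumes the usual header.php / functions.php layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): check a theme for the version leak
# described on slides 22 and 23 and unhook wp_generator when it is still
# hooked. Assumes the usual theme layout (header.php, functions.php); the
# function names are this example's own.

# header_has_generator_tag THEME_DIR: 0 if header.php still hard-codes the tag
header_has_generator_tag() {
    grep -q 'name="generator"' "$1/header.php" 2>/dev/null
}

# wp_generator_removed THEME_DIR: 0 if functions.php already contains
# remove_action('wp_head', 'wp_generator') in either quoting style
wp_generator_removed() {
    grep -Eq "remove_action[[:space:]]*\([[:space:]]*['\"]wp_head['\"][[:space:]]*,[[:space:]]*['\"]wp_generator['\"]" \
        "$1/functions.php" 2>/dev/null
}

# add_generator_removal THEME_DIR: append the remove_action() line, creating
# functions.php if the theme has none and reopening PHP mode if the file ends in ?>
add_generator_removal() {
    f="$1/functions.php"
    wp_generator_removed "$1" && return 0
    if [ ! -f "$f" ]; then
        printf '<?php\n' > "$f"
    else
        printf '\n' >> "$f"   # make sure the new line does not join a trailing comment
        if [ "$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)" = "?>" ]; then
            printf '<?php\n' >> "$f"
        fi
    fi
    printf "remove_action('wp_head', 'wp_generator');\n" >> "$f"
}

# rendered_wp_version HTML_FILE: version disclosed by a saved copy of the
# site's HTML (for example from "curl -s http://example.invalid/ > page.html");
# prints nothing when the page carries no generator tag
rendered_wp_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# audit_theme THEME_DIR: list remaining leaks; return 1 if there are any
audit_theme() {
    leaks=0
    if header_has_generator_tag "$1"; then
        echo "header.php: hard-coded generator <meta> tag"
        leaks=1
    fi
    if ! wp_generator_removed "$1"; then
        echo "functions.php: wp_generator is still hooked to wp_head"
        leaks=1
    fi
    return $leaks
}

# Stand-alone use: sh version-leak.sh /path/to/wp-content/themes/yourtheme [fix]
if [ $# -ge 1 ]; then
    [ "${2:-}" = "fix" ] && add_generator_removal "$1"
    audit_theme "$1" && echo "OK: $1 does not print the WordPress version"
fi
```

The header.php tag has to be deleted by hand (the script only reports it), and as slide 23 notes, plugins can print their own version strings, so checking the saved HTML with rendered_wp_version after the theme fix is the check that matters.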

Page 24

Basic WP Security

Use Secure Passwords

Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.

BAD PASSWORD: johnrocks

GOOD PASSWORD: S-gnop2D[6@8

WordPress will tell you when you have it right.

Page 25

Basic WP Security

Are you using the same password in multiple places?

Page 26

Basic WP Security

Page 27

Basic WP Security

Change WordPress Table Prefix

Edit wp-config.php before installing WordPress.

Change the prefix wp_ to something unique:

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'zztop_';

All database tables will now have a unique prefix (i.e. zztop_posts).

Page 28

Basic WP Security

Other Advanced Security Techniques

Force SSL Login for Administrators

Lockdown Admin via .htaccess

Use Secret Keys with Passwords
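Slide 27 (unique table prefix) and slide 28 (SSL for administrators, secret keys) are all wp-config.php settings, so one script can check them together. The one below is an added example, not part of the presentation: it reads the current $table_prefix, rewrites it after validating that the new value uses only letters, digits and underscores (the rule the wp-config.php comment states), and reports a default prefix, missing or placeholder secret keys, and a missing FORCE_SSL_ADMIN. The constant names FORCE_SSL_ADMIN, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY are WordPress's own; the function names and the "put your unique phrase here" placeholder check (the text wp-config-sample.php ships with) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): audit a wp-config.php for a unique
# table prefix, real secret keys and SSL for the admin area, and rewrite the
# table prefix safely. The constant names are WordPress's own; the function
# names are this example's. sed writes to a temp file so both GNU and BSD
# sed work.

q="['\"]"   # bracket expression matching either PHP quote character

# get_table_prefix FILE: print the current $table_prefix value
get_table_prefix() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*$q\([^'\"]*\)$q.*/\1/p" "$1" | head -n 1
}

# set_table_prefix FILE PREFIX: replace the prefix; only letters, digits and
# underscores are accepted (the same rule wp-config.php's own comment states)
set_table_prefix() {
    case "$2" in
        ""|*[!A-Za-z0-9_]*) echo "invalid prefix: $2" >&2; return 2 ;;
    esac
    sed "s/^\([[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*\)$q[^'\"]*$q/\1'$2'/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# audit_wp_config FILE: print one line per finding; return 1 if there are any
audit_wp_config() {
    f="$1"
    findings=0
    if [ "$(get_table_prefix "$f")" = "wp_" ]; then
        echo "table prefix is still the default wp_"
        findings=1
    fi
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$key['\"]" "$f"; then
            echo "missing secret key: $key"
            findings=1
        fi
    done
    if grep -q 'put your unique phrase here' "$f"; then
        echo "secret keys still use the sample placeholder text"
        findings=1
    fi
    if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$f"; then
        echo "FORCE_SSL_ADMIN is not set to true"
        findings=1
    fi
    return $findings
}

# Stand-alone use: sh wpconfig-audit.sh /path/to/wp-config.php [NEW_PREFIX]
if [ $# -ge 1 ]; then
    [ -n "${2:-}" ] && set_table_prefix "$1" "$2"
    audit_wp_config "$1" && echo "OK: $1 passes these checks"
fi
```

set_table_prefix only edits the config line, which is exactly the situation slide 27 describes (before the install runs). On a site that is already installed, the existing tables and the prefixed option and usermeta rows would also have to be renamed, so do not run it there.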

Page 29

Basic WP Security

Recommended Security Plugins: WP Security Scan

http://wordpress.org/extend/plugins/wp-security-scan/

Page 30

Basic WP Security

Recommended Security Plugins: WP Exploit Scanner

http://wordpress.org/extend/plugins/exploit-scanner/

Page 32

Basic WP Security

Recommended Security Plugins: WordPress File Monitor

http://wordpress.org/extend/plugins/wordpress-file-monitor/
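A file monitor is the tool that catches the scenario on slides 7 to 10, where one install keeps reinfecting the other after a clean-up: a file that reappears or changes shows up as ADDED or MODIFIED against a baseline taken right after cleaning. The script below is an added example of that baseline-and-compare idea, not the File Monitor plugin's code and not from the presentation. Run it over every install in the hosting account, including the WPMU one that "appears clean", and keep the baseline files outside the web root. It assumes sha256sum or shasum is available; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides, and not the File Monitor plugin's code):
# a file-integrity baseline of the kind a file monitor keeps. Assumes
# sha256sum or shasum is available; the function names are this example's own.

# hash_file PATH: SHA-256 of one file, portable across Linux and BSD/macOS
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# make_baseline DIR OUTFILE: write "<hash><TAB><relative path>" for every file
make_baseline() {
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r p; do
            printf '%s\t%s\n' "$(hash_file "$p")" "$p"
        done
    ) > "$2"
}

# compare_baseline DIR BASEFILE: print ADDED / MODIFIED / REMOVED lines,
# sorted; return 0 when the tree matches the baseline, 1 otherwise
compare_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    changes=$(awk -F '\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in old))       print "ADDED    " $2
            else if (old[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone use:
#   sh integrity.sh baseline /path/to/site /safe/place/site.baseline
#   sh integrity.sh check    /path/to/site /safe/place/site.baseline
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    compare_baseline "$2" "$3" ;;
esac
```

Re-take the baseline after every legitimate upgrade of core, themes or plugins, otherwise those changes drown out the ones you care about. An ADDED .php file under wp-content/uploads, or a MODIFIED theme file you did not touch, is the kind of result that deserves a look before it is cleaned up.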

Page 33

Basic WP Security

Recommended Security Plugins: Login Lockdown

http://wordpress.org/extend/plugins/login-lockdown/

Page 34

Basic WP Security

WordPress Security Resources

Security Related Codex Articles

http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Changing_File_Permissions
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/htaccess_for_subdirectories

Blog Security Articles

http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
http://www.growmap.com/wordpress-exploits/
http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/

Page 36

I’m @JohnCarcutt

Questions?

Credit Where Credit is due …

Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC