This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.
HOW TO HACKPROOF YOUR WORDPRESS SITE
WordPress Security
South Florida WordPress MeetUp
I'm @JohnCarcutt, SEO Manager at MediaWhiz (www.MediaWhiz.com)
Co-Host of SEO 101 (www.WebmasterRadio.fm/SEO-101/), Mondays 5PM EST, or listen on Apple iTunes anytime
Long-time WordPress evangelist
Tons of this presentation was stolen from Brad Williams, who gave a great presentation at WordCamp NYC
Tonight
Link Injections
Basic WordPress Security
Security Based Plug-ins
“Hackproof”
This is impossible. Seriously, it's IMPOSSIBLE! But hackers are lazy: make yourself a hard target and they will move on to someone else.
Link Injection
Hacker bots scan for known weaknesses (SQL injection, loose folder permissions, etc.)
Any one of those lets them write spam files or spam links into your site
Your WordPress themes, plugins, and core files are the target
Link Injection: a real-world example
Hosting account contains two separate sites, a WordPress install and a WordPress MU install (diagram: both sites under one hosting account)
1. Hacker puts a file on the WPMU install
2. That WPMU file hacks the WordPress install and injects spam links into its files
3. WPMU shows no spam and appears clean
4. Cleaning WP results in recurring injections, because the file on WPMU re-infects it
The two sites share one hosting account, so anything that can write files on one can write files on the other. When spam keeps coming back after a cleanup, check every site in the account, not just the one showing the links.
Link Injection
What does this do to your site?
Part of a "Link Farm"
Loss of Trust and Authority
Reduced PageRank
Lost Rankings
Showing up for non-relevant terms (Viagra)
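Finding the injection on every site in the account, not just the one showing spam, is the lesson of the case study above. The shell script below is an added example, not from this talk or from WordPress: it sweeps a whole hosting account for the two kinds of evidence described (hidden spam links in theme output, and obfuscated PHP of the kind that re-injects them) using constructed signatures and a constructed two-site tree. Real injections vary, so treat hits as leads, not proof of a clean bill of health.

```shell
#!/bin/sh
# Added example, not from the talk: a signature sweep for the two things the case
# study describes, spam links hidden in theme output and the obfuscated PHP
# dropper parked on the neighbouring site. Signatures and the sample tree are
# constructed for illustration; real injections vary, so treat hits as leads.

# scan_injections ROOT -> one "file:line:content" per hit, across every site under ROOT
scan_injections() {
    grep -rEn \
        -e '<a[^>]*display: *none' \
        -e '<div[^>]*display: *none[^>]*>[^<]*<a ' \
        -e 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13) *\(' \
        -e "preg_replace *\\( *[\"'][^,]*/e[a-zA-Z]*[\"']" \
        --include='*.php' --include='*.html' --include='*.js' \
        "$1" 2>/dev/null
    return 0   # no hits is a result, not an error
}

# make_sample_account DIR -> constructed two-site hosting account like the case study
make_sample_account() {
    theme="$1/wordpress/wp-content/themes/default"
    mkdir -p "$theme" "$1/wpmu/wp-content/uploads"
    # clean template, must not be flagged
    printf '%s\n' '<?php get_header(); ?>' '<h1>Hello world</h1>' > "$theme/index.php"
    # spam link injected into the theme footer: invisible to visitors, visible to Google
    printf '%s\n' '<div style="display:none"><a href="http://example.com/pills">cheap pills</a></div>' \
        > "$theme/footer.php"
    # dropper on the WPMU install, the site that "appears clean"
    printf '%s\n' '<?php eval(base64_decode("AAAA")); ?>' > "$1/wpmu/wp-content/uploads/cache.php"
}

# Demo on the constructed tree; on a real host: scan_injections /home/youraccount
demo_dir=$(mktemp -d)
make_sample_account "$demo_dir"
scan_injections "$demo_dir"
rm -rf "$demo_dir"
```

Point it at the top of the hosting account (the directory that contains both sites), not at one WordPress root, or the dropper on the "clean" site is exactly what you will miss. Anything it flags under wp-content/uploads that ends in .php deserves a look regardless of what the line says; uploads should not contain executable code.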
Basic WP Security
Are you using the default "Admin" account?
Basic WP Security
DON'T USE "ADMIN"
1. Create a Unique User Account
2. Assign it the Administrator Role
3. Log Out, Log Back in with the new Administrator Account
4. Delete the Original "Admin" Account, attributing its posts to the new account when WordPress asks (otherwise they are deleted with it)
Every brute-force bot tries "admin" first. The new username is not a secret (author archive URLs such as ?author=1 reveal it), so the strong password on that account is what actually does the work.
Basic WP Security
Use of "Permissions"
Permissions tell the server who is allowed to access a file and what they can do with it once they access it.
Who: Owner, Group, Public
What: Read, Write, Execute
Basic WP Security
Use of “Permissions”
Good Rule of Thumb:
Files should be set to 644 (owner can read and write, everyone else can only read)
Folders should be set to 755 (owner has full access, everyone else can read and enter)
Permission levels vary depending on server configuration. If PHP runs as a different user than the one that owns the files, wp-content/uploads has to be writable by that user, which is where the 777 shortcut usually creeps in; prefer group ownership or 775 over world-writable.
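The rule of thumb above is easy to state and tedious to check by hand on a few thousand files. The script below is an added example, not from the talk: it lists everything that breaks the 644/755 rule, lists anything world-writable (the "folder perms" hole the bots look for), and fixes the tree, giving wp-config.php 600 on the assumption that PHP runs as the file owner. The sample install it builds is constructed; the 777 uploads directory and the 666 wp-config.php in it are the mistakes you typically find on a shared host.

```shell
#!/bin/sh
# Added example, not from the talk: audit a WordPress tree against the 644/755 rule
# of thumb and fix it. wp-config.php holds the database password, so it gets 600,
# which assumes PHP runs as the file owner (suPHP, FastCGI). Under mod_php running
# as a separate user you would use 640 with the web server's group instead.

# perm_offenders ROOT -> directories not 755, files not 644, wp-config.php not 600
perm_offenders() {
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -name wp-config.php ! -perm 644
    find "$1" -maxdepth 1 -type f -name wp-config.php ! -perm 600
}

# world_writable ROOT -> anything any user on the box can write to; the "folder
# perms" hole the bots in the talk look for
world_writable() {
    find "$1" -perm -002
}

# fix_perms ROOT -> apply the rule of thumb and tighten wp-config.php
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# make_sample_install DIR -> constructed install with the mistakes bots look for
make_sample_install() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/themes/default"
    printf '<?php // hypothetical config\n' > "$1/wp-config.php"
    printf '<?php get_header();\n' > "$1/wp-content/themes/default/index.php"
    printf 'jpeg\n' > "$1/wp-content/uploads/photo.jpg"
    chmod 777 "$1/wp-content/uploads"                     # the "just make uploads work" shortcut
    chmod 666 "$1/wp-config.php"                          # credentials readable by every account on the host
    chmod 755 "$1/wp-content/themes/default/index.php"    # executable template, for no reason
}

# Demo on a scratch tree; on a real host: perm_offenders /path/to/wordpress, then fix_perms
demo=$(mktemp -d)
make_sample_install "$demo"
echo "before:"; perm_offenders "$demo"
fix_perms "$demo"
echo "after:";  perm_offenders "$demo"
rm -rf "$demo"
```

Run perm_offenders first and read the list before running fix_perms: on a host where the web server is a separate user, the writable entries under wp-content/uploads may be the only reason uploads work, and you want to replace them with group ownership rather than silently break the media library.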
Basic WP Security
Move the wp-config.php file
WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
Basic WP Security
Move the wp-config.php file
Keeping wp-config.php outside the directory the web server serves means a server misconfiguration (PHP handler disabled, source served as plain text) cannot hand your database credentials to a visitor. It does not stop code already running on the server from reading the file.
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php
Caveat: in this layout public_html is usually still the document root, so the file is still reachable over HTTP. The protection only applies when the parent directory sits above the document root, i.e. WordPress in public_html and wp-config.php next to public_html rather than inside it.
Basic WP Security
Move the wp-content Directory
WordPress 2.6 added the ability to move the wp-content directory to the location of your choice
The idea is that if hackers can't find your wp-content folder, they can't hack it. In practice this is obscurity only: the directory name appears in every theme, script and image URL your pages emit, so anyone who views source finds it in seconds. It does defeat bots that blindly request /wp-content/plugins/... paths, but a moved folder with a vulnerable plugin is still vulnerable.
Basic WP Security
Move the wp-content Directory
1. Move your wp-content directory
2. Make two additions to wp-config.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
If you have compatibility issues with plugins there are two optional settings:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
Basic WP Security
Remove WordPress Version from the Header
Viewing source on most WP sites will reveal the version they are running
This helps hackers find vulnerable WP blogs running older versions:
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
To remove it, find the line below in your theme's header.php and delete it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats please -->
Basic WP Security
Remove WordPress Version from the Header
Themes and plugins might also display versions in your header.
The wp_head function also adds the WP version to your header. To remove it, drop this line of code in your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
This only covers the meta tag in the HTML head. The version still leaks through the ?ver= query string WordPress appends to enqueued core scripts and stylesheets, through the generator element in your RSS feeds (which comes from a separate hook), and through the readme.html file in the web root. Treat version hiding as a speed bump; keeping WordPress, themes and plugins updated is what actually closes the holes.
Basic WP Security
Use Secure Passwords
Use strong passwords to protect your website from dictionary attacks. Not just for WordPress, but also FTP, MySQL, etc.
BAD PASSWORD: johnrocks
GOOD PASSWORD: S-gnop2D[6@8
WordPress will tell you when you have it right (the strength meter on the profile page)
Basic WP Security
Are you using the same password in multiple places?
Basic WP Security
Change WordPress Table Prefix
Edit wp-config.php before installing WordPress
Change the prefix wp_ to something unique:
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'zztop_';
All database tables will now have a unique prefix (ie zztop_posts)
This blunts injection payloads that hard-code wp_users or wp_options; it does nothing against one that reads the table names from the database first. Changing the prefix on an existing install is more than a config edit: every table has to be renamed, and the option and usermeta rows whose names embed the prefix (wp_user_roles, wp_capabilities, wp_user_level) have to be updated to match, otherwise no user keeps any capabilities.
Basic WP Security
Other Advanced Security Techniques
Force SSL Login for Administrators, so passwords and login cookies are not sent in the clear (requires a certificate on the site)
Lockdown Admin via .htaccess: restrict wp-admin and wp-login.php to known IP addresses, or put HTTP Basic authentication in front of them
Use Secret Keys with Passwords: set unique, random values for the secret keys in wp-config.php so that authentication cookies cannot be forged from a stolen copy of the database alone
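The .htaccess lockdown is the one of these three that people get subtly wrong, because wp-admin is not only used by logged-in users. The script below is an added example, not from the talk or from WordPress: it writes the two .htaccess files that restrict wp-login.php and wp-admin/ to a list of trusted addresses, and re-opens admin-ajax.php, which front-end themes and plugins call on behalf of anonymous visitors. It assumes Apache 2.2 Order/Deny/Allow syntax (what WordPress 2.8-era hosts ran); 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for your own static IPs.

```shell
#!/bin/sh
# Added example, not from the talk: lock wp-login.php and wp-admin/ down to trusted
# addresses with .htaccess. Uses Apache 2.2 Order/Deny/Allow directives (current
# for WordPress 2.8-era hosts); 203.0.113.10 and 198.51.100.7 are documentation
# addresses standing in for your own static IPs.

# allow_lines IP... -> one "Allow from" directive per address
allow_lines() {
    for ip in "$@"; do printf 'Allow from %s\n' "$ip"; done
}

# lockdown_admin ROOT IP... -> appends a wp-login.php block to ROOT/.htaccess and
# writes ROOT/wp-admin/.htaccess; run it once, with at least one address
lockdown_admin() {
    root="$1"; shift
    [ $# -gt 0 ] || { echo "lockdown_admin: at least one IP required" >&2; return 1; }
    mkdir -p "$root/wp-admin"
    {
        printf '<Files wp-login.php>\n'
        printf 'Order Deny,Allow\n'
        printf 'Deny from all\n'
        allow_lines "$@"
        printf '</Files>\n'
    } >> "$root/.htaccess"
    {
        printf 'Order Deny,Allow\n'
        printf 'Deny from all\n'
        allow_lines "$@"
        # Front-end themes and plugins call admin-ajax.php for anonymous visitors;
        # leaving it denied breaks them, so re-open that one file.
        printf '<Files admin-ajax.php>\n'
        printf 'Order Allow,Deny\n'
        printf 'Allow from all\n'
        printf '</Files>\n'
    } > "$root/wp-admin/.htaccess"
}

# allowed_ips FILE -> the addresses a generated file admits (for review)
allowed_ips() {
    awk '$1 == "Allow" && $2 == "from" && $3 != "all" { print $3 }' "$1"
}

# Demo on a scratch directory; on a real host: lockdown_admin /path/to/wordpress 203.0.113.10
demo=$(mktemp -d)
lockdown_admin "$demo" 203.0.113.10
cat "$demo/wp-admin/.htaccess"
rm -rf "$demo"
```

If your address changes (most home connections), an IP allowlist locks you out as well; in that case put an AuthType Basic block in front of wp-login.php and wp-admin/ instead, and keep the admin-ajax.php exception either way.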
Basic WP Security
Recommended Security Plugins: WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
Basic WP Security
Recommended Security Plugins: WP Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
Basic WP Security
Recommended Security Plugins: WordPress File Monitor
http://wordpress.org/extend/plugins/wordpress-file-monitor/
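A file-monitor plugin runs inside the site it is guarding, so once the site's PHP is compromised the monitor can be tampered with too. The script below is an added example, not from the talk or from that plugin: it does the same job from the shell, taking a hash baseline of every file in the install and reporting what was added, removed or modified since. Keep the baseline outside the web root (better, off the server). The sample install and the "injection" applied to it are constructed; the dropper shows up as an added file, which is how the WPMU site in the case study would have been caught despite looking clean.

```shell
#!/bin/sh
# Added example, not from the talk: what a file-monitor plugin does, done with a
# hash baseline from the shell so it keeps working when the site's own PHP is
# compromised. Take a baseline right after a clean install or cleanup, re-run
# later, and diff. The sample tree is constructed.

# hash_file PATH -> "sha256  path" (sha256sum on Linux, shasum on BSD/macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# snapshot ROOT OUT -> one "hash  ./relative/path" line per file, sorted by path
snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# compare BASELINE CURRENT -> "added:", "modified:" and "removed:" lines, sorted.
# Column 67 onward is the path (64 hex chars plus two spaces precede it).
# The baseline must be non-empty for the NR==FNR two-file idiom to work.
compare() {
    awk '
        NR == FNR { old[substr($0, 67)] = substr($0, 1, 64); next }
        { cur[substr($0, 67)] = substr($0, 1, 64) }
        END {
            for (p in old) if (!(p in cur)) print "removed: " p
            for (p in cur) if (!(p in old)) print "added: " p
            for (p in cur) if ((p in old) && cur[p] != old[p]) print "modified: " p
        }' "$1" "$2" | LC_ALL=C sort
}

# make_sample_site DIR -> constructed three-file install
make_sample_site() {
    mkdir -p "$1/wp-content/themes/default" "$1/wp-content/uploads"
    printf '<?php // core\n' > "$1/wp-load.php"
    printf '<?php get_header();\n' > "$1/wp-content/themes/default/index.php"
    printf '<?php wp_footer();\n' > "$1/wp-content/themes/default/footer.php"
}

# Demo: baseline, then simulate the case study's injection and show the diff
demo=$(mktemp -d)
make_sample_site "$demo"
snapshot "$demo" "$demo.baseline"
printf '<div style="display:none"><a href="http://example.com/pills">x</a></div>\n' \
    >> "$demo/wp-content/themes/default/footer.php"          # spam link appended
printf '<?php eval(base64_decode("AAAA"));\n' > "$demo/wp-content/uploads/cache.php"   # dropper added
rm "$demo/wp-content/themes/default/index.php"                # a file quietly removed
snapshot "$demo" "$demo.now"
compare "$demo.baseline" "$demo.now"
rm -rf "$demo" "$demo.baseline" "$demo.now"
```

Every WordPress, theme or plugin update legitimately changes files, so re-take the baseline immediately after each update; anything that changes between updates is something to explain.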
Basic WP Security
Recommended Security Plugins: Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
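Login Lockdown works by counting failed logins per address inside WordPress. The script below is an added example, not from the talk or from that plugin: it does the detection half after the fact from the web server's access log, which also works when the plugin was not installed yet or the attacker found a way around it. It assumes Apache combined log format, and it relies on WordPress answering a failed login with a 200 (the form again) and a successful one with a 302 redirect. The log lines are constructed; 198.51.100.7 and 203.0.113.10 are documentation addresses.

```shell
#!/bin/sh
# Added example, not from the talk: the detection half of a login-lockdown plugin,
# run against the web server's access log instead of inside WordPress. Counts
# POSTs to wp-login.php that were answered with 200 (a failed login re-renders the
# form; a successful one redirects with 302) per client address, and reports the
# addresses over a threshold. Log lines are constructed; the addresses are
# documentation addresses.

# sample_log -> six rapid failed POSTs from one address, a normal login from another
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [07/Oct/2009:21:02:11 -0400] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2009:21:02:12 -0400] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2009:21:02:12 -0400] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2009:21:02:13 -0400] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2009:21:02:13 -0400] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2009:21:02:14 -0400] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/4.0"
203.0.113.10 - - [07/Oct/2009:21:05:40 -0400] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Oct/2009:21:05:52 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.10 - - [07/Oct/2009:21:05:53 -0400] "GET /wp-admin/ HTTP/1.1" 200 18422 "http://example.com/wp-login.php" "Mozilla/5.0"
EOF
}

# login_failures LIMIT -> reads a combined-format log on stdin and prints "count ip"
# for every address with more than LIMIT failed logins, busiest first.
# Fields: $1 client, $6 "METHOD, $7 path, $9 status.
login_failures() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }
    ' | sort -rn
}

# Demo on the constructed log; on a real host: login_failures 20 < /var/log/apache2/access.log
sample_log | login_failures 3
```

The output is a list of addresses to block (a "Deny from" line in the wp-admin .htaccess, or a firewall rule), and a cron job running it over the last hour of log gives you most of what the plugin does without trusting the compromised site to police itself.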
Basic WP Security
WordPress Security Resources
Security Related Codex Articles
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Changing_File_Permissions
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/htaccess_for_subdirectories
Blog Security Articles
http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
http://www.growmap.com/wordpress-exploits/
http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
I’m @JohnCarcutt
Questions?
Credit Where Credit is due …
Tons of this presentation was stolen from Brad Williams who gave a great Presentation at WordCamp NYC