Neo word press meetup ehermits - how to keep your blog from being hacked 2012

HOW TO KEEP YOUR BLOG FROM BEING HACKED, STOLEN OR OTHERWISE VIOLATED Brian Layman North East Ohio WordPress Meetup #NEOWP


Transcript of Neo word press meetup ehermits - how to keep your blog from being hacked 2012

Page 1

HOW TO KEEP YOUR BLOG FROM BEING HACKED, STOLEN

OR OTHERWISE VIOLATED

Brian Layman

North East Ohio WordPress Meetup

#NEOWP

Page 2

Introduction

Who I am. What I do. What I see.
What software do your blogs run on?
Who here has had a blog hacked, defaced, stolen or taken down?
Is your site safe? (No one would ever want to hack my blog about _____.)
The title is a lie…

Page 3

Well Known Blog Hacks

Go Daddy Blue Host Network Solutions

• PayPal’s Blog
• CorneliaMarie.com
• ClimateCrisis.net
• Twilight Lexicon
• Twitter
• Gawker
• PhotoMatt
• Problogger
• DreamHost
• Bizland

Page 4

Antivirus Campaign

http://bit.ly/AVCampaign

Page 5

Define “hacked”

• Content or uploads destroyed
• Hidden hyperlinks added to your site
• Redirect to another site
• Content edited
• Hijacked website
• Defacement
• Bank fraud

Page 6

Definition of Terms: how attacks happen…

• CSRF/XSRF – Cross Site Request Forgery
• XSS – Cross Site Scripting
• SQL Injection
• DDoS – (Distributed) Denial of Service
• DNS Hijacking – spoofing or poisoning
• Malvertising – malicious advertising
• Stolen password
• Bad code

Page 7

Open source Responses to Vulnerabilities

WordPress http://codex.wordpress.org/Hardening_WordPress [email protected]

Drupal http://drupal.org/security-team [email protected]

Joomla http://developer.joomla.org/security.html [email protected]

Page 8

Security Through Obscurity

What is it? You tell me… Who is right?
My thought: any step that eliminates a large subset of the attacks on your blog should be taken, even if it only hides something rather than fixing it.

Page 9

Tactics YOU can use no matter what platform you are on

The basics:
• Passwords
• Communication (plain text vs. SSL)
• Updates
• Watch what you add to your sites (plugins/themes/add-ons)
• Backups
• Google Webmaster Tools

Page 10

Passwords

• Use strong passwords
• Make them unique in high value situations

Page 11

Communication

Pay attention to how you are sending your passwords:
• Wireless networks = risk
• FTP – use SFTP instead (FTP sends the password in clear text)
• Email – use SSL: ports 587, 995, 993 instead of 25, 110, 143
• Skype – syncs history upon connect; never send secure passwords over it – EVER
• cPanel/WHM/admin pages – if it is http, not https, your password can be scraped

Page 12

Updates

Keep your blog, plugins, themes & operating system current – yes, even Linux

Security and attacks improve over time:
• 2005 – Admin operations required a referrer
• 2006 – Admin operations required a NONCE
• 2007 – Plugin pages forced to check security
• 2008 – Randomized keys and salts & upgrades
• 2009 – Security escalation issues – full review
• 2010 – Automated plugin and theme upgrades
• 2011 – Sniffing, upload, clickjacking, file cleanup

Page 13

Watch what you add…

• Every plugin or theme is a security risk
• “Free Theme” sites are a very high risk
• Less popular & highly specialized plugins have had fewer eyes on them and are riskier
• Older plugins used older security standards – we simply knew less and had fewer tools
• You are responsible for your site. Learn how to identify problems or make a friend who can.

Page 14

Backups

• Both files and database
• Keep the files offline
• If you have files online, keep them out of public_html
• As important as having the backups… know how to restore them!
• Before you restore, delete the existing files and directories so the hack files do not survive alongside the restored copy

Page 15

Google Webmaster Tools

How do you know you are hacked? Google will email you when they consider you a risk.

http://www.google.com/webmasters/
http://www.google.com/webmasters/checklist/
https://www.google.com/webmasters/tools/reconsideration

You can configure multiple owners

Page 16

Coding Practices

• EVERYTHING that is displayed on the screen must be filtered. WordPress provides: esc_html, esc_url, esc_* (http://codex.wordpress.org/Data_Validation)
• EVERYTHING that you send to the database must be filtered. WordPress provides: $wpdb->prepare
• TRUST NOTHING
• Try to use your own text instead of user input
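The slide's two rules, as an added example that is not code from the slides or from the speaker's projects: one search shortcode written the way an unfiltered plugin does it, then the way the slide recommends. It assumes it runs inside WordPress, where esc_html, esc_url, sanitize_text_field, wp_unslash, $wpdb->prepare and $wpdb->esc_like are the real API; the shortcode name neowp_search and the neowp_* function names are invented for this example.

```php
<?php
/*
 * Added example (not from the slides): a [neowp_search] shortcode that echoes
 * a search term and lists matching posts, written twice. Assumes WordPress is
 * loaded; the neowp_* names are invented for the example.
 */

// VULNERABLE: raw request data goes to the screen and into SQL.
function neowp_search_vulnerable( $atts ) {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';

    // XSS: ?q=<script>...</script> is echoed straight into the page.
    $html = '<p>Results for ' . $term . '</p>';

    // SQL injection: the term is concatenated into the query.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE '%{$term}%' LIMIT 10"
    );
    foreach ( $rows as $row ) {
        // Stored XSS if a title contains markup; the href is not escaped either.
        $html .= '<a href="' . get_permalink( $row->ID ) . '">' . $row->post_title . '</a><br>';
    }
    return $html;
}

// HARDENED: trust nothing; filter on the way in, escape on the way out, prepare SQL.
function neowp_search_hardened( $atts ) {
    global $wpdb;

    // Filter input: drop tags and control characters, undo WordPress's slashing.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term ) {
        return '<p>Enter a search term.</p>';   // our own text, not user input
    }

    // Escape output: esc_html() for text nodes, esc_url() for href values.
    $html = '<p>Results for ' . esc_html( $term ) . '</p>';

    // Prepare SQL: %s is quoted and escaped by prepare(); esc_like() (WordPress 4.0+)
    // neutralises % and _ so the user cannot widen the LIKE pattern.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s LIMIT %d",
        '%' . $wpdb->esc_like( $term ) . '%',
        10
    );
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        $html .= sprintf(
            '<a href="%s">%s</a><br>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return $html;
}

add_shortcode( 'neowp_search', 'neowp_search_hardened' );
```

Drop the file in wp-content/plugins/ with a plugin header, put [neowp_search] on a page and request it with ?q=<script>alert(1)</script>: the hardened handler shows the text literally, while the vulnerable one runs it. The same pattern (sanitize_*, esc_*, prepare) applies to widget options, meta boxes and AJAX handlers, not just shortcodes.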

Page 17

Servers

Permissions – the 755 myth: chmod -R 755 *
• Generic: directories should be 755, files 644
• Reality: the least privilege that still lets the site run is what you want; 755 on every file just makes them all executable

VPS vs. shared hosting vs. managed hosting: flexibility, access and less risk = more $
• Harden your own server or let someone do it
• suPHP – isolates your installation (PHP runs as your own account, not as a shared web-server user)
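An added example, not from the slides: a command-line audit in PHP that reports everything looser than the generic 755/644 the slide gives, plus two checks a site rescue usually starts with. It assumes a Unix host and the suPHP-style setup the slide mentions, where PHP runs as the site owner, so wp-config.php can be 600 or 640 (where the web server runs as a separate shared user, 640 with the server's group is the tightest that still works); the path is whatever you pass on the command line.

```php
<?php
/*
 * Added example (not from the slides): audit a WordPress tree for permissions
 * looser than directories 755 / files 644, a world-readable wp-config.php, and
 * PHP files under wp-content/uploads. Usage: php audit-perms.php /path/to/site
 * Assumes a Unix host where PHP runs as the site owner (suPHP-style).
 */

function neowp_audit_permissions( string $root ): array {
    $findings = [];
    $root = rtrim( $root, '/' );
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ( $it as $path => $info ) {
        $mode = fileperms( $path ) & 0777;

        if ( $info->isDir() ) {
            // Directories need x to be traversed; 755 is the generic target.
            // Group/other write lets any other account on the box drop files.
            if ( $mode & 0022 ) {
                $findings[] = sprintf( '%04o %s (directory writable by group/other)', $mode, $path );
            }
            continue;
        }

        if ( $mode & 0022 ) {
            $findings[] = sprintf( '%04o %s (file writable by group/other)', $mode, $path );
        }
        // chmod -R 755 * leaves every file executable; 644 is all a web file needs.
        if ( $mode & 0111 ) {
            $findings[] = sprintf( '%04o %s (file is executable; 644 is enough)', $mode, $path );
        }
        // PHP should never live under uploads; a file there is usually a dropped backdoor.
        if ( strpos( $path, '/wp-content/uploads/' ) !== false
             && preg_match( '/\.ph(p[0-9]?|tml)$/i', $path ) ) {
            $findings[] = sprintf( '%04o %s (PHP file under uploads)', $mode, $path );
        }
    }

    // wp-config.php holds the database password; "other" should not be able to read it.
    $cfg = $root . '/wp-config.php';
    if ( is_file( $cfg ) && ( fileperms( $cfg ) & 0004 ) ) {
        $findings[] = sprintf( '%04o %s (wp-config.php readable by other; try 600 or 640)',
            fileperms( $cfg ) & 0777, $cfg );
    }

    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    $root = $argv[1] ?? getcwd();
    $findings = neowp_audit_permissions( $root );
    foreach ( $findings as $line ) {
        echo $line, PHP_EOL;
    }
    printf( "%d finding(s) under %s\n", count( $findings ), $root );
}
```

Run it before and after a chmod sweep; a clean run prints only the count line. It is a report, not a fix: what the right mode is depends on which user the web server runs as, which is exactly the question the VPS/shared/managed choice decides.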

Page 18

WordPress Specific Security Techniques

• Create an “Editor” user for posting
• Create a new “Administrator”, delete the old one, then only use it for maintenance
• Never use wp_ as your table prefix
• Look at wp-config-sample.php now and then and update your wp-config.php
• Force secure password logins: http://codex.wordpress.org/Administration_Over_SSL
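The wp-config.php lines behind the last three points, as an added example that is not from the slides. It assumes a standard WordPress install; the table prefix and the key/salt strings are placeholders to replace with your own values.

```php
<?php
/*
 * Added example (not from the slides): the wp-config.php settings for a
 * non-default table prefix, fresh keys and salts, and admin over SSL.
 * Placeholder values are marked; replace them before use.
 */

// Never use wp_ as your table prefix. Set this BEFORE installing: changing it on
// a live site means renaming every table plus the prefixed rows in wp_options
// (user_roles) and wp_usermeta (capabilities, user_level).
$table_prefix = 'x7k2q_';   // placeholder: choose your own

// Keys and salts: copy a fresh set from the URL given in wp-config-sample.php
// (https://api.wordpress.org/secret-key/1.1/salt/). Changing them invalidates
// every login cookie, which is exactly what you want after a compromise.
define( 'AUTH_KEY',         'put your unique phrase here' );   // placeholder
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );   // placeholder
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );   // placeholder
define( 'NONCE_KEY',        'put your unique phrase here' );   // placeholder
define( 'AUTH_SALT',        'put your unique phrase here' );   // placeholder
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );   // placeholder
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );   // placeholder
define( 'NONCE_SALT',       'put your unique phrase here' );   // placeholder

// Force secure password logins: wp-login.php and all of wp-admin go over HTTPS
// (Administration_Over_SSL). Needs a working certificate on the host first,
// or you lock yourself out.
define( 'FORCE_SSL_ADMIN', true );

// A stolen Administrator password should not turn straight into a PHP shell:
// remove the theme/plugin file editor from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Do not show paths and queries to visitors.
define( 'WP_DEBUG', false );
```

After saving, compare the file against the current wp-config-sample.php now and then, as the slide says: new defines appear there first.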

Page 19

WordPress Techniques (Expected Answers)

• Move wp-config.php
• Remove version info
• Rename the admin user
• Move your wp-content directory – possibly worth doing but will break many plugins and themes
• Use .htaccess to whitelist IP addresses or add an extra password layer

Page 21

Who can help?

Site Rescue, Securing & Code Review: Sucuri.net, WebDevStudios.com, CoveredWebServices.com

Managed Hosting: WPEngine.com, Page.ly, WPSecuritylock.com

And of course doing it all: eHermitsInc.com

Page 22

Brian Layman

http://eHermitsinc.com

http://thecodecave.com

http://www.slideshare.net/brianlayman

http://twitter.com/brianlayman

@eHermits

Text ehermits to 50500

[email protected]