Securing your WordPress Blog
WordPress Knoxville, Dec. 13
Wednesday, December 28, 11
Security Basics
Don’t use “nimda” (“admin” backwards) as a password.
Don’t share passwords across accounts.
Prefer SFTP over FTP, SSH over telnet.
Discovering Hackery
Try a scan, e.g. http://sitecheck.sucuri.net/scanner/
Check for uses of eval()
Check for uses of base64_decode()
Check for iframes
Check for php or non-image files in the uploads directory
Ask your hosting provider if other sites are hacked.
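The four file-level checks above as one sweep, written as an added example for this transcript rather than code from the talk. It assumes a standard wordpress.org layout with uploads under wp-content/uploads and builds its own small sample tree (constructed, with one planted indicator of each kind) so it can be run without a real site.

```shell
#!/bin/sh
# Added example (not from the slides): sweep a WordPress install for the
# indicators listed above. Assumed layout: $1 is the WordPress root and
# uploads live under $1/wp-content/uploads.

# Print one line per suspicious hit. Each grep/find ends in "|| true" so a
# clean tree (no matches, grep exit 1) does not abort a `set -e` caller.
scan_wp_tree() {
    site="$1"
    # 1. eval() / base64_decode() in PHP: the usual shape of an obfuscated backdoor
    grep -rnE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' "$site" || true
    # 2. iframes injected into theme/plugin output
    grep -rniE --include='*.php' --include='*.js' --include='*.html' \
        '<iframe' "$site" || true
    # 3. non-image files in uploads: a PHP file dropped there runs as the site
    find "$site/wp-content/uploads" -type f \
        ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        || true
}

# Number of hits, usable as a pass/fail signal from cron or a deploy script.
count_hits() {
    scan_wp_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one clean file, one obfuscated backdoor, one
# iframe injection, one PHP file hidden in uploads and one legitimate image.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads/2011/12"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<?php eval(base64_decode("Zm9v")); ?>' > "$d/wp-content/themes/demo/functions.php"
    printf '%s\n' '<iframe src="http://example.invalid/" width="1" height="1"></iframe>' > "$d/wp-content/themes/demo/footer.php"
    printf '%s\n' '<?php echo "dropped"; ?>' > "$d/wp-content/uploads/2011/12/shell.php"
    : > "$d/wp-content/uploads/2011/12/photo.jpg"
    echo "$d"
}

if [ $# -eq 1 ]; then
    scan_wp_tree "$1"
else
    t=$(make_sample_site)
    scan_wp_tree "$t"        # three lines: the backdoor, the iframe, the dropped PHP
    rm -rf "$t"
fi
```

Run it as `sh scan.sh /path/to/wordpress` against a real site. Expect some noise: a few legitimate plugins use base64_decode for bundled assets, and one hit on a theme you wrote yourself is worth ten minutes of reading, not automatic panic.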
Fixing Hackery
Scan your desktop for malware (stolen FTP/SSH credentials are a common way in)
Back everything up
Check with your hosting company
Change mysql/ftp/ssh/user passwords
Change the secret keys/salts in wp-config.php (http://bit.ly/2m00jW); this invalidates every existing login cookie
Check .htaccess (extras or weird rules)
Delete everything and reinstall from a fresh wordpress.org download, or at least replace the core files (wp-admin/, wp-includes/ and the top-level PHP files) with fresh copies
Change passwords again
Hire somebody with know-how.
Do the stuff you should already have done...
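Deciding which core files to replace is easier with a clean copy of the same WordPress version next to the site. The script below is an added example for this transcript, not code from the talk: it compares the two trees file by file and reports what is missing, modified or planted. It assumes `$1` is the unpacked clean release and `$2` is the site's document root, and ships with a constructed sample pair so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the slides): compare a possibly-hacked install with
# a clean copy of the same WordPress version downloaded from wordpress.org.
# Assumed layout: $1 is the unpacked clean release, $2 is the site's root.

# Print one line per discrepancy: "missing", "modified" or "extra" plus the
# path. wp-content (themes, plugins, uploads) and wp-config.php are skipped
# because they legitimately differ from the release; review those by hand.
core_diff() {
    clean="$1"
    site="$2"
    (cd "$clean" && find . -type f ! -path './wp-content/*') | while read -r f; do
        if [ ! -f "$site/$f" ]; then
            echo "missing  $f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then
            echo "modified $f"
        fi
    done
    (cd "$site" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php') | while read -r f; do
        [ -f "$clean/$f" ] || echo "extra    $f"
    done
}

core_diff_count() {
    core_diff "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: a tiny "release" and a "site" copied from it with one
# core file tampered with, one deleted and one planted file.
make_sample_pair() {
    base=$(mktemp -d)
    clean="$base/clean"
    site="$base/site"
    mkdir -p "$clean/wp-admin" "$clean/wp-includes" "$clean/wp-content/themes/demo"
    printf '%s\n' '<?php require "wp-blog-header.php"; ?>' > "$clean/index.php"
    printf '%s\n' '<?php /* admin */ ?>' > "$clean/wp-admin/admin.php"
    printf '%s\n' '<?php function wp_demo() {} ?>' > "$clean/wp-includes/functions.php"
    printf '%s\n' '/* theme */' > "$clean/wp-content/themes/demo/style.css"
    cp -R "$clean" "$site"
    printf '%s\n' '<?php eval(base64_decode("Zm9v")); ?>' >> "$site/wp-includes/functions.php"  # tampered
    rm "$site/wp-admin/admin.php"                                                                 # deleted
    printf '%s\n' '<?php echo "planted"; ?>' > "$site/wp-includes/cache-helper.php"              # planted (hypothetical name)
    printf '%s\n' '<?php define("DB_NAME", "x"); ?>' > "$site/wp-config.php"                     # expected, skipped
    echo "$base"
}

if [ $# -eq 2 ]; then
    core_diff "$1" "$2"
else
    base=$(make_sample_pair)
    core_diff "$base/clean" "$base/site"   # missing admin.php, modified functions.php, extra cache-helper.php
    rm -rf "$base"
fi
```

Match the clean copy to the version in wp-includes/version.php before comparing, otherwise every file shows as modified. Anything reported as "extra" under wp-admin/ or wp-includes/ is a backdoor until proven otherwise; "modified" core files go straight to the replace list.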
Safeguarding in Advance
Never download WordPress from anywhere but wordpress.org
Update ASAP (plugins and themes too)
Rename the default admin account
Use file/permission scanners (http://bit.ly/KDPw1 and http://bit.ly/saYTz)
Move wp-config.php one directory above the WordPress root (WordPress looks there automatically, and it keeps the file out of the web-served tree)
Disable new user registration
Audit file permissions
Use different credentials for every user and service (WordPress, MySQL, FTP/SSH)
Consider adding Basic auth to /wp-admin
Delete plugins/themes you’re not actually using
Vet plugins/themes before installing (e.g. watch for eval, base64_decode, iframes, or attempts to write to the filesystem)
Don’t use the default table prefix of wp_
Watch your logs for e.g. dictionary attacks (http://www.ossec.net/)
Consider trying VaultPress
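Two of the items above, the permission audit and Basic auth in front of /wp-admin, as shell. This is an added example for this transcript, not code from the talk. It assumes `$1` is the WordPress root; the htpasswd path handed to `wp_admin_htaccess` is a hypothetical location that should sit outside the web root.

```shell
#!/bin/sh
# Added example (not from the slides): audit file permissions and generate a
# Basic-auth .htaccess for wp-admin. Assumptions: $1 is the WordPress root;
# the htpasswd path passed to wp_admin_htaccess is hypothetical.

# Anything writable by "other" can be rewritten by any local account, which
# on shared hosting means every other tenant. wp-config.php carries the
# database password and the secret keys, so it should not be world-readable.
audit_perms() {
    site="$1"
    find "$site" -type d -perm -002 | sed 's/^/world-writable dir  /'
    find "$site" -type f -perm -002 | sed 's/^/world-writable file /'
    if [ -f "$site/wp-config.php" ] && [ -n "$(find "$site/wp-config.php" -perm -004)" ]; then
        echo "world-readable      $site/wp-config.php"
    fi
}

audit_perms_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Apache .htaccess stanza for the wp-admin directory: the browser has to pass
# HTTP Basic auth before any request reaches WordPress's PHP, so dictionary
# attacks against the dashboard stop at the web server.
# Create the user file with: htpasswd -c /path/outside/webroot/wp-admin.htpasswd alice
wp_admin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $1
Require valid-user
EOF
}

# Constructed sample tree with the classic shared-hosting mistakes planted:
# a 777 uploads directory, a 666 file and a 644 wp-config.php.
make_perm_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    : > "$d/wp-config.php"
    : > "$d/wp-includes/functions.php"
    : > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content" "$d/wp-includes"
    chmod 644 "$d/wp-includes/functions.php"        # fine
    chmod 777 "$d/wp-content/uploads"               # flagged: world-writable dir
    chmod 666 "$d/wp-content/uploads/photo.jpg"     # flagged: world-writable file
    chmod 644 "$d/wp-config.php"                    # flagged: world-readable config
    echo "$d"
}

if [ $# -eq 1 ]; then
    audit_perms "$1"
else
    t=$(make_perm_sample)
    audit_perms "$t"         # three findings on the sample tree
    rm -rf "$t"
    wp_admin_htaccess /etc/apache2/wp-admin.htpasswd
fi
```

Two caveats before copying the stanza into wp-admin/.htaccess: wp-login.php lives in the site root, not under wp-admin, so it needs its own `<Files wp-login.php>` block if you want it covered too; and some plugins call wp-admin/admin-ajax.php from the public front end, which Basic auth will break unless you exempt that one file.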
Links
http://codex.wordpress.org/Hardening_WordPress
http://ottopress.com/2011/how-to-cope-with-a-hacked-site/
http://codex.wordpress.org/Resetting_Your_Password
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/