WordPress Security from WordCamp NYC 2012
Transcript of WordPress Security from WordCamp NYC 2012
WORDPRESS SECURITY BY BRAD WILLIAMS
Brad Williams @williamsba
WHO IS BRAD?
Brad Williams
Co-Founder WebDevStudios.com
Co-Author Professional WordPress & Professional WordPress Plugin Development
Co-Organizer WordCamp Philly
Co-Host WP Late Night
HAPPY BIRTHDAY TO BRAD
…and it’s my Birthday today!
TODAY’S TOPICS
• Security Stats • Example Hack • Top Security Tips • Recommended Plugins & Services • Resources
SECURITY STATS FOR WORDPRESS
700+ million websites in May 2012 (Netcraft); 300 million websites in 2011 (Pingdom)
10+ billion indexed pages (WorldWebSize)
Projected:
• 1 Billion websites by 2013
• 2 Billion websites by 2015
[Chart: Websites (millions) by year: 2011, 2012, 2013, 2015; axis 0 to 2500]
WordPress Stats
• 73+ Million WordPress powered websites
• 16% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 Million WordPress sites by 2015
Web Malware Stats
• 403 Million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 and 2011
In Summary – Be Scared!
HACK EXAMPLE
Link Injection
Hacker bots look for known exploits (SQL injection, folder permissions, etc.).
This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
Hosting account contained two separate websites: a WordPress install and a WordPress Multisite install.
Hacker bot dropped a malicious file on the WP Multisite install.
WordPress Multisite starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.
WP Multisite contains no spam links; it acts as a carrier to spread the contamination.
Cleaning up the WordPress website only resulted in more spam links a few days later.
375 spam links per page, only shown to search engines
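Spam links that are shown only to search engines are served by checking the crawler's User-Agent, so a site owner looking at the page in a browser sees nothing. The script below is an added example, not part of the talk: it fetches (or, offline, reads) the same page as a normal browser and as a crawler and flags a large difference in link count. The function names and the threshold of 10 extra links are my own choices, and the HTML used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the talk): spot search-engine cloaking by comparing
# link counts between a "browser" fetch and a "crawler" fetch of one page.
# Helper names and the threshold are assumptions, not anything from the slides.

# Count anchor tags in a saved HTML file (case-insensitive "<a ... href=").
count_links() {
    grep -oi '<a [^>]*href=' "$1" | wc -l | tr -d ' '
}

# Compare two saved responses for the same URL. Returns 1 (and prints a
# warning) when the crawler copy carries many more links than the browser copy.
compare_cloaking() {
    normal=$(count_links "$1")
    bot=$(count_links "$2")
    extra=$((bot - normal))
    if [ "$extra" -gt 10 ]; then
        echo "CLOAKING SUSPECTED: $normal links as browser, $bot links as crawler"
        return 1
    fi
    echo "OK: $normal links as browser, $bot links as crawler"
    return 0
}

# Live use against your own site (needs network; not exercised offline):
#   curl -sA 'Mozilla/5.0' https://example.com/ > normal.html
#   curl -sA 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' \
#        https://example.com/ > bot.html
#   compare_cloaking normal.html bot.html
```

Google's "Fetch as Google" style tools do the same comparison for you; the point of doing it by hand is that it also works on a staging copy and on pages the crawler has not indexed yet.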
Scared Yet?
TOP SECURITY TIPS FOR WORDPRESS
That’s It! Good luck!
Securing WordPress
1. Update, Update, Update
Keep WordPress updated!
Minor WordPress versions (e.g. 3.3.x) do NOT add new features. They contain bug fixes and security patches, so there is no feature risk in applying them right away.
1. Update, Update, Update
Update those plugins!
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
1. Update Update Update
NO EXCUSES! UPDATE!
2. Use Secret Keys
Some secrets should remain secrets
2. Use Secret Keys
1. Edit wp-config.php
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
The eight keys and salts are secret values that WordPress mixes into the hashes it uses to sign login cookies and nonces. With the stock placeholders left in place anyone can compute those hashes; unique random values make a forged authentication cookie impractical. Changing them later invalidates every existing login cookie, which is also a quick way to force all users out after a compromise.
BEFORE
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
AFTER
define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
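If you would rather not paste secrets from a web page, or want to check a fleet of sites for configs that still carry the placeholder, the following shell script does both. It is an added example and not from the talk: it generates the eight values locally with openssl, reports a wp-config.php that still has "put your unique phrase here" or lacks one of the eight defines, and rewrites the placeholder lines in place. It assumes the config uses exactly the define('KEY', 'put your unique phrase here'); lines shown in the BEFORE block, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the talk): generate WordPress secret keys offline
# and replace the stock placeholders in wp-config.php. Assumes the config
# uses the exact "define('KEY', 'put your unique phrase here');" lines.

PLACEHOLDER='put your unique phrase here'
WP_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 48 random bytes from openssl's CSPRNG -> 64 base64 characters. Base64 never
# contains a quote, a backslash or '|', so the value is safe inside the PHP
# string and inside the sed expression used below.
random_secret() {
    openssl rand -base64 48 | tr -d '\n'
}

# Print one define() per key, the same shape as the api.wordpress.org output.
generate_salts() {
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(random_secret)"
    done
}

# True (0) when the file still has the placeholder or is missing a key.
wp_config_has_weak_keys() {
    f=$1
    grep -q "$PLACEHOLDER" "$f" && return 0
    for k in $WP_KEYS; do
        grep -q "define('$k'," "$f" || return 0
    done
    return 1
}

# Replace each placeholder line with a fresh secret. Lines that already hold
# a real value are untouched. Work on a copy so a failure leaves the original.
harden_wp_config() {
    f=$1
    tmp="$f.tmp.$$"
    cp "$f" "$tmp"
    for k in $WP_KEYS; do
        v=$(random_secret)
        sed "s|^define('$k', '$PLACEHOLDER');|define('$k', '$v');|" "$tmp" > "$tmp.2" \
            && mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$f"
}

# Stand-alone use: check, then fix only when needed.
# wp_config_has_weak_keys wp-config.php && harden_wp_config wp-config.php
```

Run the check before the fix on every site you manage; the check alone is useful in a cron job, since a config restored from an old backup can silently bring the placeholders back.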
Do you login with username admin?
3. Delete the Admin user account
Change the admin username in MySQL (wp_ is the default table prefix; substitute your own):
UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Note that this changes only the login name. The user_nicename column, which WordPress uses in author archive URLs (/author/admin/), keeps its old value, so update it too or an attacker can still read the old name from the site.
Or create a new account with administrator privileges:
1. Create a new account. Make the username very unique
2. Set the account to the Administrator role
3. Log out and log back in with the new account
4. Delete the admin account
WordPress will allow you to reassign all content written by admin to an account of your choice.
3. Delete the Admin user account
WordPress lets you set the username during the installation process!
DON'T USE ADMIN!
3. Delete the Admin user account
Knowing your username is half the battle.
Don't make it easy on the hackers.
4. File and Folder Permissions
What folder permissions should you use? Good rule of thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above.
If your host requires 777... SWITCH HOSTS! A world-writable file can be modified by any other process on the server, including a compromised neighbouring account on shared hosting.
4. File and Folder Permissions
Or via SSH with the following commands:
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
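The two find commands set the modes but do not tell you whether anything was wrong to begin with. The script below is an added example, not part of the talk: it first lists anything world-writable under the WordPress root (the "777" problem), then applies the 644/755 rule and additionally tightens wp-config.php. WP_ROOT is an assumed path, the function names are mine, and the 600 mode on wp-config.php assumes PHP runs as the file owner (suPHP or a per-user php-fpm pool); with mod_php running as a shared web-server user you need 640 with that user's group instead.

```shell
#!/bin/sh
# Added example (not from the talk): audit a WordPress tree for world-writable
# files and directories, then apply the 644/755 rule from the slide.
WP_ROOT=${WP_ROOT:-/var/www/html}    # assumed path; override in the environment

# Print every world-writable file or directory under $1 (symlinks skipped).
# Returns 0 when nothing is world-writable, 1 otherwise.
audit_world_writable() {
    bad=$(find "$1" ! -type l -perm -o+w)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# The slide's two find commands, plus a tighter mode for wp-config.php, which
# holds the database password and the secret keys. 600 assumes PHP runs as the
# file owner; use 640 plus the web-server group when it does not.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Stand-alone use: audit first, fix only if the audit found something.
# audit_world_writable "$WP_ROOT" || fix_permissions "$WP_ROOT"
```

Running the audit on its own, from cron, is a cheap tripwire: a plugin installer or a "helpful" support tech that sets 777 on wp-content/uploads will show up the next morning.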
5. Move wp-config.php
WordPress features the ability to move the wp-config.php file one directory above your WordPress root.
This makes it nearly impossible for anyone to access your wp-config.php file from a browser, as it now resides outside of your website's root directory.
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory. It does so only when that parent directory does not itself contain a wp-settings.php, i.e. is not another WordPress install.
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php
The move only helps if public_html/wordpress is the document root the web server serves. If public_html itself is the document root, the file is still inside the web root and gains nothing; on such a layout the directory above public_html is the right place.
6. Lock Down WP Login and WP Admin
Add the code below to wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Add the code below to wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.
FORCE_SSL_LOGIN was deprecated in WordPress 4.0; FORCE_SSL_ADMIN covers both the login form and the admin screens, so on current versions set only that one. Either constant needs a working https virtual host for the site, otherwise the redirect just produces an error page.
1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP addresses to whitelist
allow from 67.123.83.59
allow from 123.123.123
Only a user with the IP 67.123.83.59 or an address in 123.123.123.0/24 can access wp-admin.
Two details: Apache takes a partial address ("123.123.123") to mean the whole block and does not understand a "*" wildcard, so "123.123.123.*" would be matched as a host name and never allow anyone. The four Auth* lines are inert without a Require directive; the deny/allow rules alone do the work. The order/deny/allow syntax is Apache 2.2 (mod_access_compat on 2.4).
Caveat: wp-admin/admin-ajax.php is also called by the public front end, so themes and plugins that use AJAX for ordinary visitors will break unless that file is exempted from the allowlist.
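For Apache 2.4, which replaced order/deny/allow with Require, the same allowlist reads as follows. This is an added example rather than a slide from the talk; the addresses are the placeholders the slide uses, and it exempts admin-ajax.php, which the public front end calls on behalf of visitors who are not logged in.

```apache
# Added example (not from the talk): wp-admin/.htaccess for Apache 2.4.
# Addresses are placeholders; replace with your own.
<RequireAny>
    Require ip 67.123.83.59
    Require ip 123.123.123.0/24
</RequireAny>

# admin-ajax.php is used by themes/plugins for anonymous visitors; without
# this exception the allowlist breaks those front-end features.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

The same rule can go in the main server config inside a <Directory> block, which is preferable where you control the server, since .htaccess is re-read on every request and can be overwritten by a compromised PHP process.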
7. Use Trusted Sources for Themes & Plugins
WPMU.org reviewed the top 10 results for "free wordpress themes" on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
The only safe site reviewed was WordPress.org.
Most themes included base64-encoded text links to promote various services. The encoding hides the link from anyone reading the theme source, and the decoded link is usually emitted in the footer where the theme author knows you will not look.
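Before activating a theme or plugin from anywhere but WordPress.org, grep it for the obfuscation patterns those surveyed themes relied on. The script below is an added example, not part of the talk and not the Exploit Scanner plugin mentioned later, though it does the same kind of detection-only work: it lists PHP lines that call base64_decode, eval, gzinflate, str_rot13 or preg_replace with the /e modifier, and decodes any literal base64_decode('...') string so the hidden link becomes readable. Function names and the pattern list are mine, and the sample theme files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): detect, never remove, obfuscated code in
# a theme or plugin directory. Pattern list is an assumption; extend as needed.
SUSPICIOUS='base64_decode\(|eval\(|gzinflate\(|str_rot13\(|preg_replace\(.*/e'

# Print file:line:text for every suspicious PHP line under $1.
# Returns 0 when clean, 1 when anything was found.
scan_theme() {
    hits=$(grep -rnE --include='*.php' "$SUSPICIOUS" "$1" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Number of suspicious lines, for a one-number report.
count_suspicious() {
    scan_theme "$1" | wc -l | tr -d ' '
}

# Decode every base64_decode('...') literal under $1 so the hidden text is
# visible. openssl is used because its base64 flags are the same everywhere.
reveal_base64() {
    grep -rhoE --include='*.php' "base64_decode\('[A-Za-z0-9+/=]+'\)" "$1" \
        | sed "s/^base64_decode('//; s/')$//" \
        | while IFS= read -r blob; do
            printf '%s\n' "$blob" | openssl base64 -d -A
            printf '\n'
        done
}

# Stand-alone use:
# scan_theme wp-content/themes/some-free-theme || reveal_base64 wp-content/themes/some-free-theme
```

A hit is not proof of malice (some legitimate plugins base64-encode icons, for instance), but a footer.php that evals a base64 blob has no honest reason to exist, and decoding it settles the question in seconds.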
8. Be Secure Locally
Think of your local environment as if it was a medieval castle and you're the queen or king. Your kingdom must be protected!
Keep your computer up to date
• Ensure you're patching or installing updates ASAP
• Automatic updates rock!
Install an anti-virus solution
• Ensure you're keeping definitions current
• Automatic updates aren't a bad idea here either!
Yes, personal firewalls still apply!
8. Be Secure Locally
It's your information, but who's watching and listening? You may be a network geek at home, but what happens at Starbucks?
Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions and traffic are traveling with security in mind.
Connecting To Your Site(s)
Consider using SFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? Anyone on the same network (that coffee shop Wi-Fi) can read them.
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don't store your credentials in your FTP client.
9. Use a Trusted Host
You get what you pay for…
9. Use a Trusted Host
"At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they're going to protect you."
Your Lovely Host!
• Cheap doesn't always mean best, or safe!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored and who has access?
9. Use a Trusted Host
Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress-specific hosting!
10. Use Common Sense
• Use a strong password
  • BAD: bradisawesome
  • GOOD: SCrEE79joLly$
  • A=@, E=3, S=$, O=0 (This is not unique, they know this)
• Update passwords regularly (Monthly, make a schedule)
• Know your admins, limit the number of accounts (WP, FTP, Hosting, etc.)
• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
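"They know this" is literally true: password-cracking tools ship rule sets that undo the @/3/$/0 substitutions before comparing against a dictionary, so br@d1$@we$0me falls in the same first pass as bradisawesome. The script below is an added example, not from the talk, that makes the point runnable: it normalizes the four substitutions the slide lists, checks the result against a word list, and applies a minimum policy of twelve characters plus "not a de-leeted dictionary word". The word list is a constructed stand-in for a real cracking dictionary, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the talk): why swapping letters for look-alike
# symbols does not turn a dictionary word into a strong password.
# WORDLIST is a tiny constructed stand-in for a cracking dictionary.
WORDLIST='password
bradisawesome
letmein
wordpress'

# Undo the substitutions from the slide (A=@, E=3, S=$, O=0) and lower-case.
# A cracker's rule set does exactly this, in both directions, for free.
leet_normalize() {
    printf '%s' "$1" | tr '@3$0' 'aeso' | tr 'A-Z' 'a-z'
}

# True (0) when the normalized password is a whole dictionary word.
is_dictionary_word() {
    w=$(leet_normalize "$1")
    printf '%s\n' "$WORDLIST" | grep -qxF "$w"
}

# Minimum policy: at least 12 characters and not a (de-leeted) dictionary
# word. Length is the cheapest real strength; symbol swaps are not.
password_acceptable() {
    [ "${#1}" -ge 12 ] || return 1
    is_dictionary_word "$1" && return 1
    return 0
}

# Stand-alone use:
# password_acceptable 'Br@dI$@we$0me' && echo accepted || echo rejected
```

Generating a password with the same tooling as the secret keys (openssl rand -base64 18, for instance) sidesteps the problem: random output has no dictionary word for a rule set to recover.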
PLUGINS & SERVICES FOR WORDPRESS
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/
• .htaccess lockdown rules for various directories (root, wp-admin, etc.)
• Security status scanner for folder/file permissions and file checks
• Very well documented
Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/
• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!
Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
• Scans your files and database for potentially malicious code
• Does not remove code, only detects it
http://Sucuri.net
• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/
• Website monitoring
• Hack cleanup services
• Sucuri Security Plugin
• Free to clients
• Web Application Firewall
• Integrity Monitoring
• Auditing
• Hardening
RESOURCES FOR WORDPRESS
• Security Related Articles
  • http://codex.wordpress.org/Hardening_WordPress
  • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
• Clean a Hacked Site
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://www.marketingtechblog.com/wordpress-hacked/
• Support Forums
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware
CONTACT BRAD
Brad Williams
Email: [email protected]
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Professional WordPress Second Edition coming December 2012!