WordPress Security Updated - NYC Meetup 2009
WordPress Security
Brad Williams, WebDevStudios.com
Who Am I?
Brad Williams, CEO & Co-Founder, WebDevStudios.com
Founder of WPClassroom.com
Organizer NJ WordPress Meetup
Co-Host SitePoint Podcast
Co-Author of Professional WordPress (March 2010)
The Goal of this Presentation…
…Is to scare the crap out of you!
…and then make everything better
Topics
• Example Link Injection Hack
• Securing your WordPress Website
• Recommended Plugins
The Scary
Link Injection
Hacker bots look for known exploits (SQL injection, folder permissions, etc.). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
Example
Hosting account contained two separate websites: a WordPress install and a WordPress MU install
Bot dropped a hacker file on the WPMU install
WPMU starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files
WPMU contains no spam links; it acts as a carrier to spread the contamination
Cleaning up the WordPress website only resulted in more spam links a few days later
375 Spam Links Per Page
CSS Hides the Spam
<b style="display:none">Any text you want to hide</b>
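The hidden-spam trick above is easy to check for on your own pages. This is an added example, not code from the slides: a small Python scanner (standard library only) that walks a page's HTML and reports every link nested inside an element hidden with inline CSS, so a sudden jump in that count flags an injection. The sample page and the spam.example domain are constructed.

```python
import re
from html.parser import HTMLParser

# Inline-CSS patterns used to hide injected spam from visitors.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Tags that never get a closing tag, so they must not stay on the open-tag stack.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "wbr", "source"}

class HiddenLinkScanner(HTMLParser):
    # Counts every <a> and records the ones nested inside a hidden element.
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, is_hidden) for each open element
        self.hidden_depth = 0    # number of enclosing elements that are hidden
        self.total_links = 0
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.total_links += 1
            if self.hidden_depth:
                self.hidden_links.append(attrs.get("href") or "")
        if tag in VOID_TAGS:
            return
        hidden = bool(HIDDEN_RE.search(attrs.get("style") or ""))
        self.stack.append((tag, hidden))
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or all(t != tag for t, _ in self.stack):
            return
        while self.stack:                     # unwind to the matching open tag
            open_tag, hidden = self.stack.pop()
            self.hidden_depth -= hidden
            if open_tag == tag:
                break

def scan_html(html):
    # Return (total link count, hrefs a visitor could never see).
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.total_links, scanner.hidden_links

# Constructed page: two real links plus four hidden ones (spam.example is made up).
SAMPLE_HTML = """<html><head><meta name="generator" content="WordPress 2.8" /></head><body>
<p>Welcome.<br>Read the <a href="/about/">about page</a>.</p>
<b style="display:none">cheap <a href="http://spam.example/1">pills</a>
<a href="http://spam.example/2">meds</a> <a href="http://spam.example/3">buy</a></b>
<div style=" DISPLAY : NONE ;"><p><a href="http://spam.example/4">more</a></p></div>
<a href="/contact/">Contact</a></body></html>"""
```

Run it against the saved HTML of each page (or the theme's rendered output) after every cleanup; a clean page should report zero hidden links.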
Aftermath
• Website was dropped by Google completely
• PageRank went from 6 to 5
• Hack also infected the phpBB forum
• Organic traffic for “viagra” started showing up
Hack happened in April 2009; the website has still not fully recovered in search engines
Scared Yet?
Securing WordPress
Don’t use the admin account
If you are using the admin account you are wrong!
Either change the username in MySQL (wp_users is the table name with the default wp_ prefix):
update wp_users set user_login='newuser' where user_login='admin';
Or create a new/unique account with administrator privileges:
1. Create a new account. Make the username very unique
2. Assign the account to the Administrator role
3. Log out and log back in with the new account
4. Delete the admin account
Make it hard on the hacker! If they already know your username that’s half the battle
The Great Permission Debate
What folder permissions should you use?
Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above; if you can’t upload, increase privileges (i.e. 775, 777)
Permission levels vary depending on server configuration
The Great Permission Debate
Permissions can be set via FTP, or via shell access with the following commands:
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
Move the wp-config.php file
WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
Move the wp-content Directory
WordPress 2.6 added the ability to move the wp-content directory
1. Move your wp-content directory
2. Make two additions to wp-config.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
If you have compatibility issues with plugins there are two optional settings:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
If hackers can’t find your wp-content folder, they can’t hack it!
Remove WordPress Version from Header
Viewing source on most WP sites will reveal the version they are running:
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
This helps hackers find vulnerable WP blogs running older versions
To remove it, find the code below in the header.php file of your theme and remove it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<!-- leave this for stats please -->
Themes and plugins might also display versions in your header.
The wp_head function also includes the WP version in your header. To remove it, drop this line of code in your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
Stay Current on Updates
Keep WordPress core, plugins, and theme files up to date
The newly added plugin Changelog tab makes it very easy to view what has changed in a new plugin version
Expect wider adoption in the coming months as this was just added a few weeks ago
Recent WordPress hack only affected outdated WordPress installs
Use Secure Passwords
Use strong passwords to protect your website from dictionary attacks
Not just for WordPress, but also FTP, MySQL, etc.
BAD PASSWORD: bradrules
GOOD PASSWORD: S-gnop2D[6@8
Great resource: goodpassword.com (creates random passwords)
WordPress will tell you when you have it right
Use Secret Keys
A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
1. Edit wp-config.php
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1
BEFORE
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
AFTER
define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB');
define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB');
define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V');
define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r');
You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again
Change WordPress Table Prefix
1. Edit wp-config.php before installing WordPress
2. Change the prefix wp_ to something unique:
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'zztop_';
All database tables will now have a unique prefix (i.e. zztop_posts)
Force SSL Login and Admin Access
Set the below option in wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Set the below option in wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
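The last three wp-config.php changes (real secret keys, a non-default table prefix, SSL forced for login and admin) are easy to forget on one of several sites. This is an added example, not code from the slides or from WordPress: a Python audit that parses the define() lines and $table_prefix out of a wp-config.php and lists which of those steps are still missing. Both sample configs, including the key strings, are constructed for the demo.

```python
import re

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
# define('NAME', value); where value is single-quoted, double-quoted or bare (true/false).
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_config(text):
    # Return ({constant: value}, table prefix or None) from wp-config.php text.
    defines = {name: sq or dq or bare for name, sq, dq, bare in DEFINE_RE.findall(text)}
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)

def audit_config(text):
    # List which of the slide-deck hardening steps this wp-config.php still lacks.
    defines, prefix = parse_config(text)
    findings = []
    for name in KEY_NAMES:
        value = defines.get(name, "")
        if not value or PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{name} is missing, still the placeholder, or under 32 chars")
    if prefix in (None, "wp_"):
        findings.append("table prefix is the default wp_")
    for flag in ("FORCE_SSL_LOGIN", "FORCE_SSL_ADMIN"):
        if defines.get(flag, "").lower() != "true":
            findings.append(f"{flag} is not set to true")
    return findings

# Constructed samples; the key strings are made up, not from api.wordpress.org.
WEAK_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""
HARDENED_CONFIG = """<?php
define('AUTH_KEY',        'A3kd)9!x;Lm(Qp2#Vs8@Zt5&Wb7^Nc0{Hy4]Gr');
define('SECURE_AUTH_KEY', 'q8Rf(2]Tz!mX;4Kc#Lw9&Pv)6Nd^Bj0{Gs3@Hy');
define('LOGGED_IN_KEY',   'Zt7;Qe)1!Mv(Kx4#Rb8@Lp2&Wn5^Cs9{Ya0]Df');
define('NONCE_KEY',       'Hm2(Jx)7!Vc;Qw5#Ln9@Bt3&Ps6^Zr1{Kd8]Ge');
$table_prefix = 'zztop_';
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
"""
```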
.htaccess lockdown
1. Create a .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
Only a user with the IP 67.123.83.59 can access wp-admin
Recommended Security Plugins
WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
WordPress Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
WordPress File Monitor
http://wordpress.org/extend/plugins/wordpress-file-monitor/
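The dropped "hacker file" in the example earlier and the spam edits to theme files are exactly what a file monitor catches. This added example (not the File Monitor plugin's code, and not from the slides) shows the core of that idea in Python: hash every file under the install, save the result as a baseline, and later diff a fresh snapshot to list files added, removed or modified. The demo builds its own throwaway tree in a temp directory; the dropped file and the spam.example link are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    # Map every file under root (path relative to root) to its SHA-256 digest.
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    # Files added, removed, or changed since the baseline was recorded.
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    # Constructed scenario: baseline a clean tree, then a file is dropped and a theme file edited.
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "default")
        write(os.path.join(root, "index.php"), "<?php require './wp-blog-header.php'; ?>\n")
        write(os.path.join(theme, "footer.php"), "<?php wp_footer(); ?>\n")
        baseline = snapshot(root)   # record this right after a clean install or update
        # Simulated compromise (constructed): an unknown file appears and footer.php
        # gains a hidden block like the one on the CSS slide.
        write(os.path.join(theme, "x7.php"), "<?php /* placeholder for a dropped file */ ?>\n")
        write(os.path.join(theme, "footer.php"),
              '<b style="display:none"><a href="http://spam.example/">spam</a></b>\n', mode="a")
        return diff_snapshots(baseline, snapshot(root))
```

In practice, store the baseline outside the web root and re-take it only after an update you made yourself; anything else in the added or modified lists needs a look.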
WordPress Security Resources
Security Related Codex Articles
› http://codex.wordpress.org/Hardening_WordPress
› http://codex.wordpress.org/Changing_File_Permissions
› http://codex.wordpress.org/Editing_wp-config.php
› http://codex.wordpress.org/htaccess_for_subdirectories
Blog Security Articles
› http://www.growmap.com/wordpress-exploits/
› http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
› http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
› http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
› http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
› http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/
Contact
Brad [email protected]
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Everywhere else: williamsba