secure all the things!
DESCRIPTION
Slightly updated version of my previous WordPress Security presentation.
TRANSCRIPT
When it comes to security, WordPress is the least of your worries...
Secure All The Things!
HACKERS!
HACKERS!
CRACKERS!
HACKERS!
Everybody says “hackers” anyways.
WordPress Hacks
Warning! Massive Number of GoDaddy WordPress Blogs Hacked!
DreamHost: One Million Domains Hacked; WordPress Blogs Infected
WordPress Sites on GoDaddy, Bluehost Hacked
Reuters Hacked Again, Outdated WordPress Blog At Fault?
InMotion Hosting Servers Hacked, Thousands of Web Sites Affected
WordPress Hacks
History shows there have been very few “WordPress Hacks”
“In the vast majority of cases I see, attackers get in some other way, and then once already in the system, they go looking for WordPress installs.” -- Mark Jaquith
If WordPress isn’t the weak point, what is?
WordPress Hacks
Most hacks that affect WordPress actually originate outside of WordPress Core.
TimThumb (PHP library, many themes/plugins)
Uploadify (jQuery plugin, many themes/plugins)
Adserve (plugin)
WassUp (plugin)
Is Human (plugin)
We need to look at the bigger picture
The LAMP Stack
Other Services and Apps
SMTP (email)
FTP
DNS
Other web sites and utilities?
Drupal, Joomla, forums
PHPMyAdmin
Shared Hosting
Shared hosting? Shared security!
Other users on the same server as you can become a security risk that affects you
What about your own users? Can you trust everyone who has a login for your site? Really trust them?
“Nobody cares as much about the survival of your business as yourself.” -- Ron Cain, business owner
How do hackers get in?
Known exploits in vulnerable software
Brute-force password hacking
Network scanners
Firesheep
Wifi vulnerabilities (WEP/WPA)
Automated tools
Rootkits
Staying Safe
Three Words
Update
Update
Update
Three Words
Update Core
Update Plugins
Update Themes
What Else?
Hotfix Plugin
WP Security Scanner
Login Lockdown
BulletProof Security
Sucuri.net
What Else?
Not using a plugin anymore?
Deactivate
DELETE!
The same goes for themes
HACKED!
Now What?
You can no longer trust any code files
Nuke the site, start from trusted, fresh copies
Save wp-config.php and wp-content/uploads
Reinstall data from backups
You do have backups, right?
Right?
What do I back up?
Database
Uploaded media (wp-content/uploads)
Custom themes and plugins
wp-config.php
Keep a list of your installed third-party plugins
How do I back up?
Backup Buddy
VaultPress
WordPress Backup to Dropbox
It can happen to you
It can happen to me
It can happen to everyone, eventually
-- Yes, It Can Happen, 90125
A Little Healthy Paranoia
Healthy Paranoia
Use strong passwords
Two-factor authentication -- Google Authenticator plugin
Use separate WordPress logins for publishing day-to-day content and for site administration
Limit who can login to your site, and what permissions they have
Create temporary accounts for developers, if necessary
Healthy Paranoia
Use secure protocols: SFTP, SCP, SSH -- not FTP
If possible, enforce SSL on WordPress logins and dashboard access
Ensure MySQL server is not accessible to other hosts
Same goes for memcache (or any other data store)
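The two slides above say what to achieve but not where the setting lives. The fragment below is an added example, not part of the talk: a my.cnf [mysqld] section with the exposed setting commented out beside the corrected one. The file path varies by distribution, and the WordPress-side detail (DB_HOST) is assumed to be the default 'localhost'.

```ini
# Added example, not from the talk. Section and option names are MySQL/MariaDB's;
# the location of my.cnf depends on your distribution (e.g. /etc/mysql/ on Debian).
[mysqld]
# Weak: listens on every interface, so any host that can reach the server
# gets to try MySQL logins directly.
# bind-address = 0.0.0.0

# Corrected: accept TCP connections only from this machine. WordPress on the
# same host still connects fine via DB_HOST 'localhost' or '127.0.0.1'.
bind-address = 127.0.0.1

# If wp-config.php uses DB_HOST 'localhost' (Unix socket), TCP can be
# switched off entirely instead:
# skip-networking
```

After restarting MySQL, confirm the listener with `ss -ltnp` (or `netstat -tlnp`): port 3306 should appear bound to 127.0.0.1 only, never to 0.0.0.0 or the public address. The same idea applies to the memcache slide: memcached's `-l 127.0.0.1` option (set in /etc/memcached.conf on Debian-style systems) restricts it to the loopback interface, since memcached has no authentication of its own. A host firewall rule blocking inbound 3306 and 11211 is a cheap second layer for when a config file is later overwritten by an upgrade.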
What? I don’t know how!
Getting help
Security is part of the cost of doing business, like insurance
If you don’t know how to do all this, retain the services of someone who does
Managed hosting:
Page.ly
WordPress.com
WP Engine
Zippykid
Security for Developers
Settings API, nonces, validation handlers
Data escaping functions: esc_*()
esc_html()
esc_attr()
esc_sql()
esc_url() & esc_url_raw()
esc_js()
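The developer slide lists the Settings API, nonces, validation handlers and the esc_*() family as names only. The plugin below is an added example, not code from the presentation or from WordPress core, that puts all four together: a setting registered with a sanitize callback, a form whose nonce is emitted by settings_fields(), an explicit wp_nonce_field()/check_admin_referer() pair on a custom admin-post handler, and each esc_*() function used in the context it is meant for. The "satt_" prefix, the option name satt_options, the option group, page slug and the satt_test action are all assumptions made for the example.

```php
<?php
/**
 * Plugin Name: SATT Settings Demo
 * Added example for this talk, not code from the presentation or from WordPress
 * core. The "satt_" prefix, option names and the admin-post action are assumptions.
 */
defined( 'ABSPATH' ) || exit;

// Settings API: register the option with a validation handler. Everything that
// options.php writes to satt_options passes through satt_sanitize() first.
add_action( 'admin_init', function () {
    register_setting( 'satt_group', 'satt_options', array(
        'type'              => 'array',
        'sanitize_callback' => 'satt_sanitize',
        'default'           => array( 'webhook' => '' ),
    ) );
    add_settings_section( 'satt_main', 'Notifications', '__return_false', 'satt' );
    add_settings_field( 'satt_webhook', 'Webhook URL', 'satt_field_webhook', 'satt', 'satt_main' );
} );

// Validation handler: coerce the field to the shape you expect and reject the
// rest, rather than storing whatever arrived in $_POST.
function satt_sanitize( $input ) {
    $clean = get_option( 'satt_options', array( 'webhook' => '' ) );

    // esc_url_raw() is the storage/redirect form: it drops disallowed schemes
    // (here anything but https) but does not HTML-encode. Empty means "off".
    $raw = isset( $input['webhook'] ) ? trim( (string) $input['webhook'] ) : '';
    $url = esc_url_raw( $raw, array( 'https' ) );
    if ( '' === $raw || '' !== $url ) {
        $clean['webhook'] = $url;
    } else {
        add_settings_error( 'satt_options', 'satt_bad_url', 'Webhook must be an https:// URL.' );
    }
    return $clean;
}

// Output escaping: esc_attr() inside an attribute, esc_html() for visible text,
// esc_url() for href/src. Choose by the context you are writing into.
function satt_field_webhook() {
    $opts = get_option( 'satt_options' );
    printf(
        '<input type="url" class="regular-text" name="satt_options[webhook]" value="%s" />',
        esc_attr( $opts['webhook'] )
    );
}

add_action( 'admin_menu', function () {
    add_options_page( 'Secure All The Things', 'SATT', 'manage_options', 'satt', 'satt_render_page' );
} );

function satt_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $opts = get_option( 'satt_options' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html( get_admin_page_title() ); ?></h1>
        <form method="post" action="options.php">
            <?php
            settings_fields( 'satt_group' );  // emits the nonce and option_page hidden fields
            do_settings_sections( 'satt' );
            submit_button();
            ?>
        </form>
        <?php if ( '' !== $opts['webhook'] ) : ?>
            <p>Current target:
                <a href="<?php echo esc_url( $opts['webhook'] ); ?>"><?php echo esc_html( $opts['webhook'] ); ?></a>
            </p>
        <?php endif; ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="satt_test" />
            <?php wp_nonce_field( 'satt_test', 'satt_nonce' ); ?>
            <?php submit_button( 'Send test notification', 'secondary' ); ?>
        </form>
    </div>
    <?php
}

// Custom handler: the nonce proves the request came from our form (CSRF defence);
// the capability check is the real authorization, which a nonce never replaces.
add_action( 'admin_post_satt_test', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'satt_test', 'satt_nonce' );  // dies on a missing or stale nonce
    $opts = get_option( 'satt_options' );
    if ( '' !== $opts['webhook'] ) {
        wp_safe_remote_post( $opts['webhook'], array( 'body' => array( 'event' => 'test' ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=satt&satt_sent=1' ) );
    exit;
} );
```

Two of the listed functions are deliberately absent from the block. esc_sql() only escapes a value for use inside a quoted SQL string; for anything you build yourself, $wpdb->prepare() with placeholders is the form to reach for, and the Settings API above never needs either because options are stored through get_option()/update_option(). esc_js() is for a value dropped into a single-quoted string in inline JavaScript (an onclick attribute, for instance); when a script needs server-side values, wp_localize_script() passes them as a JSON object and avoids the hand-assembled inline script altogether.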
Now, SECURE ALL THE THINGS!
Thanks!
Dougal Campbell