Now That's What I Call WordPress Security 2010
DESCRIPTION
My WordCamp Chicago 2010 WordPress Security presentation
TRANSCRIPT
![Page 1: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/1.jpg)
Props @tweetsfromchris
![Page 2: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/2.jpg)
Who Am I?
Brad Williams
Co-Founder of WebDevStudios.com
Organizer NJ WordPress Meetup
Co-Host SitePoint Podcast
Co-Author of Professional WordPress (http://bit.ly/pro-wp)
![Page 3: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/3.jpg)
The Goal of this Presentation…
![Page 4: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/4.jpg)
The Goal of this Presentation…
…Is to scare the crap out of you!
![Page 5: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/5.jpg)
The Goal of this Presentation…
…and then make everything better with the best security tips!
![Page 6: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/6.jpg)
Topics
• Example WordPress Hacks
• Securing Your WordPress Website
• How to Clean Up a Hacked Site
• Recommended Plugins
![Page 7: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/7.jpg)
Who Do Hackers Target?
![Page 8: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/8.jpg)
Who Do Hackers Target?
YOU
![Page 9: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/9.jpg)
Who Is Safe?
![Page 10: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/10.jpg)
Who Is Safe?
NO ONE
![Page 11: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/11.jpg)
Scared Yet?
![Page 12: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/12.jpg)
Example
(Diagram: Hacker Bot and your WordPress site)
Hacker bot finds a security hole on your website
![Page 13: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/13.jpg)
Example
Hacker bot hides a file in your WordPress installation
(Diagram: WordPress site with the planted file)
Akismet.cache.php is NOT an Akismet file
![Page 14: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/14.jpg)
Example
(Diagram: Hacker Bot and your WordPress site)
Hacker bot can now trigger this file/code remotely
![Page 15: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/15.jpg)
Example
(Diagram: Hacker Bot and your WordPress site)
Common hacker bot script jobs:
• Add spam content and links to your website’s theme files
• Create posts and pages with spam content and links
• Delete posts/pages/settings, wreaking havoc on your site
• etc, etc, bad stuff, etc, etc
![Page 16: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/16.jpg)
CSS Hides the Spam
<b style="display:none">Any text you want to hide</b>
![Page 17: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/17.jpg)
Hidden Spam Links
![Page 18: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/18.jpg)
Only Noobs Get Hacked
![Page 19: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/19.jpg)
WRONG!
![Page 20: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/20.jpg)
Scobleizer.com: HACKED
![Page 21: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/21.jpg)
Scobleizer.com: HACKED
![Page 22: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/22.jpg)
Scobleizer.com: HACKED
![Page 23: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/23.jpg)
Pearsonified.com: HACKED
![Page 24: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/24.jpg)
FeaturedContentGallery.com: HACKED
![Page 25: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/25.jpg)
Make it Stop!
![Page 26: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/26.jpg)
Palate Cleanser
![Page 27: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/27.jpg)
Securing WordPress
![Page 28: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/28.jpg)
Don’t use the admin account
If you are using the admin account you are wrong!
Either change the username in MySQL:
UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
Or create a new/unique account with administrator privileges:
1. Create a new account. Make the username very unique
2. Assign the account to the Administrator role
3. Log out and log back in with the new account
4. Delete the admin account
Make it hard on the hacker! If they already know your username, that’s half the battle
![Page 29: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/29.jpg)
![Page 30: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/30.jpg)
Don’t use the admin account
WordPress 3.0 lets you set the administrator username during the installation process!
![Page 31: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/31.jpg)
The Great Permission Debate
What folder permissions should you use?
Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above; if you can’t upload, increase privileges (i.e. 775, 777)
Permission levels vary depending on server configuration
![Page 32: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/32.jpg)
The Great Permission Debate
Permissions can be set via FTP
Or via SSH with the following commands:
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
![Page 33: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/33.jpg)
Move the wp-config.php file
WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php
This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory
![Page 34: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/34.jpg)
Move the wp-content Directory
WordPress 2.6 added the ability to move the wp-content directory
1. Move your wp-content directory
2. Make two additions to wp-config.php:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
If you have compatibility issues with plugins there are two optional settings:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
If hackers can’t find your wp-content folder, they can’t hack it!
![Page 35: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/35.jpg)
Remove WordPress Version from Header
Viewing source on most WP sites will reveal the version they are running
This helps hackers find vulnerable WP blogs running older versions
<meta name="generator" content="WordPress 2.9.2" /> <!-- leave this for stats -->
To remove it, find the code below in your theme’s header.php file and remove it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<!-- leave this for stats please -->
Themes and plugins might also display versions in your header.
The wp_head function also includes the WP version in your header. To remove it, drop this line of code in your theme’s functions.php file:
remove_action('wp_head', 'wp_generator');
![Page 36: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/36.jpg)
Stay Current on Updates
Keep WordPress core, plugins, and theme files up to date
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
Recent WordPress hack only affected outdated WordPress installs
![Page 37: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/37.jpg)
Use Secure Passwords
Use strong passwords to protect your website from dictionary attacks
Not just for WordPress, but also FTP, MySQL, etc
BAD PASSWORD: bradrocks
GOOD PASSWORD: S-gnop2D[6@8
Great resource: toughpassword.com
Creates random passwords
WordPress will tell you when you have it right
![Page 38: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/38.jpg)
Use Secret Keys
A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
1. Edit wp-config.php
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
BEFORE
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
AFTER
define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again
![Page 39: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/39.jpg)
Change WordPress Table Prefix
1. Edit wp-config.php before installing WordPress
2. Change the prefix wp_ to something unique:
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'drupal_';
All database tables will now have a unique prefix (i.e. drupal_posts)
![Page 40: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/40.jpg)
Force SSL Login and Admin Access
Set the below option in wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Set the below option in wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
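A quick audit of the three wp-config.php items covered in the Secret Keys, Table Prefix and Force SSL slides, written as an added example (not code from the deck): it flags keys or salts still set to the installer placeholder, a value shared by several keys, the default wp_ prefix, and a missing FORCE_SSL_LOGIN or FORCE_SSL_ADMIN. The sample wp-config.php it writes is constructed for the demo and its key values are fake.

```shell
#!/bin/sh
# Added example, not from the slides: audit a wp-config.php for the
# hardening settings the deck recommends. Run with "demo" as the first
# argument to see the findings for a constructed, deliberately weak config.
set -e

# Writes a constructed wp-config.php fragment to $1 (values are fake)
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'x7}Q&k2(FAKE-DEMO-VALUE)v!p4');
define('NONCE_KEY',        'x7}Q&k2(FAKE-DEMO-VALUE)v!p4');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('FORCE_SSL_LOGIN', true);
EOF
}

# Prints one finding per line; prints nothing for a config that passes
audit_wp_config() {
    cfg="$1"
    keys="define\('(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'"
    # 1. keys/salts still on the installer placeholder ($2 = constant name)
    grep -E "$keys" "$cfg" | grep 'put your unique phrase here' \
        | awk -F"'" '{ print "placeholder secret: " $2 }'
    # 2. one value shared by several keys ($4 = the quoted value)
    grep -E "$keys" "$cfg" \
        | awk -F"'" '{ n[$4]++ } END { for (v in n) if (n[v] > 1) print "value reused by " n[v] " keys" }'
    # 3. table prefix never changed from the default
    grep -q "table_prefix *= *'wp_'" "$cfg" && echo "default table prefix wp_"
    # 4. SSL not forced on login and/or on all admin pages
    for opt in FORCE_SSL_LOGIN FORCE_SSL_ADMIN; do
        grep -q "define('$opt', *true)" "$cfg" || echo "missing $opt"
    done
    return 0
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_config "$f"
    audit_wp_config "$f"
    rm -f "$f"
fi
```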
![Page 41: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/41.jpg)
.htaccess lockdown
1. Create a .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.123
Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin
![Page 42: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/42.jpg)
Clean Up a Hacked Site
![Page 43: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/43.jpg)
Step 1: Delete Everything and Start Over!
![Page 44: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/44.jpg)
OR
![Page 45: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/45.jpg)
Step 1: Do a Fresh Install of WordPress
• Delete, don’t overwrite, all original WordPress files
• Upload fresh copies of all WordPress core files
Be sure to back up your theme, plugins, media, etc
![Page 46: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/46.jpg)
Step 2: Re-install All Plugins
• Install fresh copies of all the WP plugins you need
• DON’T use the same plugin files from the hacked site
![Page 47: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/47.jpg)
Step 3: Re-install Your Theme
• If possible, install a fresh copy of your theme
• If using the old theme, be sure to inspect every file for hack code
![Page 48: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/48.jpg)
Step 4: Change all Passwords and Keys
• Change your passwords: WordPress, FTP, MySQL
• Verify the hacker didn’t create another user; if so, delete it
• Update your secret keys in wp-config.php (as shown earlier)
![Page 49: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/49.jpg)
Step 5: Scan Database for Malicious Code
• Look for common hack keywords:
  eval, base64, strrev, iframe, noscript, display
• Use WordPress Exploit Scanner plugin (discussed later)
Example SQL: SELECT * FROM wp_posts WHERE post_content LIKE '%eval%'
![Page 50: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/50.jpg)
Step 6: Verify folder/file permissions
• Check all folder and file permissions are correct
• Reset to 755 on folders and 644 on files if needed
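Steps 5 and 6 as one runnable check, added here and not taken from the deck: it builds a throwaway fake WordPress tree (a planted Akismet.cache.php like the one in the example slides, plus a theme footer with a display:none spam block), greps it for the keyword list above, and lists every path that is not 644/755, so the 775/777 fallback from the permissions slide also shows up. All file names and contents in the fixture are constructed, and the "payload" is an inert placeholder string.

```shell
#!/bin/sh
# Added example, not from the slides: keyword scan plus permission check
# over a constructed WordPress tree. Run with "demo" to see it in action.
set -e

# The deck's reset commands from the permissions slide, wrapped in a function
reset_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Populate $1 with a constructed tree: two clean files, one planted dropper,
# one theme file carrying hidden spam, and two deliberately wrong modes.
make_fixture() {
    mkdir -p "$1/wp-content/plugins/akismet" "$1/wp-content/themes/demo" "$1/wp-includes"
    printf '<?php\n// legitimate-looking plugin file\necho "ok";\n' > "$1/wp-content/plugins/akismet/akismet.php"
    printf '<?php /* clean */\n' > "$1/wp-includes/version.php"
    # planted file, like the Akismet.cache.php the deck shows; payload is a placeholder
    printf '<?php eval(base64_decode("PLACEHOLDER"));\n' > "$1/wp-content/plugins/akismet/Akismet.cache.php"
    # hidden spam link block in a theme file (the CSS trick from the deck)
    printf '<footer>\n<b style="display:none"><a href="http://example.invalid">spam</a></b>\n</footer>\n' \
        > "$1/wp-content/themes/demo/footer.php"
    reset_perms "$1"
    chmod 755 "$1/wp-content/themes/demo/footer.php"   # file left executable: wrong
    chmod 777 "$1/wp-content/plugins"                  # world-writable directory: wrong
}

# Step 5: prints "path:line:text" for every PHP/HTML line matching the deck's keywords
find_hack_keywords() {
    grep -rnE -e 'eval\(' -e 'base64' -e 'strrev' -e '<iframe' -e '<noscript' -e 'display: *none' \
        --include='*.php' --include='*.html' "$1" || true
}

# Step 6: prints every file not exactly 644 and every directory not exactly 755
find_bad_perms() {
    find "$1" -type f ! -perm 644 -print
    find "$1" -type d ! -perm 755 -print
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "== keyword hits =="; find_hack_keywords "$tmp"
    echo "== wrong permissions =="; find_bad_perms "$tmp"
    reset_perms "$tmp"
    echo "== after reset =="; find_bad_perms "$tmp"
    rm -rf "$tmp"
fi
```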
![Page 51: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/51.jpg)
Step 7: Pray
![Page 52: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/52.jpg)
Recommended Security Plugins
![Page 53: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/53.jpg)
WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
![Page 54: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/54.jpg)
WP-MalWatch
http://wordpress.org/extend/plugins/wp-malwatch/
• Nightly security scan
• Detects files based on configurable file patterns
• Detects hidden files
![Page 55: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/55.jpg)
ServerBuddy
http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
![Page 56: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/56.jpg)
WordPress Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
![Page 57: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/57.jpg)
WordPress File Monitor
http://wordpress.org/extend/plugins/wordpress-file-monitor/
![Page 58: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/58.jpg)
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
![Page 59: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/59.jpg)
WordPress Security Resources
Security Related Codex Articles
› http://codex.wordpress.org/Hardening_WordPress
› http://codex.wordpress.org/Changing_File_Permissions
› http://codex.wordpress.org/Editing_wp-config.php
› http://codex.wordpress.org/htaccess_for_subdirectories
Blog Security Articles
› http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
› http://www.growmap.com/wordpress-exploits/
› http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/
› http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
› http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
› http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
Clean A Hacked Site
› http://codex.wordpress.org/FAQ_My_site_was_hacked
› http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
› http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
› http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
› http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
![Page 60: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/60.jpg)
Contact
Brad [email protected]
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
http://www.slideshare.net/williamsba
![Page 61: Now That's What I Call WordPress Security 2010](https://reader037.vdocuments.mx/reader037/viewer/2022110306/554ba3ebb4c905b8618b4d27/html5/thumbnails/61.jpg)
Tweet: @williamsba WordPress Security Rocks! #wcchicago
Win a copy of Professional WordPress!