WordPress Security Essentials

Post on 08-Jul-2015

What you need to know and the simple things you can do to protect your WordPress site from being hacked.

Transcript of WordPress Security Essentials

WORDPRESS SECURITY ESSENTIALS

Boulder Digital Arts Lunch, June 12, 2014

By Angela Bowman, Ask WP Girl

About me

• Hi! My name is Angela Bowman @askwpgirl

• WordPress Instructor at Boulder Digital Arts

• Started using WordPress in 2007

• Used to think: “After I build a site, my job is done.”

• Now take a common sense approach to security that isn’t overwhelming or super technical

Why do we need to have this talk?

• PHP and MySQL are inherently vulnerable

• MySQL: A database where all your content is stored

• PHP: The scripting language that WordPress, themes and plugins use to access your data and display it in the browser window.

• Hackers exploit poor PHP coding (and other vulnerabilities) to inject content into your database and files via the browser URL and interface

Why are you vulnerable?

• Because your site is on the Internet

• Because it’s easy to exploit known vulnerabilities

• Because we are human NOT Vulcan

• We live by our beliefs rather than logic

WHAT DOES A HACKED FILE LOOK LIKE? UGLY!

VIAGRA ANYONE?

HACKED COMMENTS.PHP

A FILE THAT DOESN’T BELONG - COMMON.PHP

TIMTHUMB HACK

THE MYTHS WE LIVE BY

Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.

Myth #1

“WordPress is (is not) secure.”

Truth

• Both things are true!

• Old versions of WordPress are NOT secure

• Current WordPress version is secure

Myth #2

“My site isn’t launched, so it can’t be hacked.”

Truth

• You have an Internet presence even if the pages of your site aren’t indexed by Google yet

• You need to protect ALL installations of WordPress on your hosting account even if you don’t use them

• Hackers will attempt to exploit things that aren’t even on your site, such as plugins you don’t even have installed

Myth #3

“I only use plugins and themes from WordPress.org, so I am safe!”

Truth

• Plugins and themes are the #1 way hackers gain access to your site

• Why? From ProBlogger.com: “Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs.”

Myth #4

“Updating my themes and plugins whenever I log in is good enough.”

Truth

• Exploits are published IMMEDIATELY to the web.

• Outdated versions of WordPress, themes, and plugins are immediately vulnerable to attack.

• The Timthumb script exploit was discovered and exploited on a mass number of blogs within DAYS and is still exploited!

Myth #5

“My site is small. It’s not worth hacking.”

Truth

“… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.

“And, word to the wise, your girlfriend’s food blog should always be a top priority.”

http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/

Myth #6

“If I de-activate a theme or plugin, there is no risk.”

Truth

• De-activated themes and plugins are just as risky if they have vulnerable code.

• Even the files of deactivated plugins and themes can be accessed via the Internet

Myth #7

“If my site is compromised, I’ll find out right away!”

Truth

• Only if you use a site monitoring service or plugin (maybe)

• Your site can be compromised months before you find out

• Many hacks are invisible to visitors to the site and only visible to bots, so you may not know you’ve been hacked until your site is blacklisted

• Some hacks redirect search engine traffic, so you won’t notice if you just go to a specific URL

http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html

Myth #8

“I can use a security plugin and that will cover me.”

Truth

• Some security plugins can provide a layer of protection

• Security plugins won’t help much if a hacker gains access to your online session, passwords, or sensitive files

• Security plugins won’t help if the web hosting server is compromised

Myth #9

“My passwords are good enough.”

Truth

“Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”

http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm

Myth #10

“If my site is hacked, my web host can restore it for me.”

Truth

• If you discover the hack quickly enough, your web host may have a backup of the site made before the hack

• Most hosts store one daily backup and one weekly backup

• Your host may not be able to help you discover why you were hacked in the first place. You’ll end up restoring hackable files.

WHAT CAN YOU DO TO PROTECT YOUR SITE?

Options

• Set up an altar to the WordPress Gods and do daily puja and offerings

• Throw up your hands and cry

• Drink another beer and try to forget

• Delegate to Tony (Sucuri.net)

• DIY using the following steps

1 – Secure Your Own Computer

• Why bother securing WordPress if you give the keys away?

• Run anti-virus software regularly

• Don’t log in via insecure or public WiFi networks

• Use a Virtual Private Network when traveling (such as Astrill)

• Secure your home WIFI network

• Be careful of sites you click on. More than 55,000 malicious web domains existed in 2011.

2 – Update to Current Versions

• Backup database and files

• Delete unused plugins and themes

• Update plugins first (check compatibility)

• Update theme (might be tricky)

• Update WordPress

• Rename plugins folder if site crashes

3 – Protect Login

• If “admin” is the Administrative username, create a new admin user, log out, log in as the new user, delete the old “admin” user and assign its posts/pages to the new admin

• Use strong passwords on WordPress, FTP, hosting, and email:

• Online Generator: http://www.pctools.com/guides/password/

• Track Passwords: http://agilebits.com/products/1Password

3 – Protect Login, continued

• Enable two-step authentication using Google Authenticator: http://wordpress.org/extend/plugins/google-authenticator/ and http://askwpgirl.com/secure-wordpress-two-step-authentication/

• Log in using https:// (will need a dedicated SSL certificate for the domain, which is free with Business-level web hosting at Host Gator)

4 – Backup Database and Uploads

• Use a backup plugin or service:

• Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php

• BackWPUp: https://wordpress.org/plugins/backwpup/

• VaultPress.com – Backup, one-click restore, and site monitoring

• Backup database (daily or weekly) and full site (weekly or monthly)

• Store backups on a remote server (e.g. Amazon S3)

• Must back up the database and the wp-content folder
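As an added example (not code from the talk), a script for a self-managed site that does exactly what this step requires: it dumps the database using the DB_* credentials already in wp-config.php and archives wp-content into one timestamped tarball that can then be copied to a remote server. It assumes mysqldump is on the PATH; the sample site it runs on stand-alone is constructed.

```python
import os, re, subprocess
import tarfile, tempfile, time

# Matches define( 'DB_NAME', 'value' ); lines in wp-config.php.
DB_DEFINE_RE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'([^']*)'\s*\)")

def read_db_credentials(wp_config_text):
    """Return the DB_* constants so the dump runs with the site's own credentials."""
    creds = dict(DB_DEFINE_RE.findall(wp_config_text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - set(creds)
    if missing:
        raise ValueError("wp-config.php lacks " + ", ".join(sorted(missing)))
    return creds

def dump_database(creds, out_path):
    """mysqldump with the password in MYSQL_PWD, not on the command line where `ps` would show it."""
    env = dict(os.environ, MYSQL_PWD=creds["DB_PASSWORD"])
    cmd = ["mysqldump", "--single-transaction", "-h", creds["DB_HOST"],
           "-u", creds["DB_USER"], creds["DB_NAME"]]
    with open(out_path, "wb") as fh:
        subprocess.run(cmd, stdout=fh, env=env, check=True)

def backup_site(wp_root, dest_dir, with_db=True):
    """Write dest_dir/wp-backup-<stamp>.tar.gz holding wp-content/ (plus db.sql when with_db).
    Returns (archive_path, member_names) so the archive can be checked before it is copied off-site."""
    archive = os.path.join(dest_dir, "wp-backup-%s.tar.gz" % time.strftime("%Y%m%d-%H%M%S"))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(os.path.join(wp_root, "wp-content"), arcname="wp-content")
        if with_db:
            with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
                creds = read_db_credentials(fh.read())
            sql_path = os.path.join(dest_dir, "db.sql")
            dump_database(creds, sql_path)
            tar.add(sql_path, arcname="db.sql")
            os.remove(sql_path)  # the copy inside the archive is the one to keep
    with tarfile.open(archive) as tar:
        return archive, tar.getnames()

def demo():
    """Constructed sample site (one upload, a wp-config.php, no real database), so with_db=False."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-content", "uploads", "hello.txt"), "w") as fh:
        fh.write("sample upload\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("define( 'DB_NAME', 'wp_demo' );\ndefine( 'DB_USER', 'wp' );\n"
                 "define( 'DB_PASSWORD', 'constructed-not-real' );\ndefine( 'DB_HOST', 'localhost' );\n")
    return backup_site(root, root, with_db=False)
```

Run it from cron with the real site root and a destination outside the web root, then copy the archive off the server; keeping it only on the same host defeats the point of the step.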

5 – Install Security Plugins

• Install Wordfence http://wordpress.org/extend/plugins/wordfence/

• Settings: http://optimwise.com/wordfence-security-plugin-wordpress-firewall-anti-malware/

6 – Create a Maintenance Plan

• Update sites frequently (as updates available)

• Use Infinite WP to manage multiple sites from a single control panel: http://infinitewp.com/

7 – Best Practices

• Don’t allow users to register (Settings > General)

• Always hold comments for moderation and use spam filtering (e.g. Akismet)

• Don’t use your username as your Display Name

• Use SFTP for file transfers and secure SMTP for email (ask web host)

7 – Best Practices, continued

• Turn off pingbacks/trackbacks (Settings > Discussion)

• Host site with good web host

• Use plugins and themes with caution: recently updated, going concern. Delete unused ones, but keep one TwentySomething theme installed as a default.

• Submit sites to Google Webmaster Tools. Turn ON email notifications: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html

Summary

• Update, update, update!

• Use caution w/ plugins and themes, delete unused

• Strong usernames and passwords

• Backup! Today!

• Be a smart web user

If you get hacked…

• Contact your web host and see if they can restore the site from a backup (don’t rely on this)

• Contact sucuri.net to scan and clean the hack

• Change all passwords, reset wp-config.php encryption salts

• Check blacklisting status, request review
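As an added example (not code from the talk), a script for the “reset wp-config.php encryption salts” step above: it replaces the eight AUTH_KEY … NONCE_SALT defines with fresh random values, which invalidates every existing login cookie, so anyone holding a stolen session is logged out. The config it runs on stand-alone is a constructed sample.

```python
import os
import re
import secrets
import string

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus whitespace, quotes and backslash, so each value is a valid PHP single-quoted string.
ALPHABET = "".join(c for c in string.printable if c not in string.whitespace + "'\"\\")
# Matches define( 'AUTH_KEY', '...' ); for the eight names above, capturing name and value.
SALT_RE = re.compile(r"define\(\s*'(%s)'\s*,\s*'([^']*)'\s*\);" % "|".join(SALT_NAMES))

# Constructed sample of the relevant lines of wp-config.php, using the placeholder from wp-config-sample.php.
SAMPLE_CONFIG = "define( 'DB_NAME', 'wp_demo' );\n" + "".join(
    "define( '%s', 'put your unique phrase here' );\n" % n for n in SALT_NAMES)

def new_salt(length=64):
    """A fresh 64-character value from the OS CSPRNG (the length api.wordpress.org hands out)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def current_salts(config_text):
    """Map each key/salt name found in the config to its current value."""
    return {m.group(1): m.group(2) for m in SALT_RE.finditer(config_text)}

def rotate_salts(config_text):
    """Replace every key/salt define with a new value, leaving the rest of the file untouched.
    Returns (new_text, names_replaced) so the caller can notice a name that is missing."""
    replaced = []
    def fresh(match):
        replaced.append(match.group(1))
        return "define( '%s', '%s' );" % (match.group(1), new_salt())
    return SALT_RE.sub(fresh, config_text), replaced

def rotate_file(path):
    """Rewrite wp-config.php in place; refuses to proceed if any of the eight names is absent."""
    with open(path, encoding="utf-8") as fh:
        new_text, replaced = rotate_salts(fh.read())
    missing = set(SALT_NAMES) - set(replaced)
    if missing:
        raise ValueError("wp-config.php lacks " + ", ".join(sorted(missing)))
    tmp = path + ".new"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, path)  # atomic swap, so a crash never leaves a half-written config
    return replaced
```

Rotate the salts after changing passwords, not before, or the new login will be logged out again along with the attacker.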

Resources

• Hacked: http://wordpress.org/tags/hacked

• Malware: http://wordpress.org/tags/malware

• http://codex.wordpress.org/Hardening_WordPres

• http://codex.wordpress.org/WordPress_Backups

• http://codex.wordpress.org/FAQ_My_site_was_hacked

• wpsecuritylock.com - resources and services for securing sites

• sucuri.net - free scan, hack recovery, site monitoring

• Wpsecuritychecklist.com – off-site monitoring

Contact

• Angela Bowman: askwpgirl.com, moongoosedesigns.com

• 303.931.8191, angela@askwpgirl.com, twitter.com/askwpgirl, facebook.com/askwpgirl.com