How To Secure Your WordPress Blog

Just how safe is your WordPress site? Rick Nielsen TheWebTrainer.com


Posted on 08-May-2015


DESCRIPTION

http://thewebtrainer.com: This presentation covers how to secure your WordPress blog. There are some simple but important steps you can take to make your WordPress blog airtight!

TRANSCRIPT

Page 1: How To Secure Your WordPress Blog

Just how safe is your WordPress site? Rick Nielsen, TheWebTrainer.com

Page 2

Who Am I?
● Started Mach10 Design in 1998
● Built over 400 websites since 1998
● Began hosting websites in 2000
● Hosted over 3000 websites
● Started using WordPress in 2008
● Google Apps reseller in 2008
● Started The Web Trainer LLC 2009
● Over 100 WordPress sites
● First Product Launch Oct 7, 2010
● TheWebTrainerSystem.com

Page 3

The Purpose of this Presentation…

…is to scare the wp_crap out of you!

Page 4

The Purpose of this Presentation…

…and then make it all better again!

Page 5

What We Will Cover
● Do I really need to do all this?
● What to look at first
● Examples of the link injection hack
● How to secure your WordPress site: Basics
● How to secure your WordPress site: Advanced
● Plugins that help

Page 6

Do I Really Need To Secure WP?
● "There is nothing valuable on my blog."
● "I only have 20 people a month that visit my site."
● "I thought it was already secure?"
● "What moron hacker would bother my site?"
● "I'm already secure. I turned off comments."

YES!!!

Page 7

What To Look At First
● Start with your hosting company
● Are they well known?
● Do they have a good reputation?
● Is it a Linux or Windows environment?
● Do they offer a control panel?
● Avoid hosting at "Johnny's Hosting/Pet Grooming/Coin Laundromat Inc."

Page 8

Securing WordPress: LET THE FUN BEGIN!!!

Page 9

WordPress Hidden Link Injection
Automated bots scan for known weaknesses (SQL injection in outdated plugins, world-writable folders, and so on) and use them to write spam files and links into your theme, plugin and core files. Years ago the goal was to take the site down; today the goal is to quietly plant spam links that ride on your site's search ranking, so a compromised site can look perfectly normal to its owner for months.

(Mostly by hijacking the /wp-admin/upload.php upload handler.)

Page 10

Link Injection Example

Page 11

CSS Hides the SPAM
<b style="display:none">Any text you want to hide</b>
● Visitors never see the element, but it stays in the HTML, so search engines still index the spam links and the site owner notices nothing until rankings drop or the site gets flagged.
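A small scanner for the pattern above, added here as an example (it is not code from the slides or from TheWebTrainer). It parses theme and plugin files with the standard library's HTMLParser, tracks which open elements carry a hiding inline style, and reports every link that sits inside one. The list of hiding styles is illustrative rather than exhaustive, and the sample footer and the spam.example hostnames are constructed for the example.

```python
"""Find links hidden with inline CSS in theme/plugin source (added example, not from the slides)."""
import os
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Inline-style patterns that hide an element from visitors while leaving the
# link in the HTML for crawlers. The slide shows display:none; the others are
# the usual variants (assumption: illustrative list, not exhaustive).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute.*?(?:left|top)\s*:\s*-\d{3,}px"
    r"|text-indent\s*:\s*-\d{3,}px"
    r"|font-size\s*:\s*0(?:px|em|%)?\s*(?:;|$)",
    re.IGNORECASE,
)

VOID_ELEMENTS = {"br", "hr", "img", "input", "link", "meta", "source", "wbr"}

Finding = Tuple[str, str]  # (hiding style of the nearest hidden ancestor, href)


class HiddenLinkFinder(HTMLParser):
    """Track open elements; report every <a href> that sits inside a hidden one."""

    def __init__(self) -> None:
        super().__init__()
        # One entry per open element: its hiding style, or "" if it is visible.
        self.open_styles: List[str] = []
        self.findings: List[Finding] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr = {k: (v or "") for k, v in attrs}
        style = attr.get("style", "")
        hidden = style.strip() if HIDING_STYLE.search(style) else ""
        if tag == "a" and attr.get("href"):
            # Hidden either by its own style or by the nearest hidden ancestor.
            enclosing = hidden or next((s for s in reversed(self.open_styles) if s), "")
            if enclosing:
                self.findings.append((enclosing, attr["href"]))
        if tag not in VOID_ELEMENTS:
            self.open_styles.append(hidden)

    def handle_endtag(self, tag: str) -> None:
        # Pop on any close tag; adequate for template files, which are mostly well-formed.
        if self.open_styles:
            self.open_styles.pop()


def find_hidden_links(markup: str) -> List[Finding]:
    parser = HiddenLinkFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


def scan_tree(root: str, extensions=(".php", ".html", ".htm")) -> List[Tuple[str, str, str]]:
    """Walk a theme or plugin directory; return (file, style, href) for each hidden link."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for style, href in find_hidden_links(fh.read()):
                        results.append((path, style, href))
    return results


# Constructed sample: a footer.php as a link injector would leave it.
SAMPLE_FOOTER = """<div id="footer">
  <p>&copy; 2010 Example Blog</p>
  <b style="display:none">cheap pills <a href="http://spam.example/pills">buy now</a></b>
  <div style="position:absolute; left:-9999px">
    <a href="http://spam.example/loans">payday loans</a>
  </div>
  <a href="http://blog.example/about">About</a>
  <?php wp_footer(); ?>
</div>
"""

if __name__ == "__main__":
    for style, href in find_hidden_links(SAMPLE_FOOTER):
        print(f"hidden by '{style}': {href}")
```

Run it against wp-content/themes and wp-content/plugins with scan_tree() and review every hit by hand; a legitimate theme does hide elements with display:none, but it rarely hides outbound links. PHP code embedded in the template is skipped as a processing instruction, so links that are built entirely in PHP (echo'd strings, base64 blobs) need a different check such as the file-monitor plugin on page 25.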

Page 12

Basic WP Security

Page 13

DO NOT USE THE ADMIN ACCOUNT
● Create a new account
● Make the username hard to guess
● Assign the new account the Administrator role
● Log out and log back in with the new account
● Delete the original admin account; when WordPress asks what to do with its posts, attribute them to the new account rather than deleting them
● Make it hard on the attacker! If they already know your username, that's half the battle
● Caveat: usernames leak easily (the author archive URL /?author=1 redirects to the author's slug), so treat this as a speed bump; the strong password on page 14 and the login-lockdown plugin on page 25 do the real work

Page 14

Use Secure Passwords
● News FLASH! 123456 or abcdefg are not good passwords!!!!
● Use long random passwords to protect your site from dictionary and brute-force attacks
● Not just for WordPress, but also for FTP, MySQL, the hosting control panel, etc.
● Great resource: goodpassword.com creates random passwords

Page 15

Keep WP and Plugins Updated
● Update the WP core code
● Keep theme files current
● Keep all plugins current
● Do not use outdated or abandoned plugins

Page 16

Advanced WP Security

Page 17

What folder permissions to use?
● Files should be set to 644
● Folders should be set to 755
● If uploads fail, the usual advice is to loosen to 775 or 777. Be careful: 777 lets every account on the server write to that folder, which on shared hosting includes every other customer's site. The better fix is to have the web server user own wp-content/uploads so that 755 is enough.
● wp-config.php holds your database password; make it tighter than 644 (640 or 600) if your host allows it
● Permission levels vary depending on server configuration
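An audit-and-repair script for the 644/755 rule, added here as an example (not code from the slides). It walks a WordPress tree, reports every file or folder that grants a permission bit its target mode does not, and can strip just those extra bits so a deliberately tighter mode is left alone. The 640 target for wp-config.php and the sample tree it builds in a temporary directory are the example's own assumptions.

```python
"""Audit and repair WordPress file/folder modes (added example, not from the slides)."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

FILE_MODE = 0o644   # rw-r--r--  (from the slide)
DIR_MODE = 0o755    # rwxr-xr-x  (from the slide)
# Assumption: wp-config.php holds the database password, so it gets a tighter
# target than ordinary files. 0o640 assumes the web server runs as the file's
# group; use 0o600 if the owner and the web-server user are the same account.
PER_FILE_TARGETS: Dict[str, int] = {"wp-config.php": 0o640}

Finding = Tuple[str, str, str]  # (path relative to root, actual mode, expected mode)


def _target_for(path: str) -> int:
    if stat.S_ISDIR(os.lstat(path).st_mode):
        return DIR_MODE
    return PER_FILE_TARGETS.get(os.path.basename(path), FILE_MODE)


def _walk(root: str):
    """Yield every directory and file under root, skipping symlinks (their mode bits are meaningless)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path


def audit_permissions(root: str) -> List[Finding]:
    """Report every entry that grants a permission bit its target mode does not."""
    findings: List[Finding] = []
    for path in _walk(root):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        expected = _target_for(path)
        if actual & ~expected:   # extra bits only; a mode tighter than the target is fine
            findings.append((os.path.relpath(path, root), oct(actual), oct(expected)))
    return findings


def fix_permissions(root: str) -> int:
    """Strip the extra bits from every flagged entry. Returns the number of entries changed."""
    changed = 0
    for path in _walk(root):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        expected = _target_for(path)
        if actual & ~expected:
            os.chmod(path, actual & expected)   # keep tighter modes, drop only what is too wide
            changed += 1
    return changed


def build_sample_site() -> str:
    """Constructed sample: a tiny WordPress tree after someone ran chmod 777 on uploads."""
    root = tempfile.mkdtemp(prefix="wp-perm-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)                       # "just make uploads work"
    sample_files = {
        "index.php": 0o644,                        # correct
        "wp-config.php": 0o644,                    # DB password readable by every local account
        "wp-content/uploads/photo.jpg": 0o666,     # world-writable
        "wp-content/uploads/readme.txt": 0o777,    # world-writable and executable
    }
    for rel, mode in sample_files.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, actual, expected in audit_permissions(site):
        print(f"{rel}: {actual} (expected {expected})")
    print(f"fixed {fix_permissions(site)} entries; remaining: {audit_permissions(site)}")
```

Point audit_permissions() at the real document root over SSH before touching anything; if uploads only work at 777, the owner of the folder is wrong, and fix_permissions() will break uploads again until ownership is corrected.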

Page 18

How to Change Permissions
● Use your FTP client: Dreamweaver, FileZilla
● Use the cPanel "File Manager"
● The "Uber Geeks" can use shell access for a good time on a Friday night!

Page 19

Remove WP Version from Header
● Viewing the source of most WP sites reveals the version they are running:
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
● This helps attackers find blogs running older, vulnerable versions
● In an older theme the tag comes from a line like this in header.php; delete it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats please -->
● Current WordPress emits the tag from wp_head() rather than from the theme, so deleting the line from header.php is not enough; the wp_generator action has to be unhooked from wp_head in the theme's functions.php
● Themes and plugins may also display their versions in your header
● This is obscurity, not a fix: readme.html in the site root and the ?ver= query strings on enqueued scripts still reveal the version, so keep updating regardless

Page 20

Use Secret Keys
● A secret key is a long random value WordPress mixes into the hashes that protect its login cookies and form nonces; long random keys make those hashes infeasible to forge
● Edit wp-config.php
● Visit this URL to get freshly generated keys: https://api.wordpress.org/secret-key/1.1 (the /salt/ variant of that endpoint returns all eight constants, the four keys plus a matching _SALT for each, which current versions of WordPress read; paste all of them)
● Changing the keys logs every user out, which is exactly what you want right after a compromise

Before:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

After:
define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB');
define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB');
define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V');
define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r');
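The advice on page 14 (strong passwords) and page 20 (secret keys) both come down to drawing characters from a safe alphabet with a cryptographic random source, so one added example covers both; it is not code from the slides or from WordPress. It generates passwords and all eight wp-config.php constants with Python's secrets module, prints the entropy of each, and includes a weak-password check. The alphabets, the 64-character key length and the tiny COMMON_PASSWORDS set (a stand-in for a real breached-password list) are the example's own choices.

```python
"""Random passwords and wp-config.php keys (added example, not from the slides)."""
import math
import secrets
import string

# Characters that are safe inside a single-quoted PHP string: printable ASCII
# without the quote characters and the backslash. Space is left out too so a
# key never ends in invisible whitespace (assumption: a readability choice,
# not a WordPress requirement; the slide's keys do contain spaces).
KEY_ALPHABET = "".join(
    c for c in string.printable if c.isprintable() and c not in " '\"\\"
)
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
KEY_LENGTH = 64

# Current WordPress reads the four keys on the slide plus a matching salt for each.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"123456", "abcdefg", "password", "qwerty", "letmein", "admin", "wordpress"}


def random_string(length: int, alphabet: str) -> str:
    """Uniformly random string drawn with the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 20) -> str:
    return random_string(length, PASSWORD_ALPHABET)


def is_weak(password: str, min_bits: float = 60.0) -> bool:
    """Weak if it is a known common password or its worst-case entropy is below min_bits.

    Worst-case entropy is length * log2(distinct characters actually used), which
    penalises '111111'-style passwords as well as short ones.
    """
    if password.lower() in COMMON_PASSWORDS:
        return True
    distinct = len(set(password))
    if distinct < 2:
        return True
    return len(password) * math.log2(distinct) < min_bits


def generate_wp_keys() -> dict:
    return {name: random_string(KEY_LENGTH, KEY_ALPHABET) for name in KEY_NAMES}


def render_defines(keys: dict) -> str:
    """Emit the define() lines to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


if __name__ == "__main__":
    pw = generate_password()
    print(f"password: {pw} ({entropy_bits(len(pw), PASSWORD_ALPHABET):.0f} bits)")
    print(f"each key: {entropy_bits(KEY_LENGTH, KEY_ALPHABET):.0f} bits")
    print(render_defines(generate_wp_keys()))
```

A 20-character password from this 76-character alphabet carries about 125 bits, far beyond any online guessing, and each 64-character key carries over 400 bits. Generating keys locally like this is equivalent to fetching them from api.wordpress.org; either way, paste the output over the placeholder lines and expect every user to be logged out.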

Page 21

Change WordPress Table Prefix
● Edit wp-config.php before installing WordPress
● Change the prefix wp_ to something unique:

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'zztop_';

● All database tables will now have a unique prefix (e.g. zztop_posts)
● This only defeats canned SQL injection payloads that hardcode the wp_ table names; it does not fix the injection itself, so it is no substitute for updating
● Changing the prefix on an existing site also means renaming every table and the prefix-bearing rows in the options and usermeta tables (wp_user_roles, wp_capabilities, wp_user_level), or the site loses its roles

Page 22

.htaccess lockdown
● Create a .htaccess file in your wp-admin directory
● Add the following lines:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to whitelist
allow from 67.123.83.59

● Only a visitor coming from the IP 67.123.83.59 can access wp-admin; everyone else gets a 403
● Caveats: order/deny/allow is Apache 2.2 syntax (Apache 2.4 only honours it through mod_access_compat; the native 2.4 form is a Require ip directive). The Auth* lines do nothing on their own because nothing requires a valid user, so they can be dropped. The allowlist breaks when your ISP changes your address, and it also blocks wp-admin/admin-ajax.php, which some themes and plugins call on behalf of visitors who are not logged in.

Page 23

Other WP Security Tips
● Move the wp-content directory (and tell WordPress where it went with the WP_CONTENT_DIR and WP_CONTENT_URL constants in wp-config.php)
● Move the wp-config.php file one directory above the web root; WordPress looks there automatically, and the file is then outside the document root
● Hide your plugins folder (add an empty index.php so the directory cannot be listed)
● Check Google Webmaster Tools (now Google Search Console) to see if your site has been flagged as compromised; it tells you what was found
● Backup, backup, backup and... oh ya... BACKUP!! Keep copies off the server, because an attacker who owns the site also owns any backups stored next to it

Page 24

Recommended Security Plugins

Page 25

WP Security Plugins
● WP Security Scan
● WordPress Exploit Scanner
● WordPress File Monitor
● Login Lockdown Plugin

Page 26

And if you STILL get HACKED?
Give Up and Join the Circus!

Page 27

Contact Info
Rick Nielsen
[email protected]
http://thewebtrainer.com
Everywhere around the web: thewebtrainer