Preventing Your WordPress Website from Being Hacked

(c) ann harris - southernsocialmarketing.com | hackpad: https://hackpad.com/DdB2ypCGOo7 Preventing Your Wordpress Site from Being Hacked Beginner Level Workshop for Wordpress Website Owners, Designers, & Administrators

Upload: ann-harris

Post on 05-Dec-2014


DESCRIPTION

➤ This workshop was originally presented at the Code(Her) Conference hosted by the DC Web Women non-profit on September 13, 2014. A beginner-level workshop for WordPress website owners, designers, and administrators: it covers the basics of keeping your site protected, including a walkthrough of several plugin options and theme edits that can keep your site secure. Topics covered include: • How to protect your WordPress site • How to stop thousands of malicious login attempts • How to back up your WordPress website • How to protect your content, such as videos, images, and documents, from petty online theft. Additionally, you will learn about two-factor authentication and basic steps to take to secure any website, not only your WordPress installation.

TRANSCRIPT

Page 1: Preventing Your WordPress Website from Being Hacked

(c) ann harris - southernsocialmarketing.com | hackpad: https://hackpad.com/DdB2ypCGOo7

Preventing Your WordPress Site from Being Hacked

Beginner Level Workshop for WordPress Website Owners, Designers, & Administrators

Page 2

Course Materials

• Notes + resources uploaded to Lanyrd

• Shortened: http://j.mp/wphackerbegone

• Hackpad

• Collaborative note pad

• Add comments + questions

Page 3

What You Need

• Administrator of the WordPress installation (or familiarity with WP)

• Access to your cPanel, an FTP client, or your host's file manager (very, very beginners: this sounds more complicated than it is. Can you log in? You're good.)

• A web file editor, either in the browser or KompoZer, Dreamweaver, Notepad++, etc.

Page 4

Hi, y’all!

• Ann Harris

• @SoSocialAnn

• Code(Her) Workshops Co-Director

• Join us Tues, October 17 6:00 PM @ WeWork Chinatown for an incredibly interesting TBA topic

Page 5

Before we begin…

1. Not a cybersecurity expert

2. More stuff out there

3. You can’t beat free

4. You really really can’t beat simple

Page 6

Section 1: WordPress Security

Page 7

Section 2: Basic Site Security

Page 8

WordPress Protection

Page 9

Back Up the Easy Way

• WordPress plugin: Duplicator

• Back up both halves of the site:

• The files: theme, plugins, and uploads

• The database: the tables holding posts, comments, settings, and the user/admin accounts

Page 10

Back Up the Easy Way

• WordPress > Duplicator

• Duplicator > Downloads folder

• Downloads folder > cloud, via Backblaze

• Backblaze then backs the archive up behind the scenes (over Wi-Fi)

• The Duplicator package contains wp-config.php (database credentials) and the full database, so treat the archive as sensitive: keep it off the web server and out of any public folder

Page 11

Update Everything

• Plugins, themes, and the site itself

• ALWAYS back up before updating or changing settings, configurations, plugins, or themes

Page 12

Avoid "admin"

• Do NOT use the username "admin"

• Brute-force tools try "admin" first, so the default username hands them half of the credential

Solution:

• Start with something else when you install

• Already installed? Plugin: Admin Renamer Extended

• Renaming is a speed bump, not a secret: author archives (/?author=1) still reveal a user's slug, so pair it with login limits and two-factor authentication

Page 13

Optimize Database + Clear Old, Unused Plugin Files

• No longer need a plugin? Deactivate > Delete

• Delete, don't just deactivate: a deactivated plugin's PHP files stay on disk, and any file in it that runs on its own when requested directly stays exploitable

• Many plugins do not clean up their database tables after you uninstall them

• Plugin: WP DB Spring Clean

Page 14

Scenario

• A hacker is trying to get access

• Tries a username and password

• Keeps guessing, guessing, guessing, guessing…

• …until they (eventually) get access

Page 15

Limit Login Attempts

• Solution: lock them out after X failed tries.

• Plugin: Login Lockdown

• I might forget my password 5-10 times

• Anyone who tries 15+ times… probably a hacker

• Lock out!

• Caveat: lockouts count per IP address, so an attacker spreading guesses across many addresses stays under the limit, and guesses sent through xmlrpc.php bypass plugins that only watch wp-login.php. Still worth it: it stops the lazy scripts, which are most of them
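The same counting a lockout plugin does can be run over the web server's access log after the fact, which also shows what the plugin never saw. The Python below is an added example, not code from the workshop or from Login Lockdown; the log lines are constructed, and the threshold (15 POSTs inside 10 minutes) mirrors the slide. It treats a 302 from wp-login.php as a successful login that resets the counter, and it watches xmlrpc.php as well, since that endpoint also accepts credentials.

```python
"""Spot WordPress login brute-forcing in a combined-format access log.

Added example: reproduces the per-IP counting a lockout plugin performs,
but over the access log, so POSTs to xmlrpc.php are counted too.  All log
lines here are constructed for the demo, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; the timestamp is captured for windowing.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Both endpoints accept credentials; xmlrpc.php can take many per request.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]          # drop query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_attackers(lines, threshold=15, window=timedelta(minutes=10)):
    """Return {ip: attempts} for IPs with >= threshold login POSTs in any window.

    A failed wp-login.php POST re-renders the form with HTTP 200; a success
    answers 302 to wp-admin.  So every POST to a login endpoint is an
    attempt, and a 302 clears that IP's counter (a real user got in).
    Lines must be in chronological order per IP, as a log file is.
    """
    recent = defaultdict(deque)      # ip -> timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        if status == 302:
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed fixture: one brute-forcer, one XML-RPC brute-forcer, one real user."""
    base = datetime(2014, 9, 13, 10, 0, 0, tzinfo=timezone(timedelta(hours=-4)))

    def entry(ip, offset_s, method, path, status):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3412 "-" "Mozilla/5.0"'

    lines = []
    # 203.0.113.7: 20 guesses in five minutes against wp-login.php
    lines += [entry("203.0.113.7", i * 15, "POST", "/wp-login.php", 200) for i in range(20)]
    # 198.51.100.20: a forgetful real user, three misses then a successful redirect
    lines += [entry("198.51.100.20", 60 + i * 30, "POST", "/wp-login.php", 200) for i in range(3)]
    lines.append(entry("198.51.100.20", 200, "POST", "/wp-login.php", 302))
    # 192.0.2.99: 16 credential batches via XML-RPC, invisible to a wp-login-only lockout
    lines += [entry("192.0.2.99", 30 + i * 20, "POST", "/xmlrpc.php", 200) for i in range(16)]
    # background noise: somebody just viewing the login form
    lines.append(entry("198.51.100.55", 90, "GET", "/wp-login.php", 200))
    return lines
```

Run it as `find_attackers(open("/var/log/apache2/access.log"))` on a real host; the two constructed attacker addresses come back flagged and the forgetful user does not.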

Page 16

Two Factor Authentication

• Verify you are you by using your cell phone

• Three possible factors exist:

• Something you are (fingerprint, face, iris)

• Something you have (cell phone, hardware token, credit card)

• Something you know (password, PIN; a birth date or mother's maiden name is also "something you know", and a weak one)

• Two factor authentication = two different kinds of factor

• Factor One: Password (something you know)

• Factor Two: Cell phone (something you have)

• Many exist, few are free :(

• The authenticator-app approach needs a smartphone

Page 17

Two Factor Authentication

• Google Authenticator plugin

• Not in the plugins list

• Users > Your Profile > add a description you'll recognize

• Activate > Generate Key

• Pull out your cell phone and install the Google Authenticator app

• Scan the barcode OR enter the key manually

• Email address must match your WordPress login

• Take a picture of your recovery key and store it in a safe place (not on the same phone)
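What the "Generate Key" and "scan barcode" steps actually exchange is a shared secret, and the six digits the app shows are a time-based one-time password (TOTP, RFC 6238) computed from it. The Python below is an added example, not the plugin's code or the workshop's: it generates a secret, builds the otpauth:// URI the QR code encodes, and verifies codes the way the server side must, with a small clock-drift window and a constant-time comparison. The secret used in the tests is the public RFC 4226/6238 test key, not a real credential.

```python
"""TOTP (RFC 6238) as implemented by Google Authenticator and compatible apps.

Added example for the two-factor slides; not code from the plugin.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # seconds per code, the Authenticator default
DIGITS = 6

# RFC 4226 / 6238 test secret (ASCII "12345678901234567890"), for the demo only.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify(secret, code, at=None, window=1, step=STEP):
    """Server-side check: accept the current code and +/- `window` neighbouring
    periods (phone clocks drift), comparing in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
        for d in range(-window, window + 1)
    )


def new_secret(nbytes=20):
    """What "Generate Key" does: a fresh random shared secret from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer):
    """The text the QR code encodes; the app reads the base32 secret out of it."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")
```

The `window` parameter is the trade-off: each extra period accepted gives an attacker who intercepts a code a few more seconds to replay it, so keep it at one. The secret must be stored server-side only once, at enrollment, and never shown again; anyone who reads it can generate every future code.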

Page 18

Fix Database Prefix

• WordPress installations default to table names beginning with "wp_"

• Automated attack scripts and SQL injection payloads hard-code those table names when they go after your database, so a non-default prefix trips up the lazy ones

• Changing the prefix does not fix an injection bug in a plugin; keeping plugins updated does. Treat it as a speed bump, and keep backups

• Start by changing the default table prefix

Page 19

Fix Database Prefix

• First, back up your site and database (just in case)

• Plugin: Change DB Prefix

• Enter a new prefix and make sure it ends with an underscore

• The prefix also lives inside rows (the wp_user_roles option, and the wp_capabilities / wp_user_level user meta keys) and in $table_prefix in wp-config.php; a correct change updates all of these, which is why you don't just rename the tables by hand. Rename the tables alone and every account loses its role

• Warning: Do this only ONCE
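To make concrete what "change the prefix" has to touch, here is an added example that is not the Change DB Prefix plugin's code and not from the workshop. It works on an in-memory SQLite copy of three WordPress tables constructed for the demo, but the three steps are the ones a MySQL site needs too: rename every prefixed table, rewrite the option and user-meta keys whose values embed the prefix, and change $table_prefix in wp-config.php. Table and column names are assumed from the standard WordPress schema.

```python
"""Change the WordPress table prefix everywhere it lives.

Added example on a constructed SQLite fixture; not the plugin's own code.
"""
import sqlite3


def build_sample_db(prefix="wp_"):
    """Constructed fixture: minimal wp_users / wp_options / wp_usermeta."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute(f'CREATE TABLE "{prefix}users" (ID INTEGER PRIMARY KEY, user_login TEXT)')
    c.execute(f'CREATE TABLE "{prefix}options" '
              '(option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT)')
    c.execute(f'CREATE TABLE "{prefix}usermeta" '
              '(umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)')
    c.execute(f'INSERT INTO "{prefix}users" VALUES (?, ?)', (1, "ann"))
    c.executemany(f'INSERT INTO "{prefix}options" (option_name, option_value) VALUES (?, ?)', [
        ("siteurl", "https://example.com"),
        (f"{prefix}user_roles", "a:5:{...serialized role table...}"),   # embeds the prefix
    ])
    c.executemany(f'INSERT INTO "{prefix}usermeta" (user_id, meta_key, meta_value) VALUES (?, ?, ?)', [
        (1, "nickname", "ann"),
        (1, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # embeds the prefix
        (1, f"{prefix}user_level", "10"),                                  # embeds the prefix
        (1, "wporg_note", "starts with wp but not with wp_"),              # must NOT be touched
    ])
    conn.commit()
    return conn


def _rewrite_keys(conn, table, id_col, key_col, old, new):
    """Replace the old prefix with the new one in every key that starts with it."""
    rows = conn.execute(f'SELECT "{id_col}", "{key_col}" FROM "{table}"').fetchall()
    for row_id, key in rows:
        if key.startswith(old):
            conn.execute(f'UPDATE "{table}" SET "{key_col}" = ? WHERE "{id_col}" = ?',
                         (new + key[len(old):], row_id))


def change_prefix(conn, old, new):
    """Rename the tables and rewrite the prefixed keys; returns the new table list.

    Identifiers cannot be bound as SQL parameters, so table names are taken
    from the schema catalog and quoted, never from user input.  Prefix
    matching is done with str.startswith rather than SQL LIKE 'wp_%',
    because '_' is a LIKE wildcard and would also match 'wporg_note'.
    """
    if not new.endswith("_") or not new.replace("_", "").isalnum():
        raise ValueError("prefix must be alphanumeric and end with an underscore")
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for name in names:
        if name.startswith(old):
            conn.execute(f'ALTER TABLE "{name}" RENAME TO "{new}{name[len(old):]}"')
    _rewrite_keys(conn, f"{new}options", "option_id", "option_name", old, new)
    _rewrite_keys(conn, f"{new}usermeta", "umeta_id", "meta_key", old, new)
    conn.commit()
    return sorted(r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"))


def wp_config_line(new):
    """The one line in wp-config.php that must change to match the database."""
    return f"$table_prefix = '{new}';"
```

On a real site, run the rename and the two key updates in one maintenance window with the site offline, then edit wp-config.php; if any of the three steps is skipped, administrators log in to a dashboard with no menus because their role lookup now points at a key that no longer exists.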

Page 20

Hide WordPress Version #

• How to find it easily: use inspect element or view the page source and look for the generator meta tag. The version also rides along as ?ver= on the default script and style URLs, and sits in readme.html

• Possible solutions:

1. Plugin: Hide WordPress Version (Adam Harley)

2. Add code to your theme's functions.php

3. Delete the readme.html file (or at least the version line in it)

• Hiding the number only slows down fingerprinting; scanners probe for the vulnerability itself anyway, so this is no substitute for updating

Page 21

Hide WordPress Version #

• My top choices:

• Don't install another plugin

• Add to functions.php AND delete readme.html

• functions.php (use a child theme's functions.php, or the edit disappears with the next theme update):

// Return an empty string for the generator tag, so the WordPress version
// is no longer printed in the page <head> or in the RSS feeds.
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

*note: this removes it from both the page source and the RSS feed

Page 22

Protect wp-config.php

• Contains the WordPress configuration, cache settings, and database credentials

• How to fix?

• Move the file up one folder: WordPress looks in the directory above its own when wp-config.php is not beside it

• It still works! (Only worth doing if that parent folder is outside the web root, which is the point: a file the web server can't serve can't be downloaded.)

Page 23

Protect wp-config.php with .htaccess

• Just add the following to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

• This is Apache 2.2 syntax; Apache 2.4 accepts it through mod_access_compat, and its native equivalent inside the block is Require all denied. It only works where the host honours .htaccess (AllowOverride); nginx ignores the file entirely. Test it by requesting /wp-config.php in a browser and expecting a 403

Page 24

Protect /wp-admin

• Hackers can't enter a username and password if they can't find the login box!

• Plugin: HC Custom WP-Admin URL

• This is obscurity, not a lock: scripts that POST straight to wp-login.php or xmlrpc.php never needed the link, so keep the lockout plugin and two-factor authentication in place

Page 25

Force SSL

• Add the following to wp-config.php so the login page and the dashboard are only served over HTTPS:

define('FORCE_SSL_ADMIN', true);

• Your host must already serve the site with a valid HTTPS certificate; set this on a site without one and you lock yourself out of wp-admin

Page 26

Basic Website Security

Page 27

Hotlinking Protection

• You should probably back up now…

• Decide what files you want to protect (images, PDFs, video)

• Use the HTAccess Tools hotlink-protection generator

• Copy & paste into your .htaccess file

• http://www.htaccesstools.com/hotlink-protection/

• The rules work by checking the Referer header, which is trivial to forge and which some browsers and privacy settings leave blank, so allow empty referrers or you will block real visitors

Page 28

Protect your videos

• Best host? Use Vimeo Pro.

• If you embed it on your site, you can restrict the video to embedding on your domain only.

• YouTube? Even with unlisted videos, anyone who gets the link can share it anywhere.

Page 29

Protecting Your Folders

• Navigate inside the folder

• Create (if not there already) .htaccess and .htpasswd

• Use HTAccess Tools' htpasswd generator, or generate the line locally with Apache's htpasswd tool (htpasswd -B .htpasswd username) so the real password never leaves your machine

• http://www.htaccesstools.com/htpasswd-generator/

Page 30

Protecting Your Folders

• .htaccess:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user

*note: AuthUserFile must be the exact filesystem path, not a URL. On MediaTemple, it looks like this: /home/21410/domains/website.com/html/examples/PasswordProtected/.htpasswd

• .htpasswd:

ann-password:$apr1$ur9/yDct$Dt9G2yWKaiiVlEInOi2vF0

• Demo credentials only: UN: ann-password PW: password

• Basic authentication sends the password with every request, so it needs HTTPS underneath it, and the .htpasswd file itself should live outside the web root or be blocked the same way as wp-config.php

Page 31

Prevent Listing Your Folders

• Options -Indexes stops Apache from showing a directory listing when a folder has no index file, so visitors (and search engines following links) can't browse through your private files

• Go to the folder you want to protect (uploads?)

• Add (or create) .htaccess containing: Options -Indexes

• It does not hide a file whose URL is already known; use the password protection above for that

Page 32

DMCA Protection

• Digital Millennium Copyright Act

• If you find someone pirating your content illegally on their site, you can contact the web hosting company with a claim of copyright violation and they have to take it down.

• DMCA takedown services: paid & subscription sites

• DMCA.com - DIY ($10/mo) or have a pro do it

• ActiveDMCA.com - Protect products ($1 trial)

Page 33

Protecting Embedded Videos

• "Encrypt" the embed HTML (it is obfuscation, not encryption: the browser has to decode it to play the video, so a determined visitor can too)

• Use it instead of pasting YouTube's embed code as-is

• Doesn't fix it 100%, but does make it a PITA to decode and steal your videos

Page 34

Download the Notes

http://j.mp/wphackerbegone

Page 35

WTF Rescue Plan

1. Limit access to your website to *only* your IP address

2. Modify wp-config.php: change all WordPress passwords and regenerate the keys and salts (new salts invalidate every existing login cookie, including the attacker's)

3. Change the database user's password (and update it in wp-config.php)

4. Investigate! Go through the website security checklist. Figure out what went wrong, so when you restore your backup you can fix the leak

5. Restore a backup from before the compromise, with the new database password, keys, salts, etc. and any changes you need to make to keep it secure moving forward

6. Worst case scenario: hire a pro to fix it and alert your host about the incident
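Step 2 is the one people skip because it looks fiddly. WordPress signs every login cookie with the eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts in wp-config.php, so replacing them logs out every session at once, the attacker's included. The Python below is an added example, not from the workshop: it rewrites those eight define() lines in a wp-config.php and leaves everything else untouched. The wp-config.php text is a constructed fixture carrying the placeholder values an untouched install still has; the character set used for new values is an assumption chosen so the value fits inside a single-quoted PHP string.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example for the rescue plan; the wp-config.php below is a constructed
fixture, and the alphabet is an assumption that avoids the quote and
backslash so values stay valid inside single-quoted PHP strings.
"""
import re
import secrets

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")

# Matches one single-quoted define() line; group 1 is everything before the
# value, group 4 everything after it, so both survive the rewrite verbatim.
DEFINE_RE = re.compile(
    r"""^(\s*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*)'(?P<value>[^']*)'(\s*\)\s*;.*)$""",
    re.MULTILINE,
)

SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'hunter2');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_key(length=64):
    """64 characters from the OS CSPRNG, the length WordPress's own generator hands out."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salt_values(config_text):
    """Map each key/salt constant to its current value (used to check a rewrite)."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text) if m.group("name") in KEY_NAMES}


def rotate_salts(config_text):
    """Return (new_text, replaced_names); other define() lines are left as they are.

    Refuses to return a half-rotated file: if any of the eight constants is
    missing (or not single-quoted), a ValueError names it so you add it by hand.
    """
    replaced = []

    def sub(m):
        if m.group("name") not in KEY_NAMES:
            return m.group(0)
        replaced.append(m.group("name"))
        return f"{m.group(1)}'{new_key()}'{m.group(4)}"

    new_text = DEFINE_RE.sub(sub, config_text)
    missing = [n for n in KEY_NAMES if n not in replaced]
    if missing:
        raise ValueError(f"wp-config.php lacks a single-quoted define() for: {', '.join(missing)}")
    return new_text, replaced
```

Write the result back over wp-config.php only after the backup in step 1 of the backup slides exists; on a host with WP-CLI, `wp config shuffle-salts` does the same job. Rotating salts ends the attacker's sessions but removes nothing they planted, which is why steps 4 and 5 follow.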

Page 36

Protecting Your Browsing

• Insecure site = hacker playground

• Secure site + insecure server (host) = hacker party

• Secure site + secure server + insecure connection (public Wi-Fi) = hacker paradise

• TunnelBear (a VPN for when you administer the site from a network you don't trust)