re bar camp presentation wordpress lamp security 2010 06 17
DESCRIPTION
A brief intro to some simple but effective things that individual Wordpress site owners (and you don't have to be a programmer) can do to keep hackers out of their site(s).
TRANSCRIPT
Securing Wordpress & its underlying LAMP stack
rICh morrow, Principal Engineer, quicloud.com
An OGRE is like an ONION (or something like that… I want a parfait now)
6/17/10 RE Bar Camp Denver
Browser
Wordpress
PHP (Logic), MySQL (Database)
Apache (Web Server)
Linux (Operating System)
Vulnerabilities at each layer
• Wordpress, poor Wordpress.
– No core security team like Drupal
– Popularity makes it a target
– “ease of use” = “lack of security”
– Contrib Modules can inject vulnerabilities
• LAMP stack depends heavily on your host
– You may or may not have control.
– Even if you have control, each layer is a job unto itself.
– Even the best hosts use “default” installs which are far from secure.
Across all layers
• Update & Patch religiously, or make sure someone is.
• Only enable what you need (Wordpress or Apache modules, ports/services in Linux)
• Passwords
– Choose tough passwords & change them every 3 months or when contractors exit.
– NEVER email or IM usernames & passwords together.
• Install security products on every layer possible.
• Schedule & plan 2-3 hrs at least quarterly (if not monthly) to review policies.
• Back up before changes.
• Assume you will be hacked at some point.
– Set up monitoring to alert you w/i 5 minutes of a hack.
– Back up religiously & test those backups.
– Have at least 2-3 Wordpress &/or LAMP Security pros on call.
Linux
• Regularly scan for vulnerabilities with free products like Nessus, or get a $25 scan done with a provider like quicloud. Send “high” and “medium” vulnerabilities to your host or “Linux dude” & ask them to remediate.
• Use SFTP, not FTP
• Disable “Root” login and create different login accounts for each consultant.
• Have a consultant install a “Denial of Service” or “DOS” prevention tool (like fail2ban), a monitoring system (like Nagios) and/or an IDS (like Snort).
Apache
• Make sure you have “mod_security” installed.
• Make sure Apache is running as a distinct user (typically “apache”).
• Disable “Root” login and create different login accounts for each consultant.
• Make sure these are OFF: ‘DirectoryIndexes’, ‘ServerSignature’, ‘ServerTokens’, ‘ExecCGI’, ‘Server Side Includes’.
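An added check for the last bullet (this script is not from the deck or from quicloud): it reads one Apache config file and reports every directive the slide says should be off. It assumes the whole config is in the file you pass; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Audit an Apache config file for directory indexes, version leaks, CGI
# and server-side includes. Real installs spread directives over
# conf.d/ and vhost files as well, so run this over each of them.

audit_apache_conf() {
  conf="$1"
  # ServerSignature: anything but Off prints the version on error pages
  grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf" \
    || echo "ServerSignature is not Off"
  # ServerTokens: anything but Prod leaks OS/module versions in the Server header
  grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf" \
    || echo "ServerTokens is not Prod"
  # Options: flag Indexes (directory listing), ExecCGI, Includes (SSI) and All.
  # A leading '-' means the option is explicitly disabled, so it passes.
  grep -Ei '^[[:space:]]*Options[[:space:]]' "$conf" \
    | awk '{ for (i = 2; i <= NF; i++)
               if (tolower($i) ~ /^\+?(all|indexes|execcgi|includes|includesnoexec)$/)
                 print "Options enables " $i }'
  return 0
}

# Number of findings; 0 means the file passes the checklist on this slide.
count_apache_findings() {
  audit_apache_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: a typical "default" install, fails four checks.
write_default_conf() {
  cat > "$1" <<'EOF'
ServerSignature On
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
</Directory>
<Directory "/var/www/html/wp-content/uploads">
    Options -Indexes -ExecCGI
</Directory>
EOF
}

# The same file after hardening: zero findings.
write_hardened_conf() {
  cat > "$1" <<'EOF'
ServerSignature Off
ServerTokens Prod
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks -ExecCGI -Includes
</Directory>
EOF
}

f=$(mktemp); write_default_conf "$f"; audit_apache_conf "$f"; rm -f "$f"
```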
PHP
• Make sure there are no ‘phpinfo’ entries in any files (have your “Linux Dude” run “find . -type f | xargs grep 'phpinfo'” from your root web directory).
• Make sure users can’t upload “.php” files.
• Scrub all user input (you need a programmer).
• Turn on and use “error_reporting” on high load pages or suspicious code.
• Have your “Linux Dude” use PhpSecInfo, “PHP Security Scanner” or the “Spike PHP Security Audit” tool to find & fix problems.
• Make sure ‘register_globals’ is OFF
MySQL
• Disable “root” user (after making sure you’re not using it)
• Remove unused users in the “mysql.user” table.
• Close remote access (port 3306) to the database (again, after you’ve checked you’re not using it).
• Make sure MySQL is running as a distinct user (usually “mysql”).
• Remove “test” users and “test” databases that are in the default install.
• Ensure that all users are set for only “localhost” access (again, after you’ve checked “remote” is not needed).
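An added check for this slide (not from the deck or from quicloud): it flags root, anonymous, test and non-localhost accounts in a dumped user list, and tells you whether my.cnf leaves port 3306 open to the network. It assumes the user list is the tab-separated output of “mysql -B -N -e 'SELECT User, Host FROM mysql.user'” saved to a file; the list and the two my.cnf files below are constructed samples.

```shell
#!/bin/sh
# Audit a mysql.user dump (User<TAB>Host per line) against the checklist.
audit_mysql_users() {
  awk -F'\t' '
    $1 == ""      { print "anonymous account @" $2; next }
    $1 == "root"  { print "root account still enabled @" $2; next }
    $1 ~ /^test/  { print "test account " $1 "@" $2; next }
    $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
                    print "remote access granted: " $1 "@" $2 }
  ' "$1"
}

# Port 3306 is closed to the network when mysqld binds to loopback only,
# or has TCP disabled altogether (skip-networking). Anything else is exposed.
check_bind_address() {
  if grep -Eq '^[[:space:]]*skip-networking' "$1" \
     || grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|localhost|::1)[[:space:]]*$' "$1"; then
    echo "local-only"
  else
    echo "network-exposed"
  fi
}

# Constructed sample user list: two clean rows, five that need attention
# (root twice, an anonymous user, a wildcard-host user, a test account).
write_sample_users() {
  printf 'root\tlocalhost\nroot\t%%\n\tlocalhost\nwordpress\tlocalhost\nwordpress\t192.168.1.%%\ntest\tlocalhost\nbackup\tlocalhost\n' > "$1"
}

# Constructed my.cnf fragments: a default-style one and a hardened one.
write_default_mycnf()  { printf '[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n' > "$1"; }
write_hardened_mycnf() { printf '[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n' > "$1"; }

d=$(mktemp -d)
write_sample_users "$d/users.tsv"; audit_mysql_users "$d/users.tsv"
write_default_mycnf "$d/my.cnf"; check_bind_address "$d/my.cnf"
rm -rf "$d"
```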
Wordpress (finally :-)
• Install and use:
– “Login LockDown” module (records IP of failed login and can block login after many attempts in a short period of time).
– “Stealth Login” module (creates hidden URLs for login, logout, admin, etc)
• In the “.htaccess” of your “wp-admin” folder, restrict login to your IP (if your IP is static)
• Move your “wp-config.php” file out of your Web root (possible after wp 2.x).
• Change the Wordpress table prefix (from “wp_” to something cryptic). Easy prior to installing Wordpress, tough afterwards.
• Create a 2nd “admin” account, and delete the default “admin” user.
• Disable browsing of your “wp-content/plugins/” folder.
• Stop advertising your Wordpress version to hackers. Remove the code “<?php bloginfo('version'); ?>” from your theme’s “header.php” file.
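An added audit script (not from the deck or from quicloud) that covers the file-level checks from the PHP slide (phpinfo calls, .php files in uploads, register_globals) and from this slide (wp_ table prefix, wp-config.php location, version string in header.php). It assumes a stock layout under the web root passed as the first argument and a php.ini path as the second; the site tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Audit a Wordpress web root ($1) and php.ini ($2); prints one line per finding.
audit_wp_site() {
  root="$1"; phpini="$2"
  # phpinfo() anywhere under the web root (the PHP slide's find | xargs grep)
  find "$root" -type f -name '*.php' -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null \
    | sed 's|^|phpinfo() call in |'
  # PHP dropped into uploads (the *.php* glob also catches .php5 and x.php.jpg)
  find "$root/wp-content/uploads" -type f -name '*.php*' 2>/dev/null \
    | sed 's|^|PHP file in uploads: |'
  # wp-config.php should live one level above the web root and not use wp_
  cfg="$root/wp-config.php"
  [ -f "$cfg" ] && echo "wp-config.php is inside the web root"
  [ -f "$cfg" ] || cfg="$root/../wp-config.php"
  grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" 2>/dev/null \
    && echo "default wp_ table prefix in $cfg"
  # theme header advertising the Wordpress version
  grep -l "bloginfo[[:space:]]*([[:space:]]*['\"]version['\"]" "$root"/wp-content/themes/*/header.php 2>/dev/null \
    | sed 's|^|version advertised in |'
  # register_globals must be Off
  grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$phpini" 2>/dev/null \
    && echo "register_globals is On in $phpini"
  return 0
}

# Constructed sample site that trips every check exactly once.
make_sample_site() {
  mkdir -p "$1/wp-content/uploads/2010/06" "$1/wp-content/themes/twentyten"
  printf "<?php\n\$table_prefix = 'wp_';\n" > "$1/wp-config.php"
  printf '<?php phpinfo(); ?>\n' > "$1/info.php"
  printf '<?php echo "not an image"; ?>\n' > "$1/wp-content/uploads/2010/06/avatar.php"
  cat > "$1/wp-content/themes/twentyten/header.php" <<'EOF'
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
EOF
  printf 'register_globals = On\n' > "$1/php.ini"
}

d=$(mktemp -d); make_sample_site "$d"
audit_wp_site "$d" "$d/php.ini"
rm -rf "$d"
```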
Security can be quick & easy
• Just regularly patching & updating is huge.
• Instructions in here will secure probably 80-90% of your problems, and an experienced Sys Admin can do all “the big stuff” in probably 4-6 hours.
• If you’re not a system administrator, don’t “tinker”. In Linux, you can delete your whole server with just 7 characters… and there’s no “undo”.
• Use a free/cheap monitoring service like ‘pingdom’, ‘site24x7’, or ‘BinaryCanary’ to set up SMS or email messages if your site is down or hacked.
• Ask for help if you’re in over your head and/or don’t want to bother. Security is definitely one area you don’t want to ‘skimp’ on.
quicloud.com
• We help the smallest of small businesses create secure, scalable Websites using LAMP, Wordpress, Drupal, and Joomla!
• Services:
– Build an entirely new secure server for as low as $200 per server.
– Patch and secure an existing server for as low as $150 per server.
– Update and support your systems for as low as $20 per month, per server.
– Emergency “I’ve been hacked” resolution.
– We can help you build, deploy, and maintain your services in the cloud, reducing your hosting costs and improving your service level.
Resources / further reading
• Wordpress Security:
– http://codex.wordpress.org/Hardening_WordPress
– http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
– http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow
• LAMP Stack Security:
– http://blog.taragana.com/index.php/archive/top-10-linux-security-tips-for-system-administrators/
– http://www.noupe.com/php/php-security-tips.html
– http://dev.mysql.com/doc/refman/5.0/en/security.html
– http://www.fail2ban.org/wiki/index.php/Main_Page
– http://www.nessus.org/ (Security Scanner which you can run from your desktop)
• Rackspace Cloud (excellent cloud hosting for as low as $11/month, great for us “small guys”):
– http://www.rackspacecloud.com/
• Site Monitoring tools (most offer a “free” version to monitor one site):
– http://pingdom.com/
– http://site24x7.com/
– http://binarycanary.com/
– http://www.nagios.org/ (Nagios monitors your Linux server internally)