word camp pune 2013 security
DESCRIPTION
My presentation on "WordPress Security: Nothing exposed to WWW is 100% secure" at WordCamp Pune 2013.
TRANSCRIPT
![Page 1: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/1.jpg)
WordPress Security
Gaurav Singh@sgaurav_baghel
Nothing exposed to www is 100% secure
WordCamp Pune 2013
![Page 2: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/2.jpg)
The Real Problem
“38% of us Would Rather Clean a Toilet Than Think of A New Password”
-- mashable
![Page 3: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/3.jpg)
Challenges
• Environment
• Network
• Application
• End Users -- YOU
Any of these levels can screw you.
![Page 4: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/4.jpg)
Environment
![Page 5: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/5.jpg)
The Real Scenario
Linux
Apache, PHP, MySQL
WordPress
cPanel, phpMyAdmin
Modules
Each contains its own list of vulnerabilities.
![Page 6: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/6.jpg)
Network
Why worry, be safe.
![Page 7: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/7.jpg)
Application
WordPress
Core, Plugins, Themes, You
Secure each of them; attackers have an eye on all of them.
![Page 8: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/8.jpg)
End User
![Page 9: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/9.jpg)
Attack Types
If you know them well, you are already half secure.
![Page 10: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/10.jpg)
Opportunistic Attacks
• Mostly automated.
• Scanning the web looking for known vulnerabilities.
• Brute force / dictionary attacks.
• SQLi
• XSS
![Page 11: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/11.jpg)
Targeted Attacks
• Against large enterprises with a mass user base.
• Sophisticated attacks, mostly involving a group of hackers.
• DDoS attacks to bring the website down.
• Done for financial/data benefits.
![Page 12: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/12.jpg)
Top WordPress Infections
• Defacement
• Injections
• Redirects
• Pharma Hacks
• Backdoors – hardest to find
![Page 13: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/13.jpg)
Tips to Save Yourself
“A stitch in time, saves nine.” – Matt Mullenweg
![Page 14: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/14.jpg)
For “I Don’t Care” Rockstars
I know you log in with admin to post blogs.
Please change it from now.
![Page 15: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/15.jpg)
Know your Host
1. Cheap should never be the only criterion.
2. Choose your host wisely.
3. Know their security plan.
4. If your host does not offer SSH, it is time to find a new one.
5. What will they do in case you get hacked?
6. Check what Google already knows about your host:
http://google.com/safebrowsing/diagnostics?site=<yourhost>
![Page 16: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/16.jpg)
Be Safe and Connect Securely
1. Choose SFTP over FTP.
2. Always log in with least privileges.
• Use an account with the least privileges needed to get your task done.
• Avoid using root as far as possible.
3. Marry Linux as your OS.
4. Keep antivirus updated, on your Mac too.
![Page 17: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/17.jpg)
Backup Regularly
1. Do not rely on your host to back up data for you.
2. All it takes is a single command to do the job.
3. Use VaultPress to do the backup job.
4. Never keep the backup on the same server.
5. Keeping a backup of the database is equally important.
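The "single command" from point 2, as an added example that is not from the slides: a POSIX shell script that dumps the database, archives the files and copies both off the server. It assumes a standard wp-config.php, that mysqldump, tar and scp are installed, and a hypothetical SSH destination in BACKUP_REMOTE (for instance backup@backuphost:/srv/backups); WP_ROOT and BACKUP_DIR are likewise assumed names, and the wp-config.php used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): one-command WordPress backup, shipped off-box.
# Assumed names: WP_ROOT (site directory), BACKUP_DIR (local staging directory),
# BACKUP_REMOTE (scp destination such as backup@backuphost:/srv/backups).
set -e

# Pull one define('NAME', 'value') out of wp-config.php ($1 = file, $2 = constant).
# Accepts single or double quotes and spaces around the comma. A value that itself
# contains a quote character is the one case this would silently miss.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# $1 = WordPress root, $2 = local staging directory. Prints the timestamp used in the file names.
wp_backup() {
    root=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    cfg="$root/wp-config.php"
    [ -f "$cfg" ] || cfg="$(dirname "$root")/wp-config.php"   # WordPress also looks one level up
    name=$(wp_config_get "$cfg" DB_NAME)
    user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD)
    host=$(wp_config_get "$cfg" DB_HOST)
    mkdir -p "$dest"
    chmod 700 "$dest"
    # Password via MYSQL_PWD so it never shows up in `ps`; --single-transaction gives a
    # consistent InnoDB snapshot without locking the live site. A ":port" suffix on
    # DB_HOST is dropped here; pass -P yourself if you run MySQL on a non-default port.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$name" \
        | gzip > "$dest/db-$stamp.sql.gz"
    # All files, wp-config.php included. Cache directories are regenerated, so skip them.
    tar -czf "$dest/files-$stamp.tar.gz" --exclude='wp-content/cache' \
        -C "$(dirname "$root")" "$(basename "$root")"
    chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
    echo "$stamp"
}

# Ship one backup set off the box (slide rule 4): $1 = timestamp from wp_backup, $2 = staging directory.
wp_backup_offsite() {
    scp -q "$2/db-$1.sql.gz" "$2/files-$1.tar.gz" "$BACKUP_REMOTE/"
}

# Run from cron, e.g. daily:
#   WP_ROOT=/var/www/example BACKUP_DIR=/var/backups/wp BACKUP_REMOTE=backup@backuphost:/srv/backups sh backup.sh
if [ -n "${WP_ROOT:-}" ]; then
    dir="${BACKUP_DIR:-/var/backups/wordpress}"
    stamp=$(wp_backup "$WP_ROOT" "$dir")
    wp_backup_offsite "$stamp" "$dir"
fi
```

The dump and the archive both hold the database credentials (the dump indirectly, the archive via wp-config.php), so the staging directory is made private and the copies are shipped to a host the web server cannot write to; a backup that an attacker on the web server can delete or alter is not a backup.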
![Page 18: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/18.jpg)
Update Update Update
1. The single most effective step to cut off most attacks on WordPress.
2. Point releases like 3.1.x are mostly security and maintenance patches.
3. Not just WordPress: update your themes and plugins as well.
4. Keep an eye on all disclosed vulnerabilities and check whether they can affect you.
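Point 4 only works if you know exactly which versions you are running. As an added example that is not from the slides, this shell script inventories WordPress core, every plugin and every theme in an install so the list can be compared against published advisories. It assumes the standard layout under the given root (wp-includes/version.php, wp-content/plugins, wp-content/themes); the root path and the sample tree used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): version inventory of a WordPress install.
# Output is tab-separated "kind<TAB>slug<TAB>version" lines.
set -e

# Core: wp-includes/version.php holds a line of the form  $wp_version = '3.6.1';
wp_core_version() {
    awk -F"'" '/^\$wp_version[ \t]*=/ { print $2; exit }' "$1/wp-includes/version.php"
}

# Read one "Name: value" field from a plugin or theme header comment ($1 = file, $2 = field).
# Header lines look like "Version: 1.7.1" or " * Version: 1.6", hence the optional " *" prefix.
wp_header_field() {
    sed -n "s/^[[:space:]*]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

wp_plugin_versions() {
    # Directory plugins: the main file is whichever .php carries a "Plugin Name:" header.
    for dir in "$1"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        main=$(grep -l '^[[:space:]*]*Plugin Name:' "$dir"*.php 2>/dev/null | head -n 1)
        [ -n "$main" ] || continue
        v=$(wp_header_field "$main" Version)
        printf 'plugin\t%s\t%s\n' "$(basename "$dir")" "${v:-unknown}"
    done
    # Single-file plugins (hello.php style) sit directly in plugins/.
    for f in "$1"/wp-content/plugins/*.php; do
        [ -f "$f" ] || continue
        v=$(wp_header_field "$f" Version)
        printf 'plugin\t%s\t%s\n' "$(basename "$f" .php)" "${v:-unknown}"
    done
}

# Themes declare their version in style.css.
wp_theme_versions() {
    for css in "$1"/wp-content/themes/*/style.css; do
        [ -f "$css" ] || continue
        v=$(wp_header_field "$css" Version)
        printf 'theme\t%s\t%s\n' "$(basename "$(dirname "$css")")" "${v:-unknown}"
    done
}

# $1 = WordPress root. Feed the result into whatever you use to track advisories.
wp_inventory() {
    printf 'core\twordpress\t%s\n' "$(wp_core_version "$1")"
    wp_plugin_versions "$1"
    wp_theme_versions "$1"
}

# Usage: WP_ROOT=/var/www/example sh inventory.sh
if [ -n "${WP_ROOT:-}" ]; then
    wp_inventory "$WP_ROOT"
fi
```

Note that this lists what is on disk, not what is active: a deactivated plugin with a known direct-access bug is still reachable by URL, so it belongs in the list (and, per the "delete unused ones" advice later in the deck, not on the server).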
![Page 19: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/19.jpg)
Care your WordPress
1. Use strong passwords and do not share them.
2. Change passwords regularly.
3. Log in with the least privileges possible.
4. Create a nickname to post blogs.
5. Do not search for “Free Woo themes” unless you plan to end up serving Viagra from your blog.
![Page 20: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/20.jpg)
For “Yes, I do care” guys
• Connect securely: use SSH/SFTP.
• Choose a different “admin” username.
• Use a nickname to post blogs.
• Keep WordPress cookies salted: put unique keys and salts in wp-config.php, generated from
http://api.wordpress.org/secret-keys/1.1/salt/
![Page 21: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/21.jpg)
For “Yes, I do care” guys
• Limit theme and plugin use; delete unused ones (a deactivated plugin's files are still reachable by URL).
• Move wp-config.php up one level (WordPress checks the parent directory automatically) and lock it down.
• Rename the database prefix during installation.
• ‘Limit Login Attempts’ – kills brute force.
• Disable user registration.
• Use child themes to modify CSS instead of tweaking base files.
![Page 22: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/22.jpg)
For “Yes, I do care” guys
• Manage file permissions
Files: 644 or 640
Folders: 755 or 750
• Hide version info – these small steps help.
In functions.php add these lines
(Removing the generator tag only raises the bar slightly: readme.html and the ?ver= query strings on core scripts still give the version away, so this is no substitute for updating.)
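The permission scheme above, as an added example that is not from the slides: a shell script that applies 644/755 (or the tighter 640/750 when the web server runs as the files' group owner) to a WordPress tree and audits it for anything world-writable. The root path is hypothetical and the tree used to exercise it is constructed; whether the 640/750 variant is safe depends on whether PHP on your host can read group-readable files, which the script cannot know.

```shell
#!/bin/sh
# Added example (not from the slides): apply and audit WordPress file permissions.
# Run as the owner of the files, not as the web server user.
set -e

# $1 = WordPress root, $2 = "strict" for 640/750 instead of 644/755.
wp_fix_perms() {
    root=$1
    if [ "${2:-}" = strict ]; then fmode=640; dmode=750; else fmode=644; dmode=755; fi
    find "$root" -type d -exec chmod "$dmode" {} +
    find "$root" -type f -exec chmod "$fmode" {} +
    # wp-config.php carries DB credentials and salts: never world-readable.
    # 640 assumes the web server is in the file group; use 600 if PHP runs as the file owner.
    if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# Print anything world-writable under $1 (the classic "chmod 777 uploads" problem);
# returns 1 if something was found so it can gate a deploy script.
wp_audit_perms() {
    bad=$(find "$1" \( -type f -o -type d \) -perm -002)
    if [ -n "$bad" ]; then
        printf 'world-writable:\n%s\n' "$bad"
        return 1
    fi
}

# Print files and directories that deviate from the chosen scheme (wp-config.php is
# handled separately above, so it is excluded). Empty output means the tree is clean.
wp_nonstandard_perms() {
    if [ "${2:-}" = strict ]; then fmode=640; dmode=750; else fmode=644; dmode=755; fi
    find "$1" \( -type f ! -name wp-config.php ! -perm "$fmode" \) -o \( -type d ! -perm "$dmode" \)
}

# Usage: WP_ROOT=/var/www/example sh perms.sh        (add WP_STRICT=1 for 640/750)
if [ -n "${WP_ROOT:-}" ]; then
    if [ -n "${WP_STRICT:-}" ]; then wp_fix_perms "$WP_ROOT" strict; else wp_fix_perms "$WP_ROOT"; fi
    wp_audit_perms "$WP_ROOT"
fi
```

The audit is the part worth scheduling: a plugin installer or a well-meaning colleague can reopen uploads/ to 777 at any time, and world-writable directories are what turn a file-upload bug somewhere else on the box into a persistent backdoor.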
![Page 23: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/23.jpg)
For “Yes, I do care” guys
• Enable SSL login
The site needs to be accessible over https.
Add the following lines in wp-config.php
![Page 24: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/24.jpg)
For “Yes, I do care” guys
• Discourage unnecessary crawling
Crawlers can index unnecessary files and expose them to hackers.
Create a robots.txt and disallow crawling of unnecessary files.
Caveat: robots.txt is public and purely advisory. It keeps well-behaved search engines from indexing a path, but it also tells an attacker where to look, so it is no substitute for access controls on those files.
![Page 25: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/25.jpg)
For “The Paranoids”
These settings can break your website; know what they do before you apply them.
![Page 26: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/26.jpg)
Kill PHP Execution
Ensure that PHP files cannot be executed from within directories that should only hold static content.
If it breaks a theme/plugin, ensure this is implemented at least in the wp-includes and uploads directories. (Core includes the wp-includes files itself and never needs them requested directly, so blocking direct requests there is safe; multisite's wp-includes/ms-files.php is the one exception.)
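The .htaccess this slide refers to, as an added example that is not from the slides: a shell script that writes a rule refusing to serve PHP from wp-content/uploads and wp-includes, and then audits uploads/ for PHP that has no business being there, which is where dropped web shells usually land. It assumes Apache with AllowOverride enabled for the site (on nginx the equivalent is a location block, which this does not write); the paths and the tree used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): block PHP execution in static-only directories.
set -e

# $1 = directory to protect. Both Apache 2.4 (mod_authz_core) and 2.2 syntax are
# emitted so the same file works on either. The pattern is case-insensitive and also
# catches double extensions such as shell.php.jpg, which AddHandler-based PHP setups
# will happily execute.
wp_deny_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Refuse to execute PHP from this directory (added hardening)
<FilesMatch "(?i)\.ph(p[0-9]?|tml|ps)(\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# List PHP-looking files under $1, double extensions included.
wp_find_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.php.*' -o -name '*.php[0-9]' \
        -o -name '*.phtml' -o -name '*.phps' \)
}

# Protect uploads/ and wp-includes/, then fail if uploads/ already holds PHP.
# wp-includes legitimately contains PHP that core includes; it is never requested
# directly, so denying direct requests there is safe. On multisite add a <Files
# ms-files.php> exemption to the wp-includes rule.
wp_harden_uploads() {
    root=$1
    for d in "$root/wp-content/uploads" "$root/wp-includes"; do
        if [ -d "$d" ]; then wp_deny_php_htaccess "$d"; fi
    done
    stray=$(wp_find_php "$root/wp-content/uploads")
    if [ -n "$stray" ]; then
        printf 'PHP under uploads, inspect before trusting this site:\n%s\n' "$stray"
        return 1
    fi
}

# Usage: WP_ROOT=/var/www/example sh deny-php.sh
if [ -n "${WP_ROOT:-}" ]; then
    wp_harden_uploads "$WP_ROOT"
fi
```

The rule is only as good as the handler configuration it sits in front of: if PHP is served through a proxy or FastCGI match on the extension at the virtual-host level, check that .htaccess is actually consulted for that path (AllowOverride) before assuming the uploads directory is inert.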
![Page 27: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/27.jpg)
Disable Editing in WP Admin
Too often a password gets stolen, and the built-in theme/plugin editor then hands the attacker write access to your entire code base.
Add these lines in wp-config.php
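The wp-config.php changes from this slide and the earlier "I do care" slides (unique salts, SSL login, no file editing), as one added example that is not from the slides: a shell script that sets the constants idempotently. Salts are generated locally from /dev/urandom rather than fetched from http://api.wordpress.org/secret-keys/1.1/salt/, so it runs offline; the wp-config.php path and WP_BACKUP_DIR are hypothetical, and the wp-config.php used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): harden wp-config.php in one idempotent step.
# New salts invalidate every existing login cookie, which is exactly what you want
# after a compromise and worth knowing about before you run this on a busy site.
set -e

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 48 random bytes as 64 base64 characters; strip anything that would break a PHP single-quoted string.
wp_random_salt() {
    head -c 48 /dev/urandom | base64 | tr -d "\n'\\\\="
}

# Set define('NAME', VALUE) in wp-config.php ($1 = file, $2 = name, $3 = PHP literal such as true or 'text').
# Replaces an existing definition in place; otherwise inserts before the "stop editing"
# marker (or the wp-settings.php require) so the constant exists before core loads.
wp_config_set() {
    cfg=$1; name=$2; line="define('$2', $3);"
    cp -p "$cfg" "$cfg.tmp"          # keeps the original file mode for the rewritten copy
    if grep -q "^[[:space:]]*define([[:space:]]*['\"]$name['\"]" "$cfg"; then
        awk -v n="$name" -v l="$line" -v q="'" '
            $0 ~ ("^[ \t]*define\\([ \t]*[" q "\"]" n "[" q "\"]") { print l; next }
            { print }' "$cfg" > "$cfg.tmp"
    else
        awk -v l="$line" '
            !done && (/stop editing/ || /wp-settings\.php/) { print l; done=1 }
            { print }
            END { if (!done) print l }' "$cfg" > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# $1 = path to wp-config.php. A copy goes outside the web root first: a
# wp-config.php.bak left next to the original would be served as plain text.
wp_harden_config() {
    cfg=$1
    bak="${WP_BACKUP_DIR:-${HOME:-/tmp}}"
    mkdir -p "$bak"
    cp -p "$cfg" "$bak/wp-config.php.$(date +%s)"
    chmod 600 "$bak"/wp-config.php.*
    for k in $WP_SALT_KEYS; do
        wp_config_set "$cfg" "$k" "'$(wp_random_salt)'"
    done
    wp_config_set "$cfg" FORCE_SSL_ADMIN true      # admin and login over https; the site must serve https
    wp_config_set "$cfg" DISALLOW_FILE_EDIT true   # removes the theme and plugin editors from wp-admin
}

# Usage: WP_BACKUP_DIR=/root/wp-backups sh harden-config.sh /var/www/example/wp-config.php
if [ -n "${1:-}" ]; then
    wp_harden_config "$1"
fi
```

FORCE_SSL_ADMIN covers the login form as well as the dashboard; with only https on wp-admin and wp-login.php the rest of the site still leaks the logged-in cookie over plain http on every front-end visit, so serve the whole site over https where you can. DISALLOW_FILE_EDIT removes the editors but not the ability to upload a plugin or theme archive, which is the other route from a stolen admin password to code execution.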
![Page 28: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/28.jpg)
Limit Admin/Login access by IP
Add these lines of code to the .htaccess file placed in the wp-admin folder (and to the root .htaccess for wp-login.php).
To implement this you need a static IP address. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than yours, so the rule has to be written against the real client address.
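The rules this slide describes, as an added example that is not from the slides: a shell script that writes an address allowlist for wp-admin/ and wp-login.php in both Apache 2.4 (Require) and 2.2 (Order/Allow) syntax. It assumes Apache with AllowOverride for the site, leaves admin-ajax.php open because front-end plugins call it for anonymous visitors, and refuses to write a rule with no addresses, which would lock everyone out. The addresses and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): restrict wp-admin and wp-login.php by client address.
# Behind a CDN or reverse proxy the address Apache sees is the proxy's, so set up
# mod_remoteip (or equivalent) before relying on this.
set -e

# Emit the allow-list block for the given addresses or CIDR ranges.
wp_allow_block() {
    echo '  <IfModule mod_authz_core.c>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '  </IfModule>'
    echo '  <IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '  </IfModule>'
}

# $1 = WordPress root, remaining arguments = allowed addresses.
wp_restrict_admin() {
    root=$1; shift
    if [ $# -eq 0 ]; then echo 'no allowed addresses given, refusing to lock everyone out' >&2; return 1; fi
    # wp-admin/.htaccess: the whole directory, with admin-ajax.php exempted.
    {
        echo '# Restrict wp-admin to known addresses (added hardening)'
        wp_allow_block "$@"
        echo '<Files admin-ajax.php>'
        echo '  <IfModule mod_authz_core.c>'
        echo '    Require all granted'
        echo '  </IfModule>'
        echo '  <IfModule !mod_authz_core.c>'
        echo '    Order allow,deny'
        echo '    Allow from all'
        echo '  </IfModule>'
        echo '</Files>'
    } > "$root/wp-admin/.htaccess"
    # Root .htaccess: only wp-login.php. Replace our own marked block if it is already
    # there and leave the WordPress rewrite rules untouched.
    b='# BEGIN wp-login restriction'; e='# END wp-login restriction'
    if [ -f "$root/.htaccess" ]; then
        awk -v b="$b" -v e="$e" '$0 == b { skip=1 } !skip { print } $0 == e { skip=0 }' \
            "$root/.htaccess" > "$root/.htaccess.tmp"
        mv "$root/.htaccess.tmp" "$root/.htaccess"
    fi
    {
        echo "$b"
        echo '<Files wp-login.php>'
        wp_allow_block "$@"
        echo '</Files>'
        echo "$e"
    } >> "$root/.htaccess"
}

# Usage: WP_ROOT=/var/www/example sh restrict-admin.sh 203.0.113.5 198.51.100.0/24
if [ -n "${WP_ROOT:-}" ]; then
    wp_restrict_admin "$WP_ROOT" "$@"
fi
```

Keep a second way in (SSH to the box, or a VPN address in the list) before applying it: the first thing a changed home address or a travelling editor will hit is a 403 on the login page, and editing .htaccess is then the only fix.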
![Page 29: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/29.jpg)
Forbid Proxy Comment Posting
Deny requests that use a proxy server to post comments and eliminate some spam.
Courtesy, perishablepress.com
Caveat: the rule keys off proxy headers such as Via and X-Forwarded-For, so it also blocks legitimate commenters behind corporate or ISP proxies, and it cannot be used at all on a site served through a CDN or reverse proxy, where every request carries those headers.
![Page 30: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/30.jpg)
Disable PHP settings
Edit php.ini. The idea is to turn display_errors off: a PHP error message can reveal the full path of your web root and other internals. Keep log_errors on so the errors still land in the server log where you can read them.
This may well break something; test on a dev server before moving to live.
![Page 31: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/31.jpg)
Some Security Plugins
• Akismet
• Duo Two Factor Authentication
• Vaultpress
• Limit Login Attempts
• BulletProof Security
![Page 32: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/32.jpg)
[Sh]it Happens
Nothing to panic about: just clean up and resubmit the site for review.
![Page 33: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/33.jpg)
[Sh]it Happens
• WordPress Forum –
http://wordpress.org/tags/hacked
http://wordpress.org/tags/malware
• http://safeweb.norton.com
![Page 34: Word camp pune 2013 security](https://reader033.vdocuments.us/reader033/viewer/2022061103/5404e5ab8d7f72a6768b48f4/html5/thumbnails/34.jpg)
Wish your WordPress a secure future
Queries/feedback?