WordPress security best practices
DESCRIPTION
The slides for Brennen Byrne and Sam Hotchkiss' talk on WordPress security best practices at WordCamp Phoenix 2014.
TRANSCRIPT
WordPress Security Best Practices
Brennen Byrne @brennenbyrne
Sam Hotchkiss @hotchkissconsulting
How to make your site impossible to hack:
Delete it.
This talk is for the rest of you.
For the next 100 minutes, we’ll cover the:
• 5 Rules
• 4 Tools and
• 3 Important Habits
to keep your site safe.
Sam Hotchkiss
I run a WordPress agency in Bath, Maine and am the lead developer for the WordPress security plugin BruteProtect.
Brennen Byrne
I’m one of the founders of Clef, a security plugin for WordPress that lets you log in without a password.
WordPress Security Best Practices
Brennen Byrne @brennenbyrne
Sam Hotchkiss @hotchkissweb
Slides
getclef.com/wordcamp-security
Checklist
getclef.com/wordpress-security-checklist
Who attacks and why?
it’s not usually because they want to be friends
pharma / affiliate
if you’re not using Akismet, you know these well
link injection
SEO hacking at its worst
hacktivists
Syrian Electronic Army, LulzSec, AnonOps, etc.
drive-by download
you’re just the host
redirects
pretty much just hijacking your site
How do they attack?
know your own weaknesses
XSS
cross-site scripting: comments or posts that attack other visitors to your site
CSRF
cross-site request forgery: once you’re authenticated, other sites can pretend to be you
brute force
how many tries does it take to guess your password?
brute force + botnet
how long does it take an army to guess your password?
server breach
sites where you log in store your password (even though they shouldn’t…). What happens if they mess up?
bucket brigade
an attacker sits between you and a site you log in to; when you send your password, they read it before passing it on
but really, insecure plugins and themes
WordPress core has a team of security experts looking for these flaws all the time. Most plugins do not.
Do you need to worry?
some people think that their site is too small to be attacked
WordPress is 20% of the web
most attackers are counting on a small success rate across a huge number of sites
Bots attack every site
BruteProtect blocked more than 20m attacks last year, and it’s on less than 0.01% of WordPress sites
Botnet Economics
one small site infects hundreds of users, who will help infect more, bigger sites
Now, The Rules
The first rule of WordPress is…
1. Respect your passwords
“password” doesn’t cut it anymore
Require strong passwords, if you use them at all
Don’t email them
to anyone, ever.
Don’t submit them without SSL on public Wi-Fi
or even on private Wi-Fi networks that you don’t know that well
2. Respect admin
even if you don’t respect your administrators
keep admin separate
only use it when you need it
change db table prefix
wp-avoidinghackersallday_users > wp_users
make admin something other than “admin”
why make things easier?
3. Sanitize user input
you don’t know where it’s been
do not write your own SQL
or, if you do, clean it carefully before you use it
validate data before you display it
avoid running hack.js in your users’ browsers
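As an added illustration of rule 3 (example code, not from the talk or either speaker's plugins), here is the same search feature written the way the slides warn against and then the way they recommend, using WordPress's own $wpdb->prepare(), sanitize_text_field() and esc_html(). The guestbook table and both function names are hypothetical.

```php
<?php
// Added example (not from the slides). Assumptions: a hypothetical custom
// table "{$wpdb->prefix}guestbook" with author/message columns, and two
// hypothetical function names; everything else is the real WordPress API.

// Before: hand-built SQL and raw output, the two habits rule 3 warns against.
function guestbook_search_unsafe( $term ) {
    global $wpdb;
    // $term is concatenated straight into the query: a quote typed into the
    // search box rewrites the SQL (classic SQL injection).
    $rows = $wpdb->get_results(
        "SELECT author, message FROM {$wpdb->prefix}guestbook
         WHERE message LIKE '%{$term}%'"
    );
    foreach ( $rows as $row ) {
        // Stored data echoed as-is: a message containing <script> runs in
        // every visitor's browser (stored XSS, the "hack.js" case).
        echo '<p>' . $row->author . ': ' . $row->message . '</p>';
    }
}

// After: sanitize on the way in, prepare the query, escape on the way out.
function guestbook_search_safe( $term ) {
    global $wpdb;
    // 1. Sanitize input: strips tags and control characters, trims whitespace.
    $term = sanitize_text_field( $term );
    // 2. Clean the SQL: esc_like() neutralises the % and _ wildcards, and
    //    prepare() quotes the %s value and casts %d to an integer.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT author, message FROM {$wpdb->prefix}guestbook
         WHERE message LIKE %s LIMIT %d",
        $like,
        50
    );
    $rows = $wpdb->get_results( $sql );
    // 3. Validate before display: esc_html() turns < > & " ' into entities,
    //    so markup inside a message is shown as text instead of executed.
    foreach ( $rows as $row ) {
        printf(
            '<p>%s: %s</p>',
            esc_html( $row->author ),
            esc_html( $row->message )
        );
    }
}
```

Note that the prepared query still reads the table name from $wpdb->prefix, so it keeps working after you change the table prefix as rule 2 suggests.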
4. Disclose Responsibly
and quietly
Tools
not that kind of tool
SFTP
whichever you like
BruteProtect
awesome
Clef
also awesome
Cloak
because WiFi is dangerous!
(this only works for Mac users)
Important habits
good security hygiene
check for SSL
look for the little lock before typing anything
use different passwords
more important than using individually strong ones!
better yet… don’t use passwords at all
use a password manager
computers have better memories for this kind of stuff
don’t trust new senders
.exe and .zip should be feared
educate your clients
it’s your responsibility (and will save you a lot of headache)
Cleaning up
how do you recover after your site gets compromised?
first step
change all of your passwords — admin, users, host, keys, everything you can
save wp-content
copy the folder of your actual content
scan your local machine
make sure your computer is not infected
burn it with fire
/www, cron, plugins and themes
fresh install
you can restore a backup, save old themes, but nothing works as well as starting from scratch
re-add wp-content
get back the things you’ve created
last step
change all of your passwords — admin, users, host, everything you can
Slides
getclef.com/wordcamp-security
Checklist
getclef.com/wordpress-security-checklist
Questions
http://getclef.com/wordpress-security-checklist