WordPress Security Best Practices

Brennen Byrne @brennenbyrne

Sam Hotchkiss @hotchkissconsulting

How to make your site impossible to hack:

Delete it.

This talk is for the rest of you.

For the next 100 minutes, we’ll cover the:• 5 Rules • 4 Tools and • 3 Important Habits

To keep your site safe.

Sam HotchkissI run a WordPress agency in Bath, Maine and am the lead developer for the WordPress security plugin BruteProtect.

Brennen ByrneI’m one of the founders of Clef, a security plugin for WordPress that lets you log in without a password.

WordPress Security Best Practices

Brennen Byrne @brennenbyrne

Sam Hotchkiss @hotchkissweb

Checklist

Slidesgetclef.com/wordcamp-security

getclef.com/wordpress-security-checklist

Who attacks and why?it’s not usually because they want to be friends

pharma / affiliateif you’re not using akismet, you know these well

link injectionSEO hacking at its worst

hacktivistsSyrian Electronic Army, lulzsec, anonops, etc.

drive by downloadyou’re just the host

redirectspretty much just hijacking your site

How do they attack?know your own weaknesses

XSScross site scripting: comments or posts that

attack other visitors to your site

CSRFcross site request forgery: once you’re

authenticated, other sites can pretend to be you

brute forcehow many tries does it take to guess

your password?

brute force + botnethow long does it take an army to guess your

password?

server breachsites where you log in store your password.

(even though they shouldn’t…) what happens if they mess up?

bucket brigadean attacker sits between you and a site you log in to, when you send your password, they read it before passing it on

but really, insecure plugins and themes

WordPress core has a team of security experts looking for these flaws all the time. Most plugins do not.

Do you need to worry?some people think that their site is too small to be

attacked

WordPress is 20% of the web

most attackers are counting on a small success rate across a huge number of sites

Bots attack every siteBruteProtect blocked more than 20m attacks last

year, and it’s on less than 0.01% of WordPress sites

Botnet Economicsone small site infects hundreds of users, who will

help infect more, bigger sites

Now, The RulesThe first rule of WordPress is…

Respect your passwords

“password” doesn’t cut it anymore

1.

Require strong passwords

if you use them at all

Don’t email themto anyone, ever.

Don’t submit them without SSL on public wifi

or even private wifis that you don’t know that well

respect admineven if you don’t respect your administrators

2.

keep admin separateonly use it when you need it

change db table prefix

wp-avoidinghackersallday_users >

wp_users

make admin something other than

“admin”why make things easier?

Sanitize user inputyou don’t know where it’s been

3.

do not write your own SQL

or, if you do, clean it carefully before you use it

validate data before you display it

avoid running hack.js in your users’ browsers

Disclose Responsiblyand quietly

4.

Toolsnot that kind of tool

SFTPwhichever you like

BruteProtectawesome

Clefalso awesome

Cloakbecause WiFi is dangerous

!

(this only works for Mac users)

Important habitsgood security hygiene

check for ssllook for the little lock before typing anything

use different passwords

more important than using individually strong ones

!

better yet… don’t use passwords at all

use a password manager

computers have better memories for this kind of stuff

don’t trust new senders

.exe and .zip should be feared

educate your clientsit’s your responsibility (and will save you a lot of

headache)

Cleaning uphow do you recover after your site gets

compromised?

first stepchange all of your passwords — admin, users,

host, keys, everything you can

save wp-contentcopy the folder of your actual content

scan your local machine

make sure your computer is not infected

burn it with fire/www, chron, plugins and themes

fresh installyou can restore a backup, save old themes, but nothing works as well as starting from scratch

re-add wp-contentget back the things you’ve created

last stepchange all of your passwords — admin, users,

host, everything you can

Slidesgetclef.com/wordcamp-security

Checklistgetclef.com/wordpress-security-checklist

Questionshttp://getclef.com/wordpress-security-checklist