WordPress Security from WordCamp NYC 2012


Upload: brad-williams

Posted on 09-May-2015


DESCRIPTION

My WordPress Security presentation from WordCamp NYC 2012

TRANSCRIPT

Page 1: WordPress Security from WordCamp NYC 2012

WORDPRESS SECURITY BY BRAD WILLIAMS

Brad Williams @williamsba

Page 2: WordPress Security from WordCamp NYC 2012

WHO IS BRAD?

Brad Williams
Co-Founder WebDevStudios.com
Co-Author Professional WordPress & Professional WordPress Plugin Development
Co-Organizer WordCamp Philly
Co-Host WP Late Night

Page 3: WordPress Security from WordCamp NYC 2012

HAPPY BIRTHDAY TO BRAD

…and it’s my Birthday today!

Page 4: WordPress Security from WordCamp NYC 2012

TODAY’S TOPICS

• Security Stats
• Example Hack
• Top Security Tips
• Recommended Plugins & Services
• Resources

Page 5: WordPress Security from WordCamp NYC 2012

SECURITY STATS FOR WORDPRESS

Security Stats

Page 6: WordPress Security from WordCamp NYC 2012

SECURITY STATS

Page 7: WordPress Security from WordCamp NYC 2012

SECURITY STATS

700+ million websites May 2012 (Netcraft)
300 million websites in 2011 (Pingdom)
10+ billion indexed pages (WorldWebSize)

Projected:
• 1 Billion websites by 2013
• 2 Billion websites by 2015

[Chart: Websites (millions), axis 0 to 2500, for 2011, 2012, 2013, 2015]

Page 8: WordPress Security from WordCamp NYC 2012

SECURITY STATS

WordPress Stats
• 73+ Million WordPress powered websites
• 16% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 Million WordPress sites by 2015

Page 9: WordPress Security from WordCamp NYC 2012

SECURITY STATS

Web Malware Stats
• 403 Million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 - 2011

Page 10: WordPress Security from WordCamp NYC 2012

SECURITY STATS

In Summary – Be Scared!

Page 11: WordPress Security from WordCamp NYC 2012

HACK EXAMPLE

Link Injection

Hacker bots look for known exploits (SQL Injection, folder permissions, etc.)

This allows them to insert spam files/links into your WordPress themes, plugins, and core files.

Page 12: WordPress Security from WordCamp NYC 2012

HACK EXAMPLE

Link Injection

Hosting account contained two separate websites

[Diagram: WordPress | WordPress Multisite]

Page 13: WordPress Security from WordCamp NYC 2012

HACK EXAMPLE

Link Injection

Hacker bot dropped a malicious file on a WP Multisite install

[Diagram: WordPress | WordPress Multisite]

Page 14: WordPress Security from WordCamp NYC 2012

HACK EXAMPLE

Link Injection

WordPress Multisite starts hacking WordPress install, inserting spam links into the theme, plugins, and core files

[Diagram: WordPress | WordPress Multisite]

Page 15: WordPress Security from WordCamp NYC 2012

HACK EXAMPLE

Link Injection

WP Multisite contains no spam links. Acts as a carrier to spread the contamination.

Cleaning up the WordPress website only resulted in more spam links a few days later

[Diagram: WordPress | WordPress Multisite]

Page 17: WordPress Security from WordCamp NYC 2012

HACK EXAMPLE

Link Injection

375 spam links per page, only shown to search engines

Page 18: WordPress Security from WordCamp NYC 2012


Scared  Yet?  

Page 19: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

That’s It! Good luck!

Page 20: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

Securing WordPress

Page 21: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

1. Update Update Update
Keep WordPress Updated!

Minor WordPress versions (i.e. 3.3.x) do NOT add new features. They contain bug fixes and security patches.

Page 22: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

1. Update Update Update
Update Those Plugins!

The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.

Page 23: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

1. Update Update Update

NO EXCUSES! UPDATE!

Page 24: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

2. Use Secret Keys

Some secrets should remain secrets

Page 25: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

2. Use Secret Keys

A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.

1. Edit wp-config.php
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt

BEFORE

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

AFTER

define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
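Added example, not from the talk: a POSIX shell script that rewrites the eight key/salt defines in a wp-config.php and then checks that none is still the placeholder, that each is 64 characters, and that no two are identical. Values are drawn from /dev/urandom as an offline stand-in for the api.wordpress.org generator the slide points to; the sample config it writes is a constructed fixture, and the function names are this example's own. Because WordPress derives cookie signatures from these keys, rotating them also logs every current session out, which is exactly what you want after a compromise.

```shell
#!/bin/sh
# Added example: set the eight wp-config.php keys/salts to fresh random values and verify the result.
# Values come from /dev/urandom here, the offline equivalent of the api.wordpress.org generator.
KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"

write_sample_config() {  # $1 = path; constructed stand-in for an untouched wp-config.php, not a real site's file
  {
    echo "<?php"
    echo "define('DB_NAME', 'wordpress');"
    for name in $KEY_NAMES; do printf "define('%s', '%s');\n" "$name" "$PLACEHOLDER"; done
    echo "\$table_prefix = 'wp_';"
  } > "$1"
}

is_salt_name() {  # true when $1 is one of the eight key/salt constants
  for n in $KEY_NAMES; do [ "$1" = "$n" ] && return 0; done
  return 1
}

gen_key() {  # 64 random printable chars; single quote and backslash left out so the PHP string stays intact
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?.,;:-' < /dev/urandom | head -c 64
}

rotate_salts() {  # $1 = wp-config.php; every key/salt define() gets a new value, all other lines pass through
  tmp="$1.tmp"
  while IFS= read -r line; do
    case "$line" in
      "define('"*)
        name=${line#"define('"}
        name=${name%%"'"*}
        if is_salt_name "$name"; then
          printf "define('%s', '%s');\n" "$name" "$(gen_key)"
          continue
        fi ;;
    esac
    printf '%s\n' "$line"
  done < "$1" > "$tmp"
  mv "$tmp" "$1"
}

check_salts() {  # $1 = wp-config.php; succeeds only if all eight keys are present, 64 chars, distinct, not the placeholder
  seen=""
  for n in $KEY_NAMES; do
    val=$(grep "^define('$n'," "$1" | sed "s/^define('$n', *'\(.*\)');.*/\1/")
    [ -n "$val" ] && [ "$val" != "$PLACEHOLDER" ] && [ "${#val}" -eq 64 ] || return 1
    case "$seen" in *"|$val|"*) return 1 ;; esac   # the same value twice defeats having eight of them
    seen="$seen|$val|"
  done
  return 0
}
```

Run `check_salts wp-config.php` against a live config first; a non-zero exit means the file still carries placeholders, short keys or duplicates and `rotate_salts` should be applied.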

Page 26: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

Do you login with username admin?

Page 27: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

Page 28: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

3. Delete the Admin user account

Change the admin username in MySQL:

UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';

Or create a new account with administrator privileges:
1. Create a new account. Make the username very unique
2. Set account to Administrator role
3. Log out and log back in with new account
4. Delete admin account

WordPress will allow you to reassign all content written by admin to an account of your choice.

Page 29: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

3. Delete the Admin user account

WordPress lets you set the username during the installation process!

DON'T USE ADMIN!

Page 30: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

3. Delete the Admin user account

Knowing your username is half the battle. Don't make it easy on the hackers.

Page 31: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

4. File and Folder Permissions
What folder permissions should you use?

Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755

Start with the default settings above.

If your host requires 777…SWITCH HOSTS!

Page 32: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

4. File and Folder Permissions

Or via SSH with the following commands:

find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
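Added example, not from the talk: a shell audit that lists every file and folder deviating from the 644/755 rule of thumb, and separately anything world-writable (what a host "requiring 777" really hands out), before the two find/chmod commands from the slide are applied and the tree is re-checked. The sample tree is a constructed fixture and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 644 / 755 rule of thumb, list every deviation and
# anything world-writable, then apply the two find/chmod commands from the talk and re-check.

build_sample_tree() {  # $1 = target dir; constructed fixture with the kind of settings a bad host hands out
  mkdir -p "$1/wp-admin" "$1/wp-content/uploads"
  : > "$1/index.php"; : > "$1/wp-admin/admin.php"; : > "$1/wp-content/uploads/a.jpg"
  chmod 755 "$1" "$1/wp-admin"; chmod 644 "$1/index.php" "$1/wp-admin/admin.php"   # as they should be
  chmod 777 "$1/wp-content" "$1/wp-content/uploads"                                 # "host requires 777"
  chmod 666 "$1/wp-content/uploads/a.jpg"
}

audit_permissions() {  # $1 = root; one "dir <path>" or "file <path>" line per deviation from 755 / 644
  find "$1" -type d ! -perm 755 | sed 's/^/dir  /'
  find "$1" -type f ! -perm 644 | sed 's/^/file /'
}

world_writable() {  # $1 = root; entries any local user can modify, which is what 777 and 666 grant
  find "$1" -perm -002
}

fix_permissions() {  # $1 = root; the two commands from the slide, with the path filled in
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
}

count_lines() { wc -l | tr -d ' '; }   # helper for the checks below: lines on stdin, no padding
```

Review the `audit_permissions` output before running `fix_permissions`: a host that needs uploads writable by the web server will show up there, and that is a conversation with the host, not a reason to go back to 777.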

Page 33: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

5. Move wp-config.php

WordPress features the ability to move the wp-config.php file one directory above your WordPress root.

This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory.

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.

If WordPress is located here:
public_html/wordpress/wp-config.php

You can move your wp-config.php file to here:
public_html/wp-config.php

Page 34: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

6. Lock Down WP Login and WP Admin

Page 35: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

6. Lock Down WP Login and WP Admin

Add the code below to wp-config.php to force SSL (https) on login:

define('FORCE_SSL_LOGIN', true);

Add the code below to wp-config.php to force SSL (https) on all admin pages:

define('FORCE_SSL_ADMIN', true);

Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.

Page 36: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

6. Lock Down WP Login and WP Admin

1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.*

Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin.

Page 37: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

7. Use Trusted Sources for Themes & Plugins

WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Page 38: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

7. Use Trusted Sources for Themes & Plugins

The only safe site reviewed was WordPress.org.

Most themes included base64() encoded text links to promote various services.

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
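Added example, not from the talk: a shell triage pass over a WordPress tree for the two signatures this slide and the link-injection example describe, obfuscation wrappers such as base64_decode() and eval() in theme or plugin PHP, and user-agent checks that cloak output so only search-engine crawlers see it. Like the Exploit Scanner plugin listed later in the deck it only reports hits for a human to review and removes nothing, since legitimate code uses base64_decode() as well. The sample tree, file names and the `c3BhbQ==` string (base64 for "spam") are constructed fixtures; the function names are this example's own.

```shell
#!/bin/sh
# Added example: report PHP files under a WordPress tree that carry patterns seen in injected spam links.
# Legitimate plugins use base64_decode() too, so every hit is a lead for review, never an automatic delete.

# Obfuscation wrappers that hide injected markup, and crawler checks used to cloak it from normal visitors.
OBFUSCATION='(^|[^A-Za-z0-9_])(eval|base64_decode|gzinflate|str_rot13|create_function)[[:space:]]*\('
CLOAKING='HTTP_USER_AGENT.*(googlebot|bingbot|slurp|yandex)'

build_sample_tree() {  # $1 = target dir; constructed fixture, not real malware
  mkdir -p "$1/wp-content/themes/sample" "$1/wp-content/plugins/hello"
  cat > "$1/wp-content/themes/sample/header.php" <<'EOF'
<?php wp_head(); ?>
<title><?php bloginfo('name'); ?></title>
EOF
  cat > "$1/wp-content/themes/sample/footer.php" <<'EOF'
<?php
// constructed: base64 wrapper of the kind used to hide injected links ("c3BhbQ==" is just "spam")
eval(base64_decode('c3BhbQ=='));
// constructed: cloaking check, so only search-engine crawlers are served the hidden links
if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) { echo $hidden_links; }
EOF
  cat > "$1/wp-content/plugins/hello/hello.php" <<'EOF'
<?php
/* Plugin Name: Hello */
add_action('admin_notices', 'hello_notice');
EOF
}

scan_tree() {  # $1 = WordPress root; prints "category:path:line:code" per hit
  # /dev/null keeps grep off stdin if find passes no files and forces the filename prefix on every hit
  find "$1" -type f -name '*.php' -exec grep -HnE "$OBFUSCATION" /dev/null {} + | sed 's/^/obfuscation:/'
  find "$1" -type f -name '*.php' -exec grep -HinE "$CLOAKING" /dev/null {} + | sed 's/^/cloaking:/'
}

count_hits() {  # $1 = WordPress root; number of flagged lines
  scan_tree "$1" | wc -l | tr -d ' '
}

suspect_files() {  # $1 = WordPress root; unique paths to hand to whoever cleans the site
  scan_tree "$1" | cut -d: -f2 | sort -u
}
```

Because the link-injection example shows a clean-looking Multisite install acting as the carrier, run `scan_tree` over every site on the hosting account, not just the one showing spam.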

Page 39: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

8. Be Secure Locally

Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!

Keep your computer up to date
• Ensure you’re patching or installing updates ASAP
• Automatic updates rock!

Install an anti-virus solution
• Ensure you’re keeping definitions current
• Automatic updates aren’t a bad idea here either!

Yes, personal firewalls still apply!

Page 40: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

8. Be Secure Locally

It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?

Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.

Connecting To Your Site(s)
Consider using sFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don’t store your credentials in your FTP client.

Page 41: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

9. Use a Trusted Host

You get what you pay for…

Page 42: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

9. Use a Trusted Host

"At the end of the day, hosting providers market the world. You, in turn, should have the opportunity to know how they’re going to protect you."

Your Lovely Host!
• Cheap doesn’t always mean best, or safe!!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?

Page 43: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

9. Use a Trusted Host

Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!

Page 44: WordPress Security from WordCamp NYC 2012

TOP SECURITY TIPS FOR WORDPRESS

10. Use Common Sense

• Use a strong password
  • BAD: bradisawesome
  • GOOD: SCrEE79joLly$
  • A=@, E=3, S=$, O=0 (This is not unique, they know this)
• Update passwords regularly (Monthly, make a schedule)
• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)
• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)

Page 45: WordPress Security from WordCamp NYC 2012

PLUGINS & SERVICES FOR WORDPRESS

Plugins & Services

Page 46: WordPress Security from WordCamp NYC 2012

PLUGINS & SERVICES FOR WORDPRESS

Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/

Page 47: WordPress Security from WordCamp NYC 2012

PLUGINS & SERVICES FOR WORDPRESS

BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/

• .htaccess lockdown rules for various directories (root, wp-admin, etc)
• Security status scanner for folder/file permissions and file checks
• Very well documented

Page 48: WordPress Security from WordCamp NYC 2012

PLUGINS & SERVICES FOR WORDPRESS

Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/

• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!

Page 49: WordPress Security from WordCamp NYC 2012

PLUGINS & SERVICES FOR WORDPRESS

Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/

• Scans your files and database for potentially malicious code
• Does not remove code, only detects it

Page 50: WordPress Security from WordCamp NYC 2012

PLUGINS & SERVICES FOR WORDPRESS

Sucuri
http://Sucuri.net

• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/
• Website monitoring
• Hack cleanup services
• Sucuri Security Plugin
  • Free to clients
  • Web Application Firewall
  • Integrity Monitoring
  • Auditing
  • Hardening

Page 51: WordPress Security from WordCamp NYC 2012

RESOURCES FOR WORDPRESS

• Security Related Articles
  • http://codex.wordpress.org/Hardening_WordPress
  • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
• Clean a Hacked Site
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://www.marketingtechblog.com/wordpress-hacked/
• Support Forums
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware

Page 52: WordPress Security from WordCamp NYC 2012

CONTACT BRAD

Brad Williams
[email protected]
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad

Professional WordPress Second Edition coming December 2012!