2. WHO IS BRAD?
Brad Williams
Co-Founder, WebDevStudios.com
Co-Author, Professional WordPress & Professional WordPress Plugin Development
Co-Organizer, WordCamp Philly
Co-Host, WP Late Night
Brad Williams
@williamsba
3. HAPPY BIRTHDAY TO BRAD
…and it's my birthday today!
4. TODAY'S TOPICS
• Security Stats
• Example Hack
• Top Security Tips
• Recommended Plugins & Services
• Resources
5. SECURITY STATS FOR WORDPRESS
Security Stats
7. SECURITY STATS
Websites
• 700+ million websites, May 2012 (Netcraft)
• 300 million websites in 2011 (Pingdom)
• 10+ billion indexed pages (WorldWebSize)
Projected:
• 1 billion websites by 2013
• 2 billion websites by 2015
(Chart: number of websites in millions, 2011, 2012, 2013 and 2015 projected)
8. SECURITY STATS
WordPress Stats
• 73+ million WordPress-powered websites
• 16% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 million WordPress sites by 2015
9. SECURITY STATS
Web Malware Stats
• 403 million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 and 2011
11. HACK EXAMPLE
Link Injection
Hacker bots look for known exploits (SQL injection, weak folder permissions, etc.). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
12. HACK EXAMPLE
Link Injection
The hosting account contained two separate websites: a WordPress install and a WordPress Multisite install.
13. HACK EXAMPLE
Link Injection
A hacker bot dropped a malicious file on the WP Multisite install.
14. HACK EXAMPLE
Link Injection
The WordPress Multisite install then starts hacking the WordPress install, inserting spam links into its theme, plugins, and core files.
15. HACK EXAMPLE
Link Injection
The WP Multisite install itself contains no spam links. It acts as a carrier to spread the contamination.
Cleaning up the WordPress website only resulted in more spam links a few days later.
17. HACK EXAMPLE
Link Injection
375 spam links per page, only shown to search engines.
This is cloaking: the injected code serves the links only when the request's User-Agent looks like a crawler, so the site owner never sees them in a browser. To check a site, fetch a page with a search-engine User-Agent (for example curl -A with a Googlebot string) and compare it with a normal fetch, or look at the search engine's cached copy of the page.
18. Scared Yet?
19. TOP SECURITY TIPS FOR WORDPRESS
That's it! Good luck!
20. TOP SECURITY TIPS FOR WORDPRESS
Securing WordPress
21. TOP SECURITY TIPS FOR WORDPRESS
1. Update, Update, Update
Keep WordPress updated!
Minor WordPress versions (i.e. 3.3.x) do NOT add new features. They contain bug fixes and security patches.
22. TOP SECURITY TIPS FOR WORDPRESS
1. Update, Update, Update
Update those plugins!
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
23. TOP SECURITY TIPS FOR WORDPRESS
1. Update, Update, Update
NO EXCUSES! UPDATE!
24. TOP SECURITY TIPS FOR WORDPRESS
2. Use Secret Keys
Some secrets should remain secrets.
25. TOP SECURITY TIPS FOR WORDPRESS
2. Use Secret Keys
The eight keys and salts in wp-config.php are secret values that WordPress mixes into the hashes it puts in login cookies and nonces. With unique random values, an attacker who steals your database (or a password hash) still cannot forge a valid session cookie. Changing them invalidates every existing login, which is exactly what you want after a compromise.
1. Edit wp-config.php
BEFORE
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
AFTER
define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
(The values above are the slide's own example and are now public; never paste them into a real site. Every install needs its own freshly generated set.)
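The check and the generation step, as an added shell example that is not part of the original slides. It assumes wp-config.php uses the stock one-line define('NAME', 'value'); layout, and it generates values offline from /dev/urandom instead of fetching them from api.wordpress.org (useful on a box with no outbound HTTP). The character set deliberately excludes the single quote and the backslash so the result is always safe inside a PHP single-quoted string.

```shell
#!/bin/sh
# Added example (not from the slides): audit and generate the wp-config.php
# keys/salts. Assumes one define('NAME', 'value'); per line as in the stock file.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one random 64-character value. No ' or \ so it never breaks the PHP string.
wp_salt_value() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~-' </dev/urandom | head -c 64
}

# Print a complete set of eight define() lines ready to paste into wp-config.php.
wp_salt_gen() {
    for name in $WP_SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_salt_value)"
    done
}

# Audit a wp-config.php: exit 0 only if all eight keys are defined and none
# still carries the stock placeholder. Prints each offending key on its own line.
wp_salt_check() {
    config=$1
    bad=0
    for name in $WP_SALT_NAMES; do
        line=$(grep -E "^[[:space:]]*define\('$name'," "$config" | head -n 1)
        if [ -z "$line" ]; then
            echo "$name: missing"
            bad=1
        elif printf '%s\n' "$line" | grep -q "put your unique phrase here"; then
            echo "$name: placeholder"
            bad=1
        fi
    done
    return $bad
}

# Usage: wp_salt_check /var/www/site/wp-config.php || wp_salt_gen
```

Run wp_salt_check against every install in the hosting account; an install that still reports "placeholder" was set up by copying wp-config-sample.php without ever visiting the salt URL.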
26. TOP SECURITY TIPS FOR WORDPRESS
Do you log in with the username admin?
28. TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
Change the admin username in MySQL (replace wp_ with your table prefix if you changed it). Update user_nicename and display_name at the same time: the author archive URL (e.g. /author/admin/) is built from user_nicename, and the display name is printed on every post, so leaving either as "admin" keeps revealing the old login name.
UPDATE wp_users SET user_login='hulkster', user_nicename='hulkster', display_name='hulkster' WHERE user_login='admin';
Or create a new account with administrator privileges:
1. Create a new account. Make the username very unique.
2. Set the account to the Administrator role.
3. Log out and log back in with the new account.
4. Delete the admin account. WordPress will allow you to reassign all content written by admin to an account of your choice.
29. TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
WordPress lets you set the username during the installation process!
DON'T USE ADMIN!
30. TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
Knowing your username is half the battle. Don't make it easy on the hackers.
31. TOP SECURITY TIPS FOR WORDPRESS
4. File and Folder Permissions
What folder permissions should you use?
Good rule of thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above. wp-config.php can usually be tightened further to 640 (or 600 if PHP runs as the file owner), and wp-content/uploads is the one place that genuinely has to be writable by the web server user.
If your host requires 777… SWITCH HOSTS! World-writable files are exactly what the link-injection bots in the hack example are looking for.
32. TOP SECURITY TIPS FOR WORDPRESS
4. File and Folder Permissions
Or via SSH with the following commands (the semicolon must be escaped so the shell passes it to find):
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
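An audit-then-fix version of the commands above, added here as an example and not taken from the slides. It assumes a POSIX find and chmod, that the path given is the WordPress root, and that wp-config.php may be tightened to 640 because the web server runs as the file owner or as a member of its group (if PHP runs as a different user, keep 644 for that file).

```shell
#!/bin/sh
# Added example (not from the slides): audit and fix WordPress permissions.
# Assumes the given path is the WordPress root and that 640 on wp-config.php
# is readable by the PHP process (owner or group).

# List every world-writable file or directory under $1 (the "777 problem").
# Exit 0 if the tree is clean, 1 if anything was listed.
wp_perm_audit() {
    root=$1
    hits=$(find "$root" \( -type f -o -type d \) -perm -002)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Apply the rule of thumb from the slides (folders 755, files 644), then
# restrict wp-config.php to 640 since nothing but PHP needs to read it.
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

# Usage: wp_perm_audit /var/www/example || wp_perm_fix /var/www/example
```

Run the audit first and read the list: a world-writable wp-content/uploads is expected on some hosts, but a world-writable theme or plugin directory is the foothold described in the hack example, and a world-writable core file usually means the injection has already happened.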
33. TOP SECURITY TIPS FOR WORDPRESS
5. Move wp-config.php
WordPress features the ability to move the wp-config.php file one directory above your WordPress root.
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
This makes it much harder for anyone to fetch your wp-config.php file from a browser, because it now resides outside of your website's root directory. A working PHP handler never serves the file's source anyway; the move protects you when that handler is broken or misconfigured, or when an editor leaves a backup copy such as wp-config.php~ that the server would happily serve as plain text.
Caveat: this only helps if the parent directory is itself outside the web server's document root. In the example above that holds only if the site's document root is public_html/wordpress; if public_html is the document root, public_html/wp-config.php is still reachable and you gain nothing. Check by requesting /wp-config.php and /wp-config.php~ in a browser: anything other than a blank page, 403 or 404 means the file is exposed.
34. TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
35. TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
Add the code below to wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Add the code below to wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens in WordPress encrypts your password and your login cookie in transit, with the same encryption as online shopping, so neither can be sniffed on an open Wi-Fi network.
Both settings need a valid certificate for your domain first, or browsers will warn on every admin page. FORCE_SSL_ADMIN also covers the login page, and WordPress 4.0 deprecated FORCE_SSL_LOGIN in its favour, so on current versions FORCE_SSL_ADMIN alone is enough.
36. TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP addresses to whitelist
allow from 67.123.83.59
allow from 123.123.123.*
Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin. (The four Auth* lines are inert without a Require directive; the access control is done by the order/deny/allow lines.)
Caveats: this covers the /wp-admin/ directory only. wp-login.php lives in the site root and needs its own rule. wp-admin/admin-ajax.php is requested by themes and plugins on the public site, including for logged-out visitors, so add a <Files admin-ajax.php> section that allows everyone (Satisfy any) or those features break for anyone outside the whitelist. The order/deny/allow syntax is Apache 2.2; Apache 2.4 expresses the same rule as "Require ip 67.123.83.59".
37. TOP SECURITY TIPS FOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
WPMU.org reviewed the top 10 results for "free wordpress themes" on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
38. TOP SECURITY TIPS FOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
The only safe site reviewed was WordPress.org.
Most themes included base64()-encoded text links to promote various services. The encoding exists purely so that the links are not visible when you read the theme's PHP, so a call to base64_decode() or eval() in a theme or plugin file is a reliable thing to grep for before you install it.
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
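A scanner for the obfuscation idioms just described, plus the crawler-versus-browser comparison that exposes the cloaked spam links from the hack example (slides 11 to 17). This is an added shell example, not code from the slides or from WPMU.org. It assumes a grep that supports -r, -l, -E and --include (GNU and BSD grep both do), and it assumes the two HTML files given to the cloaking check were saved from the same URL, one fetched with a normal User-Agent and one with a search-engine User-Agent. The patterns also flag legitimate code that happens to use these functions, so every hit needs a human look.

```shell
#!/bin/sh
# Added example (not from the slides): find injected/obfuscated code and
# detect cloaked spam links. Assumes GNU/BSD grep with -r/-l/-E/--include.

# Print each PHP/JS file under $1 that contains a common obfuscation idiom.
# Exit 0 if nothing was found, 1 otherwise. Run it against EVERY site in the
# hosting account: in the slides' case the clean-looking Multisite install was
# the carrier that kept re-infecting the site that had been cleaned.
wp_scan_injected() {
    root=$1
    hits=$(grep -rlE --include='*.php' --include='*.js' \
        'base64_decode[[:space:]]*\(|eval[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e' \
        "$root" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Count anchor tags in a saved HTML file.
wp_count_links() {
    grep -io '<a[[:space:]][^>]*href' "$1" | wc -l | tr -d ' '
}

# Compare the link count of a page as a browser sees it ($1) with the same
# page fetched with a search-engine User-Agent ($2). A big difference is the
# cloaking from the hack example: spam links shown only to crawlers.
# Prints both counts; exit 0 if they match, 1 if they differ.
wp_cloak_check() {
    browser=$(wp_count_links "$1")
    crawler=$(wp_count_links "$2")
    echo "browser=$browser crawler=$crawler"
    [ "$browser" -eq "$crawler" ]
}

# Usage:
#   wp_scan_injected /var/www/site1; wp_scan_injected /var/www/site2
#   curl -s -A 'Mozilla/5.0' https://example.com/ > browser.html
#   curl -s -A 'Googlebot/2.1 (+http://www.google.com/bot.html)' https://example.com/ > crawler.html
#   wp_cloak_check browser.html crawler.html
```

The cloaking check is the quick confirmation that a "clean" site is still serving spam; the scanner is how you find the file doing it, and it has to be run on the neighbouring installs too, not only the one that shows symptoms.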
39. TOP SECURITY TIPS FOR WORDPRESS
8. Be Secure Locally
Think of your local environment as if it were a medieval castle and you're the queen or king. Your kingdom must be protected!
Keep your computer up to date
• Ensure you're patching or installing updates ASAP
• Automatic updates rock!
Install an anti-virus solution
• Ensure you're keeping definitions current
• Automatic updates aren't a bad idea here either!
Yes, personal firewalls still apply!
40. TOP SECURITY TIPS FOR WORDPRESS
8. Be Secure Locally
It's your information, but who's watching & listening? You may be a network geek at home, but what happens at Starbucks?
Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.
Connecting To Your Site(s)
Consider using SFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don't store your credentials in your FTP client.
41. TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
You get what you pay for…
42. TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
At the end of the day, hosting providers market to the whole world. You in turn should have the opportunity to know how they're going to protect you.
Your Lovely Host!
• Cheap doesn't always mean best, or safe!!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?
43. TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress-specific hosting!
44. TOP SECURITY TIPS FOR WORDPRESS
10. Use Common Sense
• Use a strong password
  • BAD: bradisawesome
  • GOOD: SCrEE79joLly$
  • Letter swaps such as A=@, E=3, S=$, O=0 add nothing: they are not unique, and cracking wordlists already include them.
• Update passwords regularly (monthly, make a schedule), and immediately after any suspected compromise.
• Know your admins, limit the number of accounts (WP, FTP, Hosting, etc.)
• Backup, Backup, Backup (use BackupBuddy for scheduled backups). Keep copies off the server: a backup stored inside the hacked account gets reinfected or deleted along with the site.
45. PLUGINS & SERVICES FOR WORDPRESS
Plugins & Services
46. PLUGINS & SERVICES FOR WORDPRESS
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
47. PLUGINS & SERVICES FOR WORDPRESS
BulletProof Security
• .htaccess lockdown rules for various directories (root, wp-admin, etc.)
• Security status scanner for folder/file permissions and file checks
• Very well documented
http://wordpress.org/extend/plugins/bulletproof-security/
48. PLUGINS & SERVICES FOR WORDPRESS
Secure WordPress
• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!
http://wordpress.org/extend/plugins/secure-wordpress/
49. PLUGINS & SERVICES FOR WORDPRESS
Exploit Scanner
• Scans your files and database for potentially malicious code
• Does not remove code, only detects it
http://wordpress.org/extend/plugins/exploit-scanner/
51. RESOURCES FOR WORDPRESS
• Security Related Articles
  • http://codex.wordpress.org/Hardening_WordPress
  • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
  • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
• Clean a Hacked Site
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://www.marketingtechblog.com/wordpress-hacked/
• Support Forums
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware
52. CONTACT BRAD
Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Professional WordPress, Second Edition, coming December 2012!