WORDPRESS SECURITY
by Brad Williams

Brad Williams
@williamsba
WHO IS BRAD?

Brad Williams

Co-Founder, WebDevStudios.com
Co-Author, Professional WordPress & Professional WordPress Plugin Development
Co-Organizer, WordCamp Philly
Co-Host, WP Late Night
HAPPY BIRTHDAY TO BRAD

…and it's my Birthday today!
TODAY'S TOPICS

• Security Stats
• Example Hack
• Top Security Tips
• Recommended Plugins & Services
• Resources
SECURITY STATS FOR WORDPRESS

Security Stats
SECURITY STATS

Websites
• 700+ million websites, May 2012 (Netcraft)
• 300 million websites in 2011 (Pingdom)
• 10+ billion indexed pages (WorldWebSize)

Projected:
• 1 billion websites by 2013
• 2 billion websites by 2015

[Chart: Websites (millions), 2011 through 2015]
SECURITY STATS

WordPress Stats

• 73+ million WordPress-powered websites
• 16% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 million WordPress sites by 2015
SECURITY STATS

Web Malware Stats

• 403 million unique variants of malware in 2011 (Symantec)
    • 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 and 2011
SECURITY STATS

In Summary – Be Scared!
HACK EXAMPLE

Link Injection

Hacker bots look for known exploits (SQL injection, folder permissions, etc.)
This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
HACK EXAMPLE

Link Injection

Hosting account contained two separate websites:

    [WordPress]    [WordPress Multisite]
HACK EXAMPLE

Link Injection

Hacker bot dropped a malicious file on a WP Multisite install

    [WordPress]    [WordPress Multisite] <-- malicious file
HACK EXAMPLE

Link Injection

WordPress Multisite starts hacking WordPress install
Inserting spam links into the theme, plugins, and core files

    [WordPress] <-- [WordPress Multisite]
HACK EXAMPLE

Link Injection

WP Multisite contains no spam links
Acts as a carrier to spread the contamination

    [WordPress] <-- [WordPress Multisite]

Cleaning up the WordPress website only resulted in more spam links a few days later

Lesson: two sites under one hosting account run as the same user and can write to each other's files, so they share one attack surface. Clean, patch and re-secure every site on the account at the same time, or the dropper on the untouched one simply reinfects the clean one.
HACK EXAMPLE

Link Injection

375 spam links per page, only shown to search engines

Because the links are cloaked, the site looks clean in a normal browser. Check with a search-engine User-Agent (or Google's cached copy of the page), not just by viewing the source yourself.
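One way to surface the cloaked links the slide describes is to fetch the page twice, once as a browser and once as a crawler, and diff the link sets. The script below is an added example and is not part of the original slides: the two SAMPLE_* HTML strings are constructed stand-ins for those two responses, the User-Agent strings are illustrative, and fetch()/check_url() are the only parts that touch the network.

```python
"""Find links a page serves only to search engines (cloaked spam), by comparing
the link set from a browser fetch with the link set from a crawler fetch.
Added example, not code from the slides."""
from html.parser import HTMLParser
from urllib.request import Request, urlopen

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collect every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, crawler_html):
    """Links present in the crawler's copy of the page but absent from the browser's."""
    visible = set(extract_links(browser_html))
    return [href for href in extract_links(crawler_html) if href not in visible]


def fetch(url, user_agent):
    """Fetch url with a chosen User-Agent. Network access; not used by the offline sample."""
    request = Request(url, headers={"User-Agent": user_agent})
    with urlopen(request, timeout=20) as response:
        return response.read().decode("utf-8", errors="replace")


def check_url(url):
    """Fetch the live page both ways and report what only the crawler sees."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed stand-ins for the two responses: the crawler gets a hidden block
# of spam links that a browser never receives.
SAMPLE_BROWSER = '<html><body><a href="/about">About</a> <a href="/contact">Contact</a></body></html>'
SAMPLE_CRAWLER = (
    '<html><body><a href="/about">About</a> <a href="/contact">Contact</a>'
    '<div style="display:none"><a href="http://pharmacy.example/buy">cheap pills</a>'
    '<a href="http://casino.example/">casino</a></div></body></html>'
)

if __name__ == "__main__":
    for href in cloaked_links(SAMPLE_BROWSER, SAMPLE_CRAWLER):
        print("cloaked:", href)
```

Some injectors key on the crawler's IP range rather than the User-Agent, so when a User-Agent swap shows nothing, compare against the search engine's cached copy of the page as well.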
Scared Yet?
TOP SECURITY TIPS FOR WORDPRESS

That's It! Good luck!
TOP SECURITY TIPS FOR WORDPRESS

Securing WordPress
TOP SECURITY TIPS FOR WORDPRESS

1. Update Update Update

Keep WordPress Updated!

Minor WordPress versions (i.e. 3.3.x) do NOT add new features.
They contain bug fixes and security patches.

(Since WordPress 3.7, minor releases install themselves in the background unless automatic updates have been disabled; leave them on.)
TOP SECURITY TIPS FOR WORDPRESS

1. Update Update Update

Update Those Plugins!

The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
TOP SECURITY TIPS FOR WORDPRESS

1. Update Update Update

NO EXCUSES! UPDATE!
TOP SECURITY TIPS FOR WORDPRESS

2. Use Secret Keys

Some secrets should remain secrets
TOP SECURITY TIPS FOR WORDPRESS

2. Use Secret Keys

The eight keys and salts are random strings that WordPress mixes into the hashes it uses to sign login cookies and nonces. Set them to unique values: if the placeholders are left in place, WordPress falls back to a value it generates and stores in the database, where a SQL injection or a stolen backup exposes it, whereas a value in wp-config.php never touches the database. Changing the keys also invalidates every existing login cookie, which is exactly what you want after a compromise.

1. Edit wp-config.php

BEFORE:

    define('AUTH_KEY',         'put your unique phrase here');
    define('SECURE_AUTH_KEY',  'put your unique phrase here');
    define('LOGGED_IN_KEY',    'put your unique phrase here');
    define('NONCE_KEY',        'put your unique phrase here');
    define('AUTH_SALT',        'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT',   'put your unique phrase here');
    define('NONCE_SALT',       'put your unique phrase here');

AFTER:

    define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
    define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
    define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
    define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
    define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
    define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
    define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
    define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');

(The values above are now public, having been on a slide; never reuse a key that has appeared anywhere outside your own wp-config.php.)

2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
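The wordpress.org URL above generates the eight defines for you; the script below does the same job offline and writes them into an existing wp-config.php in place of the placeholders. It is an added example, not code from the slides or from WordPress: the alphabet is the one WordPress's own wp_generate_password(64, true, true) draws from (taken from the WordPress source), the names rotate_salts and rotate_file are this example's, and SAMPLE_CONFIG is a constructed stand-in for the BEFORE block.

```python
"""Generate fresh WordPress keys and salts offline and write them into
wp-config.php in place of the 'put your unique phrase here' placeholders.
Added example, not code from the slides or from WordPress."""
import os
import re
import secrets
import shutil

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Same character set WordPress's wp_generate_password(64, true, true) uses, which is
# what api.wordpress.org/secret-key/1.1/salt returns. It contains no quote and no
# backslash, so a value can sit inside a PHP single-quoted string unescaped.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()" "-_ []{}<>~`+=,.;:/?|")
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'[^']*'\s*\);")


def generate_salt(length=64):
    """64 characters from the OS CSPRNG, like the wordpress.org generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salts():
    return {name: generate_salt() for name in KEY_NAMES}


def has_placeholders(config_text):
    return PLACEHOLDER in config_text


def rotate_salts(config_text, salts=None):
    """Return config_text with all eight defines replaced. Raises if any define is
    absent, rather than silently leaving an old or placeholder value behind."""
    salts = salts or generate_salts()
    seen = set()

    def replace(match):
        name = match.group(1)
        seen.add(name)
        return "define('%s', '%s');" % (name, salts[name])

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = [name for name in KEY_NAMES if name not in seen]
    if missing:
        raise ValueError("wp-config.php has no define for: " + ", ".join(missing))
    return new_text


def rotate_file(path):
    """Rewrite wp-config.php atomically, keeping its permission bits. Every
    logged-in user is signed out afterwards, because their auth cookies were
    signed with the old keys."""
    with open(path, encoding="utf-8") as fh:
        new_text = rotate_salts(fh.read())
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    shutil.copymode(path, tmp)
    os.replace(tmp, path)


# Constructed stand-in for the BEFORE block on the slide.
SAMPLE_CONFIG = "".join("define('%s', '%s');\n" % (name, PLACEHOLDER) for name in KEY_NAMES)

if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

Run rotate_file("/path/to/wp-config.php") from a shell on the server; rotating the keys is also the quickest way to kick out any session an attacker established with a stolen cookie.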
TOP SECURITY TIPS FOR WORDPRESS

Do you login with username admin?
TOP SECURITY TIPS FOR WORDPRESS

3. Delete the Admin user account

Change the admin username in MySQL:

    UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';

(user_login is the name WordPress authenticates against. Also update user_nicename and display_name if you don't want "admin" still appearing in author archive URLs and bylines, and adjust the wp_ table prefix if your install uses a different one.)

Or create a new account with administrator privileges:

1. Create a new account. Make the username very unique
2. Set account to Administrator role
3. Log out and log back in with new account
4. Delete admin account

WordPress will allow you to reassign all content written by admin to an account of your choice.
TOP SECURITY TIPS FOR WORDPRESS

3. Delete the Admin user account

WordPress lets you set the username during the installation process!

DON'T USE ADMIN!
TOP SECURITY TIPS FOR WORDPRESS

3. Delete the Admin user account

Knowing your username is half the battle.

Don't make it easy on the hackers.
TOP SECURITY TIPS FOR WORDPRESS

4. File and Folder Permissions

What folder permissions should you use?

Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755

Start with the default settings above
If your host requires 777…SWITCH HOSTS!

(777 makes the file writable by every account on the server, so any compromised neighbour on a shared host can rewrite your theme. A host that needs it has PHP running as a different user than the one who owns your files, which is the real problem.)
TOP SECURITY TIPS FOR WORDPRESS

4. File and Folder Permissions

Or via SSH with the following commands (the semicolon that ends -exec must be escaped, or the shell eats it before find sees it):

    find [your path here] -type d -exec chmod 755 {} \;
    find [your path here] -type f -exec chmod 644 {} \;
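Before running the chmod commands above it is worth seeing what actually deviates, especially anything sitting at 777. The script below is an added example, not code from the slides: audit() walks the tree, reports every file or directory whose mode differs from 644/755, flags world-writable entries, and only changes anything when fix=True. make_sample_tree() and demo() build a constructed mini install in a temp directory to run it against; the example deliberately assumes nothing about a tighter mode for wp-config.php, since that depends on which user PHP runs as.

```python
"""Audit a WordPress tree against the 644 (files) / 755 (folders) rule.
Added example, not code from the slides. Reports first; fixes only when asked."""
import os
import shutil
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755


def audit(root, fix=False):
    """Return (relative_path, current, expected, world_writable) for every entry whose
    permission bits differ from the rule. With fix=True, chmod each one to the rule."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Every directory appears exactly once as dirpath, so it is checked here
        # together with the files it contains.
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, name), FILE_MODE) for name in filenames]
        for path, expected in entries:
            if os.path.islink(path):
                continue  # never chmod through a symlink
            current = stat.S_IMODE(os.lstat(path).st_mode)
            if current == expected:
                continue
            world_writable = bool(current & stat.S_IWOTH)  # the 777 case from the slide
            findings.append((os.path.relpath(path, root), oct(current), oct(expected), world_writable))
            if fix:
                os.chmod(path, expected)
    return findings


def make_sample_tree(root):
    """Constructed sample install: everything correct except a 777 uploads
    directory and a 777 PHP file dropped inside it."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/cache.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // sample file\n")
        os.chmod(os.path.join(root, rel), FILE_MODE)
    for directory in (root, os.path.join(root, "wp-content"), uploads):
        os.chmod(directory, DIR_MODE)
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(uploads, "cache.php"), 0o777)


def demo():
    """Build the sample tree in a temp dir, audit it, fix it, audit again."""
    root = tempfile.mkdtemp()
    try:
        make_sample_tree(root)
        before = audit(root)
        audit(root, fix=True)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for path, current, expected, world_writable in demo()[0]:
        print("%s is %s, expected %s%s" % (path, current, expected,
                                           " (WORLD WRITABLE)" if world_writable else ""))
```

Against a real install, call audit("/path/to/wordpress") first and read the list; a PHP file that is world-writable inside wp-content/uploads is a stronger signal of a dropped backdoor than of a lazy FTP client.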
TOP SECURITY TIPS FOR WORDPRESS

5. Move wp-config.php

WordPress features the ability to move the wp-config.php file one directory above your WordPress root.

If WordPress is located here:

    public_html/wordpress/wp-config.php

You can move your wp-config.php file to here:

    public_html/wp-config.php

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory (provided the parent directory does not itself contain a wp-settings.php, i.e. is not another WordPress install).

This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website's root directory.

Caveat: that is only true when the parent directory is above the web server's document root. If public_html is the document root, public_html/wp-config.php is still under it and is protected only because PHP executes the file instead of serving it; a broken PHP handler would hand out the database password as plain text. Move it one level above public_html where the host allows, and wherever it lives keep it unreadable to other accounts on the server.
TOP SECURITY TIPS FOR WORDPRESS

6. Lock Down WP Login and WP Admin
TOP SECURITY TIPS FOR WORDPRESS

6. Lock Down WP Login and WP Admin

Add the code below to wp-config.php to force SSL (https) on login:

    define('FORCE_SSL_LOGIN', true);

Add the code below to wp-config.php to force SSL (https) on all admin pages:

    define('FORCE_SSL_ADMIN', true);

Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.

Note: FORCE_SSL_LOGIN was deprecated in WordPress 4.0; FORCE_SSL_ADMIN covers the login page as well, so on current versions set only that one. Both constants assume the site already answers on https with a valid certificate; without one they just produce a redirect loop or a browser warning.
TOP SECURITY TIPS FOR WORDPRESS

6. Lock Down WP Login and WP Admin

1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    #IP address to Whitelist
    allow from 67.123.83.59
    allow from 123.123.123.*

Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin

Caveats: order/deny/allow is Apache 2.2 syntax; on Apache 2.4 use Require ip 67.123.83.59 and Require ip 123.123.123.0/24 instead. This file does not cover wp-login.php, which lives in the site root, so it limits post-login admin access rather than password guessing. wp-admin/admin-ajax.php is also called by plugins on behalf of ordinary visitors, so exempt it with a <Files admin-ajax.php> block or front-end features will break. And the whitelist only helps from fixed addresses; it locks you out of your own site from coffee-shop wifi.
TOP SECURITY TIPS FOR WORDPRESS

7. Use Trusted Sources for Themes & Plugins

WPMU.org reviewed the top 10 results for "free wordpress themes" on Google.

Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
TOP SECURITY TIPS FOR WORDPRESS

7. Use Trusted Sources for Themes & Plugins

The only safe site reviewed was WordPress.org

Most themes included base64()-encoded text links to promote various services. The encoding exists to hide the links from anyone skimming footer.php; grep a theme for base64_decode and eval before activating anything you did not get from WordPress.org.

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
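One way to find the base64-encoded links from this slide, and the links injected into theme and plugin files in the hack example earlier, is to scan the tree for the usual obfuscation calls and decode any long base64 run to see what it hides. This is an added example, not code from the slides or from any plugin: the INJECTED_FOOTER and CLEAN_FOOTER samples are constructed, and the signature list is a heuristic starting point, not a malware definition set. Like Exploit Scanner later in the deck, it detects and does not delete.

```python
"""Scan theme/plugin files for the injection patterns the slides describe:
base64-encoded footer links, eval'd payloads and CSS-hidden link blocks.
Added example, not the slides' own code. Detection only; review every hit by
hand before removing anything."""
import base64
import os
import re

# (label, pattern) pairs. Every one is a heuristic: a hit is a lead, not proof.
SIGNATURES = [
    ("base64_decode call", re.compile(r"base64_decode\s*\(", re.I)),
    ("eval call", re.compile(r"(?<![\w$])eval\s*\(", re.I)),
    ("gzinflate/str_rot13 obfuscation", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace with /e modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*?/[imsxu]*e[imsxu]*['\"]", re.I)),
    ("CSS-hidden link block", re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I)),
]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_links(text):
    """Decode long base64 runs and return the ones that hide HTML links or URLs."""
    found = []
    for blob in BASE64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or not really base64; not what we are looking for
        if "<a " in decoded.lower() or "http" in decoded.lower():
            found.append(decoded)
    return found


def scan_text(text, name="<text>"):
    """Return (name, line_number, label, snippet) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append((name, lineno, label, line.strip()[:80]))
        for decoded in decoded_links(line):
            findings.append((name, lineno, "base64-hidden link", decoded[:80]))
    return findings


def scan_tree(root, extensions=(".php", ".js", ".html", ".css")):
    """Scan every matching file under root (e.g. wp-content/themes)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(extensions):
                path = os.path.join(dirpath, filename)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed samples: a "free theme" footer with an encoded spam link, and a clean one.
SPAM_LINK = '<a href="http://pharma.example/">cheap pills</a>'
INJECTED_FOOTER = "<?php echo base64_decode('%s'); ?>\n" % base64.b64encode(SPAM_LINK.encode()).decode()
CLEAN_FOOTER = "<?php wp_footer(); ?>\n<p>&copy; <?php echo date('Y'); ?></p>\n"

if __name__ == "__main__":
    for finding in scan_text(INJECTED_FOOTER, "footer.php"):
        print(finding)
```

Point scan_tree at wp-content/themes and wp-content/plugins; expect some noise from legitimate plugins that use base64_decode for data URIs, which is why the decoded content is shown rather than the file simply being flagged.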
TOP SECURITY TIPS FOR WORDPRESS

8. Be Secure Locally

Think of your local environment as if it was a medieval castle and you're the queen or king. Your kingdom must be protected!

Keep your computer up to date
• Ensure you're patching or installing updates ASAP
• Automatic updates rock!

Install an anti-virus solution
• Ensure you're keeping definitions current
• Automatic updates aren't a bad idea here either!

Yes, personal firewalls still apply!
TOP SECURITY TIPS FOR WORDPRESS

8. Be Secure Locally

It's your information, but who's watching & listening? You may be a network geek at home, but what happens at Starbucks?

Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.

Connecting To Your Site(s)
Consider using SFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don't store your credentials in your FTP client.
TOP SECURITY TIPS FOR WORDPRESS

9. Use a Trusted Host

You get what you pay for…
TOP SECURITY TIPS FOR WORDPRESS

9. Use a Trusted Host

At the end of the day, hosting providers market the world. You in turn should have the opportunity to know how they're going to protect you.

Your Lovely Host!
• Cheap doesn't always mean best, or safe!!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?
TOP SECURITY TIPS FOR WORDPRESS

9. Use a Trusted Host

Only use a trusted host that clearly states their security policies.
Bonus points if they specialize in WordPress-specific hosting!
TOP SECURITY TIPS FOR WORDPRESS

10. Use Common Sense

• Use a strong password
    • BAD: bradisawesome
    • GOOD: SCrEE79joLly$
    • A=@, E=3, S=$, O=0 (This is not unique, they know this: every cracking wordlist applies these substitutions automatically; length and randomness are what count)
• Update passwords regularly (Monthly, make a schedule)
• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)
• Backup, Backup, Backup (Use BackupBuddy for scheduled backups, and keep copies off the server, since a compromised host can alter or delete backups stored next to the site)
PLUGINS & SERVICES FOR WORDPRESS

Plugins & Services
PLUGINS & SERVICES FOR WORDPRESS

Login Lockdown

    http://wordpress.org/extend/plugins/login-lockdown/
PLUGINS & SERVICES FOR WORDPRESS

BulletProof Security

• .htaccess lockdown rules for various directories (root, wp-admin, etc)
• Security status scanner for folder/file permissions and file checks
• Very well documented

    http://wordpress.org/extend/plugins/bulletproof-security/
PLUGINS & SERVICES FOR WORDPRESS

Secure WordPress

• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!

    http://wordpress.org/extend/plugins/secure-wordpress/
PLUGINS & SERVICES FOR WORDPRESS

Exploit Scanner

• Scans your files and database for potentially malicious code
• Does not remove code, only detects it

Because it runs on the possibly compromised site itself, treat a clean report as a hint, not proof; comparing core files against a fresh download of the same version catches what a signature list misses.

    http://wordpress.org/extend/plugins/exploit-scanner/
PLUGINS & SERVICES FOR WORDPRESS

http://Sucuri.net

• Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/
• Website monitoring
• Hack cleanup services
• Sucuri Security Plugin
    • Free to clients
    • Web Application Firewall
    • Integrity Monitoring
    • Auditing
    • Hardening

    http://Sucuri.net
RESOURCES FOR WORDPRESS

• Security Related Articles
    • http://codex.wordpress.org/Hardening_WordPress
    • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
    • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
    • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html

• Clean a Hacked Site
    • http://codex.wordpress.org/FAQ_My_site_was_hacked
    • http://www.marketingtechblog.com/wordpress-hacked/

• Support Forums
    • Hacked: http://wordpress.org/tags/hacked
    • Malware: http://wordpress.org/tags/malware
CONTACT BRAD

Brad Williams
brad@webdevstudios.com

Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad

Professional WordPress Second Edition
coming December 2012!
WordPress Security from WordCamp NYC 2012