WORDPRESS SECURITY
BY BRAD WILLIAMS

Brad Williams
@williamsba

WHO IS BRAD?

Brad Williams
Co-Founder: WebDevStudios.com
Co-Author: Professional WordPress & Professional WordPress Plugin Development
Co-Organizer: WordCamp Philly
Co-Host: DradCast
  
TODAY’S TOPICS

•  Security Stats
•  Example Hack
•  Top Security Tips
•  Recommended Plugins & Services
•  Resources
  
SECURITY STATS FOR WORDPRESS

Security Stats
  
SECURITY STATS

700+ million websites, May 2012 (Netcraft)
300 million websites in 2011 (Pingdom)
10+ billion indexed pages (WorldWebSize)

Projected:
•  1 Billion websites by 2013
•  2 Billion websites by 2015

[Chart: Websites by year (2011, 2012, 2013, 2015), y-axis 0 to 2500 (millions)]
  
WordPress Stats

•  73+ Million WordPress powered websites
•  18% of all websites are running WordPress
•  22 out of every 100 new domains in the U.S. launch with WordPress
•  Projected 300-500 Million WordPress sites by 2015
  
Web Malware Stats

•  403 Million unique variants of malware in 2011 (Symantec)
•  140% growth since 2010
•  81% increase in malicious web-based attacks between 2010 - 2011
  
In Summary – Be Scared!
  
	
  
HACK EXAMPLE

Link Injection

Hacker bots look for known exploits (SQL Injection, folder permissions, etc.)

This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
  
	
  
Hosting account contained two separate websites

[Diagram: the two sites, WordPress and WordPress Multisite]
  
Hacker bot dropped a malicious file on a WP Multisite install
  
WordPress Multisite starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files
  
WP Multisite contains no spam links. It acts as a carrier to spread the contamination.

Cleaning up the WordPress website only resulted in more spam links a few days later
  
  
375 spam links per page, only shown to search engines
	
  
Scared Yet?
  
TOP SECURITY TIPS FOR WORDPRESS

That’s It! Good luck!
  
Securing WordPress
  
1. Update Update Update

Keep WordPress Updated!

Minor WordPress versions (i.e. 3.5.x) do NOT add new features. They contain bug fixes and security patches.
  
Update Those Plugins!

The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
  
NO EXCUSES! UPDATE!
  
2. Use Secret Keys

Some secrets should remain secrets
  
1. Edit wp-config.php

A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.

2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt

BEFORE

    define('AUTH_KEY',         'put your unique phrase here');
    define('SECURE_AUTH_KEY',  'put your unique phrase here');
    define('LOGGED_IN_KEY',    'put your unique phrase here');
    define('NONCE_KEY',        'put your unique phrase here');
    define('AUTH_SALT',        'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT',   'put your unique phrase here');
    define('NONCE_SALT',       'put your unique phrase here');

AFTER

    define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
    define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
    define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
    define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
    define('AUTH_SALT',        'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
    define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
    define('LOGGED_IN_SALT',   '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
    define('NONCE_SALT',       'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
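An added example, not from the deck, that audits a wp-config.php for the eight constants above: it parses the define() lines, flags any value still set to the placeholder, any value reused for two constants, and any value shorter than the 64 characters the salt API returns. The BEFORE/AFTER configs it checks are constructed stand-ins (the AFTER values are not real generated salts).

```python
"""Audit the eight secret keys and salts in a wp-config.php.

Added example, not part of the deck. It parses the define() lines shown on
the slide and flags placeholders, short values and values reused across
constants. The BEFORE/AFTER configs below are constructed stand-ins; the
AFTER values are not real generated salts.
"""
import re

# The eight constants WordPress reads; the names come from the slide's excerpt.
SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 64  # api.wordpress.org/secret-key/1.1/salt returns 64-character values

# Matches define('NAME', 'value');  WordPress-generated values never contain ' or \
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^'\\]*)'\s*\)\s*;")


def parse_secrets(config_text):
    """Return {constant: value} for every secret constant defined in the text."""
    return {
        name: value
        for name, value in DEFINE_RE.findall(config_text)
        if name in SECRET_NAMES
    }


def audit_secrets(config_text):
    """Return a list of (constant, problem) pairs; empty means all eight look sane."""
    secrets = parse_secrets(config_text)
    problems = []
    for name in SECRET_NAMES:
        if name not in secrets:
            problems.append((name, "missing"))
        elif secrets[name] == PLACEHOLDER:
            problems.append((name, "placeholder"))
        elif len(secrets[name]) < MIN_LENGTH:
            problems.append((name, "short"))
    # Each constant protects a different cookie or nonce; one value doing two
    # jobs defeats the point, so report every reuse.
    first_seen = {}
    for name in SECRET_NAMES:
        value = secrets.get(name)
        if value is None or value == PLACEHOLDER:
            continue
        if value in first_seen:
            problems.append((name, "duplicate of " + first_seen[value]))
        else:
            first_seen[value] = name
    return problems


def render_config(values):
    """Build the define() block for a {constant: value} mapping (fixture helper)."""
    return "\n".join(f"define('{name}', '{values[name]}');" for name in SECRET_NAMES)


# Constructed BEFORE: what wp-config-sample.php ships with.
BEFORE = render_config({name: PLACEHOLDER for name in SECRET_NAMES})

# Constructed AFTER: eight distinct 64+ character stand-in values (not real salts).
AFTER = render_config({name: (name.lower() + "-") * 8 for name in SECRET_NAMES})


if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        problems = audit_secrets(text)
        print(f"{label}: {len(problems)} problem(s)")
        for name, problem in problems:
            print(f"  {name}: {problem}")
```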
  
Do you log in with username admin?
  
3. Delete the Admin user account

Change the admin username in MySQL:

    UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';

Or create a new account with administrator privileges:

1. Create a new account. Make the username very unique
2. Set account to Administrator role
3. Log out and log back in with new account
4. Delete admin account

WordPress will allow you to reassign all content written by admin to an account of your choice.
  
WordPress lets you set the username during the installation process!

DON'T USE ADMIN!
  
Knowing your username is half the battle.

Don't make it easy on the hackers.
  
4. File and Folder Permissions

What folder permissions should you use?

Good Rule of Thumb:
•  Files should be set to 644
•  Folders should be set to 755

Start with the default settings above

If your host requires 777…SWITCH HOSTS!
  
Or via SSH with the following commands:

    find [your path here] -type d -exec chmod 755 {} \;
    find [your path here] -type f -exec chmod 644 {} \;
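As an added example, not from the deck, the Python below audits a tree against the same 644/755 rule, singling out world-writable (777/666) paths, and then applies the rule the two find commands apply; the tree it inspects is constructed in a temporary directory.

```python
"""Audit a WordPress tree against the deck's rule of thumb (files 644,
folders 755) and single out world-writable paths, the 777 the deck warns about.

Added example, not from the deck. The tree it inspects is constructed in a
temporary directory; point audit_permissions() at a real install to use it.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def _entries(root):
    """Yield (path, is_dir) for every directory and regular file under root.

    os.walk does not descend into symlinked directories, and symlinks to
    files are skipped here, so nothing outside the tree is touched.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath, True
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, False


def audit_permissions(root):
    """Return (kind, mode, path) for every entry that deviates from the rule.

    kind is "world-writable" when others can write (the worst case), otherwise
    "dir" or "file" for any other deviation from 755/644.
    """
    findings = []
    for path, is_dir in _entries(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        expected = DIR_MODE if is_dir else FILE_MODE
        if mode & stat.S_IWOTH:
            findings.append(("world-writable", f"{mode:04o}", path))
        elif mode != expected:
            findings.append(("dir" if is_dir else "file", f"{mode:04o}", path))
    return findings


def enforce_permissions(root):
    """Apply the rule the deck's two find/chmod commands apply; return how many entries changed."""
    changed = 0
    for path, is_dir in _entries(root):
        want = DIR_MODE if is_dir else FILE_MODE
        if stat.S_IMODE(os.lstat(path).st_mode) != want:
            os.chmod(path, want)
            changed += 1
    return changed


def build_sample_tree():
    """Constructed sample: a tiny WordPress-like tree with two common mistakes."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    os.chmod(root, DIR_MODE)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    # "The host said uploads needs 777": world-writable directory.
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    samples = (
        ("wp-config.php", 0o666),                     # world-writable config file
        ("index.php", FILE_MODE),                     # fine
        ("wp-content/uploads/photo.jpg", FILE_MODE),  # fine
    )
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for kind, mode, path in audit_permissions(root):
            print(f"{kind:15} {mode} {os.path.relpath(path, root)}")
        print(f"changed {enforce_permissions(root)} entries, "
              f"{len(audit_permissions(root))} findings remain")
    finally:
        shutil.rmtree(root)
```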
  
5. Move wp-config.php

WordPress features the ability to move the wp-config.php file one directory above your WordPress root

This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory

If WordPress is located here:

    public_html/wordpress/wp-config.php

You can move your wp-config.php file to here:

    public_html/wp-config.php

WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory

6. Lock Down WP Login and WP Admin
  
Add the code below to wp-config.php to force SSL (https) on login:

    define('FORCE_SSL_LOGIN', true);

Add the code below to wp-config.php to force SSL (https) on all admin pages:

    define('FORCE_SSL_ADMIN', true);

Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
  
1. Create an .htaccess file in your wp-admin directory

2. Add the following lines of code:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    #IP address to Whitelist
    allow from 67.123.83.59
    allow from 123.123.123.*

Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin
  
7. Use Trusted Sources for Themes & Plugins

WPMU.org reviewed the top 10 results for “free wordpress themes” on Google.

Out of the ten sites reviewed:

1. Safe: 1
2. Iffy: 1
3. Avoid: 8

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  
The only safe site reviewed was WordPress.org

Most themes included base64() encoded text links to promote various services

Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
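An added example, not from the deck or the WPMU.org review: a scanner for the pattern just described, base64_decode() calls in theme PHP whose literal argument decodes to an <a href> link. The theme it scans is constructed in a temporary directory, with the encoded link built at runtime rather than copied from any real theme.

```python
"""Scan theme files for base64-encoded strings that decode to HTML links,
the pattern the WPMU.org review found in most "free theme" downloads.

Added example, not from the deck or the review. The theme it scans is
constructed in a temporary directory and the encoded link inside it is
built at runtime, so nothing here is copied from a real theme.
"""
import base64
import binascii
import os
import re
import tempfile

# base64_decode('...') or base64_decode("...") with a literal argument.
B64_CALL_RE = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
LINK_RE = re.compile(r"<a\s[^>]*href\s*=", re.IGNORECASE)


def decode_literal(blob):
    """Decode a base64 literal to text; None if it is not valid base64 or not UTF-8."""
    try:
        raw = base64.b64decode("".join(blob.split()), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_source(text):
    """Return the decoded payload of every base64_decode() literal that hides an <a href>."""
    hits = []
    for _quote, blob in B64_CALL_RE.findall(text):
        decoded = decode_literal(blob)
        if decoded and LINK_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_theme(theme_dir):
    """Walk a theme directory; return {relative path: [decoded link payloads]} for .php files."""
    report = {}
    for dirpath, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report[os.path.relpath(path, theme_dir)] = hits
    return report


def build_sample_theme():
    """Constructed sample theme: clean header and functions files, a footer hiding a sponsor link."""
    root = tempfile.mkdtemp(prefix="theme-")
    link = '<a href="http://sponsor.example/">cheap widgets</a>'
    encoded = base64.b64encode(link.encode()).decode()
    files = {
        "header.php": "<?php wp_head(); ?>\n<div id=\"header\"><?php bloginfo('name'); ?></div>\n",
        # The footer credit is obfuscated so a casual look at the file shows no link.
        "footer.php": "<div id=\"footer\"><?php echo base64_decode('" + encoded + "'); ?></div>\n"
                      "<?php wp_footer(); ?>\n",
        # Legitimate base64_decode with no link inside: must not be reported.
        "functions.php": "<?php\n$greeting = base64_decode('aGVsbG8=');\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    theme = build_sample_theme()
    for rel, payloads in scan_theme(theme).items():
        for payload in payloads:
            print(f"{rel}: {payload}")
```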
  
8. Be Secure Locally

Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!

Keep your computer up to date
•  Ensure you’re patching or installing updates ASAP
•  Automatic updates rock!

Install an anti-virus solution
•  Ensure you’re keeping definitions current
•  Automatic updates aren’t a bad idea here either!

Yes, personal firewalls still apply!
  
	
  
	
  
	
  
It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?

Your Internet Connection

Use SSL whenever possible, especially on an unverified connection.
•  HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.

Connecting To Your Site(s)

Consider using sFTP or SSH vs. FTP
•  Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
•  If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
•  Don’t store your credentials in your FTP client.
  
9. Use a Trusted Host

You get what you pay for…
  
At the end of the day, hosting providers market the world. You, in turn, should have the opportunity to know how they’re going to protect you.

Your Lovely Host!
•  Cheap doesn’t always mean best, or safe!!
•  How many sites on their network are blacklisted for malware reasons?
•  What version of software do they run and how often do they update?
•  How are account credentials stored & who has access?

Only use a trusted host that clearly states their security policies.
Bonus points if they specialize in WordPress specific hosting!

10. Use Common Sense

•  Use a strong password
   •  BAD: bradisawesome
   •  GOOD: SCrEE79joLly$
   •  A=@, E=3, S=$, O=0 (This is not unique, they know this)
•  Update passwords regularly (Monthly, make a schedule)
•  Know your admins, limit number of accounts (WP, FTP, Hosting, etc)
•  Backup, Backup, Backup (Use BackupBuddy for scheduled backups)

PLUGINS & SERVICES FOR WORDPRESS

Plugins & Services
  
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/

BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/

•  .htaccess lockdown rules for various directories (root, wp-admin, etc)
•  Security status scanner for folder/file permissions and file checks
•  Very well documented
  
Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/

•  Hides login error messages
•  Adds index.php to /themes and /plugins to prevent directory listing
•  Removes WP, plugin, and theme update notices for non-admins
•  and more!
  
Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/

•  Scans your files and database for potentially malicious code
•  Does not remove code, only detects it
  
http://Sucuri.net

•  Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/
•  Website monitoring
•  Hack cleanup services
•  Sucuri Security Plugin
•  Free to clients
•  Web Application Firewall
•  Integrity Monitoring
•  Auditing
•  Hardening
  
http://maintainn.com

RESOURCES FOR WORDPRESS

•  Security Related Articles
   •  http://codex.wordpress.org/Hardening_WordPress
   •  http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
   •  http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
   •  http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
•  Clean a Hacked Site
   •  http://codex.wordpress.org/FAQ_My_site_was_hacked
   •  http://www.marketingtechblog.com/wordpress-hacked/
•  Support Forums
   •  Hacked: http://wordpress.org/tags/hacked
   •  Malware: http://wordpress.org/tags/malware
  
DRADCAST PLUG

Listen to the DradCast WordPress Podcast

LIVE every Wednesday @ 8pm EDT

DradCast.com
  
CONTACT BRAD

Brad Williams
brad@webdevstudios.com

Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad

Professional WordPress Second Edition is OUT!
http://bit.ly/prowp2
  

 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

WordPress Security WordCamp OC 2013

  • 1. WORDPRESS SECURITY BY BRAD WILLIAMS Brad Williams @williamsba
  • 2. WHO IS BRAD? Brad Williams: Co-Founder WebDevStudios.com; Co-Author Professional WordPress & Professional WordPress Plugin Development; Co-Organizer WordCamp Philly; Co-Host DradCast
  • 3. TODAY’S TOPICS • Security Stats • Example Hack • Top Security Tips • Recommended Plugins & Services • Resources
  • 4. SECURITY STATS FOR WORDPRESS Security Stats
  • 5. SECURITY STATS 700+ million websites May 2012 (Netcraft); 300 million websites in 2011 (Pingdom); 10+ billion indexed pages (WorldWebSize). Projected: • 1 Billion websites by 2013 • 2 Billion websites by 2015 [bar chart: Websites by year, 2011, 2012, 2013, 2015]
  • 6. SECURITY STATS WordPress Stats • 73+ Million WordPress powered websites • 18% of all websites are running WordPress • 22 out of every 100 new domains in the U.S. launch with WordPress • Projected 300-500 Million WordPress sites by 2015
  • 7. SECURITY STATS Web Malware Stats • 403 Million unique variants of malware in 2011 (Symantec) • 140% growth since 2010 • 81% increase in malicious web-based attacks between 2010 - 2011
  • 8. SECURITY STATS In Summary – Be Scared!
  • 9. HACK EXAMPLE Link Injection: Hacker bots look for known exploits (SQL Injection, folder permissions, etc). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
  • 10. HACK EXAMPLE Link Injection: Hosting account contained two separate websites: WordPress and WordPress Multisite
  • 11. HACK EXAMPLE Link Injection: Hacker bot dropped a malicious file on a WP Multisite install [diagram: WordPress, WordPress Multisite]
  • 12. HACK EXAMPLE Link Injection: WordPress Multisite starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files [diagram: WordPress, WordPress Multisite]
  • 13. HACK EXAMPLE Link Injection: WP Multisite contains no spam links; it acts as a carrier to spread the contamination. Cleaning up the WordPress website only resulted in more spam links a few days later [diagram: WordPress, WordPress Multisite]
  • 15. HACK EXAMPLE Link Injection: 375 spam links per page, only shown to search engines
  • 16. Scared Yet?
  • 17. TOP SECURITY TIPS FOR WORDPRESS That’s It! Good luck!
  • 18. TOP SECURITY TIPS FOR WORDPRESS Securing WordPress
  • 19. TOP SECURITY TIPS FOR WORDPRESS 1. Update Update Update – Keep WordPress Updated! Minor WordPress versions (ie 3.5.x) do NOT add new features. They contain bug fixes and security patches
  • 20. TOP SECURITY TIPS FOR WORDPRESS 1. Update Update Update – Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
  • 21. TOP SECURITY TIPS FOR WORDPRESS 1. Update Update Update – NO EXCUSES! UPDATE!
  • 22. TOP SECURITY TIPS FOR WORDPRESS 2. Use Secret Keys – Some secrets should remain secrets
  • 23. TOP SECURITY TIPS FOR WORDPRESS 2. Use Secret Keys – A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 1. Edit wp-config.php 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt BEFORE: define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); AFTER: define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
  • 24. TOP SECURITY TIPS FOR WORDPRESS Do you login with username admin?
  • 25. TOP SECURITY TIPS FOR WORDPRESS
  • 26. TOP SECURITY TIPS FOR WORDPRESS 3. Delete the Admin user account – Change the admin username in MySQL: UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin'; Or create a new account with administrator privileges: 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account. WordPress will allow you to reassign all content written by admin to an account of your choice.
  • 27. TOP SECURITY TIPS FOR WORDPRESS 3. Delete the Admin user account – WordPress lets you set the username during the installation process! DON'T USE ADMIN!
  • 28. TOP SECURITY TIPS FOR WORDPRESS 3. Delete the Admin user account – Knowing your username is half the battle. Don't make it easy on the hackers.
  • 29. TOP SECURITY TIPS FOR WORDPRESS 4. File and Folder Permissions – What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755. Start with the default settings above. If your host requires 777…SWITCH HOSTS!
  • 30. TOP SECURITY TIPS FOR WORDPRESS 4. File and Folder Permissions – Or via SSH with the following commands (one per line): find [your path here] -type d -exec chmod 755 {} \; find [your path here] -type f -exec chmod 644 {} \;
  • 31. TOP SECURITY TIPS FOR WORDPRESS 5. Move wp-config.php – WordPress features the ability to move the wp-config.php file one directory above your WordPress root. This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory. WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory. If WordPress is located here: public_html/wordpress/wp-config.php you can move your wp-config.php file to here: public_html/wp-config.php
  • 32. TOP SECURITY TIPS FOR WORDPRESS 6. Lock Down WP Login and WP Admin
  • 33. TOP SECURITY TIPS FOR WORDPRESS 6. Lock Down WP Login and WP Admin – Add the code below to wp-config.php to force SSL (https) on login: define('FORCE_SSL_LOGIN', true); Add the code below to wp-config.php to force SSL (https) on all admin pages: define('FORCE_SSL_ADMIN', true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
  • 34. TOP SECURITY TIPS FOR WORDPRESS 6. Lock Down WP Login and WP Admin – 1. Create an .htaccess file in your wp-admin directory 2. Add the following lines of code (one per line): AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all allow from 67.123.83.59 allow from 123.123.123.* (the allow lines are the IP addresses to whitelist). Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin
  • 35. TOP SECURITY TIPS FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins – WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed: 1. Safe: 1 2. Iffy: 1 3. Avoid: 8. Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  • 36. TOP SECURITY TIPS FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins – The only safe site reviewed was WordPress.org. Most themes included base64() encoded text links to promote various services. Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  • 37. TOP SECURITY TIPS FOR WORDPRESS 8. Be Secure Locally – Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date: • Ensure you’re patching or installing updates ASAP • Automatic updates rock! Install an anti-virus solution: • Ensure you’re keeping definitions current • Automatic updates aren’t a bad idea here either! Yes, personal firewalls still apply!
  • 38. TOP SECURITY TIPS FOR WORDPRESS 8. Be Secure Locally – It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection: Use SSL whenever possible, especially on an unverified connection. • HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s): Consider using sFTP or SSH vs. FTP • Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? • If unavoidable, do not allow anonymous logins, limit connections, practice least privilege. • Don’t store your credentials in your FTP client.
  • 39. TOP SECURITY TIPS FOR WORDPRESS 9. Use a Trusted Host – You get what you pay for…
  • 40. TOP SECURITY TIPS FOR WORDPRESS 9. Use a Trusted Host – At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you. Your Lovely Host! • Cheap doesn’t always mean best, or safe!! • How many sites on their network are blacklisted for malware reasons? • What version of software do they run and how often do they update? • How are account credentials stored & who has access?
  • 41. TOP SECURITY TIPS FOR WORDPRESS 9. Use a Trusted Host – Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!
  • 42. TOP SECURITY TIPS FOR WORDPRESS 10. Use Common Sense • Use a strong password • BAD: bradisawesome • GOOD: SCrEE79joLly$ • A=@, E=3, S=$, O=0 (This is not unique, they know this) • Update passwords regularly (Monthly, make a schedule) • Know your admins, limit number of accounts (WP, FTP, Hosting, etc) • Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
  • 43. PLUGINS & SERVICES FOR WORDPRESS Plugins & Services
  • 44. PLUGINS & SERVICES FOR WORDPRESS Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
  • 45. PLUGINS & SERVICES FOR WORDPRESS BulletProof Security http://wordpress.org/extend/plugins/bulletproof-security/ • .htaccess lockdown rules for various directories (root, wp-admin, etc) • Security status scanner for folder/file permissions and file checks • Very well documented
  • 46. PLUGINS & SERVICES FOR WORDPRESS Secure WordPress http://wordpress.org/extend/plugins/secure-wordpress/ • Hides login error messages • Adds index.php to /themes and /plugins to prevent directory listing • Removes WP, plugin, and theme update notices for non-admins • and more!
  • 47. PLUGINS & SERVICES FOR WORDPRESS Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/ • Scans your files and database for potentially malicious code • Does not remove code, only detects it
  • 48. PLUGINS & SERVICES FOR WORDPRESS http://Sucuri.net • Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/ • Website monitoring • Hack cleanup services • Sucuri Security Plugin • Free to clients • Web Application Firewall • Integrity Monitoring • Auditing • Hardening
  • 49. PLUGINS & SERVICES FOR WORDPRESS http://maintainn.com
  • 50. RESOURCES FOR WORDPRESS • Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html • Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
  • 51. DRADCAST PLUG Listen to the DradCast WordPress Podcast LIVE every Wednesday @ 8pm EDT DradCast.com
  • 52. CONTACT BRAD Brad Williams brad@webdevstudios.com Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad Professional WordPress Second Edition is OUT! http://bit.ly/prowp2
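The following audit script is an added example, not code from the deck or from WordPress; it checks an install against slides 23 (placeholder secret keys), 29-30 (644/755 permissions), 31 (wp-config.php one level up) and 33 (FORCE_SSL_ADMIN, which since WordPress 4.0 also covers the login screen and replaces the deprecated FORCE_SSL_LOGIN). It assumes a WordPress root path passed as the first argument and only reports findings; it changes nothing.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree. Assumed usage:
#   sh wp_audit.sh /path/to/wordpress
# Each finding is printed on its own line; nothing is modified.

# Slides 29-30: files should be 644 and directories 755. Report every
# path whose mode differs (the deck's find/chmod pair fixes them).
wp_perm_findings() {
    find "$1" -type d ! -perm 755 | sed 's/^/dir not 755: /'
    find "$1" -type f ! -perm 644 | sed 's/^/file not 644: /'
}

# Slide 31: WordPress reads wp-config.php from its root, then one level up.
wp_config_path() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}

# Slide 23: every AUTH/SECURE_AUTH/LOGGED_IN/NONCE key and salt must have
# been replaced; report any still carrying the installer placeholder text.
wp_salt_findings() {
    cfg=$(wp_config_path "$1") || { echo "wp-config.php not found"; return 0; }
    grep -E "^[[:space:]]*define\([[:space:]]*'(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'" "$cfg" \
        | grep -F 'put your unique phrase here' \
        | sed -E "s/^[^']*'([A-Z_]+)'.*/\1 still uses the installer placeholder/"
}

# Slide 33: FORCE_SSL_ADMIN must be defined as true; FORCE_SSL_LOGIN alone is
# deprecated and only protects the login form.
wp_ssl_findings() {
    cfg=$(wp_config_path "$1") || return 0
    grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true" "$cfg" \
        || echo "FORCE_SSL_ADMIN is not set to true"
}

# Run all checks; output is one finding per line.
wp_audit() {
    wp_perm_findings "$1"
    wp_salt_findings "$1"
    wp_ssl_findings "$1"
}

# Number of findings, for scripting: 0 means every check passed.
wp_audit_count() {
    wp_audit "$1" | wc -l | tr -d ' '
}

if [ "$#" -gt 0 ]; then
    wp_audit "$1"
fi
```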