Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.
2. WHO IS BRAD?
Brad Williams
@williamsba
Co-Founder, WebDevStudios.com
Co-Author, Professional WordPress & Professional WordPress Plugin Development
Co-Organizer, WordCamp Philly
Co-Host, DradCast
5. SECURITY STATS
700+ million websites, May 2012 (Netcraft)
300 million websites in 2011 (Pingdom)
10+ billion indexed pages (WorldWebSize)
Projected:
• 1 Billion websites by 2013
• 2 Billion websites by 2015
[Chart: Websites (millions, 0 to 2500) by year: 2011, 2012, 2013, 2015]
6. SECURITY STATS
WordPress Stats
• 73+ Million WordPress powered websites
• 18% of all websites are running WordPress
• 22 out of every 100 new domains in the U.S. launch with WordPress
• Projected 300-500 Million WordPress sites by 2015
7. SECURITY STATS
Web Malware Stats
• 403 Million unique variants of malware in 2011 (Symantec)
• 140% growth since 2010
• 81% increase in malicious web-based attacks between 2010 - 2011
9. HACK EXAMPLE
Link Injection
Hacker bots look for known exploits (SQL Injection, folder permissions, etc). This allows them to insert spam files/links into your WordPress themes, plugins, and core files.
12. HACK EXAMPLE
Link Injection
WordPress Multisite starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.
[Diagram labels: WordPress, WordPress Multisite]
13. HACK EXAMPLE
Link Injection
WP Multisite contains no spam links. It acts as a carrier to spread the contamination.
Cleaning up the WordPress website only resulted in more spam links a few days later.
[Diagram labels: WordPress, WordPress Multisite]
19. TOP SECURITY TIPS FOR WORDPRESS
1. Update Update Update
Keep WordPress Updated!
Minor WordPress versions (i.e. 3.5.x) do NOT add new features. They contain bug fixes and security patches.
20. TOP SECURITY TIPS FOR WORDPRESS
1. Update Update Update
Update Those Plugins!
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.
21. TOP SECURITY TIPS FOR WORDPRESS
1. Update Update Update
NO EXCUSES! UPDATE!
22. TOP SECURITY TIPS FOR WORDPRESS
2. Use Secret Keys
Some secrets should remain secrets
23. TOP SECURITY TIPS FOR WORDPRESS
2. Use Secret Keys
1. Edit wp-config.php
A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
BEFORE
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
AFTER
define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
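As an added example (not code from the talk, and not WordPress's own tooling), the shell script below does two things a practitioner wants when applying this tip: it counts how many of the eight keys in a given wp-config.php are still the stock "put your unique phrase here" placeholder, and it generates a replacement set of define() lines locally from /dev/urandom instead of fetching them over the network, then validates that the result has eight distinct 64-character keys. The function names, the script's argument handling and the placeholder path are assumptions of this example; the eight key names are the standard ones from wp-config.php.

```shell
#!/bin/sh
# Added example (not from the talk): audit a wp-config.php for secret keys
# still set to the stock placeholder, and generate a fresh set of eight
# define() lines locally instead of fetching them from api.wordpress.org.
# Assumes the eight standard key names and a Unix system with /dev/urandom
# and the coreutils base64 command.

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"

# Print how many define() lines in the given wp-config.php still carry the
# placeholder text; 0 means every key has been replaced.
count_placeholder_keys() {
    grep -c "$PLACEHOLDER" "$1" || true
}

# One 64-character key from 48 random bytes. base64 emits only A-Z a-z 0-9
# + / so the value is safe inside a single-quoted PHP string.
random_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Emit the eight define() lines WordPress expects, each with a fresh key.
generate_salt_defines() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_key)"
    done
}

# Sanity-check a generated block: exactly eight defines, every key 64
# characters long, no two keys identical. Prints "ok" or "bad".
validate_salt_defines() {
    keys=$(printf '%s\n' "$1" | sed -n "s/^define('[A-Z_]*', '\(.*\)');$/\1/p")
    total=$(printf '%s\n' "$keys" | grep -c . || true)
    dups=$(printf '%s\n' "$keys" | sort | uniq -d | grep -c . || true)
    wrong_len=$(printf '%s\n' "$keys" | awk 'length($0) != 64' | grep -c . || true)
    if [ "$total" -eq 8 ] && [ "$dups" -eq 0 ] && [ "$wrong_len" -eq 0 ]; then
        echo ok
    else
        echo bad
    fi
}

# Run directly with a wp-config.php path to audit it and print replacements.
if [ -n "${1:-}" ]; then
    echo "placeholder keys in $1: $(count_placeholder_keys "$1")"
    generate_salt_defines
fi
```

Run it as `sh salts.sh /path/to/wp-config.php` and paste the printed defines over the old ones. Rotating the keys invalidates every existing login cookie, so all users are logged out; that side effect is also the quickest way to evict sessions after a suspected compromise.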
24. TOP SECURITY TIPS FOR WORDPRESS
Do you log in with the username admin?
26. TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
Change the admin username in MySQL:
UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Or create a new account with administrator privileges.
1. Create a new account. Make the username very unique
2. Set account to Administrator role
3. Log out and log back in with new account
4. Delete admin account
WordPress will allow you to reassign all content written by admin to an account of your choice.
27. TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
WordPress lets you set the username during the installation process!
DON'T USE ADMIN!
28. TOP SECURITY TIPS FOR WORDPRESS
3. Delete the Admin user account
Knowing your username is half the battle. Don't make it easy on the hackers.
29. TOP SECURITY TIPS FOR WORDPRESS
4. File and Folder Permissions
What folder permissions should you use?
Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above.
If your host requires 777… SWITCH HOSTS!
30. TOP SECURITY TIPS FOR WORDPRESS
4. File and Folder Permissions
Or via SSH with the following commands (the trailing semicolon must be escaped so the shell passes it to find):
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
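The two find commands above change everything at once. As an added example (not from the talk), the script below first audits a WordPress tree against the 644/755 rule, listing only the entries that deviate, and applies the change only when asked, using find's "+" terminator so chmod is invoked in batches. The function names and the --fix argument are assumptions of this example; the path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the talk): audit a WordPress tree against the
# 644/755 rule of thumb before touching it, then correct only what deviates.
# Assumes a POSIX find with -perm exact matching; the path is supplied by you.

# List files whose mode is not exactly 644 and directories whose mode is not
# exactly 755, one path per line. No output means the tree already complies.
audit_permissions() {
    find "$1" -type f ! -perm 644
    find "$1" -type d ! -perm 755
}

# Number of deviating entries, for a quick pass/fail check.
count_deviations() {
    audit_permissions "$1" | grep -c . || true
}

# Apply the rule. -type keeps files and folders apart (a blanket chmod -R 755
# would give every file the execute bit), and the "+" terminator batches
# paths so chmod runs far fewer times than with the per-entry "\;" form.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Run directly: audit, and fix only when asked with --fix.
if [ -n "${1:-}" ]; then
    echo "entries deviating from 644/755 under $1: $(count_deviations "$1")"
    if [ "${2:-}" = "--fix" ]; then
        fix_permissions "$1"
    fi
fi
```

Run `sh perms.sh /path/to/wordpress` to see what would change, then add `--fix` to apply it. The script changes modes only, never ownership, so a directory the web server must write to (such as wp-content/uploads) still needs to be owned by, or grouped with, the web server user.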
31. TOP SECURITY TIPS FOR WORDPRESS
5. Move wp-config.php
WordPress features the ability to move the wp-config.php file one directory above your WordPress root.
This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory.
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory.
If WordPress is located here: public_html/wordpress/wp-config.php
You can move your wp-config.php file to here: public_html/wp-config.php
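As an added example (not from the talk and not WordPress code), the shell script below reproduces the lookup order WordPress uses in wp-load.php, install root first and then the parent directory, so you can confirm from the shell which file an install will load after the move. It also covers the edge case in that lookup: the parent is skipped if it contains its own wp-settings.php, because then it is a separate WordPress install whose config must not be borrowed. A second function reports whether the file has ended up above the web server's document root or merely above the WordPress directory, which are different things when WordPress lives in a subdirectory such as public_html/wordpress/. The function names and the two path arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the talk): reproduce how WordPress finds its
# wp-config.php so you can confirm, from the shell, which file an install
# will actually load after you move it. Assumes the lookup order implemented
# in wp-load.php (install root first, then the parent directory) and takes
# paths of your choosing as arguments.

# Print the wp-config.php WordPress would load for the install rooted at $1.
# The parent directory is only consulted when it does not itself hold a
# wp-settings.php; otherwise the parent is a separate WordPress install and
# its config must not be borrowed. Prints nothing if no config is found.
locate_wp_config() {
    root="${1%/}"
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        printf '%s\n' "$root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
    fi
}

# Classify where the loaded config lives relative to the web server's
# document root given as $2: "outside" (the goal of the tip), "inside" (one
# level above WordPress but still under the document root, so the benefit of
# being outside the web root does not apply), or "missing".
config_location() {
    cfg=$(locate_wp_config "$1")
    [ -n "$cfg" ] || { echo missing; return 0; }
    case "$cfg" in
        "${2%/}"/*) echo inside ;;
        *) echo outside ;;
    esac
}

# Run directly as: script.sh /path/to/wordpress /path/to/document_root
if [ -n "${2:-}" ]; then
    echo "loaded config: $(locate_wp_config "$1")"
    echo "location relative to document root: $(config_location "$1" "$2")"
fi
```

For the layout on the slide, `sh where.sh public_html/wordpress public_html` reports "inside": the file moved up one level but is still under public_html. If the document root is public_html itself and WordPress is installed directly in it, moving the file to the directory above public_html is what yields "outside".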
32. TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
33. TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
Add the code below to wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Add the code below to wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.
34. TOP SECURITY TIPS FOR WORDPRESS
6. Lock Down WP Login and WP Admin
1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.*
Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin
35. TOP SECURITY TIPS FOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed:
1. Safe: 1
2. Iffy: 1
3. Avoid: 8
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
36. TOP SECURITY TIPS FOR WORDPRESS
7. Use Trusted Sources for Themes & Plugins
Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
The only safe site reviewed was WordPress.org.
Most themes included base64() encoded text links to promote various services.
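The encoded links described above are detectable before a theme goes live. As an added example (not from the talk, and not the code of any plugin named on these slides), the script below performs a read-only scan of a theme or plugin directory for the two shapes such injections usually take: eval() wrapping a decoder, and base64_decode() applied to a long inline literal. It reports file and line, and can decode the literals in a flagged file to show whether an anchor tag is hiding inside. The patterns are a constructed starting set rather than a complete signature list, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the talk): a read-only scan of a theme or plugin
# directory for the obfuscation the slide describes, base64-encoded strings
# handed to eval() or echoed straight into the page. It only reports and
# never edits files. The pattern list is a constructed starting point, not a
# complete signature set.

# Extended regex: eval() wrapping a decoder, or base64_decode() applied to a
# long inline literal (40+ base64 characters). Legitimate theme code rarely
# needs either construct.
SUSPICIOUS="eval[[:space:]]*[(][[:space:]]*(base64_decode|gzinflate|str_rot13)|base64_decode[[:space:]]*[(][[:space:]]*[\"'][A-Za-z0-9+/=]{40,}"

# Print file:line:text for every hit in *.php files under $1. /dev/null is
# passed alongside so grep always prefixes the file name, even for one file.
scan_for_encoded_payloads() {
    find "$1" -type f -name '*.php' -exec grep -nE "$SUSPICIOUS" /dev/null {} + || true
}

# Number of distinct files with at least one hit.
count_suspicious_files() {
    scan_for_encoded_payloads "$1" | cut -d: -f1 | sort -u | grep -c . || true
}

# Decode every long base64 literal in one file and print those that turn
# out to contain an anchor tag, which is what an injected spam link is.
decoded_links_in_file() {
    grep -oE '[A-Za-z0-9+/=]{40,}' "$1" | while read -r blob; do
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null || true)
        case "$decoded" in
            *"<a "*) printf '%s\n' "$decoded" ;;
        esac
    done
}

# Run directly with a directory to scan.
if [ -n "${1:-}" ]; then
    scan_for_encoded_payloads "$1"
fi
```

Run `sh scan.sh wp-content/themes/some-theme` on a freshly downloaded theme before activating it; a hit is a reason to read the file, not proof of malice on its own, since a few legitimate plugins also embed encoded data. A scan like this is the same idea as the Exploit Scanner plugin listed later in the deck: detection only, with removal left to a human.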
37. TOP SECURITY TIPS FOR WORDPRESS
8. Be Secure Locally
Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected!
Keep your computer up to date
• Ensure you’re patching or installing updates ASAP
• Automatic updates rock!
Install an anti-virus solution
• Ensure you’re keeping definitions current
• Automatic updates aren’t a bad idea here either!
Yes, personal firewalls still apply!
38. TOP SECURITY TIPS FOR WORDPRESS
8. Be Secure Locally
It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks?
Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
• HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind.
Connecting To Your Site(s)
Consider using sFTP or SSH vs. FTP
• Still widely marketed, but did you know your credentials are passed unencrypted when using FTP?
• If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.
• Don’t store your credentials in your FTP client.
39. TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
You get what you pay for…
40. TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
"At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you."
Your Lovely Host!
• Cheap doesn’t always mean best, or safe!!
• How many sites on their network are blacklisted for malware reasons?
• What version of software do they run and how often do they update?
• How are account credentials stored & who has access?
41. TOP SECURITY TIPS FOR WORDPRESS
9. Use a Trusted Host
Only use a trusted host that clearly states their security policies.
Bonus points if they specialize in WordPress specific hosting!
42. TOP SECURITY TIPS FOR WORDPRESS
10. Use Common Sense
• Use a strong password
• BAD: bradisawesome
• GOOD: SCrEE79joLly$
• A=@, E=3, S=$, O=0 (This is not unique, they know this)
• Update passwords regularly (Monthly, make a schedule)
• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)
• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
44. PLUGINS & SERVICES FOR WORDPRESS
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
45. PLUGINS & SERVICES FOR WORDPRESS
BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/
• .htaccess lockdown rules for various directories (root, wp-admin, etc)
• Security status scanner for folder/file permissions and file checks
• Very well documented
46. PLUGINS & SERVICES FOR WORDPRESS
Secure WordPress
http://wordpress.org/extend/plugins/secure-wordpress/
• Hides login error messages
• Adds index.php to /themes and /plugins to prevent directory listing
• Removes WP, plugin, and theme update notices for non-admins
• and more!
47. PLUGINS & SERVICES FOR WORDPRESS
Exploit Scanner
http://wordpress.org/extend/plugins/exploit-scanner/
• Scans your files and database for potentially malicious code
• Does not remove code, only detects it
52. CONTACT BRAD
Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
IRC: WDS-Brad
Professional WordPress Second Edition is OUT!
http://bit.ly/prowp2