2. I’m Justin Jones
0 Teacher
0 Church Worker
0 WordPress hobbyist
0 Podcast cohost at
“The Weekly Theme Show”
http://wpcandy.com
0 @jjonesftw
0 justinjones.net
3. Why would someone want to
hack my site?
0 The world doesn’t revolve around you
0 Crime of opportunity
0 Don’t leave your front door unlocked
4. Why would someone want to
hack my site?
0 Imperva selected 50 sites at random, July 2012:
0 Expect attack incidents 120 days per year (33% of the time); some experienced 292 days (80%)
0 Attacked 274 times per year
0 Attack campaigns average 7 minutes 42 seconds, and can range upward from there
0 SQL Injection is the most frequent attack
5. Why would someone want to
hack my site?
0 “Black Hat” SEO
0 Hidden links, footer credit links, back links, etc…
0 To make money directly
0 Affiliate sales
0 Rogue virus scanners
6. Why would someone want to
hack my site?
0 Serve up images and content for SPAM email
8. What do they do while they’re
poking around my site?
0 Alter robots.txt, .htaccess
0 Some are specific to “robots” or HTTP Referrer
0 Create backdoors in unsuspecting .php files
0 Add their own .php files and images to serve up their payload content
10. What do they do while they’re
poking around my site?
0 Inject code into theme files, like header.php, to insert hidden spam links
11. How Do They Get In?
0 Outdated versions of WordPress
0 Outdated themes and plugins
0 Hosting providers behind the times
0 Insecure password / brute force
0 Compromised computer
0 Passwords cached in FTP clients, passwords stored in an unencrypted text file, etc…
0 Insecure internet connection
0 Rogue access points
0 Packet sniffers on public WiFi
12. What are the consequences?
0 Google will punish you.
0 Google Safe Browsing or manual removal action
17. What are the consequences?
0 Other “blacklisting” like Norton Safe Web, Phish Tank, Opera, Sucuri, and many others
0 Spammy content will get indexed by every search engine
0 Don’t forget about directory listing sites, like Google Places / Google Maps
0 Your host may dump you for violating TOS
18. What are the consequences?
0 Be a good neighbor! Security is everyone’s responsibility
19. What are the consequences?
0 Malware cost the US economy 2.2 billion dollars in lost productivity in 2011
0 Are you an ecommerce site?
0 Payment gateway is probably offsite, but what about people’s email addresses?
0 Membership site?
0 Many people re-use passwords
0 LinkedIn, Last.fm, many others recently
0 Business or organization?
0 How much street cred will you earn serving content from exotic-dildos.co.cc
20. Is WordPress insecure?
0 No.
0 Pharma hack had a patch out before it was exploited
0 WordPress has a target on its back
0 WordPress is used by over 14.7% of Alexa Internet's "top 1 million" websites and as of August 2011 manages 22% of all new websites.
0 Some theme and plugin authors are lazy/sloppy, or use deprecated/inefficient methods
0 You are your own worst enemy!
0 Think about Windows XP back in like 2002
21. Is WordPress insecure?
0 Be careful who you trust
0 Everyone is a “developer” now
0 NEVER download and install a theme for free that you should have paid for
0 Shady scraper sites, torrents, etc…
0 “Having a website *should* cost you more than $300 a year. If it doesn’t, then you’re doing it wrong.” --Otto
22. Is WordPress insecure?
0 Be careful who you trust
0 Be very wary of downloading a free theme outside of the WordPress.org theme repo
0 Use “Theme Authenticity Checker” and “Theme Check”
0 Siobhan McKeown at WPMU.org Googled “free wordpress themes”
0 Top 10 results: 1=wordpress.org; 1=poorly coded; 8=actively using encrypted code to insert spammy links
0 Use trusted theme marketplaces or commercial shops
23. Is WordPress insecure?
0 Be careful who you trust
0 Choose plugins carefully
0 Trusted commercial plugin shops
0 WordPress.org directory
0 More plugins != insecure
0 Check user ratings
0 Support forum requests
0 Check community blogs
0 WordPress.org profile pages for favorites and others by same author
28. Prepare for Disaster
0 It’s going to happen
0 Maintain regular backups
0 Server side or Plugins
0 Be registered with Google Webmaster Tools
0 Know how to contact your hosting provider
0 Know a developer
0 Visit your site
0 Watch your stats
30. Update. Update. Update.
0 August 2011, so 3.2.1 was most current
0 Less than half of the top 100k sites running WordPress were up to date!
0 WordPress iterates quickly to patch security holes. Keep updated to benefit from their work
0 Source: http://churchm.ag/wordpress-updates/
31. Update. Update. Update.
0 WordPress core, .org plugins and .org themes can use the core update functionality
0 Some commercial themes and plugins have their own way of one-click upgrade, some are manual only
0 Some have notifications, some don’t
0 Sign up for WordPress.org release notifications from the download page
32. Here’s Where This Gets Technical
0 I’ll have these slides up on Slide Share
0 I’ve reserved time at the end for questions, and I’ll be available after for individual questions
33. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Take a deep breath and crack open a beer. You’ve got some work ahead of you.
0 Get back control of your site
0 Get the site offline if you can!
34. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Change *every* single one of your passwords
0 Domain registrar, hosting account, all WordPress users, SQL database username and password, FTP account password
0 I suggest changing your email account passwords
0 Hire a professional
0 Check out http://sucuri.net/
0 Many others out there, Google them up!
35. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Regenerate WordPress secret keys / salts
0 Manually in wp-config.php or use a plugin
define('AUTH_KEY', 'n%foh;/v6$)0<t]=Be]o~2L?nopubK;b1-P(x=~dCyY[pL]^Ry//=I$y.w-8&HGP');
define('SECURE_AUTH_KEY', 'q#h,K.OZ=-IT)(-`3`)G1Kr-&ZP,!CEM1<sMx-1eDI<H*BfO2G@~ bD<)]8rW|{/');
define('LOGGED_IN_KEY', 'Vuvu|_`AGu@) >*7K~l]B1v-d3-e}<Qo#hki8Fy(Bov:T~wOm#8hqHZbWP2khxR}');
define('NONCE_KEY', 'B&8:S*:tZR700I9]3~sWI0Rv1+9e_O{KXcc+`a!eB-wV$+Cctv$q*Yb+c.5w<xns');
define('AUTH_SALT', 'bpx*[xMhU<FjufQ*``oc&NNdvz,-FJ=|~+$G:i9qaCFRY>u,-}%-Cc-G|!5r0|D@');
define('SECURE_AUTH_SALT', 'S+C/f6B6[Y+uGJt!@K|c:49tA}xB!5_zE6RZ+ AT.bsFNvD^-YGOI@HG8V:YbR?q');
define('LOGGED_IN_SALT', '~oP,M4HQ8 ,M$<A[(`HZ@>_BC,Yo/Y].kw+{g^KnLPzB[UAI_Z6h6M+KbZ|.|<$-');
define('NONCE_SALT', 'KW*LbM<2qL7LAZZ!vdto?c?!(5eSb)|o$BA;{F-CLZB=M%_QfbdW[@lSDT_]ImE[');
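One way to do the “manually in wp-config.php” step without an online generator is a small script that rewrites the eight define() lines with fresh values from the operating system’s CSPRNG. This is an added example, not code from the deck or from WordPress; the alphabet, the regular expression and the SAMPLE_CONFIG fragment are constructed assumptions.

```python
import re
import secrets
import string

# The eight wp-config.php constants the deck says to regenerate.
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Letters, digits and punctuation minus quote and backslash, so the value sits
# safely in a single-quoted PHP literal (assumption: a local choice, not WP's exact set).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
# Matches define('NAME', 'value'); as WordPress writes it (single-quoted).
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")

def new_secret(length: int = 64) -> str:
    """Draw a fresh secret from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def secret_values(config_text: str) -> dict:
    """Map each secret constant found in the config text to its current value."""
    return {n: v for n, v in _DEFINE_RE.findall(config_text) if n in WP_SECRET_KEYS}

def regenerate_salts(config_text: str) -> str:
    """Return config text with every key/salt define() given a new random value;
    other defines (DB_PASSWORD, ...) and lines are left exactly as they were."""
    def _swap(m: re.Match) -> str:
        name = m.group(1)
        if name not in WP_SECRET_KEYS:
            return m.group(0)
        return f"define('{name}', '{new_secret()}');"
    return _DEFINE_RE.sub(_swap, config_text)

# Constructed sample fragment, not a real site's wp-config.php.
SAMPLE_CONFIG = """define('DB_PASSWORD', 'keep-me-unchanged');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(regenerate_salts(SAMPLE_CONFIG))
```

Rotating these values invalidates every existing WordPress login cookie, which is exactly what you want after a compromise.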
36. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Backup
0 Restore from a previous backup
0 Find and delete all the junk they added
0 Very insidious. Creating rogue sitemaps, modifying .htaccess files, creating backdoors, adding index.php files to override permalinks, etc…
0 Posts and images now in database
0 Reinstall WordPress core, plugins and themes
38. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Begin the process of restoring your good name
0 Request delisting of bogus content from Google and other search engines
0 Very tedious, manual process
0 Request reevaluation from blacklisting services
0 Don’t forget about other services that pull content from your site, like Google Places
0 Wait it out. This will take weeks and months
0 Prepare better for next time
39. Harden Your Site.
The Easy Stuff.
0 Keep up to date! WordPress, plugins, themes – but also the PHP version on your host
0 Use strong passwords – no words! Not P@$$woRd either.
0 Consider using a password manager
0 Remove “admin” user
40. Harden Your Site.
The Easy Stuff.
0 Only connect using SFTP
0 Never ever hack core WordPress files
0 Keep a clean house!
0 Other WP installs, other PHP services, plugins, old themes
0 Disable user registration
41. Harden Your Site.
The More Complicated Stuff.
0 Store your wp-config file outside of public_html
0 Done at install or can be moved later
0 Change the database prefix
0 Use strong database passwords
0 Use proper 755 file permissions
0 If a plugin or theme asks you to set 777, avoid.
0 Only log in to site using SSL (https://...)
42. Harden Your Site.
The More Complicated Stuff.
0 Plugins! Plugins! Plugins!
0 Monitor core / template files
0 “WordPress File Monitor Plus”
0 Scan template files for suspicious code
0 “AntiVirus”
0 WP and server security settings
0 “WebsiteDefender WordPress Security”
0 Keep up to date
0 “Update Notifications”
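A baseline-and-compare script is the idea behind the “Monitor core / template files” bullet, and it also catches the theme-file injection and dropped .php files described on slides 8 and 10. This is an added example, not the deck’s or any plugin’s code; the watched file types, the fake install under a temporary directory and the simulated tampering are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Files the deck says attackers alter or drop: theme .php files, .htaccess,
# robots.txt; JavaScript is included because injected scripts land there too.
WATCHED_SUFFIXES = {".php", ".js", ".txt"}
WATCHED_NAMES = {".htaccess"}

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every watched file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in WATCHED_SUFFIXES or name in WATCHED_NAMES:
                baseline[str(p.relative_to(root))] = _sha256(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: injected code shows as 'modified', dropped files as 'added'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed walkthrough: baseline a tiny fake install, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        before = build_baseline(root)
        # Simulated tampering (constructed): a hidden block appended to the theme
        # header and an unexpected PHP file dropped into uploads.
        (theme / "header.php").write_text('<?php wp_head(); ?>\n<div style="display:none">injected</div>\n')
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php /* unexpected */ ?>\n")
        return compare(before, build_baseline(root))
```

Store the baseline somewhere the web server cannot write (and refresh it after every legitimate update) so a compromised site cannot quietly rewrite it.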
43. Harden Your Site.
The More Complicated Stuff.
0 Plugins! Plugins! Plugins!
0 “WordPress Firewall 2”
0 “Block Bad Queries”
0 Backup
0 VaultPress
0 BackupBuddy
0 Login Lockdown
0 Lock out excessive retries and mask login errors
0 Many others available for two factor auth, etc…
0 Sucuri plugin has a firewall to block known bad IP’s
44. Should you really be hosting
your own site?
0 Do you like to change your own oil in your car or take it to the Jiffy Lube?
0 WordPress.com is a great resource for most personal bloggers. Focus on writing your content.
0 Consider a WordPress managed host.
0 WP Engine, ZippyKid, Pagely, etc…
0 Don’t be afraid to pay someone!
0 How important is this project?
0 What is your time worth?
46. Resources
0 These slides on Slide Share
0 Search for slides from Dre Armeda and Brad Williams
0 WordPress.org Codex
0 Otto on WordPress
0 Sucuri.net – service and blog
0 Lockdown WordPress – A Security Webinar with Dre Armeda
0 1.5 hour interview – great resource!
0 Countless plugins on the WordPress.org repo
0 http://sitecheck.sucuri.net/scanner/
47. Questions?
0 No question is stupid. We’re all here to learn!
0 If you’re smarter than I am, please jump in here.