"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
WordCamp 2012 WordPress Security: No Nonsense Edition
1. WordPress Security: No Nonsense Edition
Michael R. McNeill
Power Users Track
WordCamp Raleigh 2012
Saturday, November 3rd, 2012
@michaelrmcneill #WCRaleigh
2. A little about myself...
Lovely girlfriend, Allie, who is with me today.
From Wilkesboro, NC, right below Boone, NC.
First-Year at the University of North Carolina at
Chapel Hill with an intended business major. GO
HEELS!
Owner of Connected Site Solutions and Partner in Digital Strategy Works.
I LOVE WORDPRESS! I’ve been using it for almost 3 years now and I wouldn’t
use anything else.
I currently work for Apple, Inc. and I truly love both the product and relationship
we create!
I’ve worked on exciting and wide-ranging projects, such as Black Enterprise
Magazine, DVJ Media, WiredHoods, smallbiztechnology.com, and MAXI
Promotion and Records. I’ve also contracted for DRS Technologies, the United
States Department of Defense, and numerous other companies.
3. A quick note...
A question that is going to run through your head at some point in this
presentation is “Why use WordPress when you have to do all this work to secure
it?” The short answer is that all web sites, content management systems, and
web applications can and will have vulnerabilities. (Many of them are much,
much, much, much worse than WordPress.) This presentation could scare you
****less, but this is really scary stuff. Sugarcoating it just makes it easier to
ignore.
4. WordPress Security 101
First and foremost, congratulations on using WordPress!
You’ve picked the most popular content management
system on the planet!
Security is taken very seriously in the WordPress
community, but no matter what the contributors to the
project do, there is always going to be someone
attacking both documented and undocumented
vulnerabilities on WordPress sites.
Although there can be no guarantees of complete
immunity, I’m going to help you do everything possible to
secure all the sites you maintain.
7. This is not true. The WordPress core is in fact very secure, and when an
issue arises the core team is quick to patch the vulnerability and push the
fix to end users.
9. Most hacking attempts are automated and are rarely
related to personal or political motives. Almost all the
attacks I see have financial motives. Maybe you’re
thinking, “I don’t have any sensitive information. What
could they possibly steal from my site?” Emails,
usernames, passwords. And even worse, your
reputation.
11. No site that’s accessible on the internet will ever be 100%
secure. Security vulnerabilities will always exist.
12. Myth 4
I only use themes and plugins from the
WordPress repos, so they must be
secure.
13. Although WordPress plugins and themes are reviewed
before being added, that doesn’t prevent them from
having vulnerabilities and bugs. Even the best
programmers make mistakes.
14. Myth 5
I paid $35.00 for a premium theme from
ThemeForest. Since it was “premium” it
must be secure.
15. If you purchase a theme from somewhere like ThemeForest, be
wary. I’ve seen numerous themes from ThemeForest come
with embedded malware in the code, infecting your and your
client’s computer. If you do purchase a theme from
ThemeForest or a site like it, thoroughly examine it to ensure that
there is not any code that does not belong. When in doubt,
contact a trusted developer.
17. You need to keep WordPress core, plugins, and themes
updated at all times. Whenever a security update is released,
the fix itself is public: anyone can diff the old and new
versions to see what the problem is and how to exploit it. This
exposes every site that has not yet been updated, and the
automated attacks usually start within days of a release.
19. What does WordPress need to run?
LAMP STACK
Linux: operating system
Apache: web server
MySQL: database server
PHP: scripting language
All of these can and do have numerous vulnerabilities. Keeping your own systems up to date is not
an easy task, which is why most people (even myself) work with a web host to host their sites.
20. Who is your Host?
How do you connect to your server? Through FTP,
SFTP, SSH, Plesk, cPanel, etc?
What security does your host provide? Do they offer
advanced services to provide further protection?
What will your host do if you get hacked?
Will they shut you down or lock your account?
Does your host have a good track record?
Does your host have 24/7 support?
22. PASSWORDS...
Many potential vulnerabilities can be avoided with good security habits. A strong password
is an important aspect of this.
The goal with your password is to make it hard for other people to guess and hard for a
brute force attack to succeed. Many password generators are available that can be used to
create secure passwords.
Things to avoid when choosing a password:
Any combination of your own real name, username, company name, or name of your
website.
A word from a dictionary, in any language.
A short password. Length matters more than any single character class: a long random
passphrase kept in a password manager beats a short “complex” one.
Any numeric-only or alphabetic-only password (a mixture of both is best).
A password you have used on any other site; one leaked database should not open your blog.
A strong password is necessary not just to protect your blog content. A hacker who gains
access to your administrator account is able to install malicious scripts that can potentially
compromise your entire server and ruin your reputation.
23. Look to your computer...
Make sure to have anti-malware software installed on
your computer, no matter if it is Windows, Mac OS X,
or Linux. ALL computers can get some type of
malware, and that can lead to an infected site.
Always keep your operating system and the software
on it, especially your web browser and SFTP/SSH/FTP
client, up to date in order to protect against security
vulnerabilities.
24. Connecting to your site...
SFTP/SSH is greatly preferred over standard FTP, which sends your
username and password across the network in the clear.
If you must use FTP, check if your host offers FTPS (FTP over TLS).
SFTP/SSH/FTP username and password SHOULD
NOT be the same as your WordPress Administration
username or password.
You don’t need to log in as the administrator/root
user all the time. Less access means less to exploit.
Use isolated SFTP/SSH/FTP accounts that can only
access certain necessary parts of the site.
25. User Restrictions are important!
Everyone DOES NOT need to be an administrator.
Focus on the role that you are assigning users, only
assign their role with what they NEED at the current
time, you can always change their permissions later.
Get rid of generic account names (e.g. admin,
administrator, root, etc.) and use something custom; the
generic names are the first ones a brute-force script tries.
Create two accounts for yourself, one as an administrator
account for managing and administering the site, and the
other for common tasks.
Everyone DOES NOT need to access the site via SFTP/
SSH/FTP.
26. Backup, Backup, Backup...
You must backup your site!
Your WordPress database contains every post, every comment and every
link you have on your blog. If something goes wrong, you will lose everything
you have ever written. There are many reasons why this could happen and
not all are things you can control. With a proper backup of your WordPress
database and files, you can quickly restore things back to normal.
You should be backing up at least once a week and storing one backup per
month off the main web server (either your computer or a cloud storage
provider like Amazon Web Services). Test a restore now and then: an
untested backup is a guess, not a backup.
Disaster will strike at some point and time and you need to be in a position to
take action when it happens. Spending a few minutes to set up an easy,
convenient backup of your site will make your life much easier in the long run.
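The weekly-plus-monthly scheme above, as an added example script that is not part of the talk or of any of the products it mentions. It dumps the database with mysqldump, tars the file tree into one dated archive, prunes old archives while keeping the first archive of every month, and ships that monthly copy off the server. Everything it assumes is marked in the comments: wp-config.php in the site directory or one level above it, mysqldump on the PATH (the MYSQLDUMP variable is a hypothetical override so the script can be exercised without a database), and an OFFSITE destination in scp/rsync form.

```shell
#!/bin/sh
# Added example, not from the talk: dated database+file backup for one WordPress
# site, with rotation that keeps a monthly copy and a hook to push it off-box.
# Assumptions (not in the original): wp-config.php sits in the site directory or
# one level above it; mysqldump is on PATH (MYSQLDUMP=... overrides it); OFFSITE
# names an scp/rsync-style destination such as user@backuphost:/srv/wp-backups;
# the backup directory is outside the site tree, or tar would archive itself.
set -eu

# Read one define('NAME', 'value') constant out of wp-config.php.
wp_const() {  # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and the whole file tree into one archive; prints its path.
wp_backup() {  # $1 = site directory, $2 = backup directory (outside the site)
    site=$1; dest=$2
    cfg="$site/wp-config.php"
    [ -f "$cfg" ] || cfg="$site/../wp-config.php"     # config moved up one level (slide 29)
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    # Password via the environment rather than -p on the command line, so it
    # does not show up in the process list while the dump runs.
    MYSQL_PWD="$(wp_const "$cfg" DB_PASSWORD)" "${MYSQLDUMP:-mysqldump}" --single-transaction \
        -h "$(wp_const "$cfg" DB_HOST)" -u "$(wp_const "$cfg" DB_USER)" \
        "$(wp_const "$cfg" DB_NAME)" > "$work/db.sql"
    # If the config lives outside the tree, keep a copy with the backup.
    [ -f "$site/wp-config.php" ] || cp "$cfg" "$work/"
    mkdir -p "$dest"
    archive="$dest/wp-$stamp.tar.gz"
    # db.sql (and the copied config) from the work dir, then the whole site.
    tar -czf "$archive" -C "$work" . -C "$site" .
    rm -rf "$work"
    echo "$archive"
}

# Keep the newest $2 archives; of the older ones keep only the first archive of
# each month (the monthly copy the talk recommends) and delete the rest.
prune_backups() {  # $1 = backup directory, $2 = number of newest archives to keep
    dir=$1; keep=$2; seen=""
    set -- "$dir"/wp-*.tar.gz                    # glob order is chronological for this naming
    [ -e "$1" ] && [ "$#" -gt "$keep" ] || return 0
    excess=$(( $# - keep ))
    for f in "$@"; do
        [ "$excess" -gt 0 ] || break
        excess=$(( excess - 1 ))
        month=$(basename "$f" | cut -c4-9)       # YYYYMM out of wp-YYYYMMDD-HHMMSS.tar.gz
        case " $seen " in
            *" $month "*) rm -f "$f" ;;          # this month already has its monthly copy
            *) seen="$seen $month" ;;            # oldest archive of the month: keep it
        esac
    done
}

# Copy one archive off the web server (scp by default; OFFSITE_CMD=rsync also works).
ship_offsite() {  # $1 = archive path
    "${OFFSITE_CMD:-scp}" "$1" "${OFFSITE:?set OFFSITE to user@host:/path}"
}

# Stand-alone use from cron: sh wp-backup.sh /var/www/example.com /var/backups/example.com
if [ "$#" -eq 2 ]; then
    latest=$(wp_backup "$1" "$2")
    prune_backups "$2" 4                         # four weekly archives stay on the box
    ship_offsite "$latest"
fi
```

Run it weekly from cron as the user that owns the site files; the prune step guarantees that even after months of runs the directory holds the last four archives plus one per month, and the off-site copy means a wiped server does not take the backups with it.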
27. Kill PHP execution permissions.
Put this in a .htaccess file in your ~/wp-content/uploads/ folder (and, if
you like, in ~/wp-includes/). Be aware that it can break your theme and/or
plugins if they load PHP files directly from those folders, so try it and, if
anything breaks, delete it.
#PROTECT PHP EXECUTION
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
Two things to check after adding it. First, the rule only takes effect if the
server allows .htaccess overrides for that directory (AllowOverride), so request
a test .php file from the folder and confirm you get a 403. Second, on Apache
2.4 the Order/Deny pair needs mod_access_compat; the native 2.4 form is
Require all denied. <Files *.php> also matches only the .php extension, so if
your PHP handler is mapped to .phtml or .php5 as well, cover those too.
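Two checks for the uploads folder, as an added example script that is not from the talk: list anything under the directory that is PHP by extension or opens with a PHP tag under a media extension (the usual way a web shell gets past an upload filter), and write the deny rule in a form that works on both Apache 2.2 and 2.4. It assumes .htaccess overrides are allowed for the directory; the hypothetical file names in the usage comment are examples only.

```shell
#!/bin/sh
# Added example, not from the talk: find PHP hiding in the uploads tree and
# write a version-independent "no PHP from here" .htaccess. Assumes AllowOverride
# permits .htaccess in the directory; if it does not, the file is silently ignored,
# so verify with a request to a test .php file after writing it.
set -eu

# Print every file under $1 that is PHP by extension, or that opens a PHP block
# under any other extension (image.gif with <?php inside). Returns 1 if found.
find_php_in_uploads() {  # $1 = uploads directory
    dir=$1
    hits=$( {
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                               -o -iname '*.phtml' -o -iname '*.phar' \) -print
        # grep -l prints only the file name, even for binary files; the
        # "|| true" covers find's non-zero exit when a batch has no match.
        find "$dir" -type f ! -iname '*.php*' -exec grep -l -F '<?php' {} + || true
    } | sort -u )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Write a .htaccess into $1 that refuses to serve PHP-like files from it, using
# mod_authz_core's presence to tell Apache 2.4 from 2.2 so neither errors out.
write_deny_php_htaccess() {  # $1 = directory, e.g. wp-content/uploads
    cat > "$1/.htaccess" <<'EOF'
# PROTECT PHP EXECUTION: nothing under this directory may be run as PHP
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Stand-alone use: sh uploads-check.sh /var/www/example.com/wp-content/uploads
if [ "$#" -eq 1 ]; then
    write_deny_php_htaccess "$1"
    find_php_in_uploads "$1" || echo "Suspicious files listed above: inspect before deleting."
fi
```

Run the finder from cron and alert on a non-zero exit; a new .php under uploads on a site that never legitimately has one is about as clear an indicator of compromise as you get.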
28. Disable Plugin/Theme Editing.
Add this to your wp-config.php file before the “/* That's
all, stop editing! Happy blogging. */” line:
#Disable Plugin and Theme Editor
define('DISALLOW_FILE_EDIT', true);
This removes the Theme and Plugin editors from the dashboard, so a stolen
administrator login cannot use them to write PHP straight to your server. The
stronger define('DISALLOW_FILE_MODS', true); also blocks installing and updating
plugins and themes from the dashboard; only use it if you deploy updates another way.
29. Move wp-config.php file.
To add an extra layer of protection, you can move the
wp-config.php file up one directory; WordPress looks for it
there automatically when it is not in the site root. This protects you if
your PHP handler gets broken or modified in some way and starts
serving .php files as plain text, which would otherwise expose your DB
credentials to anyone who requests the file. It only helps if the directory
above is outside the web root (for example /var/www/wp-config.php next to
a site in /var/www/html/), and WordPress will not use it if that directory
is itself another WordPress install.
30. Use salts.
Use the online generator (https://api.wordpress.org/
secret-key/1.1/salt/) to generate salts, and place them
in your wp-config.php file in place of the “put your unique phrase here”
placeholders. Every visit returns a fresh set; the eight lines below are an
example of its output and, having been printed here, are now public, so never
copy them. Changing the keys invalidates every existing login cookie, which is
also the quickest way to log out all sessions after a compromise.
define('AUTH_KEY', '=(jUjXE=,sZxY-+@_YX]OyDuo-`%}eQeQ jE-A-ZHo`A,B%*D+^3@~&5%X!>+&R+');
define('SECURE_AUTH_KEY', '6e)tLmd#ogG8@|)A8UNhl%Ql+gNR++Frg,#am4_rWY9)bcT$uk]`g7`FA(2%AIn9');
define('LOGGED_IN_KEY', 'bkW+7S+-Fsk y&A|gl{D=|Yv3h,U5uj,72{0%/&~VD.um R/8VRzGM9_!?l])rw,');
define('NONCE_KEY', 'Y4 HXcx6t|3-2%&[/daW~V%QK<{KxH<|SVf|otwbh(9U-!RpY^7sbds+qWC4dISb');
define('AUTH_SALT', 'x[Tl$wtoJ]FKZawPiR&m%etK%.!N=8;?5?NUZO*g.mUL;6.v`biw+Z%DkL[2sp*&');
define('SECURE_AUTH_SALT', '~JO0w%;$jrM}<n1+T)R:lM1-+y;n7F86*5)JDe@YqdL]6I@<I9Ve8R[Y&Kz?H{O&');
define('LOGGED_IN_SALT', 'x6aoLDs:NO]%uF(N|G`iK{$#j.*&.0hL)C:C&dHwP*&X[k|h<oeI}b$b4l175/nB');
define('NONCE_SALT', ' 9L[)xS=-<^YKV/d~JUA28Q]k;ibu#yB|%mMOG98:gwiD*`FZem%yHaq+NyyKD0<');
31. Secure wp-includes.
Place the code below in the .htaccess file in the site root (not inside
~/wp-includes/; the rules refer to paths relative to the root), outside the
# BEGIN WordPress and # END WordPress markers so WordPress does not overwrite it
when it regenerates its own block.
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
On a Multisite install, leave out the ^wp-includes/[^/]+\.php$ line (and change
[S=3] to [S=2]), because ms-files.php is served from that folder and the rule
would break image delivery.
32. Change the database prefix.
Many published WordPress-specific SQL-injection
attacks assume the table_prefix is wp_, the default.
Changing it defeats those canned payloads, but it does not fix the
underlying injection: an attacker who can run arbitrary SQL can still read
the real prefix from information_schema or from an error message. Treat it
as a speed bump, not a fix. You can change it with this plugin:
http://wordpress.org/extend/plugins/db-prefix-change/.
Once you use that plugin to change the prefix, go into
your wp-config.php file and change the line
$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
to reflect what you selected through the plugin. If you rename the tables
by hand instead, also rename the wp_user_roles option and every wp_capabilities
and wp_user_level row in usermeta, or every user loses their role.
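The three wp-config.php settings from slides 28, 30 and 32 (editor disabled, real salts, non-default prefix) are easy to forget on the second and third site you set up, so here is an added example script, not from the talk, that generates fresh keys offline and audits a wp-config.php for all three. It assumes /dev/urandom is available and that constants are written one per line as define('NAME', 'value'); the FINDING output format and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the talk: offline salt generation plus a wp-config.php
# audit for the editor switch, the eight keys, and the table prefix.
# Assumptions (not in the original): /dev/urandom exists; constants are written
# one per line in the stock define('NAME', 'value'); form.
set -eu

# One 64-character key from the kernel CSPRNG. The character set leaves out
# ' and \ so the value drops into a single-quoted PHP string without escaping.
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=,.<>?;:|~-' < /dev/urandom | head -c 64
}

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print the eight define() lines, ready to paste over the placeholders.
gen_wp_salts() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
    done
}

# Print one FINDING line per problem; the return value is the number of findings.
audit_wp_config() {  # $1 = path to wp-config.php
    cfg=$1; findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }
    # Slide 28: the editor must be switched off with a literal true.
    grep -Eq "^[[:space:]]*define\(['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
        || note "DISALLOW_FILE_EDIT is not set to true (slide 28)"
    # Slide 30: all eight keys present, none still carrying the stock placeholder.
    for name in $WP_KEY_NAMES; do
        grep -Eq "define\(['\"]$name['\"]" "$cfg" || note "$name is not defined (slide 30)"
    done
    if grep -q 'put your unique phrase here' "$cfg"; then
        note "keys still carry the placeholder text (slide 30)"
    fi
    # Slide 32: prefix is letters, digits and underscores, so one quote char then the value.
    prefix=$(sed -n 's/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.\([A-Za-z0-9_]*\).*/\1/p' "$cfg" | head -n 1)
    [ "$prefix" != "wp_" ] || note "table prefix is the default wp_ (slide 32)"
    return "$findings"
}

# Stand-alone use:  sh wpconfig-audit.sh /var/www/example.com/wp-config.php
#                   sh wpconfig-audit.sh --salts     (prints eight fresh define() lines)
if [ "$#" -eq 1 ]; then
    if [ "$1" = "--salts" ]; then gen_wp_salts; else audit_wp_config "$1"; fi
fi
```

The audit exits with the number of findings, so it slots straight into a deployment check (`audit_wp_config wp-config.php || exit 1`), and because the salt generator never touches the network it works on a box that is not allowed outbound HTTPS.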
33. Implement CloudFlare.
A little about CloudFlare:
CloudFlare protects and accelerates any website online by taking
control of your DNS and separating your DNS from your domain
registrar. Once your website is a part of the CloudFlare community,
its web traffic is routed through their intelligent global network.
They automatically optimize the delivery of your web pages so your
visitors get the fastest page load times and best performance.
They also block threats and limit abusive bots and crawlers from
wasting your bandwidth and server resources. The result:
CloudFlare-powered websites see a significant improvement in
performance and a decrease in spam and other attacks. Bear in mind
that CloudFlare only filters traffic that reaches your site through it:
anyone who learns the origin server’s IP address can go straight to it,
unless your firewall accepts web traffic only from CloudFlare’s published
address ranges.
35. Wordfence (Pro Version - $17.95 per year)
Wordfence scans your site for viruses, malware,
trojans, malicious links, protects your site against
scrapers, aggressive robots, fake Googlebots, protects
against brute force attacks and much much more.
Duo Two-Factor Mobile Authentication
(First 10 users free, then $3.00/per user/per month)
Duo Security enables your users to secure their logins
with their phones.
36. VaultPress (Starts at $15.00 per month)
VaultPress provides realtime, continuous backup and
synchronization of every post, comment, media file,
revision and dashboard setting.
BackupBuddy (Starts at $75.00)
Back up your entire WordPress installation
and move it, store it, and restore it as
much as you’d like!
37. Know what to do if the inevitable
happens...
Stay calm! You are going to be upset, but panicking and being
frantic about the situation just makes things worse.
Visit these sites:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://www.wordfence.com/docs/how-to-clean-a-hacked-
wordpress-site-using-wordfence/
If you are lost, or at any point feel uncomfortable with
what you are doing, STOP and contact a professional (like myself)
to get your issues resolved. It might cost a few pennies, but it will
be worth avoiding the headache, wasted time, and frustration in
the end.
38. Who do you recommend I host
with?
I host all my sites with Media Temple, and I recommend
for you to do the same.
Because I trust them with my sites, you know you can
trust them with yours.
If you do decide to sign up here is a coupon code for
15% off (gs) Grid-Service (kirupa07). The link to sign up
is here: http://bit.ly/RzXwDE (DISCLAIMER: this gives me
affiliate credit.)
39. Contact info.
Michael R. McNeill
Connected Site Solutions
michael@michaelryanmcneill.com
336.818.9540