WordPress Security: No Nonsense Edition
Michael R. McNeill
Power Users Track

WordCamp Raleigh 2012
Saturday, November 3rd, 2012




                        @michaelrmcneill #WCRaleigh
A little about myself...
 Lovely girlfriend, Allie, who is with me today.

 From Wilkesboro, NC, right below Boone, NC.

 First-Year at the University of North Carolina at
 Chapel Hill with an intended business major. GO
 HEELS!

 Owner of Connected Site Solutions and Partner in Digital Strategy Works.

 I LOVE WORDPRESS! I’ve been using it for almost 3 years now and I wouldn’t
 use anything else.

 I currently work for Apple, Inc. and I truly love both the product and relationship
 we create!

 I’ve worked on exciting and wide ranging projects, such as Black Enterprise
 Magazine, DVJ Media, WiredHoods, smallbiztechnology.com, and MAXI
 Promotion and Records. I’ve also contracted for DRS Technologies, the United
 States Department of Defense, and numerous other companies.
A quick note...
 A question that is going to run through your head at
 some point in time during this presentation is “Why use
 WordPress when you have to do all this work to secure
 it?” The short answer is that all web sites, content
 management systems, and web applications can and
 will have vulnerabilities. (Many of which are much,
 much, much, much worse than WordPress.) This
 presentation could scare you ****less, but this is really
 scary stuff. Sugarcoating it just makes it easier to
 ignore.

WordPress Security 101
First and foremost, congratulations on using WordPress!
You’ve picked the most popular content management
system on the planet!
Security is taken very seriously in the WordPress
community, but no matter what the contributors to the
project do, there is always going to be someone
attacking both documented and undocumented
vulnerabilities on WordPress sites.
Although there can be no guarantees of complete
immunity, I’m going to help you do everything possible to
secure all the sites you maintain.

Myths...
Myth 1
WordPress is not secure.
This is not true: the WordPress core is in fact very secure,
and when an issue arises, the core team is quick to
patch the vulnerability and push that to end users.
Myth 2
Nobody would want to hack my* site.
*clients included
Most hacking attempts are automated and are rarely
related to personal or political motives. Almost all the
attacks I see have financial motives. Maybe you’re
thinking, “I don’t have any sensitive information. What
could they possibly steal from my site?” Emails,
usernames, passwords. And even worse, your
reputation.
Myth 3
My WordPress site is 100% secure.
No site that’s accessible on the internet will ever be 100%
secure. Security vulnerabilities will always exist.
Myth 4
I only use themes and plugins from the
WordPress repos, so they must be secure.
Although WordPress plugins and themes are reviewed
before being added, that doesn’t prevent them from
having vulnerabilities and bugs. Even the best
programmers make mistakes.
Myth 5
I paid $35.00 for a premium theme from
ThemeForest. Since it was “premium” it
must be secure.
If you purchase a theme from somewhere like ThemeForest, be
wary. I’ve seen numerous themes from ThemeForest come
with embedded malware in the code, infecting your and your
client’s computer. If you do purchase a theme from
ThemeForest or a site like it, thoroughly examine it to ensure that
there is not any code that does not belong. When in doubt,
contact a trusted developer.
Myth 6
Updating WordPress core, plugins, and
themes isn’t urgent. They can wait.
You need to keep WordPress core, plugins, and themes
updated at all times. Whenever a security update is
released, the entire internet can see what the problem is and
how to exploit it. This obviously exposes any site that has
not been updated.
Hosting...
What does WordPress need to run?

LAMP STACK
  Linux   - Operating System
  Apache  - Web Server
  MySQL   - Database Server
  PHP     - Scripting Language

All of these can and do have numerous vulnerabilities. Keeping your own systems up to date is not
an easy task, which is why most people (even myself) work with a web host to host their sites.
Who is your Host?
How do you connect to your server? Through FTP,
SFTP, SSH, Plesk, cPanel, etc?
What security does your host provide? Do they offer
advanced services to provide further protection?
What will your host do if you get hacked?
  Will they shut you down or lock your account?
Does your host have a good track record?
Does your host have 24/7 support?

How do we protect ourselves?
PASSWORDS...
Many potential vulnerabilities can be avoided with good security habits. A strong password
is an important aspect of this.
The goal with your password is to make it hard for other people to guess and hard for a
brute force attack to succeed. Many password generators are available that can be used to
create secure passwords.
Things to avoid when choosing a password:
   Any combination of your own real name, username, company name, or name of your
   website.
   A word from a dictionary, in any language.
   A short password.
   Any numeric-only or alphabetic-only password (a mixture of both is best).
A strong password is necessary not just to protect your blog content. A hacker who gains
access to your administrator account is able to install malicious scripts that can potentially
compromise your entire server and ruin your reputation.
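The slide's "things to avoid" can be turned into a mechanical check. The script below is an added example and not part of the deck: it flags a candidate password that is short, numeric-only, alphabetic-only, built from a name/company/site word, or a dictionary word with digits tacked on. The site words, the tiny dictionary and the 12-character minimum are constructed assumptions; replace them with your own names and a real wordlist.

```shell
#!/bin/sh
# Added example (not from the deck): scores a candidate password against the
# slide's "things to avoid". The personal/site words and the tiny dictionary are
# constructed sample data; point them at your own names and a real wordlist.

SITE_WORDS="michael mcneill connected solutions wordcamp"   # constructed: real name, company, site name
DICTIONARY="password welcome dragon monkey letmein sunshine" # constructed stand-in for a dictionary file
MIN_LENGTH=12                                               # "a short password" cut-off, chosen here

# password_problems PASSWORD
# Prints one line per rule the password breaks; returns 0 only when nothing is printed.
password_problems() {
    pw=$1
    found=0
    if [ -z "$pw" ]; then
        echo "empty password"
        return 1
    fi
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    stem=$(printf '%s' "$lower" | sed 's/[0-9]*$//')   # "password1" -> "password"

    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "too short (${#pw} < $MIN_LENGTH characters)"; found=1
    fi
    case $pw in
        *[!0-9]*) ;;                               # contains a non-digit: not numeric-only
        *) echo "numeric-only"; found=1 ;;
    esac
    case $pw in
        *[!A-Za-z]*) ;;                            # contains a non-letter: not alphabetic-only
        *) echo "alphabetic-only"; found=1 ;;
    esac
    for w in $SITE_WORDS; do                       # real name / username / company / site name
        case $lower in
            *"$w"*) echo "contains personal or site word '$w'"; found=1 ;;
        esac
    done
    for w in $DICTIONARY; do                       # dictionary word, optionally with digits appended
        if [ "$stem" = "$w" ]; then
            echo "is a dictionary word ('$w')"; found=1
        fi
    done
    return $found
}

# Demo with constructed inputs
for candidate in 'password1' 'MichaelRocks2012!' '1234' 'Kq7#vLp2!xR9mT'; do
    printf '%s: ' "$candidate"
    if password_problems "$candidate"; then echo "ok"; fi
done
```

The checks are deliberately case-insensitive for the name and dictionary rules, since "Michael2012" is no harder to guess than "michael2012"; a real deployment would swap the six-word dictionary for a full wordlist file.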


Look to your computer...
 Make sure to have anti-malware software installed on
 your computer, no matter if it is Windows, Mac OS X,
 or Linux. ALL computers can get some type of
 malware, and that can lead to an infected site.
 Always keep your operating system and the software
 on it, especially your web browser and SFTP/SSH/FTP
 client, up to date in order to protect against security
 vulnerabilities.



Connecting to your site...
 SFTP/SSH is greatly preferred over standard FTP.
 If you must use FTP, check if your host offers FTP-SSL.
 SFTP/SSH/FTP username and password SHOULD
 NOT be the same as your WordPress Administration
 username or password.
   You don’t need to log in as the administrator/root
   user all the time. Less access means less to exploit.
 Use isolated SFTP/SSH/FTP accounts that can only
 access certain necessary parts of the site.
User Restrictions are important!
 Everyone DOES NOT need to be an administrator.
   Focus on the role that you are assigning users, only
   assign their role with what they NEED at the current
   time, you can always change their permissions later.
 Get rid of generic account names (e.g. admin,
 administrator, root, etc.) and use something custom.
 Create two accounts for yourself, one as an administrator
 account for managing and administering the site, and the
 other for common tasks.
 Everyone DOES NOT need to access the site via SFTP/SSH/FTP.
Backup, Backup, Backup...
You must backup your site!
Your WordPress database contains every post, every comment and every
link you have on your blog. If something goes wrong, you will lose everything
you have ever written. There are many reasons why this could happen and
not all are things you can control. With a proper backup of your WordPress
database and files, you can quickly restore things back to normal.
You should be backing up at least once a week and storing one backup per
month off the main web server (either your computer or a cloud storage
provider like Amazon Web Services).
Disaster will strike at some point in time and you need to be in a position to
take action when it happens. Spending a few minutes to set up an easy,
convenient backup of your site will make your life much easier in the long run.
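A backup job that follows the schedule on this slide (at least weekly, with one copy a month kept off the web server), as an added example that is not from the deck. It reads the database credentials out of wp-config.php, dumps the database with mysqldump, tars the install, and tags the first run of each month as the set to copy off-server. The paths, the backup directory and the "first seven days of the month counts as monthly" rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): a weekly backup job for the database and files,
# tagging the first run of each month as the copy to keep off the web server.
# Paths, the backup directory and the 7-day "monthly" window are assumptions.

# wp_config_value FILE NAME -> prints the string value of define('NAME', '...') in wp-config.php
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# backup_kind YYYY-MM-DD -> "monthly" for the first weekly run of a month (day 1-7), else "weekly"
backup_kind() {
    day=${1##*-}
    if [ "${day#0}" -le 7 ]; then echo monthly; else echo weekly; fi
}

# wp_backup WP_ROOT BACKUP_DIR [YYYY-MM-DD]
# Dumps the database and tars the install; keeps five weeks of weekly backups locally
# and leaves the monthly ones in place for copying off-server.
wp_backup() {
    root=$1; dest=$2; stamp=${3:-$(date +%Y-%m-%d)}
    cfg="$root/wp-config.php"
    [ -f "$cfg" ] || cfg="$root/../wp-config.php"   # the deck also suggests keeping wp-config.php one level up
    name=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    kind=$(backup_kind "$stamp")
    out="$dest/$kind"
    mkdir -p "$out"

    # The password goes through the environment so it never shows up in `ps` output.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$name" \
        | gzip > "$out/db-$name-$stamp.sql.gz"

    # Files: the whole install, plus wp-config.php separately when it lives outside the web root.
    if [ "$cfg" = "$root/wp-config.php" ]; then
        tar -czf "$out/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
    else
        tar -czf "$out/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")" \
            -C "$(dirname "$cfg")" wp-config.php
    fi
    chmod 600 "$out"/*-"$stamp".*          # dumps hold credentials and user data

    # Retention: five weeks of weekly copies; monthly copies are pruned by hand once copied off-server.
    find "$dest/weekly" -name '*.gz' -type f -mtime +35 -delete 2>/dev/null
    echo "$kind backup written to $out (copy the monthly set to your off-server store, e.g. S3)"
}

# Usage (assumed paths):  wp_backup /var/www/example.com /var/backups/example.com
if [ $# -ge 2 ]; then wp_backup "$@"; fi
```

Run it from cron once a week; the off-server copy of the monthly directory is left to whatever tool you already use (rsync to your own machine, or an S3 upload), since the slide only requires that it exists somewhere other than the web server.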


Kill PHP execution permissions.

 Try this in your ~/wp-includes/ and ~/wp-content/uploads/
 folders. Be aware, it could break your theme and/or plugins,
 so try it and if it breaks anything, delete it.
 # PROTECT PHP EXECUTION
 # Apache 2.2 syntax: the Order keywords are separated by a comma only, no space
 <Files *.php>
 Order Allow,Deny
 Deny from all
 </Files>
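The `Order`/`Deny` lines above are Apache 2.2 directives; on Apache 2.4 they only work when mod_access_compat is loaded, and the native form is `Require all denied`. The script below is an added example, not from the deck: it writes a version of the block guarded with `<IfModule>` so the same .htaccess works on either release, installs it once per directory with a `.bak` of the previous file, and provides the rollback the slide recommends when something breaks. Directory paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the deck): installs the "kill PHP execution" block into a
# directory's .htaccess in a form that works on Apache 2.2 (Order/Deny) and 2.4
# (Require), keeping a .bak copy so the change can be rolled back if it breaks the site.

# php_block_htaccess -> prints the .htaccess fragment
php_block_htaccess() {
    cat <<'EOF'
# PROTECT PHP EXECUTION (added by the hardening script)
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# install_php_block DIR -> appends the fragment once; previous .htaccess is kept as .htaccess.bak
install_php_block() {
    f="$1/.htaccess"
    if [ -f "$f" ] && grep -q 'PROTECT PHP EXECUTION' "$f"; then
        echo "already installed in $f"
        return 0
    fi
    if [ -f "$f" ]; then cp "$f" "$f.bak"; fi
    php_block_htaccess >> "$f"
    echo "installed in $f"
}

# rollback_php_block DIR -> restores .htaccess.bak if there was one, otherwise removes the file
rollback_php_block() {
    f="$1/.htaccess"
    if [ -f "$f.bak" ]; then
        mv "$f.bak" "$f"; echo "restored $f from backup"
    else
        rm -f "$f"; echo "removed $f"
    fi
}

# Usage (assumed paths):
#   install_php_block  /var/www/example.com/wp-content/uploads
#   rollback_php_block /var/www/example.com/wp-content/uploads
if [ "$1" = install ] && [ -n "$2" ]; then install_php_block "$2"; fi
if [ "$1" = rollback ] && [ -n "$2" ]; then rollback_php_block "$2"; fi
```

The block only affects direct HTTP requests for `*.php`; files that WordPress itself `include`s from those directories keep working, which is why uploads/ is the safest place to start and wp-includes/ is the one most likely to need the rollback.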




Disable Plugin/Theme Editing.


 Add this to your wp-config.php file before the
 “/* That's all, stop editing! Happy blogging. */” line.
 # Disable Plugin and Theme Editor
 define('DISALLOW_FILE_EDIT', true);




Move wp-config.php file.


To add an extra layer of protection, you can move the
wp-config.php file up one directory. This protects you if
your PHP handler gets broken or modified in some
way. This will prevent your DB information from being
exposed.




Use salts.
 Use the online generator (https://api.wordpress.org/secret-key/1.1/salt/)
 to generate salts, and place them in your wp-config.php file.
 define('AUTH_KEY',          '=(jUjXE=,sZxY-+@_YX]OyDuo-`%}eQeQ jE-A-ZHo`A,B%*D+^3@~&5%X!>+&R+');
 define('SECURE_AUTH_KEY',   '6e)tLmd#ogG8@|)A8UNhl%Ql+gNR++Frg,#am4_rWY9)bcT$uk]`g7`FA(2%AIn9');
 define('LOGGED_IN_KEY',     'bkW+7S+-Fsk y&A|gl{D=|Yv3h,U5uj,72{0%/&~VD.um R/8VRzGM9_!?l])rw,');
 define('NONCE_KEY',         'Y4 HXcx6t|3-2%&[/daW~V%QK<{KxH<|SVf|otwbh(9U-!RpY^7sbds+qWC4dISb');
 define('AUTH_SALT',         'x[Tl$wtoJ]FKZawPiR&m%etK%.!N=8;?5?NUZO*g.mUL;6.v`biw+Z%DkL[2sp*&');
 define('SECURE_AUTH_SALT',  '~JO0w%;$jrM}<n1+T)R:lM1-+y;n7F86*5)JDe@YqdL]6I@<I9Ve8R[Y&Kz?H{O&');
 define('LOGGED_IN_SALT',    'x6aoLDs:NO]%uF(N|G`iK{$#j.*&.0hL)C:C&dHwP*&X[k|h<oeI}b$b4l175/nB');
 define('NONCE_SALT',        ' 9L[)xS=-<^YKV/d~JUA28Q]k;ibu#yB|%mMOG98:gwiD*`FZem%yHaq+NyyKD0<');




Secure wp-includes.

 Place the below code outside the # BEGIN WordPress and
 # END WordPress tags in the .htaccess file in ~/wp-includes/
 # Block the include-only files.
 RewriteEngine On
 RewriteBase /
 # Patterns below are matched against the request path relative to RewriteBase (the site root).
 RewriteRule ^wp-admin/includes/ - [F,L]
 # Requests that are not under wp-includes/ skip the next three rules.
 RewriteRule !^wp-includes/ - [S=3]
 # On a multisite install drop this rule: it would also block wp-includes/ms-files.php.
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
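To see what that rule chain actually does before putting it on a live site, the added example below (not from the deck) replays the five rules, including the `[S=3]` skip, against constructed request paths and prints a verdict for each. The paths are made-up samples of core files and assets; the script never talks to Apache.

```shell
#!/bin/sh
# Added example (not from the deck): replays the wp-includes rewrite chain from the
# slide above against sample request paths, so you can see what each rule blocks and
# what the [S=3] skip lets through. Paths are constructed; nothing touches Apache.

# matches PATH REGEX -> true when the site-root-relative path matches the rule's pattern
matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# wp_includes_verdict PATH -> prints "blocked" (Apache would answer 403) or "allowed"
wp_includes_verdict() {
    p=$1
    # RewriteRule ^wp-admin/includes/ - [F,L]
    if matches "$p" '^wp-admin/includes/'; then echo blocked; return 0; fi
    # RewriteRule !^wp-includes/ - [S=3]  : anything outside wp-includes/ skips the next three rules
    if ! matches "$p" '^wp-includes/'; then echo allowed; return 0; fi
    # RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]  : PHP files sitting directly in wp-includes/
    if matches "$p" '^wp-includes/[^/]+\.php$'; then echo blocked; return 0; fi
    # RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    if matches "$p" '^wp-includes/js/tinymce/langs/.+\.php'; then echo blocked; return 0; fi
    # RewriteRule ^wp-includes/theme-compat/ - [F,L]
    if matches "$p" '^wp-includes/theme-compat/'; then echo blocked; return 0; fi
    echo allowed
}

# Constructed sample requests: core PHP that should never be fetched directly,
# and JavaScript assets that must stay reachable for the dashboard to work.
for p in wp-includes/wp-db.php \
         wp-includes/js/jquery/jquery.js \
         wp-includes/js/tinymce/langs/wp-langs.php \
         wp-includes/theme-compat/comments.php \
         wp-admin/includes/file.php \
         wp-admin/admin-ajax.php \
         index.php; do
    printf '%-46s %s\n' "$p" "$(wp_includes_verdict "$p")"
done
```

The interesting row is `wp-admin/admin-ajax.php`: it is under wp-admin/ but not wp-admin/includes/, so the first rule misses it and the skip rule carries it past the wp-includes checks, which is what keeps the dashboard working.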




Change the database prefix.
Many published WordPress-specific SQL-injection
attacks make the assumption that the table_prefix is wp_,
the default. Changing this can block at least some SQL
injection attacks. You can change it with this plugin:
http://wordpress.org/extend/plugins/db-prefix-change/.
Once you use that plugin to change the prefix, go into
your wp-config.php file and change the line
$table_prefix   = 'wp_';   // Only numbers, letters, and underscores please!
to reflect what you selected through the plugin.
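The last four slides (disable the file editor, move wp-config.php, set real salts, change the table prefix) are all settings you can verify from the shell. The audit script below is an added example and not part of the deck: it finds the wp-config.php in use (WordPress also looks one directory above the web root), then reports PASS/WARN/FAIL for each item. The install path is an argument; the 32-character salt minimum is an assumption, and "put your unique phrase here" is the placeholder text WordPress ships in wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the deck): audits the wp-config.php items from the slides
# above, i.e. the plugin/theme editor switched off, wp-config.php moved up one level,
# real salts in place, and a non-default table prefix. The install path is an argument.

# wp_config_path WP_ROOT -> prints the config in use; WordPress also looks one directory up
wp_config_path() {
    if [ -f "$1/wp-config.php" ]; then echo "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then echo "$1/../wp-config.php"
    else return 1
    fi
}

# wp_config_value FILE NAME -> value of define('NAME', '...') (generated salts never contain quotes)
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# audit_wp_config WP_ROOT -> one PASS/WARN/FAIL line per check; returns the number of FAILs
audit_wp_config() {
    root=$1
    fails=0
    cfg=$(wp_config_path "$root") || { echo "FAIL no wp-config.php found for $root"; return 1; }

    case $cfg in
        "$root/wp-config.php") echo "WARN wp-config.php sits in the web root (moving it up one directory is optional)" ;;
        *)                     echo "PASS wp-config.php lives one directory above the web root" ;;
    esac

    if grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "PASS DISALLOW_FILE_EDIT is true"
    else
        echo "FAIL DISALLOW_FILE_EDIT is not set: the dashboard file editor is live"; fails=$((fails + 1))
    fi

    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        val=$(wp_config_value "$cfg" "$key")
        case $val in
            '' | 'put your unique phrase here')   # missing, or the wp-config-sample.php placeholder
                echo "FAIL $key missing or still the sample placeholder"; fails=$((fails + 1)) ;;
            *)
                if [ "${#val}" -lt 32 ]; then
                    echo "FAIL $key is shorter than 32 characters"; fails=$((fails + 1))
                else
                    echo "PASS $key set (${#val} chars)"
                fi ;;
        esac
    done

    prefix=$(sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    case $prefix in
        '')  echo "FAIL could not read \$table_prefix"; fails=$((fails + 1)) ;;
        wp_) echo "FAIL table prefix is still the default wp_"; fails=$((fails + 1)) ;;
        *)   echo "PASS table prefix is '$prefix'" ;;
    esac
    return $fails
}

# Usage (assumed path): audit_wp_config /var/www/example.com
if [ $# -ge 1 ]; then audit_wp_config "$1"; fi
```

The exit status is the number of failed checks, so the script drops straight into a cron job or a deployment hook that refuses to go live while it is non-zero.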

Implement CloudFlare.
A little about CloudFlare:
CloudFlare protects and accelerates any website online by taking
control of your DNS and separating your DNS from your domain
registrar. Once your website is a part of the CloudFlare community,
its web traffic is routed through their intelligent global network.
They automatically optimize the delivery of your web pages so your
visitors get the fastest page load times and best performance.
They also block threats and limit abusive bots and crawlers from
wasting your bandwidth and server resources. The result:
CloudFlare-powered websites see a significant improvement in
performance and a decrease in spam and other attacks.


Plugins...
Wordfence (Pro Version - $17.95 per year)
  Wordfence scans your site for viruses, malware,
  trojans, malicious links, protects your site against
  scrapers, aggressive robots, fake Googlebots, protects
  against brute force attacks and much much more.


Duo Two-Factor Mobile Authentication
(First 10 users free, then $3.00/per user/per month)

  Duo Security enables your users to secure their logins
  with their phones.
VaultPress (Starts at $15.00 per month)

  VaultPress provides realtime, continuous backup and
  synchronization of every post, comment, media file,
  revision and dashboard setting.




BackupBuddy (Starts at $75.00)
  Back up your entire WordPress installation
  and move it, store it, and restore it as
  much as you’d like!
Know what to do if the inevitable happens...
 Stay calm! You are going to be upset, but panicking and being
 frantic about the situation just makes things worse.
 Visit these sites:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
 If you are lost, or at any point in time feel uncomfortable with
 what you are doing, STOP and contact a professional (like myself)
 to get your issues resolved. It might cost a few pennies, but it will
 be worth avoiding the headache, wasted time, and frustration in
 the end.
Who do you recommend I host with?
I host all my sites with Media Temple, and I recommend
for you to do the same.
Because I trust them with my sites, you know you can
trust them with yours.
If you do decide to sign up here is a coupon code for
15% off (gs) Grid-Service (kirupa07). The link to sign up
is here: http://bit.ly/RzXwDE (DISCLAIMER: this gives me
affiliate credit.)
Contact info.

 Michael R. McNeill
 Connected Site Solutions
 michael@michaelryanmcneill.com
 336.818.9540

Weitere ähnliche Inhalte

Andere mochten auch

Juodosios Neli istorija
Juodosios Neli istorijaJuodosios Neli istorija
Juodosios Neli istorijaievute112233
 
Presentasi RHK di Bali
Presentasi RHK di BaliPresentasi RHK di Bali
Presentasi RHK di Baliandrianroult
 
Sweet pizza
Sweet pizzaSweet pizza
Sweet pizzaycho168
 
Assign, commit, and review - A developer’s guide to OpenStack contribution-20...
Assign, commit, and review - A developer’s guide to OpenStack contribution-20...Assign, commit, and review - A developer’s guide to OpenStack contribution-20...
Assign, commit, and review - A developer’s guide to OpenStack contribution-20...OpenCity Community
 
MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016
MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016
MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016Giorgio Cassarà
 
Mass, volume and density labs day 1
Mass, volume and density labs day 1Mass, volume and density labs day 1
Mass, volume and density labs day 1jmori1
 
Brazil in African agriculture - Lídia Cabral
Brazil in African agriculture - Lídia CabralBrazil in African agriculture - Lídia Cabral
Brazil in African agriculture - Lídia Cabralfutureagricultures
 
There is no accidental DBA
There is no accidental DBAThere is no accidental DBA
There is no accidental DBAWally Pons
 
Brazil in Africa - Kojo Amanor
Brazil in Africa - Kojo AmanorBrazil in Africa - Kojo Amanor
Brazil in Africa - Kojo Amanorfutureagricultures
 
Verlichting
VerlichtingVerlichting
Verlichtingkjill
 
English iii rules powerpoint
English iii rules powerpointEnglish iii rules powerpoint
English iii rules powerpointafitzgee95
 

Andere mochten auch (18)

Juodosios Neli istorija
Juodosios Neli istorijaJuodosios Neli istorija
Juodosios Neli istorija
 
Cooll usersguide 3
Cooll usersguide 3Cooll usersguide 3
Cooll usersguide 3
 
Escape1
Escape1Escape1
Escape1
 
Zyeta profile
Zyeta profileZyeta profile
Zyeta profile
 
Presentasi RHK di Bali
Presentasi RHK di BaliPresentasi RHK di Bali
Presentasi RHK di Bali
 
Sweet pizza
Sweet pizzaSweet pizza
Sweet pizza
 
Mindtech Presentation
Mindtech PresentationMindtech Presentation
Mindtech Presentation
 
Assign, commit, and review - A developer’s guide to OpenStack contribution-20...
Assign, commit, and review - A developer’s guide to OpenStack contribution-20...Assign, commit, and review - A developer’s guide to OpenStack contribution-20...
Assign, commit, and review - A developer’s guide to OpenStack contribution-20...
 
Anna
AnnaAnna
Anna
 
MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016
MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016
MONTEFARMACO_INTERNO_Position_Paper_Lactoflorene_DEF_10112016
 
Mass, volume and density labs day 1
Mass, volume and density labs day 1Mass, volume and density labs day 1
Mass, volume and density labs day 1
 
Brazil in African agriculture - Lídia Cabral
Brazil in African agriculture - Lídia CabralBrazil in African agriculture - Lídia Cabral
Brazil in African agriculture - Lídia Cabral
 
There is no accidental DBA
There is no accidental DBAThere is no accidental DBA
There is no accidental DBA
 
Brazil in Africa - Kojo Amanor
Brazil in Africa - Kojo AmanorBrazil in Africa - Kojo Amanor
Brazil in Africa - Kojo Amanor
 
Verlichting
VerlichtingVerlichting
Verlichting
 
Resultados 2015 y metas para el 2016
Resultados 2015 y metas para el 2016Resultados 2015 y metas para el 2016
Resultados 2015 y metas para el 2016
 
English iii rules powerpoint
English iii rules powerpointEnglish iii rules powerpoint
English iii rules powerpoint
 
Ts 4783 1
Ts 4783 1Ts 4783 1
Ts 4783 1
 

Kürzlich hochgeladen

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Kürzlich hochgeladen (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

WordCamp 2012 WordPress Security: No Nonsense Edition

  • 1. WordPress Security: No Nonsense Edition Michael R. McNeill Power Users Track WordCamp Raleigh 2012 Saturday, November 3rd, 2012 @michaelrmcneill #WCRaleigh
  • 2. A little about myself... Lovely girlfriend, Allie, who is with me today. From Wilkesboro, NC, right below Boone, NC. First-Year at the University of North Carolina at Chapel Hill with an intended business major. GO HEELS! Owner of Connected Site Solutions and Partner in Digital Strategy Works. I LOVE WORDPRESS! I’ve been using it for almost 3 years now and I wouldn’t use anything else. I currently work for Apple, Inc. and I truly love both the product and relationship we create! I’ve worked on exciting and wide ranging projects, such as Black Enterprise Magazine, DVJ Media, WiredHoods,smallbiztechnology.com, and MAXI Promotion and Records. I’ve also contracted for DRS Technologies, the United States Department of the Defense, and numerous other companies. @michaelrmcneill #WCRaleigh
  • 3. A quick note... A question that is going to run through your head at some point and time in this presentation is “Why use WordPress when you have to do all this work to secure it?” The short answer to that is all web sites, content management systems, and web applications can and will have vulnerabilities. (Many of which are much, much, much, much worse than WordPress.) This presentation could scare you ****less, but this is really scary stuff. Sugarcoating it just makes it easier to ignore. @michaelrmcneill #WCRaleigh
  • 4. WordPress Security 101 First and foremost, congratulations on using WordPress! You’ve picked the most popular content management system on the planet! Security is taken very seriously in the WordPress community, but no matter what the contributors to the project do, there is always going to be someone attacking both documented and undocumented vulnerabilities on WordPress sites. Although there can be no guarantees of complete immunity, I’m going to help you do everything possible to secure all the sites you maintain. @michaelrmcneill #WCRaleigh
  • 6. Myth 1 WordPress is not secure.
  • 7. This is not true, the WordPress core is in fact very secure, and when an issue arrises, the core team is quick to patch the vulnerability, and push that to end users.
  • 8. Myth 2 Nobody would want to hack my* site. *clients included
  • 9. Most hacking attempts are automated and are rarely related to personal or political motives. Almost all the attacks I see have financial motives. Maybe you’re thinking, “I don’t have any sensitive information. What could they possibly steal from my site?” Emails, usernames, passwords. And even worse, your reputation.
  • 10. Myth 3 My WordPress site is 100% secure.
  • 11. No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.
  • 12. Myth 4 I only use themes and plugins from the WordPress repos, so they must be secure.
  • 13. Although WordPress plugins and themes are reviewed before being added, that doesn’t prevent them from having vulnerabilities and bugs. Even the best programmers make mistakes.
  • 14. Myth 5 I paid $35.00 for a premium theme from ThemeForest. Since it was “premium” it must be secure.
  • 15. If you purchase a theme from somewhere like ThemeForest, be weary. I’ve seen numerous themes from ThemeForest come with embedded malware in the code, infecting your and your client’s computer. If you do purchase a theme from ThemeForest or a site like it, throughly examine it to ensure that there is not any code that does not belong. When in doubt, contact a trusted developer.
  • 16. Myth 6 Updating WordPress core, plugins, and themes aren’t urgent. They can wait.
  • 17. You need to keep WordPress core, plugins, and themes updated at all times. Whenever a security update is released the entire internet can see what the problem is and how to exploit it. This obviously exposes any site that has not been updated.
  • 19. What does WordPress need to run? LAMP STACK Linux Apache MySQL PHP Operating Web Database Scripting System Server Server Language All of these can and do have numerous vulnerabilities. Keeping your own systems up to date is not an easy task, which is why most people (even myself) work with a web host to host their sites.
  • 20. Who is your Host? How do you connect to your server? Through FTP, SFTP, SSH, Plesk, cPanel, etc? What security does your host provide? Do they offer advanced services to provide further protection? What will your host do if you get hacked? Will they shut you down or lock your account? Does your host have a good track record? Does your host have 24/7 support? @michaelrmcneill #WCRaleigh
  • 21. How do we protect ourselves?
  • 22. PASSWORDS... Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many password generators are available that can be used to create secure passwords. Things to avoid when choosing a password: Any combination of your own real name, username, company name, or name of your website. A word from a dictionary, in any language. A short password. Any numeric-only or alphabetic-only password (a mixture of both is best). A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server and ruin your reputation. @michaelrmcneill #WCRaleigh
  • 23. Look to your computer... Make sure to have anti-malware software installed on your computer, no matter if it is Windows, Mac OS X, or Linux. ALL computers can get some type of malware, and that can lead to an infected site. Always keep your operating system and the software on it, especially your web browser and SFTP/SSH/FTP client, up to date in order to protect against security vulnerabilities.
  • 24. Connecting to your site... SFTP/SSH is greatly preferred over standard FTP. If you must use FTP, check if your host offers FTP-SSL. Your SFTP/SSH/FTP username and password SHOULD NOT be the same as your WordPress administration username or password. You don’t need to log in as the administrator/root user all the time. Less access means less to exploit. Use isolated SFTP/SSH/FTP accounts that can only access certain necessary parts of the site.
  • 25. User restrictions are important! Everyone DOES NOT need to be an administrator. Focus on the role that you are assigning users: only assign the role they NEED at the current time; you can always change their permissions later. Get rid of generic account names (e.g. admin, administrator, root, etc.) and use something custom. Create two accounts for yourself, one as an administrator account for managing and administering the site, and the other for common tasks. Everyone DOES NOT need to access the site via SFTP/SSH/FTP.
  • 26. Backup, Backup, Backup... You must back up your site! Your WordPress database contains every post, every comment and every link you have on your blog. If something goes wrong, you will lose everything you have ever written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal. You should be backing up at least once a week and storing one backup per month off the main web server (either your computer or a cloud storage provider like Amazon Web Services). Disaster will strike at some point and time and you need to be in a position to take action when it happens. Spending a few minutes to set up an easy, convenient backup of your site will make your life much easier in the long run.
  • 27. Kill PHP execution permissions. Try this in an .htaccess file in your ~/wp-includes/ and ~/wp-content/uploads/ folders. Be aware, it could break your theme and/or plugins, so try it and if it breaks anything, delete it.

```apache
# PROTECT PHP EXECUTION
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
```
  • 28. Disable Plugin/Theme Editing. Add this to your wp-config.php file before the “/* That's all, stop editing! Happy blogging. */” line.

```php
# Disable Plugin and Theme Editor
define('DISALLOW_FILE_EDIT', true);
```
  • 29. Move the wp-config.php file. To add an extra layer of protection, you can move the wp-config.php file up one directory. This protects you if your PHP handler gets broken or modified in some way, and will prevent your DB information from being exposed.
  • 30. Use salts. Use the online generator (https://api.wordpress.org/secret-key/1.1/salt/) to generate salts, and place them in your wp-config.php file. The values below are the example output shown on the slide; generate your own rather than reusing them.

```php
define('AUTH_KEY',         '=(jUjXE=,sZxY-+@_YX]OyDuo-`%}eQeQ jE-A-ZHo`A,B%*D+^3@~&5%X!>+&R+');
define('SECURE_AUTH_KEY',  '6e)tLmd#ogG8@|)A8UNhl%Ql+gNR++Frg,#am4_rWY9)bcT$uk]`g7`FA(2%AIn9');
define('LOGGED_IN_KEY',    'bkW+7S+-Fsk y&A|gl{D=|Yv3h,U5uj,72{0%/&~VD.um R/8VRzGM9_!?l])rw,');
define('NONCE_KEY',        'Y4 HXcx6t|3-2%&[/daW~V%QK<{KxH<|SVf|otwbh(9U-!RpY^7sbds+qWC4dISb');
define('AUTH_SALT',        'x[Tl$wtoJ]FKZawPiR&m%etK%.!N=8;?5?NUZO*g.mUL;6.v`biw+Z%DkL[2sp*&');
define('SECURE_AUTH_SALT', '~JO0w%;$jrM}<n1+T)R:lM1-+y;n7F86*5)JDe@YqdL]6I@<I9Ve8R[Y&Kz?H{O&');
define('LOGGED_IN_SALT',   'x6aoLDs:NO]%uF(N|G`iK{$#j.*&.0hL)C:C&dHwP*&X[k|h<oeI}b$b4l175/nB');
define('NONCE_SALT',       ' 9L[)xS=-<^YKV/d~JUA28Q]k;ibu#yB|%mMOG98:gwiD*`FZem%yHaq+NyyKD0<');
```
  • 31. Secure wp-includes. Place the code below outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file in ~/wp-includes/.

```apache
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
```
  • 32. Change the database prefix. Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks. You can change it with this plugin: http://wordpress.org/extend/plugins/db-prefix-change/. Once you use that plugin to change the prefix, go into your wp-config.php file and change the line below to reflect what you selected through the plugin.

```php
$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
```
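As an added example that is not from the slides, here is a small POSIX shell audit that checks a wp-config.php for the three settings from slides 28, 30 and 32 at once: the file-editor flag, keys and salts still at the stock placeholder, and the default wp_ table prefix. The function names and the sample configs it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the slides: audit a wp-config.php for the settings
# slides 28, 30 and 32 describe (file editor, salts, table prefix).
# Prints one finding per line; the return value is the number of findings.
audit_wp_config() {
    cfg="$1"; findings=0
    # Slide 28: the built-in plugin/theme editor should be disabled.
    if ! grep -Eq \
       "define[[:space:]]*\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "DISALLOW_FILE_EDIT is not defined as true"
        findings=$((findings + 1))
    fi
    # Slide 30: every key and salt must be replaced, not left at the stock placeholder.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! grep -q "'$key'" "$cfg" ||
           grep "'$key'" "$cfg" | grep -q 'put your unique phrase here'; then
            echo "$key is missing or still the default placeholder"
            findings=$((findings + 1))
        fi
    done
    # Slide 32: generic SQL-injection payloads assume the default wp_ prefix.
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$cfg"; then
        echo "table_prefix is still the default wp_"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: writes a "weak" or "hardened" wp-config.php to $2.
write_sample_config() {
    if [ "$1" = "weak" ]; then
        secret="put your unique phrase here"; prefix="wp_"; editor="// editor left enabled"
    else
        secret="EXAMPLE-not-a-real-salt"; prefix="k9v_"
        editor="define('DISALLOW_FILE_EDIT', true);"
    fi
    {
        echo "<?php"
        for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                   AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
            echo "define('$key', '$secret $key');"
        done
        echo "\$table_prefix = '$prefix';"
        echo "$editor"
    } > "$2"
}
```

Run `audit_wp_config /path/to/wp-config.php` against a real install; a return value of 0 means all three checks passed.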
  • 33. Implement CloudFlare. A little about CloudFlare: CloudFlare protects and accelerates any website online by taking control of your DNS and separating your DNS from your domain registrar. Once your website is a part of the CloudFlare community, its web traffic is routed through their intelligent global network. They automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. They also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.
  • 35. Wordfence (Pro Version - $17.95 per year) scans your site for viruses, malware, trojans, and malicious links, protects your site against scrapers, aggressive robots, and fake Googlebots, protects against brute force attacks, and much much more. Duo Two-Factor Mobile Authentication (first 10 users free, then $3.00 per user per month): Duo Security enables your users to secure their logins with their phones.
  • 36. VaultPress (Starts at $15.00 per month) VaultPress provides realtime, continuous backup and synchronization of every post, comment, media file, revision and dashboard setting. BackupBuddy (Starts at $75.00) Back up your entire WordPress installation and move it, store it, and restore it as much as you’d like!
  • 37. Know what to do if the inevitable happens... Stay calm! You are going to be upset, but panicking and being frantic about the situation just makes things worse. Visit these sites: http://codex.wordpress.org/FAQ_My_site_was_hacked and http://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/. If you are lost, or at any point and time feel uncomfortable with what you are doing, STOP and contact a professional (like myself) to get your issues resolved. It might cost a few pennies, but it will be worth avoiding the headache, wasted time, and frustration in the end.
  • 38. Who do you recommend I host with? I host all my sites with Media Temple, and I recommend for you to do the same. Because I trust them with my sites, you know you can trust them with yours. If you do decide to sign up here is a coupon code for 15% off (gs) Grid-Service (kirupa07). The link to sign up is here: http://bit.ly/RzXwDE (DISCLAIMER: this gives me affiliate credit.)
  • 39. Contact info. Michael R. McNeill Connected Site Solutions michael@michaelryanmcneill.com 336.818.9540