Learn the practical steps you'll need to take to safeguard your WordPress website against security hacks. Too late? Gain valuable information on clean-up and remediation. WordPress wizard Judy Wilson provides the information that'll keep you and your WordPress site safe and sound.
2. Judy Wilson
Owner, Site Shack Web Design
We've been designing and developing SEO-optimized websites and digital media in Nashville since January, 2004.
WordPress too? Yep. And WordPress training, tailored to your exact needs.
We are MyEMMA co-agents. We provide customized HTML Email Design and Account Management.
Our work is mobile-friendly.
Monday, June 17, 13
3. Your WordPress site is living in a high crime neighborhood.*
* Doesn't matter if you're on WordPress.com or using WordPress.org. Easy access is the key.
4. How do they get in?
Hacks are most often delivered through cheesy credentials, old and/or evil software, themes, plugins + old, vulnerable scripts (such as the "timthumb script") and cheap, poor-security hosting environments.
WRONG:
Username: admin
Password: mypassword
6. Before You Install: Map out your strategy
The Installation: Solid padlocks + lock your doors and windows
Advanced Security: Multiple locks + burglar bars + alarm systems + guard dog (see Appendix below)
7. Before You Install: Map out your Strategy
1. Good Host. Do not use a "soup kitchen" host = high risk of cross contamination.
2. Good Theme. Do not use any old free theme! Vet your premium theme (including that it is appropriate for your WordPress version). Run a virus/malware check on the theme after you download/buy it. Stay informed!
3. Good Plugins. Highly rated, updated often, check the WordPress repository, correspond to your version of WordPress.
4. Backup regularly (your host should of course do this also). See the plugin "Backup Buddy."
8. The Installation: Lock Your Doors and Windows
1. Do NOT use "admin" for your user name.
2. Do NOT use a password that can be found in a dictionary or that you've ever used anywhere else at any time.
3. Do NOT use sequential numbers and/or letters.
4. Hire Sucuri to monitor your site: www.sucuri.net
5. Use 2-factor authentication: Already in place at WordPress.com, but you can use Google 2-step Authentication with WordPress.org.
9. The Installation: Lock Your Doors and Windows
1. In your wp-config.php file: Salt your hashes, aka use the "secret words" (the unique keys and salts defined in wp-config.php).
2. Do not use "wp" for your table prefix. Make up something non-sequential like "jnm."
3. Stop using FTP. Use SFTP -- call your host if you're not sure about using SFTP. Note: There are multiple methods for FTP.
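Two of the wp-config.php items above (the default "wp_" table prefix and the secret keys/salts) can be checked mechanically, so here is an added shell audit for them; it is example code written for this page, not something from the deck or from WordPress itself. It also reports a missing DISALLOW_FILE_EDIT, the setting that the Codex "Disable the Plugin and Theme Editor" link in the Appendix describes. The two sample config files it writes are constructed for the demo; the placeholder string "put your unique phrase here" is what an untouched WordPress install ships with.

```shell
#!/bin/sh
# Added example, not from the original deck: a read-only audit of wp-config.php
# for the default table prefix, placeholder salts/secret keys, and the missing
# editor lock-out. Sample files are constructed below for the demonstration.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one finding per line. Returns 0 when nothing was found, 1 otherwise.
wp_config_audit() {
    cfg="$1"; found=0
    # Slide 9, item 2: the stock prefix is what canned SQL payloads assume.
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "$cfg: table prefix is still the default 'wp_'"; found=1
    fi
    # Slide 9, item 1: every key must exist and must not carry the installer's
    # placeholder, otherwise login cookies are signed with a publicly known value.
    for key in $WP_SALT_KEYS; do
        line=$(grep -E "define\(['\"]$key['\"]" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            echo "$cfg: $key is not defined"; found=1
        elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then
            echo "$cfg: $key still has the placeholder value"; found=1
        fi
    done
    # Codex link in the Appendix: without this, anyone holding an admin session
    # can write PHP into any theme or plugin straight from the dashboard.
    if ! grep -Eq "define\(['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "$cfg: DISALLOW_FILE_EDIT is not set to true"; found=1
    fi
    return $found
}

# Write two constructed samples into the given directory.
wp_config_write_samples() {
    dir="$1"
    # insecure.php: what a fresh, never-edited install looks like.
    {
        echo '<?php'
        for key in $WP_SALT_KEYS; do
            echo "define('$key', 'put your unique phrase here');"
        done
        echo "\$table_prefix = 'wp_';"
    } > "$dir/insecure.php"
    # hardened.php: the values are constructed demo strings, not real secrets.
    {
        echo '<?php'
        for key in $WP_SALT_KEYS; do
            echo "define('$key', 'constructed-demo-value-for-$key');"
        done
        echo "define('DISALLOW_FILE_EDIT', true);"
        echo "\$table_prefix = 'jnm_';"
    } > "$dir/hardened.php"
}

# Demonstration on the constructed samples.
demo=$(mktemp -d)
wp_config_write_samples "$demo"
echo "== insecure.php =="; wp_config_audit "$demo/insecure.php" || true
echo "== hardened.php =="; wp_config_audit "$demo/hardened.php" && echo "no findings"
rm -rf "$demo"
```

Run it against a real site with `wp_config_audit /path/to/wp-config.php`. Fresh keys and salts can be generated with the WordPress.org secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ and pasted over the placeholder lines; changing them invalidates every existing login cookie, which is exactly what you want after a compromise.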
10. The Installation: Lock Your Doors and Windows
1. Turn off trackbacks and pingbacks.
2. Comments ONLY when appropriate and always use Akismet.
3. Use your Administrator accounts for Administrator work (like setting up a new user). Use Editor, Author, Contributor and Subscriber for their appropriate tasks.
4. Remove themes and plugins that are not being used.
11. The Installation: Lock Your Doors and Windows
1. Confirm the correct folder permissions:
Folder permissions: 755
File permissions: 644
index.php: 666
wp-config.php: 600
2. Do you know where your backup is? Can you restore from it?
3. Consider a sandbox site and test your backup and restore procedure -- more than once. Then delete the website before you forget about it.
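The permission scheme on the slide is easy to get wrong by hand and drifts after every update or restore, so here is an added shell script (example code for this page, not from the deck) that applies it and then verifies it, so the check can be repeated. One deliberate deviation: index.php is kept at 644 with the other files instead of the 666 shown above, because a world-writable entry point on a shared host lets any other local process overwrite the file that serves every page. The sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original deck: apply and verify the slide-11
# permission scheme (directories 755, files 644, wp-config.php 600) on a
# WordPress document root. index.php is intentionally left at 644, not 666.

# Apply the scheme to every directory and file under the document root.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# List every path that deviates from the scheme; prints nothing when clean.
wp_perm_violations() {
    root="$1"
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 600
        fi
    } | sort
}

# Constructed sample tree with the kind of sloppy modes an FTP upload leaves.
wp_make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-content/themes/demo"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/wp-config.php"
    : > "$root/wp-content/themes/demo/style.css"
    chmod 777 "$root/wp-content"
    chmod 666 "$root/index.php"
    chmod 644 "$root/wp-config.php"
}

# Demonstration: show the deviations, fix them, show that none remain.
demo=$(mktemp -d)
wp_make_sample_tree "$demo"
echo "== before =="; wp_perm_violations "$demo"
wp_fix_perms "$demo"
echo "== after (expect no output) =="; wp_perm_violations "$demo"
rm -rf "$demo"
```

Run `wp_perm_violations /path/to/docroot` from cron or after each update; any output is something to look at. On hosts where PHP runs as a user other than the file owner, the uploads directory may need group-write for media uploads to work; adjust that one path deliberately rather than loosening the whole tree.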
12. Appendix
• Before You Install
• Recommended Hosts
• Advanced Security Techniques
• How Can I Tell I've Been Hacked?
• Cleaning and Remediation
• Miscellaneous Help
13. BEFORE YOU INSTALL
Setup Google Webmaster Tools:
Google Webmaster Tools are an important resource for many reasons. But for site security, one of their best features is their email notifications of malware when it's found on your site. As the verified site owner, you'll be notified by email if malware is detected.
https://www.google.com/webmasters/tools/home?hl=en
http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html
http://codex.wordpress.org/Hardening_WordPress
15. Advanced Security: Multiple locks + burglar bars + alarm system + guard dog
WP-app firewall:
http://wordpress.org/extend/plugins/ose-firewall/
http://wordpress.org/extend/plugins/bulletproof-security/
http://wordpress.org/extend/plugins/wordfence/
The .htaccess file: There are many security modifications you can make to your .htaccess file.
http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
NOTE: .htaccess files (distributed configuration files) are processed first, before any other code on your website.
16. Advanced Security: Multiple locks + burglar bars + alarm system + guard dog
Setting up 2-step authentication for WordPress.org:
http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
Modifying the wp-config file:
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
SSL setup info and tips from Yoast:
http://yoast.com/wordpress-ssl-setup/
17. How Can I Tell I've Been Hacked?
Do some scanning:
Use http://sitecheck.sucuri.net to run a scan to find malware and blacklist info.
http://aw-snap.info/file-viewer/ -- allows you to scan from different User Agents.
WordPress Plugins:
http://wordpress.org/extend/plugins/sucuri-scanner/
http://wordpress.org/extend/plugins/gotmls/
http://wordpress.org/extend/plugins/wordfence/
18. How Can I Tell I've Been Hacked?
Uh oh. I think it's too late.
• Displaying popups that you didn't implement.
• Displaying odd text in your footer or in the "View Source."
• Links to other sites or auto-linking of keywords that you didn't create links for.
• Seeing obfuscated / encoded text in plugins.
• Website redirecting (immediately or after a short length of time) to another URL.
• A friend calls/texts/emails you that your site is directing users to Dr. Dre's Headphones, or "performance enhancing" or pain medication drugs etc.
• Style sheet formatting has disappeared.
• You can't login to your wp-admin.
• New files appearing in themes folder or anywhere else (look for a recent or atypical date via FTP; when you open these pages, they may appear to contain binary code.)
19. Cleaning & Remediation:
WordPress (with some help) suggests:
1. Stay calm. You could make it worse by anxiously jumping in and trying to fix the problem.
2. Scan your local machine / hard drive.
3. Scan your site. There are many good tools and WordPress plugins to help with this. This will help identify the infected files and folders etc.
4. Check with your hosting provider. Call them. You can call them, yes?
5. You've already updated, changed all passwords?
6. Add new salts or "secret keys."
7. Check your files. Start with your .htaccess file to begin looking for malicious code.
Have SSH root access? http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
20. Cleaning & Remediation:
1. Can you identify the type of hack? This may make the cleanup easier.
2. Run a fresh backup and then . . .
3. Restore from an older backup that you believe predates the hack.
4. No backup? Hmm. Seriously consider taking down and trashing the site.
5. Restored from backup? Change passwords again.
6. Secure your site with recommended security measures.
7. Do a post-mortem. How did this happen?
8. Compare your WordPress files to those in a clean install. Open up files. Do you see something that refers to base64_decode? That's at least one piece of the hack.
9. Can't find the malware? Disable your plugins (rename the directory). If the infection is in a plugin, the scan will then show as clean.
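Step 8 above (compare against a clean install, look for base64_decode) and the "new files with a recent or atypical date" indicator from the How Can I Tell I've Been Hacked? slide are file-level checks, and doing them by hand across a whole install is where people miss things. Here is an added shell script that does both and combines them; it is example code written for this page, not from the deck or from WordPress. The clean and live trees it builds are constructed for the demo; in real use, "clean" is a fresh download of the same WordPress version and "live" is your document root. Two assumptions beyond the slide: eval( is added to the search pattern because it is the usual partner of an encoded payload, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the original deck: the file-level checks from the
# "hacked?" and remediation slides, scripted so they can be repeated.

# Step 8: PHP files that mention base64_decode (or eval, added here).
wp_obfuscation_hits() {
    find "$1" -type f -name '*.php' -exec grep -lE 'base64_decode|eval[[:space:]]*\(' {} + | sort
}

# Step 8: compare the live tree with a clean install of the same version.
# Output lines: "M path" (content differs), "+ path" (only on live),
# "- path" (missing from live).
wp_core_diff() {
    clean="$1"; live="$2"
    diff -rq "$clean" "$live" 2>/dev/null | awk -v c="$clean" -v l="$live" '
        function rel(p, b) { return substr(p, length(b) + 2) }
        $1 == "Files" && $5 == "differ" { print "M " rel($4, l) }
        $1 == "Only" {
            d = $3; sub(/:$/, "", d)
            if (index(d, l) == 1) { tag = "+"; base = l } else { tag = "-"; base = c }
            r = rel(d, base); if (r != "") r = r "/"
            print tag " " r $4
        }' | sort
}

# "Recent or atypical date": files modified in the last N days.
wp_recent_files() {
    find "$1" -type f -mtime -"$2" | sort
}

# Combine: a base64_decode hit in a file byte-identical to the clean install is
# core code, not malware. Report only hits in files that differ or are extra.
wp_triage() {
    clean="$1"; live="$2"
    changed=$(mktemp)
    wp_core_diff "$clean" "$live" | awk '$1 == "M" || $1 == "+" { print $2 }' > "$changed"
    wp_obfuscation_hits "$live" | while read -r f; do
        r=${f#"$live"/}
        grep -Fxq "$r" "$changed" && echo "$r"
    done
    rm -f "$changed"
}

# Constructed sample: identical clean/live trees, then two changes on live.
wp_make_sample_trees() {
    base="$1"
    for side in clean live; do
        mkdir -p "$base/$side/wp-includes" "$base/$side/wp-content/uploads"
        printf '<?php\nrequire "wp-blog-header.php";\n' > "$base/$side/index.php"
        printf '<?php\n$wp_version = "demo";\n' > "$base/$side/wp-includes/version.php"
        # Legitimate core use of base64_decode; must not be reported by triage.
        printf '<?php\n$body = base64_decode($chunk);\n' > "$base/$side/wp-includes/class-phpmailer.php"
        printf '<?php // Silence is golden.\n' > "$base/$side/wp-content/uploads/index.php"
    done
    # Live only: an encoded loader prepended to index.php and a dropped file.
    printf '<?php\neval(base64_decode("Q09OU1RSVUNURUQ="));\nrequire "wp-blog-header.php";\n' > "$base/live/index.php"
    printf '<?php\n$p = base64_decode("Q09OU1RSVUNURUQ=");\n' > "$base/live/wp-content/uploads/x.php"
    # Give one untouched core file an old timestamp, as on a real install.
    touch -t 201306010000 "$base/live/wp-includes/version.php"
}

# Demonstration on the constructed trees.
demo=$(mktemp -d)
wp_make_sample_trees "$demo"
echo "== changed vs clean =="; wp_core_diff "$demo/clean" "$demo/live"
echo "== encoded-payload hits worth a look =="; wp_triage "$demo/clean" "$demo/live"
echo "== modified in the last 30 days =="; wp_recent_files "$demo/live" 30
rm -rf "$demo"
```

The diff against a clean copy is the part that matters: WordPress core itself contains base64_decode in several files, so a bare grep produces noise, while a hit inside a file that differs from the clean install is worth opening. Files the script lists as "-" (present in the clean copy but missing on live) are also worth noting, since a cleanup that deletes core files leaves the site broken after the malware is gone.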
23. Cleaning & Remediation: Tools
http://www.unmaskparasites.com/malware-warning-guide/#request
http://www.stopbadware.org/request-review
StopBadware performs independent reviews of websites that are blacklisted for badware by our data providers.
http://blog.aw-snap.info/2012/07/malware-removal-vendors.html
http://wordpress.org/extend/plugins/wordfence/
Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups. Wordfence is now Multi-Site compatible.
24. Miscellaneous Help
http://blog.page.ly
http://wp.smashingmagazine.com (Smashing Magazine WordPress site)
http://tonyonsecurity.com/ (Tony Perez's blog; COO/CFO Sucuri)
https://www.badwarebusters.org/ (Excellent forum on malware)
http://aw-snap.info/ (Excellent hacked info and tools)
https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/?
http://labs.sucuri.net/?malware (See what Sucuri picks up in its malware scans.)
25. Safe travels and happy trails with WordPress!
Judy Wilson
www.Site-Shack.com
Nashville, TN
from site-shack