WORDPRESS SECURITY ESSENTIALS
Boulder Digital Arts Lunch, June 12, 2014
By Angela Bowman, Ask WP Girl
About me
• Hi! My name is Angela Bowman @askwpgirl
• WordPress Instructor at Boulder Digital Arts
• Started using WordPress in 2007
• Used to think: “After I build a site, my job is done.”
• Now I take a common-sense approach to security that isn’t overwhelming or super technical
Why do we need to have this talk?
• PHP and MySQL are not broken by design, but the WordPress stack built on them is the most widely deployed target on the web, and attackers probe it constantly
• MySQL: the database where all your content, users, and settings are stored
• PHP: the scripting language that WordPress, themes, and plugins use to read your data and render it in the browser
• Hackers exploit poorly written PHP (and other vulnerabilities) to inject content into your database and files, using nothing more than crafted URLs and form submissions sent from a browser
Why are you vulnerable? 
• Because your site is on the 
Internet 
• Because it’s easy to exploit 
known vulnerabilities 
• Because we are human, NOT Vulcan: we live by our beliefs rather than logic
WHAT DOES A HACKED FILE LOOK LIKE? UGLY!
VIAGRA ANYONE?
HACKED COMMENTS.PHP
A FILE THAT DOESN’T BELONG: COMMON.PHP
TIMTHUMB HACK
THE MYTHS WE LIVE BY
Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.
Myth #1
“WordPress is (is not) secure.”
Truth
• Both things are true!
• Old versions of WordPress are NOT secure
• The current WordPress version is secure; the danger is in whatever you haven’t updated
Myth #2 
“My site isn’t launched, so it can’t be hacked.” 
Truth
• You have an Internet presence the moment your domain resolves, even if none of your pages are indexed by Google yet
• You need to protect ALL installations of WordPress on your hosting account, even the ones you don’t use
• Attackers run automated scanners that request known vulnerable paths on every site they find, including paths for plugins you never installed
Myth #3 
“I only use plugins and themes from WordPress.org, 
so I am safe!” 
Truth 
• Plugins and themes are the #1 
way hackers gain access to your site 
• Why? From ProBlogger.com: 
“Experience and programming skills 
vary greatly, and so does the quality of 
their work. Even the best programmers 
make mistakes and all software contains 
bugs.”
Myth #4
“Updating my themes and plugins whenever I log in is good enough.”
Truth
• Exploits are published to the web as soon as a vulnerability is disclosed, often the same day as the fix
• Outdated versions of WordPress, themes, and plugins are vulnerable from that moment on
• The TimThumb image-resizer vulnerability (2011) was being mass-exploited on blogs within DAYS of disclosure, and sites that never updated are still being exploited through it
Myth #5
“My site is small. It’s not worth hacking.”
Truth
“… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.
“And, word to the wise, your girlfriend’s food blog should always be a top priority.”
http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
Myth # 6
“If I de-activate a theme or plugin, there is no risk.”
Truth
• De-activated themes and plugins are just as risky if they contain vulnerable code
• Their files stay on disk and can still be requested directly by URL; many exploits (TimThumb included) hit a plugin’s own PHP file without WordPress ever loading the plugin
Myth # 7
“If my site is compromised, I’ll find out right away!”
Truth
• Only if you use a site monitoring service or plugin, and even then, maybe
• Your site can be compromised for months before you find out
• Many hacks are invisible to human visitors and only shown to search-engine bots, so you may not know you’ve been hacked until your site is blacklisted
• Some hacks only redirect visitors arriving from search engines, so you won’t notice anything if you type a specific URL in directly
http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
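The hacked-file slides earlier show what injected code looks like, and Myth #7 adds that you usually won’t notice it. The script below is an added example for this page, not code from the talk or from WordPress: it walks an install and flags PHP files containing typical backdoor constructs, PHP files sitting in wp-content/uploads, and any file that is not in a manifest of what the install is supposed to contain (the common.php case). The manifest and the sample files are constructed inline for the demo; on a real site you would build the manifest from a clean download of the same WordPress, theme, and plugin versions. The regexes are heuristics that give you files to inspect by hand, not proof of compromise.

```python
"""Scan a WordPress install for common backdoor indicators.

Added example for this talk, not code from the slides or from WordPress.
The checks are heuristics: pattern matches are leads to inspect by hand,
and the manifest of expected files is assumed to come from a pristine copy
of the same WordPress/theme/plugin versions (here it is constructed inline).
"""
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5"}

# (label, regex) pairs typical of injected PHP. Heuristic, not exhaustive.
SUSPICIOUS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval of request parameter",
     re.compile(r"(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with /e (runs the replacement as code on PHP < 7)",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def scan_tree(root, manifest):
    """Return {relative_path: set(reasons)} for every file that looks wrong.

    root:     directory containing the WordPress install
    manifest: set of relative paths (posix style) that are supposed to exist
    """
    root = Path(root)
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, set()).add(reason)

    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in PHP_EXT
        if rel not in manifest:
            flag(rel, "not in manifest")            # the common.php case
        if is_php and rel.startswith("wp-content/uploads/"):
            flag(rel, "php in uploads")             # uploads should hold media only
        if is_php:
            text = path.read_text(errors="replace")
            for label, pattern in SUSPICIOUS:
                if pattern.search(text):
                    flag(rel, label)                # the hacked comments.php case
    return findings


# Constructed demo tree: one clean theme file, one theme file with an
# injected eval, a webshell dropped in uploads, and a file that doesn't belong.
DEMO_FILES = {
    "wp-content/themes/twentyfourteen/comments.php":
        "<?php if (post_password_required()) { return; } ?>\n<div id=\"comments\"></div>\n",
    "wp-content/themes/twentyfourteen/functions.php":
        "<?php\nfunction demo_setup() { add_theme_support('post-thumbnails'); }\n"
        "eval(base64_decode('ZWNobyAnaGFja2VkJzs='));\n",
    "wp-content/uploads/2014/06/photo.jpg": "JFIF placeholder, not a real image\n",
    "wp-content/uploads/2014/06/shell.php": "<?php @eval($_POST['c']); ?>\n",
    "wp-includes/common.php":
        "<?php if (isset($_GET['q'])) { include($_GET['q']); } ?>\n",
}
# The manifest knows only the files the legitimate install shipped with.
DEMO_MANIFEST = {
    "wp-content/themes/twentyfourteen/comments.php",
    "wp-content/themes/twentyfourteen/functions.php",
    "wp-content/uploads/2014/06/photo.jpg",
}


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in DEMO_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp, DEMO_MANIFEST)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(sorted(reasons))}")
```

Run it from a cron job or after every update and diff the output against the previous run; a new file or a new pattern hit is the signal that the monitoring myth warns you won’t get otherwise.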
Myth #8
“I can use a security plugin and that will cover me.”
Truth
• Some security plugins provide a useful layer of protection
• Security plugins run inside WordPress, so they won’t help much once an attacker has your login session, your passwords, or access to sensitive files
• Security plugins won’t help if the web hosting server itself is compromised
Myth # 9
“My passwords are good enough.”
Truth
“Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”
http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
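To put that quote into numbers, here is an added worked example (not from the slides or from the mandylionlabs calculator) that computes keyspace, entropy, and worst-case brute-force time for a few password policies, and generates a uniformly random password from the OS CSPRNG. The guess rates are assumptions for illustration: a rate-limited login form allows only a handful of guesses per second, while an offline attack on a stolen password hash can run billions per second on GPUs. The math assumes the password really is random; a dictionary word with a digit on the end has far less entropy than its length suggests.

```python
"""Keyspace, entropy and brute-force time for password policies.

Added example, not from the slides or the mandylionlabs calculator. The
guess rates are illustrative assumptions: a rate-limited WordPress login
form allows a few guesses per second, while an offline attack on a stolen
password hash can run billions of guesses per second on GPUs. The math
assumes a uniformly random password; a word from a dictionary with a
digit appended has far less entropy than its length suggests.
"""
import math
import secrets
import string

# Character sets a policy might draw from (sizes 26, 62, 94).
ALPHABETS = {
    "lowercase": string.ascii_lowercase,
    "alphanumeric": string.ascii_letters + string.digits,
    "printable ASCII": string.ascii_letters + string.digits + string.punctuation,
}

# (policy label, length, alphabet name)
POLICIES = [
    ("8 lowercase letters", 8, "lowercase"),
    ("8 alphanumeric", 8, "alphanumeric"),
    ("12 printable ASCII", 12, "printable ASCII"),
    ("20 printable ASCII", 20, "printable ASCII"),
]

ONLINE_RATE = 10          # guesses/s against a rate-limited login form (assumption)
OFFLINE_RATE = 1e10       # guesses/s against a leaked fast hash on GPUs (assumption)


def keyspace(length, alphabet_size):
    """Number of distinct passwords the policy allows."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random choice from the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password; the expected time is half this."""
    return keyspace(length, alphabet_size) / guesses_per_second


def crack_times(guesses_per_second):
    """{policy label: seconds to exhaust the keyspace at the given rate}."""
    return {
        label: seconds_to_exhaust(length, len(ALPHABETS[alphabet]), guesses_per_second)
        for label, length, alphabet in POLICIES
    }


def fmt_duration(seconds):
    """Human-readable duration for the table."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def generate_password(length=20, alphabet=ALPHABETS["printable ASCII"]):
    """Uniformly random password from the OS CSPRNG: the 'purely random'
    password the quote calls for. Keep it in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, length, alphabet in POLICIES:
        size = len(ALPHABETS[alphabet])
        print(f"{label:22} {entropy_bits(length, size):6.1f} bits  "
              f"online: {fmt_duration(seconds_to_exhaust(length, size, ONLINE_RATE)):>24}  "
              f"offline: {fmt_duration(seconds_to_exhaust(length, size, OFFLINE_RATE)):>24}")
    print("example random password:", generate_password())
```

The table makes the slide’s point concrete: eight lowercase letters fall in seconds to an offline attack, while 20 random printable characters exceed 128 bits and are out of reach at any rate. Online rate limiting (login lockouts, two-factor) only protects the left column; once a password hash leaks, only the entropy protects you.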
Myth #10
“If my site is hacked, my web host can restore it for me.”
Truth
• If you discover the hack quickly enough, your web host may have a backup of the site made before the hack
• Most hosts keep only one daily and one weekly backup, so a compromise that went unnoticed for a week is already in every copy
• Your host usually can’t tell you how you were hacked in the first place, so restoring a backup may simply put the same vulnerable files back
WHAT CAN YOU DO TO 
PROTECT YOUR SITE?
Options 
• Set up an altar to the WordPress Gods 
and do daily puja and offerings 
• Throw up your hands and cry 
• Drink another beer and try to forget 
• Delegate to Tony (Sucuri.net) 
• DIY using the following steps
1 – Secure Your Own Computer
• Why bother securing WordPress if you give the keys away?
• Run anti-virus software and keep it up to date
• Don’t log in over insecure or public Wi-Fi networks
• Use a Virtual Private Network when traveling (such as Astrill)
• Secure your home Wi-Fi network
• Be careful which sites you click on. More than 55,000 malicious web domains existed in 2011.
2 – Update to Current Versions
• Back up the database and files first
• Delete unused plugins and themes
• Update plugins first (check compatibility with your WordPress version)
• Update the theme (might be tricky if it was customized in place, since the update overwrites your edits)
• Update WordPress core
• If the site crashes after an update, rename the wp-content/plugins folder over FTP/SFTP; that disables every plugin at once so you can find the culprit
3 – Protect Login
• If “admin” is the administrative username, create a new administrator account, log out, log in as the new user, then delete the old “admin” user and attribute its posts/pages to the new account when WordPress asks
• Use strong, unique passwords on WordPress, FTP, hosting, and email:
• Online generator: http://www.pctools.com/guides/password/
• Track passwords: http://agilebits.com/products/1Password
3 – Protect Login, continued
• Enable two-factor (two-step) authentication using Google Authenticator:
http://wordpress.org/extend/plugins/google-authenticator/
http://askwpgirl.com/secure-wordpress-two-step-authentication/
• Log in over https:// so your password and session cookie aren’t sent in the clear (needs a dedicated SSL certificate for the domain, which is free with Business level web hosting at Host Gator)
4 – Backup Database and Uploads
• Use a backup plugin or service:
• Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php
• BackWPUp: https://wordpress.org/plugins/backwpup/
• VaultPress.com – backup, one-click restore, and site monitoring
• Back up the database (daily or weekly) and the full site (weekly or monthly)
• Store backups on a remote server (e.g. Amazon S3), not only on the hosting account that could itself be compromised
• At minimum, back up the database and the wp-content folder (themes, plugins, uploads); WordPress core can always be re-downloaded
5 – Install Security Plugins
• Install Wordfence: http://wordpress.org/extend/plugins/wordfence/
• Settings: http://optimwise.com/wordfence-security-plugin-wordpress-firewall-anti-malware/
6 – Create a Maintenance Plan 
• Update sites frequently (as updates available) 
• Use Infinite WP to manage multiple sites from a single 
control panel: http://infinitewp.com/
7 – Best Practices
• Don’t allow users to register (Settings > General)
• Always hold comments for moderation and use spam filtering (e.g. Akismet)
• Don’t use your username as your Display Name, or every post publishes half of your login credentials
• Use SFTP for file transfers and secure SMTP for email (ask your web host)
7 – Best Practices, continued
• Turn off pingbacks/trackbacks (Settings > Discussion)
• Host the site with a good web host
• Use plugins and themes with caution: pick ones that are recently updated and actively maintained. Delete unused ones, but keep one default Twenty* theme installed as a fallback.
• Submit sites to Google Webmaster Tools and turn ON email notifications:
http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
Summary 
• Update, update, update! 
• Use caution w/ plugins and themes, delete unused 
• Strong usernames and passwords 
• Backup! Today! 
• Be a smart web user
If you get hacked…
• Contact your web host and see if they can restore the site from a backup (don’t rely on this)
• Contact sucuri.net to scan and clean the hack
• Change all passwords (WordPress, FTP, hosting, database, email) and regenerate the authentication keys and salts in wp-config.php, which logs out every session, including the attacker’s
• Check blacklisting status (Google Webmaster Tools, Sucuri) and request a review once the site is clean
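Resetting the keys and salts by hand means pasting eight new define() lines into wp-config.php. The script below is an added example for this page, not from the talk or from WordPress, that does the rotation: it rewrites the eight standard constants in place, appends any that are missing just above the “stop editing” marker, and draws the values from the OS CSPRNG. The sample wp-config.php and the SALT_CHARS alphabet are assumptions made for the demo; run it against a copy of your real file and review the diff before uploading.

```python
"""Rotate the authentication keys and salts in wp-config.php.

Added example, not from the slides or from WordPress itself. WordPress signs
login cookies and nonces with these eight constants, so replacing them
invalidates every existing session, including any the attacker still holds.
Assumes the standard define('NAME', 'value'); lines written by the WordPress
installer; the sample config below is constructed for the demo.
"""
import re
import secrets
import string

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# No quotes or backslashes, so a value is safe inside a single-quoted PHP string.
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"

_DEFINE = re.compile(
    r"define\(\s*['\"](" + "|".join(SALT_NAMES) + r")['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\);"
)
STOP_MARKER = "/* That's all, stop editing!"


def new_salt(length=64):
    """64 characters from the OS CSPRNG, the length the WordPress.org generator uses."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def extract_salts(config_text):
    """{constant name: current value} for the salts present in the file."""
    return {m.group(1): m.group(2) for m in _DEFINE.finditer(config_text)}


def rotate_salts(config_text):
    """Return (new_config_text, {'replaced': [...], 'appended': [...]}).

    Existing define() lines are rewritten in place. Any of the eight that are
    missing are appended just above the 'stop editing' marker (or at the end)
    so that every key is set explicitly.
    """
    replaced = []

    def substitute(match):
        replaced.append(match.group(1))
        return f"define('{match.group(1)}', '{new_salt()}');"

    new_text = _DEFINE.sub(substitute, config_text)
    appended = [name for name in SALT_NAMES if name not in replaced]
    if appended:
        block = "".join(f"define('{name}', '{new_salt()}');\n" for name in appended)
        if STOP_MARKER in new_text:
            new_text = new_text.replace(STOP_MARKER, block + STOP_MARKER, 1)
        else:
            new_text = new_text.rstrip("\n") + "\n" + block
    return new_text, {"replaced": replaced, "appended": appended}


# Constructed sample: installer placeholders still in place and NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_demo');
define('DB_USER', 'wp_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    text, info = rotate_salts(SAMPLE_CONFIG)
    print(text)
    print("replaced:", info["replaced"], "appended:", info["appended"])
```

Rotate the salts after changing passwords, not before: the new values log everyone out, and if the attacker still knows a password they simply log back in.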
Resources
• Hacked: http://wordpress.org/tags/hacked
• Malware: http://wordpress.org/tags/malware
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/WordPress_Backups
• http://codex.wordpress.org/FAQ_My_site_was_hacked
• wpsecuritylock.com – resources and services for securing sites
• sucuri.net – free scan, hack recovery, site monitoring
• Wpsecuritychecklist.com – off-site monitoring
Contact 
• Angela Bowman 
askwpgirl.com 
moongoosedesigns.com 
• 303.931.8191 
angela@askwpgirl.com 
twitter.com/askwpgirl 
facebook.com/askwpgirl.com
