____________________________
copyright 2013 Site Shack Web Design
all rights reserved
Nashville native. Web site designer, developer. Writer.
Photographer. Traveler. Gardener. Internet aficionado.
First computer: Apple III (1985)
First Web site: 1994.
First Webmaster job: 1997 - 2000
Catholic Charities of the Archdiocese of San Francisco
Second Webmaster job: 2000 - 2004
Owen Graduate School of Management - Vanderbilt University
Opened Site Shack: 2004
www.site-shack.com
Owner, Site Shack Web Design
Your WordPress site is living in a high crime neighborhood.*
* Doesn’t matter if you’re on WordPress.com or using Wordpress.org.
Access is the key.
Think it won’t happen to you?
What makes WordPress so vulnerable to hacks?
WordPress is used by 54.8% of all the websites whose content
management system we know. This is 17.6% of all websites.
-- http://w3techs.com/technologies/details/cm-wordpress/all/all
How many times has Wordpress.org been downloaded?
http://wordpress.org/download/counter/
How do they get in?
Hacks are most often delivered through cheesy credentials, old
and/or evil software, themes, plugins + vulnerable scripts (such
as the “timthumb script”) and cheap, poor-security hosting
environments.
IMO: Most often the result of hackers exploiting
(it’s a no-brainer) really bad credentials:
WRONG:
Username: admin
Password: mypassword
Main Types of WordPress Hacks
Backdoors
Drive-by Downloads
Pharma Hacks
Malicious Redirects
Phishing
Defacements
Backdoors
A backdoor in a computer system is a method of bypassing normal
authentication to secure illegal remote access to a computer (or a
WordPress site).
Once they’re in, they will take over your site and the other sites
around you (including via other sites on a shared server with poor
security). Backdoored sites are sometimes used to build “BotNets” or “MalNets.”
The initial entry is typically made through compromised credentials or
a vulnerable plugin etc. Detecting the hack and cleaning the site may
not remove the backdoor.
Backdoors
Backdoors can have a full-fledged UI that allows the intruder to send emails as your
server, execute SQL queries, and do everything else they want to do. This is
basically the same thing as having a Control Panel on the Web site.
Why? It varies based on what the hacker does for a living. They might upload a
couple of phishing pages to the site. Phishing pages have a very short shelf life and
need to be regularly updated.
If they’re spammers, they’re getting paid to add links so they might come in and
add some pharma links on the sites they have access to.
Backdoor site access can provide opportunities for introducing any type of
malware. You can also be blacklisted by Google and other search engines and
servers.
Drive-by Downloads
Why? Once installed, malware delivered by a drive-by download can do a
number of different things: log keystrokes, scan the system for files of a personal
nature, herd the system into a botnet of similarly compromised machines, infect
the Web browser with a banking Trojan that hijacks online-banking sessions, and
install a "backdoor" that will let in even more malware.
The point of a drive-by download is often to download a payload onto your user’s
local machine. One of the most common payloads informs the user that their
website has been infected and that they need to install an anti-virus product.
The initial entry is typically made through compromised credentials
or SQL injection, in which a SQL command is slipped into a query that the
database then executes.
Pharma Hacks
The pharma hack is an exploit that takes advantage of vulnerabilities in WordPress
(or Joomla) Web sites to cause search engines (usually Google) to return ads for
pharmaceutical products (or other types of products and merchandise) along with
legitimate listings. It can be hard to detect because it may appear only at specific
times and does not affect the displayed pages of the compromised Web site. This
latter method is referred to as a “Google conditional hack.”
Attackers gain access via a backdoor or compromised credentials, comment or other
form injection.
It can take many months to recover from a pharma hack (the spam can be
regenerated from your database), so it is important that you find and remove the
hack as quickly as possible.
Pharma hacks are a multi-million dollar business.
They’re not about spreading malware, viruses etc.
Often used to increase ad impressions (not clicks) for Affiliate Marketing.
Malicious Redirects
A malicious redirect sends a user to a site promoting malware (“It looks like
your site has been compromised etc,” like a big old rootkit virus), unlike an
iframe injection, for example, which executes in your browser. Your entire site
gets redirected (not just a page or link) and at the same time, you may be
unable to log in.
You may be redirected to a site in Russia (Russian sites are popular destinations
for malicious redirects). These sites may be selling something, or may
be part of a larger MalNet (or BotNet) that is spreading malware.
One of the easier ones to clean.
Often found in your .htaccess file.
May be part of a backdoor, which points to a larger problem.
Defacements
Phishing
Other Ugly Hacks
How Can I Tell if I’ve Been Hacked?
Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any
weird titles, text or spam type results returned on your search. Obvious words: Viagra,
Vicodin, Dr. Dre’s headphones etc.
The Backup Buddy plugin has a scan-for-malware tool.
Google Webmaster Tools has a scan-for-malware tool.
Sucuri.net has a scan-for-malware tool that also tells you your blacklist status,
i.e., whether your site has been blacklisted.
The Proactive Approach
Oh, and by the way:
Do not log in to your WordPress site at your local coffee house over “http.”
More: How Can I Tell if I’ve Been Hacked?
• Displaying popups that you didn't implement.
• Displaying odd text in your footer or in the "View Source."
• Links to other sites or auto-linking of keywords that you didn't create links for.
• Seeing obfuscated / encoded text in plugins.
• Website redirecting (immediately or after a short length of time) to another URL.
• A friend calls/texts/emails you that your site is directing users to Dr. Dre’s
Headphones, or “performance enhancing” or pain medication drugs etc.
• Style sheet formatting has disappeared.
• You can’t log in to your wp-admin.
• New files appearing in the themes folder or anywhere else (look for a recent or
atypical date via FTP; when you open these pages, they may appear to contain
binary code.)
Uh oh. I think it’s too late.
Prevention and Protection
1. Before You Install: Map out your strategy
2. The Installation: Solid padlocks + lock your doors and windows
3. Advanced Security: Multiple locks + burglar bars + alarm systems + guard dog
Before You Install: Map out your Strategy
Do not use a “soup kitchen” host = high risk of cross-contamination.
Does your host disclose what software it’s running & what versions?
How often do they patch/upgrade?
What kind of security measures do they provide?
Do they provide backups? How often? Where?
Consider using a “Managed” WordPress host with malware scanning in place.
These include curated plugins.
Do not use any old free theme!
Vet your premium theme! (including that the version is appropriate)
Run a virus/malware check on it after you buy it.
Stay informed!
Don’t use 1-click install unless you are prepared to
go back and make some changes to the installation.
Before You Install: Map out Your Strategy (cont.)
Consider a sandbox site and test your backup and restore procedure -- more
than once. Then delete it before you forget about it.
BTW: Do you know where your backup is? Can you restore from it?
Optional but an excellent idea: Set up a monitor account:
http://www.sucuri.net
Think in terms of “Layered Defenses.”
The Installation: Solid padlocks and locked windows
Do NOT use “admin” for your user name.
Do NOT use a password that can be found in a dictionary or
that you’ve ever used anywhere else at any time.
Do NOT use sequential numbers and/or letters.
Your wp-admin AND your FTP password
should be at least 8-15 characters, for example:
MN&4^z%Kq94*BG6t
Get insanely complicated with your credentials.
Stop using FTP. Use SFTP -- call your host if you’re not sure about using SFTP.
The Installation: Solid padlocks + locked windows (cont.)
In your wp-config.php file: Salt your hashes, aka the “secret words.”
Do not use “wp” for your table prefix. Make up something non-sequential like “jnm.”
The wp-config.php file
If you use a server with .htaccess, you can put this in that file (at
the very top) to deny access to anyone surfing for wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
Folder permissions: 755
File permissions: 644
index.php: 666
wp-config.php: 600
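An added example (not from the slides) that checks an install against the three general rules above, folders 755, files 644 and wp-config.php 600, and lists every deviation. It assumes GNU find (for -printf); the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# audit_wp_perms ROOT
# Walks a WordPress install and prints one line per file or folder whose
# mode differs from the slide's baseline: folders 755, ordinary files 644,
# wp-config.php 600. Returns 0 when everything matches, 1 otherwise.
# Assumes GNU find (-printf). Paths come straight from find, so spaces in
# file names are handled.
audit_wp_perms() {
    root="$1"
    report=$(
        # Folders: anything but 755 is reported (777 is the classic mistake).
        find "$root" -type d -printf '%m %p\n' |
            awk '$1 != "755" {
                     print "DIR  " $1 " (want 755): " substr($0, length($1) + 2)
                 }'
        # Files: wp-config.php must be 600 (it holds DB credentials and salts),
        # everything else 644.
        find "$root" -type f -printf '%m %p\n' |
            awk '{
                     path = substr($0, length($1) + 2)
                     want = (path ~ /(^|\/)wp-config\.php$/) ? "600" : "644"
                 }
                 $1 != want {
                     print "FILE " $1 " (want " want "): " path
                 }'
    )
    if [ -z "$report" ]; then
        echo "OK: permissions match the baseline under $root"
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Example usage (placeholder path): audit_wp_perms /var/www/html
```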
The Installation: Solid padlocks + locked windows (cont.)
Remove themes and plugins that are not being used.
Use your Administrator accounts for Administrator work
(like setting up a new user). Use Editor, Author, Contributor and
Subscriber for their appropriate tasks.
Turn off trackbacks and pingbacks.
Comments ONLY when appropriate, with Akismet.
Check and set your folder and file permissions.
http://codex.wordpress.org/Changing_File_Permissions
Advanced Security:
Multiple locks + burglar bars + alarm system + guard dog
Use 2-factor authentication:
Already in place at Wordpress.com, but you can use Google 2-step
Authentication with Wordpress.org.
WP-app firewall plugins:
http://wordpress.org/extend/plugins/ose-firewall/
http://wordpress.org/extend/plugins/bulletproof-security/
http://wordpress.org/extend/plugins/wordfence/
The .htaccess file
There are many security modifications you can make to your .htaccess file.
http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-s
NOTE: .htaccess files (distributed configuration files) are processed first,
before any other code on your website. You can have as many .htaccess levels
as you want, but they're processed in order of directory tree depth.
Disable PHP execution in certain directories. Create a new .htaccess file
containing the following and upload it to your uploads and wp-includes folders:
<Files *.php>
deny from all
</Files>
Disable theme and plugin editing. In wp-config.php, add:
define('DISALLOW_FILE_EDIT', true);
Administration over SSL (you’ll need an SSL certificate).
Advanced Security:
Multiple locks + burglar bars + alarm system + guard dog (cont.)
IP Whitelist (uses .htaccess):
http://www.wpbeginner.com/wp-tutorials/how-to-limit-access-by-ip-to-your-wp-login-php-file-i
Cleaning & Remediation
1. Stay calm. You could make it worse by anxiously jumping in and trying to fix
the problem.
2. Scan your local machine / hard drive.
3. Scan your site. There are many good tools and WordPress plugins to help
with this. This will help identify the infected files and folder etc.
4. Check with your hosting provider. Call them. You can call them, yes?
5. You’ve already updated, changed all passwords?
6. Add new salts or “secret keys.”
7. Check your files. Start with your .htaccess file to begin looking for malicious
code.
Cleaning & Remediation (cont.)
WordPress (with some help) suggests:
1. Can you identify the type of hack? This may make the cleanup easier.
2. Run a fresh backup and then . . .
3. Restore from an older backup that you believe predates the hack.
4. No backup? Hmm. Seriously consider taking down and trashing the site.
5. Restored from backup? Change passwords again.
6. Secure your site with recommended security measures.
7. Do a post-mortem. How did this happen?
Compare your WordPress files to those in a clean install.
Open up files. Do you see something that refers to base64_decode? That’s at
least one part of the hack.
Can’t find the malware? Disable your plugins (rename the directory).
If the infection is in a plugin, the scan will show as clean.
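An added example (not from the slides) for the triage described here and in the "How Can I Tell" list: it lists PHP files under a WordPress root that carry the eval/base64_decode style of obfuscation, or that changed recently, so you know where to open files first. It assumes GNU find and grep; hits are leads to inspect, not a verdict, since some legitimate code also calls base64_decode.

```shell
#!/bin/sh
# scan_wp_suspects ROOT [DAYS]
# Prints "OBFUSC path" for PHP files that contain the obfuscation calls the
# slides point at (eval/base64_decode and their usual companions) and
# "RECENT path" for PHP files modified within the last DAYS days (default 7).
# Output is sorted and duplicate-free; one file can appear under both tags.
# Assumes GNU find and grep. Treat hits as leads to inspect, not as a verdict.
scan_wp_suspects() {
    root="$1"
    days="${2:-7}"
    # Function name must not be preceded by an identifier character, so
    # "my_base64_decode_wrapper(" does not match.
    pattern='(^|[^A-Za-z0-9_])(eval|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
    {
        # (a) Obfuscation markers. grep -l prints each matching file once; it
        # exits 1 for files without a match, which is not an error here.
        find "$root" -type f -name '*.php' -exec grep -lE "$pattern" {} + 2>/dev/null |
            sed 's/^/OBFUSC /'
        # (b) Files touched recently. Compare against your last legitimate
        # deploy; a fresh .php in uploads/ is the classic backdoor drop.
        find "$root" -type f -name '*.php' -mtime "-$days" |
            sed 's/^/RECENT /'
    } | sort -u
}

# count_wp_suspects ROOT [DAYS]: number of distinct flagged files.
count_wp_suspects() {
    scan_wp_suspects "$1" "${2:-7}" |
        awk '{ print substr($0, length($1) + 2) }' | sort -u | wc -l | tr -d ' '
}

# Example usage (placeholder path): scan_wp_suspects /var/www/html 7
```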
Have SSH root access?
http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
Cleaning & Remediation (cont.):
If all else fails (and before you torch the site): Hire someone:
http://www.stopthehacker.com
http://www.sucuri.net
http://www.sparktrust.com
Appendix
1. Main Types of WordPress Hacks
2. How Can I Tell I’ve Been Hacked?
3. Prevention and Protection
4. Cleaning & Remediation
Main Types of WordPress Hacks
http://blog.page.ly/2012/12/wordpress-security-an-infographic-on-common-malwar
http://blog.aw-snap.info/2011/02/pharmacy-hack.html
http://blog.aw-snap.info/p/example-of-backdoor-script.html
http://www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniq
How Can I Tell I’ve Been Hacked?
Do some scanning:
Use http://sitecheck.sucuri.net to run a scan to find malware and blacklist info.
http://aw-snap.info/file-viewer/ (allows you to scan from different User Agents)
WordPress Plugins:
http://wordpress.org/extend/plugins/sucuri-scanner/
http://wordpress.org/extend/plugins/gotmls/
http://wordpress.org/extend/plugins/wordfence/
Wordfence Security is a free enterprise class security plugin that includes a firewall,
anti-virus scanning, malicious URL scanning and live traffic including crawlers.
Wordfence is the only WordPress security plugin that can verify and repair your core,
theme and plugin files, even if you don't have backups.
Wordfence is now Multi-Site compatible.
Prevention and Protection
Map out a Strategy
Set up Google Webmaster Tools:
https://www.google.com/webmasters/tools/home?hl=en
Google Webmaster tools are an important resource for many reasons. But
for site security, one of their best features is their email notifications of
malware when it’s found on your site. As the verified site owner, you’ll be
notified by email if malware is detected.
Modifying the wp-config file:
http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
Setting up 2-step authentication for Wordpress.org:
http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
SSL setup info and tips from Yoast:
http://yoast.com/wordpress-ssl-setup/
Prevention and Protection
Multiple locks + burglar bars + alarm system + guard dog
Hire Sucuri to monitor your site
http://www.sucuri.net
Cleaning & Remediation
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://www.unmaskparasites.com/
http://www.unmaskparasites.com/malware-warning-guide/#request
http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Know command line and have SSH access?
https://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/
Cleaning up your site at Google:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
4. Cleaning & Remediation: Tools
http://www.stopbadware.org/request-review
StopBadware performs independent reviews of websites that are blacklisted
for badware by our data providers.
http://wordpress.org/extend/plugins/wordfence/
http://blog.aw-snap.info/2012/07/malware-removal-vendors.html
Recommended Managed WP Hosts
http://wpengine.com/
http://websynthesis.com (Yoast hosts here.)
http://page.ly
Miscellaneous Help
http://wp.smashingmagazine.com (Smashing Magazine WordPress site)
http://tonyonsecurity.com/ (Tony Perez’s blog; COO/CFO Sucuri)
https://www.badwarebusters.org/ (excellent forum on malware)
http://aw-snap.info/ (excellent hacked info and tools)
https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/
http://labs.sucuri.net/?malware (see what Sucuri picks up in its malware scans)
Using SFTP instead of FTP:
http://support.wpengine.com/sftp/
http://www.techblogistech.com/2012/03/enabling-sshsftp-updates-in-wordpress-on-amazon-ec2-and-centos/
Safe travels and happy trails with WordPress!
Judy Wilson
www.Site-Shack.com
Nashville, TN

Security + with WordPress.org Self-installation

  • 1. ____________________________ copyright 2013 Site Shack Web Design all rights reserved
  • 2. Nashville native. Web site designer, developer. Writer. Photographer. Traveler. Gardener. Internet aficionado. First computer: Apple III (1985) First Web site: 1994. First Webmaster job: 1997 - 2000 Catholic Charities of the Archdiocese of San Francisco Second Webmaster job: 2000 - 2004 Owen Graduate School of Management - Vanderbilt University Opened Site Shack: 2004 www.site-shack.com Owner, Site Shack Web Design
  • 3. Your WordPress site is living in a high crime neighborhood.* * Doesn’t matter if you’re on WordPress.com or using WordPress.org. Access is the key.
  • 4. Think it won’t happen to you?
  • 5.
  • 6. What makes WordPress so vulnerable to hacks? WordPress is used by 54.8% of all the websites whose content management system we know. This is 17.6% of all websites. -- http://w3techs.com/technologies/details/cm-wordpress/all/all How many times has WordPress.org been downloaded? http://wordpress.org/download/counter/
  • 7. How do they get in? Hacks are most often delivered through cheesy credentials, old and/or evil software, themes, plugins + vulnerable scripts (such as the “timthumb script”) and cheap, poor-security hosting environments. IMO: Most often the result of hackers exploiting (it’s a no-brainer) really bad credentials: WRONG: Username: admin Password: mypassword
  • 8. Main Types of WordPress Hacks: Backdoors, Drive-by Downloads, Pharma Hacks, Malicious Redirects, Phishing, Defacements
  • 9. Backdoors. A backdoor in a computer system is a method of bypassing normal authentication to secure illegal remote access to a computer (or a WordPress site). Once they’re in, they will take over your site and the other sites around you (including via other sites on a shared server with poor security). Sometimes used to create “BotNets” or “MalNets.” The initial entry is typically made through compromised credentials or a vulnerable plugin etc. Detecting the hack and cleaning the site may not remove the backdoor.
  • 10. Backdoors, cont. Backdoors can have a full-fledged UI that allows them to send emails as your server, execute SQL queries, and everything else they want to do. This is basically the same thing as having a Control Panel on the Web site. Why? It varies based on what the hacker does for a living. They might upload a couple of phishing pages to the site. Phishing pages have a very short shelf life and need to be regularly updated. If they’re spammers, they’re getting paid to add links, so they might come in and add some pharma links on the sites they have access to. Backdoor site access can provide opportunities for introducing any type of malware. You can also be blacklisted by Google and other search engines and servers.
  • 11. Drive-by Downloads Why? Once installed, malware delivered by a drive-by download can do a number of different things: log keystrokes, scan the system for files of a personal nature, herd the system into a botnet of similarly compromised machines, infect the Web browser with a banking Trojan that hijacks online-banking sessions, and install a "backdoor" that will let in even more malware. The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product. The initial entry is typically made through compromised credentials and SQL injection in which a SQL command can be inserted into the database.
  • 12. Pharma Hacks. The pharma hack is an exploit that takes advantage of vulnerabilities in WordPress (or Joomla) Web sites to cause search engines (usually Google) to return ads for pharmaceutical products (or other types of products and merchandise) along with legitimate listings. Attackers gain access via a backdoor or compromised credentials, comment or other form injection. Can be hard to detect because it may appear only at specific times and does not affect the displayed pages of the compromised Web site. This latter method is referred to as a “Google conditional hack.” Pharma hacks can be generated from your database; for this reason, it can take many months to recover from a pharma hack, so it is important that you find and remove the hack as quickly as possible. Pharma hacks are a multi-million dollar business. They’re not about spreading malware, viruses etc. Often used to increase ad impressions (not clicks) for Affiliate Marketing.
  • 13. Malicious Redirects. A malicious redirect sends a user to a site promoting malware (“It looks like your site has been compromised etc.” like a big old rootkit virus), unlike an iframe injection (for example) that executes in your browser. Your entire site gets redirected (not just a page or link) and at the same time, you may be unable to log in. You may be redirected to a site in Russia (Russian sites are popular destinations for malicious redirects). These sites may be selling something, or may be part of a larger MalNet (or BotNet) that is spreading malware. One of the easier ones to clean. Often found in your .htaccess file. May be part of a backdoor, which points to a larger problem.
  • 15. How Can I Tell if I’ve Been Hacked? The Proactive Approach: Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any weird titles, text or spam-type results returned on your search. Obvious words: Viagra, Vicodin, Dr. Dre’s headphones etc. The Backup Buddy plugin has a scan-for-malware tool. Google Webmaster Tools has a scan-for-malware tool. Sucuri.net has a scan-for-malware tool that also tells you your blacklist status, i.e., if your site has been blacklisted. Oh, and by the way: Do not log in to your WordPress site at your local coffee house over “http.”
  • 16. More: How Can I Tell if I’ve Been Hacked? Uh oh. I think it’s too late. • Displaying popups that you didn't implement. • Displaying odd text in your footer or in the "View Source." • Links to other sites or auto-linking of keywords that you didn't create links for. • Seeing obfuscated / encoded text in plugins. • Website redirecting (immediately or after a short length of time) to another URL. • A friend calls/texts/emails you that your site is directing users to Dr. Dre’s Headphones, or “performance enhancing” or pain medication drugs etc. • Style sheet formatting has disappeared. • You can’t log in to your wp-admin. • New files appearing in the themes folder or anywhere else (look for a recent or atypical date via FTP; when you open these pages, they may appear to contain binary code.)
  • 17. More: How Can I Tell if I’ve Been Hacked?
  • 18. More: How Can I Tell if I’ve Been Hacked?
  • 19. Prevention and Protection: 1. Before You Install: Map out your strategy 2. The Installation: Solid padlocks + lock your doors and windows 3. Advanced Security: Multiple locks + burglar bars + alarm systems + guard dog
  • 20. Before You Install: Map out your Strategy. Do not use a “soup kitchen” host = high risk of cross-contamination. Does your host disclose what software it's running & what versions? How often do they patch/upgrade? What kind of security measures do they provide? Do they provide backups? How often? Where? Consider using a “Managed” WordPress host with malware scanning in place. These include curated plugins. Do not use any old free theme! Vet your premium theme (including version appropriateness)! Run a virus/malware check on it after you buy it. Stay informed!
  • 21. Before You Install: Map out Your Strategy, cont. Don’t use 1-click install unless you are prepared to go back and make some changes to the installation. Consider a sandbox site and test your backup and restore procedure -- more than once. Then delete it before you forget about it. BTW: Do you know where your backup is? Can you restore from it? Optional but an excellent idea: Set up a monitor account: http://www.sucuri.net Think in terms of “Layered Defenses.”
  • 22. The Installation: Solid padlocks and locked windows. Do NOT use “admin” for your user name. Do NOT use a password that can be found in a dictionary or that you’ve ever used anywhere else at any time. Do NOT use sequential numbers and/or letters. Your wp-admin AND your FTP password should be at least 8-15 characters, for example MN&4^z%Kq94*BG6t. Get insanely complicated with your credentials. Stop using FTP. Use SFTP -- call your host if you’re not sure about using SFTP. (cont.)
  • 23. The Installation: Solid padlocks + locked windows, cont. In your wp-config.php file: Salt your hashes, aka the “secret words.” Do not use “wp” for your table prefix. Make up something non-sequential like “jnm.” The wp-config.php file: If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for wp-config.php: <files wp-config.php> order allow,deny deny from all </files>
  • 24. The Installation: Solid padlocks + locked windows, cont. Check and set your folder and file permissions: Folder permissions: 755. File permissions: 644. index.php: 666. wp-config.php: 600. http://codex.wordpress.org/Changing_File_Permissions Remove themes and plugins that are not being used. Use your Administrator accounts for Administrator work (like setting up a new user). Use Editor, Author, Contributor and Subscriber for their appropriate tasks. Turn off trackbacks and pingbacks. Comments ONLY when appropriate, with Akismet.
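Added here as an example (not from the slides): a small POSIX shell function that audits a WordPress tree against the 755 / 644 / 600 baseline on this slide and prints one line per file or folder that deviates, so the check can be repeated after every plugin or theme install instead of eyeballing an FTP listing. The install path in the usage comment is an assumption; the slide's index.php entry (666) is not special-cased.

```shell
#!/bin/sh
# Added example, not from the slides: report files and directories whose mode
# differs from the baseline the slide recommends (dirs 755, files 644,
# wp-config.php 600). Assumes POSIX sh and a find(1) with exact-mode -perm
# (GNU and BSD both have it). Prints nothing when everything matches.

audit_wp_perms() {
    root=$1

    # Directories whose mode is anything other than 755
    find "$root" -type d ! -perm 755 -print | sed 's|^|DIR   |'

    # Regular files (other than wp-config.php) whose mode is not 644
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print | sed 's|^|FILE  |'

    # wp-config.php holds the database credentials and the salts: it must be 600
    find "$root" -type f -name wp-config.php ! -perm 600 -print | sed 's|^|CONF  |'
}

# Usage (the path is an assumption): audit_wp_perms /var/www/html
# An empty result means nothing deviates; a 777 uploads folder or a stray
# world-writable PHP file shows up as a DIR or FILE line.
if [ $# -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

Run it once right after installation to get a clean baseline, and again whenever a plugin or the host's control panel has touched the tree; a new world-writable file under wp-content/uploads is exactly the kind of change the "new files appearing" bullet on slide 16 is about.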
  • 25. Advanced Security: Multiple locks + burglar bars + alarm system + guard dog. Use 2-factor authentication: Already in place at WordPress.com but you can use Google 2-step Authentication with WordPress.org. WP-app firewall: http://wordpress.org/extend/plugins/ose-firewall/ http://wordpress.org/extend/plugins/bulletproof-security/ http://wordpress.org/extend/plugins/wordfence/ The .htaccess file: There are many security modifications you can make to your .htaccess file. http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-s NOTE: .htaccess files (distributed configuration files) are processed first, before any other code on your website. (cont.)
  • 26. Advanced Security: Multiple locks + burglar bars + alarm system + guard dog, cont. Disable PHP execution in certain directories: Create a new .htaccess file containing <Files *.php> deny from all </Files> and upload it to your uploads and wp-includes folders. You can have as many .htaccess levels as you want, but they're processed in order of directory tree depth. Disable theme and plugin editing: In wp-config.php, add: define('DISALLOW_FILE_EDIT', true); Administration over SSL (You’ll need an SSL certificate). IP Whitelist (uses .htaccess): http://www.wpbeginner.com/wp-tutorials/how-to-limit-access-by-ip-to-your-wp-login-php-file-i
  • 27. Cleaning & Remediation. WordPress (with some help) suggests: 1. Stay calm. You could make it worse by anxiously jumping in and trying to fix the problem. 2. Scan your local machine / hard drive. 3. Scan your site. There are many good tools and WordPress plugins to help with this. This will help identify the infected files and folders etc. 4. Check with your hosting provider. Call them. You can call them, yes? 5. You’ve already updated, changed all passwords? 6. Add new salts or “secret keys.” 7. Check your files. Start with your .htaccess file to begin looking for malicious code.
  • 28. Cleaning & Remediation, cont. 1. Can you identify the type of hack? This may make the cleanup easier. 2. Run a fresh backup and then . . . 3. Restore from an older backup that you believe predates the hack. 4. No backup? Hmm. Seriously consider taking down and trashing the site. 5. Restored from backup? Change passwords again. 6. Secure your site with recommended security measures. 7. Do a post-mortem. How did this happen? Compare your WordPress files to those in a clean install. Open up files. Do you see something that refers to base64_decode? That’s at least one of the hacks. Can’t find the malware? Disable your plugins (rename the directory). If the infection is in a plugin, the scan will show as clean. Have SSH root access? http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
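The post-mortem step above (look for base64_decode, compare against a clean install, do it over SSH) as an added example, not from the slides or from WordPress: a POSIX shell function that lists PHP files containing common obfuscation strings, PHP files written in the last N days, and, when a clean copy of the same WordPress version is on hand, every file that differs from it. The indicator list and the paths in the usage comment are assumptions; the constructed sample in the test is a one-line stand-in for injected code, not a real payload.

```shell
#!/bin/sh
# Added example, not from the slides: first-pass triage of a hacked WordPress
# tree. Assumes POSIX sh, find(1), grep -E and diff(1).
# Output lines are prefixed SUSPECT, RECENT or DIFF so they can be sorted later.

# Indicator strings: an assumption, not a definitive signature. base64_decode
# is the one the slide names; eval, gzinflate and str_rot13 commonly travel
# with it. WordPress core uses base64_decode in a few legitimate files, so hits
# must be compared against a clean copy rather than deleted on sight.
WP_INDICATORS='base64_decode|gzinflate|str_rot13|eval ?\('

scan_wp_indicators() {
    root=$1
    days=${2:-7}     # how far back "recently modified" reaches, in days
    clean=$3         # optional: path to a clean install of the same version

    # PHP files that contain at least one indicator string
    find "$root" -type f -name '*.php' -exec grep -E -l -e "$WP_INDICATORS" {} + \
        | sed 's|^|SUSPECT |'

    # PHP files modified within the last $days days: injected code is usually new,
    # and a recent mtime on a core file that should never change is a red flag
    find "$root" -type f -name '*.php' -mtime "-$days" -print \
        | sed 's|^|RECENT  |'

    # Files that differ from, or exist only in one of, the two trees
    if [ -n "$clean" ]; then
        diff -rq "$clean" "$root" | sed 's|^|DIFF    |'
    fi
}

# Usage (paths are assumptions):
#   scan_wp_indicators /var/www/html 7 /tmp/wordpress-clean
if [ $# -gt 0 ]; then
    scan_wp_indicators "$@"
fi
```

Read the three lists together: a file that is SUSPECT, RECENT and DIFF at once (a new .php under wp-content/uploads, say) is where to start, while a SUSPECT hit that is absent from DIFF is core code that legitimately uses base64_decode. Clearing DIFF against a clean install of the same version is also the quickest way to confirm the "compare your WordPress files to those in a clean install" step is finished.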
  • 29. Cleaning & Remediation: If all else fails (and before you torch the site): Hire someone: http://www.stopthehacker.com http://www.sucuri.net http://www.sparktrust.com
  • 30. Appendix 1. Main Types of WordPress Hacks 2. How Can I Tell I’ve Been Hacked? 3. Prevention and Protection 4. Cleaning & Remediation
  • 31. Main Types of WordPress Hacks: http://blog.page.ly/2012/12/wordpress-security-an-infographic-on-common-malwar http://blog.aw-snap.info/2011/02/pharmacy-hack.html http://blog.aw-snap.info/p/example-of-backdoor-script.html http://www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniq
  • 32. How Can I Tell I’ve Been Hacked? Do some scanning: http://aw-snap.info/file-viewer/ allows you to scan from different User Agents. Use http://sitecheck.sucuri.net to run a scan to find malware and blacklist info. WordPress Plugins: http://wordpress.org/extend/plugins/sucuri-scanner/ http://wordpress.org/extend/plugins/gotmls/ http://wordpress.org/extend/plugins/wordfence/ Wordfence Security is a free enterprise-class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups. Wordfence is now Multi-Site compatible.
  • 33. Prevention and Protection: Map out a Strategy. Set up Google Webmaster Tools: https://www.google.com/webmasters/tools/home?hl=en Google Webmaster tools are an important resource for many reasons. But for site security, one of their best features is their email notifications of malware when it’s found on your site. As the verified site owner, you’ll be notified by email if malware is detected. http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html http://codex.wordpress.org/Hardening_WordPress
  • 34. Prevention and Protection: Multiple locks + burglar bars + alarm system + guard dog. Setting up 2-step authentication for WordPress.org: http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/ Modifying the wp-config file: http://codex.wordpress.org/Editing_wp-config.php http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor SSL setup info and tips from Yoast: http://yoast.com/wordpress-ssl-setup/ Hire Sucuri to monitor your site: http://www.sucuri.net
  • 35. Cleaning & Remediation: http://codex.wordpress.org/FAQ_My_site_was_hacked http://www.unmaskparasites.com/ http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html Know command line and have SSH access? https://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/ Cleaning up your site at Google: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
  • 36. 4. Cleaning & Remediation: Tools. http://www.unmaskparasites.com/malware-warning-guide/#request http://www.stopbadware.org/request-review StopBadware performs independent reviews of websites that are blacklisted for badware by our data providers. http://blog.aw-snap.info/2012/07/malware-removal-vendors.html http://wordpress.org/extend/plugins/wordfence/ Wordfence Security is a free enterprise-class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups. Wordfence is now Multi-Site compatible.
  • 38. Miscellaneous Help. Smashing Magazine WordPress site: http://wp.smashingmagazine.com Tony Perez’s blog (COO/CFO Sucuri): http://tonyonsecurity.com/ Excellent forum on malware: https://www.badwarebusters.org/ Excellent hacked info and tools: http://aw-snap.info/ https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/ ? See what Sucuri picks up in its malware scans: http://labs.sucuri.net/?malware Using SFTP instead of FTP: http://support.wpengine.com/sftp/ http://www.techblogistech.com/2012/03/enabling-sshsftp-updates-in-wordpress-on-amazon-ec2-and-centos/
  • 39. Safe travels and happy trails with WordPress! Judy Wilson www.Site-Shack.com Nashville, TN