This document discusses securing a WordPress installation. It begins by explaining that simply installing WordPress is not enough and leaves the site vulnerable to attacks. It discusses threats like brute force attacks, malware infections, and how passwords and administrative users need to be properly secured. The document provides tips on creating strong passwords, using different passwords for all accounts, and updating WordPress and plugins regularly to prevent security issues. It emphasizes the importance of security for a WordPress site.
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
1. WHERE’S THE BEEF?
Beefing Up Your WordPress Installation
Tammy Valgardson – Senior Web Developer
@tammalee
2. INTRODUCTION
Introduction
Absolutely true! It will only take five minutes
to download and install WordPress.
But then what?
3. INTRODUCTION
Introduction
If you set up your blog and walk away,
you leave yourself vulnerable to malicious activity!
Further Reading
WordPress Codex – Hardening WordPress
http://codex.wordpress.org/Hardening_WordPress
How To: Stop The Hacker By Hardening WordPress
http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
4. INTRODUCTION
What’s at Stake?
If you don’t follow password best practices your hacked WordPress account
could lead to other compromised accounts!
5. INTRODUCTION
What’s at Stake?
Shared hosting means more than just
sharing a server.
If one site gets hacked there is a chance
malware infecting one site can spread to
others on the same shared hosting
space!
6. INTRODUCTION
What’s at Stake?
If your site is compromised, and hackers get their way, your site will now
serve a nefarious purpose such as:
Redirect visitors to a web site that
will attempt to install malicious software.
Compromise a shared hosting (soup kitchen)
server and infect other web sites.
Phish for sensitive information.
Display spam to your visitors that you can’t see.
Hijack links to other sections of your web site, such as
‘Contact’, and send visitors to an entirely different site.
7. INTRODUCTION
What’s at Stake?
If your WordPress site is infected with malware it could be blacklisted by
Google and other search engines!
[ Source: http://www.malware-info.com/mal_faq_inject.html ]
8. THREATS EXPLAINED – BRUTE FORCE ATTACKS
a.k.a. When bored hackers with password cracking programs
decide to cruise for fun on a Friday night.
9. THREATS EXPLAINED – BRUTE FORCE ATTACKS
What is a brute force attack?
[ Source: http://www.inmotionhosting.com/support/website/wordpress/wordpress-security-preventing-brute-force-attacks-on-admin-login ]
10. THREATS EXPLAINED – BRUTE FORCE ATTACKS
How often do brute force attacks happen?
Brute force attacks happen all the time!
Peter Abraham over at DNI Dynamic Net, Inc. wrote on October 15, 2012 “If you asked me from
September 2012 forward, the answer would change dramatically with WordPress Brute Force
Attacks now exceeding 50% of all attacks being reported.”
[source: http://www.dynamicnet.net/2012/10/wordpress-brute-force-attacks/]
[ Source: http://freethegnu.wordpress.com/2010/09/22/yet-another-ssh-brute-force-attack-and-how-to-protect-against-it-with-iptables-and-sshguard/ ]
11. THREATS EXPLAINED – BRUTE FORCE ATTACKS
What’s the purpose of a brute force attack?
If your account has administrator permissions they can do all sorts of ‘fun’ things to your site.
One of the most common reasons for a brute force attack is to inject malware into your files or
database.
12. THREATS EXPLAINED - MALWARE
Not Firefly-related.
Not that I’d mind Captain Malcolm Reynolds getting into my
WordPress installation.
#fullfrontalnerdity
13. THREATS EXPLAINED - MALWARE
What is Malware?
Malware is software designed to harvest sensitive information or gain access to computer
systems. On a WordPress installation malware can be injected into your source code, database,
.htaccess files etc.
Malware hijacks the purpose of visiting your site for its
programmed agenda.
Who Creates Malware? Why?
What sort of person creates malware?
• Young programmers with something to prove
• Older, more experienced, virus writers who write malware professionally
• ‘Researchers’ who create malware as proof of concept projects
Why do people create malware?
• Petty theft
• Cybercrime
• Support for spammers
• Distributed network attacks
• Stealing electronic currency
• ...and many more.
[Source: http://www.securelist.com/en/threats/detect?chapter=72 ]
14. THREATS EXPLAINED - MALWARE
Malware - Backdoors
“A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc…”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]
Malware - Drive-by Downloads
“The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product...”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]
Malware – Malicious Redirects
“When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]
15. THREATS EXPLAINED - MALWARE
Malware – Pharma Hacks
“Pharma hack is one of the most prevalent infections around. It should not be confused with
malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re
found to be distributing SPAM, you run the risk of being flagged by Google…”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]
[ Source: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php ]
16. THREATS EXPLAINED - MALWARE
How does malware infect WordPress?
Old and outdated plugins, themes, and WordPress installations may have holes in their security that can be exploited.
Malware is injected into a file or your database, where it hijacks your visitors’ experience when they visit your web site. It’s written using a web language, usually PHP, JavaScript, Ruby, Perl, etc. Because WordPress is so widely distributed and open-source, there is not only an excellent chance there are outdated installations with security holes, but the code of those installations is free for a hacker to study.
Third-party plugins and themes may have backdoors coded into them that allow access to hackers. (e.g. the TimThumb hack)
[ Source: http://www.intechgrity.com/timthumb-vulerability-how-it-got-hacked-how-to-recover/# ]
17. THREATS EXPLAINED - MALWARE
How do I know I’m infected?
• Formatting/theme is altered
• You run a plugin that tells you
• Links/text have been inserted at the bottom of the website
• Warning in search results
• Browsing the website with Google Chrome results in a warning
Plugins that help scan your site
Sucuri Sitecheck Malware Scanner
http://wordpress.org/extend/plugins/sucuri-scanner/
WordFence Security
http://wordpress.org/extend/plugins/wordfence/ (Multi-site support in beta!)
18. THREATS EXPLAINED - MALWARE
How do I know I’m infected?
• Google Webmaster Tools messages [ www.google.com/webmasters/tools/ ]
• Google’s pretty good about notifying webmasters when it sees weird stuff going on.
Example:
Notice of Suspected Hacking on http://www.yourwebsite.com/
May 17, 2012
Dear owner or webmaster of http://www.yourwebsite.com/,
We are writing to let you know that some pages from
http://www.yourwebsite.com/ will be labeled as potentially
compromised in our search results. This is because some of your
pages contain content which may harm the quality and relevance of
our search results. It appears that these pages were created or
modified by a third party, who may have hacked all or part of your
site. Many times, they will upload files or modify existing ones,
which then show up as spam in our index.
The following are some example URLs which exhibit this behavior:
19. THREATS EXPLAINED - MALWARE
How do I get rid of Malware?
Scan your Web site for possible infections by using the free service below:
sitecheck.sucuri.net/scanner
If you have an infection, I highly recommend hiring Sucuri.net to
clean it up for you. They specialize in removing malware
infections and they’re quick, specialized, and inexpensive.
You could hire a developer to comb through your infected code, database, and
.htaccess files. However, most developers don’t specialize in malware removal
and when you pay an hourly rate for that inexperience you may be better off
hiring a specialist.
20. PASSWORDS & ADMINISTRATIVE USERS
If you’re starting to fall asleep, wake up!
This is the most important section I’ll be talking about today.
21. YOUR PASSWORD & ADMINISTRATIVE USERS
Creating your Password
When creating a password, do NOT use:
• Your birthdate, wedding anniversary, or dates of birth of your children or spouse
• Your name, username, company name, names of your children or spouse
• Your SIN number
• Only numbers or only letters
• A short, easy to remember, password
• The word, ‘password’. No, not even ‘password01’ or ‘password2012’
• No words found in a dictionary of any language (BUT WAIT! We’ll talk about multi-word passwords very soon!)
Further Reading
Common passwords to avoid
http://www.labnol.org/internet/common-passwords-to-avoid/14136/
Avoiding Common Passwords
http://www.passworddragon.com/avoid-common-passwords
22. YOUR PASSWORD & ADMINISTRATIVE USERS
Creating your Password
When creating a password, do use:
• At least 10 characters
• A mix of numbers, upper and lower case letters, and special characters
• A password you have never used before
• Have a system or mnemonic
Password Generator: www.StrongPasswordGenerator.com
Go to Password Meter to test the strength of your new password: www.PasswordMeter.com
Brute Force calculator: https://www.grc.com/haystack.htm
Further Reading
Salting Passwords
http://www.onextrapixel.com/2011/11/02/wordpress-security-how-to-secure-wordpress-thoroughly/
23. YOUR PASSWORD & ADMINISTRATIVE USERS
Creating your Password – Multi-word combo passwords
[ Source: http://xkcd.com/936/ ]
24. YOUR PASSWORD & ADMINISTRATIVE USERS
Multi-word combo passwords
Multi-word combo passwords are more likely to be remembered but there are a few things to consider:
• The words must be random
• The words must not relate
• Throw in upper & lower cases
• Throw in numbers
• Throw in special characters
“Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,...”
[ Source: http://www.nettechblog.com/yes-your-passwords-suck-hints-on-creating-solid-passwords/ ]
Test your password out
https://www.grc.com/haystack.htm
My coworker came up with and tested: Staple2Deers@dawn
And found it would take 1.34 billion trillion centuries to crack using brute force.
Further Reading
Which are more secure, multi-word passwords or passwords made using a combination of letters, numbers and symbols?
http://www.quora.com/Which-are-more-secure-multi-word-passwords-or-passwords-made-using-a-combination-of-letters-numbers-and-symbols
25. YOUR PASSWORD & ADMINISTRATIVE USERS
Remembering your Password
DO NOT store it in an obvious place!
• NOT on a sticky note on your monitor
• NOT in your daily planner
Use a Password Keeper
• www.keepass.info
• https://agilebits.com/OnePassword
• http://www.lastpass.com
Don’t Panic!
Password recovery is built into WordPress!
26. YOUR PASSWORD & ADMINISTRATIVE USERS
Password Recovery
Always keep your email up to date on your WordPress site!
27. YOUR PASSWORD & ADMINISTRATIVE USERS
Strong, Unique Passwords aren’t just for WordPress
The way you communicate with your web host should also be secure. You want strong
passwords for:
• Your cPanel user
• Your FTP user (which you should make different from your cPanel user)
• Your MySQL database user
• Your PHPMyAdmin user
Use SFTP to move files to your hosting space
Try to use SFTP for your file transfers. SFTP stands for Secure File Transfer Protocol and it uses encrypted SSH transport for its operations.
http://filezilla-project.org/
Every password should be different!
If you use a different password for every service you have accounts for, you minimize the amount of damage a hacker can do!
28. YOUR PASSWORD & ADMINISTRATIVE USERS
Administration Users
If you have an administrator-level user
named ‘Admin’ or ‘Administrator’
get rid of it!
Create a new administrator user
1. Log into WordPress as your current admin user
2. Create a new user
3. Give it a name other than Admin or Administrator
4. Assign your new user an ‘administrator’ role
Remove your old administrator user
1. Log into WordPress as your new admin
2. Go to Users and delete your old admin user
3. Or, set your old Admin user’s role to ‘subscriber’ and change the password to something ridiculously long and complex
29. YOUR PASSWORD & ADMINISTRATIVE USERS
Administration Users
You don’t need to write posts as an administrator! Keep your administrator user separate from your blog-writing user. Hackers can find your username from your posts.
If you go to Your Profile you can change what your name is displayed as. I recommend changing this from the default of your username to something else.
Clean up old admin accounts
If you’ve got old admin accounts sitting around – like ones that you’ve created for developers to work on your site with – remove them.
Not all of your users need to be administrators, either. If you have contributors to your site, test out various settings to see how much access they really need.
PASSWORD STRENGTH IS KEY!
The best security for your administration user is having a strong password.
Make sure you reset your admin passwords on a regular basis and make sure you haven't used that password elsewhere before!
31. UPDATES & HOUSEKEEPING
Updates
The majority of hacked WordPress sites
are not updated!
Updates include:
• Core WordPress files
• Themes
• Plugins
Outdated WordPress files, themes,
and plugins can have holes in security
that can be exploited by malware!
[ Source: WPbeginner.com ]
32. UPDATES & HOUSEKEEPING
Challenges to Updating
Theme hasn’t been coded according to WP best guidelines and the site breaks if you upgrade.
Plug-in has been abandoned by the developer and you’re afraid to update your core files or you continue using the plugin years after it’s been abandoned.
You’re afraid to update because you’re not very web-savvy.
Recommended Reading
WordPress Codex: Updating WordPress
http://codex.wordpress.org/Updating_WordPress
Abandoned Plugin Suggestion
Matt Jones (http://pluginchief.com/) suggests a plugin adoption program:
http://digwp.com/2012/10/abandoned-plugin-adoption-program/
33. UPDATES & HOUSEKEEPING
Backing up before updating
Using an SFTP program (filezilla-project.org), back up all your web files to your computer.
Using PHPMyAdmin or cPanel, back your database up.
Never leave .sql or other database backup files on your server!
http://vaultpress.com/
It’s not free but it’s highly recommended.
Update Now!
WordPress Codex: WordPress Backups
http://codex.wordpress.org/WordPress_Backups
34. UPDATES & HOUSEKEEPING
Safety First! Safe themes and plugins
Curtis McHale, who spoke at WordCamp Edmonton 2011 (you can view his slide show here: http://www.slideshare.net/curtismchale) is part of a team that checks themes submitted to the WordPress.org repository to make sure they are secure and well-formed.
If you are interested in joining the WordPress Theme Review Team: http://make.wordpress.org/themes/about/how-to-join-wptrt/ This page has a list of useful plugins that they use to examine a theme and may be useful for anyone developing their own theme.
http://www.woothemes.com/ – Has a good reputation for paid themes.
http://wordpress.org/extend/themes/ – Themes are vetted by teams of volunteers and are free.
Nothing is 100% un-hackable!
35. UPDATES & HOUSEKEEPING
Housekeeping
Don't leave files on your server that may give hackers information about your site or old code that may be exploitable:
• .sql backups
• readme files
• inactive plugins and themes
• phpinfo.php
Removing WordPress Version
Altering your functions.php file:
http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/
Further Reading
http://resources.infosecinstitute.com/hardening-wordpress/
http://wiki.dreamhost.com/Harden_WordPress
How to: Stop the Hacker by Hardening WP
http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
36. UPDATES & HOUSEKEEPING
Use a plugin to change your database prefix
Also this plugin can help you change your database prefix:
WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
I use this plugin to scan my site on a regular basis.
Manually change your database prefix
Change your database prefix
http://digwp.com/2010/10/change-database-prefix/
If you are setting up a new WordPress site the option is there to change your database prefix when you first set it up.
37. UPDATES & HOUSEKEEPING
The scary world of CHMOD
Check permissions of upload, upgrade, and backup directories
WordPress Codex – Changing File Permissions:
http://codex.wordpress.org/Changing_File_Permissions
If you change your permalink structure any customization on your .htaccess file may be overwritten!
Equally scary .htaccess!
.htaccess is a powerful file when used correctly! You can use it to secure:
• wp-config.php
• set up admin access from your IP only
• ban bad users
• stop directory browsing
• prevent access to /wp-content/
• protect your .htaccess file!
Protect Your WordPress Site with .htaccess
http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
Securing directories with .htaccess:
http://digwp.com/2012/09/secure-media-uploads/
How to Password Protect your WP Admin
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
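The .htaccess items listed on this slide, written out as an added example (not from the original slides or the linked tutorials). It uses the Apache 2.2 Order/Allow/Deny syntax current when this talk was given (Apache 2.4 accepts it via mod_access_compat, or translate to Require); the IP addresses are documentation-range placeholders standing in for your own static IP and for a visitor you want to ban.

```apache
# ---- /.htaccess (site root) ----
# Keep custom rules OUTSIDE the "# BEGIN WordPress ... # END WordPress" block,
# which WordPress rewrites whenever you change permalink settings.

# Stop directory browsing
Options -Indexes

# Do not serve wp-config.php (database credentials and salts live here)
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

# Protect the .htaccess / .htpasswd files themselves
<FilesMatch "^\.ht">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Ban a bad user by IP (198.51.100.77 is a placeholder address)
<Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from 198.51.100.77
</Limit>

# ---- /wp-admin/.htaccess ----
# Admin access from your own IP only (203.0.113.10 is a placeholder;
# list each address you administer from on its own "Allow from" line)
Order Deny,Allow
Deny from all
Allow from 203.0.113.10

# admin-ajax.php is used by front-end features for ordinary visitors,
# so leave it reachable from everywhere
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>

# ---- /wp-content/uploads/.htaccess ----
# Media uploads should never execute: refuse to serve any PHP file
# that ends up in the uploads directory, whatever its origin
<FilesMatch "\.(php|phtml|php[0-9])$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

After editing, load a page and the admin area from both an allowed and a non-allowed address to confirm the rules behave as intended before leaving them in place.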
38. HOSTING
Hosting
When it comes to hosting, you get what you pay for. $5/month hosting is cheap but it’s not terribly secure. You take your chances with shared hosting.
How to identify a good WordPress host?
A good WordPress host will mention what steps they take to provide you with a secure hosting environment or how they cater specifically to WordPress installations.
Sadly, many bloggers are paid to shill for hosting companies so you have to do your due diligence when it comes to picking a host.
Good Hosts (caveat emptor)
Recommended on WordPress.org
Bluehost: http://www.bluehost.com/
DreamHost: http://www.dreamhost.com/
Laughing Squid: http://laughingsquid.us/
Recommended by WooThemes
WPEngine: http://wpengine.com/
Examples of good hosts
Hardening WordPress on Dreamhost
http://wiki.dreamhost.com/Harden_WordPress
WP Engine’s list of disallowed plugins
http://support.wpengine.com/disallowed-plugins/
39. PLUG-INS
Plugins
Plugins are not the be all and end all when it comes to security.
That being said, here are some plugins you may find useful. Don’t use them all at once!
Brute Force Blocking
User Locker: http://wordpress.org/extend/plugins/user-locker/
Limit Login Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/
Malware Scanning / Blocking
Sucuri Sitecheck Malware Scanner: http://wordpress.org/extend/plugins/sucuri-scanner/
Block Bad Queries: http://wordpress.org/extend/plugins/block-bad-queries/
General Security
Wordfence Security: http://wordpress.org/extend/plugins/wordfence/
WP Security Scan: http://wordpress.org/extend/plugins/wp-security-scan/
40. CONCLUSION
In Conclusion
There are many more tips and tricks than what I’ve covered here but I’m trying to keep things simple.
Try as you might your security will never be perfect but the good news is you can easily make yourself less of a target by taking a few, simple, security precautions.
Knowing how to protect yourself is the first step towards a safe, secure WordPress site.
(The second step is to actually implement some of this advice.)
Recommended Reading
http://my.safaribooksonline.com/book/-/9781849512107
http://blog.sucuri.net/category/wordpress
http://codex.wordpress.org/Hardening_WordPress
http://blogvault.net/wordpress-security-1-securing-wp-config-php/
http://www.copyblogger.com/wordpress-website-security/
http://www.wpsecuritylock.com/dreamhost-one-click-wordpress-installed-timthumb-vulnerability-and-security-risks/
http://www.instantfundas.com/2011/12/quick-guide-to-secure-wordpress-setup.html
41. CREDIT WHERE CREDIT IS DUE
Credits:
Cow hide photo in title graphic by Sherrie Thai of ShaireProductions
http://www.flickr.com/photos/shaireproductions/3766840922/
Bashful Cow purchased from istockphoto.com
“Let’s have fun” scary graphic purchased from istockphoto.com
Herd Infection photo purchased from istockphoto.com
Social Media icons from respective social media web sites
‘Common passwords to avoid’ poster
http://www.etsy.com/listing/52531459/500-worst-passwords-poster-fold-down
Special thanks to:
Adriel Michaud @ TopDraw.com for his input
Sarah Sinfield @ KickPoint.ca for encouraging me
Curtis McHale @ CurtisMcHale.com for inspiring me
My partner who makes sure my fuzzy blanket supply never runs out