WordPress Security

Presented at WordCamp Orlando 2012

David Parsons

December 01, 2012

Transcript

  1. About
     • David Justice Parsons III • Coder • Developer • Open Sourcer • davidparsons.me • @david_j_parsons • [email protected] Saturday, December 1, 12
  2. The Life of a Hacker
     • 1. Reconnaissance • 2. Scanning • 3. Gain Access • 4. Secure Access • 5. Cover Tracks
  3. Some Examples of WordPress Vulnerabilities
     • TimThumb (PHP image library used in many themes and plugins) • Uploadify (jQuery plugin used by many themes and plugins) • Other plugins: Adserve, WassUp, Is Human • User error (writing bad code) • Pre-written exploits • You want to secure your sensitive files
  4. Possible Vulnerabilities
     • Your server (hosting) • Your OS and Wi-Fi • Passwords • PHP & SQL database • WordPress • Plugins, themes, and custom code • Yourself
  5. Your First Defense - Your Hosting
     • Are they staying up to date? (Linux, Apache, MySQL, and PHP versions) • Are they quick to respond to security problems? • Is the support good? • Do they back up? • How many hosting accounts are on each server? • Is security a big deal to them?
  6. How are you updating your server?
     • You are usually connecting to your site via some application bought or built by your hosting company • cPanel • FTP vs SFTP vs SSH • You run these applications through your operating system (OS)
  7. Your OS
     • Hope you’re not using Windows XP • Allow-by-default • Open source is awesome • Linux - Ubuntu is my suggestion • Macs • Windows Vista & 7
  8. Securing the OS
     • Keep everything up to date and backed up • Use WPA2 • Windows’ new User Account Control (Vista and Windows 7) • You may want to consider Comodo Internet Security (comodo.com) • Two-way firewall (checks incoming and outgoing traffic) • Antivirus (known threats), HIPS & behavioral scanner (finds new threats) • Run untrusted applications in a sandbox
  9. Secure Applications
     • FileZilla - SFTP • Firefox • OpenOffice • PuTTY - SSH connection • Thunderbird • Local WordPress • XAMPP for Windows and MAMP for Mac
  10. Passwords
     • Let’s stop those brute-force attempts • Lowercase letters • Uppercase letters • Numbers • Special characters
  11. PHP and SQL Database Security
     • Stay updated! • This is mostly up to your host!
  12. Securing WordPress (Install) - ‘admin’
     • Many scripts/attacks target the default ‘admin’ and ‘root’ usernames • Don’t use the username admin when installing • If already installed: • Create a new user with admin privileges • Demote the old admin account to subscriber • Delete ‘admin’ • Change your new admin account’s display name to something different
  13. Securing WordPress (Install) - Change Database Table Prefix
     • Defaults to “wp_” • Change that to anything else • Makes SQL injection a little trickier for them
  14. Securing WordPress (Install) - File Changes
     • Delete wp-admin/install.php • wp-config.php (add secret keys) • api.wordpress.org/secret-key/1.1/
  15. Securing WordPress (After Install) - File Permissions
     • Change the directory privileges • 755 for directories and 644 for files
  16. Securing WordPress (After Install) - Lock Down the WordPress Login
     • Secure wp-login • Encrypt the computer-to-server connection with SSH / an SSL certificate • FTP vs SFTP vs SSH • ssh -p 54321 [email protected] • mod_access and .htaccess (terminal --> nano /path/to/wp-root/wp-admin/.htaccess):
        order deny,allow
        deny from all
        allow from <your-ip-address>
  17. Securing WordPress (After Install) - Update
     • Keep everything up to date • Browser • WordPress • Plugins • Themes
  18. Securing WordPress (Advanced)
     • Get an SSL certificate (HTTPS) for wp-admin • So your login cookies can’t be sniffed on the network • Can be a self-signed certificate • .htaccess • Restrict login to only the computers you use
  19. Securing WordPress (Advanced) - Hack or Be Hacked!
     • Applications • HTTrack - http://httrack.com (examine your site locally) • Maltego - http://paterva.com (map out relational references fast) • SiteDigger - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx (checks your site against the hacking database)
  20. Securing WordPress (Advanced) - Mapping Out Your Network!
     • Nmap - http://nmap.org • nmap -sP 192.168.1.1-254 (ping sweep: finds which hosts are up) • nmap -sS 192.168.1.127 (checks open and closed ports) • nmap -sV 192.168.1.127 (service and version details for the open ports) • Other scanners • Angry IP Scanner, Sam Spade, SuperScan • Paid option - Nessus ($1200/year) - http://nessus.org/nessus
  21. Securing WordPress (Advanced) - Backups
     • What to back up? • Back up the database • Back up the files
  22. Plugins, Themes, and 3rd Party Code
     • Make sure all plugin and theme directories have an index.php in them • If not, add one • Delete plugins you are not using • They waste bandwidth and weaken security
  23. Protecting Yourself
     • Don’t use the same password for everything • Where you can be found: • google.com, groups.google.com, earth.google.com, maps.google.com, google.com/streetview, archive.org, ixquick.com, aboutus.org, alexa.com, linkedin.com, facebook.com, pipl.com, blackbookonline.com, who.is • Google search • site:somesitename.com “wordpress version” 2.9.2
  24. What if we can’t stop them
     • Most likely this is because your threat is way too high • Risk = Vulnerability * Threat • Backup!!! • Database - WP-DB-Backup • Images & theme - WordPress Backup
  25. What if we can’t stop them - Restore
     • Need to start from fresh code if hacked • Save wp-config.php and wp-content/uploads • Reinstall data from backups • Back up the following: • Database, media, custom theme, custom plugins, wp-config.php, 3rd party code
  26. Developer Security
     • Use the API, nonces, and validation handlers • Escape! --> esc_*() • esc_html() • esc_attr() • esc_sql() • esc_url() and esc_url_raw() • esc_js()
  27. Let’s Do This (1) - Login Lockdown
     • I would just install a plugin for this one!
  28. Let’s Do This (2) - Backup!
     • What to back up? • Back up the database • Back up files • Plugins • BackWPup • VaultPress • By hand? - scp -rpP 54321 [email protected]:/path/... ~/backup
  29. Let’s Do This (3) - Destroy Admin!
     • You can now specify the ‘admin’ name in the install! • Rename admin through the command line or just demote privileges:
        UPDATE wp_users SET user_login = 'username' WHERE user_login = 'admin';
     • Or just use phpMyAdmin • Change the ‘admin’ display name • Users: Super Admin, Administrator, Editor, Author, Contributor, Subscriber
  30. Let’s Do This (3) - More about users
     • Set custom roles • Plugin - Role Scoper • Plugin 2 - User Access Manager • Some other options: • Deny subscribers (not just anyone can register)
  31. Let’s Do This (4) - Change Permissions
     • 755 for directories and 644 for files • Command line:
        find /full/path-to-wordpress -type d -exec chmod 755 {} \;
        find /full/path-to-wordpress -type f -exec chmod 644 {} \;
     • wp-config.php permissions • Set to 750 (denies all access to anyone outside the owner and group)
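Slides 15 and 31 give the permission layout as two find commands. The script below, added here as an example and not part of the deck, applies those commands and then verifies the whole tree, so the check can be rerun after an update or a plugin install to catch files that came back with the wrong mode. The function names wp_harden_perms and wp_check_perms and the /var/www/wordpress path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the deck): apply the 755/644 layout and verify it.
# Function names and the default path below are assumptions.

# Apply the deck's permissions: 755 for directories, 644 for files,
# and 750 on wp-config.php so "other" cannot read the DB credentials.
wp_harden_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # Done last, because the file pass above just reset it to 644.
    if [ -f "$root/wp-config.php" ]; then
        chmod 750 "$root/wp-config.php"
    fi
}

# Report every path whose mode bits differ from the expected layout.
# Prints the offenders and returns 1 if there are any, 0 if the tree is clean.
wp_check_perms() {
    root=$1
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -type f -name wp-config.php ! -perm 750
    } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage (assumed path): check first, harden only if something is off.
# wp_check_perms /var/www/wordpress || wp_harden_perms /var/www/wordpress
```

With wp-config.php at 750 the web server process must own the file or belong to its group, otherwise PHP can no longer read the database credentials; the check confirms the mode bits only, not that the owner and group are right, so verify those by hand before relying on 750.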
  32. Let’s Do This (5) - Hide the WordPress Version
     • This is currently in your WordPress install:
        <meta name="generator" content="WordPress 3.0.2" />
     • Let’s fix this:
        <?php
        function hide_version() { return ''; }
        add_filter('the_generator', 'hide_version');
        ?>
  33. Let’s Do This (5) - More on Hiding WP Version
     • Go to http://yoursite.com/readme.html • It has useful info on how to work with WordPress • But it’s bad for security (it displays the WordPress version) • Cloaking the login page and the version: • wp-login.php (ver='20100601') • Why not move wp-login?
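Slides 32 and 33 name two places the version leaks: the generator meta tag and the ver= query string appended to core scripts and styles. The shell function below, an added example and not from the deck, scans a saved copy of a page (for instance one from the HTTrack mirror mentioned on slide 19) for both patterns, so you can confirm that the the_generator filter on slide 32 took effect and see what still leaks afterwards. The function name, the sample page and the example.com host are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the deck): find WordPress version leaks in a saved page.
# wp_version_leaks and the sample page below are constructed for this example.

# Print every version leak found in an HTML file and return 1 if there is any:
#   - the generator meta tag that the deck's the_generator filter removes
#   - ?ver=<version> on wp-includes scripts and styles, which can reveal the
#     core version even after the meta tag is gone
wp_version_leaks() {
    file=$1
    leaks=$(grep -oE 'content="WordPress[^"]*"|wp-includes/[^" ]*\?ver=[0-9][0-9.]*' "$file" || true)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed sample page: roughly what an unhardened install sends.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 3.0.2" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
<link rel="stylesheet" href="http://example.com/wp-includes/css/editor.css?ver=3.0.2" />
</head><body></body></html>
EOF
}

# Usage: write_sample_page /tmp/page.html; wp_version_leaks /tmp/page.html
```

Run it against the mirrored copy of each template type (front page, single post, login page) rather than the home page alone, since different templates enqueue different assets; a clean result means the page no longer advertises the version, not that the install is up to date.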
  34. Let’s Do This (7) - Destroy Default ‘wp_’ database prefix
     • Examples: wp_options, wp_posts, wp_users • I would go with whatever your host suggests • Option 1 - phpMyAdmin • wp-config.php changes: change $table_prefix = 'wp_'; to $table_prefix = 'newPrefix_'; • Option 2 - plugin (WP Security Scan)
  35. Let’s Do This (9) - Deny access to wp-config.php
     • .htaccess:
        <Files wp-config.php>
        Order deny,allow
        Deny from all
        </Files>
  36. Let’s Do This (9) - Harden wp-content and includes
     • .htaccess:
        Order Allow,Deny
        Deny from all
        <Files ~ "\.(gif|jpe?g|png|css|js|xml)$">
        Allow from all
        </Files>
  37. Let’s Do This (9) - One more .htaccess rule
     • Some plugins need additional lock exceptions (cache); <Files> matches on the file name, not a path, so name the plugin’s file itself:
        <Files "plugin.php">
        Allow from all
        </Files>
  38. Let’s Do This (10) - Custom Coding
        <?php the_title(); ?>
        <a href="<?php the_permalink(); ?>"><?php the_title(); ?></a>
  39. Some Last Minute Warnings
     • Fantastico and other one-click installs • Develop locally • MAMP and XAMPP • Ports (change port 22) • Restart the SSH service - sudo /etc/init.d/ssh reload • ssh -p 54321 [email protected] • Close unused ports --> sudo iptables -L INPUT (lists the current INPUT rules)
  40. Security Plugins - PLEASE CHECK THE SECURITY OF SECURITY PLUGINS!
     • Anti-malware: AntiVirus, AskApache Password Protect, BulletProof Security, Exploit Scanner, Secure WordPress, Ultimate Security Checker, WordPress File Monitor, WordPress Firewall 2, WP Security Scan • Backup: BackWPup, Updraft, WP-DB-Backup • Content: Content Security Policy, Copyright Proof, Creative Commons Configurator • Login: Authenticator, Chap Secure Login, Limit Login Attempts, Member Access, One-Time Password, Restricted Site Access, Semisecure Login Reimagined, Stealth Login • Anti-spam: Akismet, Antispam Bee, Bad Behavior, Block Bad Queries (BBQ), Defensio Anti-Spam, Fast Secure Contact Form, Math Comment Spam Protection, SI CAPTCHA Anti-Spam • SSL: Force non-SSL, WPSSL • Users: LBAK User Tracking, Role Scoper, User Access Manager, WP-Members
  41. I love you all, but your site will never be 100% secure
     • All we can do is try our best
  42. What to do if you get Hacked!
     • Go into maintenance mode if needed • Maintenance Mode plugin • Usually it’s 3rd party code • Reinstall WordPress • Make a new WordPress install with new passwords • Upload WordPress and plugins • Import the database backup
  43. Some Great Resources!
     • http://codex.wordpress.org/Hardening_WordPress • An example of a basic WordPress security .htaccess - https://gist.github.com/3092744 • Bigger examples • http://html5boilerplate.com • Theme example - http://underscores.me
  44. Thanks! Any Questions?
     • David Justice Parsons III • Coder • Developer • Open Sourcer • davidparsons.me • @david_j_parsons • [email protected]