

WordPress Security: Nothing Exposed to WWW is 100% Secure

WordCamp Pune 2013


Gaurav Singh

February 23, 2013


Transcript

  1. The Real Problem @sgaurav_baghel
    “38% of us Would Rather Clean a Toilet Than Think of A New Password” -- mashable
  2. The Real Scenario
    Linux, Apache, PHP, MySQL, WordPress, cPanel, phpMyAdmin, modules: each layer of the stack carries its own list of vulnerabilities.
  3. Opportunistic Attacks
    • Mostly automated.
    • Scanning the web for known vulnerabilities.
    • Brute-force and dictionary attacks.
    • SQLi
    • XSS
  4. Targeted Attacks
    • Against large enterprises with a mass user base.
    • Sophisticated attacks, mostly involving a group of attackers.
    • DDoS attacks to bring the website down.
    • Done for financial or data gain.
  5. Top WordPress Infections
    • Defacement
    • Injections
    • Redirects
    • Pharma hacks
    • Backdoors: the hardest to find
  6. For “I Don’t Care” Rockstars
    I know you log in as admin to post blogs. Please change it from now.
  7. Know your Host
    1. Cheap should never be the criterion.
    2. Choose your host wisely.
    3. Know their security plan.
    4. If your host does not offer SSH, it is time to find a new one.
    5. What will they do in case you get hacked?
    6. http://google.com/safebrowsing/diagnostics?site=<yourhost>
  8. Be Safe and Connect Securely
    1. Choose SFTP over FTP (FTP sends your credentials and files in the clear).
    2. Always log in with least privilege.
       • Use the account with the fewest privileges that still gets your task done.
       • Avoid using root as far as possible.
    3. Marry Linux as your OS.
    4. Keep your antivirus updated, on your Mac too.
  9. Backup Regularly
    1. Do not rely on your host to back up data for you.
    2. All it takes is a single command to do the job.
    3. Use VaultPress to do the backup job.
    4. Never keep the backup on the same server.
    5. Keeping a backup of the database is equally important.
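The "single command" of point 2, written out as an added example (not from the deck): it reads the database credentials from wp-config.php so nothing is duplicated in a second file, dumps the database, archives the file tree and copies both off the server, which is points 4 and 5 of the slide. Function names, paths and the remote destination are my own assumptions; it assumes the stock define('DB_*', ...) lines in wp-config.php and mysqldump on the host.

```shell
#!/bin/sh
# Added example (not from the deck): the "single command" backup, done properly. Assumes the
# stock wp-config.php define('DB_*', ...) lines, mysqldump on the host, and a remote destination
# you can scp to. Passwords containing a quote character are not handled by the simple parser.

# wp_config_get CFG NAME -> value of define('NAME', 'value') in wp-config.php (first define wins, as in PHP)
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup_files WP_ROOT DEST -> tar+gzip the whole tree (themes, plugins, uploads, wp-config.php)
wp_backup_files() {
    local root=$1 dest=$2 archive
    mkdir -p "$dest"
    archive="$dest/wp-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C: archive paths are relative to the parent of WP_ROOT, so a restore lands in one directory
    tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")"
    printf '%s\n' "$archive"
}

# wp_backup_db WP_ROOT DEST -> mysqldump with the credentials WordPress itself uses
wp_backup_db() {
    local root=$1 dest=$2 cfg="$1/wp-config.php" name user pass host hostargs out
    name=$(wp_config_get "$cfg" DB_NAME)
    user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD)
    host=$(wp_config_get "$cfg" DB_HOST)
    case $host in                         # DB_HOST may be "host:port" or just "host"
        *:*) hostargs="-h ${host%%:*} -P ${host#*:}" ;;
        *)   hostargs="-h $host" ;;
    esac
    mkdir -p "$dest"
    out="$dest/wp-db-$(date +%Y%m%d-%H%M%S).sql.gz"
    # MYSQL_PWD keeps the password out of `ps`; --single-transaction gives a consistent InnoDB snapshot
    MYSQL_PWD="$pass" mysqldump --single-transaction $hostargs -u "$user" "$name" | gzip > "$out"
    # a pipe hides mysqldump's exit status in POSIX sh, so sanity-check the result instead
    [ -s "$out" ] && gzip -t "$out" || { echo "database dump failed" >&2; return 1; }
    printf '%s\n' "$out"
}

# wp_backup WP_ROOT DEST REMOTE -> both backups, then copy them off the server (point 4)
wp_backup() {
    local files db
    files=$(wp_backup_files "$1" "$2") && db=$(wp_backup_db "$1" "$2") || return 1
    scp -q "$files" "$db" "$3"          # e.g. backup@offsite.example:/srv/wp-backups/
}
```

Run it from cron as a user that can read wp-config.php but is not the web server user, and keep the local copies in a directory the web server cannot serve; the database dump contains password hashes and the salts, so it deserves the same 600 permissions as wp-config.php.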
  10. Update Update Update
    1. The single key to cutting off most attacks on WordPress.
    2. Point releases like 3.1.x are mostly security and maintenance patches.
    3. Not just WordPress: update your themes and plugins as well.
    4. Keep an eye on every disclosed vulnerability and check whether it affects you.
  11. Care for your WordPress
    1. Use secure passwords and do not share them.
    2. Change passwords regularly.
    3. Log in with the least privileges possible.
    4. Create a nickname to post blogs, so the display name does not reveal the login name.
    5. Do not search for “Free Woo themes” unless you plan to end up serving Viagra from your blog: nulled themes routinely ship with backdoors and spam injection.
  12. For “Yes, I do care” guys
    • Connect securely: use SSH/SFTP.
    • Choose a different “Admin” name.
    • Use a nickname to post blogs.
    • Keep WordPress cookies salted: set unique authentication keys and salts in wp-config.php, generated at http://api.wordpress.org/secret-keys/1.1/salt/
  13. For “Yes, I do care” guys
    • Limit theme and plugin use; delete unused ones (a deactivated plugin is still code on disk).
    • Move wp-config.php up one level and lock it down. WordPress looks for it in the parent directory as long as that directory is not itself a WordPress install.
    • Rename the database prefix during installation.
    • ‘Limit Login Attempts’ slows brute force to a crawl.
    • Disable user registration.
    • Use child themes to modify CSS instead of tweaking base files.
  14. For “Yes, I do care” guys
    • Manage file permissions. Files: 644 or 640. Folders: 755 or 750. wp-config.php deserves tighter still.
    • Hide version info; these small steps help. In functions.php add these lines. Hiding the version is obscurity only: scanners also read readme.html and the ?ver= strings on scripts and styles, so it complements updating rather than replacing it.
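The permission scheme and the version hiding of this slide, as an added example that is not the deck's own code. It applies the stricter 640/750 option with find, audits for what the chmod pass cannot fix (world-writable entries left behind and PHP files planted under uploads), and installs the generator-hiding PHP as a must-use plugin rather than in the theme's functions.php, so it survives a theme switch; the PHP inside is the same either way. Function names and the mu-plugin file name are my assumptions; it assumes the tree is owned by your deploy user and the web server runs as a group that only needs read access.

```shell
#!/bin/sh
# Added example (not from the deck): apply the 640/750 scheme, audit what it misses, and hide the
# version as a must-use plugin. Assumes WP_ROOT is owned by the deploy user and the web server
# runs as a group that only needs read access (uploads stay writable through ownership, not 777).

# wp_fix_perms WP_ROOT -> directories 750, files 640, wp-config.php 600
wp_fix_perms() {
    local root=$1
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    # wp-config.php holds the DB password and the salts: owner only
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# wp_loose_perms WP_ROOT -> lists world-writable entries and PHP files under uploads.
# Empty output is the goal; anything listed is either a permission bug or a planted backdoor.
wp_loose_perms() {
    local root=$1
    find "$root" -perm -002 ! -type l
    [ -d "$root/wp-content/uploads" ] && find "$root/wp-content/uploads" -type f -name '*.php'
    return 0
}

# wp_hide_version WP_ROOT -> drop the generator tag and ?ver= query strings, remove readme.html
wp_hide_version() {
    local root=$1
    mkdir -p "$root/wp-content/mu-plugins"
    cat > "$root/wp-content/mu-plugins/hide-version.php" <<'EOF'
<?php
/* Plugin Name: Hide WordPress version (added example, not the deck's snippet) */
remove_action( 'wp_head', 'wp_generator' );            // <meta name="generator" ...> in the page head
add_filter( 'the_generator', '__return_empty_string' ); // generator line in feeds and other output
function hv_strip_ver( $src ) { return remove_query_arg( 'ver', $src ); }
add_filter( 'style_loader_src',  'hv_strip_ver' );     // note: this also defeats cache busting on updates
add_filter( 'script_loader_src', 'hv_strip_ver' );
EOF
    chmod 640 "$root/wp-content/mu-plugins/hide-version.php"
    # readme.html states the exact version; core updates bring it back, so rerun after each update
    rm -f "$root/readme.html"
}
```

Run wp_loose_perms from cron and mail the output: a PHP file appearing under uploads is one of the few cheap, reliable indicators of the backdoors slide 5 calls the hardest to find.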
  15. For “Yes, I do care” guys
    • Enable SSL login. The site needs to be reachable over https. Add the following lines to wp-config.php
  16. For “Yes, I do care” guys
    • Discourage unnecessary crawling. Crawlers can index unnecessary files and expose them to attackers through search. Create a robots.txt and disallow crawling of them. robots.txt is advisory and is itself public, so it is a hint to well-behaved bots, not an access control.
  17. Kill PHP Execution
    Ensure that PHP files cannot be executed from within a directory that only needs to hold data. If it breaks a theme or plugin, make sure it is implemented at least for wp-includes and the uploads directory.
  18. Disable Editing in WP Admin
    Too often a password gets compromised, and the built-in theme and plugin editor then hands the attacker the entire code base. Add these lines to wp-config.php
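The wp-config.php edits of slides 12, 15 and 18 (salts, SSL for the admin, no file editing) plus the relocation of slide 13, as one added example that is not the deck's own code. The point it adds to the slides is placement: the stock wp-config.php loads wp-settings.php right after the "That's all, stop editing!" marker, so a define() placed below that line is too late for constants such as FORCE_SSL_ADMIN. The helper therefore inserts above the marker, refuses to add a constant twice, and replaces the eight key/salt lines with whatever is piped in from the secret-key API. Function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): edit wp-config.php safely. Assumes the stock layout, where
# everything above the "/* That's all, stop editing! ... */" marker runs before wp-settings.php
# is loaded; a define() placed after that line is too late for constants like FORCE_SSL_ADMIN.

# wp_config_add_define CFG NAME VALUE -> insert define('NAME', VALUE); before the marker, once.
# VALUE is pasted verbatim, so pass true, false or a quoted string such as "'x'".
wp_config_add_define() {
    local cfg=$1 name=$2 val=$3 tmp
    if grep -q "define([[:space:]]*['\"]$name['\"]" "$cfg"; then
        return 0   # already defined; in PHP the first define() wins, a second only produces a notice
    fi
    tmp=$(mktemp)
    LINE="define('$name', $val);" awk '
        /That.s all, stop editing/ && !done { print ENVIRON["LINE"]; done = 1 }
        { print }
        END { if (!done) exit 1 }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; echo "no stop-editing marker in $cfg" >&2; return 1; }
    cat "$tmp" > "$cfg"    # cat, not mv: keeps the file's owner and its 600/640 mode
    rm -f "$tmp"
}

# wp_config_set_salts CFG < salts -> replace the eight AUTH_KEY..NONCE_SALT lines with stdin, e.g.
#   curl -s https://api.wordpress.org/secret-keys/1.1/salt/ | wp_config_set_salts wp-config.php
# New salts invalidate every existing login cookie, which is exactly what you want after a compromise.
wp_config_set_salts() {
    local cfg=$1 tmp salts
    salts=$(cat)
    [ -n "$salts" ] || { echo "no salts on stdin" >&2; return 1; }
    tmp=$(mktemp)
    grep -v -E "define\([[:space:]]*['\"](AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)['\"]" "$cfg" |
        SALTS="$salts" awk '
            /That.s all, stop editing/ && !done { print ENVIRON["SALTS"]; done = 1 }
            { print }
        ' > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# wp_config_relocate WP_ROOT -> slide 13: move wp-config.php one directory up. WordPress only looks
# there when the parent directory is not itself a WordPress install (no wp-settings.php in it).
wp_config_relocate() {
    local root=$1 parent
    parent=$(dirname "$root")
    [ -f "$parent/wp-settings.php" ] && { echo "parent is a WordPress install; not moving" >&2; return 1; }
    mv "$root/wp-config.php" "$parent/wp-config.php" && chmod 600 "$parent/wp-config.php"
}

# Typical use, in this order:
#   wp_config_add_define wp-config.php DISALLOW_FILE_EDIT true   # slide 18: no theme/plugin editor
#   wp_config_add_define wp-config.php FORCE_SSL_ADMIN true      # slide 15: https for wp-admin and wp-login.php
#   curl -s https://api.wordpress.org/secret-keys/1.1/salt/ | wp_config_set_salts wp-config.php
#   wp_config_relocate /var/www/html                             # slide 13: out of the served tree
```

DISALLOW_FILE_EDIT only removes the editor; an administrator can still upload a plugin zip, so pair it with DISALLOW_FILE_MODS if the site is deployed from version control. Moving wp-config.php one level up helps only when that level is outside the document root; inside it, the file is still served (PHP executes it and returns nothing), so the gain is against a misconfigured server that starts handing out .php as text.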
  19. Limit Admin/Login access by IP
    Add these lines of code to the .htaccess file placed in the wp-admin or root folder. To implement this you need a static IP address.
  20. Forbid Proxy Comment Posting
    Deny requests that come through a proxy server to post comments, eliminating some spam. Courtesy of perishablepress.com
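The three .htaccess rules of slides 17, 19 and 20, as one added example written as a small provisioning script rather than the deck's own snippets (which the transcript does not reproduce). It handles the one thing that bites in practice: Apache 2.2 (Order/Deny/Allow) and 2.4 (Require) use different access-control syntax, so the version is a parameter. The proxy-comment rule is modelled on the perishablepress rule the deck credits; its exact header list is an assumption. Function names are mine, the IP addresses are RFC 5737 documentation ranges, and it assumes mod_rewrite with AllowOverride enabled for the site.

```shell
#!/bin/sh
# Added example (not from the deck): write the Apache .htaccess rules behind slides 17, 19 and 20.
# Assumes .htaccess is honoured (AllowOverride), mod_rewrite is loaded, and the Apache version is
# given as "2.2" or "2.4" because the access-control syntax differs between them.

# allow_from VERSION IP... -> directives that admit only the listed addresses or CIDR ranges
allow_from() {
    local ver=$1; shift
    if [ "$ver" = "2.4" ]; then
        printf '%s\n' "<RequireAny>"
        for ip; do printf '%s\n' "    Require ip $ip"; done
        printf '%s\n' "</RequireAny>"
    else
        printf '%s\n' "Order Deny,Allow" "Deny from all"
        for ip; do printf '%s\n' "Allow from $ip"; done
    fi
}

# deny_all VERSION -> the "nobody gets this" directive for that Apache version
deny_all() {
    if [ "$1" = "2.4" ]; then printf '%s\n' "Require all denied"; else printf '%s\n' "Order Deny,Allow" "Deny from all"; fi
}

# wp_deny_php DIR VERSION -> slide 17: refuse to serve any PHP under DIR (meant for wp-content/uploads).
# On wp-includes a blanket deny also blocks a handful of files WordPress requests directly; test first.
wp_deny_php() {
    local dir=$1 ver=$2
    mkdir -p "$dir"
    {
        printf '%s\n' '<FilesMatch "\.(php|phtml|php[0-9])$">'
        deny_all "$ver"
        printf '%s\n' '</FilesMatch>'
    } > "$dir/.htaccess"
}

# wp_admin_allowlist WP_ROOT VERSION IP... -> slide 19: wp-admin/ and wp-login.php only from fixed IPs.
# admin-ajax.php is exempted because front-end themes and plugins call it on behalf of anonymous visitors.
wp_admin_allowlist() {
    local root=$1 ver=$2; shift 2
    mkdir -p "$root/wp-admin"
    {
        allow_from "$ver" "$@"
        printf '%s\n' '<Files admin-ajax.php>'
        if [ "$ver" = "2.4" ]; then printf '%s\n' '    Require all granted'; else printf '%s\n' '    Order Allow,Deny' '    Allow from all'; fi
        printf '%s\n' '</Files>'
    } > "$root/wp-admin/.htaccess"
    # wp-login.php lives in the site root, so it needs its own block in the root .htaccess (appended once)
    if ! grep -q '^# wp-hardening: login-allowlist' "$root/.htaccess" 2>/dev/null; then
        {
            printf '%s\n' '# wp-hardening: login-allowlist' '<Files wp-login.php>'
            allow_from "$ver" "$@" | sed 's/^/    /'
            printf '%s\n' '</Files>'
        } >> "$root/.htaccess"
    fi
}

# wp_block_proxy_comments WP_ROOT -> slide 20: reject POSTs to wp-comments-post.php that carry proxy
# headers. Do NOT use behind a CDN or reverse proxy: every request then carries X-Forwarded-For and
# all comments are refused.
wp_block_proxy_comments() {
    local root=$1
    grep -q '^# wp-hardening: proxy-comments' "$root/.htaccess" 2>/dev/null && return 0
    cat >> "$root/.htaccess" <<'EOF'
# wp-hardening: proxy-comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F,NS,L]
</IfModule>
EOF
}
```

After writing the files, check them with `apachectl configtest` and then from an address that is not on the list: the right result for /wp-admin/ is a 403, and a 500 means the directives do not match the Apache version you are running.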
  21. Disable PHP settings
    Edit php.ini. The idea is to turn display_errors off: on an error, PHP would otherwise print messages that reveal the filesystem path of your web root. Tightening php.ini will most likely break something; test on a dev server before moving to live.
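An added example (not from the deck) for auditing the php.ini change rather than just making it: it reads the file the way PHP does (a `;` starts a comment, the last uncommented assignment wins, On/1/true and Off/0/false are equivalent) and reports every directive that is not at the hardened value. Only display_errors is on the slide; the other directives in the list are my additions, chosen because they leak the same class of information (expose_php, display_startup_errors) or are the usual suspects in the "this will break something" category (allow_url_fopen off stops plugins that fetch URLs with file_get_contents). Function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): audit php.ini for settings that leak paths or versions.
# The directive list is an assumption; display_errors is the one on the slide.

# php_ini_get INI NAME -> effective value of NAME (last uncommented assignment wins), empty if unset
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tail -n 1
}

# php_ini_audit INI -> one line per directive not at the hardened value; returns 1 if any
php_ini_audit() {
    local ini=$1 rc=0 pair name want got norm
    for pair in display_errors=Off display_startup_errors=Off expose_php=Off \
                log_errors=On allow_url_include=Off allow_url_fopen=Off; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(php_ini_get "$ini" "$name")
        case $(printf '%s' "$got" | tr 'A-Z' 'a-z') in   # PHP accepts On/1/true/yes and Off/0/false/no
            on|1|true|yes)  norm=On ;;
            off|0|false|no) norm=Off ;;
            "")             norm=unset ;;   # unset means PHP's built-in default, which is On for
                                            # display_errors, expose_php and allow_url_fopen
            *)              norm=$got ;;
        esac
        if [ "$norm" != "$want" ]; then
            printf '%s is %s, want %s\n' "$name" "$norm" "$want"
            rc=1
        fi
    done
    return $rc
}
```

Remember that php.ini is not the last word: a plugin can call ini_set('display_errors', 1) and WP_DEBUG turns display back on unless WP_DEBUG_DISPLAY is false, so after changing the file also check the live value with `php -i | grep display_errors` under the web server's SAPI, not just the CLI.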
  22. Some Security Plugins
    • Akismet
    • Duo Two Factor Authentication
    • VaultPress
    • Limit Login Attempts
    • BulletProof Security