
Security Best Practices for WordPress Developers

Using wp-config.php to force SSL for the admin area and logins, plus notes on salts and basic security best practices.

Suzette Franck

July 09, 2013

Transcript

  1. Security for WordPress Developers, Suzette Franck, OCWP Developer Day #ocwp, Zeek, Huntington Beach, CA, Friday, June 28, 2013

    Media Temple // 8520 National Blvd. Culver City, CA 90232 / 877-578-4000 / mediatemple.net / @mt_Suzette © 2013 (mt) Media Temple
  3-9.
    • Hackers gonna hack... Make it as hard as possible for them and they will move on to an easier target
    • Strong passwords are the best defense; use LastPass or 1Password
    • Open Source != Insecure: more people are able to work on fixing security
    • Keep software, themes and plugins updated; remove unused code, plugins and themes (timthumb crisis)
    • Make and test regular backups of files & database. Do not store backups on your server! Use Dropbox, Amazon, email, Google Drive, a local copy, or removable media
    • Anyone or anything that has access to your computer, physical media, your accounts, data and files, network, ISP, or host could be the source of a vulnerability
    • Be alert and stay informed! Know what's going on with your server (Wordfence)
  10-16. wp-config.php SSL Admin & Login

    /* This will use a self-signed certificate, if available on your hosting server. */
    /* An error upon logon is normal because the certificate is local and not public. */
    /* More secure, slower: encrypts login, cookies, and the entire admin area */
    define('FORCE_SSL_ADMIN', true);
    /* Only encrypts the username and password; faster, less secure */
    /* define('FORCE_SSL_LOGIN', true); */

    • Uses a self-signed certificate, if available
    • An error upon login is normal
    • Self-signed certificates are local and not public
    • On shared hosting, check with your hosting company
    • On a VPS you may be able to create one through Plesk or another control panel
    • http://codex.wordpress.org/Administration_Over_SSL
  17. wp-config.php Salts

    /**#@+
     * Authentication Unique Keys and Salts.
     *
     * Change these to different unique phrases!
     * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
     * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
     *
     * @since 2.6.0
     */
    define('AUTH_KEY', 'KT4xxjI[DyqD.gCNU^vk+ZC+t4o4CI8jd;r[]OvMV=Z[LDrP4jK}YLpka< O3YI*');
    define('SECURE_AUTH_KEY', 'Su$SLzx+l r#b3PpI!y+;>>uGMOoo[4u&<-x969LYF&ZuF<y*L+/=a)IKwLeqIOl');
    define('LOGGED_IN_KEY', '^Zi|&R:n2&&b*i+|MI:ZIt7`d4/#[.JI.9UIc%Fe_che:b[Bj,P-oyg>W9Isem[|');
    define('NONCE_KEY', 'oBr7x/a#*xAaRgMjJ!`ZYoOy3d:o[0ah >B|T-DJ|-cI)z>GR#gPNg1Cc+_D%Ga ');
    define('AUTH_SALT', 'Q<NsWg3M,pzK+H{,uHc>5L%<2,NC3d|H%*D!OwC#g]E^C;P-7NDk]k7M3YZ/RMs$');
    define('SECURE_AUTH_SALT', 'l={/+#C}_c(mFq2 R!mwd/Mf7mmG5sYB*2*)MztqS>ZSF:UDf D!<+L3|g5Fy|;p');
    define('LOGGED_IN_SALT', 'OZ,t0Q$9Ut0qe@y{WXsLP1Hu1YV_he*cvPi#% ,]Z@^{Uw}-[Mu*Y~ng0dZogZ6');
    define('NONCE_SALT', '7|u8J+JJlAcyNbc%zqI! &4.K+hM*|nbo~Hfp{CrH!3RNA<TE6[>gFG$$yA!WFSJ');

    • Logs everyone out at once, resets all cookies
    • https://api.wordpress.org/secret-key/1.1/salt/
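Rotating those eight values is what logs everyone out. The script below is an added example, not code from the deck or from WordPress: it regenerates all eight defines in a wp-config.php and refuses to run if any constant is missing. The character set, the constructed SAMPLE_CONFIG input and the function names are my own assumptions, and the salts are generated locally rather than fetched from api.wordpress.org.

```python
"""Rotate the eight WordPress keys/salts in wp-config.php (added example).

Salts are generated locally with `secrets` instead of being fetched from
https://api.wordpress.org/secret-key/1.1/salt/, so this runs offline.
"""
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumed alphabet: letters, digits, punctuation and space, like the values
# on the slide, but deliberately without ' " and \ so a generated value can
# never terminate or escape the single-quoted PHP string it is written into.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# One define() line: group 1/3 = quote chars, group 2 = name, group 4 = value.
_DEFINE_RE = re.compile(
    r"define\(\s*(['\"])(" + "|".join(SALT_NAMES) + r")\1\s*,\s*(['\"])([^'\"\\]*)\3\s*\)\s*;"
)

def generate_salt(length: int = 64) -> str:
    """Return a CSPRNG-generated salt of `length` characters."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def extract_salts(config_text: str) -> dict:
    """Map each salt constant defined in config_text to its current value."""
    return {m.group(2): m.group(4) for m in _DEFINE_RE.finditer(config_text)}

def rotate_salts(config_text: str) -> str:
    """Return config_text with every salt define given a fresh 64-char value.

    Refuses to proceed if any of the eight constants is missing: WordPress
    then falls back to a secret stored in the database, so the rotation
    would silently be incomplete.
    """
    missing = set(SALT_NAMES) - set(extract_salts(config_text))
    if missing:
        raise ValueError("wp-config.php lacks: " + ", ".join(sorted(missing)))
    return _DEFINE_RE.sub(
        lambda m: f"define('{m.group(2)}', '{generate_salt()}');", config_text
    )

def rotate_file(path: str) -> None:
    """Rewrite the wp-config.php at `path` in place with rotated salts.

    No .bak copy is written beside it: a stray wp-config.php.bak can be
    served as plain text by the web server, credentials and all.
    """
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rotate_salts(original))

# Constructed sample input: the stock placeholders from wp-config-sample.php.
SAMPLE_CONFIG = "".join(
    f"define('{name}', 'put your unique phrase here');\n" for name in SALT_NAMES
)

if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))  # or rotate_file("/path/to/wp-config.php")
```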
  18. ★ http://sucuri.net/ - Taught me most of what I know
  19-28. Best Security Practices
    • Practice "least privilege" when creating accounts
    • Do not use the same admin login for all users; create individual accounts
    • Remove and update unused accounts
    • Use a password manager, such as LastPass or 1Password
    • Use strong passwords or passphrases; the longer and more complex the better
    • Like a toothbrush, change passwords every 3 months, and do not reuse them
    • Always use Secure FTP or SSH
    • Set file permissions to 644 for files and 755 for folders
    • Use antivirus on your computer and keep it updated
  29-34. If you get hacked...
    • FIRST: Limit the exposure! You do not want your server reported to Google or anywhere else as hosting malware!
    • Take the site offline until it can be cleaned or restored from a clean backup
    • Change ALL passwords immediately: control panels, FTP, email, admins, database
    • Locate your last good backup, just in case
    • Get help if you need it: sucuri.net
  35-36. STOP! “An ounce of prevention is worth a pound of cure” - Benjamin Franklin
  37-38. FIRST, Back That Junk Up!
    ★ Back up files AND database
    ★ WordPress Codex: WordPress_Backups
    ★ Check your web host's documentation on backing up MySQL (rsync, cPanel, Plesk, proprietary, etc.)
    ★ ALWAYS use SFTP or SSH! (FTP is Evil)
    (Image: "FTP" crossed out; photo credit http://www.flickr.com/photos/statelibraryqueensland/6167277447/)
  39-40. Recommended Backup Plugins
    ★ BackUpWordPress
    ★ BackupBuddy
    ★ WP Migrate DB Pro (database only)
    Tip: Don’t store backups on your server!
  41. NO, FOR REALS
  42-44. Don’t leave the fire insurance documents in the house unprotected!!!
    ★ Backup files are valuable!
    ★ Don’t leave them unprotected for hackers to find
    ★ They use up server resources, which is not what the server is for
    ★ Randomly test your emergency procedures
    ★ Redundancy is a good idea
  45. If You Can’t Do A Backup or Update Your Site
    ★ Maintainn - Managed WordPress Maintenance
    ★ VaultPress - Daily backups for $5/month per site
    ★ wordpress.meetup.com - Hire a developer from your local WordPress Meetup, Feed The Economy!
    ★ Remember: having a website is a responsibility
    ★ If none of these work, reconsider your commitment
  46-50. Wordfence Configuration
  51-52. Questions? Suzette Franck, [email protected], https://speakerdeck.com/suzettefranck, @mt_Suzette, Tweet Me!