WordPress Security Strategy for WordPress.org (condensed version)
Copyright 2013 Site Shack Web Design. All rights reserved.
Monday, June 17, 13
We’ve been designing and developing SEO-optimized websites and digital media in Nashville since January 2004.
WordPress too? Yep. And WordPress training, tailored to your exact needs.
We are MyEMMA co-agents. We provide customized HTML email design and account management.
Our work is mobile-friendly.
Judy Wilson
Owner, Site Shack Web Design
Your WordPress site is living in a high-crime neighborhood.*
* Doesn’t matter if you’re on WordPress.com or using WordPress.org.
Easy access is the key.
How do they get in?
Hacks are most often delivered through cheesy credentials; old and/or evil software, themes and plugins; old, vulnerable scripts (such as the “timthumb” script); and cheap, poor-security hosting environments.
WRONG: Username: admin / Password: mypassword
Main Types of WordPress Hacks
• Backdoors
• Drive-by Downloads
• Pharma Hacks
• Malicious Redirects
Before You Install: Map out your strategy
The Installation: Solid padlocks + lock your doors and windows
Advanced Security: Multiple locks + burglar bars + alarm systems + guard dog (see Appendix below)
Before You Install: Map out your Strategy
1. Good Host. Do not use a “soup kitchen” host = high risk of cross-contamination.
2. Good Theme. Do not use any old free theme! Vet your premium theme (including that its version is appropriate). Run a virus/malware check on the theme after you download/buy it. Stay informed!
3. Good Plugins. Highly rated, updated often, check the WordPress repository, correspond to your version of WordPress.
4. Backup regularly (your host should of course do this also). See the plugin “Backup Buddy.”
The Installation: Lock Your Doors and Windows
1. Do NOT use “admin” for your user name.
2. Do NOT use a password that can be found in a dictionary or that you’ve ever used anywhere else at any time.
3. Do NOT use sequential numbers and/or letters.
4. Hire Sucuri to monitor your site: www.sucuri.net
5. Use 2-factor authentication: Already in place at WordPress.com, but you can use Google 2-step Authentication with WordPress.org.
The Installation: Lock Your Doors and Windows
1. In your wp-config.php file: Salt your hashes, aka use the “secret keys.”
2. Do not use “wp_” for your table prefix. Make up something non-sequential like “jnm_.”
3. Stop using FTP. Use SFTP -- call your host if you’re not sure about using SFTP. Note: There are multiple methods for FTP.
The Installation: Lock Your Doors and Windows
1. Turn off trackbacks and pingbacks.
2. Comments ONLY when appropriate and always use Akismet.
3. Use your Administrator accounts for Administrator work (like setting up a new user). Use Editor, Author, Contributor and Subscriber for their appropriate tasks.
4. Remove themes and plugins that are not being used.
The Installation: Lock Your Doors and Windows
1. Confirm the correct folder permissions:
   Folder permissions: 755
   File permissions: 644
   index.php: 666
   wp-config.php: 600
2. Do you know where your backup is? Can you restore from it?
3. Consider a sandbox site and test your backup and restore procedure -- more than once. Then delete the sandbox site before you forget about it.
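The permission targets in item 1, turned into an audit you can run against a web root. This is an added example, not code from the deck or from WordPress: it assumes a POSIX shell with find, sed and chmod, a web-root path you supply, and a constructed demo tree. It treats index.php like any other file (644) and separately reports anything world-writable, so an index.php set to 666 as the slide lists would be surfaced for you to decide on rather than silently accepted.

```shell
#!/bin/sh
# Added example (not from the deck): audit a WordPress tree against the
# permission targets on the slide -- directories 755, regular files 644,
# wp-config.php 600 -- and list anything world-writable for review.
# The web-root path you pass is your own; the demo tree below is constructed.

# Print one line per deviation from the three targets.
audit_wp_perms() {
  root="$1"
  find "$root" -type d ! -perm 755 | sed 's/^/dir not 755:    /'
  find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 | sed 's/^/file not 644:   /'
  find "$root" -type f -path "$root/wp-config.php" ! -perm 600 | sed 's/^/config not 600: /'
  # Writable by "other" is worth a look whatever the target says (the deck
  # lists index.php as 666; this line surfaces such a file so you can decide).
  find "$root" -perm -002 | sed 's/^/world-writable: /'
}

# Number of deviations from the three targets (0 means the tree matches),
# usable as an exit code in a cron job or deploy hook.
count_wp_perm_issues() {
  root="$1"
  dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
  files=$(find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 | wc -l | tr -d ' ')
  config=$(find "$root" -type f -path "$root/wp-config.php" ! -perm 600 | wc -l | tr -d ' ')
  echo $((dirs + files + config))
}

# Apply the targets. Run only after reviewing the audit output: a host that
# runs PHP as a different user than the file owner may need adjustments.
fix_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Constructed demo tree with two deliberate mistakes, so the functions can be
# exercised without touching a real site.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins"
  : > "$root/index.php"
  : > "$root/wp-config.php"
  : > "$root/wp-content/plugins/hello.php"
  chmod 755 "$root" "$root/wp-content"
  chmod 644 "$root/index.php" "$root/wp-content/plugins/hello.php"
  chmod 777 "$root/wp-content/plugins"   # mistake: world-writable directory
  chmod 644 "$root/wp-config.php"        # mistake: should be 600
  echo "$root"
}
```

Run `audit_wp_perms /path/to/wordpress` first and read the output; `count_wp_perm_issues` gives a number you can test in a script, and `fix_wp_perms` applies the slide's targets once you are satisfied they suit your host.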
Appendix
• Before You Install
• Recommended Hosts
• Advanced Security Techniques
• How Can I Tell I’ve Been Hacked?
• Cleaning and Remediation
• Miscellaneous Help
BEFORE YOU INSTALL
Set up Google Webmaster Tools: Google Webmaster Tools are an important resource for many reasons. But for site security, one of their best features is their email notifications of malware when it’s found on your site. As the verified site owner, you’ll be notified by email if malware is detected.
https://www.google.com/webmasters/tools/home?hl=en
http://codex.wordpress.org/Hardening_WordPress
http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html
Recommended Managed WP Hosts
Consider using a “managed” WordPress host with malware scanning in place. These include curated plugins.
http://wpengine.com/
http://websynthesis.com (Yoast hosts here.)
http://page.ly
Advanced Security: Multiple locks + burglar bars + alarm system + guard dog
WP app firewall plugins:
http://wordpress.org/extend/plugins/ose-firewall/
http://wordpress.org/extend/plugins/bulletproof-security/
http://wordpress.org/extend/plugins/wordfence/
The .htaccess file: There are many security modifications you can make to your .htaccess file.
http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
NOTE: .htaccess files (distributed configuration files) are processed before any other code on your website.
Advanced Security: Multiple locks + burglar bars + alarm system + guard dog
Setting up 2-step authentication for WordPress.org:
http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
Modifying the wp-config.php file:
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
SSL setup info and tips from Yoast: http://yoast.com/wordpress-ssl-setup/
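The wp-config.php changes the deck recommends, here and on the “Lock Your Doors and Windows” slide, as one script: fresh salts (the “secret keys”), a non-sequential table prefix in place of the default “wp_”, and the Codex item linked above, disabling the dashboard plugin/theme editor, which WordPress controls with the DISALLOW_FILE_EDIT constant. This is an added example, not the deck’s or WordPress’s own code. The constant names are WordPress’s real ones; the sample wp-config.php is constructed to resemble wp-config-sample.php; random values come from /dev/urandom via tr and head, an assumption used here instead of the online salt generator; the file path is yours.

```shell
#!/bin/sh
# Added example (not the deck's code): audit and harden the wp-config.php
# items from the slides -- replace placeholder salts with fresh random ones,
# replace the default "wp_" table prefix, and set DISALLOW_FILE_EDIT so the
# dashboard theme/plugin editor is off. Constant names are WordPress's own;
# the file path you pass in is your own.

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random printable characters; quotes, backslash and $ are excluded so
# the value is safe inside a single-quoted PHP string. (Assumption: local
# /dev/urandom instead of the api.wordpress.org salt service.)
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=-' < /dev/urandom | head -c 64
}

# Random table prefix such as "k7q2_": non-sequential, ends in an underscore.
random_prefix() {
  printf '%s_' "$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 4)"
}

# Report the weak settings (to stderr) and print how many were found.
audit_wp_config() {
  f="$1"; n=0
  if grep -q 'put your unique phrase here' "$f"; then
    echo "placeholder salts still present" >&2; n=$((n+1))
  fi
  if grep -Eq "^[\$]table_prefix *= *.wp_." "$f"; then
    echo "table prefix is the default wp_" >&2; n=$((n+1))
  fi
  if ! grep -Eq 'DISALLOW_FILE_EDIT[^,]*, *true' "$f"; then
    echo "DISALLOW_FILE_EDIT not set" >&2; n=$((n+1))
  fi
  echo "$n"
}

# Rewrite the file in place: strip old salt/editor defines, swap the prefix,
# and insert fresh defines just before the "stop editing" marker (or the
# wp-settings.php require), i.e. before WordPress bootstraps.
harden_wp_config() {
  f="$1"
  block="$f.newdefines"
  for k in $SALT_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(random_salt)"
  done > "$block"
  printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$block"
  prefix=$(random_prefix)
  grep -Ev "define\( *'(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT|DISALLOW_FILE_EDIT)'" "$f" \
    | sed "s/^[\$]table_prefix *= *'[^']*'/\$table_prefix = '$prefix'/" \
    | awk -v block="$block" '
        function emit() { while ((getline l < block) > 0) print l; done = 1 }
        !done && (/stop editing/ || /wp-settings\.php/) { emit() }
        { print }
        END { if (!done) emit() }' > "$f.tmp"
  mv "$f.tmp" "$f"
  rm -f "$block"
}

# Constructed sample resembling wp-config-sample.php, so this runs offline.
write_sample_wp_config() {
  cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
EOF
}
```

Changing the table prefix in wp-config.php only affects a new install; on an existing site the database tables must be renamed to match, so run `harden_wp_config` before the first install or treat the prefix line as a reminder. Rotating the salts logs every user out, which is the intended effect after a compromise.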
How Can I Tell I’ve Been Hacked?
Do some scanning:
Use http://sitecheck.sucuri.net to run a scan to find malware and blacklist info.
http://aw-snap.info/file-viewer/ allows you to scan from different User Agents.
WordPress plugins:
http://wordpress.org/extend/plugins/sucuri-scanner/
http://wordpress.org/extend/plugins/gotmls/
http://wordpress.org/extend/plugins/wordfence/
How Can I Tell I’ve Been Hacked? Uh oh. I think it’s too late.
• Displaying popups that you didn't implement.
• Displaying odd text in your footer or in the "View Source."
• Links to other sites or auto-linking of keywords that you didn't create links for.
• Seeing obfuscated / encoded text in plugins.
• Website redirecting (immediately or after a short length of time) to another URL.
• A friend calls/texts/emails you that your site is directing users to Dr. Dre’s Headphones, or “performance enhancing” or pain medication drugs, etc.
• Style sheet formatting has disappeared.
• You can’t log in to your wp-admin.
• New files appearing in the themes folder or anywhere else (look for a recent or atypical date via FTP; when you open these pages, they may appear to contain binary code).
Cleaning & Remediation: WordPress (with some help) suggests:
1. Stay calm. You could make it worse by anxiously jumping in and trying to fix the problem.
2. Scan your local machine / hard drive.
3. Scan your site. There are many good tools and WordPress plugins to help with this. This will help identify the infected files and folders, etc.
4. Check with your hosting provider. Call them. You can call them, yes?
5. You’ve already updated and changed all passwords?
6. Add new salts or “secret keys.”
7. Check your files. Start with your .htaccess file to begin looking for malicious code.
Have SSH root access? http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
Cleaning & Remediation:
1. Can you identify the type of hack? This may make the cleanup easier.
2. Run a fresh backup and then . . .
3. Restore from an older backup that you believe predates the hack.
4. No backup? Hmm. Seriously consider taking down and trashing the site.
5. Restored from backup? Change passwords again.
6. Secure your site with the recommended security measures.
7. Do a post-mortem. How did this happen?
8. Compare your WordPress files to those in a clean install. Open up files. Do you see something that refers to base64_decode? That’s at least one part of the hack.
9. Can’t find the malware? Disable your plugins (rename the directory) and scan again. If the infection is in a plugin, the scan will now show as clean.
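Steps 8 and 9 as commands: grep the tree for base64_decode and the calls that usually travel with it, and diff the live files against a clean install of the same version so that the hits core uses legitimately drop out. This is an added example, not code from the deck or from WordPress. It assumes a POSIX shell with find, grep, diff, sort and comm, two directories you supply (the clean one must be an untouched download of the same WordPress version), and the constructed demo trees below, whose injected lines are inert placeholders rather than real payloads.

```shell
#!/bin/sh
# Added example (not from the deck): the two checks behind steps 8 and 9 --
# grep the tree for the obfuscation calls hacked files tend to carry (the slide
# names base64_decode; eval, gzinflate and str_rot13 are added here as its
# usual companions) and compare the live tree with a clean install of the
# same version. Paths are yours; the demo trees below are constructed and the
# "injected" lines are inert placeholders, not real payloads.

# file:line:text for every hit in PHP files and .htaccess under $1.
# Core and plugins use some of these calls legitimately, so read each hit
# in context rather than deleting on sight.
scan_for_obfuscation() {
  find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
    -exec grep -HnE 'base64_decode|eval *\(|gzinflate|str_rot13' {} +
}

# Core files that differ from the clean install or exist only on the live
# side. wp-config.php and wp-content are skipped because they are
# legitimately site-specific; cover those with scan_for_obfuscation.
changed_core_files() {
  clean="$1"; live="$2"
  diff -rq "$clean" "$live" \
    | grep -Ev 'wp-config\.php|wp-content' \
    | grep -Fv "Only in $clean"
}

# Hits present in the live tree but not in the clean one. The leading path
# and the line number are stripped so the two sides compare line for line
# even when an injected line shifts everything below it.
new_hits_vs_clean() {
  clean="$1"; live="$2"
  scan_for_obfuscation "$clean" | sed "s|^$clean/||; s/:[0-9]*:/:/" | sort > "$live.clean-hits"
  scan_for_obfuscation "$live"  | sed "s|^$live/||; s/:[0-9]*:/:/"  | sort > "$live.live-hits"
  comm -13 "$live.clean-hits" "$live.live-hits"
  rm -f "$live.clean-hits" "$live.live-hits"
}

# Constructed clean and live trees: one legitimate base64_decode in "core",
# one appended line in a core file on the live side, and one dropped file
# under uploads with no counterpart in the clean tree.
make_demo_trees() {
  base=$(mktemp -d)
  mkdir -p "$base/clean/wp-includes" "$base/live/wp-includes" "$base/live/wp-content/uploads"
  printf '<?php\n$x = base64_decode($y);\n' > "$base/clean/wp-includes/functions.php"
  printf '<?php\n// core index\n' > "$base/clean/index.php"
  cp "$base/clean/wp-includes/functions.php" "$base/live/wp-includes/"
  cp "$base/clean/index.php" "$base/live/"
  printf '%s\n' 'eval(base64_decode("CONSTRUCTED_PLACEHOLDER"));' >> "$base/live/index.php"
  printf '<?php\n%s\n' 'eval(gzinflate("CONSTRUCTED_PLACEHOLDER"));' > "$base/live/wp-content/uploads/cache.php"
  echo "$base"
}
```

On a real site, run `changed_core_files /path/to/clean /path/to/live` first; a core file that differs from the pristine download is the strongest signal, and `new_hits_vs_clean` then narrows the grep output to lines that the clean install does not contain.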
Cleaning & Remediation:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://www.unmaskparasites.com/
http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
Suggestions from Sucuri: http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Know the command line and have SSH access? https://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/
Cleaning up your site at Google: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
Cleaning & Remediation:
If all else fails (and before you torch the site): Hire someone:
http://www.stopthehacker.com
http://www.sucuri.net
http://www.sparktrust.com
Cleaning & Remediation: Tools
http://www.stopbadware.org/request-review
StopBadware performs independent reviews of websites that are blacklisted for badware by our data providers.
http://www.unmaskparasites.com/malware-warning-guide/#request
http://blog.aw-snap.info/2012/07/malware-removal-vendors.html
http://wordpress.org/extend/plugins/wordfence/
Wordfence Security is a free enterprise-class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups. Wordfence is now Multi-Site compatible.
Miscellaneous Help
http://blog.page.ly
http://wp.smashingmagazine.com (Smashing Magazine WordPress site)
http://tonyonsecurity.com/ (Tony Perez’s blog; COO/CFO, Sucuri)
Excellent forum on malware: https://www.badwarebusters.org/
http://aw-snap.info/ (Excellent hacked info and tools)
https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/?
http://labs.sucuri.net/?malware (See what Sucuri picks up in its malware scans.)
Safe travels and happy trails with WordPress!
Judy Wilson
www.Site-Shack.com
Nashville, TN