Common sense, simple security for WordPress. Many presentations have lots of complicated .htaccess tricks, moving/hiding files, etc. However, if people are overwhelmed with details, they tend to not do anything. If I were to summarize what you MUST do for security, I'd say:
1 - BACKUP - find a backup tool and use it. Subscribe to VaultPress.com or host your site with WPEngine.com or purchase the BackupBuddy plugin and schedule regular backups. If you're short on cash, use the BackWPUp plugin and download your wp-content folder.
2 - UPDATE - All plugins, themes, and WordPress at least once a month or whenever there is a security update. Sign up for an account at WordPress.org, so you'll get notices of WordPress security updates.
3 - DELETE - All unused plugins and themes. These are your biggest security risks. Delete all unused copies of WordPress you might have installed on your server.
4 - BE CAUTIOUS - Don't use plugins willy-nilly. Do some research. They are not all made the same, and they will leave you vulnerable to hacking.
5 - PASSWORDS - Use strong, randomly generated passwords, all different, for everything: your hosting, FTP, WP login, and email. Use 1Password.com to track your passwords easily and securely.
6 - SECURITY PLUGINS - Run Firewall 2 and Limit Login Attempts. There are others, but I don't know how well they play with others and what things they modify. You can check out Bulletproof Security and Better WP Security.
7 - BEST PRACTICES - See the slideshow for some other best practices regarding users, comments, etc.
If you just do the above 6 things systematically, you'll be far ahead of your peers! Good luck!
2. ABOUT ME
• Hi! My name is Angela Bowman, @askwpgirl
• WordPress Instructor at Boulder Digital Arts
• Started working with WordPress in 2007 – self taught, very painful
• Used to hold the myth of “After I build a site, my job is done.”
• Common sense approach to security that isn’t overwhelming or super technical
3. WHY DO WE NEED TO HAVE THIS TALK?
• PHP and MySQL are inherently vulnerable – this is the stuff WordPress is made of.
• What is MySQL? The database where all your content and settings are stored.
• What is PHP? The scripting language that WordPress, themes and plugins use to access your data and display it in the browser window.
• Hackers exploit poor PHP coding (and other vulnerabilities) to inject content into your database and files via the browser URL and interface
4. WHY ARE YOU VULNERABLE?
• Because your site is on the Internet
• Because it’s easy to exploit known vulnerabilities
• Because we are human NOT Vulcan
• We live by our beliefs rather than logic (or don’t know what we don’t know)
• We are going to talk about common mythology (beliefs) and counteract those with logic and a rational approach to security
5. THE MYTHS WE LIVE BY
Inspired by: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/ by Anders Vinther of The WordPress Security Checklist.
6. MYTH #1 WORDPRESS IS NOT SECURE
• WordPress is not secure, so you should stay away from it!
• WordPress is totally secure, so you don’t have to worry about it.
REALITY
• Both things are true!
• Old versions of WordPress are NOT secure
• Current WordPress version is secure
7. MYTH #2 MY SITE ISN’T LAUNCHED YET, SO IT CAN’T BE HACKED
• Hackers will attempt to exploit things that aren’t even on your site, such as plugins you don’t even have installed
• If you have a website on a public web host, you have an Internet presence even if the pages of your site aren’t indexed by Google
• You need to protect ALL installations of WordPress on your hosting account even if you don’t use them
8. MYTH #3 I ONLY USE PLUGINS & THEMES FROM WORDPRESS.ORG, SO I’M SAFE
• Plugins and themes are the #1 way hackers gain access to your site
• While the CURRENT WordPress CORE is secure, plugins and themes are not. WordPress.org is safer but not a sure bet.
• Why? From ProBlogger.com: “Experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs.”
9. MYTH #4 UPDATING MY THEMES AND PLUGINS WHENEVER I LOG IN IS GOOD ENOUGH
• Exploits are published IMMEDIATELY to the web.
• If you are running an outdated version of WordPress, theme, or plugin, you are immediately vulnerable to attack.
• The TimThumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
• If you don’t update your site’s code ASAP, you will be SOL.
10. MYTH #5 MY SITE IS SMALL, SO IT’S NOT WORTH HACKING
• From Devin’s WP Theming blog regarding the TimThumb hack: “… Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet – like my girlfriend’s food blog.”
• “And, word to the wise, your girlfriend’s food blog should always be a top priority.”
http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
11. MYTH # 6 IF I DE-ACTIVATE A THEME OR PLUGIN, THERE IS NO RISK
• De-activated themes and plugins are just as risky if they have vulnerable code.
• Because even the files of deactivated plugins and themes can be accessed via the Internet
12. MYTH # 7 IF MY SITE IS COMPROMISED, I’LL FIND OUT RIGHT AWAY!
• Only if you use a site monitoring service or plugin (maybe)
• Your site can be compromised months before you find out
• Many hacks are invisible to visitors to the site and only visible to bots, so you may not know you’ve been hacked until your site is blacklisted
• Some hacks redirect search engine traffic, so you won’t notice if you just go to a specific URL
http://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html
13. MYTH # 8 I CAN USE A SECURITY PLUGIN AND THAT WILL COVER ME
• Some security plugins can provide a layer of protection: Firewall 2, WordPress File Monitor, and Limit Login Attempts (as well as others)
• Security plugins won’t help much if a hacker gains access to your online session, passwords, or sensitive files
• Security plugins won’t help if the web hosting server is compromised
14. MYTH # 9 MY PASSWORDS ARE GOOD ENOUGH
• A “sniffed” password of 8 characters or less can be decoded instantaneously
• “Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of cracking programs.”
http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
15. MYTH #10 IF MY SITE IS HACKED, MY WEB HOST CAN RESTORE IT FOR ME
• If you discover the hack quickly enough, your web host may have a backup of the site made before the hack
• Most hosts store one daily backup and one weekly backup
• Your host may not be able to help you discover why you were hacked in the first place. You’ll end up restoring hackable files.
17. SOME OPTIONS
• Set up an altar to the WordPress Gods and do daily puja and offerings
• Throw up your hands and cry
• Drink another beer and try to forget
• Delegate (hire a service to maintain your site)
• DIY using the following steps
Regina Smola, WPSecurityLock.com
18. 1 – SECURE YOUR OWN COMPUTER
• Why bother securing WordPress if you give the keys away?
• Run anti-virus software regularly
• Don’t log in via insecure or public Wi-Fi networks
• Use a Virtual Private Network when traveling
• Secure your home Wi-Fi network
• Be careful of sites you click on. More than 55,000 malicious web domains existed in 2011.
19. 2 – UPDATE TO CURRENT VERSIONS
• Run a full backup using BackupBuddy OR the wp-db-backup plugin plus a manual FTP backup of all files OR a site snapshot (including database) at your web host
• If your site hasn’t been updated in a LOOOOONG time:
  • Check plugins for compatibility
  • Check server PHP and MySQL versions
  • If you’re using a WP version less than 3.2, you might be on MySQL 4. You will need to export this database and import it into a new MySQL 5 database.
http://www.realestatebloglab.com/restore-your-wordpress-database-from-mysql-4-to-mysql-5/
20. 2 – UPDATE CONTINUED
• Update plugins first, delete unused ones, and de-activate all the plugins (optional)
• Update WordPress, then re-activate plugins one at a time, testing the site between each activation.
• If the site crashes after activating a plugin, rename the plugins folder to plugins-old, access the dashboard, then delete the bad plugin via FTP, rename the folder back to plugins and continue.
http://codex.wordpress.org/Updating_WordPress
http://codex.wordpress.org/Upgrading_WordPress_Extended
21. 2 – UPDATE CONTINUED
• Check your site at sucuri.net
• Read the changelog for your theme to see if security updates were made
• Consider a new theme if your theme is outdated and isn’t being maintained. Delete unused themes except TwentyEleven.
• Back up your theme before updating
• Update your wp-config.php encryption cookie salts: http://tentblogger.com/salt-keys/
22. 3 – RESET PWDS AND ADMIN NAME
• If “admin” is the Administrative username, create a new admin user, log out, log in as the new user, delete the old “admin” user and assign its posts/pages to the new admin
• Use a password generator to reset passwords for WordPress, FTP, hosting, and email:
  • Online Generator: http://www.pctools.com/guides/password/
  • RPG Dashboard Widget for Mac OS: http://www.apple.com/downloads/dashboard/networking_security/rpgwidgetedition_davidkreindler.html
  • Track Passwords: http://agilebits.com/products/1Password
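Myth #9 and this step both call for long passwords drawn at random from the largest ASCII set. The following is an added example, not part of the presentation, that puts numbers on why: it computes the search space the quoted brute-force calculator reasons about and generates such a password with the operating system's CSPRNG. The 10 billion guesses per second rate is an assumed figure for illustration only.

```python
import math
import secrets
import string

# The largest printable ASCII set: letters, digits and punctuation, 94 symbols.
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation


def search_space_bits(length, alphabet=FULL_ASCII):
    """Bits of entropy in a password of `length` symbols drawn uniformly from alphabet."""
    return length * math.log2(len(alphabet))


def seconds_to_exhaust(length, guesses_per_second, alphabet=FULL_ASCII):
    """Worst-case time to try every password of this length at the given guess rate.
    The rate is an assumption you supply: offline cracking of a leaked hash runs
    orders of magnitude faster than guessing through the wp-login.php form."""
    return len(alphabet) ** length / guesses_per_second


def generate_password(length=20, alphabet=FULL_ASCII):
    """Pick every symbol with the OS CSPRNG via `secrets`, never random.random()."""
    if length < 12:
        raise ValueError("use at least 12 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 10 ** 10  # assumed offline cracking rate, 10 billion guesses/second
    for n in (8, 12, 16, 20):
        days = seconds_to_exhaust(n, rate) / 86400
        print(f"{n:2d} chars: {search_space_bits(n):5.1f} bits, {days:.3g} days to exhaust")
    print("example:", generate_password())
```

At the assumed rate an 8-character password from this set falls in about a week, while each extra four characters multiplies the work by roughly 78 million.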
23. 4 – SET UP BACKUP SCHEDULE
• Use a backup plugin or service:
  • Backup Buddy affiliate link: http://askwpgirl.com/go/backupbuddy.php
  • WP DB Backup http://wordpress.org/extend/plugins/wp-db-backup/
  • WP Online Backup http://wordpress.org/extend/plugins/wponlinebackup/
  • Back WP Up http://wordpress.org/extend/plugins/backwpup/
  • VaultPress.com – Backup, one-click restore, and site monitoring
• Back up as often as you don’t want to lose data:
  • Database – daily or weekly
  • Full Site – weekly or monthly
• Store backups on a remote server (e.g. an Amazon S3 account)
24. 5 – INSTALL SECURITY PLUGINS
• Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/ AND WordPress Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/ OR Bulletproof Security – http://wordpress.org/extend/plugins/bulletproof-security/
• Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/
• WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
Use caution installing plugins. They don’t all play well with others.
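WordPress File Monitor works by hashing every file in your install and alerting when the set changes, which is how you catch the silent compromise Myth #7 describes. Below is an added example of that idea, not the plugin's code and not from the presentation: take a baseline snapshot of the WordPress root, store it, and later report files that were added, removed or modified. The "cache" directory name it skips is an assumed example of content that changes legitimately.

```python
import hashlib
import json
import os
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large uploads don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, skip_dirs=("cache",)):
    """Map relative path -> sha256 for every file under root. Directory names in
    skip_dirs are ignored; do NOT skip wp-content/uploads, a common place for
    dropped PHP files."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result

def compare(baseline, current):
    """Return paths added, removed and modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def save_baseline(snap, path):
    """Store the baseline OUTSIDE the web root, so an intruder who can edit
    your PHP files cannot also edit the record you compare against."""
    Path(path).write_text(json.dumps(snap, sort_keys=True, indent=1))

def load_baseline(path):
    return json.loads(Path(path).read_text())

if __name__ == "__main__":
    import sys  # usage: wpmon.py <wp-root> <baseline.json>; first run writes the baseline
    root, store = sys.argv[1], sys.argv[2]
    if not Path(store).exists():
        save_baseline(snapshot(root), store)
    else:
        print(json.dumps(compare(load_baseline(store), snapshot(root)), indent=1))
```

Run it from cron right after each update (re-take the baseline then) and any change reported between updates is something you did not make.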
25. 6 – CREATE A MAINTENANCE PLAN
• Plan to log in to all your sites at least once a month and update WordPress, plugins and themes
• Consider using Infinite WP to manage multiple sites from a single control panel: http://infinitewp.com/
• Follow @wpsecuritylock and @sucuri_security to stay current on the latest security threats
• Update passwords and wp-config.php salts regularly
26. 7 – BEST PRACTICES
• Don’t allow users to register (Settings > General)
• Always hold comments for moderation and use spam filtering (such as Akismet)
• Don’t use your username as your Display Name
• Use SFTP for file transfers and secure SMTP for email (ask your web host)
• Rename the database table prefix when you first install WordPress, or later using a plugin - http://www.seoegghead.com/software/wordpress-table-rename.seo
27. 7 – BEST PRACTICES CONTINUED
• Host your site with a good web host who keeps software updated and doesn’t thwart your automatic backups
• Use plugins with caution - pick ones that are recently updated and a going concern.
• Use themes with caution - Have a “relationship” with your theme developer so you know when he/she makes security updates
• Submit sites to Google Webmaster Tools. In preferences, turn ON email notifications: http://googlewebmastercentral.blogspot.com/2012/07/new-crawl-error-alerts-from-webmaster.html
28. 8 – HARNESS THE POWER OF .HTACCESS
• .htaccess is a hidden configuration file for Apache web servers
• .htaccess can protect specific files and folders
• Use caution! You can totally jack up your site with edits made to .htaccess
http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
29. 8 - .HTACCESS TRICKS
In the root .htaccess, add:

# Prevent directory browsing ("Options All -Indexes" is rejected by Apache:
# either every option carries a + or - prefix, or none does)
Options -Indexes

# Protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 Order/Deny need
# mod_access_compat, or use "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Limit access to the WordPress Dashboard: in the wp-admin folder, add an .htaccess file with the following, where the number below is your IP address. (Test to make sure it doesn’t interfere with any other plugins or Ajax functionality.)

# Only the listed address may reach wp-admin; 99.999.999.999 is a placeholder,
# replace it with your own public IP (Apache 2.4 equivalent: "Require ip <your IP>")
order deny,allow
allow from 99.999.999.999
deny from all

Tip: You can also move the wp-config.php file up one level (just above the public_html folder). Be sure your backup plugin still runs okay after doing this.
30. RESOURCES
• WordPress.org
  • Hacked: http://wordpress.org/tags/hacked
  • Malware: http://wordpress.org/tags/malware
  • http://codex.wordpress.org/Hardening_WordPres
  • http://codex.wordpress.org/WordPress_Backups
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
• wpsecuritylock.com - resources and services for securing sites
• sucuri.net - Free site scanning, reasonable rates for monitoring and fixing your sites
• Wpsecuritychecklist.com – off-site monitoring
31. EXPLOIT INFORMATION
• Badwarebusters.org
• wpsecure.net - Updated lists of vulnerable WordPress plugins
• spotthevuln.com - Helping developers understand security - examples of bad coding
• Security/Exploit Databases:
  • http://securityreason.com/exploit_alert/
  • http://secunia.com/advisories/search/?search=wordpress
  • http://exploit-db.com
32. OTHER PRESENTATIONS
• Awesome slideshow and great video on how to hack a site in 2.5 minutes: http://perezbox.com/2012/06/wordcamp-orange-county-2012-wordpress-security-presentation/
• Great presentation on proper WordPress API usage for plugin and theme development (very technical): http://weblogtoolscollection.com/archives/2011/03/01/mark-jaquith-on-wordpress-themeandplugin-security/
• WordPress Security Webinar: http://blog.sucuri.net/2012/04/lockdown-wordpresssecurity-webinar-with-dre-armeda.html
• How to Stop the Hacker: http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-thehacker-and-ensure-your-site-is-locked.html