A brief intro to some simple but effective things that individual Wordpress site owners (and you don't have to be a programmer) can do to keep hackers out of their site(s).
2. An OGRE is like an ONION (or something like that… I want a parfait now)
- Browser
- Wordpress PHP (Logic)
- MySQL (Database)
- Apache (Web Server)
- Linux (Operating System)
6/17/10 RE Bar Camp Denver rich@quicloud.com
3. Vulnerabilities at each layer
- Wordpress, poor Wordpress: no core security team like Drupal; popularity makes it a target; “ease of use” = “lack of security”; contrib modules can inject vulnerabilities.
- LAMP stack depends heavily on your host. You may or may not have control. Even if you have control, each layer is a job unto itself. Even the best hosts use “default” installs, which are far from secure.
4. Across all layers
- Update & patch religiously, or make sure someone is.
- Only enable what you need (Wordpress or Apache modules, ports/services in Linux).
- Passwords: choose tough passwords & change them every 3 months or when contractors exit. NEVER email or IM usernames & passwords together.
- Install security products on every layer possible.
- Schedule & plan 2-3 hrs at least quarterly (if not monthly) to review policies.
- Back up before changes.
- Assume you will be hacked at some point. Set up monitoring to alert you within 5 minutes of a hack.
- Back up religiously & test those backups.
- Have at least 2-3 Wordpress &/or LAMP security pros on call.
5. Linux
- Regularly scan for vulnerabilities with free products like Nessus, or get a $25 scan done with a provider like quicloud. Send “high” and “medium” vulnerabilities to your host or “Linux dude” & ask them to remediate.
- Use SFTP, not FTP.
- Disable “root” login and create different login accounts for each consultant.
- Have a consultant install a “Denial of Service” or “DOS” prevention tool (like fail2ban), a monitoring system (like Nagios) and/or an IDS (like Snort).
6. Apache
- Make sure you have “mod_security” installed.
- Make sure Apache is running as a distinct user (typically “apache”).
- Disable “root” login and create different login accounts for each consultant.
- Make sure these are OFF: ‘DirectoryIndexes’, ‘ServerSignature’, ‘ServerTokens’, ‘ExecCGI’, ‘Server Side Includes’.
7. PHP
- Make sure there are no ‘phpinfo’ entries in any files (have your “Linux Dude” run `find . -type f | xargs grep 'phpinfo'` from your root web directory).
- Make sure users can’t upload “.php” files.
- Scrub all user input (you need a programmer).
- Turn on and use “error_reporting” on high-load pages or suspicious code.
- Have your “Linux Dude” use PhpSecInfo, “PHP Security Scanner” or the “Spike PHP Security Audit” tool to find & fix problems.
- Make sure ‘register_globals’ is OFF.
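The first, second and last points on this slide can be checked in one pass. The script below is an added example, not from the slides; `php_audit` is a hypothetical helper that takes the web root and the php.ini path, and the sample files in its comments are assumptions.

```sh
#!/bin/sh
# Added audit helper, not part of the original slides. Usage:
#   php_audit /var/www/html /etc/php.ini
# Prints one finding per line and returns 1 when anything was found,
# so it can run from cron and only mail you when something turns up.
php_audit() {
    webroot="$1"
    phpini="$2"
    findings=$( {
        # 1. the slide's "find . -type f | xargs grep phpinfo", made safe for
        #    odd file names (-print0/-0) and reduced to file names only (-l)
        find "$webroot" -type f -print0 2>/dev/null \
            | xargs -0 -r grep -l 'phpinfo' 2>/dev/null \
            | sed 's/^/phpinfo call in: /'
        # 2. PHP files inside the uploads tree: users must not be able to
        #    place these, so any hit is worth a look
        find "$webroot/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
            | sed 's/^/php file in uploads: /'
        # 3. register_globals must be Off; any truthy value in php.ini is a finding
        grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|yes|true)' \
            "$phpini" 2>/dev/null && echo "register_globals is On in: $phpini"
    } | LC_ALL=C sort )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```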
8. MySQL
- Disable the “root” user (after making sure you’re not using it).
- Remove unused users in the “mysql.User” table.
- Close remote access (port 3306) to the database (again, after you’ve checked you’re not using it).
- Make sure MySQL is running as a distinct user (usually “mysql”).
- Remove “test” users and “test” databases that are in the default install.
- Ensure that all users are set for only “localhost” access (again, after you’ve checked “remote” is not needed).
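An added example (not from the slides) that turns the account-related points on this slide into a review list: `mysql_user_audit` is a hypothetical helper that reads the user/host table as the mysql client prints it and pairs each finding with the SQL that would fix it, for a human to check before running.

```sh
#!/bin/sh
# Added audit helper, not part of the original slides. Feed it the account
# list as the mysql client prints it without headers (tab-separated):
#   mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user" | mysql_user_audit
# Each output line is "finding<TAB>suggested SQL"; review before running any of it.
mysql_user_audit() {
    awk -F'\t' -v q="'" '
        BEGIN { OFS = "\t" }
        # empty user name = anonymous login (present in a default install)
        $1 == "" { print "anonymous account @" $2, "DROP USER " q q "@" q $2 q ";"; next }
        # default test accounts
        $1 ~ /^test/ { print "test account " $1 "@" $2, "DROP USER " q $1 q "@" q $2 q ";"; next }
        # reachable from other hosts: the slide wants localhost-only access
        $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "remote access " $1 "@" $2,
                  "RENAME USER " q $1 q "@" q $2 q " TO " q $1 q "@" q "localhost" q "; -- only if nothing connects remotely"
            next
        }
        # root still present: create your own admin account first, then remove it
        $1 == "root" { print "root login enabled @" $2, "-- after creating a replacement admin: DROP USER " q "root" q "@" q $2 q ";" }
    ' | LC_ALL=C sort
}
```

Accounts that are already localhost-only and not root, anonymous or test (such as the site's own WordPress user) produce no line at all.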
9. Wordpress (finally :-)
- Install and use the “Login LockDown” module (records the IP of failed logins and can block login after many attempts in a short period of time) and the “Stealth Login” module (creates hidden URLs for login, logout, admin, etc).
- In the “.htaccess” of your “wp-admin” folder, restrict login to your IP (if your IP is static).
- Move your “wp-config.php” file out of your Web root (possible after wp 2.x).
- Change the Wordpress table prefix (from “wp_” to something cryptic). Easy prior to installing Wordpress, tough afterwards.
- Create a 2nd “admin” account, and delete the default “admin” user.
- Disable browsing of your “wp-content/plugins/” folder.
- Stop advertising your Wordpress version to hackers: remove the code `<?php bloginfo('version'); ?>` from your theme’s “header.php” file.
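The wp-admin IP restriction, the “no .php uploads” point from the PHP slide and the version-tag removal can be scripted together. This is an added example, not from the slides: `wp_harden` is a hypothetical helper, the IP 203.0.113.5 is a placeholder for your static address, and the access directives are written in Apache 2.2 syntax.

```sh
#!/bin/sh
# Added hardening helper, not part of the original slides. Usage:
#   wp_harden /var/www/html 203.0.113.5
# Applies three of the slide's steps to a WordPress tree; the IP is the
# admin's static address (assumed), and the directives are Apache 2.2 style.
wp_harden() {
    webroot="$1"
    admin_ip="$2"
    # 1. wp-admin answers only to the administrator's IP
    #    (note: this also blocks wp-admin/admin-ajax.php for anonymous visitors)
    cat > "$webroot/wp-admin/.htaccess" <<EOF
Order Deny,Allow
Deny from all
Allow from $admin_ip
EOF
    # 2. uploads may store files but must never serve a .php file, so a file
    #    that slips past the upload filter still cannot run
    cat > "$webroot/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
EOF
    # 3. strip the version tag from every theme's header.php (a .bak copy is kept)
    find "$webroot/wp-content/themes" -name header.php -exec \
        sed -i.bak -E "s/<[?]php[[:space:]]*bloginfo\(['\"]version['\"]\);?[[:space:]]*[?]>//g" {} \;
}
```

On Apache 2.4 replace the Order/Deny/Allow lines with `Require ip 203.0.113.5` (wp-admin) and `Require all denied` (uploads). Test any front-end feature that calls admin-ajax.php after applying step 1.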
10. Security can be quick & easy
- Just regularly patching & updating is huge.
- Instructions in here will secure probably 80-90% of your problems, and an experienced Sys Admin can do all “the big stuff” in probably 4-6 hours.
- If you’re not a system administrator, don’t “tinker”. In Linux, you can delete your whole server with just 7 characters… and there’s no “undo”.
- Use a free/cheap monitoring service like ‘pingdom’, ‘site24x7’, or ‘BinaryCanary’ to set up SMS or email messages if your site is down or hacked.
- Ask for help if you’re in over your head and/or don’t want to bother. Security is definitely one area you don’t want to ‘skimp’ on.
11. quicloud.com
We help the smallest of small businesses create secure, scalable Websites using LAMP, Wordpress, Drupal, and Joomla!
Services:
- Build an entirely new secure server for as low as $200 per server.
- Patch and secure an existing server for as low as $150 per server.
- Update and support your systems for as low as $20 per month, per server.
- Emergency “I’ve been hacked” resolution.
We can help you build, deploy, and maintain your services in the cloud, reducing your hosting costs and improving your service level.
12. Resources / further reading
Wordpress Security:
- http://codex.wordpress.org/Hardening_WordPress
- http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
- http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow
LAMP Stack Security:
- http://blog.taragana.com/index.php/archive/top-10-linux-security-tips-for-system-administrators/
- http://www.noupe.com/php/php-security-tips.html
- http://dev.mysql.com/doc/refman/5.0/en/security.html
- http://www.fail2ban.org/wiki/index.php/Main_Page
- http://www.nessus.org/ (security scanner which you can run from your desktop)
Rackspace Cloud (excellent cloud hosting for as low as $11/month, great for us “small guys”):
- http://www.rackspacecloud.com/
Site Monitoring tools (most offer a “free” version to monitor one site):
- http://pingdom.com/
- http://site24x7.com/
- http://binarycanary.com/
- http://www.nagios.org/ (Nagios monitors your Linux server internally)