Securing WordPress & its underlying LAMP stack
rICh morrow, Principal Engineer, quicloud.com
An OGRE is like an ONION (or something like that… I want a parfait now)
The layers, top to bottom:
- Browser
- WordPress
- PHP (logic), MySQL (database)
- Apache (web server)
- Linux (operating system)
6/17/10 RE Bar Camp Denver, rich@quicloud.com
Vulnerabilities at each layer
WordPress, poor WordPress:
- No core security team the way Drupal has one.
- Popularity makes it a target.
- "Ease of use" tends to come at the cost of security.
- Third-party plugins and themes can introduce their own vulnerabilities.
The LAMP stack depends heavily on your host:
- You may or may not have control over it.
- Even if you do have control, each layer is a job unto itself.
- Even the best hosts use "default" installs, which are far from secure.
Across all layers
- Update & patch religiously, or make sure someone is doing it for you.
- Only enable what you need (WordPress plugins, Apache modules, ports and services in Linux).
- Passwords: choose long, unique passwords; change them every 3 months at most, and immediately when a contractor leaves or a leak is suspected (length and uniqueness matter more than the calendar). NEVER email or IM a username and its password together.
- Put a protective control on every layer you can (scanner, brute-force blocker, web application firewall, monitoring; see the per-layer slides).
- Schedule 2-3 hours at least quarterly (monthly is better) to review policies.
- Back up before making changes.
- Assume you will be hacked at some point: set up monitoring that alerts you within 5 minutes of a compromise.
- Back up religiously, and test restoring from those backups.
- Have at least 2-3 WordPress and/or LAMP security pros on call.
Linux
- Regularly scan for vulnerabilities with free products like Nessus, or get a $25 scan done by a provider like quicloud. Send the "high" and "medium" findings to your host or your "Linux dude" and ask them to remediate.
- Use SFTP, not FTP (FTP sends the password in the clear; SFTP rides on SSH, so nothing extra has to be opened).
- Disable root login over SSH (PermitRootLogin no in sshd_config) and create a separate login account for each consultant, so access can be revoked per person.
- Have a consultant install a brute-force blocker like fail2ban (it bans an IP after repeated failed logins; it is not a real denial-of-service defence), a monitoring system like Nagios, and/or an IDS like Snort.
Apache
- Make sure mod_security (a web application firewall) is installed and loaded.
- Make sure Apache runs as its own unprivileged user (typically "apache", or "www-data" on Debian/Ubuntu), never as root.
- As on the Linux slide: no root or shared logins for the people who edit Apache's configuration; one account per consultant.
- Make sure these are off or minimised: directory listings (Options -Indexes), ServerSignature Off, ServerTokens Prod (it cannot be switched off, only reduced to the product name), CGI execution (Options -ExecCGI) and server-side includes (Options -Includes).
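The sshd and Apache items on the Linux and Apache slides can be checked mechanically. The script below is an added example, not part of the deck: it reads a config file the way the daemons do (comments ignored, last occurrence wins) and reports each setting that is still at the weak default. The sshd_config and httpd.conf snippets it writes to a temp directory are constructed samples of a "default install" next to a hardened one; on a real host you would point the functions at /etc/ssh/sshd_config and your main httpd.conf, whose path varies by distribution.

```shell
#!/bin/sh
# Added example (not from the deck): audit the sshd and Apache settings the Linux
# and Apache slides ask for. Sample configs below are constructed; real files are
# /etc/ssh/sshd_config and the main httpd.conf (path varies by distribution).
set -u

# Effective value of a "Directive value" setting, the syntax both sshd_config and
# httpd.conf use: comment lines never match, later lines win, so take the last.
# Prints nothing when the directive is absent, i.e. the compiled-in default applies.
directive() {  # $1 = file, $2 = directive name (matched case-insensitively)
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
        sed -e 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' -e 's/[[:space:]]*$//'
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One FAIL line per weak setting; the return value is the number of findings.
audit_sshd() {  # $1 = sshd_config
    n=0
    v=$(lower "$(directive "$1" PermitRootLogin)")
    # absent means the daemon default, which on OpenSSH of this era was "yes"
    [ "${v:-yes}" = no ] ||
        { echo "FAIL sshd: PermitRootLogin is '${v:-<default>}', want 'no'"; n=$((n+1)); }
    v=$(lower "$(directive "$1" PasswordAuthentication)")
    # keys instead of passwords: the guessing fail2ban would be banning fails outright
    [ "${v:-yes}" = no ] ||
        { echo "FAIL sshd: PasswordAuthentication is '${v:-<default>}', want 'no'"; n=$((n+1)); }
    # SFTP rides on sshd; this Subsystem line is what lets you switch FTP off
    grep -iq '^[[:space:]]*Subsystem[[:space:]][[:space:]]*sftp' "$1" ||
        { echo "FAIL sshd: no 'Subsystem sftp' line, SFTP is not available"; n=$((n+1)); }
    return $n
}

audit_apache() {  # $1 = httpd.conf
    n=0
    v=$(lower "$(directive "$1" ServerTokens)")
    case "${v:-full}" in
        prod|productonly) ;;   # ServerTokens cannot be "off"; Prod is the minimum
        *) echo "FAIL apache: ServerTokens is '${v:-<default Full>}', want 'Prod'"; n=$((n+1)) ;;
    esac
    v=$(lower "$(directive "$1" ServerSignature)")
    [ "${v:-off}" = off ] ||
        { echo "FAIL apache: ServerSignature is '$v', want 'Off'"; n=$((n+1)); }
    # Options is per <Directory>; flag any line that switches a risky feature on
    # (bare or "+" prefixed keyword, or "All"). "-Indexes" is the desired form.
    for opt in Indexes ExecCGI Includes; do
        grep -i '^[[:space:]]*Options[[:space:]]' "$1" |
            grep -Eiq "[[:space:]][+]?($opt|All)([[:space:]]|$)" &&
            { echo "FAIL apache: an Options line enables $opt"; n=$((n+1)); }
    done
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+security2_module' "$1" ||
        { echo "FAIL apache: mod_security (security2_module) is not loaded"; n=$((n+1)); }
    v=$(lower "$(directive "$1" User)")
    case "$v" in
        ''|root) echo "FAIL apache: User is '${v:-<unset>}', run as a dedicated account"; n=$((n+1)) ;;
    esac
    return $n
}

# Constructed samples: a typical "default install" beside a hardened one.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_weak" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$tmp/sshd_hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$tmp/httpd_weak" <<'EOF'
User apache
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
</Directory>
EOF
cat > "$tmp/httpd_hard" <<'EOF'
LoadModule security2_module modules/mod_security2.so
User apache
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes -ExecCGI -Includes +FollowSymLinks
</Directory>
EOF

for f in sshd_weak sshd_hard; do
    echo "== $f"; audit_sshd "$tmp/$f" && echo "   clean" || echo "   $? finding(s)"
done
for f in httpd_weak httpd_hard; do
    echo "== $f"; audit_apache "$tmp/$f" && echo "   clean" || echo "   $? finding(s)"
done
```

The weak sshd sample fails all three checks (a commented-out PermitRootLogin still leaves the daemon default in force), and the weak httpd.conf fails five. Hand the FAIL lines to whoever owns the box; the "want" value on each line is the change to make.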
PHP
- Make sure no phpinfo() calls are left in any file. Have your "Linux dude" run this from your web root:
  find . -type f -name '*.php' | xargs grep -l 'phpinfo'
- Make sure users cannot upload ".php" files, and that the upload directory will not execute PHP even if one gets there.
- Scrub all user input (you need a programmer for this).
- Turn error_reporting up on high-load pages or suspicious code, but send the errors to a log file (log_errors On) rather than to the visitor's browser (display_errors Off); error pages leak paths and queries.
- Have your "Linux dude" run PhpSecInfo, "PHP Security Scanner" or the "Spike PHP Security Audit" tool to find and fix problems.
- Make sure register_globals is OFF (it was removed entirely in PHP 5.4).
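Two of the PHP items are file checks a script can do. The block below is an added example, not the deck's own code: it spells out the phpinfo search properly (only *.php, each file listed once, matching the call rather than the bare word) and reads php.ini the way PHP does to confirm register_globals is off and errors go to a log instead of the browser. The web tree and the two php.ini files it creates in a temp directory are constructed samples; real paths such as /var/www/html and /etc/php.ini are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example (not from the deck): the file-level checks on the PHP slide, run
# against a constructed web tree and php.ini in a temp directory. Locations like
# /var/www/html and /etc/php.ini are assumptions that vary by distribution.
set -u

# PHP files under $1 that call phpinfo(): the slide's one-liner spelled out.
# Restrict to *.php, print each file once (-l), and match the call with its
# parenthesis so a comment that merely mentions phpinfo does not trip it.
find_phpinfo() {  # $1 = web root
    find "$1" -type f -name '*.php' -exec grep -lE 'phpinfo[[:space:]]*\(' {} +
}

# Effective php.ini value for a key: ';' starts a comment and later lines win.
ini_value() {  # $1 = php.ini, $2 = key
    grep -iE "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//'
}

# One FAIL line per weak setting; returns the number of findings.
# register_globals is the slide's item; display_errors/log_errors is the caveat
# to "turn on error_reporting": report everything, but to a log, not to visitors.
audit_php_ini() {  # $1 = php.ini
    n=0
    for spec in register_globals:off:off display_errors:off:on log_errors:on:off; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; default=${rest#*:}
        got=$(ini_value "$1" "$key" | tr 'A-Z' 'a-z')
        # php.ini accepts On/Off, 1/0, true/false; normalise, and fall back to
        # PHP 5's built-in default (third field of spec) when the key is unset.
        case "$got" in 1|true|yes) got=on ;; 0|false|no) got=off ;; '') got=$default ;; esac
        [ "$got" = "$want" ] ||
            { echo "FAIL php.ini: $key is '$got', want '$want'"; n=$((n+1)); }
    done
    return $n
}

# Constructed web tree and php.ini files.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
www=$tmp/html
mkdir -p "$www/wp-content/plugins/debugbar"
printf '<?php phpinfo(); ?>\n' > "$www/info.php"                       # classic leftover
printf '<?php phpinfo (INFO_GENERAL);\n' > "$www/wp-content/plugins/debugbar/dump.php"
printf '<?php echo "ok"; // phpinfo is not called here\n' > "$www/index.php"
cat > "$tmp/php-weak.ini" <<'EOF'
; what an old shared host tends to ship
register_globals = On
display_errors = On
EOF
cat > "$tmp/php-hard.ini" <<'EOF'
register_globals = Off
display_errors = Off   ; never show errors to visitors
log_errors = On
error_log = /var/log/php_errors.log
EOF

echo "== phpinfo() callers under $www"; find_phpinfo "$www"
for f in php-weak.ini php-hard.ini; do
    echo "== $f"; audit_php_ini "$tmp/$f" && echo "   clean" || echo "   $? finding(s)"
done
```

The finder lists info.php and the plugin's dump.php but not index.php, whose comment only mentions the word. The weak php.ini fails on log_errors as well as the two explicit settings, because a key that is absent falls back to PHP's compiled default, which is not the safe value.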
MySQL
- Disable the "root" user for anything but local administration (after making sure nothing is using it): remove root accounts reachable from other hosts and give the remaining one a password.
- Remove unused users from the mysql.user table, including the anonymous ('') accounts a default install creates.
- Close remote access to the database (port 3306) with a firewall rule and bind-address = 127.0.0.1 in my.cnf (again, after you have checked nothing needs it).
- Make sure MySQL is running as a distinct user (usually "mysql").
- Remove the "test" users and "test" database that come with the default install.
- Ensure every remaining user is limited to "localhost" access (again, after you have checked that remote access is not needed). The bundled mysql_secure_installation script walks through most of these.
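The account review on this slide is a pattern match over the user/host pairs in mysql.user, so it can be scripted. The block below is an added example, not the deck's own: it takes one user@host per line, as produced by `mysql -N -B -e "SELECT CONCAT(user, '@', host) FROM mysql.user"`, flags anonymous users, root reachable from elsewhere, leftover test accounts and wildcard hosts, and prints the exact SQL that fixes each one. The account list is constructed and nothing here connects to a database; the statements are meant to be read first and run by hand, after confirming the application's own account is not among them.

```shell
#!/bin/sh
# Added example (not from the deck): review MySQL accounts the way the slide
# describes and print the SQL that fixes each finding. Input is one "user@host"
# per line, i.e. the output of
#     mysql -N -B -e "SELECT CONCAT(user, '@', host) FROM mysql.user"
# The list below is constructed; nothing here connects to a database.
set -u

# Reads user@host lines on stdin. Prints "FAIL <reason> => <SQL>" for each risky
# account and returns the number of findings.
review_accounts() {
    n=0
    while IFS= read -r line; do
        user=${line%%@*}; host=${line#*@}
        case "$user:$host" in
            # anonymous accounts ship with the default install and match any login name
            :*)        echo "FAIL anonymous account ''@'$host' => DROP USER ''@'$host';" ;;
            # root may stay for local administration; the app should use its own account
            root:localhost|root:127.0.0.1|root:::1) continue ;;
            root:*)    echo "FAIL root reachable from '$host' => DROP USER 'root'@'$host';" ;;
            test*:*)   echo "FAIL leftover test account '$user'@'$host' => DROP USER '$user'@'$host';" ;;
            # '%' or any other wildcard host: pin the account to localhost instead
            *:*%*)     echo "FAIL '$user' allowed from wildcard host '$host' => RENAME USER '$user'@'$host' TO '$user'@'localhost';" ;;
            *)         continue ;;
        esac
        n=$((n+1))
    done
    return $n
}

# Just the SQL, plus the test-database cleanup that does not depend on accounts
# (the same statements mysql_secure_installation runs for that part).
fix_sql() {
    review_accounts | sed 's/^FAIL .* => //'
    echo "DROP DATABASE IF EXISTS test;"
    echo "DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\\\_%';"
    echo "FLUSH PRIVILEGES;"
}

# Constructed account list: a default install plus a few bad habits.
sample='root@localhost
root@%
@localhost
@db01.example.com
wordpress@localhost
testuser@%
backup@192.168.1.%'

echo "== findings"; printf '%s\n' "$sample" | review_accounts || echo "   $? finding(s)"
echo "== remediation SQL"; printf '%s\n' "$sample" | fix_sql
```

Five of the seven accounts are flagged; root@localhost and wordpress@localhost pass untouched. Run the printed SQL only after checking that the account your wp-config.php uses is not among the RENAME or DROP lines, and note that RENAME USER keeps the account's privileges while moving it to localhost.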
WordPress (finally :-)
- Install and use the "Login LockDown" plugin (records the IP of failed logins and can block login after many attempts in a short period) and the "Stealth Login" plugin (hidden URLs for login, logout, admin, etc.; this only cuts down automated noise and is no substitute for strong passwords).
- In the .htaccess of your wp-admin folder, restrict access to your IP (if your IP is static). admin-ajax.php lives in wp-admin and is called by many themes and plugins from the public site, so exempt it if something breaks.
- Move your wp-config.php file one level above the web root (supported since WordPress 2.6).
- Change the WordPress table prefix from "wp_" to something unguessable. Easy before installing WordPress, tough afterwards (every table has to be renamed).
- Create a second administrator account, log in as it, and delete the default "admin" user (attribute its posts to the new account when prompted).
- Disable directory listing of your wp-content/plugins/ folder.
- Stop advertising your WordPress version: remove <?php bloginfo('version'); ?> from your theme's header.php. The generator meta tag that wp_head() prints and the readme.html in the web root give the version away too.
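Most of the WordPress items are file checks and file edits, so the script below does them against a throwaway install. It is an added example, not the deck's own code: `audit_wp` reports the findings (wp-config.php in the web root, the wp_ prefix, a theme printing the version, missing .htaccess protection on wp-admin and uploads, a listable plugins directory) and `harden_wp` applies the parts that are safe to script, writing the wp-admin allow-list and an uploads .htaccess that refuses to execute PHP. The install it creates in a temp directory, the theme file and the admin address 203.0.113.5 are all constructed; the access-control syntax is Apache 2.4's `Require`, and on 2.2 the equivalent is `Order deny,allow` / `Deny from all` / `Allow from <ip>`.

```shell
#!/bin/sh
# Added example (not from the deck): check and apply the file-level items on the
# WordPress slide against a constructed install in a temp directory. The admin
# address, paths and sample files are assumptions; a real host will differ.
set -u

# Findings on an existing install; $1 = web root that holds wp-admin/ etc.
# Prints one FAIL line each and returns the count.
audit_wp() {
    root=$1; n=0
    if [ -f "$root/wp-config.php" ]; then
        echo "FAIL wp-config.php is inside the web root; move it one level up"; n=$((n+1))
        cfg=$root/wp-config.php
    else
        # WordPress (2.6 and later) also looks one directory above the web root
        cfg=$(dirname "$root")/wp-config.php
    fi
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" 2>/dev/null; then
        # changing this after install means renaming every table too; report only
        echo "FAIL \$table_prefix is the default 'wp_'"; n=$((n+1))
    fi
    if grep -rlE "bloginfo[[:space:]]*\([[:space:]]*['\"]version['\"]" "$root/wp-content/themes" 2>/dev/null | grep -q .; then
        echo "FAIL a theme template prints bloginfo('version')"; n=$((n+1))
    fi
    [ -f "$root/wp-admin/.htaccess" ] ||
        { echo "FAIL wp-admin/ has no .htaccess restricting who may reach it"; n=$((n+1)); }
    [ -f "$root/wp-content/uploads/.htaccess" ] ||
        { echo "FAIL wp-content/uploads/ does not refuse to execute PHP"; n=$((n+1)); }
    [ -f "$root/wp-content/plugins/index.php" ] ||
        { echo "FAIL wp-content/plugins/ can be listed (no index.php)"; n=$((n+1)); }
    return $n
}

# Apply what can safely be scripted. $1 = web root, $2 = admin IP or CIDR.
# Apache 2.4 syntax; on 2.2 use "Order deny,allow / Deny from all / Allow from".
harden_wp() {
    root=$1; ip=$2
    if [ -f "$root/wp-config.php" ]; then
        mv "$root/wp-config.php" "$(dirname "$root")/wp-config.php"
    fi
    cat > "$root/wp-admin/.htaccess" <<EOF
# only the admin's address reaches the dashboard; admin-ajax.php stays open
# because themes and plugins call it from the public site
Require ip $ip
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# uploads are data, never code: do not let Apache run anything PHP-like here
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    # a blank index.php stops directory listing without needing AllowOverride Options
    [ -f "$root/wp-content/plugins/index.php" ] ||
        printf '<?php\n// Silence is golden.\n' > "$root/wp-content/plugins/index.php"
}

# Constructed install: default prefix, config in the web root, leaky theme.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
www=$tmp/html
mkdir -p "$www/wp-admin" "$www/wp-content/uploads" "$www/wp-content/plugins" "$www/wp-content/themes/mytheme"
cat > "$www/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
EOF
cat > "$www/wp-content/themes/mytheme/header.php" <<'EOF'
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
EOF

echo "== before"; before=0; audit_wp "$www" || before=$?
harden_wp "$www" 203.0.113.5
echo "== after";  after=0;  audit_wp "$www" || after=$?
echo "$before finding(s) before, $after left for manual work (prefix, theme)"
```

Two findings remain after hardening on purpose: the table prefix needs the database tables renamed along with wp-config.php, and the version line has to be cut out of the theme by hand. Everything else is reversible by deleting the two .htaccess files and moving wp-config.php back.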
Security can be quick & easy
- Just regularly patching and updating is huge.
- The instructions in here cover probably 80-90% of your problems, and an experienced sysadmin can do all "the big stuff" in probably 4-6 hours.
- If you are not a system administrator, don't "tinker". In Linux you can delete your whole server with just 7 characters, and there is no "undo".
- Use a free/cheap monitoring service like Pingdom, Site24x7 or BinaryCanary to get an SMS or email when your site is down or hacked.
- Ask for help if you are in over your head and/or don't want to bother. Security is definitely one area you don't want to skimp on.
quicloud.com
We help the smallest of small businesses create secure, scalable websites using LAMP, WordPress, Drupal and Joomla!
Services:
- Build an entirely new secure server for as low as $200 per server.
- Patch and secure an existing server for as low as $150 per server.
- Update and support your systems for as low as $20 per month, per server.
- Emergency "I've been hacked" resolution.
We can help you build, deploy and maintain your services in the cloud, reducing your hosting costs and improving your service level.
Resources / further reading
WordPress security:
- http://codex.wordpress.org/Hardening_WordPress
- http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
- http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow
LAMP stack security:
- http://blog.taragana.com/index.php/archive/top-10-linux-security-tips-for-system-administrators/
- http://www.noupe.com/php/php-security-tips.html
- http://dev.mysql.com/doc/refman/5.0/en/security.html
- http://www.fail2ban.org/wiki/index.php/Main_Page
- http://www.nessus.org/ (security scanner you can run from your desktop)
Rackspace Cloud (excellent cloud hosting for as low as $11/month, great for us "small guys"): http://www.rackspacecloud.com/
Site monitoring tools (most offer a free tier to monitor one site):
- http://pingdom.com/
- http://site24x7.com/
- http://binarycanary.com/
- http://www.nagios.org/ (Nagios monitors your Linux server from the inside)
