HOW TO KEEP YOUR BLOG FROM BEING HACKED, STOLEN OR OTHERWISE VIOLATED
Brian Layman
North East Ohio WordPress Meetup
#NEOWP
Introduction
• Who I am. What I do. What I see.
• What software do your blogs run on?
• Who here has had a blog hacked, defaced, stolen or taken down?
• Is your site safe? (No one would ever want to hack my blog about _____.)
• The title is a lie…
Well Known Blog Hacks
• Go Daddy
• Blue Host
• Network Solutions
• PayPal’s Blog
• CorneliaMarie.com
• ClimateCrisis.net
• Twilight Lexicon
• Twitter
• Gawker
• PhotoMatt
• Problogger
• DreamHost
• Bizland
Antivirus Campaign
http://bit.ly/AVCampaign
Define “hacked”
• Content or uploads destroyed
• Hidden hyperlinks added to your site
• Redirect to another site
• Content edited
• Hijacked website
• Defacement
• Bank fraud
Definition of Terms – How attacks happen…
• CSRF/XSRF – Cross Site Request Forgery
• XSS – Cross Site Scripting
• SQL Injection
• DDOS – (Distributed) Denial of Service
• DNS Hijacking – Spoofing or Poisoning
• Malvertising – Malicious Advertising
• Stolen Password
• Bad Code
Open Source Responses to Vulnerabilities
• WordPress – http://codex.wordpress.org/Hardening_WordPress – security@wordpress.org
• Drupal – http://drupal.org/security-team – security@drupal.org
• Joomla – http://developer.joomla.org/security.html – security@joomla.org
Security Through Obscurity
• What is it? You tell me…
• Who is right?
• My thought: any steps that may eliminate a large subset of attacks on your blog should be taken.
Tactics YOU can use no matter what platform you are on
The basics:
• Passwords
• Communication (plain text vs. SSL)
• Updates
• Watch what you add to your sites (plugins/themes/add-ons)
• Backups
• Google Webmaster Tools
Passwords
• Use strong passwords
• Make them unique in high value situations
Communication
• Pay attention to how you are sending your passwords
• Wireless networks = risk
• FTP – use SFTP instead
• Email – use SSL: ports 587, 995, 993 vs. 25, 110, 143
• Skype – syncs history upon connect; never send secure passwords – EVER
• cPanel/WHM/admin pages – if it is http, not https, your password can be scraped
Updates
• Keep your blog, plugins, themes, & operating system current – yes, even Linux
• Security and attacks improve over time:
  2005 – Admin operations required a referrer
  2006 – Admin operations required a NONCE
  2007 – Plugin pages forced to check security
  2008 – Randomized keys and salts & upgrades
  2009 – Security escalation issues – full review
  2010 – Automated plugin and theme upgrades
  2011 – Sniffing, upload, clickjacking, file cleanup
Watch what you add…
• Every plugin or theme is a security risk
• “Free Theme” sites are a very high risk
• Less popular & highly specialized plugins have had fewer eyes on them and are riskier
• Older plugins used older security standards – we simply knew less and had fewer tools
• You are responsible for your site. Learn how to identify problems or make a friend who can.
Backups
• Both files and database
• Keep the files offline
• If you have files online, keep them out of public_html
• As important as having the backups… know how to restore them!
• Before you restore – delete the files and directories to remove the hack files
Google Webmaster Tools
• How do you know you are hacked? Google will email you when they consider you a risk
• http://www.google.com/webmasters/
• http://www.google.com/webmasters/checklist/
• https://www.google.com/webmasters/tools/reconsideration
• You can configure multiple owners
Coding Practices
• EVERYTHING that is displayed on the screen must be filtered. WordPress provides: esc_html, esc_url, esc_*
  http://codex.wordpress.org/Data_Validation
• EVERYTHING that you send to the database must be filtered. WordPress provides: $wpdb->prepare
• TRUST NOTHING
• Try to use your text instead of user input
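As an added example (not code from the slides, and not WordPress’s own), here is a small shortcode that applies both rules at once: $wpdb->prepare for the query and the esc_* helpers for every value that reaches the page, with the unsafe pattern left in a comment for contrast. It assumes it runs inside WordPress (so the global $wpdb and the esc_* functions exist); the function name and shortcode tag are hypothetical.

```php
<?php
// Added example: a search box shortcode that filters input on the way to the
// database and on the way to the screen. Assumes WordPress is loaded; the
// function and shortcode names (neowp_*) are made up for this example.

function neowp_search_box_shortcode( $atts ) {
    global $wpdb;

    // TRUST NOTHING: anything in $_GET is attacker-controlled.
    $term = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';

    // The pattern the slides warn against (raw input in SQL and in HTML):
    //   $rows = $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%$term%'" );
    //   echo "<p>Results for $term</p>";

    // Database side: esc_like() escapes LIKE wildcards, prepare() binds the value.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s LIMIT 20",
            $like
        )
    );

    // Screen side: escape each value for the context it lands in
    // (attribute, text, URL). Our own fixed strings need no escaping.
    $out  = '<form method="get">';
    $out .= '<input type="text" name="q" value="' . esc_attr( $term ) . '"> ';
    $out .= '<button type="submit">Search</button></form>';
    $out .= '<p>Results for: ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
              . esc_html( $row->post_title ) . '</a></li>';
    }
    $out .= '</ul>';

    return $out;
}
add_shortcode( 'neowp_search', 'neowp_search_box_shortcode' );
```

The point of the three different esc_* calls is that “filtered” means filtered for the place the value ends up: the same $term goes through esc_attr inside the input tag and esc_html inside the paragraph, and the permalink goes through esc_url because it lands in an href.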
Servers
• Permissions – the 755 myth: chmod -R 755 *
• Generic: directories should be 755, files 644
• Reality: grant the least privilege that still provides the access you need
• VPS vs. shared hosting vs. managed hosting – flexibility, access, less risk = more $
• Harden your own server or let someone do it
• suPHP – isolates your installation
WordPress Specific Security Techniques
• Create an “Editor” user for posting
• Create a new “Administrator”, delete the old one, then only use it for maintenance
• Never use wp_ as your table prefix
• Look at wp-config-sample.php now and then and update your wp-config.php
• Force secure password logins: http://codex.wordpress.org/Administration_Over_SSL
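The wp-config.php side of three of those points, as an added example rather than text from the slides: a non-default table prefix, the constant behind the Administration_Over_SSL page, and the randomized keys and salts from the 2008 item on the Updates slide. The constant names are real WordPress settings; the prefix value and the key placeholders are constructed for this example.

```php
<?php
// Added example: wp-config.php hardening settings. The prefix value and the
// key placeholders are constructed; replace them with your own values.

// Weak: the default prefix that attack scripts assume.
//   $table_prefix = 'wp_';
// Better: a site-specific prefix. Set it before installing; changing it later
// means renaming every table and the prefixed option and usermeta rows.
$table_prefix = 'neowp_x7q_';

// Send the login form and the whole dashboard over HTTPS, so neither the
// password nor the authentication cookie crosses the wire in plain text.
define( 'FORCE_SSL_ADMIN', true );

// Unique keys and salts. Fresh values come from
// https://api.wordpress.org/secret-key/1.1/salt/ ; paste them over these
// placeholders (changing them logs every user out, which is the point
// after an incident).
define( 'AUTH_KEY',         'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'NONCE_KEY',        'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'AUTH_SALT',        'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-put-a-unique-random-phrase-here' );
define( 'NONCE_SALT',       'PLACEHOLDER-put-a-unique-random-phrase-here' );
```

Comparing your file against wp-config-sample.php now and then, as the slide suggests, is how you notice when a new setting like these has appeared in a release.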
WordPress Techniques (Expected Answers)
• Move wp-config.php
• Remove version info
• Rename the admin user
• Move your wp-content directory – possibly worth doing but will break many plugins and themes
• Use .htaccess to white list IP addresses or add an extra password layer
WordPress Techniques
• Free plugins (http://wordpress.org/extend/plugins/): exploit-scanner, wp-security-scan, wordpress-file-monitor
• Paid plugins: http://pluginbuddy.com/purchase/backupbuddy/
Who can help?
Site Rescue, Securing & Code Review
• Sucuri.net
• WebDevStudios.com
• CoveredWebServices.com
Managed Hosting
• WPEngine.com
• Page.ly
• WPSecuritylock.com
And of course doing it all: eHermitsInc.com
Brian Layman
http://eHermitsinc.com
http://thecodecave.com
http://www.slideshare.net/brianlayman
http://twitter.com/brianlayman
@eHermits
Text ehermits to 50500
Brian@eHermitsInc.com