Secure All The Things!

When it comes to security, WordPress is the least of your worries...

DESCRIPTION

Slightly updated version of my previous WordPress Security presentation.

Page 1: Secure All The Things!

When it comes to security, WordPress is the least of your worries...

Secure All The Things!

Page 2: Secure All The Things!

HACKERS!

Page 3: Secure All The Things!

HACKERS!

CRACKERS!

Page 4: Secure All The Things!

HACKERS! Everybody says “hackers” anyway.

Page 5: Secure All The Things!

WordPress Hacks

Warning! Massive Number of GoDaddy WordPress Blogs Hacked!

DreamHost: One Million Domains Hacked; WordPress Blogs Infected

WordPress Sites on GoDaddy, Bluehost Hacked

Reuters Hacked Again, Outdated WordPress Blog At Fault?

InMotion Hosting Servers Hacked, Thousands of Web Sites Affected

Page 6: Secure All The Things!

WordPress Hacks

History shows there have been very few “WordPress Hacks”.

“In the vast majority of cases I see, attackers get in some other way, and then once already in the system, they go looking for WordPress installs.” -- Mark Jaquith

Page 7: Secure All The Things!

If WordPress isn’t the weak point, what is?

Page 8: Secure All The Things!

WordPress Hacks

Most hacks that affect WordPress actually originate outside of WordPress Core.

TimThumb (PHP library, bundled with many themes/plugins)

Uploadify (jQuery plugin, bundled with many themes/plugins)

Adserve (plugin)

WassUp (plugin)

Is Human (plugin)

Page 9: Secure All The Things!

We need to look at the bigger picture

Page 10: Secure All The Things!

The LAMP Stack

Page 11: Secure All The Things!

Other Services and Apps

SMTP (email)

FTP

DNS

Other web sites and utilities?

Drupal, Joomla, forums

phpMyAdmin

Page 12: Secure All The Things!

Shared Hosting

Shared hosting? Shared security!

Other users on the same server as you can become a security risk that affects you.

What about your own users? Can you trust everyone who has a login for your site? Really trust them?

“Nobody cares as much about the survival of your business as yourself.” -- Ron Cain, business owner

Page 13: Secure All The Things!

How do hackers get in?

Known exploits in vulnerable software

Brute-force password guessing

Network scanners

Firesheep (session hijacking over unencrypted HTTP)

Wi-Fi vulnerabilities (WEP/WPA)

Automated tools

Rootkits

Page 14: Secure All The Things!

Staying Safe

Page 15: Secure All The Things!

Three Words

Update

Update

Update

Page 16: Secure All The Things!

Three Words

Update Core

Update Plugins

Update Themes

Page 17: Secure All The Things!

What Else?

Hotfix Plugin

WP Security Scanner

Login Lockdown

BulletProof Security

Sucuri.net

Page 18: Secure All The Things!

What Else?

Not using a plugin anymore?

Deactivate

DELETE!

A deactivated plugin’s files are still on disk and can still be requested directly, so deactivating alone is not enough.

The same goes for themes

Page 19: Secure All The Things!

HACKED!

Page 20: Secure All The Things!

Now What?

You can no longer trust any code files.

Nuke the site, start from trusted, fresh copies.

Save wp-config.php and wp-content/uploads.

Reinstall data from backups.

You do have backups, right?

Right?
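The rebuild this slide describes, as a shell script. It is an added example and not part of the presentation; it assumes the site’s document root is passed as the first argument, that wordpress.org serves the trusted tarball and its SHA-1 at latest.tar.gz.sha1, and that curl, tar and sha1sum are available. The check on wp-content/uploads is the caveat the slide leaves implicit: the two things everyone copies back are exactly where a backdoor tends to survive, so the script refuses to proceed while anything executable is under uploads and warns if wp-config.php contains eval() or base64_decode().

```shell
#!/bin/sh
# Added example, not from the slides: rebuild a compromised WordPress site from
# fresh, trusted copies, keeping only wp-config.php and wp-content/uploads.
# Assumptions: $1 is the document root; wordpress.org serves latest.tar.gz and
# its SHA-1 at latest.tar.gz.sha1; curl, tar and sha1sum are installed.
set -eu

# Print files that have no business living under uploads: PHP in any of its
# extension spellings, plus .htaccess (used to make other extensions execute).
# A backdoor here survives a "reinstall" that copies uploads back untouched.
find_suspicious_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' -o -name '.htaccess' \) | LC_ALL=C sort
}

rebuild_site() {
    wp_root=$1
    stamp=$(date +%Y%m%d%H%M%S)
    quarantine="${wp_root}.compromised.${stamp}"
    workdir=$(mktemp -d)

    # 1. Stop if uploads still carry executable files; review them by hand.
    if [ -n "$(find_suspicious_uploads "$wp_root/wp-content/uploads")" ]; then
        echo "refusing to rebuild: executable files under uploads:" >&2
        find_suspicious_uploads "$wp_root/wp-content/uploads" >&2
        return 1
    fi
    # The config file is copied back verbatim, so look for injected code in it.
    if grep -Eq 'eval\(|base64_decode\(|gzinflate\(' "$wp_root/wp-config.php"; then
        echo "warning: wp-config.php contains eval/base64_decode/gzinflate; inspect it before reuse" >&2
    fi

    # 2. Fetch a fresh core tarball and verify it against the published hash.
    curl -fsSL -o "$workdir/latest.tar.gz" https://wordpress.org/latest.tar.gz
    curl -fsSL -o "$workdir/latest.tar.gz.sha1" https://wordpress.org/latest.tar.gz.sha1
    (cd "$workdir" && printf '%s  latest.tar.gz\n' "$(cat latest.tar.gz.sha1)" | sha1sum -c - >/dev/null)
    tar -xzf "$workdir/latest.tar.gz" -C "$workdir"   # unpacks to $workdir/wordpress

    # 3. Keep the old tree offline for forensics rather than deleting it, then
    #    put the clean tree in its place.
    mv "$wp_root" "$quarantine"
    chmod 750 "$quarantine"
    mv "$workdir/wordpress" "$wp_root"

    # 4. Restore only the two things that cannot be regenerated. Themes and
    #    plugins are reinstalled from their vendors, never copied from $quarantine.
    cp -p "$quarantine/wp-config.php" "$wp_root/wp-config.php"
    rm -rf "$wp_root/wp-content/uploads"
    cp -pR "$quarantine/wp-content/uploads" "$wp_root/wp-content/uploads"

    echo "clean core installed in $wp_root; old tree kept in $quarantine" >&2
    echo "next: rotate the DB password and the AUTH_KEY and *_SALT values in wp-config.php," >&2
    echo "      reinstall plugins and themes from their vendors, restore content from backup" >&2
}

# Runs only when a document root is given, so the functions can be sourced for
# checks without touching anything.
if [ "$#" -gt 0 ]; then
    rebuild_site "$1"
fi
```

Run as `sh rebuild.sh /var/www/html`. The quarantined tree is kept for forensics; delete it only after the investigation, and treat the database as untrusted too: rotate the DB password, regenerate the keys and salts in wp-config.php, and review every account with administrator rights before the site goes live again.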

Page 21: Secure All The Things!

What do I back up?

Database

Uploaded media (wp-content/uploads)

Custom themes and plugins

wp-config.php

Keep a list of your installed third-party plugins
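One way to produce the backup this list describes, as an added shell example rather than anything from the presentation or from the tools named on the next slide. It assumes the document root and a destination directory are passed as arguments, that mysqldump, tar and gzip are installed, and that DB_HOST in wp-config.php is a host name with an optional :port (a socket path is not handled). The plugin manifest is built from the plugin headers on disk, so it is the “list of installed third-party plugins” even when the site is down.

```shell
#!/bin/sh
# Added example, not from the slides: back up everything the slide lists
# (database, uploads, custom themes and plugins, wp-config.php) plus a manifest
# of installed plugins, using only wp-config.php for credentials.
# Assumptions: $1 is the document root, $2 the backup destination; mysqldump,
# tar and gzip are installed; DB_HOST is "host" or "host:port".
set -eu

# Read one define('KEY', 'value') constant out of wp-config.php, tolerating
# either quote style and loose spacing. Prints nothing if the key is absent.
wp_config_value() {
    sed -n -E "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1
}

# Value of a "Header: value" line in a plugin's comment block.
plugin_header() {
    sed -n -E "s|^[[:space:]*#/]*$2:[[:space:]]*(.*[^[:space:]])[[:space:]]*\$|\1|p" "$1" | head -n 1
}

# One line per plugin: name, version, main file. Built from the plugin headers
# WordPress itself reads, so it works without the site being up. This is the
# list you restore third-party plugins from; their code is not restored from
# the tarball.
plugin_manifest() {
    for f in "$1"/*/*.php "$1"/*.php; do
        [ -f "$f" ] || continue
        name=$(plugin_header "$f" 'Plugin Name')
        [ -n "$name" ] || continue
        ver=$(plugin_header "$f" 'Version')
        printf '%s\t%s\t%s\n' "$name" "${ver:-unknown}" "${f#"$1"/}"
    done | LC_ALL=C sort
}

backup_site() {
    wp_root=$1
    out="$2/wp-backup-$(date +%Y%m%d-%H%M%S)"
    cfg="$wp_root/wp-config.php"
    mkdir -p "$out"
    chmod 700 "$out"

    # Database: credentials go through a mode-600 defaults file, never the
    # command line, where other users on a shared host can read them from ps.
    creds=$(mktemp)
    chmod 600 "$creds"
    host=$(wp_config_value "$cfg" DB_HOST)
    {
        printf '[client]\nuser=%s\npassword=%s\n' \
            "$(wp_config_value "$cfg" DB_USER)" "$(wp_config_value "$cfg" DB_PASSWORD)"
        case $host in
            *:*) printf 'host=%s\nport=%s\n' "${host%%:*}" "${host#*:}" ;;
            *)   printf 'host=%s\n' "$host" ;;
        esac
    } > "$creds"
    mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out/db.sql.gz"
    rm -f "$creds"

    # Files: config, media, and all themes/plugins (custom code lives here;
    # third-party ones are reinstalled from the manifest, not from the tarball).
    tar -czf "$out/files.tar.gz" -C "$wp_root" \
        wp-config.php wp-content/uploads wp-content/themes wp-content/plugins
    plugin_manifest "$wp_root/wp-content/plugins" > "$out/plugins.tsv"
    echo "backup written to $out" >&2
}

if [ "$#" -eq 2 ]; then
    backup_site "$1" "$2"
fi
```

Run as `sh wp-backup.sh /var/www/html /backups`, from cron, and copy the result off the server: a backup that lives on the same host goes down with it. On shared hosting the defaults file matters; a password on the mysqldump command line is visible to every other user through ps.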

Page 22: Secure All The Things!

How do I back up?

Backup Buddy

VaultPress

WordPress Backup to Dropbox

Page 23: Secure All The Things!

It can happen to you

It can happen to me

It can happen to everyone, eventually

-- Yes, “It Can Happen”, 90125

Page 24: Secure All The Things!

A Little Healthy Paranoia

Page 25: Secure All The Things!

Page 26: Secure All The Things!

Healthy Paranoia

Use strong passwords

Two-factor authentication -- Google Authenticator plugin

Use separate WordPress logins for publishing day-to-day content and for site administration

Limit who can log in to your site, and what permissions they have

Create temporary accounts for developers, if necessary, and remove them when the work is done

Page 27: Secure All The Things!

Healthy Paranoia

Use secure protocols: SFTP, SCP, SSH -- not FTP

If possible, enforce SSL on WordPress logins and dashboard access

Ensure the MySQL server is not accessible from other hosts

The same goes for memcached (or any other data store)
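Checks for the last three points on this slide, as an added shell example that is not from the presentation. The MySQL check reads the [mysqld] section of a my.cnf (assumed at /etc/mysql/my.cnf unless a path is given; files pulled in by !includedir are not followed), the SSL check looks for FORCE_SSL_ADMIN in wp-config.php, and the listener check reads ss -ltn or netstat -ltn output and flags FTP, MySQL, memcached, Redis and MongoDB ports bound to anything but loopback.

```shell
#!/bin/sh
# Added example, not from the slides: check that MySQL and other data stores
# listen on loopback only, that FTP is not listening, and that the WordPress
# dashboard is forced onto HTTPS. Assumptions: my.cnf at $1 (default
# /etc/mysql/my.cnf), wp-config.php at $2, and `ss -ltn` or `netstat -ltn`.
set -eu

# Read `ss -ltn` / `netstat -ltn` output on stdin and print "port address" for
# services that should only ever be reachable locally (FTP, MySQL, memcached,
# Redis, MongoDB) but are bound to something other than loopback.
exposed_listeners() {
    awk '
        $1 == "LISTEN" || $1 ~ /^tcp/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == 21 || port == 3306 || port == 11211 || port == 6379 || port == 27017)
                if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") print port, addr
        }'
}

# Effective bind-address from the [mysqld] section of a my.cnf (last one wins);
# prints "skip-networking" if TCP is disabled entirely, nothing if unset.
# Unset means the server default, which on most builds is every interface.
mysql_bind_address() {
    awk -F '=' '
        /^[ \t]*\[/            { sect = $0; gsub(/[][ \t]/, "", sect); next }
        sect != "mysqld"       { next }
        /^[ \t]*skip-networking[ \t]*$/ { last = "skip-networking"; next }
        $1 ~ /^[ \t]*bind-address[ \t]*$/ { last = $2; gsub(/[ \t]/, "", last) }
        END { print last }' "$1"
}

# True when wp-config.php forces HTTPS for wp-login.php and the whole dashboard.
wp_forces_ssl_admin() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

report() {
    cnf=${1:-/etc/mysql/my.cnf}
    cfg=${2:-/var/www/html/wp-config.php}
    status=0
    case $(mysql_bind_address "$cnf") in
        127.0.0.1|localhost|::1|skip-networking) echo "ok: MySQL listens on loopback only" ;;
        *) echo "FIX: set bind-address = 127.0.0.1 in the [mysqld] section of $cnf"; status=1 ;;
    esac
    if wp_forces_ssl_admin "$cfg"; then
        echo "ok: FORCE_SSL_ADMIN is on"
    else
        echo "FIX: add define('FORCE_SSL_ADMIN', true); to $cfg (needs a working HTTPS vhost)"
        status=1
    fi
    listing=$( { ss -ltn 2>/dev/null || netstat -ltn; } | exposed_listeners )
    if [ -n "$listing" ]; then
        printf 'FIX: bound to non-loopback addresses (port address):\n%s\n' "$listing"
        echo "     port 21 is FTP: move clients to SFTP/SCP and stop the FTP daemon"
        status=1
    else
        echo "ok: no FTP or data-store ports exposed beyond loopback"
    fi
    return $status
}

if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Run as `sh check.sh /etc/mysql/my.cnf /var/www/html/wp-config.php`. Set up a working HTTPS virtual host before turning on FORCE_SSL_ADMIN, or the dashboard becomes unreachable; memcached binds to loopback with `-l 127.0.0.1` in its options.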

Page 28: Secure All The Things!

What? I don’t know how!

Page 29: Secure All The Things!

Getting help

Security is part of the cost of doing business, like insurance.

If you don’t know how to do all this, retain the services of someone who does.

Managed hosting:

Page.ly

WordPress.com

WP Engine

Zippykid

Page 30: Secure All The Things!

Security for Developers

Settings API, nonces, validation handlers

Data escaping functions: esc_*()

esc_html()

esc_attr()

esc_sql() (for building queries, prefer $wpdb->prepare())

esc_url() & esc_url_raw()

esc_js()

Page 31: Secure All The Things!

Now, SECURE ALL THE THINGS!

Page 32: Secure All The Things!

Thanks!

Dougal CampbellDougal Campbell@[email protected]