WHERE’S THE BEEF? Beefing Up Your WordPress Installation Tammy Valgardson – Senior Web Developer @tammalee

Beefy WordPress Security Wordcamp 2012 by Tammy Lee


DESCRIPTION

Originally presented at Wordcamp 2012 Edmonton by Tammy from Top Draw, "Beefy WordPress Security" describes potential threats to WordPress installations and what to do about them.

Page 1: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

WHERE’S THE BEEF?

Beefing Up Your WordPress Installation

Tammy Valgardson – Senior Web Developer

@tammalee

Page 2: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Introduction

Absolutely true! It will only take five minutes to download and install WordPress.

But then what?

Page 3: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Introduction

If you set up your blog and walk away, you leave yourself vulnerable to malicious activity!

Further Reading

WordPress Codex – Hardening WordPress

http://codex.wordpress.org/Hardening_WordPress

How To: Stop The Hacker By Hardening WordPress

http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html

Page 4: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What’s at Stake?

If you don’t follow password best practices your hacked WordPress account could lead to other compromised accounts!

Page 5: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What’s at Stake?

Shared hosting means more than just sharing a server.

If one site gets hacked there is a chance malware infecting one site can spread to others on the same shared hosting space!

Page 6: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What’s at Stake?

If your site is compromised, and hackers get their way, your site will now serve a nefarious purpose such as:

• Hijack links to other sections of your web site, such as ‘Contact’, and send visitors to an entirely different site.

• Compromise a shared hosting (soup kitchen) server and infect other web sites.

• Redirect visitors to a web site that will attempt to install malicious software.

• Phish for sensitive information.

• Display spam to your visitors that you can’t see.

Page 7: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What’s at Stake?

If your WordPress site is infected with malware it could be blacklisted by Google and other search engines!

[ Source: http://www.malware-info.com/mal_faq_inject.html ]

Page 8: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

THREATS EXPLAINED – BRUTE FORCE ATTACKS

a.k.a. When bored hackers with password cracking programs decide to cruise for fun on a Friday night.

Page 9: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What is a brute force attack?

[ Source: http://www.inmotionhosting.com/support/website/wordpress/wordpress-security-preventing-brute-force-attacks-on-admin-login ]

Page 10: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

How often do brute force attacks happen?

Brute force attacks happen all the time!

[ Source: http://freethegnu.wordpress.com/2010/09/22/yet-another-ssh-brute-force-attack-and-how-to-protect-against-it-with-iptables-and-sshguard/ ]

Peter Abraham over at DNI Dynamic Net, Inc. wrote on October 15, 2012: “If you asked me from September 2012 forward, the answer would change dramatically with WordPress Brute Force Attacks now exceeding 50% of all attacks being reported.”

[ Source: http://www.dynamicnet.net/2012/10/wordpress-brute-force-attacks/ ]

Page 11: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What’s the purpose of a brute force attack?

If your account has administrator permissions, an attacker who cracks it can do all sorts of ‘fun’ things to your site.

One of the most common reasons for a brute force attack is to inject malware into your files or database.

Page 12: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

THREATS EXPLAINED - MALWARE

Not Firefly-related.

Not that I’d mind Captain Malcolm Reynolds getting into my WordPress installation.

#fullfrontalnerdity

Page 13: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

What is Malware?

Malware is software designed to harvest sensitive information or gain access to computer systems. On a WordPress installation malware can be injected into your source code, database, .htaccess files etc.

Malware hijacks the purpose of visiting your site for its programmed agenda.

Who Creates Malware?

What sort of person creates malware?

• Young programmers with something to prove

• Older, more experienced, virus writers who write malware professionally

• ‘Researchers’ who create malware as proof of concept projects

Why?

Why do people create malware?

• Petty theft

• Cybercrime

• Support for spammers

• Distributed network attacks

• Stealing electronic currency

• ...and many more.

[Source: http://www.securelist.com/en/threats/detect?chapter=72 ]

Page 14: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Malware - Backdoors

“A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc…”

[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

Malware - Drive-by Downloads

“The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product...”

[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

Malware – Malicious Redirects

“When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.”

[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

Page 15: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Malware – Pharma Hacks

“Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re found to be distributing SPAM, you run the risk of being flagged by Google…”

[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

[ Source: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php ]

Page 16: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

How does malware infect WordPress?

Old and outdated plugins, themes, and WordPress installations may have holes in their security that can be exploited.

Malware is injected into a file or your database where it hijacks your visitors’ experience when they visit your web site. It's written using a Web 2.0 language, usually PHP, JavaScript, Ruby, Perl, etc. Because WordPress is so widely distributed and open-source there is not only an excellent chance there are outdated installations with security holes but the code of those installations is free for a hacker to study.

Third-party plugins and themes may have backdoors coded into them that allow access to hackers (e.g. the TimThumb hack).

[ Source: http://www.intechgrity.com/timthumb-vulerability-how-it-got-hacked-how-to-recover/# ]

Page 17: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

How do I know I’m infected?

• Formatting/theme is altered

• You run a plugin that tells you

• Links/text have been inserted at the bottom of the website

• Warning in search results

• Browsing the website with Google Chrome results in a warning

Plugins that help scan your site

Sucuri Sitecheck Malware Scanner

http://wordpress.org/extend/plugins/sucuri-scanner/

WordFence Security

http://wordpress.org/extend/plugins/wordfence/ (Multi-site support in beta!)

Page 18: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

How do I know I’m infected?

• Google Webmaster Tools messages [ www.google.com/webmasters/tools/ ]

• Google’s pretty good about notifying webmasters when it sees weird stuff going on.

Example:

Notice of Suspected Hacking on http://www.yourwebsite.com/

May 17, 2012

Dear owner or webmaster of http://www.yourwebsite.com/,

We are writing to let you know that some pages from http://www.yourwebsite.com/ will be labeled as potentially compromised in our search results. This is because some of your pages contain content which may harm the quality and relevance of our search results. It appears that these pages were created or modified by a third party, who may have hacked all or part of your site. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following are some example URLs which exhibit this behavior:

Page 19: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

How do I get rid of Malware?

If you have an infection, I highly recommend hiring Sucuri.net to clean it up for you. They specialize in removing malware infections and they’re quick, specialized, and inexpensive.

Scan your Web site for possible infections by using the free service below:

sitecheck.sucuri.net/scanner

You could hire a developer to comb through your infected code, database, and .htaccess files. However, most developers don’t specialize in malware removal and when you pay an hourly rate for that inexperience you may be better off hiring a specialist.

Page 20: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

PASSWORDS & ADMINISTRATIVE USERS

If you’re starting to fall asleep, wake up!

This is the most important section I’ll be talking about today.

Page 21: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Creating your Password

When creating a password, do NOT use:

• Your birthdate, wedding anniversary, or dates of birth of your children or spouse

• Your name, username, company name, names of your children or spouse

• Your SIN number

• Only numbers or only letters

• A short, easy to remember, password

• The word, ‘password’. No, not even ‘password01’ or ‘password2012’

• Words found in a dictionary of any language (BUT WAIT! We’ll talk about multi-word passwords very soon!)

Further Reading

Common passwords to avoid

http://www.labnol.org/internet/common-passwords-to-avoid/14136/

Avoiding Common Passwords

http://www.passworddragon.com/avoid-common-passwords

Page 22: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Creating your Password

When creating a password, do use:

• At least 10 characters

• A mix of numbers, upper and lower case letters, and special characters

• A password you have never used before

• A system or mnemonic

Password Generator: www.StrongPasswordGenerator.com

Go to Password Meter to test the strength of your new password - www.PasswordMeter.com

Brute Force calculator: https://www.grc.com/haystack.htm

Further Reading

Salting Passwords

http://www.onextrapixel.com/2011/11/02/wordpress-security-how-to-secure-wordpress-thoroughly/

Page 23: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Creating your Password – Multi-word combo passwords

[ Source: http://xkcd.com/936/ ]

Page 24: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Multi-word combo passwords

Multi-word combo passwords are more likely to be remembered but there are a few things to consider:

• The words must be random

• The words must not relate

• Throw in upper & lower cases

• Throw in numbers

• Throw in special characters

“Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,...”

[ Source: http://www.nettechblog.com/yes-your-passwords-suck-hints-on-creating-solid-passwords/ ]

Test your password out

https://www.grc.com/haystack.htm

My coworker came up with and tested:

Staple2Deers@dawn

And found it would take 1.34 billion trillion centuries to crack using brute force.

Further Reading

Which are more secure, multi-word passwords or passwords made using a combination of letters, numbers and symbols?

http://www.quora.com/Which-are-more-secure-multi-word-passwords-or-passwords-made-using-a-combination-of-letters-numbers-and-symbols
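The brute-force figure quoted on this slide can be reproduced with the shell function below, an added example that is not part of the original slides. It assumes a 95-character printable-ASCII alphabet (26 + 26 + 10 + 33 symbols) and an exhaustive search of every string up to the password's length; the function name and the guess rates passed to it are illustrative assumptions.

```shell
#!/bin/sh
# Added example: "haystack" arithmetic for an exhaustive brute-force search.
# Usage: centuries_to_crack PASSWORD GUESSES_PER_SECOND

centuries_to_crack() {
    # Pass values through the environment so awk does not interpret
    # backslashes in the password; LC_ALL=C keeps [a-z] ASCII-only.
    PW=$1 RATE=$2 LC_ALL=C awk 'BEGIN {
        pw = ENVIRON["PW"]
        rate = ENVIRON["RATE"] + 0

        # Alphabet size: add each character class the password draws from.
        n = 0
        if (pw ~ /[a-z]/) n += 26
        if (pw ~ /[A-Z]/) n += 26
        if (pw ~ /[0-9]/) n += 10
        if (pw ~ /[^a-zA-Z0-9]/) n += 33   # assumed count of ASCII symbols

        # Search space: every string of length 1..len over that alphabet.
        space = 0
        for (k = 1; k <= length(pw); k++) space += n ^ k

        # Worst-case time to try them all, expressed in centuries.
        seconds_per_century = 100 * 365.25 * 86400
        printf "%.2e\n", space / rate / seconds_per_century
    }'
}

# Run stand-alone: sh haystack.sh 'Staple2Deers@dawn' 1000
if [ $# -ge 1 ]; then
    centuries_to_crack "$1" "${2:-1000}"
fi
```

At 1,000 guesses per second the slide's password gives 1.34e+21 centuries, while a ten-character lowercase-plus-digits password at one hundred billion guesses per second falls in about ten hours. The figure only describes exhaustive search, which is why the words have to be random and unrelated: a wordlist attack does not enumerate characters.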

Page 25: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Remembering your Password

DO NOT store it in an obvious place!

• NOT on a sticky note on your monitor

• NOT in your daily planner

Use a Password Keeper

• www.keepass.info

• https://agilebits.com/OnePassword

• http://www.lastpass.com

Don’t Panic!

Password recovery is built into WordPress!

Page 26: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Password Recovery

Always keep your email up to date on your WordPress site!

Page 27: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Strong, Unique Passwords aren’t just for WordPress

The way you communicate with your web host should also be secure. You want strong passwords for:

• Your cPanel user

• Your FTP user (which you should make different from your cPanel user)

• Your MySQL database user

• Your PHPMyAdmin user

Every password should be different!

If you use a different password for every service you have accounts for, you minimize the amount of damage a hacker can do!

Use SFTP to move files to your hosting space

Try to use SFTP for your file transfers. SFTP stands for Secure File Transfer Protocol and it uses encrypted SSH transport for its operations.

http://filezilla-project.org/

Page 28: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Administration Users

If you have an administrator-level user named ‘Admin’ or ‘Administrator’ get rid of it!

Create a new administrator user

1. Log into WordPress as your current admin

2. Create a new user

3. Give it a name other than Admin or Administrator

4. Assign your new user an ‘administrator’ role

Remove your old administrator user

1. Log into WordPress as your new admin user

2. Go to Users and delete your old admin user

3. Or, set your old Admin user’s role to ‘subscriber’ and change the password to something ridiculously long and complex

Page 29: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Administration Users

You don’t need to write posts as an administrator! Keep your administrator user separate from your blog-writing user. Hackers can find your username from your posts.

If you go to Your Profile you can change what your name is displayed as. I recommend changing this from the default of your username to something else.

Clean up old admin accounts

If you’ve got old admin accounts sitting around – like ones that you’ve created for developers to work on your site with, remove them.

Not all of your users need to be administrators, either. If you have contributors to your site, test out various settings to see how much access they really need.

PASSWORD STRENGTH IS KEY!

The best security for your administration user is having a strong password.

Make sure you reset your admin passwords on a regular basis and make sure you haven't used that password elsewhere before!

Page 30: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

UPDATES & HOUSEKEEPING

If only my condo was as clean as my server.

Page 31: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Updates

The majority of hacked WordPress sites are not updated!

Updates include:

• Core WordPress files

• Themes

• Plugins

[ Source: WPbeginner.com ]

Outdated WordPress files, themes, and plugins can have holes in security that can be exploited by malware!

Page 32: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Challenges to Updating

Theme hasn’t been coded according to WP best guidelines and the site breaks if you upgrade.

Plug-in has been abandoned by the developer and you’re afraid to update your core files or you continue using the plugin years after it’s been abandoned.

You’re afraid to update because you’re not very web-savvy.

Recommended Reading

Abandoned Plugin Suggestion

Matt Jones (http://pluginchief.com/) suggests a plugin adoption program:

http://digwp.com/2012/10/abandoned-plugin-adoption-program/

WordPress Codex: Updating WordPress

http://codex.wordpress.org/Updating_WordPress

Page 33: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Backing up before updating

Using an SFTP program (filezilla-project.org), back up all your web files to your computer.

Use PHPMyAdmin or cPanel to back your database up.

Never leave .sql or other database backup files on your server!

Update Now!

WordPress Codex: WordPress Backups

http://codex.wordpress.org/WordPress_Backups

http://vaultpress.com/

It’s not free but it’s highly recommended.

Page 34: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Safety First! Safe themes and plugins

Curtis McHale, who spoke at WordCamp Edmonton 2011 (you can view his slide show here: http://www.slideshare.net/curtismchale), is part of a team that checks themes submitted to the WordPress.org repository to make sure they are secure and well-formed.

If you are interested in joining the WordPress Theme Review Team: http://make.wordpress.org/themes/about/how-to-join-wptrt/ This page has a list of useful plugins that they use to examine a theme and may be useful for anyone developing their own theme.

http://www.woothemes.com/

Has a good reputation for paid themes.

http://wordpress.org/extend/themes/

Themes are vetted by teams of volunteers and are free.

Nothing is 100% un-hackable!

Page 35: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Housekeeping

Don't leave files on your server that may give hackers information about your site or old code that may be exploitable:

• .sql backups

• readme files

• inactive plugins and themes

• Phpinfo.php

Further Reading

http://resources.infosecinstitute.com/hardening-wordpress/

http://wiki.dreamhost.com/Harden_WordPress

How to: Stop the Hacker by Hardening WP

http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html

Removing WordPress Version

Altering your functions.php file:

http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/

Page 36: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

WP Security Scan

Use a plugin to change your database prefix

Also this plugin can help you change your database prefix:

http://wordpress.org/extend/plugins/wp-security-scan/

I use this plugin to scan my site on a regular basis.

Manually change your database prefix

Change your database prefix

http://digwp.com/2010/10/change-database-prefix/

If you are setting up a new WordPress site the option is there to change your database prefix when you first set it up.

Page 37: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

The scary world of CHMOD

Check permissions of upload, upgrade, and backup directories

WordPress Codex – Changing File Permissions:

http://codex.wordpress.org/Changing_File_Permissions
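The Housekeeping list and the permission check above can be run as one pass over the document root. The script below is an added example, not part of the original slides; the `backups` directory name, the file patterns and the function names are assumptions to adjust for your own site.

```shell
#!/bin/sh
# Added example: list leftover files and loose permissions under a
# WordPress document root. Usage: sh audit_wp.sh /path/to/docroot
# (the script name is hypothetical).

# Prefix every path read on stdin with a finding category.
tag() {
    while IFS= read -r p; do
        printf '%s\t%s\n' "$1" "$p"
    done
}

# audit_wp DOCROOT: print one "CATEGORY<TAB>path" line per finding.
audit_wp() {
    root=$1

    # Database dumps left in the web root can be downloaded by anyone.
    find "$root" -type f \( -iname '*.sql' -o -iname '*.sql.gz' \) | tag DB_BACKUP

    # readme files reveal which core and plugin versions are installed.
    find "$root" -type f -iname 'readme.*' | tag README

    # phpinfo() pages reveal paths, modules and configuration.
    find "$root" -type f -iname 'phpinfo.php' | tag PHPINFO

    # World-writable entries in the upload, upgrade and backup directories
    # ("backups" is an assumed name; plugins choose their own).
    for dir in uploads upgrade backups; do
        [ -d "$root/wp-content/$dir" ] || continue
        find "$root/wp-content/$dir" ! -type l -perm -0002 | tag WORLD_WRITABLE
    done
}

if [ $# -gt 0 ]; then
    audit_wp "$1"
fi
```

Inactive plugins and themes are recorded in the database, so they are not covered here; review them from the WordPress admin screens.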

Equally scary .htaccess!

.htaccess is a powerful file when used correctly! You can use it to:

• secure wp-config.php

• set up admin access from your IP only

• ban bad users

• stop directory browsing

• prevent access to /wp-content/

• protect your .htaccess file!

Protect Your WordPress Site with .htaccess

http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess

Securing directories with .htaccess: http://digwp.com/2012/09/secure-media-uploads/

How to Password Protect your WP Admin

http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

If you change your permalink structure any customization on your .htaccess file may be overwritten!
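The overwrite warning applies to the section between the `# BEGIN WordPress` and `# END WordPress` markers, which WordPress regenerates when permalink settings are saved. The script below is an added example, not part of the original slides, that installs three of the listed protections outside that section; it assumes Apache 2.4 `Require` syntax and a host that allows these overrides, and the function name and `site-hardening` marker are hypothetical.

```shell
#!/bin/sh
# Added example: put hardening rules in .htaccess OUTSIDE the block that
# WordPress manages, so a permalink change does not remove them.
# On Apache 2.2 replace "Require all denied" with
# "Order allow,deny" followed by "Deny from all".

harden_htaccess() {
    file=$1
    [ -f "$file" ] || : > "$file"

    # Idempotent: do nothing if our own marker is already present.
    if grep -q '^# BEGIN site-hardening' "$file"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    {
        cat <<'EOF'
# BEGIN site-hardening
# Stop directory browsing
Options -Indexes
# Block web access to wp-config.php
<Files "wp-config.php">
    Require all denied
</Files>
# Protect .htaccess and .htpasswd themselves
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# END site-hardening

EOF
        # Existing content, including the WordPress block, follows unchanged.
        cat "$file"
    } > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Run stand-alone: sh harden_htaccess.sh /path/to/docroot/.htaccess
if [ $# -gt 0 ]; then
    harden_htaccess "$1"
fi
```

Keep a copy of the original file before running it, and request a page afterwards: a directive the host does not permit in .htaccess produces a 500 error for the whole site.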

Page 38: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Hosting

When it comes to hosting, you get what you pay for. $5/month hosting is cheap but it’s not terribly secure. You take your chances with shared hosting.

How to identify a good WordPress host?

A good WordPress host will mention what steps they take to provide you with a secure hosting environment or how they cater specifically to WordPress installations.

Sadly, many bloggers are paid to shill for hosting companies so you have to do your due diligence when it comes to picking a host.

Good Hosts (caveat emptor)

Recommended on WordPress.org

Bluehost: http://www.bluehost.com/

DreamHost: http://www.dreamhost.com/

Laughing Squid: http://laughingsquid.us/

Recommended by WooThemes

WPEngine: http://wpengine.com/

Examples of good hosts

Hardening WordPress on Dreamhost

http://wiki.dreamhost.com/Harden_WordPress

WP Engine’s list of disallowed plugins

http://support.wpengine.com/disallowed-plugins/

Page 39: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Plugins

Plugins are not the be all and end all when it comes to security.

That being said, here are some plugins you may find useful. Don’t use them all at once!

Malware Scanning / Blocking

Sucuri Sitecheck Malware Scanner

http://wordpress.org/extend/plugins/sucuri-scanner/

Block Bad Queries:

http://wordpress.org/extend/plugins/block-bad-queries/

Brute Force Blocking

User Locker:

http://wordpress.org/extend/plugins/user-locker/

Limit Login Attempts:

http://wordpress.org/extend/plugins/limit-login-attempts/

General Security

Wordfence Security:

http://wordpress.org/extend/plugins/wordfence/

WP Security Scan:

http://wordpress.org/extend/plugins/wp-security-scan/

Page 40: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

In Conclusion

There are many more tips and tricks than what I’ve covered here but I’m trying to keep things simple.

Try as you might your security will never be perfect but the good news is you can easily make yourself less of a target by taking a few, simple, security precautions.

Knowing how to protect yourself is the first step towards a safe, secure WordPress site.

(The second step is to actually implement some of this advice.)

Recommended Reading

http://my.safaribooksonline.com/book/-/9781849512107

http://blog.sucuri.net/category/wordpress

http://codex.wordpress.org/Hardening_WordPress

http://blogvault.net/wordpress-security-1-securing-wp-config-php/

http://www.copyblogger.com/wordpress-website-security/

http://www.wpsecuritylock.com/dreamhost-one-click-wordpress-installed-timthumb-vulnerability-and-security-risks/

http://www.instantfundas.com/2011/12/quick-guide-to-secure-wordpress-setup.html

Page 41: Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Credits:

Cow hide photo in title graphic by Sherrie Thai of ShaireProductions

http://www.flickr.com/photos/shaireproductions/3766840922/

Bashful Cow purchased from istockphoto.com

“Let’s have fun” scary graphic purchased from istockphoto.com

Herd Infection photo purchased from istockphoto.com

Social Media icons from respective social media web sites

‘Common passwords to avoid’ poster

http://www.etsy.com/listing/52531459/500-worst-passwords-poster-fold-down

Special thanks to:

Adriel Michaud @ TopDraw.com for his input

Sarah Sinfield @ KickPoint.ca for encouraging me

Curtis McHale @ CurtisMcHale.com for inspiring me

My partner who makes sure my fuzzy blanket supply never runs out

Page 42: Beefy WordPress Security Wordcamp 2012 by Tammy Lee