
WordPress Security Best Practices


A comprehensive round up of all the best security methods you can use to keep your WordPress website secure from hackers.

Page 1: WordPress Security Best Practices
Page 2: WordPress Security Best Practices

There is always a current threat

The worst type of threats are those you don’t know about

So be prepared!

You need to understand your weaknesses

You need to build a solid defence

You need to have a plan of attack

The Art of War - Sun Tzu ~512BC

Page 3: WordPress Security Best Practices
Page 4: WordPress Security Best Practices

Locked away in a deep dark basement

No internet connection

No user interaction

= Pretty useless website

= There is a balance to be had

Page 5: WordPress Security Best Practices

Everything is hackable

The best we can do is make our site less attractive than others to hack into.

Would you attempt to break into this car?

Page 6: WordPress Security Best Practices

The most vulnerable part of your website is…

YOU

Read this book!

Page 7: WordPress Security Best Practices

Not just WordPress

cPanel, email, FTP, SSH, MySQL, WordPress

Avoid typical “Administrator” usernames

admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …

Page 8: WordPress Security Best Practices

No personal information such as DoB

e.g. bob1976

No football clubs, car registration numbers, pet or family names

Use a random 16 (at least) character password

UPPER, lower, digits, punctuation

e.g. b9G#Z4YVemTN^X6S

Page 9: WordPress Security Best Practices

Random character passwords

= difficult for you to remember

= difficult for hackers to guess

Use a password service such as LastPass

Local 256-bit encryption, SSL data transfer

https://lastpass.com

Page 10: WordPress Security Best Practices

Consider forcing users to have a strong password

Force Strong Passwords plugin.

http://wordpress.org/plugins/force-strong-passwords/

Coming soon to WordPress 3.7 or 3.8

Page 11: WordPress Security Best Practices

Only allow one login per device.

Restrict logins under same username on multiple devices (i.e. username/pass sharing)

WordPress Bouncer plugin

http://wordpress.org/plugins/wp-bouncer/

Page 12: WordPress Security Best Practices

Understanding UNIX file permissions is key

Page 13: WordPress Security Best Practices

In general…

WordPress folders/directories = 755

WordPress files = 644

Some hosting companies may recommend you set /wp-content/uploads to 777

Move to another hosting company!

Page 14: WordPress Security Best Practices

Probably your three most important sys files are:

.htaccess = permalinks, etc

php.ini = PHP settings

wp-config.php = WordPress DB username & pass

These should be locked down to CHMOD 444 (read-only)
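The two permission rules on this slide and the previous one (755 for directories, 644 for files, 444 for .htaccess, php.ini and wp-config.php, and never 777 on uploads) can be checked in one pass. The script below is an added example, not code from the deck: it audits a WordPress tree with `find` and reports each deviation, and builds a constructed sample tree (hypothetical paths) so it can run on its own.

```sh
#!/bin/sh
# Added example, not part of the original deck: audit a WordPress tree against
# the 755 (directories) / 644 (files) rule, the 444 rule for .htaccess, php.ini
# and wp-config.php, and flag anything world-writable (the "777 uploads" case).
# The sample tree built below is constructed for the demo; paths are hypothetical.

# Print one "category: path" line per deviation. Usage: wp_perm_audit /path/to/wp
wp_perm_audit() {
    root="$1"
    # Anything world-writable is reported first and excluded from the later passes
    find "$root" -perm -0002 -print | sed 's/^/world-writable: /'
    find "$root" -type d ! -perm 755 ! -perm -0002 -print | sed 's/^/dir-not-755: /'
    find "$root" -type f ! -perm 644 ! -perm -0002 \
        ! -name wp-config.php ! -name .htaccess ! -name php.ini -print \
        | sed 's/^/file-not-644: /'
    # The three sensitive files get the stricter 444 check when present
    for f in wp-config.php .htaccess php.ini; do
        [ -f "$root/$f" ] || continue
        find "$root/$f" ! -perm 444 -print | sed 's/^/sensitive-not-444: /'
    done
}

# Constructed sample tree with one of each problem the deck warns about
make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    : > "$root/index.php"; : > "$root/.htaccess"
    : > "$root/wp-config.php"; : > "$root/wp-admin/admin.php"
    chmod 755 "$root" "$root/wp-content" "$root/wp-admin"
    chmod 777 "$root/wp-content/uploads"              # the bad hosting-company advice
    chmod 644 "$root/index.php" "$root/wp-config.php" # wp-config.php should be 444
    chmod 444 "$root/.htaccess"
    chmod 664 "$root/wp-admin/admin.php"              # group-writable file
}

# Stand-alone demo: expect three findings (uploads, admin.php, wp-config.php)
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
wp_perm_audit "$demo_root"
rm -rf "$demo_root"
```

Run `wp_perm_audit /var/www/html` (or wherever WordPress lives) and fix whatever it lists with `chmod`; an empty output means the tree matches the slide's rules.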

Page 15: WordPress Security Best Practices

Malware can be hidden in Themes, Plugins & other server scripts

Sucuri detects and cleans malware on servers

De-blacklists your server/site

Notify by SMS, Email, Private Twitter etc

http://sucuri.net/ USD $89.99 /site /year

Page 16: WordPress Security Best Practices

Update WordPress Core, Themes and Plugins regularly = at least weekly

ManageWP service good for multiple sites https://managewp.com

Page 17: WordPress Security Best Practices

Automatic Updates are coming to WordPress soon (prob 3.7 or 3.8).

Get it now = “Automatic Updater” plugin http://wordpress.org/plugins/automatic-updater/

Choose to update Core, Themes and/or plugins

Page 18: WordPress Security Best Practices

Especially “free” themes and torrents

Very common to “insert” links into footer areas

Code can read your wp-config.php file and email/send it elsewhere = you’re screwed

Don’t use themes or plugins from Torrent sites!

Always try to download from original source

Read: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Page 19: WordPress Security Best Practices

Search through files for:

base64_decode, its reversed form edoced_46esab (used to dodge simple searches), and eval

Decode at: http://www.base64decode.org/

Use Theme Authenticity Checker http://wordpress.org/plugins/tac/

Exploit Scanner http://wordpress.org/plugins/exploit-scanner/

Page 20: WordPress Security Best Practices

Not all base64_decode() calls are evil

WordPress uses the function extensively throughout the core.

Should be easy to decode and work out if good or bad in plugins or themes.
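Slides 19 and 20 together describe a workflow: search theme and plugin files for base64_decode, edoced_46esab and eval, then decode what base64_decode() is being given to decide whether the call is benign. The script below is an added example, not the deck's code: it runs that search over a directory and decodes every base64 literal passed to base64_decode(), using a constructed sample theme with an injected footer link so it can run offline.

```sh
#!/bin/sh
# Added example, not part of the original deck: grep a theme or plugin tree for
# the three markers the deck names (base64_decode, its reversed form
# edoced_46esab, and eval) and decode whatever base64_decode() is being fed,
# so each hit can be judged benign or malicious. The sample theme is constructed.

# Usage: wp_scan_obfuscation /path/to/theme-or-plugin -> "file:line:text" per hit
wp_scan_obfuscation() {
    # /dev/null forces the filename prefix even when only one file is scanned;
    # the eval pattern requires a non-identifier character before it so that
    # words like "retrieval(" are not reported
    find "$1" -type f -name '*.php' -exec grep -niE \
        '(base64_decode|edoced_46esab|(^|[^A-Za-z0-9_])eval[[:space:]]*\()' /dev/null {} +
}

# Usage: wp_decode_b64_args FILE -> decoded payload of every base64_decode('...') literal
wp_decode_b64_args() {
    grep -ohiE "base64_decode\(['\"][A-Za-z0-9+/=]+['\"]\)" "$1" |
    sed -E "s/^[^(]*\(['\"]//; s/['\"]\)$//" |
    while read -r b; do
        printf '%s' "$b" | base64 -d
        printf '\n'
    done
}

# Constructed sample: a clean header and a footer carrying the injected-link
# payload the deck describes, packed the way dodgy "free" themes do it
make_sample_theme() {
    payload='echo "<a href=\"http://spam.example/\">cheap stuff</a>";'
    enc=$(printf '%s' "$payload" | base64 | tr -d '\n')
    mkdir -p "$1"
    printf '%s\n' '<?php /* image retrieval() helper lives elsewhere */ wp_head(); ?>' > "$1/header.php"
    cat > "$1/footer.php" <<EOF
</div>
<?php eval(base64_decode('$enc')); ?>
</body></html>
EOF
}

# Stand-alone demo: one hit in footer.php, then the decoded link-injection payload
demo_dir=$(mktemp -d)
make_sample_theme "$demo_dir/free-theme"
wp_scan_obfuscation "$demo_dir"
wp_decode_b64_args "$demo_dir/free-theme/footer.php"
rm -rf "$demo_dir"
```

Point `wp_scan_obfuscation` at wp-content/themes or wp-content/plugins, then run `wp_decode_b64_args` on each file it names; core WordPress and some legitimate plugins use base64_decode too, so the decoded text, not the bare hit, is what decides.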

Page 21: WordPress Security Best Practices

TimThumb: a popular image/thumbnail resizing script

Bundled in many themes and plugins

Responsible for many WordPress security breaches

“The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.”

Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

Page 22: WordPress Security Best Practices

The script's known exploits were “fixed”, however old versions still lurk out there.

Search for TimThumb and check you are using the correct version.

https://code.google.com/p/timthumb/

Version 2.8.11 as of this slide
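Because TimThumb is bundled inside themes and plugins, often renamed (thumb.php is common), "search for TimThumb and check the version" is easiest as a content search. The script below is an added example, not the deck's code: it finds every file mentioning TimThumb, reads the VERSION constant TimThumb 2.x defines near the top of the file, and compares it with 2.8.11, the release the slide names. The sample files are constructed.

```sh
#!/bin/sh
# Added example, not part of the original deck: inventory every copy of
# TimThumb under a WordPress tree and compare its VERSION constant with the
# release the deck names (2.8.11). The search is by content because real copies
# are often renamed. The sample files below are constructed.
TIMTHUMB_CURRENT=2.8.11

# Print OUTDATED / current / newer / unknown for a dotted version string
timthumb_status() {
    [ "$1" = unknown ] && { echo unknown; return; }
    printf '%s\n%s\n' "$1" "$TIMTHUMB_CURRENT" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] < b[i]) { print "OUTDATED"; exit }
                if (a[i] > b[i]) { print "newer"; exit }
            }
            print "current"
        }'
}

# Usage: wp_timthumb_inventory /path/to/wp -> "path version status" per copy found
wp_timthumb_inventory() {
    find "$1" -type f -name '*.php' -exec grep -qi 'timthumb' {} \; -print |
    while read -r f; do
        # TimThumb 2.x declares its version as: define ('VERSION', '2.8.11');
        v=$(sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'([0-9.]+)'.*/\1/p" "$f" | head -n 1)
        [ -n "$v" ] || v=unknown
        printf '%s %s %s\n' "$f" "$v" "$(timthumb_status "$v")"
    done
}

# Constructed sample: an old renamed copy in a theme, a current copy in a
# plugin, and an unrelated file that must not be reported
make_sample_wp_tree() {
    mkdir -p "$1/themes/old-theme/lib" "$1/plugins/gallery" "$1/themes/clean"
    printf '%s\n' '<?php' '/* TimThumb script - image resizer */' \
        "define ('VERSION', '2.8.4');" > "$1/themes/old-theme/lib/timthumb.php"
    printf '%s\n' '<?php' '/* bundled timthumb copy */' \
        "define ('VERSION', '2.8.11');" > "$1/plugins/gallery/thumb.php"
    printf '%s\n' '<?php add_theme_support("post-thumbnails");' > "$1/themes/clean/functions.php"
}

# Stand-alone demo
demo_root=$(mktemp -d)
make_sample_wp_tree "$demo_root"
wp_timthumb_inventory "$demo_root"
rm -rf "$demo_root"
```

Anything reported as OUTDATED or unknown is a candidate for replacement; the next slide's advice to drop TimThumb-based themes altogether applies even to copies reported as current.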

Page 23: WordPress Security Best Practices

The nature of TimThumb still makes it potentially very dangerous to have on your site.

Consider alternative themes or plugins.

Read this: http://www.limecanvas.com/timthumb-is-evil/

Page 24: WordPress Security Best Practices

An SSL certificate won't make your site “secure” from hacks

It will encrypt the data transmitted between the browser and the server

More on SSL certificates at http://www.symantec.com/en/au/ssl-certificates

Page 25: WordPress Security Best Practices

If you have an SSL certificate...

Force all Dashboard and Logins to use HTTPS

In wp-config.php

define('FORCE_SSL_ADMIN', true);

define('FORCE_SSL_LOGIN', true);

Page 26: WordPress Security Best Practices

A security plugin gives an additional level of security.

WordFence plugin is recommended: http://www.wordfence.com/

Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*

*premium functions

Page 27: WordPress Security Best Practices

Brute force attacks repeatedly guess username and password combinations.

Block the IP address after X failed login attempts within a set period.

Limit Login Attempts plugin http://wordpress.org/plugins/limit-login-attempts/
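A login limiter plugin blocks at the application layer; the same burst pattern is visible in the web server's access log, which is useful for confirming an attack after the fact or alerting on sites without the plugin. The script below is an added example, not the deck's code: an awk pass over combined-format access log lines that counts wp-login.php POSTs per source IP per minute and prints every IP/minute bucket that reaches the threshold. The log lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the original deck: spot brute-force login bursts in
# an Apache/Nginx combined-format access log. A failed wp-login.php POST is
# answered with 200 (the form is re-rendered) and a successful one with a 302
# redirect, so only 200 responses are counted. The log lines are constructed.

# Usage: wp_login_flood ACCESS_LOG THRESHOLD -> "ip HH:MM count" per offending bucket
wp_login_flood() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" {
            split($4, t, ":")            # $4 is [10/Oct/2013:13:55:36
            key = $1 " " t[2] ":" t[3]   # one bucket per source IP per minute
            n[key]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }
    ' "$1"
}

# Constructed sample: one address hammering the login form, one normal user
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2013:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:14:03:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demo with the deck's "X attempts within a period" set to 5 per minute
demo_log=$(mktemp)
write_sample_log "$demo_log"
wp_login_flood "$demo_log" 5
rm -f "$demo_log"
```

Feed it the real access log (`wp_login_flood /var/log/apache2/access.log 5`) to see which addresses are being rate-limited, or which ones should be if no limiter plugin is installed.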

Page 28: WordPress Security Best Practices

Don't give the hackers a helping hand

Remove that info! (login error messages reveal whether the username or the password was wrong)

Add this to functions.php:

add_filter('login_errors', '__return_null');

Page 29: WordPress Security Best Practices

There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly).

Back up to email http://wordpress.org/plugins/wponlinebackup/

Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/

Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/

Backup Buddy http://ithemes.com/purchase/backupbuddy/

VaultPress http://vaultpress.com/

Set your retention frequency. Can you restore from an issue that’s been happening for 2 months?

Check your backup files – do a test restore!

Page 30: WordPress Security Best Practices
Page 31: WordPress Security Best Practices

Use another device to generate an authentication code, e.g. a mobile phone app

Verification code + login = 2 factor auth

Google Authenticator http://wordpress.org/plugins/google-authenticator/

Page 32: WordPress Security Best Practices

Is two factor authentication not enough for you?

Biometric authentication uses part of our own body as the second verification part.

This is going to be the normal way of authenticating with systems in the not so distant future.

Page 33: WordPress Security Best Practices

VoxedIn is a Smartphone app that lets you log in to your WordPress site using voice biometrics. http://wordpress.org/plugins/voxedin/

Page 34: WordPress Security Best Practices

Move the wp-content folder to a new location.

Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */

define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');

define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');

Warning: badly developed plugins and themes may have hard-coded the wp-content location.

Page 35: WordPress Security Best Practices

Use .htaccess to protect your wp-config.php file:

<files wp-config.php>
order allow,deny
deny from all
</files>

Nobody can fetch wp-config.php over the web now; only the web server process itself still reads it.

Page 36: WordPress Security Best Practices

Use .htaccess to stop SQL Injection attacks:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Any request whose query string contains a <script> tag, or tries to set the GLOBALS or _REQUEST variables, gets blocked with a 403.

Page 37: WordPress Security Best Practices

Many hosts allow directories to be browsed.

Use .htaccess to stop directory browsing:

Options -Indexes

Page 38: WordPress Security Best Practices

Password protect wp-admin folder using cPanel and .htaccess + .htpasswd

http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

Page 39: WordPress Security Best Practices

Remove the WordPress dashboard editor for themes and plugins

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Page 40: WordPress Security Best Practices

Default MySQL DB table prefix is wp_

Change before installing new WordPress sites.

Add to wp-config.php:

$table_prefix = 'mynewprefix_';

Existing websites – use WP Security Scan http://wordpress.org/plugins/wp-security-scan/

Page 42: WordPress Security Best Practices

Using .htaccess:

RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]

Now login to your site using:

http://www.mywebsite.com/login

Page 43: WordPress Security Best Practices

Add to wp-config.php:

define('WP_ADMIN_DIR', 'secret-folder');
define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);

Add to functions.php:

add_filter('site_url', 'lc_wpadmin_filter', 10, 3);

// Rewrite the first "wp-admin" in any generated site URL to the secret folder name
function lc_wpadmin_filter( $url, $path, $orig_scheme ) {
    $old = array( "/(wp-admin)/" );
    $admin_dir = WP_ADMIN_DIR;
    $new = array( $admin_dir );
    return preg_replace( $old, $new, $url, 1 );
}

Page 44: WordPress Security Best Practices

Add to .htaccess:

RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]

Now login to your site using:

http://www.mysite.com/secret-folder/

Page 45: WordPress Security Best Practices

Denial of service attacks, known as DoS or DDoS (distributed)

There is nothing YOU* can do to pre-emptively stop DoS attacks.

Contact your host company

*Unless you own your own data centre

Page 46: WordPress Security Best Practices


Page 47: WordPress Security Best Practices