WordPress Security from WordCamp NYC 2012


DESCRIPTION

My WordPress Security presentation from WordCamp NYC 2012

Text of WordPress Security from WordCamp NYC 2012

1. WORDPRESS SECURITY by Brad Williams (@williamsba)

2. WHO IS BRAD? Brad Williams: Co-Founder, WebDevStudios.com; Co-Author, Professional WordPress and Professional WordPress Plugin Development; Co-Organizer, WordCamp Philly; Co-Host, WP Late Night.

3. HAPPY BIRTHDAY TO BRAD ...and it's my birthday today!

4. TODAY'S TOPICS: Security Stats; Example Hack; Top Security Tips; Recommended Plugins & Services; Resources.

5. SECURITY STATS FOR WORDPRESS

6. SECURITY STATS

7. SECURITY STATS: Websites
- 700+ million websites as of May 2012 (Netcraft)
- 300 million websites in 2011 (Pingdom)
- 10+ billion indexed pages (WorldWebSize)
- Projected: 1 billion websites by 2013, 2 billion websites by 2015
[Chart: number of websites, in millions, by year: 2011, 2012, 2013, 2015]

8. SECURITY STATS: WordPress Stats
- 73+ million WordPress-powered websites
- 16% of all websites are running WordPress
- 22 out of every 100 new domains in the U.S. launch with WordPress
- Projected 300-500 million WordPress sites by 2015

9. SECURITY STATS: Web Malware Stats
- 403 million unique variants of malware in 2011 (Symantec)
- 140% growth since 2010
- 81% increase in malicious web-based attacks between 2010 and 2011

10. SECURITY STATS: In Summary: Be Scared!

11. HACK EXAMPLE: Link Injection. Hacker bots look for known exploits (SQL injection, weak folder permissions, etc.). This allows them to insert spam files and links into your WordPress themes, plugins, and core files.

12. HACK EXAMPLE: Link Injection. The hosting account contained two separate websites: a WordPress install and a WordPress Multisite install.

13. HACK EXAMPLE: Link Injection. A hacker bot dropped a malicious file on the WP Multisite install.
14. HACK EXAMPLE: Link Injection. The WordPress Multisite install then starts hacking the WordPress install, inserting spam links into the theme, plugins, and core files.

15. HACK EXAMPLE: Link Injection. The WP Multisite install contains no spam links itself; it acts as a carrier to spread the contamination. Cleaning up the WordPress website only resulted in more spam links a few days later.

17. HACK EXAMPLE: Link Injection. 375 spam links per page, shown only to search engines.

18. Scared Yet?

19. TOP SECURITY TIPS FOR WORDPRESS. That's it! Good luck!

20. TOP SECURITY TIPS FOR WORDPRESS: Securing WordPress

21. TOP SECURITY TIPS FOR WORDPRESS. 1. Update, Update, Update. Keep WordPress updated! Minor WordPress versions (e.g. 3.3.x) do NOT add new features; they contain bug fixes and security patches.

22. TOP SECURITY TIPS FOR WORDPRESS. 1. Update, Update, Update. Update those plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version.

23. TOP SECURITY TIPS FOR WORDPRESS. 1. Update, Update, Update. NO EXCUSES! UPDATE!

24. TOP SECURITY TIPS FOR WORDPRESS. 2. Use Secret Keys. Some secrets should remain secrets.

25. TOP SECURITY TIPS FOR WORDPRESS. 2. Use Secret Keys. A secret key is a hashing salt: a random value that WordPress mixes into the hashes it uses to sign login cookies and nonces, so those hashes cannot be forged by someone who only knows the default placeholder values. 1.
Edit wp-config.php

BEFORE:
    define('AUTH_KEY',         'put your unique phrase here');
    define('SECURE_AUTH_KEY',  'put your unique phrase here');
    define('LOGGED_IN_KEY',    'put your unique phrase here');
    define('NONCE_KEY',        'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');

AFTER:
    define('AUTH_KEY',         '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
    define('SECURE_AUTH_KEY',  'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
    define('LOGGED_IN_KEY',    'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
    define('NONCE_KEY',        'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!JO/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
    define('SECURE_AUTH_SALT', '3s1|cIj d7y
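The link-injection example (slides 11 to 17) describes spam links that are served only to search engines, so the site looks clean in a browser. The check a practitioner wants is to fetch the same page twice, once with a browser User-Agent and once claiming to be Googlebot, and diff the links. The script below is an added example written for this page, not code from the talk or from WordPress; the two HTML documents in it are constructed samples standing in for the browser view and the crawler view of one page, and fetch_as() is the helper you would point at a live site (it is not exercised offline).

```python
"""
Detect cloaked (search-engine-only) spam links by comparing the page a
browser receives with the page a crawler User-Agent receives.

Added example; BROWSER_HTML and BOT_HTML are constructed samples.
"""
import re
import urllib.request
from html.parser import HTMLParser

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0 Safari/537.1"

# Inline styles commonly used to keep injected links out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em|%)?(?:\s*;|\s*$)",
    re.I,
)


class LinkCollector(HTMLParser):
    """Collect every <a href> together with a flag: is it inside a hidden element?"""

    def __init__(self):
        super().__init__()
        self.links = []         # list of (href, hidden)
        self._hidden_depth = 0  # > 0 while inside at least one hidden container
        self._stack = []        # (tag, opened_as_hidden) for open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if hidden:
            self._hidden_depth += 1
        self._stack.append((tag, hidden))
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop to the matching open tag; unclosed void tags (<br>) are discarded on the way.
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def collect_links(html):
    p = LinkCollector()
    p.feed(html)
    p.close()
    return p.links


def cloaking_report(browser_html, bot_html):
    """Links the crawler sees but the browser does not, plus links hidden by CSS."""
    browser = {h for h, _ in collect_links(browser_html)}
    bot = collect_links(bot_html)
    bot_hrefs = {h for h, _ in bot}
    bot_only = sorted(bot_hrefs - browser)
    hidden = sorted({h for h, hid in bot if hid})
    return {
        "browser_links": len(browser),
        "bot_links": len(bot_hrefs),
        "bot_only": bot_only,
        "hidden": hidden,
        "suspicious": bool(bot_only or hidden),
    }


def fetch_as(url, user_agent, timeout=10):
    """Fetch url with a chosen User-Agent (for a live site; not run offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed samples: the same post as a browser sees it and as "Googlebot" sees it.
BROWSER_HTML = """<html><body>
<p>Welcome to my blog. <a href="/about">About</a> <a href="/contact">Contact</a></p>
</body></html>"""

BOT_HTML = """<html><body>
<p>Welcome to my blog. <a href="/about">About</a> <a href="/contact">Contact</a></p>
<div style="display:none">
<a href="http://example.invalid/cheap-pills">cheap pills</a>
<a href="http://example.invalid/casino">online casino</a>
</div>
</body></html>"""

if __name__ == "__main__":
    print(cloaking_report(BROWSER_HTML, BOT_HTML))
    # Live check (URL is whatever site you are auditing):
    # url = "https://example.invalid/"
    # print(cloaking_report(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA)))
```

Run the live comparison against both sites in a shared hosting account, not just the one showing symptoms: in the talk's example the Multisite install served no spam itself but kept re-infecting its neighbour, so a clean report from one site says nothing about the other.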
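Tip 2 says to replace the placeholder secret keys in wp-config.php. The slide shows five of the defines; the script below, an added example written for this page rather than code from the talk or from WordPress, goes a little further and handles all eight constants WordPress defines (the four keys and their four salts). It flags any that are missing, still set to the placeholder, shorter than 32 characters, or reused between constants, and rewrites them with fresh values drawn from the same character set WordPress's own wp_generate_password(64, true, true) uses. The wp-config.php fragments in it are constructed samples.

```python
"""
Audit and rotate the WordPress secret keys and salts in wp-config.php.

Added example; SAMPLE_CONFIG is a constructed wp-config.php fragment.
"""
import re
import secrets

KEY_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
# Alphanumerics plus the two special-character groups WordPress adds;
# contains neither a single quote nor a backslash, so values drop straight into PHP source.
KEY_CHARS = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
             "!@#$%^&*()" "-_ []{}<>~`+=,.;:/?|")

DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)\s*;")


def generate_key(length=64):
    """CSPRNG-backed key over the WordPress salt character set."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def parse_keys(config_text):
    """Return {constant: value} for whichever of the eight defines are present."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text)
            if m.group("name") in KEY_CONSTANTS}


def weak_keys(config_text):
    """Constants that are missing, still the placeholder, too short, or reused."""
    found = parse_keys(config_text)
    weak, used = [], set()
    for name in KEY_CONSTANTS:
        value = found.get(name)
        if value is None or value == PLACEHOLDER or len(value) < 32 or value in used:
            weak.append(name)
        if value is not None:
            used.add(value)
    return weak


def rotate_keys(config_text):
    """Rewrite every secret-key define with a fresh value; append any that are missing."""
    new_values = {name: generate_key() for name in KEY_CONSTANTS}
    present = set()

    def repl(m):
        name = m.group("name")
        if name not in KEY_CONSTANTS:
            return m.group(0)  # leave DB_NAME and friends untouched
        present.add(name)
        return "define('%s', '%s');" % (name, new_values[name])

    out = DEFINE_RE.sub(repl, config_text)
    missing = [n for n in KEY_CONSTANTS if n not in present]
    if missing:
        out += "\n" + "\n".join("define('%s', '%s');" % (n, new_values[n]) for n in missing) + "\n"
    return out


# Constructed sample: a wp-config.php still carrying the stock placeholders.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_CONFIG))
    rotated = rotate_keys(SAMPLE_CONFIG)
    print("weak after: ", weak_keys(rotated))
    print(rotated)
```

Rotating the keys invalidates every existing login cookie, so all users are signed out and must log in again; that is also the quickest way to evict an attacker holding a stolen session after a compromise like the one above. Keep each site's values unique: two sites sharing a hosting account should never share keys.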