This document provides an overview of common WordPress security issues and recommendations for improving WordPress security. It discusses threats like encoded JavaScript, conditional redirects, pharma hacks and recommends updating WordPress and plugins regularly, using strong passwords and passphrases, changing the database table prefix, and using secret keys to harden the WordPress installation. The document emphasizes having a comprehensive security approach from the local environment to hosting provider.
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
WordPress Security Tips from Dre Armeda
1. WORDPRESS
THE LOCKDOWN
People, Process, Technology
Dre Armeda - @dremeda
BROUGHT TO YOU BY
APRIL 25, 2012
2. DRE ARMEDA, CISSP
& I love tacos!
Hi. I’m Dre Armeda. I'm a Harley enthusiast, and a
Chargers fan. I wear many hats, and love tacos. I'm
infatuated with WordPress, web design, and web
security. I work at Sucuri Security. I hope to help
make the web a safer place!
CEO, Co-Founder – Sucuri Security
Read my random nonsense at dre.im
Co-Host WP Late Night - Google “I love tacos” to find Dre
http://wpcandy.com/category/broadcasts/wp-late-night
Dre Armeda - @dremeda #wpsecuritytips
3. THE
FOUNDATION
Why we’re here!
Dre Armeda - @dremeda #wpsecuritytips
4. THE FOUNDATION
What is going on?
The web is growing! No seriously :)
+ Over 2 Billion internet users today.
480% growth in the last 11 years
(Internet World Stats)
+ 300 million websites were added to
the internet in 2011 (Pingdom)
+ 100,000+ domains gained weekly
(Global Domain Registry)
Dre Armeda - @dremeda #wpsecuritytips
6. THE WAY WE PUBLISH
WordPress
Dre Armeda - @dremeda #wpsecuritytips
7. THE WAY WE COMMUNICATE
Twitter
Dre Armeda - @dremeda #wpsecuritytips
8. THE WAY WE PUBLISH
Facebook
Dre Armeda - @dremeda #wpsecuritytips
9. OH RICKY
Ouch!
Dre Armeda - @dremeda #wpsecuritytips
10. IT’S NOT ALL PEACHY
With good, there is bad!
Dre Armeda - @dremeda #wpsecuritytips
11. OPPORTUNITY
ScamWOW
Dre Armeda - @dremeda #wpsecuritytips
12. WHAT IS MALWARE?
The bad stuff :/
Malware, short for malicious software, is a software
designed to disrupt computer operation, gather
sensitive information, or gain unauthorized access
to computer systems.
+ SEO spam, JavaScript & iFrame attacks, and malicious
redirects are a couple web-based malware examples.
Dre’s Definition: THE YUCK!
Dre Armeda - @dremeda #wpsecuritytips
13. HOW & WHY?
Not me, I sell cookie dough online!
Dre Armeda - @dremeda #wpsecuritytips
14. WHAT ITS ABOUT
It’s not you.
Dre Armeda - @dremeda #wpsecuritytips
15. ATTACKERS LOVE YOU
And your data!
Malware, short for malicious software, is a software
designed to disrupt computer operation, gather
sensitive information, or gain unauthorized access
to computer systems.
+ Monitor your web browsing and internet usage ($$$)
+ Force Advertising ($$$)
+ Redirect affiliate marketing revenue ($$$)
Dre Armeda - @dremeda #wpsecuritytips
16. HOW BAD IS IT?
If I’m asking, it’s not good.
+ Over 2 million new malware strings monthly (McAfee)
+ Cost to US consumers alone = over $2.3 billion in 2010.
(Consumer Reports)
+ Google Safe Browsing issues over 3 million malware
warnings a day. (Google)
Dre Armeda - @dremeda #wpsecuritytips
18. THE
SCOOP
What are they doing to my website?
Dre Armeda - @dremeda #wpsecuritytips
19. ENCODED JAVASCRIPT
Dynamic Yuck!
JavaScript that is obfuscated (hidden) so that you can’t tell
what it is. It is injected into files/pages on the site and used to
serve malware.
Impact: Website pages may be used to serve malicious
downloads to visitors. Downloads may be used to infect
desktop computers, and/or exploit FTP info.
Typical Entry Point: Outdated, known vulnerable software;
exploited desktop computers; exploited FTP credentials.
Dre Armeda - @dremeda #wpsecuritytips
23. ENCODED JAVASCRIPT
Dynamic Yuck!
How it works:
1. Attacker scans for known vulnerable software (Old
WordPress installations, plugins, themes). May also start
with exploited desktop which steals FTP information.
2. Backdoor file inserted into the environment. This gives
the attacker remote access into your world
3. Payload inserted into various Javascript files and/or
encoded and hidden in theme, plugin files.
4. You’ve just enabled your visitors to load fake anti-virus
and other cool downloads from your site
Dre Armeda - @dremeda #wpsecuritytips
24. CONDITIONAL REDIRECTS
Why is this site in Russian?
An attack that causes a website to redirect to a malicious
website based on referrer, web browser, operating system.
Impact: When traffic is coming from a specific referrer (i.e.
Google, Bing), the site is redirected to a malicious website.
Typical Entry Point: Outdated, known vulnerable software.
Dre Armeda - @dremeda #wpsecuritytips
25. CONDITIONAL REDIRECTS
Why is this site in Russian?
Infected .htaccess file:
Dre Armeda - @dremeda #wpsecuritytips
26. CONDITIONAL REDIRECTS
Why is this site in Russian?
Result of conditional redirect:
Dre Armeda -- @dremeda
Dre Armeda @dremeda #wpsecuritytips
27. CONDITIONAL REDIRECTS
Why is this site in Russian?
How it works:
1. Attacker scans for known vulnerable software (Old
WordPress installations, plugins, themes).
2. Backdoor file inserted into the environment. This gives
the attacker remote access into your world
3. .htaccess file entries are created to load redirected.
Encoded redirect code can also be added to index files.
4. You’re now redirecting to some cool malware
awesomeness.
Dre Armeda - @dremeda #wpsecuritytips
28. PHARMA HACK
Viva Viagra!
Pharma Hack is a type of SEO poisoning. Attackers
manipulate their search engine results to make their links
appear higher than legitimate results.
Impact: Website page and post titles, descriptions and links
are changed to display pharmaceutical ads and links back to
malicious websites on search engine result pages.
Typical Entry Point: Outdated, known vulnerable software.
Dre Armeda - @dremeda #wpsecuritytips
29. PHARMA HACK
Viva Viagra!
Results of scanning rendered source.:
Dre Armeda - @dremeda #wpsecuritytips
30. PHARMA HACK
Viva Viagra!
Google Search Engine Results:
Dre Armeda - @dremeda #wpsecuritytips
31. PHARMA HACK
Viva Viagra!
Google Search Engine Results:
Dre Armeda - @dremeda #wpsecuritytips
32. PHARMA HACK
Viva Viagra!
How it works:
1. Attacker scans for known vulnerable software (Old
WordPress installations, plugins, themes)
2. Backdoor file inserted into the environment. This gives
the attacker remote access into your world
3. Control file is inserted into core application or plugin files.
This file acts as a connection from the backdoor to the
database.
4. Payload is dropped into the database and Viva Viagra!
QUICK TIP: Check Google to see if you’re infected:
site:{yourdomain.com} viagra <--Substitute your favorite pills
Dre Armeda - @dremeda #wpsecuritytips
33. RISK
REDUCTION
It Starts with you!
Dre Armeda - @dremeda #wpsecuritytips
34. WHAT IS SECURITY?
Different people, different meanings.
Protecting things of value
from harm’s way.
Dre Armeda - @dremeda #wpsecuritytips
35. IS MY SITE SECURE?
Is any site?
The percentage of risk can never be 0!
Key objective: Minimize risk
Dre Armeda - @dremeda #wpsecuritytips
36. IT STARTS WITH YOU!
Always think ahead
Before you show the world
your awesomeness, think
long term.
An integrated approach to
security, beginning to end,
will help protect your
investment, and your visitor
safety.
Information security is
everyone’s responsibility
Dre Armeda - @dremeda #wpsecuritytips
37. ARE YOU SECURE LOCALLY?
My machine is my castle!
Think of your local environment as if it was a medieval castle and you’re
the queen or king. You & your queen/kingdom must be protected.
Keep your computer up to date
+ Ensure you’re patching or installing
updates ASAP
+ Automatic updates rock!
Install an anti-virus solution
+ Ensure you’re keeping definitions
current
+ Automatic updates aren’t a bad idea here
either!
Yes, personal firewalls still apply!
Dre Armeda - @dremeda #wpsecuritytips
38. CONNECTING SECURELY?
Who’s watching?
It’s your information, but who’s watching & listening? You may be a
network geek at home, but what happens at Starbucks?
Your Internet Connection
Use SSL whenever possible, especially on an unverified connection.
+ HTTPS - great way to ensure transactions & traffic are traveling with
security in mind.
Connecting To Your Site(s)
Consider using sFTP/SSH vs. FTP
+ Still widely marketed, but did you know your credentials are passed
unencrypted when using FTP
+ If FTP is unavoidable, deny anonymous login, limit connections,
practice least privilege
+ Don’t store your credentials in your FTP client.
Dre Armeda - @dremeda #wpsecuritytips
39. WHERE YOU VISIT
This place sells fake anti-virus
Just because your website is super ninja like doesn’t mean others are too.
Most desktop viruses and malware these days are passed via infected
websites.
Safe Browsing
+ Use NoScript extension for
Firefox
+ It’s OK to be skeptical. Not
sure, ask questions!
+ Disable pop-ups
Dre Armeda - @dremeda #wpsecuritytips
40. HERE’S MY PASSWORD
It’s password
Passwords are like toothbrushes, you should keep them to yourself. And
discard them, and get a new one, if they have been used by others.
Password Management
+ Change passwords often
+ Don’t share your passwords
+ Avoid writing passwords down
+ Use a password manager
+ KeePass Password Safe
+ LastPass
+ 1Password
ZoneAlarm by Check Point
Dre Armeda - @dremeda #wpsecuritytips
41. WHAT’S A PASSPHRASE
It’s password
Good passwords are great, great passphrase’s
are awesome
+ Longer than traditional passwords
+ Hard to exploit
+ Easy to remember with all the added security goodness
F0urScore&7YearsAgo
Dre Armeda - @dremeda #wpsecuritytips
42. WHERE DO YOU LIVE?
Choose wisely!
At the end of the day, hosting providers market the world. You in turn,
should have opportunity to know how they’re going to protect you.
Your Lovely Host
Cheap doesn’t always mean best, or
safest!
+ How many sites on their network are
blacklisted or infected w/ malware?
+ What versions of software do they run
and how often do they update?
+ How are account credentials stored &
who has access.
+ Do they have published security
practices?
Use Google Tools to check your host:
http://www.google.com/safebrowsing/diagnostic?site=hostingcompanywebsite.com
Dre Armeda - @dremeda #wpsecuritytips
43. WORDPRESS
SECURITY TIPS
Things to think about
Dre Armeda - @dremeda #wpsecuritytips
45. UPDATE UPDATE UPDATE!
Then update again
Keep WordPress Updated! All WordPress instances on your server.
Quick Tips for Successful Updates
+ Don’t edit WordPress core
+ Research your plugins &
themes before deployment
+ Use child themes
+ Don’t test hot
+ Read Reviews
Minor WordPress versions ( ie 3.3.x ) do NOT add new features. They contain
bug fixes and security patches
Dre Armeda - @dremeda #wpsecuritytips
46. YES, PLUGINS TOO!
Why should I?
Update Those Plugins!
The plugin Changelog tab
makes it very easy to view
what has changed in a new
plugin version
Also viewable in the plugin
installer in your wp-admin area
Dre Armeda - @dremeda #wpsecuritytips
47. USE & REMOVE
Rule of TimThumb!
Just because a plugin is not enabled in WordPress does not mean you’re not
at risk! Same thing applies to plugins and of course old instances of
WordPress or any other software for that matter!
There’s nothing worse than leaving it there, forgetting
about it, then getting infected through something that you
don’t even need.
IF IT’S NOT IN USE REMOVE IT FROM THE SERVER!
Dre Armeda - @dremeda #wpsecuritytips
48. CHANGE DB TABLE PREFIX
Won’t solve world hunger, but why not?
1. WordPress installer allows you to specify new prefix during install
2. Or, BEFORE installing, you can change the prefix manually in wp-config.php:
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = ‘tacos_';
All database tables will now have a unique prefix (ie tacos_posts)
Dre Armeda - @dremeda #wpsecuritytips
49. KEEPING SECRETS
Ah come on
Some secrets should remain secrets
Dre Armeda - @dremeda #wpsecuritytips
50. USE SECRET KEYS
Yes it’s a bit obscure
A secret key is a hashing salt which makes your site harder to hack by
adding random elements to the password.
1. Edit wp-config.php
BEFORE AFTER
define('AUTH_KEY', 'put your unique phrase here'); define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY', 'put your unique phrase define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
here'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('LOGGED_IN_KEY', 'put your unique phrase define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
here'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('NONCE_KEY', 'put your unique phrase here'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('SECURE_AUTH_SALT', 'put your unique phrase define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
here');
define('LOGGED_IN_SALT', 'put your unique phrase
here');
define('NONCE_SALT', 'put your unique phrase here');
Some secrets should remain secrets
2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
Dre Armeda - @dremeda #wpsecuritytips
51. COMMENCE LOCKDOWN
Teh SSL’s
Add the code below to wp-config.php to force SSL (https) on login
define('FORCE_SSL_LOGIN', true);
Add the code below to wp-config.php to force SSL (https) on all admin pages
define('FORCE_SSL_ADMIN', true);
Using SSL (https) on all admin screens in WordPress will encrypt all
data transmitted with the same encryption as online shopping
https://codex.wordpress.org/Administration_Over_SSL
Dre Armeda - @dremeda #wpsecuritytips
52. LIMIT ACCESS
Them, that, there IP’s
1. Create an .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.123
Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin
Dre Armeda - @dremeda #wpsecuritytips
53. USE TRUSTED SOURCES
Shirley you can’t be serious?
Is this happening on your site?
Themes can include base64() encoded text links to promote various services
http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-
else/
Dre Armeda - @dremeda #wpsecuritytips
54. USE TRUSTED SOURCES
So many choices
Trusted Sources for Free WordPress Themes
WordPress.org Theme Directory
+ http://wordpress.org/extend/themes/
WooThemes
+ http://www.woothemes.com/themes/free/
Themelab
+ http://www.themelab.com/free-wordpress-themes
Theme Hybrid
+ http://themehybrid.com/
ThemeShaper(Thematic)
+ http://themeshaper.com
Graph Paper Press
+ http://graphpaperpress.com/themes/
More themes: http://wpmu.org/when-is-a-free-wordpress-theme-really-free-some-thoughts-and-some-places-to-find-
them/
Dre Armeda - @dremeda #wpsecuritytips
55. REALLY SECURE
Doh!
Yes, it happens. #FAIL
Dre Armeda - @dremeda #wpsecuritytips
56. HOW DO YOU LOGIN?
With a keyboard dummy
Dre Armeda - @dremeda #wpsecuritytips
57. DON’T BE HOOD YO!
I got nothing!
Dre Armeda - @dremeda #wpsecuritytips
58. HALFWAY THERE…
Livin’ on a prayer
Knowing your
username is
half the battle.
Don't make it
easy on the
hackers.
Dre Armeda - @dremeda #wpsecuritytips
59. NO MORE ADMIN USER
Good bye old man
Change the admin username in MySQL:
UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Or create a new account with administrator privileges.
1. Create a new account. Make the username very unique
2. Assign account to Administrator role
3. Log out and log back in with new account
4. Delete admin account
WordPress will allow you to
reassign all content written
by admin to an account of
your choice.
Dre Armeda - @dremeda #wpsecuritytips
60. OH BABY!
Wouldn’t you know it
WordPress 3.0 lets you
set
the administrator
username during the
installation process!
DON'T USE ADMIN!
Dre Armeda - @dremeda #wpsecuritytips
61. PERMISSIONS
Say no to 777
What folder permissions should you use?
Good Rule of Thumb:
•
Files should be set to 644
•
Folders should be set to 755
Better Rule of Thumb:
Set permissions to the lowest that still work.
Start with the default settings above
If your host requires 777…SWITCH HOSTS!
Dre Armeda - @dremeda #wpsecuritytips
62. CHANGING PERMISSIONS
Choose wisely!
Or via SSH with the following commands
find [your path here] -type d -exec chmod 755 {} ;
find [your path here] -type f -exec chmod 644 {} ;
Dre Armeda - @dremeda #wpsecuritytips
64. YOU’RE NOT ALONE
You Can Do It!
Dre Armeda - @dremeda #wpsecuritytips
65. SUCURI WORDPRESS PLUGIN
Lots of Goodies
+ Web Application Firewall (Sucuri WAF) – Adds firewall capabilities that connect to Sucuri’s
Signature Network. Sucuri’s network has thousands of signatures that block known malicious
websites from accessing your WordPress install.
+ 1-Click Hardening - Upgrade WordPress, remove WP version, and block PHP from being
inserted into your uploads directory all with the click of a button. Much more included.
+ Sucuri SiteCheck - Scan your WordPress install using Sucuri’s SiteCheck malware scanner
from your WP dashboard.
+ WordPress Audit Logs – The plugin logs all WordPress activity. You’ll know when a post is
created or deleted, failed and successful login attempts, even if a core file is changed.
+ Whitelist/Blacklist – You can now whitelist IP addresses to allow access to your admin area.
The plugin will blacklist any IP after multiple failed attempts. It’s all at your control!
http://sucuri.net/wordpress-security-monitoring
Dre Armeda - @dremeda #wpsecuritytips
66. WEBDEVSTUDIOS
THE WordPress Development Shop
http://webdevstudios.com
Dre Armeda - @dremeda #wpsecuritytips