and then make everything better with the best security tips!
Topics
Example
WordPress Hacks
Securing Your WordPress Website
How to Clean Up a Hacked Site
Recommended Plugins
YOU
Who Is Safe?
NO ONE
Scared Yet?
Example
Hacker bot finds a security hole on your website
WordPress
Example
Hacker bot hides a file in your WordPress installation
WordPress
Example
Hacker bot can now trigger this file/code remotely
WordPress
Hacker Bot
Example
Common Hacker bot script jobs
Add spam content and links to your website's theme files
Create posts and pages with spam content and links
Delete posts/pages/settings, wreaking havoc on your site
etc, etc, bad stuff, etc, etc
WordPress
Hacker Bot
WRONG!
Only Noobs Get Hacked
Scobleizer.com: HACKED
Pearsonified.com: HACKED
FeaturedContentGallery.com: HACKED
Make it Stop!
Palette Cleanser
Securing WordPress
Either change the username in MySQL:
UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
Make it hard on the hacker! If they already know your username, that's half the battle
WordPress 3.0 lets you set the administrator username during the installation process!
Start with the default settings above; if you can't upload, increase privileges (i.e. 775, 777)
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
This makes it nearly impossible for anyone to access your wp-config.php file, as it now resides outside of your website's root directory
If you have compatibility issues with plugins there are two optional settings:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins' );
If hackers can't find your wp-content folder, they can't hack it!
The wp_head function also includes the WP version in your header. To remove it, drop this line of code in your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
AFTER
define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD');
define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1');
define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+');
define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H');
define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt');
define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-');
define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*');
define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6');
You can add/change secret keys at any time. This will invalidate all existing cookies and require your users to log in again
All database tables will now have a unique prefix (i.e. drupal_posts)
define('FORCE_SSL_LOGIN', true);
Set the below option in wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);
.htaccess lockdown
1. Create a .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.123
OR
Delete, don't overwrite, all original WordPress files
Upload fresh copies of all WordPress core files
Install fresh copies of all WP plugins you need; DON'T use the same plugin files from the hacked site
If possible, install a fresh copy of your theme
If using the old theme, be sure to inspect every file for hack code
Change your passwords: WordPress, FTP, MySQL
Verify the hacker didn't create another user; if so, delete it
Update your secret keys in wp-config.php (as shown earlier)
Look for common hack keywords: eval, base64, strrev, iframe, noscript, display
Use the WordPress Exploit Scanner plugin (discussed later)
Check that all folder and file permissions are correct
Reset to 755 on folders and 644 on files if needed
Step 7: Pray
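The keyword sweep and the permission reset from the cleanup steps above, as an added Python example that is not from the talk, from WordPress or from any of the plugins listed. It builds a constructed miniature document root in a temporary directory (a clean functions.php plus one planted file carrying an eval/base64 line and a hidden spam div, all made up for the demo), greps every PHP/JS/HTML file for the talk's keyword list, and lists or repairs anything that is not 755 on folders and 644 on files. The directory layout, the keyword regexes and the "long-blob" heuristic are my assumptions; the "display" keyword is narrowed to the display:none idiom used to hide injected spam links.

```python
"""Added example: keyword sweep and permission reset for a hacked WordPress tree."""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path

# Keyword regexes are my assumption, not the talk's. A hit means "look here",
# not "this file is malicious"; "display" is narrowed to the CSS trick used to
# hide injected spam links, and "long-blob" flags long encoded payloads.
SUSPECT_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64": re.compile(r"base64_(?:decode|encode)\s*\(", re.I),
    "strrev": re.compile(r"\bstrrev\s*\("),
    "iframe": re.compile(r"<iframe\b", re.I),
    "noscript": re.compile(r"<noscript\b", re.I),
    "display": re.compile(r"display\s*:\s*none", re.I),
    "long-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}
DIR_MODE, FILE_MODE = 0o755, 0o644


def scan_file(path: Path) -> list[tuple[str, int, str]]:
    """Return (keyword, line number, line excerpt) for every hit in one file."""
    hits = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno, line.strip()[:80]))
    return hits


def scan_tree(root: Path) -> dict[str, list[tuple[str, int, str]]]:
    """Map relative path -> hits for every PHP/JS/HTML file under root."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            if hits := scan_file(path):
                report[str(path.relative_to(root))] = hits
    return report


def bad_permissions(root: Path, fix: bool = False) -> list[tuple[str, str]]:
    """Return (relative path, octal mode) for entries that are not 755/644;
    with fix=True they are chmod'ed to the expected mode after being recorded."""
    wrong = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # never chmod through a link that may have been planted
        mode = stat.S_IMODE(path.stat().st_mode)
        want = DIR_MODE if path.is_dir() else FILE_MODE
        if mode != want:
            wrong.append((str(path.relative_to(root)), oct(mode)))
            if fix:
                path.chmod(want)
    return wrong


def build_sample_site(base: Path) -> Path:
    """Create a constructed miniature document root with one planted file."""
    root = base / "htdocs"
    theme, uploads = root / "wp-content/themes/demo", root / "wp-content/uploads"
    theme.mkdir(parents=True)
    uploads.mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php\nremove_action('wp_head', 'wp_generator');\n")
    # Planted file (constructed): eval over a harmless base64 blob ("ABC" repeated)
    # plus a hidden spam div, the two things the keyword sweep should catch.
    blob = "QUJD" * 60  # 240 base64 chars, enough to trip the long-blob pattern
    (uploads / "cache.php").write_text(
        f"<?php\neval(base64_decode('{blob}'));\n?>\n"
        '<div style="display:none"><a href="#">spam</a></div>\n')
    for p in root.rglob("*"):  # start from the expected 755/644 everywhere ...
        p.chmod(DIR_MODE if p.is_dir() else FILE_MODE)
    uploads.chmod(0o777)  # ... then mimic the 777 that "increase privileges" leaves behind
    (uploads / "cache.php").chmod(0o777)
    return root


def run_demo() -> dict:
    """Build the sample tree in a temp dir, run both checks, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_site(Path(tmp))
        report = scan_tree(root)
        before = bad_permissions(root, fix=True)  # record, then repair
        after = bad_permissions(root)
        return {
            "flagged_files": sorted(report),
            "keywords": sorted({h[0] for hits in report.values() for h in hits}),
            "bad_perms_before": sorted(p for p, _ in before),
            "bad_perms_after": sorted(p for p, _ in after),
        }
```

On a real site call scan_tree(Path('/path/to/htdocs')) and bad_permissions(root) with fix left at False first, then read the excerpts by hand: legitimate plugins also call base64_decode and set display:none, so a hit is a place to inspect, not proof of compromise, and the chmod pass should only run once you are sure the host does not need anything else (e.g. a writable uploads folder owned by the web server user).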
WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan/
WP-MalWatch
Nightly security scan
Detects files based on configurable file patterns
Detects hidden files
http://wordpress.org/extend/plugins/wp-malwatch/
ServerBuddy
http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
http://wordpress.org/extend/plugins/exploit-scanner/
http://wordpress.org/extend/plugins/wordpress-file-monitor/
Login Lockdown
http://wordpress.org/extend/plugins/login-lockdown/
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Changing_File_Permissions
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/htaccess_for_subdirectories
http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-yourwordpress-admin-area/
http://www.growmap.com/wordpress-exploits/
http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpressblog/
http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/
http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpressblog/
http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hackedwordpress-installation/
http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
Contact
Brad Williams
brad@webdevstudios.com