PodCamp Ohio 2009

Post on 29-Aug-2014



Internet Security for Bloggers and Podcasters

Brian Lockrey
http://AssistSocial.com
@AssistSocial

Overview
- Blog Security
- WordPress
- Social Networking
- Micro-Blogging
- Podcasts
- Advertising
- Best Practices

Blog Security: WordPress
- WordPress Security: Google 11,800,000
- Very Popular Platform
- Prime Target for Hackers
- SEO: Search Engine Optimization
- Traffic Redirection
- Links to Pharmacy / Adult sites
- Graphics Replacement
- Ad / Affiliate Redirection
- Many others…

Blog Security: WordPress
- You are on their hit list!
- Game… Like you play Guitar Hero…
- Always run the latest versions
- Backdoor entry points
- Passwords for users are downloaded
- Open Source Software
- Backups are essential
- Frequent updates are essential
- Many others…

Blog Security: WordPress
- Monitor log files
- Block probers if you can
- “Powered by WordPress”
- Private site or hosted?
- WordPress.com
- What is your Time worth?
- What is your Blog worth?
- Delete meta tag that displays WP version

Blog Security: WordPress
- Turn off Open Registration
- WP 2.5+ has better password encryption
- Use a Strong admin password!
- Limit Search on your server
- Protect Directories from public browsing
- Drop the version string in Meta Tags

Blog Security: WordPress
- Limit wp-admin access by IP address
- Protect using .htaccess
- Protect your MySQL database
- Use SSH/Shell access, not FTP
- Use SFTP uploads if you can
- Use VPN if you can
- Never use Telnet!
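The slides say to monitor log files, block probers, limit wp-admin by IP address and protect directories with .htaccess, but give no concrete recipe. The script below is an added example (not from the PodCamp Ohio deck or from WordPress itself) that does those three things on a Linux/Apache host: it scans Apache combined-format access log lines for hosts that repeatedly hit wp-login.php or ask for files that should not exist, emits them as "Deny from" lines, and writes the body of a wp-admin/.htaccess that allows only listed addresses and switches off directory listings. The log lines, IP addresses and the threshold of 3 are constructed for the example; the Order/Deny/Allow directives are Apache 2.2 syntax, which is what a 2009 host would run.

```shell
#!/bin/sh
# Added example, not from the PodCamp Ohio slides: spot hosts probing a
# WordPress site in an Apache combined-format access log, and turn them
# into Apache 2.2 style .htaccess rules. The log lines, IP addresses and
# threshold used here are all constructed for this example.

# Constructed sample: 203.0.113.7 repeatedly POSTs to wp-login.php and asks
# for files that should not be there (install page, readme, a PHP script);
# 198.51.100.2 is an ordinary reader who hit one missing image.
SAMPLE_LOG='203.0.113.7 - - [10/Jun/2009:10:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2009:10:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2009:10:00:03 -0400] "GET /wp-admin/install.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2009:10:00:04 -0400] "GET /readme.html HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2009:10:00:05 -0400] "GET /nonexistent.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Jun/2009:10:01:00 -0400] "GET / HTTP/1.1" 200 8721 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jun/2009:10:01:02 -0400] "GET /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jun/2009:10:01:05 -0400] "GET /missing-image.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"'

# probers LOGTEXT THRESHOLD
# Prints each client IP whose count of suspicious requests reaches THRESHOLD.
# "Suspicious" here means a POST to wp-login.php, or a 404 for a .php file,
# the install page or readme.html (files the slides say to remove, so a
# request for them is a probe rather than a reader).
probers() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        {
            ip = $1
            status = $9
            # The quoted request line is: METHOD PATH PROTOCOL
            split($0, q, "\"")
            split(q[2], req, " ")
            method = req[1]; path = req[2]
            if (method == "POST" && path ~ /^\/wp-login\.php/)
                hits[ip]++
            else if (status == 404 && (path ~ /\.php$/ || path ~ /install\.php/ || path ~ /readme\.html/))
                hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= limit) print ip }
    ' | LC_ALL=C sort
}

# deny_rules LOGTEXT THRESHOLD
# Same detection, emitted as "Deny from" lines ready to paste into .htaccess.
deny_rules() {
    probers "$1" "$2" | sed 's/^/Deny from /'
}

# wp_admin_htaccess ALLOWED_IP...
# Body of a wp-admin/.htaccess that limits the directory to the listed
# addresses and turns off directory listings. With "Order Deny,Allow" the
# Allow lines override the blanket Deny.
wp_admin_htaccess() {
    printf 'Options -Indexes\n'
    printf 'Order Deny,Allow\n'
    printf 'Deny from all\n'
    for ip in "$@"; do
        printf 'Allow from %s\n' "$ip"
    done
}

# Stand-alone run: report probers from the sample log at a threshold of 3,
# then print an allow list for one constructed admin address.
probers "$SAMPLE_LOG" 3
deny_rules "$SAMPLE_LOG" 3
wp_admin_htaccess 198.51.100.2
```

Two caveats worth knowing before using this on a real site. Apache 2.4 replaced Order/Deny/Allow with mod_authz_core's "Require all denied" / "Require ip", so the generated lines must be translated there. And restricting all of wp-admin by address also blocks wp-admin/admin-ajax.php, which themes and plugins call from public pages, so that one file usually needs an exception (a Files block that allows it from anywhere). A Deny list in .htaccess is also consulted on every request; once it grows past a few dozen entries, blocking at the firewall is the better home for it.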

Hosting Platform?

- Use Linux / Apache if you can
- Do NOT use Microsoft Windows
- Automattic PollDaddy migration
- PollDaddy .NET / SQL to PHP/MySQL
- Automattic has 1,200 servers in use
- Per Matt’s Blog - Stable and Scalable

WordPress: Internals
- PHP
- MySQL
- Known Database Schema
- Known File Names
- Known Folder Names
- Known Class Names
- Known Function Names

WordPress: Internals
- PHP – Must be kept updated
- MySQL – Must be kept updated
- Open Source Software more secure
- Security Through Transparency
- Millions of people looking at it
- Often fixed quickly

WordPress: Look For?
- The Obvious
- Plugins that you did not install
- header.php changes
- Search Engine redirection (hard to detect)
- Spammers may hide text
- View HTML Source Code
- Google records your “bad” content

WordPress: Look For More?
- New Directories
- Your RSS feeds
- Search Engines
- Google = link:twittgroups.com
- Digg, StumbleUpon
- Many others…

If You Get Hacked?

- Just a matter of time
- All systems suspect
- Change ALL passwords
- Backup databases
- Update software quickly
- Shut down site. Maybe.
- Email to security@wordpress.com

WordPress: Plugins / Widgets

- Only use what you can trust
- Watch for suspicious activity
- WP Security Scan
- File Permissions
- Database Security
- XSS vulnerabilities
- Many others…
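The "Look For" slides list plugins you did not install, header.php changes and new directories, and the plugin slide adds file permissions; all of these are caught mechanically by a file-integrity baseline. The script below is an added example (not from the deck, not a WordPress feature) for a Linux host: it records a SHA-256 manifest of the document root after a clean install or update, later reports every added, modified or removed file, and lists anything world-writable. The document root and manifest paths are parameters, and the sample tree used to exercise it is constructed; no real site is assumed.

```shell
#!/bin/sh
# Added example, not from the PodCamp Ohio slides: a file-integrity
# baseline for a WordPress document root. It surfaces what the slides say
# to look for (plugins you did not install, header.php changes, new
# directories) and the "File Permissions" item. All paths are parameters;
# no real site is assumed.
#
# Usage: wp_baseline /var/www/html baseline.sha256   (once, after a clean update)
#        wp_compare  /var/www/html baseline.sha256   (on a schedule)
#        world_writable /var/www/html

# SHA-256 tool: GNU coreutils ships sha256sum, BSD/macOS ships shasum.
if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"
fi

# wp_baseline DOCROOT MANIFEST
# Writes "hash  ./relative/path" for every regular file under DOCROOT.
# Keep the manifest off the server: a copy left on the host can be edited
# together with the site. (Paths containing whitespace are not handled.)
wp_baseline() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do $HASH_CMD "$f"; done ) > "$2"   # HASH_CMD is split on purpose
}

# wp_compare DOCROOT MANIFEST
# Prints one line per difference against MANIFEST: ADDED, MODIFIED or
# REMOVED followed by the path. Empty output means the tree is unchanged.
wp_compare() {
    now=$(mktemp)
    wp_baseline "$1" "$now"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }   # first file is the baseline
         {
             if (!($2 in old))        print "ADDED", $2
             else if (old[$2] != $1)  print "MODIFIED", $2
             seen[$2] = 1
         }
         END { for (p in old) if (!(p in seen)) print "REMOVED", p }' \
        "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# world_writable DOCROOT
# Lists files and directories under DOCROOT that any local account can
# write to (mode bit o+w), which on shared hosting means any other customer.
world_writable() {
    ( cd "$1" && find . -perm -002 -print | LC_ALL=C sort )
}
```

Run wp_compare from cron and mail yourself the output; an empty mail is the normal case, and a MODIFIED line for a theme file or an ADDED line under wp-content/plugins that you cannot account for is the "plugin you did not install" the slide describes. Re-take the baseline immediately after each legitimate WordPress, theme or plugin update, otherwise the next run reports the update as a compromise.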

Comment Boxes / Widgets

- Comment Spam
- Login Required
- reCAPTCHA codes
- Google Friend Connect
- OpenID
- Twitter OAuth
- Many others…

Advertising On Your Blog

- Google AdWords / AdSense
- Others ???
- Affiliate Programs
- Be Careful…
- WordPress Plugins
- $5000 per Week? Slim Chance
- Should you $$$ to Advertise?

Podcasts
- Reliable Hosting Service
- Your XML feeds
- Search Engines
- Password Protect the Content Folders
- Will keep out the Google Spiders

Best Practices
- Software Up To Date!
- Backup Databases
- Directory Protection
- File Protection Codes
- Remove Install Files
- Remove Version #
- Layered Software
- Keep Your Client Clean!
- Don’t use Microsoft Windows Server!

Summary
- Overwhelmed?
- Start Simple
- Best Practices
- Stay Updated
- Follow the Experts
- Network with others
- Collaborate with others

Questions?
@AssistSocial
