blog world 2010 - how to keep your blog from being hacked
DESCRIPTION
This presentation was given in Las Vegas at BlogWorld 2010 by Brian Layman. It describes techniques that can be used to keep your WordPress website safe.
TRANSCRIPT
![Page 1: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/1.jpg)
Exhibits: October 15-16 | Conference: October 14-16 | Mandalay Bay Convention Center | Las Vegas Nevada
How to Keep Your Blog from Being Hacked, Stolen or Otherwise Violated
Brian Layman
![Page 2: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/2.jpg)
Introduction
• Who I am. What I do. What I see.
• What software do your blogs run on?
• Who here has had a blog hacked, defaced, stolen or taken down?
• Is your site safe? (No one would ever want to hack my blog about _____.)
• The title is a lie…
![Page 3: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/3.jpg)
Well Known Blog Hacks
• Go Daddy
• Blue Host
• Network Solutions
• PayPal’s Blog
• CorneliaMarie.com
• ClimateCrisis.net
• Twilight Lexicon
• Twitter
• Gawker
• PhotoMatt
• Problogger
• DreamHost
• Bizland
![Page 4: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/4.jpg)
Antivirus Campaign
http://bit.ly/AVCampaign
![Page 5: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/5.jpg)
Define “hacked”
• Content or uploads destroyed
• Hidden hyperlinks added to your site
• Redirect to another site
• Content edited
• Hijacked website
• Defacement
• Bank fraud
![Page 6: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/6.jpg)
Definition of Terms
How attacks happen…
• CSRF/XSRF – Cross Site Request Forgery
• XSS – Cross Site Scripting
• SQL Injection
• DDOS – (Distributed) Denial of Service
• DNS Hijacking – Spoofing or Poisoning
• Malvertising – Malicious Advertising
• Stolen Password
• Bad Code
![Page 7: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/7.jpg)
Open Source Responses to Vulnerabilities
• WordPress
  • http://codex.wordpress.org/Hardening_WordPress
  • [email protected]
• Drupal
  • http://drupal.org/security-team
  • [email protected]
• Joomla
  • http://developer.joomla.org/security.html
  • [email protected]
![Page 8: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/8.jpg)
Security Through Obscurity
• What is it? You tell me…
• Who is right?
• My thought: Any steps that may eliminate a large subset of attacks on your blog should be taken.
![Page 9: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/9.jpg)
Tactics YOU can use no matter what platform you are on
• The basics
• Passwords
• Communication (Plain Text vs. SSL)
• Updates
• Watch what you add to your sites (plugins/themes/add-ons)
• Backups
• Google Webmaster Tools
![Page 10: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/10.jpg)
Passwords
• Use strong passwords
• Make them unique in high value situations
![Page 11: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/11.jpg)
Communication
• Pay attention to how you are sending your passwords
• Wireless Networks = Risk
• FTP – Use SFTP instead
• Email – Use SSL Ports 587, 995, 993 vs 25, 110, 143
• Skype – Syncs history upon connect, never send secure passwords – EVER
• CPanel/WHM/Admin pages – if it is http not https, your password can be scraped
![Page 12: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/12.jpg)
Updates
• Keep your blog, plugins, themes, & operating system current – yes, even Linux
• Security and attacks improve over time
  2005 – Admin operations required a referrer
  2006 – Admin operations required a NONCE
  2007 – Plugin pages forced to check security
  2008 – Randomized keys and salts & upgrades
  2009 – Security escalation issues – full review
  2010 – Automated plugin and theme upgrades
![Page 13: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/13.jpg)
Watch what you add…
• Every plugin or theme is a security risk
• “Free Theme” sites are a very high risk
• Less popular & highly specialized plugins have had less eyes on them and are riskier
• Older plugins used older security standards – we simply knew less and had fewer tools
• You are responsible for your site. Learn how to identify problems or make a friend who can.
![Page 14: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/14.jpg)
Backups
• Both files and database
• Keep the files offline
• If you have files online keep them out of public_html
• As important as having the backups… Know how to restore them!
• Before you restore – delete the files and directories to remove the hack files
![Page 15: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/15.jpg)
Google Webmaster Tools
• How do you know you are hacked?
• Google will email you when they consider you a risk
• http://www.google.com/webmasters/
• http://www.google.com/webmasters/checklist/
• https://www.google.com/webmasters/tools/reconsideration
• You can configure multiple owners
![Page 16: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/16.jpg)
Coding Practices
• EVERYTHING that is displayed on the screen must be filtered.
• WordPress provides: esc_html, esc_url, esc_* – http://codex.wordpress.org/Data_Validation
• EVERYTHING that you send to the database must be filtered.
• WordPress provides: $wpdb->prepare
• TRUST NOTHING
• Try to use your text instead of user input
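The two rules on this slide (filter everything sent to the database, escape everything sent to the screen) are easiest to see side by side. The following is an added example written for this transcript, not code from the talk or from WordPress itself: a small search shortcode written the unsafe way, then rewritten with the WordPress functions the slide names. The plugin prefix `ehermits_demo_` and the `q` query parameter are invented; the API calls (`esc_html`, `esc_url`, `$wpdb->prepare`, `sanitize_text_field`, `wp_unslash`, `$wpdb->esc_like`) are real WordPress functions, although `$wpdb->esc_like()` is the post-2014 name for what 2010-era code called `like_escape()`.

```php
<?php
// Added example, not from the slides or from WordPress core. Assumes it is
// loaded as a plugin so the WordPress API ($wpdb, esc_*, add_shortcode) exists.

// --- BEFORE: trusts $_GET and builds SQL by string concatenation -------------
function ehermits_demo_search_unsafe() {
    global $wpdb;
    $term = $_GET['q'];                                          // raw user input
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} "
          . "WHERE post_status = 'publish' AND post_title LIKE '%{$term}%'"; // SQL injection
    $rows = $wpdb->get_results( $sql );
    $out  = "<p>Results for {$term}:</p><ul>";                    // reflected XSS
    foreach ( $rows as $row ) {
        $out .= "<li><a href='" . get_permalink( $row->ID ) . "'>{$row->post_title}</a></li>";
    }
    return $out . '</ul>';
}

// --- AFTER: filter what goes to the database, escape what goes to the screen --
function ehermits_demo_search_safe() {
    global $wpdb;

    // Normalise the input once. An empty search prints OUR text, not the user's
    // (the slide's "try to use your text instead of user input").
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term ) {
        return '<p>' . esc_html__( 'Type something to search.', 'ehermits-demo' ) . '</p>';
    }

    // $wpdb->prepare() quotes the value; esc_like() stops % and _ in the input
    // from acting as wildcards. The value is an argument, never part of the format.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s
             LIMIT %d",
            $like,
            20
        )
    );

    // Everything displayed is escaped for the context it lands in:
    // esc_html for text nodes, esc_url for href attributes.
    $out = '<p>' . sprintf(
        esc_html__( 'Results for %s:', 'ehermits-demo' ),
        '<strong>' . esc_html( $term ) . '</strong>'
    ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
              . esc_html( $row->post_title ) . '</a></li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'ehermits_demo_search', 'ehermits_demo_search_safe' );
```

Note that sanitising on the way in is not a substitute for escaping on the way out: `sanitize_text_field()` strips tags and control characters, but a post title stored by someone else still has to go through `esc_html()` when it is printed, because the database is not a trusted source either.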
![Page 17: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/17.jpg)
Servers
• Permissions – The 755 myth
  • chmod -R 755 *
  • Generic: Directories should be 755, Files 644
  • Reality: The least privileges provides the most access
• VPS vs Shared Hosting vs Managed Hosting
  • Flexibility, Access, Less risk = More $
• Harden your own server or let someone do it
• suPHP – Isolates your installation
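`chmod -R 755 *` gives every file an execute bit it does not need and leaves world-writable files untouched only when you forget a directory. As an added example (not from the talk), here is a small audit script in PHP rather than shell, because on the shared hosting the slide discusses you often have FTP and a PHP runtime but no SSH. It reports anything looser than the slide's generic targets (directories 755, files 644) and, with `--fix`, only ever removes permission bits, so a file you have already tightened (wp-config.php at 640, say) is left alone. The function name and the script filename are invented.

```php
<?php
// Added example, not from the slides. Run as: php perms-audit.php /path/to/site [--fix]
// Targets 0755 for directories and 0644 for files; it never adds bits.

function ehermits_audit_permissions( string $root, bool $fix = false ): array {
    $report = [ 'checked' => 0, 'loose' => [], 'changed' => 0 ];

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ( $iterator as $path => $info ) {
        if ( $info->isLink() ) {
            continue;                            // never follow symlinks out of the tree
        }
        $report['checked']++;

        $mode   = $info->getPerms() & 0777;      // current rwx bits only
        $target = $info->isDir() ? 0755 : 0644;  // the slide's generic values

        // Bits set in $mode that the target does not allow (group/other write,
        // execute on a plain file) mean "looser than target".
        $extra = $mode & ~$target;
        if ( 0 === $extra ) {
            continue;                            // equal to or tighter than target: leave it
        }

        $report['loose'][] = sprintf( '%s %04o', $path, $mode );
        if ( $fix && chmod( $path, $mode & $target ) ) {
            $report['changed']++;
        }
    }
    return $report;
}

// Command-line entry point; does nothing when the file is merely included.
if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $root = $argv[1] ?? '';
    if ( '' === $root || ! is_dir( $root ) ) {
        fwrite( STDERR, "usage: php perms-audit.php /path/to/site [--fix]\n" );
        exit( 1 );
    }
    $result = ehermits_audit_permissions( rtrim( $root, '/' ), in_array( '--fix', $argv, true ) );
    foreach ( $result['loose'] as $line ) {
        echo $line, "\n";
    }
    printf( "checked %d, loose %d, changed %d\n",
        $result['checked'], count( $result['loose'] ), $result['changed'] );
}
```

Run it without `--fix` first and read the list; a directory that the web server legitimately writes to (uploads, a cache) may need group write under a non-suPHP setup, and that is a decision to make per directory, not by recursion. Under suPHP, which the slide recommends, PHP runs as your own user, so even the uploads directory can stay at 755. Also, suPHP refuses to execute group- or world-writable scripts in its default configuration, which is the practical reason a sloppy recursive chmod 777 often breaks a site there instead of fixing it.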
![Page 18: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/18.jpg)
WordPress Specific Security Techniques
• Create an “Editor” user for posting
• Create a new “Administrator”, delete the old one, then only use it for maintenance
• Never use wp_ as your table prefix
• Look at wp-config-sample.php now and then and update your wp-config.php
• Force Secure password logins
  • http://codex.wordpress.org/Administration_Over_SSL
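Three of the bullets above (the table prefix, keeping wp-config.php in step with wp-config-sample.php, and forcing logins over SSL) all land in the same file. The fragment below is an added example for this transcript, not a file shipped with WordPress or from the talk; the prefix value and the `PLACEHOLDER` strings are mine and must be replaced. `FORCE_SSL_ADMIN` and `DISALLOW_FILE_EDIT` are real wp-config.php constants; the eight key and salt names are the ones wp-config-sample.php defines.

```php
<?php
// Added example, not the project's own file: the wp-config.php settings that
// implement the slide's bullets. Every define() must sit ABOVE the line
//   /* That's all, stop editing! Happy blogging. */
// in wp-config.php, or WordPress has already loaded before it sees them.

// Never wp_: an attacker guessing table names for SQL injection has to get
// this right first. Letters, digits and underscores only.
$table_prefix = 'zq7x_';   // placeholder value; pick your own

// Unique keys and salts (the 2008 item on the Updates slide). Regenerating
// them invalidates every logged-in cookie, which is exactly what you want
// after a compromise. Paste fresh values from
// https://api.wordpress.org/secret-key/1.1/salt/ instead of these placeholders.
define( 'AUTH_KEY',         'PLACEHOLDER' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER' );
define( 'NONCE_KEY',        'PLACEHOLDER' );
define( 'AUTH_SALT',        'PLACEHOLDER' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER' );
define( 'NONCE_SALT',       'PLACEHOLDER' );

// "Force Secure password logins": wp-login.php and all of wp-admin are served
// over https, so the password and the auth cookie never cross the wire in
// plain text (see codex: Administration_Over_SSL). Needs a working
// certificate on the host first or you lock yourself out of the dashboard.
define( 'FORCE_SSL_ADMIN', true );

// Removes the theme/plugin editor from the dashboard, so a stolen
// administrator password cannot be turned into arbitrary PHP on the server
// with three clicks.
define( 'DISALLOW_FILE_EDIT', true );
```

Changing `$table_prefix` on a site that already exists is more than editing this line: the tables themselves have to be renamed, and the rows in the options and usermeta tables whose names embed the prefix (`wp_user_roles`, `wp_capabilities`, `wp_user_level`) have to be renamed with them, or every user loses their role. On a fresh install it is a one-line change, which is why the slide says to set it before you start.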
![Page 19: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/19.jpg)
WordPress Techniques (Expected Answers)
• Move wp-config.php
• Remove version Info
• Rename the admin user
• Move your wp-content directory – Possibly worth doing but will break many plugins and themes
• Use .htaccess to white list IP addresses or add an extra password layer
![Page 20: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/20.jpg)
WordPress Techniques
• Free Plugins – http://wordpress.org/extend/plugins/
  • exploit-scanner
  • wp-security-scan
  • wordpress-file-monitor
• Paid Plugins
  • http://pluginbuddy.com/purchase/backupbuddy/
![Page 21: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/21.jpg)
Who can help? Managed Hosting & Clean Up
• iThemes.com
• Page.ly
• WPSecuritylock.com
• WebDevStudios.com
• CoveredWebServices.com
And of course:
• eHermitsInc.com
![Page 22: Blog World 2010 - How to Keep Your Blog from Being Hacked](https://reader036.vdocument.in/reader036/viewer/2022070304/54c916ee4a795900548b4636/html5/thumbnails/22.jpg)
Brian Layman
http://eHermitsInc.com/slides
http://twitter.com/brianlayman @eHermits
Text ehermits to 50500