Announcement: The Austin WordPress meet up now has over 1000 members! Organizers are looking for a new meeting place for the regular first meeting. If you know of a place that can hold about 150 people, preferably classroom style, and is wired for internet, please post your suggestion in the comments.
Tonight’s speaker: Chris Wiegman from Bit51.com.
Chris is the owner of Bit51.com and a web developer for St. Edward’s University. He has more than 15 years experience developing solutions for individuals, business, and education.
Chris gave a hugely informative talk on WordPress security and there was a lot of back and forth with everyone there. [Thanks, Chris! I learned a lot!]
Below are some notes from tonight’s discussion. . .
Levels of security
don’t allow higher levels of access than necessary
don’t use admin account for daily work (esp at Starbucks or somewhere, but home also)
- only use for adding plugins or making updates
- can use roles administrator plugin to adjust what the roles enable
- set as low as possible to minimize any potential damage
change admin username
- takes 32 seconds for someone to break into your average 8 digit password account if they know your admin with a brute force attack
- plugin available to do this
- another option is to change the admin role to subscriber role
use/enforce strong passwords
- every digit you add means they have to go through 62 more times, so slows down hacking.
- the longer and more diverse your password is, the longer it takes. But they’re all breakable.
- Can use a plugin that will block IP access for so many minutes after so many tries
- enforce password expiration
- if you’re taking people’s info, this may be a good idea
- Chris has a plugin that forces people to create decent passwords
Obsure and Protect
- obscure is only successful against casual bots/ scripts kiddies
- hide plugins/themes the bots are looking for
- change wp-content, database prefix
- wp-content holds [a lot of stuff]
- Very tricky to change wp-content on existing site because it will break links unless you script for that, better to do on a fresh site.
- Change wp-content to content or joeblow, whatever you want
- move wp-config.php up one level
- note: some plugins may create a new wp-config.php file if they don’t find one. NOT good.
Q: is there a way to find out what plugins have been taken down from WP? Per Chris, lots of talk around WordPress to do something about that recently, but no easy way to find that out.
Protect the site when problems are found
- keep up to date – biggest thing to do to protect your site on a daily basis
- if you have to test on another site, do it. Do wait a couple hours, even good developers can screw up
Q – how to manage site protection for clients?
1. it’s up to them if no maintenance of site was contracted
2. manageWP (?) is a plugin to help with this
- use trusted plugins
- give a new one a week or use a development site
- watch trusted developers
- look at comments, numbers downloaded, date of late update
- de-activating a plugin does not delete its vulnerability to hacking
- Chris recommends writing names of unused plugins on a separate, unpublished page so you can use them again later. Ex: Tim Thumb plugin hacking last year didn’t require the plugin to have been activated. Tim Thumb has been fixed, but not necessarily themes based on it.
- Don’t keep any plugins or themes not in use
- They slow down your site, too, which will get you a Google penalty.
Detect and Recover
- Watch your site – you are best monitor of normal for your site
- if something looks funny, it probably is
- Tools to help you monitor your site:
- AW Stats ?
- Sucuri.com is good – free to a certain amount
- Google Analytics
- Google webmaster tools – SEO and malware check
- speed slowdown is a bad sign
- turn your comments off after a while
- visiting someone else’s hacked site can spread the hacking (that’s how Tim Thumb worked – it had a multiplier effect of 1000 sites/minute when someone clicked on a link within a hacked site)
- if you see a bunch of blank lines with gobbledy-gook at the bottom, the site’s been hacked
Recover from disaster
- Back up Files beforehand and regularly
- Files you’ve uploaded
- Custom code
- Don’t need to & don’t want to back up plugins
- Don’t back up wp-config?
- Ways to backup
- Backupwordpress (?) to Dropbox
- Save to Amazon, Dropbox, VaultPress
- Which plugins to use depends on what you do, how often you update, etc
- Don’t keep backup in same place as server
- Don’t trust your hosting company to back up for you
- Export from WP is limited, but useful – again, depends on what’s on your site
- Be careful about backups going to server – your shared hosting may shut you down for exceeding CPU usage
Per Nick Batik, try out one of your backups and be sure it’s good before you totally trust the system
Per [someone in the back], HostGator says if file is too big to backup then zip your content directory up from your cpanel. Then use php.admin to back up. Pick a slow time of day because this sucks up server space.
- If you’ve been hacked, delete everything!
- including your wp-config file.
- Change the SALT in wp-config, too (use Google WordPress salt generator or do new install).
- Change user name for cpanel, for FTP, for database. Change all passwords.
AMP Security (Apache/mySQL/PHP)
Use different accounts, different databases, etc.
- Ideally, different cpanels, too.
- A reseller account with separate cpanels IS separate
- Don’t use mod_php or CGI for PHP (not covering this tonight)
Reduce privileges to a minimum
- Can turn off some permissions in cpanel, esp for client
Remove extra modules/options/etc
- at the server level
Turn off MySQL networking
Create different users for each site
Do NOT use FTP
- Use firewall
- Hardware firewalls stronger than software firewalls
- Limit connection sources
- Try out CloudFlare (yes, it was recently hacked itself!)
- Lesson: gmail password is recoverable (i.e., obtainable) with your phone number
- Chris uses Google Voice only, but mostly Skype and email
- 2 part authentication is much more secure
Enable certificate authentication for SSH (or SFTP)
- some hosts are hard to work with in this respect
- may be required to prove identity with photo ID
- note: Filezilla shows FTP passwords in the clear – bad bad bad. Paid tools will encrypt it
Better WP Security plugin by Chris Wiegman
Chris demonstrated some of the features of his security plugin Better WP Security (warning from Chris: plugin is pretty massive, may not work for everything and everybody: use what works for you and turn off the rest). Plug-in includes Chris’s checklist of what he does on sites. Instructional video (35 minutes!) available on WordPress.org.
Additional Plugins & Software & Notes
drlinkchecker checks for broken links
SecurityKiss – free software that encrypts data in a secure tunnel. Only free to so many MBs /month. Slower than open wifi. Some companies offer VPN which you could use instead; it would probably be faster.
Wireless connections – Nick recommends plugging into cellphone as a modem as long as you watch the data usage.
Someone whose name I missed (Eli M?) has a blog with posts about firewalls. (Please fill in if you know!)
Q: What about ecommerce on WP? Nick puts on separate, identical looking theme install and just adds store to WP menu. Going to try WooCommerce, has used WPeCommerce. Doesn’t like any of them. What about stripe.com? Clark Wimberly is using this one now. Saving info as custom post.
Q: What if you saw something erratic on your site: run security plug in or CloudFlare.
N.B. These are my casual notes taken during the meeting, so they may have my transcription or understanding errors!!! Please refer to Chris’s slides to ensure accuracy. – Deb