Announcement: The Austin WordPress meet up now has over 1000 members! Organizers are looking for a new meeting place for the regular first meeting. If you know of a place that can hold about 150 people, preferably classroom style, and is wired for internet, please post your suggestion in the comments.

Tonight’s speaker: Chris Wiegman from Bit51.com.

Chris is the owner of Bit51.com and a web developer for St. Edward’s University. He has more than 15 years experience developing solutions for individuals, business, and education.

Chris gave a hugely informative talk on WordPress security and there was a lot of back and forth with everyone there. [Thanks, Chris! I learned a lot!]

Below are some notes from tonight’s discussion. . .

Levels of security

Users

don’t allow higher levels of access than necessary
don’t use admin account for daily work (esp at Starbucks or somewhere, but home also)

only use for adding plugins or making updates
can use roles administrator plugin to adjust what the roles enable
set as low as possible to minimize any potential damage

change admin username

takes 32 seconds for someone to break into your average 8 digit password account if they know your admin with a brute force attack
plugin available to do this
another option is to change the admin role to subscriber role

use/enforce strong passwords

every digit you add means they have to go through 62 more times, so slows down hacking.
the longer and more diverse your password is, the longer it takes. But they’re all breakable.
Can use a plugin that will block IP access for so many minutes after so many tries

enforce password expiration

if you’re taking people’s info, this may be a good idea

Chris has a plugin that forces people to create decent passwords

Applications

Obsure and Protect

obscure is only successful against casual bots/ scripts kiddies
hide plugins/themes the bots are looking for

change wp-content, database prefix

wp-content holds [a lot of stuff]
Very tricky to change wp-content on existing site because it will break links unless you script for that, better to do on a fresh site.
Change wp-content to content or joeblow, whatever you want

move wp-config.php up one level

note: some plugins may create a new wp-config.php file if they don’t find one. NOT good.

Q: is there a way to find out what plugins have been taken down from WP? Per Chris, lots of talk around WordPress to do something about that recently, but no easy way to find that out.

Protect the site when problems are found

keep up to date – biggest thing to do to protect your site on a daily basis
if you have to test on another site, do it. Do wait a couple hours, even good developers can screw up

Q – how to manage site protection for clients?
1. it’s up to them if no maintenance of site was contracted
2. manageWP (?) is a plugin to help with this

use trusted plugins

give a new one a week or use a development site
watch trusted developers
look at comments, numbers downloaded, date of late update

de-activating a plugin does not delete its vulnerability to hacking

Chris recommends writing names of unused plugins on a separate, unpublished page so you can use them again later. Ex: Tim Thumb plugin hacking last year didn’t require the plugin to have been activated. Tim Thumb has been fixed, but not necessarily themes based on it.

K.I.S.S.

Don’t keep any plugins or themes not in use

They slow down your site, too, which will get you a Google penalty.

Detect and Recover

Watch your site – you are best monitor of normal for your site

if something looks funny, it probably is

Tools to help you monitor your site:

AW Stats ?
Sucuri.com is good – free to a certain amount
pingdom.com
Google Analytics
Google webmaster tools – SEO and malware check

speed slowdown is a bad sign
turn your comments off after a while
visiting someone else’s hacked site can spread the hacking (that’s how Tim Thumb worked – it had a multiplier effect of 1000 sites/minute when someone clicked on a link within a hacked site)
if you see a bunch of blank lines with gobbledy-gook at the bottom, the site’s been hacked
much hacking is done with javascript – FF offers an add-on No Script to block javascripts

Recover from disaster

Back up Files beforehand and regularly

Files you’ve uploaded
Custom code
Database
Don’t need to & don’t want to back up plugins
Don’t back up wp-config?

Ways to backup

Backupwordpress (?) to Dropbox
Save to Amazon, Dropbox, VaultPress
Which plugins to use depends on what you do, how often you update, etc

Don’t keep backup in same place as server
Don’t trust your hosting company to back up for you
Export from WP is limited, but useful – again, depends on what’s on your site
Be careful about backups going to server – your shared hosting may shut you down for exceeding CPU usage

Per Nick Batik, try out one of your backups and be sure it’s good before you totally trust the system
Per [someone in the back], HostGator says if file is too big to backup then zip your content directory up from your cpanel. Then use php.admin to back up. Pick a slow time of day because this sucks up server space.

If you’ve been hacked, delete everything!

including your wp-config file.
Change the SALT in wp-config, too (use Google WordPress salt generator or do new install).
Change user name for cpanel, for FTP, for database. Change all passwords.

AMP Security (Apache/mySQL/PHP)

Use different accounts, different databases, etc.

Ideally, different cpanels, too.
A reseller account with separate cpanels IS separate

Don’t use mod_php or CGI for PHP (not covering this tonight)
Reduce privileges to a minimum

Can turn off some permissions in cpanel, esp for client

Remove extra modules/options/etc

at the server level

Turn off MySQL networking
Create different users for each site
Do NOT use FTP
Use firewall

Hardware firewalls stronger than software firewalls

Limit connection sources
Try out CloudFlare (yes, it was recently hacked itself!)

Lesson: gmail password is recoverable (i.e., obtainable) with your phone number
Chris uses Google Voice only, but mostly Skype and email
2 part authentication is much more secure

Enable certificate authentication for SSH (or SFTP)

some hosts are hard to work with in this respect
may be required to prove identity with photo ID

note: Filezilla shows FTP passwords in the clear – bad bad bad. Paid tools will encrypt it

Better WP Security plugin by Chris Wiegman

Chris demonstrated some of the features of his security plugin Better WP Security (warning from Chris: plugin is pretty massive, may not work for everything and everybody: use what works for you and turn off the rest). Plug-in includes Chris’s checklist of what he does on sites. Instructional video (35 minutes!) available on WordPress.org.

Additional Plugins & Software & Notes

drlinkchecker checks for broken links

SecurityKiss – free software that encrypts data in a secure tunnel. Only free to so many MBs /month. Slower than open wifi. Some companies offer VPN which you could use instead; it would probably be faster.

Wireless connections – Nick recommends plugging into cellphone as a modem as long as you watch the data usage.

Someone whose name I missed (Eli M?) has a blog with posts about firewalls. (Please fill in if you know!)

Q: What about ecommerce on WP? Nick puts on separate, identical looking theme install and just adds store to WP menu. Going to try WooCommerce, has used WPeCommerce. Doesn’t like any of them. What about stripe.com? Clark Wimberly is using this one now. Saving info as custom post.

Q: What if you saw something erratic on your site: run security plug in or CloudFlare.

N.B. These are my casual notes taken during the meeting, so they may have my transcription or understanding errors!!! Please refer to Chris’s slides to ensure accuracy. – Deb