WordCamp Phoenix - End-User Security presented by Dre Armeda (@dremeda) and Brad WIlliams (@williamsba).

1. WordPress End-User Security

2. @dremeda & @williamsba Dre Armeda @dremeda Co-Founder – CubicTwo Co-Founder – Sucuri Security Brad Williams @williamsba Co-Founder – WebDevStudios Co-Author – Professional WordPressPlugin Development http://amzn.to/plugindevbook

3. ItStartsWithYou Before you show the world your awesomeness, think long term. An integrated approach to security, beginning to end, will help protect your investment, and your visitor safety. Information security is everyone’s responsibility

6. Automatic updates aren’t a bad idea here either!Yes, personal firewalls still apply!

8. It’s OK to be skeptical. Not sure, ask questions!

10. If unavoidable, do not allow anonymous logins, limit connections, practice least privilege.

12. Don’t share your passwords

13. Avoid writing passwords down

14. Use a password managerZoneAlarm by Check Point

16. How many sites on their network or blacklisted for malware reasons?

17. What version of software to they run and how often do they update?

19. 1. Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.0.x ) do NOT add new features. They contain bug fixes and security patches

20. 1 Update Update Update Update Those Plugins! The pluginChangelog tab makes it very easy to view what has changed in a new plugin version

21. 2. Change DB Table Prefix 1. Edit wp-config.php before installing WordPress 2. Change the prefix wp_ to something unique: /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘dreday_'; All database tables will now have a unique prefix (iedreday_posts)

22. 3. Use Secret Keys Some secrets should remain secrets

23. 3. Use Secret Keys A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. 1. Edit wp-config.php AFTER BEFORE define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); Some secrets should remain secrets 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt

24. 4. Lock Down WP Login & WP Admin Yes, it happens. #FAIL

25. 4. Lock Down WP Login & WP Admin Add the code below to wp-config.php to force SSL (https) on login define('FORCE_SSL_LOGIN', true); Add the code below to wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping

26. 4. Lock Down WP Login & WP Admin 1. Create an .htaccess file in your wp-admin directory 2. Add the following lines of code: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.123 Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin

27. 5. Move wp-config.php WordPress features the ability to move the wp-config.php file one directory above your WordPress root If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory

28. 6. Disable WP Generator Tag Viewing source on most WP sites will reveal the version they are running <meta name="generator" content="WordPress 3.0" /> <!-- leave this for stats --> This helps hackers find vulnerable WP blogs running older versions To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats --> The wp_head() function also includes the WP version in your header. To remove add this line of code in your themes functions.php file remove_action( 'wp_head', 'wp_generator' );

29. 6. Disable WP Generator Tag Themes and plugins might also display versions in your header.

30. 7. Use Trusted Sources for Themes & Plugins WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed Safe: 1 Iffy: 1 Avoid: 8

31. 7. Use Trusted Sources for Themes & Plugins The only safe site reviewed was WordPress.org Most themes included base64() encoded text links to promote various servies http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

33. Do you Login with username admin?

35. 8. Delete the Admin User Change the admin username in MySQL: UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin'; Or create a new account with administrator privileges. Create a new account. Make the username very unique Assign account to Administrator role Log out and log back in with new account Delete admin account WordPress will allow you to reassign all content written by admin to an account of your choice.

36. WordPress 3.0 lets you set the administrator username during the installation process! DON'T USE ADMIN!

37. Knowing your username is half the battle. Don't make it easy on the hackers.

39. Folders should be set to 755Start with the default settings above If your host requires 777…SWITCH HOSTS!

40. 9. File / Folder Permissions Or via SSH with the following commands find [your path here] -type d -exec chmod 755 {} find [your path here] -type f -exec chmod 644 {}

41. 10. Update Update Update

43. WordPress File Monitor - http://wordpress.org/extend/plugins/wordpress-file-monitor/

44. Login Lockdown- http://wordpress.org/extend/plugins/login-lockdown/

45. AskApache Password Protect - http://wordpress.org/extend/plugins/askapache-password-protect/

46. BulletProof Security - http://wordpress.org/extend/plugins/bulletproof-security/

47. Secure WordPress- http://wordpress.org/extend/plugins/secure-wordpress/http://wordpress.org/extend/plugins/wp-time-machine/

49. WP-DB Backup - http://wordpress.org/extend/plugins/wp-db-backup/

50. Backup Buddy - http://pluginbuddy.com/purchase/backupbuddy/

51. VaultPress - http://vaultpress.com/http://wordpress.org/extend/plugins/wp-time-machine/

54. VaultPress- http://vaultpress.comhttp://wordpress.org/extend/plugins/wp-time-machine/

56. http://codex.wordpress.org/Changing_File_Permissions

57. http://codex.wordpress.org/Editing_wp-config.php

59. http://blog.sucuri.net/2010/11/yet-another-wordpress-security-post-part-one.html

60. http://www.growmap.com/wordpress-exploits/

61. http://wpcandy.com/teaches/security-tips

62. http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/

63. http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/