Securing WordPress talk by Brad Williams ~ Nov 20, 2009
Here I start a series of posts with my comments, notes and remarks on the talks that I attended at last weekend's WordCamp in NYC.
The first talk I attended was Securing WordPress, by Brad Williams (@williamsba on Twitter). First off, this talk wasn't too technical, since it was focused on beginning developers whose background wouldn't be completely into systems administration; it was intended for a broader audience, which is exactly why I liked it so much and started taking notes. You need some mild level of expertise in WordPress for most of what Brad mentioned, but you don't have to be an expert.
So, most of the notes I took were taken directly from the slides (which you can browse below in the Slideshare widget), but I also added some homebrewed comments of my own:
Don't use the admin account: Change it
Hackers will most likely target the most privileged account on a WordPress installation, which by default goes by the name "admin", and you don't seem to be able to change it easily from the administration panel. Go ahead and do it in the MySQL shell yourself:
UPDATE wp_users SET user_login="notadmin" WHERE user_login="admin";
Change your files' permissions
This is what Brad called "The Great Permission Debate". You are basically fine if you leave all files at 0644 and directories at 0755.
$ find wordpress_root/ -type f -exec chmod 644 {} \;
$ find wordpress_root/ -type d -exec chmod 755 {} \;
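An audit for that rule, added here as an example and not taken from the talk: it lists every path that deviates from 0644/0755 and can normalise them, and it goes one step beyond the slide by tolerating a tighter 0600 or 0640 on wp-config.php, since that file holds the database credentials. It assumes a POSIX find, chmod and mktemp; the demo tree it builds is constructed for the example.

```shell
# Audit and fix WordPress file modes (added example, not from the talk).
# Rule from the slide: files 0644, directories 0755. One deliberate
# extension: wp-config.php holds the database credentials, so a tighter
# 0600 or 0640 on that one file is accepted rather than reported.

# Print every path whose mode deviates from the rule.
wp_perm_audit() {
    find "$1" -type f ! -perm 644 \
        ! \( -name wp-config.php \( -perm 600 -o -perm 640 \) \) -print
    find "$1" -type d ! -perm 755 -print
}

# Number of deviating paths; 0 means the tree is clean.
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Normalise the offenders (same selection as the audit).
wp_perm_fix() {
    find "$1" -type f ! -perm 644 \
        ! \( -name wp-config.php \( -perm 600 -o -perm 640 \) \) \
        -exec chmod 644 {} \;
    find "$1" -type d ! -perm 755 -exec chmod 755 {} \;
}

# Constructed demo tree with two deliberate offenders: a world-writable
# wp-config.php and a 0777 uploads directory.
make_demo_tree() {
    umask 022
    d=$(mktemp -d)
    chmod 755 "$d"
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/index.php"
    chmod 666 "$d/wp-config.php"
    chmod 777 "$d/wp-content/uploads"
    echo "$d"
}

# Stand-alone demo: `sh wp_perms.sh --demo` lists the two offenders,
# fixes them and then reports 0 remaining.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_demo_tree)
    wp_perm_audit "$t"
    wp_perm_fix "$t"
    echo "remaining: $(wp_perm_count "$t")"
    rm -rf "$t"
fi
```

Run the audit from cron against the real tree and alert on a non-zero count; run the fix only after checking what the audit reports.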
Take wp-config.php out of WordPress
Starting in 2.6, WordPress will also look for the wp-config.php configuration file in the parent directory of your WordPress directory, which, depending on your setup, might not be reachable through your web server's public files.
Move plugins and uploads directory out of WordPress
Also since 2.6, WordPress can be configured so that your plugins and uploads directories (where files uploaded from the administration panel go) point somewhere else. You can do it by setting the constants WP_CONTENT_DIR, WP_CONTENT_URL, WP_PLUGIN_DIR and WP_PLUGIN_URL:
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/your/blog/contents');
define('WP_CONTENT_URL', "http://myblog.com/contents");
...
Remove the WordPress version from the META head
WordPress apparently uses the generator META tag to scan for WordPress installations and compile usage statistics. That also lets potential attackers discover which version of WordPress you are running, and if it is an old, vulnerable one, you might get hit. You can call the WordPress function wp_head() instead.
Stay current on updates
Of course, always focus on getting the latest updates installed.
Secure passwords
Don't use "password" or "a" or "123" as a password for your installations. I recommend generating your password with a little tool called pwgen.
Secret keys
You can add some salt to your passwords by setting values for a few secret key constants. This strengthens the encryption of the information stored in users' cookies. The Codex gives this as an example:
define('AUTH_KEY', ':dr+%/5V4sAUG-gg%aS*v;&xGhd%{YKC^Z7KKGh j>k[.Nf$y7iGKdJ3c*[Kr5Bg');
define('SECURE_AUTH_KEY', 'TufWOuA _.t>#+hA?^|3RfGTm>@*+S=8\"\'+\"}]<m#+}V)p:Qi?jXLq,<h\\`39m_(');
define('LOGGED_IN_KEY', 'S~AACm4h1;T^\"qW3_8Zv!Ji=y|)~5i63JI |Al[(<YS<2V^$T])=8Xh2a:b:}U_E');
define('NONCE_KEY', 'k1+EOc-&w?hG8j84>6L9v\"6C89NH?ui{*3\\(t09mumL/fFP_!K$JCEkLuy ={x{0');
For more information on each of these secret keys, read their documentation.
Change the WordPress tables prefix
The database for a WordPress installation uses a prefix on each of the tables it uses, by default "wp_". You can change it to be a custom value.
Make sure you have HTTPS and force login and admin access through it
If possible, enable SSL on your host and configure WordPress to pass all login information and administration access through it. You can do it by setting the constants FORCE_SSL_LOGIN and FORCE_SSL_ADMIN to true.
IP lockdown
If you are using the Apache web server, you can configure it so that it only allows access to /wp-admin from a given IP (work or home only). You can do just about the same with any other web server available (namely, nginx).
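A concrete form of that lockdown, added here as an example and not part of the talk: a shell function that takes the allowed IPv4 addresses or CIDR ranges and prints a .htaccess for the wp-admin directory that works on both Apache 2.2 (Order/Allow/Deny) and 2.4 (Require ip). The admin-ajax.php exception is my own assumption, since front-end plugins call that file for every visitor and would break without it; the addresses in the usage line are documentation ranges.

```shell
# Generate wp-admin/.htaccess restricting access to the given IPv4
# addresses or CIDR ranges (added example, not from the talk).
# Usage: wp_admin_lockdown 203.0.113.5 198.51.100.0/24 > wp-admin/.htaccess
wp_admin_lockdown() {
    [ $# -gt 0 ] || { echo "usage: wp_admin_lockdown ADDR [ADDR...]" >&2; return 2; }
    # Only digits, dots and a single /prefix may reach the config file;
    # anything else is rejected so a stray argument cannot add directives.
    for a in "$@"; do
        case $a in
            ""|*[!0-9./]*|*/*/*) echo "rejected address: $a" >&2; return 2 ;;
        esac
    done
    cat <<EOF
# Only the listed addresses may reach wp-admin.
# Apache 2.4 (mod_authz_core):
<IfModule mod_authz_core.c>
    <RequireAny>
$(for a in "$@"; do printf '        Require ip %s\n' "$a"; done)
    </RequireAny>
    # admin-ajax.php is called by front-end plugins for every visitor,
    # so it stays reachable (assumption: you rely on such plugins).
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>
# Apache 2.2 (mod_access):
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
$(for a in "$@"; do printf '    Allow from %s\n' "$a"; done)
    <Files "admin-ajax.php">
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
EOF
}
```

Remember that the lockdown is only as stable as the listed addresses; a dynamic home IP will lock you out, so keep a second way in (SSH) to edit the file.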
Security Plugins
Some of the following plugins will make your life easier. I recommend taking a look at them; they are worthwhile!
WP Security Scan
Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

WordPress Exploit Scanner
This plugin searches the files and database of your website for signs of suspicious activity.

WordPress File Monitor
Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
Login Lockdown
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.
Finally
Some of the actions here are just preventive or simple security by obscurity. The truth is that you will never be 100% secure, and you have to make sure you understand that.
Presentation
This is Brad's presentation:
Glad you enjoyed the presentation, David! There are some great tips that every WordPress user should follow to keep their site secure.
Brad Williams
20 Nov 09 at 1:33 pm
Really helpful information.
Skatox
22 Nov 09 at 10:35 am