Preventing Your WordPress Website from Being Hacked

DESCRIPTION

This workshop was originally presented at the Code(Her) Conference hosted by the DC Web Women non-profit on September 13, 2014. It is a beginner-level workshop for WordPress website owners, designers, and administrators: it covers the basics of keeping your site protected, including a walkthrough of several plugin options and theme edits that can keep your site secure. Topics covered include:

• How to protect your WordPress site

• How to stop thousands of malicious login attempts

• How to back up your WordPress website

• How to protect your content (videos, images, and documents) from petty online theft

Additionally, you will learn about two-factor authentication and basic steps to take to secure any website, not only your WordPress installation.

(c) ann harris - southernsocialmarketing.com | hackpad: https://hackpad.com/DdB2ypCGOo7

Preventing Your WordPress Site from Being Hacked

Beginner Level Workshop for WordPress Website Owners, Designers, & Administrators

Course Materials

• Notes + resources uploaded to Lanyrd

• Shortened: http://j.mp/wphackerbegone

• Hackpad

• Collaborative note pad

• Add comments + questions

What You Need

• Administrator of a WordPress installation (or familiarity with WP)

• Access to your cPanel, an FTP client, or your domain host’s file manager. *Very, very beginners: this sounds more complicated than it is. Can you log in? You’re good.

• A web file editor, either in the browser or a desktop one (Kompozer, Dreamweaver, Notepad++, etc.)

Hi, y’all!

• Ann Harris

• @SoSocialAnn

• Code(Her) Workshops Co-Director

• Join us Tues, October 17 6:00 PM @ WeWork Chinatown for an incredibly interesting TBA topic

Before we begin…

1. Not a cybersecurity expert

2. More stuff out there

3. You can’t beat free

4. You really really can’t beat simple

Section 1: WordPress Security

Section 2: Basic Site Security

WordPress Protection

Back Up the Easy Way

• WordPress Plugin: Duplicator

• Back up both halves of the site:

• Files: website styles, themes, plugins, and uploads

• Database: tables, content, comments, membership/admin information

Back Up the Easy Way

• WordPress > Duplicator (build a package)

• Duplicator > Downloads folder on your computer

• Downloads > cloud copy via Backblaze

• Backing up then happens behind the scenes over Wi-Fi

• A Duplicator package contains a full database dump, user password hashes included, so download it and delete the copy left on the server rather than leaving it under the web root

Update Everything

• Plugins, themes, and WordPress itself. Most compromised sites are running an outdated plugin, theme, or core, so this is the highest-value item on the list

• ALWAYS back up before updating or changing settings, configurations, plugins, or themes

Avoid “admin”

• Do NOT use the username “admin”

• Brute-force tools try “admin” first, so keeping it hands the attacker half of the credential pair

Solution:

• Pick something else when you install

• Already installed? Plugin: Admin Renamer Extended

• The login name is not really secret, though: /?author=1 redirects to the author archive, which shows it. A strong password and a login limit still do the real work

Optimize Database + Clear Old, Unused Plugin Files

• No longer need a plugin? Deactivate > Delete

• Many plugins do not clean up their database tables after you uninstall them

• Plugin: WP DB Spring Clean (finds and removes the leftover tables)

Scenario

• A hacker is trying to get access

• Tries a username and password

• Keeps guessing, guessing, guessing, guessing…

• …until they (eventually) get in

Limit Login Attempts

• Solution: lock them out after X failed tries

• Plugin: Login Lockdown

• I might forget my password 5-10 times

• Anyone who tries 15+ times… probably a hacker

• Lock out! (lock the source IP out for a while rather than the account itself, or an attacker can lock you out of your own site)
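
The plugin counts failures inside WordPress; the same pattern is visible in your web server’s access log, and checking there tells you whether the “thousands of malicious login attempts” are really hitting you. The script below is an added example written for this page (it is not code from the workshop or from Login Lockdown): it parses combined-format log lines, counts POSTs to /wp-login.php per source IP inside a sliding ten-minute window, and reports the addresses over the slide’s 15-try threshold. The log lines, IP addresses, and timestamps are constructed for the demo.

```python
"""Spot brute-force login attempts in a web server access log.

Added example for this page, not code from the workshop or from the Login
Lockdown plugin. The plugin counts failed logins inside WordPress; this does
the same counting on the raw access log. All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, ts, method="POST", path="/wp-login.php", status=200):
    """Build one constructed log line (demo data only)."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} -0400] "{method} {path} HTTP/1.1" '
            f'{status} 3215 "-" "Mozilla/5.0"')


_T0 = datetime(2014, 9, 13, 10, 0, 0)
SAMPLE_LOG = (
    # 203.0.113.7: twenty POSTs to the login form, one per second -> a bot
    [_line("203.0.113.7", _T0 + timedelta(seconds=i)) for i in range(20)]
    # 198.51.100.20: four attempts spread over nine minutes -> a forgetful human
    + [_line("198.51.100.20", _T0 + timedelta(minutes=3 * i)) for i in range(4)]
    # ordinary traffic that must not be counted
    + [_line("198.51.100.20", _T0 + timedelta(minutes=12), "GET", "/", 200),
       _line("203.0.113.7", _T0 + timedelta(minutes=1), "GET", "/wp-login.php", 200)]
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def login_offenders(lines, threshold=15, window=timedelta(minutes=10)):
    """Map ip -> peak number of POST /wp-login.php requests inside any `window`,
    for the IPs whose peak exceeds `threshold` (the slide's "15+ tries" rule)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Only form submissions count; a GET just loads the login page.
        if method == "POST" and path.split("?", 1)[0] == "/wp-login.php":
            attempts[ip].append(ts)

    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, n in login_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside 10 minutes -> lock out")
```

A POST to wp-login.php that returns 200 is normally a failed login (WordPress re-renders the form with an error); a success redirects with a 302. Behind a CDN or reverse proxy the first field is the proxy’s address, so you would read the X-Forwarded-For header instead, and a brute force that goes through xmlrpc.php never touches wp-login.php at all.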

Two Factor Authentication

• Verify you are you by using your cell phone as well as your password

• Three possible factors exist:

• Something you are (fingerprint, face, DNA)

• Something you have (cellphone, credit card, laptop)

• Something you know (password, mother’s maiden name, birth date)

• Two factor authentication = two different factors:

• Factor One: Password (something you know)

• Factor Two: Cell phone (something you have)

• Many exist, few are free :(

• Needs a smartphone (or another device that can run an authenticator app) to work

Two Factor Authentication

• Google Authenticator plugin

• Its settings are not under Plugins; they live on each user’s profile

• Users > Your Profile > add a description you’ll recognize (this label is what the app shows)

• Activate > Generate Key

• Pull out your cell phone + install the Google Authenticator app

• Scan the barcode OR enter the key manually

• Email address must be the same as your WordPress login

• Take a picture of your recovery key and store it in a safe place, offline: anyone holding that key can generate your codes, so it is the second factor

Fix Database Prefix

• WordPress installations default to naming tables beginning with “wp_”

• Automated attack tools and SQL injection payloads are written against those default names (wp_users, wp_options, …), so a non-default prefix breaks the lazy ones

• It is a speed bump, not a wall: an injection that can read information_schema learns the real names anyway. The fix for SQL injection is still updating or removing the vulnerable plugin

• Start by changing the default table prefix

Fix Database Prefix

• First, back up your site and database (just in case)

• Plugin: Change DB Prefix

• Enter the new prefix + make sure it ends with an underscore (letters, numbers, and underscores only)

• Warning: Do this only ONCE. The table names and $table_prefix in wp-config.php must agree; verify the site loads and you can still log in before changing anything else
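
To see what the plugin is doing (and why the slide says once), here is the rename done by hand. This is an added example for this page, not the Change DB Prefix plugin’s code; it runs against an in-memory SQLite stand-in constructed with only the tables and rows the rename touches, so it can be tried without a MySQL server. The SQL is the same on MySQL apart from identifier quoting (backticks there). The new prefix x7q_ is arbitrary.

```python
"""Change the WordPress table prefix by hand.

Added example for this page, not the Change DB Prefix plugin's code. Runs
against a constructed in-memory SQLite database that mimics the handful of
default tables and rows a prefix change has to touch.
"""
import re
import sqlite3


def build_demo_db():
    """Constructed miniature of a default install: four tables plus the prefix-dependent rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_usermeta (umeta_id  INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_posts    (ID INTEGER PRIMARY KEY, post_title TEXT);
        INSERT INTO wp_options (option_name, option_value) VALUES
            ('siteurl', 'https://example.com'),
            ('wp_user_roles', 'a:1:{s:13:"administrator";a:0:{}}');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (1, 'wp_user_level', '10'),
            (1, 'nickname', 'ann');
        INSERT INTO wp_users (user_login) VALUES ('ann');
        INSERT INTO wp_posts (post_title) VALUES ('Hello world!');
    """)
    return conn


def list_tables(conn):
    return sorted(r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))


def change_prefix(conn, old, new):
    """Rename every `old*` table to `new*` and fix the rows whose *names* embed the prefix.
    Returns the list of tables that were renamed."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", new):
        raise ValueError("prefix must be letters, digits and underscores, ending in '_'")
    tables = [t for t in list_tables(conn) if t.startswith(old)]
    if not tables:
        raise LookupError(f"no tables start with {old!r}; has the prefix already been changed?")
    with conn:                                   # one transaction: all renames or none
        for t in tables:
            conn.execute(f'ALTER TABLE "{t}" RENAME TO "{new}{t[len(old):]}"')
        # Three rows are keyed on the prefix: options.wp_user_roles, usermeta.wp_capabilities
        # and usermeta.wp_user_level. Miss them and every user comes back with no role.
        for table, column in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
            conn.execute(
                f'UPDATE "{table}" SET {column} = ? || substr({column}, ?) '
                f'WHERE substr({column}, 1, ?) = ?',
                (new, len(old) + 1, len(old), old),
            )
    return tables


if __name__ == "__main__":
    db = build_demo_db()
    print("renamed:", change_prefix(db, "wp_", "x7q_"))   # x7q_ is an arbitrary new prefix
    print("tables now:", list_tables(db))
    print("last step: set $table_prefix = 'x7q_'; in wp-config.php")
```

The last step lives in wp-config.php: set $table_prefix = 'x7q_';. Running change_prefix a second time with the old prefix fails on purpose because no wp_ tables remain, which is exactly the situation the slide’s warning is about. The UPDATE statements are the part people miss: the role and capability rows are named after the prefix, and a site that renames only the tables comes back with every user demoted to no role at all.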

Hide WordPress Version #

• How to find it easily: use inspect element or view the page source and look for the generator meta tag

• Possible solutions:

1. Plugin: Hide WordPress Version (Adam Harley)

2. Add code to your theme’s functions.php

3. Delete readme.html (or at least remove the version number from it). Note that every core update puts readme.html back

Hide WordPress Version #

• My top choices:

• Don’t install another plugin

• Add to functions.php AND delete the readme.html

• functions.php:

// Return an empty string instead of the "WordPress x.y.z" generator tag
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

*note: removes the generator tag from both the HTML source and the RSS feeds. It does not touch the ?ver= query strings WordPress appends to enqueued scripts and styles, which leak the same number, and a scanner will try its known exploits regardless of what the page claims. Updating is the real fix; hiding the version just cuts the noise

Protect wp-config.php

• Contains your WordPress configuration (including cache settings), the database credentials, and the authentication keys and salts

• How to fix?

• Move the file up one folder, out of the web root

• It still works! WordPress checks the parent of its install directory for wp-config.php automatically, as long as that parent is not itself another WordPress install. Once the file sits outside the document root, a misconfigured server that serves PHP as plain text can no longer hand it out

Protect wp-config.php with .htaccess

• If you can’t move it, add the following to the .htaccess file in the same directory:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

• On Apache 2.4 and later, replace the two order/deny lines with: Require all denied. This blocks direct web requests for the file only; PHP still reads it from disk as normal

Protect /wp-admin

• Hackers can’t enter a username and password if they can’t find the login box!

• Plugin: HC Custom WP-Admin URL

• This is obscurity, not access control: wp-login.php and xmlrpc.php also accept credentials, so check that the plugin blocks the default paths and keep the login limit in place

Force SSL

• Add the following to wp-config.php:

define('FORCE_SSL_ADMIN', true);

• This sends the login page and the whole dashboard over HTTPS so passwords and session cookies never cross the wire in the clear. You need a working certificate for your domain first, or you will lock yourself out of wp-admin. FORCE_SSL_ADMIN covers the login page too; the older FORCE_SSL_LOGIN is deprecated

Basic Website Security

Hotlinking Protection

• Hotlinking: another site embedding your images or files straight from your server, so you pay for the bandwidth and they get the content

• You should probably back up now…

• Decide what file types you want to protect (images, PDFs, videos)

• Use HTAccess Tools’ hotlink protection generator

• Copy & paste the rules into your .htaccess file (allow an empty Referer, or visitors whose browsers strip it lose your images too)

• http://www.htaccesstools.com/hotlink-protection/

Protect your videos

• Best host? Use Vimeo Pro.

• When you place a video on your site, you can specify that it is embeddable only on your domain.

• YouTube? Even unlisted videos can be shared anywhere by anyone who gets the link.

Protecting Your Folders

• Navigate inside the folder

• Create (if not there already) .htaccess and .htpasswd

• Use HTAccess Tools’ htpasswd generator, or the htpasswd command that ships with Apache (htpasswd -n username), which keeps your real password off a third-party web form

• http://www.htaccesstools.com/htpasswd-generator/

Protecting Your Folders

• .htaccess:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user

*note: AuthUserFile needs the exact filesystem path, not a URL. On MediaTemple it looks like this: /home/21410/domains/website.com/html/examples/PasswordProtected/.htpasswd. Apache refuses to serve files whose names start with .ht, but keeping .htpasswd outside the web root is safer still

• .htpasswd:

ann-password:$apr1$ur9/yDct$Dt9G2yWKaiiVlEInOi2vF0

• UN: ann-password PW: password (demo credentials only; Basic auth sends the password with every request, so use it over HTTPS)

Prevent Indexing Your Folders

• Stop anyone, search engine crawlers included, from listing the contents of a folder that has no index file

• Go to the folder you want to protect (uploads?)

• Add (or create) .htaccess containing: Options -Indexes

• Files that are linked from somewhere else can still be fetched and indexed; if they are private, put them behind the password protection above

DMCA Protection

• Digital Millennium Copyright Act

• If you find someone pirating your content on their site, you can send the web hosting company a copyright-violation claim; a US host that wants to keep its safe-harbor protection has to take the material down.

• DMCA takedown services - paid & subscription sites

• DMCA.com - DIY ($10/mo) or have a pro do it

• ActiveDMCA.com - Protect products ($1 trial)

Protecting Embedded Videos

• Obfuscate the embed code (“HTML encryption” tools)

• Use that instead of pasting YouTube’s embed code as-is

• Doesn’t fix it 100%: this is obfuscation, not encryption. The browser has to decode it to play the video, so the decoded iframe is one dev-tools click away. It does make it a PITA for casual copying of your videos

Download the Notes

http://j.mp/wphackerbegone

WTF Rescue Plan

1. Limit access to your website to *only* your IP address while you work (an .htaccess allow list on the whole site is enough)

2. Modify wp-config.php and change WP passwords, keys, and salts. New salts invalidate every existing login cookie, the attacker’s included

3. Change the database user’s password and update DB_PASSWORD in wp-config.php to match

4. Investigate! Go through the website security checklist. Figure out what went wrong (unknown admin users, modified core files, plugins or themes you did not install) so when you restore your backup you can fix the leak

5. Restore a backup from before the compromise with the new database password, keys, salts, etc. and any changes you need to make to keep it secure moving forward

6. Worst Case Scenario: Hire a pro to fix it and alert your web host about the incident
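
Steps 2 and 3 both end up in wp-config.php. The script below is an added example for this page, not from the workshop: it generates eight new 64-character keys and salts with Python’s secrets module (WordPress’s own generator at https://api.wordpress.org/secret-key/1.1/salt/ produces the same shape of output) and rewrites only the matching define() lines, and it updates DB_PASSWORD the same way once you have changed the password on the database side. SAMPLE_CONFIG is a constructed fragment of a wp-config.php, not a real one.

```python
"""Rescue-plan steps 2 and 3 in wp-config.php: fresh keys/salts and a new DB password.

Added example for this page, not from the workshop. SAMPLE_CONFIG is a
constructed fragment; real files have more lines, which this code leaves alone.
"""
import re
import secrets
import string

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# No quote or backslash, so a value drops straight into a PHP single-quoted string.
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_[]{}<>~+=,.;:/?|"

# define('KEY', 'value');  one per line, as wp-config.php writes them
DEFINE_RE = re.compile(
    r"""^(?P<pre>[ \t]*define\([ \t]*['"](?P<key>[A-Z_]+)['"][ \t]*,[ \t]*)"""
    r"""'(?P<val>[^'\n]*)'(?P<post>[ \t]*\)[ \t]*;.*)$""",
    re.MULTILINE,
)

SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'old-password');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('FORCE_SSL_ADMIN', true);
"""


def new_salt(length=64):
    """64 random characters from ALPHABET, the length WordPress's generator uses."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def get_define(config_text, key):
    """Value of define('KEY', '...'), or KeyError if the line is missing."""
    for m in DEFINE_RE.finditer(config_text):
        if m["key"] == key:
            return m["val"]
    raise KeyError(key)


def set_define(config_text, key, value):
    """Replace the value of exactly one define('KEY', '...') line; every other byte stays put."""
    if "'" in value or "\\" in value:
        raise ValueError("value would break the PHP single-quoted string")
    hits = 0

    def repl(m):
        nonlocal hits
        if m["key"] != key:
            return m[0]
        hits += 1
        return f"{m['pre']}'{value}'{m['post']}"

    out = DEFINE_RE.sub(repl, config_text)
    if hits != 1:
        raise KeyError(f"{key}: expected one definition, found {hits}")
    return out


def rotate_salts(config_text):
    """New random value for all eight keys; every existing login cookie, the attacker's too, stops validating."""
    for key in SALT_KEYS:
        config_text = set_define(config_text, key, new_salt())
    return config_text


if __name__ == "__main__":
    updated = rotate_salts(SAMPLE_CONFIG)
    # After changing the DB user's password in MySQL/cPanel, record the new one here as well:
    updated = set_define(updated, "DB_PASSWORD", "replace-with-the-new-db-password")
    print(updated)
```

Run it against a copy of your real wp-config.php, check the diff, then upload. If a site has a custom define written on several lines, or a salt key missing, set_define raises instead of guessing; that is deliberate, because a half-rotated set of salts is hard to notice and the attacker’s cookie may still validate.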

Protecting Your Browsing

• Insecure site = hacker playground

• Secure site + insecure server (host) = hacker party

• Secure site + secure server + insecure connection (public Wi-Fi) = hacker paradise

• TunnelBear (a VPN for untrusted networks; with FORCE_SSL_ADMIN on, your admin session is encrypted either way)