Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Securing Your WordPress Site 040814

advertisement 
Securing your WordPress Site
Presented by Russ Sanderlin
Russ Sanderlin, RHCE
Senior Network Systems Analyst, AAA National Office
Owner, Tearstone Graphics
@Tearstone
Agenda
•
•
•
•
•
•
Importance
Attack Surface
Basic Hardening
Ongoing Security
Plugins
Read More
Importance
• WordPress continues to grow in popularity
• Bigger the platform, the greater the reported
incidents for security.
• 2012 – 117,000 WordPress hacked sites were
reported
• 2013 – 73.2 % of the top 40,000+ WordPress sites
were vulnerable to exploits
Source: WP White Security
Attack Surface
• Definition: Sum of the amount of points an attacker
could use to get into a system.
• Points of entry for extracting data, or inserting
malware are called "attack vectors“
• Minimize attack vectors by minimizing the amount
of code running on the site.
o Minimize the amount of Themes, Plug-Ins
Source: OWASP.ORG
NEW! Wordpress 3.8.2
• Potential authentication cookie forgery.
• Privilege escalation: prevent contributors from
publishing posts.
• (Hardening) Pass along additional information when
processing pingbacks to help hosts identify
potentially abusive requests.
• (Hardening) Fix a low-impact SQL injection by
trusted users.
• (Hardening) Prevent possible cross-domain scripting
through Plupload, the third-party library WordPress
uses for uploading files.
Basic Hardening
Start With A Secure Foundation
Users
• Delete “admin” account, create new login with
unusual name for administration.
• All users, especially with elevated privileges should
have complex passwords.
o
o
o
o
Changed every 60-90 days
At least 8 characters
Combination of mixed case, numbers and special character i.e. #5hN!uM
Avoid dictionary passwords
Database - MySQL
• Use an abstract naming convention (security
through obsecurity)
o Database names
o table prefixes, not wp_
o MySQL User names
• Assign limited privileges to SQL user.
o WordPress database user only needs SELECT, INSERT, DELETE and UPDATE
o GRANT, DROP and ALTER are not needed
Webhost
• Find a webhost that understands WordPress
• Takes security seriously
• Find out if host performs backups.
o If not, implement a backup solution
• Server side scans and malware cleanup
• Host should have VPS options for growth and better
security.
Site
• Avoid running multiple WordPress installations on
one domain
• Do not run a development version of the site on
your production site.
• Disable FTP, use SFTP
Permissions
• Unix/Linux permissions
o R = 4, W = 2, X =1 (Combine values to set permission)
o Owner – Group – Public
o I.e. 775 = rwxrwxr_x (Owner + group have full perms, world cannot write)
• File and Folder Permissions
o Default is 664 for files, 775 for folders
o Wp-config.php and .htaccess
• 664 to allow for modification
• 444 to allow read, not modify
Ongoing Security
Ounce of prevention is worth a pound of cure – Benjamin
Franklin
Update Your Site
• Update WordPress Core, Plug-Ins and Themes
• WP White Security found 42,106 Top Alexa-based
ranked sites running WordPress:
o 73.2% were running old versions which had documented vulnerabilities
o 74 different versions of WordPress, 10 of which were reported as fake
• Older versions of WordPress are not maintained with
security updates.
Perform Routine
Inspections
• Perform site cleanups on a regular basis
• Review all installed plug-ins
• Remove themes and plug-ins no longer needed
(reduce attack surface)
• Identify anything you do not remember installing
and handle with care
Scan with SiteCheck
•
•
•
•
Scan site with Scuri.Net SiteCheck
Free general site malware checker
Premium clean up service
Premium monitoring service
WPScan
• Black Box WordPress security scanner
• Pre-Installed on these operating systems
o
o
o
o
BlackBox Linux
Kali Linux
Pentoo
SamuraiWTF
• Download, Install Instructions, Arguments found on
http://wpscan.org
Security Plugins
Providing a pre-coded helping hand
Understand Your Plugin
• Understand what the security plugins do, and what
effects they have on your site
o Your requirements should drive the choice in plugin, the plugin should not
drive your site requirements
o Plugins have performance implications to WordPress sites, more code can
slow down site loads.
o Multiple plugins or excessive functionality extends attack surface
• Misconfiguration can break your site
o i.e. intrusion detection could stop search engines from crawling your site
• Security plugins could lock you out of your own site
• Plugin support can be a challenge
Limit Login Attempts
• Customize the rate of invalid login attempts
o Limit login attempts by IP
o Limit login via cookies
• Makes brute-force attacks impossible
Manage WP
• Plugin that integrates with https://managewp.com/
• Centralize update administrations of multiple
WordPress sites
• Automated backups
• Provides email notification alerts
iThemes Security
(Better WP Security)
• Automatically Secure Site from Basic Attacks
o
o
o
o
Prevent non-admins from accessing admin content
Default usernames with “admin” replaced
Brute force login protection
Prevent website scanning
• Change admin, register and login URL
• Limit Logins and time restrictions
o Restrict max login attempts by user or host
o Disable site access on a schedule
• Blacklist: Users, Groups or IPs
• Data Backup
• Change Database Prefix
WordFence
• Delivers Enterprise-Class Security
• Includes
o
o
o
o
Fast Cache Engine
Firewall
(Premium) Anti-Virus Scanning
(Premium) Two-Factor authentication (use cell phone to login)
• Repair core, theme and plugin files
• Consumes a lot resources, not ideal for shared
hosting.
Bulletproof Security
• Automatically optimizes website for security
• Protects WordPress site against a number of
documented hack attempts.
• Security Logging (Account use, HTTP errors)
• File and Folder Permission Scans
• Maintenance Mode with countdown timer
• Focuses on .htaccess protection
All In One Security and
Firewall
• Security Points – Assesses a score based on how
secure your site is
• Classifies security configuration features on risk
• Secures
o
o
o
o
o
User Accounts
User Logins
Database Security (Change table prefix)
Visual file system review
Blacklist IP addresses
• Incorporates DB Backup to schedule automated
backups
Sources, Read More
• http://codex.wordpress.org/Hardening_WordPress
• http://www.designwall.com/blog/how-to-handle-awordpress-security-attack/
• http://www.cvedetails.com/vulnerability-list/vendor_id2337/product_id-4096/Wordpress-Wordpress.html
• https://managewp.com/security-plugins-problem
• https://www.owasp.org/index.php/Attack_Surface_Analysis_C
heat_Sheet
• http://codex.wordpress.org/Changing_File_Permissions
• http://codex.wordpress.org/Version_3.8.2
Any Questions??
Grab a WordPress Decal
Related documents
Creating Wordpress Plugins - East Toronto Web Design Meetup
Creating Wordpress Plugins - East Toronto Web Design Meetup
WordPress-Security
WordPress-Security
Powerpoint
Powerpoint
PowerPoint Presentation - Creating a WordPress Website
PowerPoint Presentation - Creating a WordPress Website
Earth is Ascending Presentation by Guru Ra
Earth is Ascending Presentation by Guru Ra
CMS-Systems-and-WordPress - seocourse
CMS-Systems-and-WordPress - seocourse
berytech18-11-2009
berytech18-11-2009
optimizing-WordPress
optimizing-WordPress
XL0Y-71FR-301Z-0032
XL0Y-71FR-301Z-0032
Simple Techniques to Improve Your Website using the
Simple Techniques to Improve Your Website using the
Models of Communication - COKY
Models of Communication - COKY
Jazakallah.... - YasSarNal QuR`aN
Jazakallah.... - YasSarNal QuR`aN
Download
advertisement