Securing your WordPress Site
Presented by Russ Sanderlin

Russ Sanderlin, RHCE
Senior Network Systems Analyst, AAA National Office
Owner, Tearstone Graphics
@Tearstone

Agenda
• Importance
• Attack Surface
• Basic Hardening
• Ongoing Security
• Plugins
• Read More

Importance
• WordPress continues to grow in popularity
• The bigger the platform, the greater the number of reported security incidents.
• 2012 – 117,000 WordPress hacked sites were reported
• 2013 – 73.2% of the top 40,000+ WordPress sites were vulnerable to exploits
Source: WP White Security

Attack Surface
• Definition: the sum of the points an attacker could use to get into a system.
• Points of entry for extracting data or inserting malware are called "attack vectors".
• Minimize attack vectors by minimizing the amount of code running on the site.
  o Minimize the number of themes and plug-ins
Source: OWASP.ORG

NEW! WordPress 3.8.2
• Potential authentication cookie forgery.
• Privilege escalation: prevent contributors from publishing posts.
• (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
• (Hardening) Fix a low-impact SQL injection by trusted users.
• (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

Basic Hardening
Start With A Secure Foundation

Users
• Delete the "admin" account; create a new login with an unusual name for administration.
• All users, especially those with elevated privileges, should have complex passwords.
  o Changed every 60-90 days
  o At least 8 characters
  o Combination of mixed case, numbers and special characters, e.g. #5hN!uM
  o Avoid dictionary passwords

Database - MySQL
• Use an abstract naming convention (security through obscurity)
  o Database names
  o Table prefixes, not wp_
  o MySQL user names
• Assign limited privileges to the SQL user.
  o The WordPress database user only needs SELECT, INSERT, DELETE and UPDATE
  o GRANT, DROP and ALTER are not needed

Webhost
• Find a webhost that understands WordPress
• Takes security seriously
• Find out if the host performs backups.
  o If not, implement a backup solution
• Server-side scans and malware cleanup
• Host should have VPS options for growth and better security.

Site
• Avoid running multiple WordPress installations on one domain
• Do not run a development version of the site on your production site.
• Disable FTP, use SFTP

Permissions
• Unix/Linux permissions
  o R = 4, W = 2, X = 1 (combine the values to set a permission)
  o Owner – Group – Public
  o e.g. 775 = rwxrwxr-x (owner and group have full permissions, world cannot write)
• File and folder permissions
  o Default is 664 for files, 775 for folders
  o wp-config.php and .htaccess
    • 664 to allow modification
    • 444 to allow read, not modify

Ongoing Security
An ounce of prevention is worth a pound of cure – Benjamin Franklin

Update Your Site
• Update WordPress core, plug-ins and themes
• WP White Security found 42,106 top Alexa-ranked sites running WordPress:
  o 73.2% were running old versions which had documented vulnerabilities
  o 74 different versions of WordPress, 10 of which were reported as fake
• Older versions of WordPress are not maintained with security updates.
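For the "Database - MySQL" slide, the following added shell example (not part of the deck, and not WordPress's or MySQL's own tooling) does two things: it emits the SQL a DBA would feed to the mysql client to create a WordPress database user holding only SELECT, INSERT, UPDATE and DELETE, and it audits a row of SHOW GRANTS output for anything beyond that set, including the GRANT OPTION. The database name, user, host and the SHOW GRANTS rows are constructed placeholders.

```sh
#!/bin/sh
# Added example: least-privilege grants for the WordPress DB user, plus an
# audit of SHOW GRANTS output. Names and sample rows below are placeholders.

# USAGE is MySQL's "no privileges" marker and shows up in SHOW GRANTS; it is
# harmless, so it is allowed alongside the four privileges the deck lists.
ALLOWED_PRIVS="USAGE SELECT INSERT UPDATE DELETE"

# wp_grant_sql DBNAME USER HOST PASSWORD
# Prints the SQL to create the WordPress user with only the four privileges.
wp_grant_sql() {
    db=$1; user=$2; host=$3; pass=$4
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# wp_excess_privs "GRANT ... ON ... TO ..."
# Takes one SHOW GRANTS row and prints, one per line, every privilege not in
# ALLOWED_PRIVS. Prints nothing when the grant is already minimal.
wp_excess_privs() {
    row=$1
    # The privilege list sits between "GRANT " and " ON "
    privs=$(printf '%s' "$row" | sed -e 's/^GRANT //' -e 's/ ON .*$//')
    printf '%s\n' "$privs" | tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//' |
    while IFS= read -r p; do
        case " $ALLOWED_PRIVS " in
            *" $p "*) ;;                # allowed, skip
            *) printf '%s\n' "$p" ;;    # anything else is excess
        esac
    done
    # GRANT OPTION is appended after the ON clause, so check it separately
    case "$row" in
        *"WITH GRANT OPTION"*) printf 'GRANT OPTION\n' ;;
    esac
}

# Constructed SHOW GRANTS rows (not taken from any real server)
SAMPLE_OVERPRIVILEGED="GRANT ALL PRIVILEGES ON \`wp_prod\`.* TO 'wpuser'@'localhost'"
SAMPLE_MINIMAL="GRANT SELECT, INSERT, UPDATE, DELETE ON \`wp_prod\`.* TO 'wpuser'@'localhost'"
SAMPLE_MIXED="GRANT SELECT, INSERT, UPDATE, DELETE, DROP, ALTER ON \`wp_prod\`.* TO 'wpuser'@'localhost' WITH GRANT OPTION"

# Demo: print the SQL for a placeholder site, then audit the constructed rows
wp_grant_sql wp_prod wpuser localhost 'CHANGE-ME'
for row in "$SAMPLE_OVERPRIVILEGED" "$SAMPLE_MINIMAL" "$SAMPLE_MIXED"; do
    extra=$(wp_excess_privs "$row")
    if [ -n "$extra" ]; then
        printf 'EXCESS: %s -> %s\n' "$row" "$(printf '%s' "$extra" | tr '\n' ' ')"
    else
        printf 'OK:     %s\n' "$row"
    fi
done
```

Run the audit against the real output of `SHOW GRANTS FOR 'wpuser'@'localhost'` rather than the constructed rows to see what a live account holds. One caveat the slide does not mention: core updates and some plugins alter the schema, so CREATE, ALTER and DROP may have to be granted for the duration of that change and revoked afterwards.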
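For the "Permissions" slide, this added shell example (not from the deck) audits a WordPress tree against the scheme given there, 664 for files, 775 for folders and 444 for wp-config.php and .htaccess, applies it, and temporarily relaxes the two locked files to 664 for editing. It builds a throw-away directory tree with deliberately wrong modes so it runs without touching a real install; the tree layout and file names are constructed for the demo.

```sh
#!/bin/sh
# Added example: audit and apply the Permissions slide's modes on a WordPress
# install. The demo tree below is constructed; point the functions at a real
# document root (placeholder: /var/www/example) only after reviewing them.

FILE_MODE=664    # rw-rw-r--  regular files
DIR_MODE=775     # rwxrwxr-x  directories
LOCKED_MODE=444  # r--r--r--  wp-config.php and .htaccess once editing is done

# wp_audit_perms ROOT
# Prints one line per path that deviates from the scheme; returns 0 when clean.
wp_audit_perms() {
    root=$1
    out=$( {
        find "$root" -type d ! -perm "$DIR_MODE" | sed 's/^/dir    /'
        find "$root" -type f ! -name wp-config.php ! -name .htaccess \
            ! -perm "$FILE_MODE" | sed 's/^/file   /'
        find "$root" -type f \( -name wp-config.php -o -name .htaccess \) \
            ! -perm "$LOCKED_MODE" | sed 's/^/locked /'
    } )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# wp_set_perms ROOT
# Applies the scheme: directories, then files, then the two locked files last
# so the 444 wins over the general 664.
wp_set_perms() {
    root=$1
    find "$root" -type d -exec chmod "$DIR_MODE" {} +
    find "$root" -type f -exec chmod "$FILE_MODE" {} +
    find "$root" -type f \( -name wp-config.php -o -name .htaccess \) \
        -exec chmod "$LOCKED_MODE" {} +
}

# wp_unlock_config ROOT
# The slide's "664 to allow modification": relax the locked files while editing,
# then run wp_set_perms again to re-lock them.
wp_unlock_config() {
    find "$1" -type f \( -name wp-config.php -o -name .htaccess \) \
        -exec chmod "$FILE_MODE" {} +
}

# wp_demo_tree
# Creates a constructed mini WordPress tree with three wrong modes and prints its path.
wp_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/hello" "$d/wp-content/uploads"
    printf '<?php\n' > "$d/wp-config.php"
    printf '# rewrite rules\n' > "$d/.htaccess"
    printf '<?php\n' > "$d/wp-content/plugins/hello/hello.php"
    printf 'jpeg\n' > "$d/wp-content/uploads/img.jpg"
    chmod 777 "$d/wp-content/uploads"                   # world-writable dir
    chmod 600 "$d/wp-config.php"                        # not the scheme's 444
    chmod 755 "$d/wp-content/plugins/hello/hello.php"   # executable PHP file
    printf '%s\n' "$d"
}

# Demo on the constructed tree (nothing here touches a real install)
demo=$(wp_demo_tree)
echo "Before:"
wp_audit_perms "$demo" || echo "(deviations found, as expected)"
wp_set_perms "$demo"
echo "After:"
wp_audit_perms "$demo" && echo "clean"
rm -rf "$demo"
```

Modes alone are only half of the picture: 664/775 assume the web server process shares the group of the file owner, so check ownership (ls -l) on the host before applying the scheme, and expect features that rewrite .htaccess (permalink changes, some plugins) to need wp_unlock_config first.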
Perform Routine Inspections
• Perform site cleanups on a regular basis
• Review all installed plug-ins
• Remove themes and plug-ins no longer needed (reduce attack surface)
• Identify anything you do not remember installing and handle with care

Scan with SiteCheck
• Scan site with Sucuri.Net SiteCheck
• Free general site malware checker
• Premium clean-up service
• Premium monitoring service

WPScan
• Black-box WordPress security scanner
• Pre-installed on these operating systems
  o BackBox Linux
  o Kali Linux
  o Pentoo
  o SamuraiWTF
• Download, install instructions and arguments found on http://wpscan.org

Security Plugins
Providing a pre-coded helping hand

Understand Your Plugin
• Understand what the security plugins do, and what effects they have on your site
  o Your requirements should drive the choice of plugin; the plugin should not drive your site requirements
  o Plugins have performance implications for WordPress sites; more code can slow down site loads.
  o Multiple plugins or excessive functionality extends the attack surface
• Misconfiguration can break your site
  o e.g.
    intrusion detection could stop search engines from crawling your site
• Security plugins could lock you out of your own site
• Plugin support can be a challenge

Limit Login Attempts
• Customize the rate of invalid login attempts
  o Limit login attempts by IP
  o Limit login via cookies
• Makes brute-force attacks impossible

ManageWP
• Plugin that integrates with https://managewp.com/
• Centralizes update administration of multiple WordPress sites
• Automated backups
• Provides email notification alerts

iThemes Security (Better WP Security)
• Automatically secures the site from basic attacks
  o Prevent non-admins from accessing admin content
  o Default usernames with "admin" replaced
  o Brute-force login protection
  o Prevent website scanning
• Change admin, register and login URLs
• Limit logins and time restrictions
  o Restrict max login attempts by user or host
  o Disable site access on a schedule
• Blacklist: users, groups or IPs
• Data backup
• Change database prefix

Wordfence
• Delivers enterprise-class security
• Includes
  o Fast cache engine
  o Firewall (Premium)
  o Anti-virus scanning (Premium)
  o Two-factor authentication (use cell phone to log in)
• Repair core, theme and plugin files
• Consumes a lot of resources; not ideal for shared hosting.

BulletProof Security
• Automatically optimizes website for security
• Protects WordPress site against a number of documented hack attempts.
• Security logging (account use, HTTP errors)
• File and folder permission scans
• Maintenance mode with countdown timer
• Focuses on .htaccess protection

All In One Security and Firewall
• Security points – assesses a score based on how secure your site is
• Classifies security configuration features by risk
• Secures
  o User accounts
  o User logins
  o Database security (change table prefix)
  o Visual file system review
  o Blacklist IP addresses
• Incorporates DB backup to schedule automated backups

Sources, Read More
• http://codex.wordpress.org/Hardening_WordPress
• http://www.designwall.com/blog/how-to-handle-a-wordpress-security-attack/
• http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html
• https://managewp.com/security-plugins-problem
• https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
• http://codex.wordpress.org/Changing_File_Permissions
• http://codex.wordpress.org/Version_3.8.2

Any Questions??
Grab a WordPress Decal