wordpress security best practices
Post on 08-May-2015
5.304 Views
Preview:
DESCRIPTION
TRANSCRIPT
There is always a current threat
The worst type of threats are those you don’t know about
So be prepared!
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
The Art of War - Sun Tzu ~512BC
Locked away in a deep dark basement
No internet connection
No user interaction
= Pretty useless website
= There is a balance to be had
Everything is Hackable Best we can do is make our site less attractive than others to hack into.
Would you attempt to break into this car?
The most vulnerable part of your website is…
YOU
Read this book!
Not just WordPress
cPanel, email, FTP, SSH, MySQL, WordPress
Avoid typical “Administrator” usernames
admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …
No personal information such as DoB
e.g. bob1976
No footie clubs, car regos, pet or family names
Use a random 16 (at least) character password
UPPER, lower, digits, punctuation
e.g. b9G#Z4YVemTN^X6S
Random character passwords
= difficult for you to remember
= difficult for hackers to guess
Use a password service such as LastPass
Local 256-bit encryption, SSL data transfer
https://lastpass.com
Consider forcing users to have a strong password
Force Strong Passwords plugin.
http://wordpress.org/plugins/force-strong-passwords/
Coming soon to WordPress 3.7 or 3.8
Only allow one login per device.
Restrict logins under same username on multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin
http://wordpress.org/plugins/wp-bouncer/
Understanding UNIX file permissions is key
In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may recommend you set /wp-content/uploads to 777
Move to another hosting company!
Probably your three most important sys files are:
.htaccess = permalinks, etc
php.ini = PHP settings
wp-config.php = WordPress DB username & pass
These should be locked down to CHMOD 444
Malware can be hidden in Themes, Plugins & other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $89.99 /site /year
Update WordPress Core, Themes and Plugins regularly = at least weekly
ManageWP service good for multiple sites https://managewp.com
Automatic Updates are coming to WordPress soon (prob 3.7 or 3.8).
Get it now = “Automatic Updater” plugin http://wordpress.org/plugins/automatic-updater/
Choose to update Core, Themes and/or plugins
Especially “free” themes and torrents
Very common to “insert” links into footer areas
Code can read your wp-config.php file and email/send it elsewhere = you’re screwed
Don’t use themes or plugins from Torrent sites!
Always try to download from original source
Read: http://wpmu.org/why-you-should-never-search-for-
free-wordpress-themes-in-google-or-anywhere-else/
Search through files for:
Base64_decode edoced_46esaB and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker http://wordpress.org/plugins/tac/
Exploit Scanner http://wordpress.org/plugins/exploit-scanner/
Not all Base64_decode function calls are evil
WordPress uses the function extensively throughout the core.
Should be easy to decode and work out if good or bad in plugins or themes.
Popular image/thumbnail resizing script
Bundled in many themes and plugins
Responsible for many WordPress security breaches
“The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the
cause of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
Script was “fixed” of exploits however old versions still lurk out there.
Search for TimThumb and check you are using the correct version.
https://code.google.com/p/timthumb/
Version 2.8.11 as of this slide
The nature of TimThumb still makes it potentially very dangerous to have on your site.
Consider alternative themes or plugins.
Read this: http://www.limecanvas.com/timthumb-is-evil/
Won’t make your site “secure” from hacks
Will encrypt the data transmitted between computer and server
More on SSL certificates at http://www.symantec.com/en/au/ssl-certificates
If you have an SSL certificate..
Force all Dashboard and Logins to use HTTPS
In wp-config.php
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
Gives additional level of security.
WordFence plugin is recommended: http://www.wordfence.com/
Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*
*premium functions
Brute force attacks try to repeatedly guess username & password.
Block IP address after X number of login attempts within a period.
Limit Login Attempts plugin http://wordpress.org/plugins/limit-login-attempts/
Don’t give the hackers a
helping hand
Remove that info!
Add this to functions.php add_filter(‘login_errors', '__return_null');
There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly). Back up to email http://wordpress.org/plugins/wponlinebackup/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy http://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency. Can you restore from an issue that’s been happening for 2 months?
Check your backup files – do a test restore!
Using another device to generate an authentication code e.g. Mobile phone app
Verification code + login = 2 factor auth
Google Authenticator http://wordpress.org/plugins/google-authenticator/
Is two factor authentication not enough for you?
Biometric authentication uses part of our own body as the second verification part.
This is going to be the normal way of authenticating with systems in the not so distant future.
VoxedIn is a Smartphone app that lets you log in to your WordPress site using voice biometrics. http://wordpress.org/plugins/voxedin/
Move the wp-content folder to a new location.
Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */
define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');
define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes may have hard-codes wp-content location.
Use .htaccess to protect your wp-config.php file <files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can access the wp-config.php file now except for the web server owner.
Use .htaccess to stop SQL Injection attacks Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any requests or changes to global variables containing <script> gets blocked.
Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing Options –Indexes
Password protect wp-admin folder using cPanel and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
Remove the WordPress dashboard Editor for themes and plugins
Add to wp-config.php define('DISALLOW_FILE_EDIT', true);
Default MySQL DB table prefix is wp_
Change before installing new WordPress sites.
Add to wp-config.php $table_prefix = ‘mynewprefix_';
Existing websites – use WP Security Scan http://wordpress.org/plugins/wp-security-scan/
Monitor who does what on your WordPress site.
WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
Using .htaccess RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login
Add to wp-config.php: define('WP_ADMIN_DIR', 'secret-folder');
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
Add to functions.php: add_filter(‘site_url', ‘lc_wpadmin_filter', 10, 3);
function lc_wpadmin_filter( $url, $path, $orig_scheme ) {
$old = array( "/(wp-admin)/");
$admin_dir = WP_ADMIN_DIR;
$new = array($admin_dir);
return preg_replace( $old, $new, $url, 1);
}
Add to .htaccess: RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/
Known as DoS or DDoS (distributed)
There is nothing YOU* can do to pre-emptively stop
DoS attacks.
Contact your host company
*Unless you own your own data centre
• [4] activerain.com
• [5] mybroadband.co.za
• [6] wired.com
• [12] www.zzee.com
• [12] acm.uiuc.edu
• [12] danielmiessler.com
• [19] wordpress.org/plugins/tac/
• [21] www.promptwebhosting.com.au
• [28] www.bestwpthemez.com
• [30] blog.eternalvigilance.me
• [31] www.mobyware.ru
• [32] www.ibmsystemsmag.com
• [33] disruptive.io
• [37] www.gobalakrishnan.com
• [38] www.trickytechs.com
• [38] www.wpbeginner.com
• [39] www.limecanvas.com
• [45] www.computerworld.com
top related