Securing your WordPress Site Presented by Russ Sanderlin

Upload: duyen

Post on 25-Feb-2016

DESCRIPTION

Securing your WordPress Site Presented by Russ Sanderlin. Russ Sanderlin, RHCE. Senior Network Systems Analyst, AAA National Office. Owner, Tearstone Graphics, @Tearstone. Agenda: Importance, Attack Surface, Basic Hardening, Ongoing Security, Plugins, Read More. Importance. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Securing your WordPress Site Presented by Russ Sanderlin

Securing your WordPress Site
Presented by Russ Sanderlin

Page 2: Securing your WordPress Site Presented by Russ Sanderlin

Russ Sanderlin, RHCE
Senior Network Systems Analyst, AAA National Office
Owner, Tearstone Graphics
@Tearstone

Page 3: Securing your WordPress Site Presented by Russ Sanderlin

Agenda
• Importance
• Attack Surface
• Basic Hardening
• Ongoing Security
• Plugins
• Read More

Page 4: Securing your WordPress Site Presented by Russ Sanderlin

Importance
• WordPress continues to grow in popularity
• The bigger the platform, the greater the number of reported security incidents.
• 2012 – 117,000 hacked WordPress sites were reported
• 2013 – 73.2% of the top 40,000+ WordPress sites were vulnerable to exploits

Source: WP White Security

Page 5: Securing your WordPress Site Presented by Russ Sanderlin

Attack Surface
• Definition: the sum of all the points an attacker could use to get into a system.
• Points of entry for extracting data or inserting malware are called "attack vectors".
• Minimize attack vectors by minimizing the amount of code running on the site.
o Minimize the number of themes and plug-ins

Source: OWASP.ORG

Page 6: Securing your WordPress Site Presented by Russ Sanderlin

NEW! WordPress 3.8.2
• Potential authentication cookie forgery.
• Privilege escalation: prevent contributors from publishing posts.
• (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
• (Hardening) Fix a low-impact SQL injection by trusted users.
• (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

Page 7: Securing your WordPress Site Presented by Russ Sanderlin

Basic Hardening
Start With A Secure Foundation

Page 8: Securing your WordPress Site Presented by Russ Sanderlin

Users
• Delete the “admin” account; create a new login with an unusual name for administration.
• All users, especially those with elevated privileges, should have complex passwords.
o Changed every 60-90 days
o At least 8 characters
o A combination of mixed case, numbers and special characters, i.e. #5hN!uM
o Avoid dictionary passwords
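The password rules on this slide written out as a checker, as an added example that is not part of the presentation. The word list is a constructed sample standing in for a real dictionary file; the rotation window uses the slide's outer bound of 90 days.

```python
"""Password-policy check for the rules on this slide (added example): at least
8 characters, mixed case, a digit, a special character, not a dictionary word,
and changed within the rotation window."""
import re

# Constructed sample word list; a real deployment loads a full dictionary file.
SAMPLE_DICTIONARY = {"password", "wordpress", "admin", "welcome", "letmein"}

MIN_LENGTH = 8
ROTATION_DAYS = 90  # slide says 60-90 days; 90 is the outer bound


def password_problems(password, dictionary=SAMPLE_DICTIONARY):
    """Return the names of the rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("mixed_case")
    if not re.search(r"[0-9]", password):
        problems.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("special")
    # Dictionary check: compare case-insensitively and also with digits and
    # symbols stripped, so "Password1!" is still recognised as a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if password.lower() in dictionary or core in dictionary:
        problems.append("dictionary")
    return problems


def password_expired(days_since_change, max_age_days=ROTATION_DAYS):
    """True when the password is older than the rotation window."""
    return days_since_change > max_age_days


if __name__ == "__main__":
    for pw in ["#5hN!uMx9", "Password1!", "wordpress", "Ab1!"]:
        print(pw, password_problems(pw) or "ok")
    print("expired after 120 days:", password_expired(120))
```

The stripped-core comparison is the part worth copying: a plain membership test passes "Password1!" even though it is a dictionary word with the usual decorations, and that is exactly the form a guessing list tries first.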

Page 9: Securing your WordPress Site Presented by Russ Sanderlin

Database - MySQL
• Use an abstract naming convention (security through obscurity)
o Database names
o Table prefixes, not wp_
o MySQL user names
• Assign limited privileges to the SQL user.
o The WordPress database user only needs SELECT, INSERT, DELETE and UPDATE
o GRANT, DROP and ALTER are not needed
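A least-privilege audit for the two points on this slide, as an added example that is not part of the presentation: it parses GRANT lines in the shape MySQL's SHOW GRANTS prints them and flags any privilege beyond the four the slide lists, and it reads $table_prefix out of wp-config.php to spot the wp_ default. The GRANT lines and the wp-config.php fragment below are constructed samples, not output from a real server.

```python
"""Audit a WordPress MySQL user's grants and the table prefix (added example)."""
import re

# The slide's minimal privilege set for the WordPress database user.
NEEDED = {"SELECT", "INSERT", "UPDATE", "DELETE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>.+?)"
    r"(?:\s+IDENTIFIED\s+BY\s+.+?)?"          # older MySQL appends this clause
    r"(?:\s+WITH\s+GRANT\s+OPTION)?$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Return (privilege set, scope, user) from one SHOW GRANTS line."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError("not a GRANT statement: %r" % line)
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if re.search(r"WITH\s+GRANT\s+OPTION", line, re.IGNORECASE):
        privs.add("GRANT OPTION")
    return privs, m.group("scope"), m.group("user")


def excess_privileges(grant_lines, allowed=NEEDED):
    """Map each user to the sorted privileges it holds beyond `allowed`.
    USAGE is MySQL's 'no privileges' placeholder and is ignored."""
    report = {}
    for line in grant_lines:
        privs, _scope, user = parse_grant(line)
        extra = sorted(privs - allowed - {"USAGE"})
        if extra:
            report.setdefault(user, []).extend(extra)
    return report


def table_prefix(wp_config_text):
    """Extract $table_prefix from wp-config.php text; None if absent."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config_text)
    return m.group(1) if m else None


# Constructed sample: what SHOW GRANTS prints for a user that was given too much.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, DROP, ALTER ON `wp_site`.* "
    "TO 'wpuser'@'localhost' WITH GRANT OPTION",
]
SAMPLE_WP_CONFIG = "<?php\n$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    print(excess_privileges(SAMPLE_GRANTS))
    prefix = table_prefix(SAMPLE_WP_CONFIG)
    print("prefix:", prefix, "(default)" if prefix == "wp_" else "(custom)")
```

The allowed set is a parameter on purpose: the slide's four privileges cover normal operation, and an operator who needs to widen the set temporarily (for instance while a schema-changing upgrade runs) can pass a larger set and still see what is left over afterwards.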

Page 10: Securing your WordPress Site Presented by Russ Sanderlin

Webhost
• Find a webhost that understands WordPress
• Takes security seriously
• Find out if the host performs backups.
o If not, implement a backup solution
• Server-side scans and malware cleanup
• Host should have VPS options for growth and better security.

Page 11: Securing your WordPress Site Presented by Russ Sanderlin

Site
• Avoid running multiple WordPress installations on one domain
• Do not run a development version of the site on your production site.
• Disable FTP; use SFTP

Page 12: Securing your WordPress Site Presented by Russ Sanderlin

Permissions
• Unix/Linux permissions
o R = 4, W = 2, X = 1 (combine the values to set a permission)
o Owner – Group – Public
o I.e. 775 = rwxrwxr-x (owner and group have full permissions; world cannot write)
• File and folder permissions
o Default is 664 for files, 775 for folders
o wp-config.php and .htaccess
• 664 to allow modification
• 444 to allow read, not modify
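The digit arithmetic and the file/folder targets from this slide turned into a small audit, as an added example that is not part of the presentation: octal modes are rendered as rwx strings the way the slide does it, and a directory tree is walked looking for anything that differs from 664/775, with wp-config.php and .htaccess expected at the slide's locked-down 444. The tree it audits is a constructed temporary copy with two deliberate mistakes, not a real site.

```python
"""Permission helpers and a tree audit for the slide's targets (added example)."""
import os
import stat
import tempfile

R, W, X = 4, 2, 1  # the slide's digit values

# Slide targets: lock the two sensitive files to read-only once configured.
LOCKED_FILES = {"wp-config.php", ".htaccess"}
FILE_MODE, DIR_MODE, LOCKED_MODE = 0o664, 0o775, 0o444


def octal_to_rwx(mode):
    """0o775 (or the string '775') -> 'rwxrwxr-x'; digits are owner, group, public."""
    if isinstance(mode, str):
        mode = int(mode, 8)
    out = []
    for digit in "%03o" % mode:
        d = int(digit)
        out.append("r" if d & R else "-")
        out.append("w" if d & W else "-")
        out.append("x" if d & X else "-")
    return "".join(out)


def rwx_to_octal(text):
    """'rwxrwxr-x' -> 0o775 (inverse of octal_to_rwx)."""
    if len(text) != 9:
        raise ValueError("expected nine rwx characters")
    value = 0
    for i in range(0, 9, 3):
        t = text[i:i + 3]
        d = (R if t[0] == "r" else 0) | (W if t[1] == "w" else 0) | (X if t[2] == "x" else 0)
        value = value * 8 + d
    return value


def audit_tree(root):
    """Return sorted (relative path, actual, expected) for entries whose mode
    differs from the slide's targets; world-writable entries are always listed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if name in dirnames:
                expected = DIR_MODE
            elif name in LOCKED_FILES:
                expected = LOCKED_MODE
            else:
                expected = FILE_MODE
            if actual != expected or actual & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), "%03o" % actual, "%03o" % expected))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: correct everywhere except a world-writable
    uploads folder and a wp-config.php left at 664 instead of 444."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ["index.php", "wp-config.php", ".htaccess", "wp-content/index.php"]:
        open(os.path.join(root, rel), "w").close()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_MODE)
    os.chmod(os.path.join(root, ".htaccess"), LOCKED_MODE)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


def sample_audit():
    """Build the sample tree in a temporary directory, audit it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_site(tmp))


if __name__ == "__main__":
    print("775 =", octal_to_rwx(0o775))
    for finding in sample_audit():
        print(finding)
```

Run against a real document root it reports the same triples; anything in the 777 column is the first thing to fix, because a world-writable directory under the web root is exactly where a dropped file ends up.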

Page 13: Securing your WordPress Site Presented by Russ Sanderlin

Ongoing Security
An ounce of prevention is worth a pound of cure – Benjamin Franklin

Page 14: Securing your WordPress Site Presented by Russ Sanderlin

Update Your Site
• Update WordPress core, plug-ins and themes
• WP White Security found 42,106 top Alexa-ranked sites running WordPress:
o 73.2% were running old versions which had documented vulnerabilities
o 74 different versions of WordPress, 10 of which were reported as fake
• Older versions of WordPress are not maintained with security updates.

Page 15: Securing your WordPress Site Presented by Russ Sanderlin

Perform Routine Inspections
• Perform site cleanups on a regular basis
• Review all installed plug-ins
• Remove themes and plug-ins no longer needed (reduce attack surface)
• Identify anything you do not remember installing and handle it with care

Page 16: Securing your WordPress Site Presented by Russ Sanderlin

Scan with SiteCheck
• Scan the site with Sucuri.net SiteCheck
• Free general site malware checker
• Premium clean-up service
• Premium monitoring service

Page 17: Securing your WordPress Site Presented by Russ Sanderlin

WPScan
• Black-box WordPress security scanner
• Pre-installed on these operating systems
o BackBox Linux
o Kali Linux
o Pentoo
o SamuraiWTF
• Download, install instructions and arguments are found at http://wpscan.org

Page 18: Securing your WordPress Site Presented by Russ Sanderlin

Security Plugins
Providing a pre-coded helping hand

Page 19: Securing your WordPress Site Presented by Russ Sanderlin

Understand Your Plugin
• Understand what the security plugins do and what effects they have on your site
o Your requirements should drive the choice of plugin; the plugin should not drive your site requirements
o Plugins have performance implications for WordPress sites; more code can slow down page loads.
o Multiple plugins or excessive functionality extend the attack surface
• Misconfiguration can break your site
o I.e. intrusion detection could stop search engines from crawling your site
• Security plugins could lock you out of your own site
• Plugin support can be a challenge

Page 20: Securing your WordPress Site Presented by Russ Sanderlin

Limit Login Attempts
• Customize the rate of invalid login attempts
o Limit login attempts by IP
o Limit login via cookies
• Makes brute-force attacks impossible
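What "limit login attempts by IP" means in mechanism, as an added example that is not the code of any plugin named in the presentation: failed logins are counted per client IP inside a sliding window, and once the limit is reached the IP is locked out for a fixed period, during which the password is not even checked. Timestamps are passed in rather than read from the clock so the run is deterministic; the attempt sequence is constructed.

```python
"""Per-IP login-attempt limiter with a sliding window and a lockout (added example)."""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout expires

    def _prune(self, ip, now):
        """Drop failures older than the window so old noise does not count."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, credentials_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(ip, now):
            return "locked"  # refuse before touching the credential store
        self._prune(ip, now)
        if credentials_ok:
            self._failures[ip].clear()
            return "ok"
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip].clear()
        return "denied"


def replay(limiter, attempts):
    """Feed (time, ip, credentials_ok) tuples through the limiter; return the outcomes."""
    return [limiter.attempt(ip, ok, t) for t, ip, ok in attempts]


# Constructed sequence: six wrong guesses from one IP, then the correct password
# from the same IP while still locked out, then again after the lockout expires.
SAMPLE_ATTEMPTS = [(t, "203.0.113.7", False) for t in range(0, 60, 10)] + [
    (70, "203.0.113.7", True),
    (1000, "203.0.113.7", True),
]

if __name__ == "__main__":
    print(replay(LoginLimiter(), SAMPLE_ATTEMPTS))
```

Two operational points follow from the code: the lockout applies to everyone behind that address, so a shared office NAT can lock out the legitimate author as well, and the window prune means a slow trickle of failures below the limit never locks, which is why the slide also lists limiting by cookie and why the logs of denied attempts are worth watching in their own right.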

Page 21: Securing your WordPress Site Presented by Russ Sanderlin

ManageWP
• Plugin that integrates with https://managewp.com/
• Centralize update administration of multiple WordPress sites
• Automated backups
• Provides email notification alerts

Page 22: Securing your WordPress Site Presented by Russ Sanderlin

iThemes Security (Better WP Security)
• Automatically secure the site from basic attacks
o Prevent non-admins from accessing admin content
o Default usernames with “admin” replaced
o Brute-force login protection
o Prevent website scanning
• Change admin, register and login URLs
• Limit logins and time restrictions
o Restrict max login attempts by user or host
o Disable site access on a schedule
• Blacklist: users, groups or IPs
• Data backup
• Change database prefix

Page 23: Securing your WordPress Site Presented by Russ Sanderlin

WordFence
• Delivers enterprise-class security
• Includes
o Fast cache engine
o Firewall
o (Premium) Anti-virus scanning
o (Premium) Two-factor authentication (use a cell phone to log in)
• Repair core, theme and plugin files
• Consumes a lot of resources; not ideal for shared hosting.

Page 24: Securing your WordPress Site Presented by Russ Sanderlin

Bulletproof Security
• Automatically optimizes the website for security
• Protects the WordPress site against a number of documented hack attempts.
• Security logging (account use, HTTP errors)
• File and folder permission scans
• Maintenance mode with countdown timer
• Focuses on .htaccess protection

Page 25: Securing your WordPress Site Presented by Russ Sanderlin

All In One Security and Firewall
• Security points – assesses a score based on how secure your site is
• Classifies security configuration features by risk
• Secures
o User accounts
o User logins
o Database security (change table prefix)
o Visual file system review
o Blacklist IP addresses
• Incorporates DB Backup to schedule automated backups

Page 27: Securing your WordPress Site Presented by Russ Sanderlin

Any Questions??

Page 28: Securing your WordPress Site Presented by Russ Sanderlin

Grab a WordPress Decal