Securing your WordPress Site
Presented by Russ Sanderlin

Russ Sanderlin, RHCE
Senior Network Systems Analyst, AAA National Office
Owner, Tearstone Graphics
@Tearstone
Agenda
• Importance
• Attack Surface
• Basic Hardening
• Ongoing Security
• Plugins
• Read More
Importance
• WordPress continues to grow in popularity
• The bigger the platform, the greater the number of reported security incidents
• 2012 – 117,000 hacked WordPress sites were reported
• 2013 – 73.2% of the top 40,000+ WordPress sites were vulnerable to known exploits
Source: WP White Security
Attack Surface
• Definition: the sum of all points an attacker could use to get into a system
• Points of entry for extracting data or inserting malware are called "attack vectors"
• Minimize attack vectors by minimizing the amount of code running on the site
  o Minimize the number of themes and plug-ins, and remove inactive ones (an inactive plug-in's PHP files can still be requested directly, so they are still attack surface)
Source: OWASP.ORG
NEW! WordPress 3.8.2 (security release, April 2014)
• Potential authentication cookie forgery
• Privilege escalation: prevent contributors from publishing posts
• (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests
• (Hardening) Fix a low-impact SQL injection by trusted users
• (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files
Basic Hardening
Start With A Secure Foundation
Users
• Delete the "admin" account: first create a new administrator with an unusual username, then delete "admin" and attribute its posts to the new user when WordPress asks
• All users, especially those with elevated privileges, should have complex passwords
  o Changed every 60-90 days
  o At least 8 characters
  o A combination of mixed case, numbers and special characters, e.g. #5hN!uM (note that this example is only seven characters; a real password needs at least eight)
  o Avoid dictionary words
Database - MySQL
• Use an abstract naming convention (security through obscurity; it only defeats untargeted scripts that assume defaults, so treat it as a minor extra layer)
  o Database names
  o Table prefixes, not wp_
  o MySQL user names
• Assign limited privileges to the SQL user
  o For day-to-day operation the WordPress database user only needs SELECT, INSERT, UPDATE and DELETE
  o GRANT, DROP and ALTER are not needed; core and plug-in upgrades that change the schema also need CREATE, ALTER, DROP and INDEX, so grant those only for the upgrade window or expect such upgrades to fail
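The grant set above, written out as an added example (this is not code from the slides): the functions emit the SQL so it can be reviewed before being fed to the mysql client. The database, user and host names (wp_site, wpuser, localhost) are placeholders, and the script assumes MySQL or MariaDB with a root account that can issue GRANT.

```shell
#!/bin/sh
# Added example, not part of the original slides: least-privilege grants for the
# WordPress MySQL user, emitted as SQL for review. wp_site/wpuser/localhost are
# placeholders; the mysql client is only invoked when --apply is passed.

# Day-to-day privileges: everything WordPress needs to serve and edit content.
wp_db_least_privilege_sql() {
    db="$1" user="$2" host="$3"
    cat <<EOF
-- remove whatever the host granted (often ALL PRIVILEGES) and start clean
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${user}'@'${host}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Core upgrades and some plug-ins create or change tables; grant schema rights
# only for the maintenance window, then run the least-privilege set again.
wp_db_upgrade_window_sql() {
    db="$1" user="$2" host="$3"
    cat <<EOF
GRANT CREATE, ALTER, DROP, INDEX ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Print the least-privilege SQL, or apply it through the mysql client
# (as the MySQL root user, prompting for the password) when asked.
# Usage: wp_db_apply DBNAME USER HOST [--apply]
wp_db_apply() {
    sql="$(wp_db_least_privilege_sql "$1" "$2" "$3")"
    if [ "$4" = "--apply" ] && command -v mysql >/dev/null 2>&1; then
        printf '%s\n' "$sql" | mysql -u root -p
    else
        printf '%s\n' "$sql"
    fi
}

wp_db_apply "${1:-wp_site}" "${2:-wpuser}" "${3:-localhost}" "${4:-}"
```

After applying, `SHOW GRANTS FOR 'wpuser'@'localhost';` in the mysql client should list exactly the four data privileges; if a plug-in update then fails with a "command denied" error, that is the expected signal to open the upgrade window rather than to hand back ALL PRIVILEGES.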
Webhost
• Find a webhost that understands WordPress and takes security seriously
• Find out if the host performs backups
  o If not, implement your own backup solution (and test restoring from it)
• Server-side scans and malware cleanup
• Host should have VPS options for growth and for better isolation from other tenants
Site
• Avoid running multiple WordPress installations on one domain
• Do not run a development version of the site on your production site
• Disable FTP, use SFTP (FTP sends credentials and file contents in cleartext)
Permissions
• Unix/Linux permissions
  o R = 4, W = 2, X = 1 (add the values to set a permission)
  o Three digits: Owner – Group – Public (world)
  o E.g. 775 = rwxrwxr-x (owner and group have full permissions, world cannot write)
• File and folder permissions
  o Common defaults are 664 for files and 775 for folders; group-write is only appropriate when the web server runs as a different user in the owner's group that needs to write, otherwise use 644 and 755
  o No file or folder should ever be world-writable (666/777)
  o wp-config.php and .htaccess
    • 664 (or 644) while you are editing them
    • 444 once configured: still readable by the web server, not modifiable by anything the web server runs
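The permission scheme above as an added example script (mine, not from the slides): it applies 755/644 to a WordPress tree, locks wp-config.php and .htaccess to 444, and audits for anything world-writable. It assumes you run it as the file owner (the hosting account) and that PHP runs as that same user; a throwaway tree with deliberately bad modes is built so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original slides: apply the deck's permission
# scheme to a WordPress tree and audit it. Run as the file owner, not as the
# web server user. Assumes PHP runs as the owner (so owner-write is enough).

# Directories get 755, regular files 644; wp-config.php and .htaccess get 444.
# Use 775/664 instead only if the web server is a different user in the
# owner's group and must write (uploads, updates).
wp_harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for f in "$root/wp-config.php" "$root/.htaccess"; do
        if [ -f "$f" ]; then chmod 444 "$f"; fi
    done
    return 0
}

# Audit: list anything world-writable (the most common misconfiguration) and
# any wp-config.php that is still owner-writable. Exit 0 if clean, 1 otherwise.
wp_audit_perms() {
    root="$1"
    bad="$(find "$root" -perm -002; find "$root" -name wp-config.php -perm -200)"
    if [ -z "$bad" ]; then return 0; fi
    printf 'writable where it should not be:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample tree (not a real install) with typical bad modes:
# a 777 uploads directory and a 666 wp-config.php.
wp_demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads" "$d/wp-admin"
    : > "$d/wp-config.php"; : > "$d/.htaccess"; : > "$d/wp-admin/index.php"
    chmod 777 "$d/wp-content/uploads"; chmod 666 "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Demo: audit fails before hardening, passes after.
demo="$(wp_demo_tree)"
wp_audit_perms "$demo" || echo "before: not clean (expected)"
wp_harden_perms "$demo"
wp_audit_perms "$demo" && echo "after: clean"
rm -rf "$demo"
```

On a real site point `wp_harden_perms` and `wp_audit_perms` at the document root; if uploads then fail, the web server is not the file owner, which is the case where the deck's 775/664 scheme (and a shared group) is the right choice instead.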
Ongoing Security
"An ounce of prevention is worth a pound of cure" – Benjamin Franklin
Update Your Site
• Update WordPress core, plug-ins and themes
• WP White Security surveyed 42,106 Alexa top-ranked sites running WordPress:
  o 73.2% were running old versions with documented vulnerabilities
  o 74 different WordPress versions were seen, 10 of which were reported version strings that do not exist
• Older versions of WordPress are not maintained with security updates
Perform Routine Inspections
• Perform site cleanups on a regular basis
• Review all installed plug-ins
• Remove themes and plug-ins no longer needed (reduces attack surface)
• Identify anything you do not remember installing and handle it with care: treat it as a possible backdoor, and check what files and database changes it made before deleting it
Scan with SiteCheck
• Scan your site with Sucuri.net SiteCheck
• Free general site malware checker (an external, black-box view; it cannot see server-side backdoors that do not show up in served pages)
• Premium clean-up service
• Premium monitoring service
WPScan
• Black-box WordPress security scanner (enumerates the WordPress version, themes, plug-ins and user names, and can test passwords)
• Pre-installed on these operating systems
  o BackBox Linux
  o Kali Linux
  o Pentoo
  o SamuraiWTF
• Download, installation instructions and arguments found on http://wpscan.org
Security Plugins
Providing a pre-coded helping hand
Understand Your Plugin
• Understand what the security plugins do, and what effects they have on your site
  o Your requirements should drive the choice of plugin; the plugin should not drive your site requirements
  o Plugins have performance implications for WordPress sites; more code can slow down page loads
  o Multiple plugins or excessive functionality extends the attack surface (a security plugin is itself code and can carry its own vulnerabilities)
• Misconfiguration can break your site
  o E.g. intrusion detection could stop search engines from crawling your site
• Security plugins could lock you out of your own site (keep a way in that does not depend on the plugin, such as SFTP access to rename its directory, which deactivates it)
• Plugin support can be a challenge
Limit Login Attempts
• Customize the rate of invalid login attempts allowed
  o Limit login attempts by IP
  o Limit login via cookies
• Makes brute-force attacks slow and expensive rather than impossible: per-IP limits are sidestepped by attacks spread across many addresses and cookie-based limits by clients that simply discard cookies, so also watch for many failures in aggregate, and remember that xmlrpc.php accepts credentials too
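To see what a plugin's per-IP limit catches and what it misses, the following added example (my script, not part of the slides) reads a combined-format web server access log and reports addresses hammering wp-login.php or xmlrpc.php, plus the aggregate failure count that a distributed attack would still show up in. It relies on WordPress answering a failed login with status 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines are constructed for the demo, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original slides: detect login brute-forcing in
# an Apache/Nginx combined-format access log. WordPress answers a failed
# wp-login.php POST with 200 (form shown again) and a success with 302.
# Sample log lines below are constructed, not captured from a real site.

# Report: per-IP wp-login failures and xmlrpc.php POSTs at or above THRESHOLD,
# plus the total number of wp-login failures regardless of source address.
# Usage: wp_login_bruteforce_report LOGFILE [THRESHOLD]
wp_login_bruteforce_report() {
    threshold="${2:-5}"
    awk -v t="$threshold" '
        # fields: $1 ip ... $6 "METHOD $7 path $8 proto" $9 status
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fail[$1]++; total++ }
        $6 == "\"POST" && $7 == "/xmlrpc.php"                  { xml[$1]++ }
        END {
            for (ip in fail) if (fail[ip] >= t) print ip, "wp-login failures:", fail[ip]
            for (ip in xml)  if (xml[ip]  >= t) print ip, "xmlrpc posts:", xml[ip]
            print "total wp-login failures:", total + 0
        }' "$1"
}

# Constructed sample: one address failing 8 times, one real user who fails
# once then succeeds, and a script posting 12 times to xmlrpc.php.
wp_sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        printf '203.0.113.9 - - [10/Apr/2014:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/Apr/2014:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Apr/2014:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    i=0
    while [ "$i" -lt 12 ]; do
        printf '192.0.2.44 - - [10/Apr/2014:10:01:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"\n' "$i"
        i=$((i + 1))
    done
}

# Demo run over the constructed sample.
tmp="$(mktemp)"
wp_sample_log > "$tmp"
wp_login_bruteforce_report "$tmp" 5
rm -f "$tmp"
```

On a live server run `wp_login_bruteforce_report /var/log/apache2/access.log 10` (path assumed; adjust for your host). An attacker rotating through many proxies keeps every per-IP count under the threshold, which is exactly why the total line is printed: a spike there with no single offending address is the signature a per-IP limiter cannot see.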
ManageWP
• Plugin that integrates with https://managewp.com/
• Centralizes update administration of multiple WordPress sites
• Automated backups
• Provides email notification alerts
iThemes Security (formerly Better WP Security)
• Automatically secures the site against basic attacks
  o Prevent non-admins from accessing admin content
  o Replace default "admin" usernames
  o Brute-force login protection
  o Prevent website scanning
• Change admin, register and login URLs
• Limit logins and time restrictions
  o Restrict maximum login attempts by user or host
  o Disable site access on a schedule
• Blacklist users, groups or IPs
• Data backup
• Change database prefix
Wordfence
• Marketed as enterprise-class security
• Includes
  o Fast cache engine
  o Firewall
  o (Premium) Anti-virus scanning
  o (Premium) Two-factor authentication (use your cell phone to log in)
• Repair core, theme and plugin files (compares them against the official copies from WordPress.org)
• Consumes a lot of resources, not ideal for shared hosting
BulletProof Security
• Automatically optimizes the website for security
• Protects the WordPress site against a number of documented hack attempts
• Security logging (account use, HTTP errors)
• File and folder permission scans
• Maintenance mode with countdown timer
• Focuses on .htaccess protection (so most of its protection only applies on Apache with .htaccess enabled, not on Nginx)
All In One Security and Firewall
• Security points: assesses a score based on how secure your site is
• Classifies security configuration features by risk
• Secures
  o User accounts
  o User logins
  o Database security (change table prefix)
  o Visual file system review
  o Blacklist IP addresses
• Incorporates DB backup to schedule automated backups
Sources, Read More
• http://codex.wordpress.org/Hardening_WordPress
• http://www.designwall.com/blog/how-to-handle-a-wordpress-security-attack/
• http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html
• https://managewp.com/security-plugins-problem
• https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
• http://codex.wordpress.org/Changing_File_Permissions
• http://codex.wordpress.org/Version_3.8.2
Any Questions?
Grab a WordPress Decal