WordPress Security - Nirjhor · 2018. 3. 30.
NIRJHOR ANJUM
Head of Engineering, ADN Digital
Faculty Head, PeopleNTech Institute of IT
WordPress Security
Type of Attacks
that are Threat
to our WordPress Sites
SQL Injection Attack
Attack Types [1]
Cross Site Scripting (XSS)
Attack Types [2]
Brute Force Attack
Attack Types [3]
Session Hijacking Attack
Attack Types [4]
Cross Site Reference Forgery (CSRF) Attack
Attack Types [5]
And more…
Topics of Discussion
• General Measures of Security
• Security Measures using Plugin while Developing a Website
• Advanced Security Measures while Developing a Website with less dependency on Plugins
• Advanced Security Measures while Developing Plugin/Theme
Topics of Discussion!
General
Measures of Security
General Measures of Security [1]
• Quality Web Hosting
– Always up to date
– Backup provision
– Web Application Firewall (WAF) provision
– Get a Virus Scanner, like ClamAV
• SSL Certificate
– Security through Data Encryption
• Use a CDN, like CloudFlare
– A Layer in the Internet Ecosystem
General Measures of Security [2]
• Keep your Website up to Date
– Get the latest security updates
– Stay safe from the latest threats
• Use Safe Themes/Plugins
– Avoid Nulled or Cracked things
– Avoid Low Rated or Untested things
– Remove unused Themes/Plugins
General Measures of Security [3]
• Use Captcha in Login Forms
– Stay away from Brute-Force Attacks
– Stay safe from Bot Attempts
• Use a Spam Protection Mechanism
– Use Akismet, the best one
– Use Antispam Bee
General Measures of Security [4]
• Use a Safer Password
– Make it from letters and symbols
– Make it Long
– Never save it in an Open File or the Browser
• Hide the Admin Name
– Don’t use the default username “admin”
– Rename the Nickname and Username of the System Admin
General Measures of Security [5]
• Change your Secret Keys in “wp-config.php”
Source: https://api.WordPress.org/Secret-Key/1.1/Salt/
Security Measures
using Plugin
while Developing a
Website
Security Measures using Plugin [1]
• Creates Firewall
• Real-time Monitoring
• Stronger Login Practice
• Repair Files by Overwriting
• Scans Suspicious Contents
• Blocks various types of Threat Attempts
• Sends Alert on Vulnerability over Email
• Scan Core, Plugins, Themes, and other Files
• Finds Injections, Redirection Codes etc
Security Measures using Plugin [2]
• Limits Login Attempts
• Customize Login Page URL
• Prevent Brute Force Attacks
• Restrict Access from IP
• Log Users Attempts
• Block User on Prohibited Username Attempt
• Adds reCaptcha
• Disable Right Click
• Removes Version Info from CSS/JS
• Removes WP Generated Meta from HTML
• Backup of Security Settings
• Scheduled Database Backup
Security Measures using Plugin [3]
• Track Post/Page/Tag/Comments Activities
• Track Widget/Menu Change
• Track Core and System Settings Change
• Track User/Profile Changes
• Track Forum, Ecommerce Shop Changes
Security Measures using Plugin [4]
• Change Theme Style File-name
• Change Plugins URL
• Change Individual Plugin URLs
• Custom Upload URL
• Remove WordPress Version
Security Measures using Plugin [5]
• SQL Injection Attack Prevention
• XSS and CSRF Attack Prevention
• Brute Force Attack Prevention
• Blocks Direct Access to PHP Files
• Disable Directory Listing
• Minify CSS
Security Measures using Plugin [6]
• Backup Database, Settings, Theme, Plugin, Images etc.
• Download Backup as Zip or Tar
• Run Schedule Backup as Daily / Weekly / Monthly
• Store Backup on Remote FTP Server
• Store Backup on Dropbox/Google Drive
• Send Backup to Email Address
Security Measures using Plugin [7]
• On-Change File Comparison to check Vulnerability
• Can Expire Password to Reset new Password
• Generates Strong Password with Salt
• Two Factor Authentication
• Malware Scanner
• Login Captcha
Advanced Security Measures
while Developing Website
with less dependency on Plugin
Advanced Security Measures without Plugin [1]
Add an Extra Layer of Protection on the Login Page (HTTP Basic Authentication in front of wp-login.php):
    <Files wp-login.php>
        # Apache does not expand "~"; use the absolute path to the password file
        AuthUserFile /full/path/to/.htpasswd
        AuthName "Private Access"
        AuthType Basic
        Require user MySecretUsername
    </Files>
.htaccess
    MySecretUsername:$apr1$KW5IPd9r$/C4HkGhAX7WqaOrJ1k9my1
.htpasswd
Hash Pass Generator: http://www.htaccesstools.com/htpasswd-generator/
Restrict visiting the Admin Panel by IP:
    # Block Access to WP-Admin (placed in wp-admin/.htaccess)
    # "Order" takes no space after the comma; deny rules are applied first, then the allow list
    Order deny,allow
    Deny from all
    # replace 172.0.0.1 with the public IP address(es) the admin connects from
    Allow from 172.0.0.1
.htaccess
Advanced Security Measures without Plugin [2]
Disable Directory Listing:
    Options All -Indexes
.htaccess
Advanced Security Measures without Plugin [3]
Show Error Page while User is trying Unknown URLs/Pages:
    # Way One: inline error page
    ErrorDocument 404 "<H1>Page not found</H1>"
    # Way Two: redirect to a page of the site
    ErrorDocument 404 /not-found/
.htaccess
Advanced Security Measures without Plugin [4]
Restrict visiting WordPress Configuration File:
    # PROTECT CONFIG FILE
    <Files wp-config.php>
        Order deny,allow
        Deny from all
    </Files>
.htaccess
Advanced Security Measures without Plugin [5]
Restrict Execution of PHP Code in “Uploads” Directory:
    # Kill PHP EXECUTION (placed in wp-content/uploads/.htaccess)
    <Files ~ "\.ph(?:p[345]?|t|tml)$">
        Deny from all
    </Files>
.htaccess
Advanced Security Measures without Plugin [5]
Implement Security using the “mod_rewrite” Module
• Enable HTTP Strict Transport Security
• Enable the (XSS) Filter
• Hide Server Application Information
• Restrict Visiting Open Directories
• Block Access to Hidden Files
And, many more…
Source: http://htaccess.DB-Dzine.com/en-us
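The same measures can be applied from WordPress itself when the host does not allow custom Apache directives. The following must-use plugin is an added example written for this transcript, not code from the talk or from the linked htaccess generator: it sends the security headers listed above (HSTS only when the site is really served over TLS, since a wrong HSTS header locks visitors out of a plain-HTTP site) and hides the WordPress version from the generator meta tag and from asset URLs, which is what the “Removes Version Info from CSS/JS” and “Removes WP Generated Meta” plugin features earlier in the talk do. It uses PHP and standard WordPress hooks instead of mod_rewrite; the file name and plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Hardening Headers (added example, not from the original talk)
 * Description: Sends security headers and hides WordPress version details.
 * Place this file in wp-content/mu-plugins/ so it loads without activation.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never run outside the WordPress bootstrap
}

// 1. Security headers on every response WordPress generates.
add_action( 'send_headers', function () {
    // Only promise HSTS when the request actually arrived over TLS;
    // browsers remember the header and would refuse plain HTTP afterwards.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    header( 'X-Content-Type-Options: nosniff' );   // no MIME sniffing of uploads
    header( 'X-Frame-Options: SAMEORIGIN' );        // clickjacking protection
    header( 'X-XSS-Protection: 1; mode=block' );    // legacy browser XSS filter
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
} );

// 2. Remove <meta name="generator" content="WordPress x.y"> from the page head
//    and the generator string from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip the ?ver=x.y.z query string from enqueued scripts and styles so
//    the core/plugin version does not leak through asset URLs.
$hh_strip_version = function ( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
};
add_filter( 'script_loader_src', $hh_strip_version, 9999 );
add_filter( 'style_loader_src', $hh_strip_version, 9999 );
```

Two caveats when deploying this: the `ver` parameter is also WordPress's cache-busting mechanism, so after removing it, clear any page or CDN cache when assets change; and `X-XSS-Protection` is ignored by current browsers (it is kept here only because the talk lists it), so it must not be relied on in place of proper output escaping.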
Advanced Security Measures without Plugin [6]
Disable File Editing in the WordPress Dashboard/Panel
Force Admin to use https:// (SSL Certificate enabled Path)
    # Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);
wp-config.php
Advanced Security Measures without Plugin [7]
    # Force Admin to use SSL
    define('FORCE_SSL_ADMIN', true);
wp-config.php
If Host has the Provision, then allow FTPS
If Host has the Provision, then allow SFTP
    # Enable FTPS
    define('FTP_SSL', true);
wp-config.php
Advanced Security Measures without Plugin [7]
    # Enable SFTP
    define('FS_METHOD', 'ssh2');
wp-config.php
Disable Creating Error Log
Disable Showing Error Log
    # Disable Debug Mode
    define('WP_DEBUG', false);
wp-config.php
Advanced Security Measures without Plugin [8]
    # Disable Front-end Error Display
    define('WP_DEBUG_DISPLAY', false);
wp-config.php
Enable Auto WordPress Version Update
Get Security Updates and more… Stay safe…
    # Enable Auto WordPress Update
    define('WP_AUTO_UPDATE_CORE', true);
wp-config.php
Advanced Security Measures without Plugin [8]
Advanced Security Measures
while Developing Plugin/Theme
Follow the Important Rules
Don’t Trust any Data
Rely on the WordPress API
Keep your codes Up to Date
Security while Developing Plugin/Theme [1]
Validate your Data using PHP Functions
Security while Developing Plugin/Theme [2]
Functions – Description
isset(), empty() – Check whether a value is present or empty
mb_strlen(), strlen() – Check whether a string's length is within the valid range
preg_match(), strpos() – Find certain characters or patterns inside a string
in_array() – Check whether an element exists in an array
strip_tags() – Removes HTML tags from a string
filter_var() – Validate e-mail addresses, URLs, variable types etc.
md5(), sha1() – Hash a password
Validate your Data using WordPress Functions
Security while Developing Plugin/Theme [2]
Functions – Description
is_user_logged_in() – Whether the current user is logged in or not
username_exists(), email_exists() – Whether a username or e-mail address exists or not
term_exists() – Whether a tag, category or term exists or not
validate_file() – Whether a file path is valid or not
is_admin_bar_showing() – Whether the admin bar is visible or not
Secure your Input Data (Sanitize) using WordPress Functions
Security while Developing Plugin/Theme [3]
Functions – Description
sanitize_email() – Filters an e-mail address
sanitize_file_name() – Filters a file name
sanitize_key() – Filters internal keys
sanitize_user() – Filters a username
sanitize_text_field() – Filters a text input field
sanitize_title() – Filters a title
sanitize_sql_orderby() – Filters the ORDER BY clause of an SQL query
Sample Code: sanitize_####( $email );
Secure your Output Data (Escape) using WordPress Functions
Security while Developing Plugin/Theme [4]
Functions – Description
esc_html() – Prints safe HTML text; encodes tags so they are not rendered
esc_url() – Prints a safe URL; removes unsafe characters
esc_js() – Escapes a PHP string for use inside JavaScript: escapes single quotes and HTML special characters and fixes line endings
esc_sql() – Escapes strings for use within SQL queries
esc_attr() – Escapes values used inside HTML tag attributes to keep them XSS safe
Sample Code: <h2><?php echo esc_####( $url ); ?></h2>
Use “Nonces” to Prevent CSRF Attacks
Security while Developing Plugin/Theme [4]
A nonce adds a time-limited token to a form or link so the handler can verify that the request was intentionally made by the current user
Avoid writing Traditional Query
Security while Developing Plugin/Theme [5]
Unsafe
Avoid writing Traditional Query
You can hide Database Errors for Safety
Security while Developing Plugin/Theme [5]
Safe
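The slides above list the pieces separately: validate with PHP and WordPress functions, sanitize input, escape output, verify a nonce, and avoid hand-built SQL. The plugin below is an added example written for this transcript, not code from the talk, that puts them together in one small subscribe form: the plugin name, table name, form fields and text domain are all assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Subscriber Form (added example, not from the original talk)
 * Description: A small subscribe form handled the way the slides recommend:
 * nonce check (CSRF), validation, sanitization, prepared SQL, escaped output.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never run outside the WordPress bootstrap
}

// Hypothetical table for this example, created on plugin activation.
register_activation_hook( __FILE__, function () {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( "CREATE TABLE {$wpdb->prefix}subform_subscribers (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        email varchar(100) NOT NULL,
        note varchar(200) NOT NULL DEFAULT '',
        created datetime NOT NULL,
        PRIMARY KEY  (id)
    ) {$wpdb->get_charset_collate()};" );
} );

// Output side: everything printed goes through an esc_*() function, and the
// form carries a nonce so the handler can reject forged (CSRF) submissions.
function subform_render() {
    $out = '';
    if ( isset( $_GET['subscribed'] ) ) {
        $out .= '<p>' . esc_html__( 'Thanks, you are subscribed.', 'subform' ) . '</p>';
    }
    $out .= '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">'
          . '<input type="hidden" name="action" value="subform_submit">'
          . wp_nonce_field( 'subform_submit', 'subform_nonce', true, false ) // false = return, not echo
          . '<label>Email <input type="email" name="email"></label>'
          . '<label>Note <input type="text" name="note" maxlength="200"></label>'
          . '<button type="submit">Subscribe</button></form>';
    return $out;
}
add_shortcode( 'subform', 'subform_render' );

// Input side: treat every field of $_POST as hostile until it has been
// verified (nonce), validated and sanitized.
function subform_handle() {
    // CSRF check: the nonce must exist and match this action.
    if ( ! isset( $_POST['subform_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['subform_nonce'] ) ), 'subform_submit' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'subform' ), '', array( 'response' => 403 ) );
    }

    // Validate, then sanitize: reject what is not an e-mail, bound the note length.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_die( esc_html__( 'A valid e-mail address is required.', 'subform' ), '', array( 'response' => 400 ) );
    }
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( mb_strlen( $note ) > 200 ) {
        wp_die( esc_html__( 'Note is too long.', 'subform' ), '', array( 'response' => 400 ) );
    }

    global $wpdb;
    $wpdb->hide_errors(); // database errors are logged below, never shown to the visitor

    // Prepared statement: the %s placeholders are quoted and escaped by $wpdb,
    // so no user-supplied value is ever concatenated into the SQL string.
    $ok = $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}subform_subscribers (email, note, created) VALUES (%s, %s, %s)",
        $email,
        $note,
        current_time( 'mysql' )
    ) );
    if ( false === $ok ) {
        error_log( 'subform: insert failed: ' . $wpdb->last_error );
        wp_die( esc_html__( 'Could not save your subscription.', 'subform' ), '', array( 'response' => 500 ) );
    }

    // Redirect back to the referring page (wp_safe_redirect allows same-host
    // targets only) with a flag the shortcode turns into a confirmation message.
    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'subscribed', '1', $back ? $back : home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_subform_submit', 'subform_handle' );        // logged-in visitors
add_action( 'admin_post_nopriv_subform_submit', 'subform_handle' ); // anonymous visitors
```

Place the `[subform]` shortcode on any page to render the form. One thing the function tables do not say: `md5()` and `sha1()` are fast, unsalted digests and are not suitable for storing passwords; when a plugin needs to store a password, the WordPress API for it is `wp_hash_password()` with `wp_check_password()` for verification, which is the "rely on the WordPress API" rule applied to credentials.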
Avoid using Deprecated Code
Test your WordPress Website Online
Security while Developing Plugin/Theme [6]
https://developer.wordpress.org/reference/
https://wpscans.com/