
Securing your WordPress Site Presented by Russ Sanderlin



Presentation Transcript


  1. Securing your WordPress Site Presented by Russ Sanderlin

  2. Russ Sanderlin, RHCE Senior Network Systems Analyst, AAA National Office Owner, Tearstone Graphics @Tearstone

  3. Agenda • Importance • Attack Surface • Basic Hardening • Ongoing Security • Plugins • Read More

  4. Importance • WordPress continues to grow in popularity • The bigger the platform, the more security incidents get reported against it • 2012 – 117,000 hacked WordPress sites were reported • 2013 – 73.2% of the top 40,000+ WordPress sites were vulnerable to known exploits Source: WP White Security

  5. Attack Surface • Definition: the sum of all points an attacker could use to get into a system • The individual points of entry for extracting data or inserting malware are called "attack vectors" • Minimize attack vectors by minimizing the amount of code running on the site • Minimize the number of themes and plug-ins installed Source: OWASP.ORG

  6. NEW! WordPress 3.8.2 • Fixes a potential authentication cookie forgery • Privilege escalation: prevents contributors from publishing posts • (Hardening) Passes along additional information when processing pingbacks to help hosts identify potentially abusive requests • (Hardening) Fixes a low-impact SQL injection by trusted users • (Hardening) Prevents possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files

  7. Basic Hardening: Start With a Secure Foundation

  8. Users • Create a new administrator login with an unusual name first, then delete the “admin” account (attributing its posts to the new account) • All users, especially those with elevated privileges, should have complex passwords • Changed every 60-90 days • At least 8 characters • A mix of upper and lower case, numbers and special characters, e.g. #5hN!uM • Avoid dictionary words

  9. Database - MySQL • Use an abstract naming convention (security through obscurity, as a layer of defense only) • Database names • Table prefixes, not wp_ • MySQL user names • Assign limited privileges to the SQL user • For day-to-day operation the WordPress database user only needs SELECT, INSERT, DELETE and UPDATE • GRANT, DROP and ALTER are not needed (core upgrades and some plugin installs may need CREATE, ALTER and DROP; grant them for the upgrade window and revoke them afterwards)
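As an added example (not from the slides), the following shell script checks the two database points above on a host: whether wp-config.php still uses the default wp_ prefix, and whether the MySQL account's grants go beyond SELECT, INSERT, UPDATE and DELETE. It works on the text of SHOW GRANTS, so on a real host you would pipe in the output of `mysql -e "SHOW GRANTS FOR 'user'@'host'"`; the wp-config fragment, the grants output and the database, user and host names used below (blog_prod, wpuser, wordpress, localhost) are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a WordPress database setup against the slide's advice.
# All sample data below is constructed; feed in your own wp-config.php and
# SHOW GRANTS output on a real host.

# Privileges the slide allows for day-to-day WordPress operation. USAGE is the
# "no privileges" placeholder MySQL always prints, so it is harmless.
ALLOWED_PRIVS="SELECT INSERT UPDATE DELETE USAGE"

# Print "default" if the wp-config.php given as $1 still uses the wp_ prefix,
# "custom:<prefix>" otherwise, or "missing" if no $table_prefix line is found.
table_prefix_verdict() {
  line=$(grep '^[[:space:]]*\$table_prefix[[:space:]]*=' "$1" | head -n 1)
  prefix=$(printf '%s\n' "$line" | sed "s/^[^=]*=[[:space:]]*['\"]//; s/['\"].*//")
  if [ -z "$line" ]; then
    printf 'missing\n'
  elif [ "$prefix" = "wp_" ]; then
    printf 'default\n'
  else
    printf 'custom:%s\n' "$prefix"
  fi
}

# Read SHOW GRANTS output on stdin and print, one per line, every privilege
# outside ALLOWED_PRIVS (WITH GRANT OPTION counts as GRANT OPTION). No output
# means the account is at the least privilege the slide describes.
excess_privileges() {
  while IFS= read -r line; do
    upper=$(printf '%s\n' "$line" | tr 'a-z' 'A-Z')
    case "$upper" in
      "GRANT "*) ;;
      *) continue ;;
    esac
    # The privilege list sits between "GRANT " and " ON "; target and grantee follow.
    privs=$(printf '%s\n' "$upper" | sed 's/^GRANT //; s/ ON .*//')
    case "$upper" in
      *"WITH GRANT OPTION"*) privs="$privs, GRANT OPTION" ;;
    esac
    printf '%s\n' "$privs" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    while IFS= read -r priv; do
      case " $ALLOWED_PRIVS " in
        *" $priv "*) ;;                  # allowed by the slide
        *) printf '%s\n' "$priv" ;;     # flag everything else
      esac
    done
  done | sort -u
}

# Print the least-privilege GRANT the slide calls for: $1 database, $2 user,
# $3 host (placeholders in the demo).
least_privilege_grant() {
  printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" "$1" "$2" "$3"
}

# --- demo on constructed data --------------------------------------------
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
<?php
define('DB_NAME', 'blog_prod');
$table_prefix = 'wp_';
EOF
printf 'table prefix: %s\n' "$(table_prefix_verdict "$tmp")"
rm -f "$tmp"

# Constructed SHOW GRANTS output for an over-privileged account.
SAMPLE_GRANTS="GRANT USAGE ON *.* TO 'wordpress'@'%'
GRANT ALL PRIVILEGES ON \`blog_prod\`.* TO 'wordpress'@'%' WITH GRANT OPTION"
printf 'excess privileges:\n'
printf '%s\n' "$SAMPLE_GRANTS" | excess_privileges
printf 'replace with:\n'
least_privilege_grant blog_prod wpuser localhost
```

The Codex page the slides cite notes that core upgrades and some plugin installs may need CREATE, ALTER and DROP; grant them for the upgrade window and revoke them afterwards rather than leaving them on permanently. The prefix check is defense in depth only: a custom prefix does nothing against an attacker who can already run SQL, since the real table names can be listed.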

  10. Webhost • Find a web host that understands WordPress and takes security seriously • Find out whether the host performs backups • If not, implement your own backup solution • Server-side scans and malware clean-up • The host should offer VPS options for growth and for better isolation from other tenants

  11. Site • Avoid running multiple WordPress installations on one domain • Do not run a development copy of the site on the production server • Disable FTP; use SFTP (FTP sends credentials in clear text)

  12. Permissions • Unix/Linux permissions • r = 4, w = 2, x = 1 (add the values to set a permission) • Owner – Group – Public (others) • e.g. 775 = rwxrwxr-x (owner and group have full permissions, the world cannot write) • File and folder permissions • Default is 664 for files and 775 for folders (or 644/755, per the Codex page cited below) • wp-config.php and .htaccess • 664 to allow modification • 444 to allow reading but not modification
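An added example (not from the slides) of the permission scheme above, as a POSIX shell script: a helper that expands an octal mode into the rwx string the slide shows, a function that applies the file and directory baseline to a WordPress tree and locks wp-config.php and .htaccess to 444, and a check that nothing is left world-writable. It defaults to 755/644 and takes the slide's 775/664 as arguments for hosts where the web server runs as the owner's group. The tree it operates on in the demo is a constructed temporary directory; WEB_ROOT is a placeholder for the real document root.

```shell
#!/bin/sh
# Added example: the permission arithmetic from the slide, plus a script that
# applies the baseline to a WordPress tree and verifies it. Run it against a
# copy first. WEB_ROOT below is a placeholder.

# Render a three-digit octal mode as the rwx string shown in the slide
# (e.g. 775 -> rwxrwxr-x): r=4, w=2, x=1 for owner, group, others in turn.
octal_to_rwx() {
  out=""
  for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
    bits=""
    if [ $((digit & 4)) -ne 0 ]; then bits="${bits}r"; else bits="${bits}-"; fi
    if [ $((digit & 2)) -ne 0 ]; then bits="${bits}w"; else bits="${bits}-"; fi
    if [ $((digit & 1)) -ne 0 ]; then bits="${bits}x"; else bits="${bits}-"; fi
    out="$out$bits"
  done
  printf '%s\n' "$out"
}

# Apply the baseline under $1: directories $2 (default 755), regular files $3
# (default 644), then lock wp-config.php and .htaccess to 444 as the slide
# suggests once the site is configured. Pass 775 664 for hosts where the web
# server runs in the owner's group (the slide's defaults).
harden_wp_perms() {
  root=$1; dmode=${2:-755}; fmode=${3:-644}
  [ -d "$root" ] || { printf 'no such directory: %s\n' "$root" >&2; return 1; }
  find "$root" -type d -exec chmod "$dmode" {} +
  find "$root" -type f -exec chmod "$fmode" {} +
  for f in "$root/wp-config.php" "$root/.htaccess"; do
    if [ -f "$f" ]; then chmod 444 "$f"; fi
  done
}

# Count world-writable files and directories under $1; a hardened tree has 0.
# (-perm -002 is the POSIX spelling of "others may write".)
count_world_writable() {
  printf '%s\n' "$(( $(find "$1" -perm -002 | wc -l) ))"
}

# --- demo on a constructed tree -------------------------------------------
WEB_ROOT=$(mktemp -d)                      # placeholder for e.g. /var/www/html
mkdir -p "$WEB_ROOT/wp-content/uploads"
: > "$WEB_ROOT/wp-config.php"
: > "$WEB_ROOT/.htaccess"
: > "$WEB_ROOT/wp-content/uploads/image.jpg"
# The kind of sloppy state a "quick fix" leaves behind.
chmod 777 "$WEB_ROOT/wp-config.php" "$WEB_ROOT/wp-content/uploads"
printf '775 = %s, 444 = %s\n' "$(octal_to_rwx 775)" "$(octal_to_rwx 444)"
printf 'world-writable before: %s\n' "$(count_world_writable "$WEB_ROOT")"
harden_wp_perms "$WEB_ROOT"
printf 'world-writable after:  %s\n' "$(count_world_writable "$WEB_ROOT")"
rm -rf "$WEB_ROOT"
```

Two practical notes: 444 on wp-config.php and .htaccess blocks plugins that want to write there (caching plugins often edit both), so switch back to 644 for the edit and re-lock afterwards; and directories the web server must write to, such as wp-content/uploads, should be owned by the server's user or group rather than opened to the world.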

  13. Ongoing Security: An ounce of prevention is worth a pound of cure – Benjamin Franklin

  14. Update Your Site • Update WordPress core, plug-ins and themes • WP White Security surveyed 42,106 top Alexa-ranked sites running WordPress: • 73.2% were running old versions with documented vulnerabilities • 74 different WordPress version strings were seen, 10 of which were fake • Older versions of WordPress are not maintained with security updates

  15. Perform Routine Inspections • Perform site clean-ups on a regular basis • Review all installed plug-ins • Remove themes and plug-ins no longer needed (reduces the attack surface) • Identify anything you do not remember installing and handle it with care
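An added example, not part of the presentation, that turns the two slides above into a repeatable inspection: it reads the core version from wp-includes/version.php, compares it with a reference release you supply (3.8.2 in the demo, the release the slides discuss), and lists every plugin directory with the name and version from its header, marking directories that have no header so they stand out as something you may not remember installing. The site tree built at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example: inventory what a WordPress install is actually running, so the
# "update" and "routine inspection" advice can be acted on. The tree built in
# the demo is constructed; point the functions at a real document root.

# Installed core version: the "$wp_version = '3.8.2';" line in version.php.
wp_core_version() {
  grep '^\$wp_version' "$1/wp-includes/version.php" | head -n 1 | cut -d"'" -f2
}

# Compare a dotted version ($1) with the reference release ($2): prints
# "outdated", "current" or "ahead". "ahead" should not happen against the
# real current release and is worth investigating (spoofed version strings
# were one of the things the WP White Security survey turned up).
version_status() {
  installed=$1; latest=$2
  if [ "$installed" = "$latest" ]; then printf 'current\n'; return; fi
  first=$(printf '%s\n%s\n' "$installed" "$latest" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
  if [ "$first" = "$installed" ]; then printf 'outdated\n'; else printf 'ahead\n'; fi
}

# One tab-separated line per plugin directory: slug, header name, header
# version. Directories with no "Plugin Name:" header are printed as "?" so they
# stand out for review (the slide's "anything you do not remember installing").
list_plugins() {
  for dir in "$1"/wp-content/plugins/*/; do
    [ -d "$dir" ] || continue
    slug=$(basename "$dir")
    main=$(grep -l '^[[:space:]*]*Plugin Name:' "$dir"*.php 2>/dev/null | head -n 1)
    if [ -z "$main" ]; then
      printf '%s\t?\t?\n' "$slug"
      continue
    fi
    name=$(sed -n 's/^[[:space:]*]*Plugin Name:[[:space:]]*//p' "$main" | head -n 1)
    version=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$main" | head -n 1)
    printf '%s\t%s\t%s\n' "$slug" "${name:-?}" "${version:-?}"
  done
}

# --- demo on a constructed tree -------------------------------------------
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-includes" "$SITE/wp-content/plugins/akismet" "$SITE/wp-content/plugins/unknown-thing"
printf "<?php\n\$wp_version = '3.8.2';\n" > "$SITE/wp-includes/version.php"
cat > "$SITE/wp-content/plugins/akismet/akismet.php" <<'EOF'
<?php
/*
Plugin Name: Akismet
Version: 3.0.0
*/
EOF
: > "$SITE/wp-content/plugins/unknown-thing/x.php"    # no header: who installed this?
installed=$(wp_core_version "$SITE")
printf 'core %s: %s against reference 3.8.2\n' "$installed" "$(version_status "$installed" 3.8.2)"
list_plugins "$SITE"
rm -rf "$SITE"
```

Run it against the document root and diff the plugin list against a known-good inventory from the last inspection. On a host with WP-CLI installed, `wp core version` and `wp plugin list` give the same information from WordPress itself.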

  16. Scan with SiteCheck • Scan the site with Sucuri SiteCheck (sitecheck.sucuri.net) • Free general site malware checker • Premium clean-up service • Premium monitoring service

  17. WPScan • Black-box WordPress security scanner • Pre-installed on these distributions: • BackBox Linux • Kali Linux • Pentoo • SamuraiWTF • Download, installation instructions and arguments at http://wpscan.org

  18. Security Plugins: Providing a pre-coded helping hand

  19. Understand Your Plugin • Understand what the security plugins do and what effects they have on your site • Your requirements should drive the choice of plugin; the plugin should not drive your site requirements • Plugins have performance implications for WordPress sites: more code can slow down page loads • Multiple plugins or excessive functionality extend the attack surface • Misconfiguration can break your site • e.g. intrusion detection could stop search engines from crawling your site • Security plugins could lock you out of your own site • Plugin support can be a challenge

  20. Limit Login Attempts • Customize the number of invalid login attempts allowed before lockout • Limit login attempts by IP • Limit login attempts via cookies • Makes brute-force attacks impractical, not impossible (an attacker can still rotate source IPs)
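The brute force this plugin throttles is also visible in the web server's access log, and the following added example (not from the slides) shows how to spot it there from the shell. It relies on the fact that a failed wp-login.php POST re-renders the login form with HTTP 200 while a successful one redirects to wp-admin with HTTP 302, so it counts 200 responses to login POSTs per client IP and notes whether the same IP later got a 302. The log lines are constructed in combined log format using RFC 5737 test addresses, and the threshold of 5 is an assumption to tune.

```shell
#!/bin/sh
# Added example: find login brute force in a combined-format access log.
# A failed wp-login.php POST returns 200 (form re-rendered with an error); a
# successful one returns 302 (redirect into wp-admin). Sample lines are
# constructed, with RFC 5737 test addresses.

# Print "<failures> <ip> <success-seen>" for every client with at least $1
# (default 5) failed login POSTs, most active first.
login_flood_ips() {
  awk -v threshold="${1:-5}" '
    # combined log format: $1 client ip, $6 "METHOD, $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      if ($9 == "200") fails[$1]++
      if ($9 == "302") ok[$1] = 1
    }
    END {
      for (ip in fails)
        if (fails[ip] >= threshold)
          print fails[ip], ip, (ip in ok ? "yes" : "no")
    }' | sort -rn
}

# Constructed sample: one attacker hammering the form, one legitimate user who
# mistypes once, and one attacker who eventually guesses right.
sample_log() {
  cat <<'EOF'
203.0.113.10 - - [10/Apr/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
203.0.113.10 - - [10/Apr/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
203.0.113.10 - - [10/Apr/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
203.0.113.10 - - [10/Apr/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
203.0.113.10 - - [10/Apr/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
203.0.113.10 - - [10/Apr/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
192.0.2.44 - - [10/Apr/2014:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2014:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2014:10:01:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2014:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.35"
198.51.100.7 - - [10/Apr/2014:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.35"
198.51.100.7 - - [10/Apr/2014:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.35"
198.51.100.7 - - [10/Apr/2014:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.35"
198.51.100.7 - - [10/Apr/2014:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.35"
198.51.100.7 - - [10/Apr/2014:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.35"
EOF
}

# Real use: login_flood_ips 5 < /var/log/apache2/access.log
sample_log | login_flood_ips 5
# 6 203.0.113.10 no
# 5 198.51.100.7 yes
```

Two caveats that apply to the plugin as much as to this check: behind a reverse proxy or CDN every visitor arrives from the proxy's address, so an IP-based limiter must be configured to use the forwarded client address or it will lock everyone out at once; and xmlrpc.php is a second authentication path that brute-force tools use (XML-RPC system.multicall packs many attempts into one request), so confirm that whatever limiter you choose covers it.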

  21. ManageWP • Plugin that integrates with https://managewp.com/ • Centralizes update administration for multiple WordPress sites • Automated backups • Email notification alerts

  22. iThemes Security (formerly Better WP Security) • Automatically secures the site against basic attacks • Prevents non-admins from accessing admin content • Replaces default usernames such as “admin” • Brute-force login protection • Prevents website scanning • Changes the admin, register and login URLs • Login limits and time restrictions • Restricts max login attempts by user or host • Disables site access on a schedule • Blacklists users, groups or IPs • Data backup • Changes the database prefix

  23. Wordfence • Delivers enterprise-class security • Includes • Fast cache engine • Firewall • (Premium) anti-virus scanning • (Premium) two-factor authentication (use your cell phone to log in) • Repairs core, theme and plugin files • Consumes a lot of resources, not ideal for shared hosting

  24. BulletProof Security • Automatically optimizes the website for security • Protects a WordPress site against a number of documented hack attempts • Security logging (account use, HTTP errors) • File and folder permission scans • Maintenance mode with a countdown timer • Focuses on .htaccess protection

  25. All In One WP Security & Firewall • Security points: assigns a score based on how secure your site is • Classifies security configuration features by risk • Secures • User accounts • User logins • Database security (change table prefix) • Visual file system review • Blacklist IP addresses • Incorporates DB backup to schedule automated backups

  26. Sources, Read More • http://codex.wordpress.org/Hardening_WordPress • http://www.designwall.com/blog/how-to-handle-a-wordpress-security-attack/ • http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html • https://managewp.com/security-plugins-problem • https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet • http://codex.wordpress.org/Changing_File_Permissions • http://codex.wordpress.org/Version_3.8.2

  27. Any questions?

  28. Grab a WordPress Decal
