WordPress Security - PowerPoint PPT Presentation
Presentation Transcript
Nina Sebescen

Dr. Brian Butler

INST 741

December 12th, 2013

WordPress.org Security

Project Objectives
  • Find out what specific security issues exist with WordPress.org installations and find ways to prevent them
  • Offer one-stop place to get more consolidated information on WordPress.org security issues
  • Increase user awareness about WordPress.org security issues
Project Motivation
  • WordPress.org has an architectural model that is prone to security attacks
    • Standardization
    • Use of plugins
  • Users who are not aware of this problem often get hacked
Project Deliverables
  • WordPress.org security plugins bundle – WPSecurity.zip
  • Step-by-step video tutorial on how to install the bundle and configure the plugins
  • Articles written about WordPress.org security issues posted on MIM Central to increase user awareness
Current Knowledge and Gaps
  • The vast majority of users only become aware of security issues after being hacked
  • There are various blogs/tutorials available online but none of them consolidate all the information
  • There are YouTube videos available for specific plugins if you know what to search for. Very few provide information about multiple security plugins working together.
  • Not much information is available about creating WordPress plugin bundles
Methodology
  • Read online blogs and various references to understand where the security issues are and how they can be prevented
  • Conducted a survey to understand user awareness about WordPress.org security issues
Main Findings

The WordPress.org platform is very vulnerable to hacking attacks, because of:

  • Popularity (over 60 million people use WordPress.org)
  • Ease of use, which attracts a wide variety of users
  • Standardized architecture and installation packages
  • Default admin user account and DB ID 1
  • Default DB prefix wp_
  • Default file system structure
  • Plugin usage
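Two of the defaults listed above (the admin user with ID 1 and the wp_ table prefix) are the ones the survey found most installs still carry. The following is an added example, not part of the presentation or of WordPress itself: a small Python helper that reads the prefix out of a wp-config.php fragment, picks a random replacement, and emits the SQL a migration needs. The wp-config sample is constructed; the function names are my own.

```python
import re
import secrets
import string

# Constructed wp-config.php fragment for the demo (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
$table_prefix = 'wp_';
"""

# Core tables of a single-site install; plugins add their own (check with SHOW TABLES).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "term_relationships", "term_taxonomy", "terms", "usermeta", "users"]


def table_prefix(config_text):
    """Return the $table_prefix value declared in a wp-config.php text, or None."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([A-Za-z0-9_]+)['\"]", config_text)
    return m.group(1) if m else None


def random_prefix(length=6):
    """An unpredictable replacement prefix: lowercase letters/digits plus a trailing '_'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "_"


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """SQL that moves an install from prefix `old` to prefix `new`.

    Renaming the tables alone is not enough: WordPress also stores the prefix
    inside data, as the option '<prefix>user_roles' and the usermeta keys
    '<prefix>capabilities' / '<prefix>user_level'. If those rows are not
    rewritten, every user logs in with no role at all.
    """
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    old_like = old.replace("_", "\\_")  # '_' is a LIKE wildcard, so escape it
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
                 f"SUBSTRING(meta_key, {len(old) + 1})) WHERE meta_key LIKE '{old_like}%';")
    return stmts


def rename_admin_sql(prefix, new_login):
    """SQL to rename the default 'admin' login, which the dashboard does not allow.
    user_nicename is the /author/<slug>/ URL and would otherwise still leak the
    old login. The row keeps ID 1, so a fresh administrator account is preferable."""
    if not re.fullmatch(r"[A-Za-z0-9_]{4,60}", new_login):
        raise ValueError("new login must be 4-60 letters, digits or underscores")
    return (f"UPDATE `{prefix}users` SET user_login = '{new_login}', "
            f"user_nicename = '{new_login}' WHERE user_login = 'admin';")
```

Take a full database backup before running the generated statements, and run them inside one transaction so a failed rename cannot leave half the tables moved.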
Things To Be Aware Of
  • Hosting company choice
  • Local machine firewall and antivirus
  • FTP usage (SFTP preferred)
  • DB and file system backups
  • Admin account (application and DB)
  • Login security
  • Security plugins
  • Spam
Survey Findings – User Awareness
  • 19 users participated, mainly from UMD
  • 58% not aware of any security issues
  • 42% left the default admin user
  • 84% didn’t change the DB prefix
  • 74% don’t do any scheduled DB backups
  • 79% don’t do any scheduled file system backups
  • 53% will start from scratch in case their site gets hacked
  • 48% expect a huge time loss in case their site gets hacked
  • 90% have no security plugins installed
  • 21% had their websites compromised
Solutions
  • Create a WordPress.org plugin bundle (WPRoller.com) and a tutorial to explain in detail how each of the plugins works
    • Better WP Security
    • Conditional Captcha for WordPress
    • Sucuri Security – SiteCheck Malware Scanner
    • Google Authenticator
  • Increase user awareness about WordPress.org security issues through posting articles on MIM Central
Address Questions Raised
  • How will the bundle be updated going forward?
    • The bundle is a set of plugins, so every plugin needs to be updated individually through the Dashboard
  • How will the bundle creation be tested?
    • A new hosting domain has been set up to test the bundle and all the plugin configuration
  • How will the bundle be tested to ensure site security?
    • Individual tests, checking spammed comments, and logs for activity
Future Considerations
  • Install Akismet WordPress.org plugin for additional spam protection
  • Install Clef mobile app and WordPress.org plugin for two-factor authentication
References
  • http://moz.com/blog/the-definitive-guide-to-wordpress-security
  • http://www.youtube.com/watch?v=8T2jxAqkrcU
  • http://codex.wordpress.org/Hardening_WordPress
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
  • http://www.slideshare.net/askwpgirl-boulder/wordcamp-denver-security-presentation
  • http://www.zdnet.com/wordpress-hit-by-massive-botnet-worse-to-come-experts-warn-7000014019/
  • http://wproller.com/
  • blog.sucuri.net (various articles about WordPress)
  • WordPress.org (support page, plugins page)