WordPress.org Security, Nina Sebescen, Dr. Brian Butler, INST 741, December 12th, 2013


DESCRIPTION

Nina Sebescen, Dr. Brian Butler, INST 741, December 12th, 2013. WordPress.org Security. Project objectives: find out what specific security issues exist with WordPress.org installations and find ways to prevent them. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: WordPress Security

WordPress.org Security
Nina Sebescen
Dr. Brian Butler
INST 741
December 12th, 2013

Page 2: WordPress Security

Project Objectives
• Find out what specific security issues exist with WordPress.org installations and find ways to prevent them

• Offer a one-stop place for consolidated information on WordPress.org security issues

• Increase user awareness about WordPress.org security issues

Page 3: WordPress Security

Project Motivation
• WordPress.org has an architectural model that is prone to security attacks
  o Standardization
  o Use of plugins
• Users who are not aware of this problem often get hacked

Page 4: WordPress Security

Project Deliverables
• WordPress.org security plugins bundle – WPSecurity.zip

• Step-by-step video tutorial on how to install the bundle and configure the plugins

• Articles written about WordPress.org security issues posted on MIM Central to increase user awareness

Page 5: WordPress Security

Current Knowledge and Gaps
• The vast majority of users only become aware of security issues after being hacked

• There are various blogs/tutorials available online but none of them consolidate all the information

• There are YouTube videos available for specific plugins if you know what to search for. Very few provide information about multiple security plugins working together.

• Not much information is available about creating WordPress plugin bundles

Page 6: WordPress Security

Methodology
• Read online blogs and various references to understand where the security issues are and how they can be prevented

• Conducted a survey to understand user awareness about WordPress.org security issues

Page 7: WordPress Security

Main Findings
The WordPress.org platform is a frequent and attractive target for hacking attacks, for several reasons:
• Popularity (over 60 million people use WordPress.org)
• Ease of use, which attracts a wide variety of users
• Standardized architecture and installation package
  o Default "admin" user account, which is user ID 1 in the database
  o Default DB table prefix wp_
  o Default file system structure
• Plugin usage
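The defaults on this slide live in wp-config.php, so a quick way to check an installation is to audit that file. The following Python script is an added example, not part of the original presentation: it parses the `$table_prefix` line and the `define()` constants WordPress actually reads (the eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts, DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG) and flags the shipped defaults. The two sample configs are constructed; the "hardened" keys are filler, not real secrets.

```python
"""Audit a wp-config.php for the standardized defaults the slide lists (wp_ table prefix,
placeholder keys and salts) plus the hardening constants WordPress honours.
Added example, not part of the original presentation; the sample configs are constructed."""
import re

# Real constant names WordPress reads from wp-config.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_SALT = "put your unique phrase here"   # placeholder shipped in wp-config-sample.php
DEFAULT_PREFIX = "wp_"
MIN_SALT_LEN = 32

_DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
_PREFIX = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_wp_config(text):
    """Return ({CONSTANT: raw PHP expression}, table_prefix or None)."""
    defines = {m.group(1): m.group(2) for m in _DEFINE.finditer(text)}
    m = _PREFIX.search(text)
    return defines, (m.group(1) if m else None)


def _string_literal(expr):
    """Unquote a single- or double-quoted PHP string; None if the expression is not one."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] == expr[-1] and expr[0] in "'\"":
        return expr[1:-1]
    return None


def _is_true(expr):
    return expr is not None and expr.strip().lower() == "true"


def audit_wp_config(text):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix is None or prefix == DEFAULT_PREFIX:
        findings.append(("medium", "table prefix is the default wp_; automated SQL injection "
                                   "payloads and admin-reset scripts assume it"))
    weak = []
    for key in SALT_KEYS:
        value = _string_literal(defines[key]) if key in defines else None
        if value is None or value == DEFAULT_SALT or len(value) < MIN_SALT_LEN:
            weak.append(key)
    if weak:
        findings.append(("high", "missing, placeholder or short keys/salts weaken the HMAC over "
                                 "authentication cookies and nonces: " + ", ".join(weak)))
    if not _is_true(defines.get("DISALLOW_FILE_EDIT")):
        findings.append(("medium", "DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin "
                                   "editor lets any admin session write PHP to disk"))
    if not _is_true(defines.get("FORCE_SSL_ADMIN")):
        findings.append(("low", "FORCE_SSL_ADMIN is not true: logins and admin cookies may "
                                "travel over plain HTTP"))
    if _is_true(defines.get("WP_DEBUG")):
        findings.append(("low", "WP_DEBUG is true: PHP notices with file paths leak to visitors"))
    return findings


# Constructed sample: a fresh install left at the defaults the survey found to be common.
DEFAULT_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
$table_prefix  = 'wp_';
define('WP_DEBUG', true);
"""

# Constructed sample: the same file after hardening. The 48-character keys are filler built
# in the loop, not real secrets; generate real ones from https://api.wordpress.org/secret-key/1.1/salt/
HARDENED_CONFIG = "<?php\n$table_prefix = 'k3x9_';\n" + "".join(
    "define('%s', '%s');\n" % (key, ("%02dz" % i) * 16) for i, key in enumerate(SALT_KEYS)
) + "define('DISALLOW_FILE_EDIT', true);\ndefine('FORCE_SSL_ADMIN', true);\ndefine('WP_DEBUG', false);\n"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_wp_config(cfg) or "no findings")
```

The script only covers wp-config.php; the default admin account itself lives in the database (the wp_users row with ID 1), so renaming it or creating a new administrator and deleting ID 1 has to be done from the dashboard or in SQL.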

Page 8: WordPress Security

Things To Be Aware Of
• Hosting company choice
• Local machine firewall and antivirus
• FTP usage (SFTP preferred)
• DB and file system backups
• Admin account (application and DB)
• Login security
• Security plugins
• Spam

Page 9: WordPress Security

Survey Findings – User Awareness
• 19 users participated, mainly from UMD
• 58% not aware of any security issues
• 42% left the default admin user
• 84% didn't change the DB prefix
• 74% don't do any scheduled DB backups
• 79% don't do any scheduled file system backups
• 53% would start from scratch if their site got hacked
• 48% expect a huge time loss if their site gets hacked
• 90% have no security plugins installed
• 21% had their websites compromised

Page 10: WordPress Security

Solutions
• Create a WordPress.org plugin bundle (WPRoller.com) and a tutorial to explain in detail how each of the plugins works
  o Better WP Security
  o Conditional Captcha for WordPress
  o Sucuri Security – SiteCheck Malware Scanner
  o Google Authenticator

• Increase user awareness about WordPress.org security issues through posting articles on MIM Central
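The Google Authenticator plugin in the bundle adds a second factor to the WordPress login: a six-digit code that changes every 30 seconds. The code below is an added example, written in Python rather than the plugin's PHP, and is not the plugin's own code; it shows what the plugin has to compute (TOTP, RFC 6238, on top of HOTP, RFC 4226) and the two server-side details that matter for security: a small clock-skew window and refusing to accept a code twice. The secret is the RFC 4226 test secret, so the outputs can be checked against the published vectors.

```python
"""How a Google Authenticator-style login plugin checks a 6-digit code: TOTP (RFC 6238)
built on HOTP (RFC 4226). Added example, not the plugin's own code."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side of the check, with the two details a plugin must get right:
    a small clock-skew window, and refusal to accept a code twice (replay)."""

    def __init__(self, base32_secret, step=30, window=1):
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self.secret = base64.b32decode(padded)   # the secret shown as a QR code at enrolment
        self.step = step
        self.window = window          # accept steps current-window .. current+window
        self.last_counter = -1        # highest time step already consumed by a successful login

    def verify(self, code, unix_time=None):
        code = str(code).strip()
        if not code.isdigit():
            return False
        unix_time = time.time() if unix_time is None else unix_time
        current = int(unix_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# RFC 4226 test secret "12345678901234567890", as the base32 string a plugin would store.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    print(totp(v.secret, 59))                                # 287082 (RFC 6238 SHA-1 vector, T=59)
    print(v.verify("287082", 59), v.verify("287082", 59))    # True False: second use is a replay
```

Two things follow from this for the plugin's configuration: the server clock must be roughly right (the window only absorbs about one step of skew), and the user's secret must be stored as carefully as a password, because anyone who reads it can generate valid codes.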

Page 11: WordPress Security

Address Questions Raised
• How will the bundle be updated going forward? The bundle is a set of plugins, so every plugin needs to be updated individually through the Dashboard.
• How will the bundle creation be tested? A new hosting domain has been set up to test the bundle and all the plugin configuration.
• How will the bundle be tested to ensure site security? Individual tests, checking spammed comments, and logs for activity.
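"Logs for activity" is where login attacks (the "Login security" item on the Things To Be Aware Of slide, and the brute-force campaigns described in the iThemes and ZDNet references) become visible. The following Python script is an added example, not part of the original presentation: it parses web-server access logs in the common Apache/nginx combined format and flags addresses that POST to wp-login.php repeatedly. It uses the fact that WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 to wp-admin, so a 302 after a burst of 200s from the same address means a password was guessed. The log lines are constructed; xmlrpc.php is included as the other common brute-force endpoint, which the slides do not mention.

```python
"""Detect password guessing against wp-login.php in web-server access logs.
Added example, not part of the original presentation; the log lines are constructed.
xmlrpc.php is included as the other common brute-force endpoint (not on the slides)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict with ip, time (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "succeeded": bool}} for every source with at least
    `threshold` failed login POSTs (status 200) inside any `window_seconds` sliding window.
    "succeeded" is True when a 302 (successful login) follows the first failure."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith(LOGIN_PATHS):
            events[rec["ip"]].append((rec["time"], rec["status"]))

    offenders = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [t for t, status in evs if status == 200]
        start, burst = 0, False
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if burst:
            succeeded = any(status == 302 and t >= failures[0] for t, status in evs)
            offenders[ip] = {"failures": len(failures), "succeeded": succeeded}
    return offenders


def _line(ip, ts, method, path, status):
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (ip, ts, method, path, status)


# Constructed sample: one legitimate login, one guessing burst that ends in a 302, one stray POST.
SAMPLE_LOG = (
    [_line("198.51.100.7", "12/Dec/2013:10:00:01 -0500", "GET", "/wp-login.php", 200),
     _line("198.51.100.7", "12/Dec/2013:10:00:09 -0500", "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.5", "12/Dec/2013:10:01:%02d -0500" % (2 * i), "POST", "/wp-login.php", 200)
       for i in range(8)]
    + [_line("203.0.113.5", "12/Dec/2013:10:01:20 -0500", "POST", "/wp-login.php", 302),
       _line("203.0.113.9", "12/Dec/2013:10:05:00 -0500", "POST", "/xmlrpc.php", 200)]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run it over the real access log (`python detect.py < access.log` after swapping SAMPLE_LOG for `sys.stdin`) before and after enabling Better WP Security's lockout feature: the bursts should stop at the lockout limit. A flagged address whose entry shows "succeeded": True is the case the survey respondents feared, and the site should be treated as compromised.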

Page 12: WordPress Security

Future Considerations
• Install the Akismet WordPress.org plugin for additional spam protection
• Install the Clef mobile app and WordPress.org plugin for two-factor authentication

Page 13: WordPress Security

References

• http://moz.com/blog/the-definitive-guide-to-wordpress-security
• http://www.youtube.com/watch?v=8T2jxAqkrcU
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/FAQ_My_site_was_hacked
• http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
• http://www.slideshare.net/askwpgirl-boulder/wordcamp-denver-security-presentation
• http://www.zdnet.com/wordpress-hit-by-massive-botnet-worse-to-come-experts-warn-7000014019/
• http://wproller.com/
• Blog.sucuri.net (various articles about WordPress)
• WordPress.org (support page, plugins page)

Page 14: WordPress Security

DEMO