WordPress.org Security
Nina Sebescen
Dr. Brian Butler
INST 741
December 12th, 2013
Project Objectives
• Find out what specific security issues exist with WordPress.org installations and find ways to prevent them
• Offer a one-stop place to get more consolidated information on WordPress.org security issues
• Increase user awareness about WordPress.org security issues
Project Motivation
• WordPress.org has an architectural model that is prone to security attacks
  o Standardization
  o Use of plugins
• Users who are not aware of this problem often get hacked
Project Deliverables
• WordPress.org security plugins bundle – WPSecurity.zip
• Step-by-step video tutorial on how to install the bundle and configure the plugins
• Articles written about WordPress.org security issues posted on MIM Central to increase user awareness
Current Knowledge and Gaps
• The vast majority of users only become aware of security issues after being hacked
• There are various blogs/tutorials available online, but none of them consolidate all the information
• There are YouTube videos available for specific plugins if you know what to search for; very few provide information about multiple security plugins working together
• Not much information is available about creating WordPress plugin bundles
Methodology
• Read online blogs and various references to understand where the security issues are and how they can be prevented
• Conducted a survey to understand user awareness about WordPress.org security issues
Main Findings
The WordPress.org platform is very vulnerable to hacking attacks
• Popularity (over 60 million people use WordPress.org)
• Ease of use, which attracts a wide variety of users
• Standardized architecture and installation package
  o Default admin user account and DB ID 1
  o Default DB prefix wp_
  o Default file system structure
• Plugin usage
Things To Be Aware Of
• Hosting company choice
• Local machine firewall and antivirus
• FTP usage (SFTP preferred)
• DB and file system backups
• Admin account (application and DB)
• Login security
• Security plugins
• Spam
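The two install-time defaults the findings call out (the default admin account sitting at user ID 1, and the default wp_ table prefix) are easy to check for before a site goes live. The following auditor is an added example written for this page; it is not part of the presentation, the WPSecurity bundle, or WordPress itself. It assumes a wp-config.php fragment and a user list constructed here for illustration; the user list is laid out in the shape that WP-CLI's `wp user list --format=json` prints (ID, user_login, roles), which is an assumption about the input source, not something the deck describes.

```python
import re

# Constructed wp-config.php fragment (not from any real site). The prefix
# shown is the one a stock WordPress install ships with.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

# Constructed user list in the shape of `wp user list --format=json`
# output (assumed field names: ID, user_login, roles).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 2, "user_login": "nina", "roles": "editor"},
]

# The same two inputs after the defaults were changed: a non-default
# prefix and an administrator that was created after the install user
# was removed, so it no longer sits at ID 1.
HARDENED_WP_CONFIG = "<?php\n$table_prefix = 'k3s9q_';\n"
HARDENED_USERS = [
    {"ID": 7, "user_login": "site-owner", "roles": "administrator"},
]

# Matches the `$table_prefix = '...';` assignment on its own line.
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", re.M)


def table_prefix(config_text):
    """Return the table prefix set in wp-config.php, or None if absent."""
    match = PREFIX_RE.search(config_text)
    return match.group(1) if match else None


def audit(config_text, users):
    """Return a list of human-readable findings for the two install defaults."""
    findings = []

    prefix = table_prefix(config_text)
    if prefix is None:
        findings.append("table_prefix not found in wp-config.php")
    elif prefix == "wp_":
        findings.append("default table prefix 'wp_' in use")

    for user in users:
        if user["user_login"].lower() == "admin":
            findings.append(f"default 'admin' login present (ID {user['ID']})")
        if user["ID"] == 1 and "administrator" in user["roles"]:
            findings.append(
                f"user ID 1 ('{user['user_login']}') is an administrator"
            )
    return findings


if __name__ == "__main__":
    for label, cfg, users in (
        ("stock install", SAMPLE_WP_CONFIG, SAMPLE_USERS),
        ("hardened install", HARDENED_WP_CONFIG, HARDENED_USERS),
    ):
        print(f"{label}:")
        for finding in audit(cfg, users) or ["no findings"]:
            print(f"  - {finding}")
```

Run against the stock input the auditor reports three findings (the wp_ prefix, the 'admin' login, and an administrator at ID 1); against the hardened input it reports none. Changing the prefix on an existing site means renaming every table and updating the prefixed option and usermeta rows as well, which is why the tutorial's plugins do it rather than a hand edit of wp-config.php alone.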
Survey Findings – User Awareness
• 19 users participated, mainly from UMD
• 58% not aware of any security issues
• 42% left the default admin user
• 84% didn’t change the DB prefix
• 74% don’t do any scheduled DB backups
• 79% don’t do any scheduled file system backups
• 53% will start from scratch in case their site gets hacked
• 48% report a huge time loss in case their site gets hacked
• 90% have no security plugins installed
• 21% had their websites compromised
Solutions
• Create a WordPress.org plugin bundle (WPRoller.com) and a tutorial to explain in detail how each of the plugins works
  o Better WP Security
  o Conditional Captcha for WordPress
  o Sucuri Security – SiteCheck Malware Scanner
  o Google Authenticator
• Increase user awareness about WordPress.org security issues through posting articles on MIM Central
Address Questions Raised
• How will the bundle be updated going forward?
  The bundle is a set of plugins, so every plugin needs to be updated individually through the Dashboard
• How will the bundle creation be tested?
  A new hosting domain has been set up to test the bundle and all the plugin configuration
• How will the bundle be tested to ensure site security?
  Individual tests, checking spammed comments, and logs for activity
Future Considerations
• Install the Akismet WordPress.org plugin for additional spam protection
• Install the Clef mobile app and WordPress.org plugin for two-factor authentication
References
• http://moz.com/blog/the-definitive-guide-to-wordpress-security
• http://www.youtube.com/watch?v=8T2jxAqkrcU
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/FAQ_My_site_was_hacked
• http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
• http://www.slideshare.net/askwpgirl-boulder/wordcamp-denver-security-presentation
• http://www.zdnet.com/wordpress-hit-by-massive-botnet-worse-to-come-experts-warn-7000014019/
• http://wproller.com/
• Blog.sucuri.net (various articles about WordPress)
• WordPress.org (support page, plugins page)
DEMO