wordpress security best practices 2015 update
TRANSCRIPT
WordPress Security Best Practices
Wil Brown @LimeCanvas
Security is serious…
@LimeCanvas #wpsyd
There is always a current threat
The worst type of threats are those you don’t know about
So be prepared!
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
The Art of War - Sun Tzu ~512BC
Been there… Got the T-shirt
Ultimate Secure Site
Locked away in a deep dark basement
No internet connection
No user interaction
= Pretty useless website
= There is a balance to be had
Before we start…
Everything is Hackable
Best we can do is make our site less attractive than others to hack into.
Would you attempt to break into this car?
Before we start…
The most vulnerable part of your website is…
YOU
Read this book!
Usernames & Passwords
Not just WordPress: cPanel, email, FTP, SSH, MySQL, WordPress
Avoid typical “Administrator” usernames:
admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …
Fundamentals
Usernames & Passwords
No personal information such as DoB, e.g. bob1976
No footie clubs, car regos, pet or family names
Use a random 16 (at least) character password: UPPER, lower, digits, punctuation
e.g. b9G#Z4YVemTN^X6S
Fundamentals
Usernames & Passwords
Random character passwords
= difficult for you to remember
= difficult for hackers to guess
Use a password service such as LastPass
Local 256-bit encryption, SSL data transfer, 2-factor authentication
https://lastpass.com
Fundamentals
Usernames & Passwords
Consider forcing users to have a strong password
Force Strong Passwords plugin: http://wordpress.org/plugins/force-strong-passwords/
Better passwords coming soon to WordPress 4.3
Fundamentals
Usernames & Passwords
Only allow one login per device.
Restrict logins under same username on multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin: http://wordpress.org/plugins/wp-bouncer/
Fundamentals
Admin User Roles
Restrict the number of users with the Administrator role.
You do need at least 1 Admin user – do you need any more than that?
Editor role is sufficient for somebody to manage 90% of all the site’s day-to-day content.
Fundamentals
Linux Permissions
Understanding Linux file permissions is key
Files & Perms
Files, Folders & Permissions
In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may recommend you set /wp-content/uploads to 777
Move to another hosting company!
Files & Perms
Config Files & Permissions
Probably your three most important sys files are:
.htaccess (Apache) or nginx.conf (nginx) = permalinks, redirects, etc
php.ini = PHP settings
wp-config.php = WordPress DB username & pass
These should be locked down to CHMOD 444
Files & Perms
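As an added example (my own script, not part of the talk or Lime Canvas' material), the following shell functions apply the 755/644/444 scheme from the two slides above to a WordPress tree and then list anything still world-writable, which is how a 777 uploads directory would show up in a check. It assumes a Linux host with GNU find and stat; the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the talk): apply the permission scheme the slides
# describe (directories 755, files 644, the three config files 444) to a
# WordPress tree, then report anything still world-writable, which is how a
# 777 uploads directory shows up. Assumes a Linux host with GNU find/stat.

# wp_harden_perms <wordpress-root>
wp_harden_perms() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Config files named on the slides, locked to read-only where present.
    for cfg in .htaccess php.ini wp-config.php nginx.conf; do
        [ -f "$root/$cfg" ] && chmod 444 "$root/$cfg"
    done
    return 0
}

# wp_world_writable <wordpress-root>
#   prints every entry (symlinks excluded) that others can write to;
#   returns 0 when clean, 1 otherwise
wp_world_writable() {
    found=$(find "$1" ! -type l -perm -o+w -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# wp_mode <path>  -> octal mode such as 644, for checks and reports
wp_mode() {
    stat -c '%a' "$1"
}
```

Run it as the account that owns the files, since chmod on files owned by another account fails; on a host where the web server and the FTP/SSH account are different users, the 444 config files must still be readable by the web server's group, so check the owner/group as well as the mode.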
Malware Clean Server
Malware can be hidden in Themes, Plugins & other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $89.99 /site /year
Happy Servers
Update Regularly
Update WordPress Core, Themes and Plugins regularly = at least weekly
ManageWP service good for multiple sites: https://managewp.com
WordPress
Update Regularly
Automatic Updates are in WordPress core for point releases only by default
More control = “Automatic Updater” plugin: http://wordpress.org/plugins/automatic-updater/
Choose to update Core, Themes and/or Plugins
WordPress
Check Free Downloads
Especially “free” themes and torrents
– Very common to “insert” links into footer areas
– Code can read your wp-config.php file and email/send it elsewhere = you’re screwed
– Don’t use themes or plugins from Torrent sites!
– Always try to download from original source
Read: http://premium.wpmudev.org/blog/free-wordpress-themes-ultimate-guide/
Free or Dodgy?
Check Free Downloads
Search through files for: Base64_decode, edoced_46esaB (the same name reversed) and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker: http://wordpress.org/plugins/tac/
Exploit Scanner: http://wordpress.org/plugins/exploit-scanner/
Free or Dodgy?
Base64
Not all Base64_decode function calls are evil
WordPress uses the function extensively throughout the core.
Should be easy to decode and work out if good or bad in plugins or themes.
Free or Dodgy?
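Added example, my own code rather than the talk's: a small shell scanner for the three strings named on the “Check Free Downloads” slide. It greps a theme or plugin directory case-insensitively (so both Base64_decode and the reversed edoced_46esaB are caught), then decodes any long quoted base64 literal it finds so the string can be judged on the spot, which is the “decode and work out if good or bad” step of the slide above. It assumes GNU grep and coreutils base64; the function names and the 20-character literal threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): scan a theme/plugin tree for the strings
# the slides mention and decode base64 literals found next to them so a
# reviewer can judge them in place. Assumes GNU grep and coreutils base64.

# The slide's three strings; -i below makes the match case-insensitive.
SUSPECT_RE='base64_decode|edoced_46esab|eval[[:space:]]*\('

# wp_scan_suspect <dir>
#   prints "file:line:text" for every match in *.php; returns 1 if any
wp_scan_suspect() {
    hits=$(grep -rniE --include='*.php' "$SUSPECT_RE" "$1" 2>/dev/null || true)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# wp_decode_literals <file>
#   pulls every quoted base64-looking literal of 20+ chars out of the file
#   and prints it decoded, one per line (non-printable bytes become '?')
wp_decode_literals() {
    grep -oE "['\"][A-Za-z0-9+/=]{20,}['\"]" "$1" \
      | tr -d "'\"" \
      | while IFS= read -r lit; do
            printf '%s' "$lit" | base64 -d 2>/dev/null | tr -c '[:print:]\n' '?'
            echo
        done
}
```

A hit is a prompt to read the code, not a verdict: as the Base64 slide says, WordPress core and legitimate plugins call base64_decode too, and the decoded text is what tells a licence key or an embedded image apart from a hidden footer link or a wp-config.php exfiltration routine.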
Beware of TimThumb
Popular image/thumbnail resizing script
Bundled in many themes and plugins
Responsible for many WordPress security breaches
“The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
Evil TimThumb
Beware of TimThumb
Script was “fixed” of exploits however old versions still lurk out there.
Search for TimThumb and check you are using the “fixed” version 2.8.14
https://code.google.com/p/timthumb/
Evil TimThumb
Beware of TimThumb
The nature of TimThumb still makes it potentially very dangerous to have on your site.
TimThumb is no longer supported or maintained as of Sept 2014
http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
Read this: http://www.limecanvas.com/timthumb-is-evil/
Evil TimThumb
SSL Certificates
Won’t make your site “secure” from hacks
Will encrypt the data transmitted between computer and server
More on SSL certificates at http://www.symantec.com/en/au/ssl-certificates
SSL Certs
HTTPS on Dashboard
If you have an SSL certificate…
Force all Dashboard and Logins to use HTTPS
In wp-config.php:
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
Secure Logins
Software Firewalls
Gives additional level of security.
WordFence plugin is recommended: http://www.wordfence.com/
Scans for… malware, TimThumb, differences in core/plugin/theme files from repository, new available updates, login limiter, force strong passwords, trojans, SQL injection, DNS changes, files outside WordPress folder, hide login errors, prevent creating ‘admin’ user, country blocking*, cell phone sign-in*, advanced scheduled scans*
*premium functions
Firewalls
Prevent Login Attempts
Brute force attacks try to repeatedly guess username & password.
Block IP address after X number of login attempts within a period.
Limit Login Attempts plugin: http://wordpress.org/plugins/limit-login-attempts/
Login Limits
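As an added example (my own code, not from the talk), the awk snippet below does the counting a login limiter plugin does, but over the web server's access log instead of inside WordPress: POST requests to wp-login.php are counted per source IP per minute and any IP that reaches the threshold is printed, ready for a block list or an alert. The log lines embedded in it are constructed Apache combined-format samples, not real traffic; the one-minute window, the threshold of 5 and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): count POSTs to wp-login.php per source IP
# per minute in an Apache combined-format access log and report IPs that reach
# a threshold. This is the detection half of what a login-limiter plugin does.

# Constructed sample log lines (not real traffic): six POSTs from 10.0.0.5 in
# one minute, one from 10.0.0.9, plus ordinary page views.
WP_SAMPLE_LOG='10.0.0.5 - - [01/Jun/2015:10:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2015:10:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2015:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2015:10:00:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jun/2015:10:00:05 +1000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2015:10:00:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2015:10:00:07 +1000] "GET /wp-login.php HTTP/1.1" 200 3390 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2015:10:00:08 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2015:10:00:09 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'

# wp_login_floods [threshold]
#   reads log lines on stdin, prints "ip dd/Mon/yyyy:HH:MM count" for every
#   (ip, minute) pair with at least <threshold> POSTs to wp-login.php
wp_login_floods() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        # $1 is the client IP, $4 the "[timestamp", $6 the quoted method, $7 the path
        $6 == "\"POST" && $7 == "/wp-login.php" {
            key = $1 " " substr($4, 2, 17)   # ip + minute, seconds dropped
            n[key]++
        }
        END { for (k in n) if (n[k] >= t) print k, n[k] }
    ' | sort
}

# Stand-alone run over the sample: prints "10.0.0.5 01/Jun/2015:10:00 6"
printf '%s\n' "$WP_SAMPLE_LOG" | wp_login_floods 5
```

On a live host the same function is fed with tail of the real log (e.g. the last few thousand lines) from cron; a 200 response to a POST on wp-login.php is the login form being re-rendered, i.e. a failed attempt, while a 302 is the redirect after a successful login, so the status code can be added to the match if only failures should count.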
Don’t Show Login Errors
Don’t give the hackers a helping hand
Remove that info!
Add this to functions.php:
add_filter('login_errors', '__return_null');
No Freebies
Back Your Site Up
There is NO EXCUSE not to back up your entire site frequently (real-time, hourly, daily, weekly).
Back up to email http://wordpress.org/plugins/wponlinebackup/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy http://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency.
Can you restore from an issue that’s been happening for 2 months?
Check your backup files – do a test restore!
Back Up
Security For the Paranoid
Pimp My Security
Two Factor Authentication
Using another device to generate an authentication code, e.g. mobile phone app
Verification code + login = 2 factor auth
Google Authenticator: http://wordpress.org/plugins/google-authenticator/
Pimp My Security
Biometric Authentication
Is two factor authentication not enough for you?
Biometric authentication uses part of our own body as the second verification part.
This is going to be the normal way of authenticating with systems in the not so distant future.
Pimp My Security
Biometric Authentication
VoxedIn is a Smartphone app that lets you log in to your WordPress site using voice biometrics.
http://wordpress.org/plugins/voxedin/
Pimp My Security
Move wp-content Folder
Move the wp-content folder to a new location.
Add the following into wp-config.php before the line: /* That's all, stop editing! Happy blogging. */
define('WP_CONTENT_DIR', '/full/path/to/your/content/dir');
define('WP_CONTENT_URL', 'http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes may have hard-coded wp-content location.
Pimp My Security
Protect wp-config.php
Use .htaccess to protect your wp-config.php file:
<files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can fetch the wp-config.php file over the web now; only the web server itself still reads it.
Pimp My Security
SQL Injection Protection
Use .htaccess to stop SQL Injection attacks:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any requests or changes to global variables containing <script> gets blocked.
Pimp My Security
Prevent Directory Browsing
Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing:
Options -Indexes
Pimp My Security
Secure wp-admin Folder
Password protect wp-admin folder using cPanel and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
Pimp My Security
Disable User File Editor
Remove the WordPress dashboard Editor for themes and plugins
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Pimp My Security
Change Default Table Prefix
Default MySQL DB table prefix is wp_. Change before installing new WordPress sites.
Add to wp-config.php:
$table_prefix = 'mynewprefix_';
Existing websites – use WP Security Scan: http://wordpress.org/plugins/wp-security-scan/
Pimp My Security
Be “Big Brother”
Monitor who does what on your WordPress site.
WP Security Audit Log: http://wordpress.org/plugins/wp-security-audit-log/
Pimp My Security
Change wp-login.php
Using .htaccess:
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login
Pimp My Security
Change /wp-admin/ - Step 1
Add to wp-config.php:
define('WP_ADMIN_DIR', 'secret-folder');
define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
Add to functions.php:
add_filter('site_url', 'lc_wpadmin_filter', 10, 3);
function lc_wpadmin_filter( $url, $path, $orig_scheme ) {
    // Replace the first "wp-admin" segment of any generated site URL with the renamed folder
    $old = array( "/(wp-admin)/" );
    $admin_dir = WP_ADMIN_DIR;
    $new = array( $admin_dir );
    return preg_replace( $old, $new, $url, 1 );
}
Pimp My Security
Change /wp-admin/ - Step 2
Add to .htaccess:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/
Pimp My Security
Denial of Service Attacks
Known as DoS or DDoS (distributed)
There is nothing YOU* can do to pre-emptively stop DoS attacks.
Contact your host company
Pimp My Security
*Unless you own your own data centre
Image Credits
• [4] activerain.com
• [5] mybroadband.co.za
• [6] wired.com
• [12] www.zzee.com
• [12] acm.uiuc.edu
• [12] danielmiessler.com
• [19] wordpress.org/plugins/tac/
• [21] www.promptwebhosting.com.au
• [29] www.bestwpthemez.com
• [31] blog.eternalvigilance.me
• [32] www.mobyware.ru
• [33] www.ibmsystemsmag.com
• [34] disruptive.io
• [38] www.gobalakrishnan.com
• [39] www.trickytechs.com
• [39] www.wpbeginner.com
• [40] www.limecanvas.com
• [46] www.computerworld.com
Questions Anyone?
@LimeCanvas