WordPress.org Security
Nina Sebescen
Dr. Brian Butler
INST 741
December 12th, 2013
Project Objectives
• Find out what specific security issues exist with WordPress.org installations and find ways to prevent them
• Offer a one-stop place to get more consolidated information on WordPress.org security issues
• Increase user awareness about WordPress.org security issues
Project Motivation
• WordPress.org has an architectural model that is prone to security attacks
  • Standardization
  • Use of plugins
• Users who are not aware of this problem often get hacked
Project Deliverables
• WordPress.org security plugins bundle – WPSecurity.zip
• Step-by-step video tutorial on how to install the bundle and configure the plugins
• Articles written about WordPress.org security issues, posted on MIM Central to increase user awareness
Current Knowledge and Gaps
• The vast majority of users only become aware of security issues after being hacked
• There are various blogs/tutorials available online, but none of them consolidate all the information
• There are YouTube videos available for specific plugins if you know what to search for; very few provide information about multiple security plugins working together
• Not much information is available about creating WordPress plugin bundles
Methodology
• Read online blogs and various references to understand where the security issues are and how they can be prevented
• Conducted a survey to understand user awareness about WordPress.org security issues
Main Findings
The WordPress.org platform is very vulnerable to hacking attacks because of:
• Popularity (over 60 million people use WordPress.org)
• Ease of use, which attracts a wide variety of users
• Standardized architecture and installation packages
  • Default admin user account and DB ID 1
  • Default DB prefix wp_
  • Default file system structure
• Plugin usage
Things To Be Aware Of
• Hosting company choice
• Local machine firewall and antivirus
• FTP usage (SFTP preferred)
• DB and file system backups
• Admin account (application and DB)
• Login security
• Security plugins
• Spam
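The two slides above list the installation defaults that make a WordPress site easy to recognise and attack: the wp_ table prefix, the admin login, the user with ID 1, and a careless DB account. The following is an added audit script, not part of the original deck or of any WordPress tool; it reads a wp-config.php fragment and a list of user rows (both constructed here as sample input) and reports which of those defaults are still in place. The regular expressions assume the single- or double-quoted define() style of the stock wp-config.php, and the "ID 1" check reflects the deck's advice to replace the original account rather than keep it.

```python
import re

# Constructed sample wp-config.php fragment; not taken from a real site.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'changeme');
$table_prefix = 'wp_';
"""

# Constructed rows from the users table as (ID, user_login) tuples.
SAMPLE_USERS = [(1, "admin"), (2, "editor")]

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(config_text):
    """Pull the DB_* defines and $table_prefix out of a wp-config.php file."""
    settings = {name: value for name, value in DEFINE_RE.findall(config_text)}
    match = PREFIX_RE.search(config_text)
    # WordPress itself falls back to wp_ when the variable is missing,
    # so an absent prefix is treated as the default.
    settings["table_prefix"] = match.group(1) if match else "wp_"
    return settings


def audit_wordpress(config_text, user_rows):
    """Return a list of findings for the defaults the deck warns about."""
    settings = parse_wp_config(config_text)
    findings = []
    if settings["table_prefix"] == "wp_":
        findings.append("default table prefix wp_ in use")
    if settings.get("DB_USER") == "root":
        findings.append("database user is root")
    logins = {login for _, login in user_rows}
    if "admin" in logins:
        findings.append("default admin login account exists")
    ids = {user_id for user_id, _ in user_rows}
    if 1 in ids:
        findings.append("user with ID 1 still exists")
    return findings


if __name__ == "__main__":
    for finding in audit_wordpress(SAMPLE_WP_CONFIG, SAMPLE_USERS):
        print("FINDING:", finding)
```

Run it against a real wp-config.php by reading the file into a string, and feed it the (ID, user_login) pairs from the users table; an empty result means none of the four defaults remain.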
Survey Findings – User Awareness
• 19 users participated, mainly from UMD
• 58% not aware of any security issues
• 42% left the default admin user
• 84% didn't change the DB prefix
• 74% don't do any scheduled DB backups
• 79% don't do any scheduled file system backups
• 53% will start from scratch in case their site gets hacked
• 48% specify a huge time loss in case their site gets hacked
• 90% have no security plugins installed
• 21% had their websites compromised
Solutions
• Create a WordPress.org plugin bundle (WPRoller.com) and a tutorial to explain in detail how each of the plugins works
  • Better WP Security
  • Conditional Captcha for WordPress
  • Sucuri Security – SiteCheck Malware Scanner
  • Google Authenticator
• Increase user awareness about WordPress.org security issues through posting articles on MIM Central
Address Questions Raised
• How will the bundle be updated going forward?
  • The bundle is a set of plugins, so every plugin needs to be updated individually through the Dashboard
• How will the bundle creation be tested?
  • A new hosting domain has been set up to test the bundle and all the plugin configuration
• How will the bundle be tested to ensure site security?
  • Individual tests, checking spammed comments, and logs for activity
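The last answer above relies on reading server logs for activity, and the "Login security" item earlier is where that pays off most. The script below is an added example, not from the deck or any of the listed plugins: it scans web-server access log lines (constructed here in Apache combined format, with made-up addresses and timestamps) and flags client IPs that send a burst of wp-login.php POSTs. It uses the heuristic that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302, so only 200 responses are counted; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines (RFC 5737 documentation
# addresses); one client fails six logins in six seconds, another logs in
# normally, and one request is an ordinary page view.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Dec/2013:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2013:10:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Dec/2013:10:00:02 -0500] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2013:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2013:10:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Dec/2013:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2013:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2013:10:00:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "ip": match.group("ip"),
        "ts": datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": match.group("method"),
        "path": match.group("path"),
        "status": int(match.group("status")),
    }


def find_login_bursts(log_text, threshold=5, window_seconds=60):
    """Map IP -> total failed-login count for IPs that reach `threshold`
    failed wp-login.php POSTs inside any `window_seconds` span."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Heuristic: a failed login re-renders the form (200); success redirects (302).
        if (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps for this client.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {count} failed login attempts")
```

Point it at the live access log (or a rotated copy) to get a daily list of clients to review; the plugins named on the Solutions slide do equivalent rate limiting in real time, and this check is a way to confirm from the logs that they are working.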
Future Considerations
• Install the Akismet WordPress.org plugin for additional spam protection
• Install the Clef mobile app and WordPress.org plugin for two-factor authentication
References
• http://moz.com/blog/the-definitive-guide-to-wordpress-security
• http://www.youtube.com/watch?v=8T2jxAqkrcU
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/FAQ_My_site_was_hacked
• http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
• http://www.slideshare.net/askwpgirl-boulder/wordcamp-denver-security-presentation
• http://www.zdnet.com/wordpress-hit-by-massive-botnet-worse-to-come-experts-warn-7000014019/
• http://wproller.com/
• blog.sucuri.net (various articles about WordPress)
• WordPress.org (support page, plugins page)