
WordPress Security

Nina Sebescen, Dr. Brian Butler, INST 741, December 12th, 2013. WordPress.org Security. Project Objectives: find out what specific security issues exist with WordPress.org installations and find ways to prevent them.





Presentation Transcript


  1. WordPress.org Security
  Nina Sebescen, Dr. Brian Butler, INST 741, December 12th, 2013

  2. Project Objectives
  • Find out what specific security issues exist with WordPress.org installations and find ways to prevent them
  • Offer a one-stop place for consolidated information on WordPress.org security issues
  • Increase user awareness of WordPress.org security issues

  3. Project Motivation
  • WordPress.org has an architectural model that is prone to security attacks
  • Standardization
  • Use of plugins
  • Users who are not aware of this problem often get hacked

  4. Project Deliverables
  • WordPress.org security plugins bundle – WPSecurity.zip
  • Step-by-step video tutorial on how to install the bundle and configure the plugins
  • Articles about WordPress.org security issues posted on MIM Central to increase user awareness

  5. Current Knowledge and Gaps
  • The vast majority of users only become aware of security issues after being hacked
  • Various blogs and tutorials are available online, but none of them consolidate all the information
  • YouTube videos are available for specific plugins if you know what to search for; very few cover multiple security plugins working together
  • Not much information is available about creating WordPress plugin bundles

  6. Methodology
  • Read online blogs and various references to understand where the security issues are and how they can be prevented
  • Conducted a survey to understand user awareness of WordPress.org security issues

  7. Main Findings
  The WordPress.org platform is very vulnerable to hacking attacks because of:
  • Popularity (over 60 million people use WordPress.org)
  • Ease of use, which attracts a wide variety of users
  • Standardized architecture and installation packages
  • Default admin user account and DB ID 1
  • Default DB prefix wp_
  • Default file system structure
  • Plugin usage

  8. Things To Be Aware Of
  • Hosting company choice
  • Local machine firewall and antivirus
  • FTP usage (SFTP preferred)
  • DB and file system backups
  • Admin account (application and DB)
  • Login security
  • Security plugins
  • Spam
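Slides 7 and 8 list the install-time defaults that make a site an easy target: the default wp_ table prefix, the admin and database accounts, and the file system. The script below is an added example (not part of the presentation or of WordPress itself) that audits a wp-config.php for those defaults the way a hosting or site owner might before going live. The two configuration texts embedded in it are constructed samples, and the finding strings are my own wording.

```python
"""Audit a wp-config.php for the defaults the slides warn about.

Added example, not from the presentation: it parses a wp-config.php
and flags the default wp_ table prefix (slide 7), a root or passwordless
database account, the sample-file salt placeholders, the dashboard file
editor being left enabled, and a group/world-readable config file
(slide 8). The two config texts below are constructed samples.
"""
import os
import re
import stat
import tempfile

# Constructed sample in the shape of a fresh install whose defaults were
# never changed; every weak value is deliberate so the audit has work to do.
WEAK_CONFIG = r"""<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define('DB_HOST', 'localhost');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

# Constructed sample after hardening (salts shortened for readability).
HARDENED_CONFIG = r"""<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'Lx9!qR2#vT8pZm4');
define('DB_HOST', 'localhost');
define('AUTH_KEY',        'J4v>@C1l%H|k2G-');
define('SECURE_AUTH_KEY', 'x8Q!pBw_e&Ei0rL');
define('DISALLOW_FILE_EDIT', true);
$table_prefix = 'k7x_';
"""

# Placeholder that WordPress ships in wp-config-sample.php for every salt.
PLACEHOLDER = 'put your unique phrase here'
SALT_KEYS = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
             'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_config(text):
    """Return the define()d constants and $table_prefix as a dict of strings."""
    settings = {}
    for m in DEFINE_RE.finditer(text):
        settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    m = PREFIX_RE.search(text)
    if m:
        settings['table_prefix'] = m.group(1)
    return settings


def audit(settings, mode=None):
    """Return the list of findings for parsed settings (and an optional st_mode)."""
    findings = []
    if settings.get('table_prefix', 'wp_') == 'wp_':
        findings.append('default table prefix wp_')
    if settings.get('DB_USER') == 'root':
        findings.append('database user is root')
    if settings.get('DB_PASSWORD', '') == '':
        findings.append('empty database password')
    for key in SALT_KEYS:
        if settings.get(key) == PLACEHOLDER:
            findings.append('%s still holds the sample placeholder' % key)
    if settings.get('DISALLOW_FILE_EDIT', 'false') != 'true':
        findings.append('DISALLOW_FILE_EDIT not set: theme/plugin editor stays enabled')
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append('wp-config.php is readable by group or others')
    return findings


def audit_file(path):
    """Read a wp-config.php from disk and audit its contents and permissions."""
    with open(path) as fh:
        settings = parse_config(fh.read())
    return audit(settings, os.stat(path).st_mode)


if __name__ == '__main__':
    # Write the weak sample to a temp file with typical 0644 permissions
    # and show what the audit reports for it.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'wp-config.php')
        with open(path, 'w') as fh:
            fh.write(WEAK_CONFIG)
        os.chmod(path, 0o644)
        for finding in audit_file(path):
            print('-', finding)
```

The admin user with ID 1 from slide 7 cannot be seen from the config file; that check belongs against the database (the wp_users table, under whatever prefix is in use) and is left out here.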

  9. Survey Findings – User Awareness
  • 19 users participated, mainly from UMD
  • 58% were not aware of any security issues
  • 42% left the default admin user
  • 84% didn't change the DB prefix
  • 74% don't do any scheduled DB backups
  • 79% don't do any scheduled file system backups
  • 53% would start from scratch if their site got hacked
  • 48% cite a huge time loss if their site got hacked
  • 90% have no security plugins installed
  • 21% had their websites compromised

  10. Solutions
  • Create a WordPress.org plugin bundle (WPRoller.com) and a tutorial that explains in detail how each of the plugins works:
    – Better WP Security
    – Conditional Captcha for WordPress
    – Sucuri Security – SiteCheck Malware Scanner
    – Google Authenticator
  • Increase user awareness of WordPress.org security issues by posting articles on MIM Central

  11. Address Questions Raised
  • How will the bundle be updated going forward?
    – The bundle is a set of plugins, so every plugin needs to be updated individually through the Dashboard
  • How will the bundle creation be tested?
    – A new hosting domain has been set up to test the bundle and all the plugin configuration
  • How will the bundle be tested to ensure site security?
    – Individual tests, checking spammed comments, and reviewing logs for activity
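Slide 11 says the bundled site is checked by reviewing logs for activity. One concrete version of that check, added here as an example that is not part of the presentation, is to read the web server's access log and count POSTs to /wp-login.php per client inside a sliding time window, which is how a password-guessing run shows up long before any plugin alert. The log lines below are constructed (they use RFC 5737 documentation addresses), and the threshold and window values are assumptions to tune per site.

```python
"""Spot wp-login.php password guessing in a web server access log.

Added example, not from the presentation: slide 11 says site security is
checked by reviewing logs for activity, and this is one concrete check,
counting POSTs to /wp-login.php per client IP inside a sliding window.
The log lines are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def _line(ip, ts, method, path, status):
    """Build one Apache combined-format line (constructed sample data)."""
    return '%s - - [%s] "%s %s HTTP/1.1" %s 1234 "-" "Mozilla/5.0"' % (
        ip, ts, method, path, status)


# A legitimate admin logging in once, interleaved with a client that posts
# to the login form every two seconds (12 POSTs within 22 seconds).
SAMPLE_LOG = '\n'.join(
    [_line('198.51.100.7', '12/Dec/2013:10:00:03 -0500', 'GET', '/wp-login.php', 200),
     _line('198.51.100.7', '12/Dec/2013:10:00:09 -0500', 'POST', '/wp-login.php', 302),
     _line('198.51.100.7', '12/Dec/2013:10:00:10 -0500', 'GET', '/wp-admin/', 200)] +
    [_line('203.0.113.5', '12/Dec/2013:10:00:%02d -0500' % (2 * i), 'POST',
           '/wp-login.php', 200) for i in range(12)])


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each parseable line."""
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield ip, datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'), method, path, int(status)


def login_bursts(entries, threshold=10, window=60):
    """Return {ip: peak number of POSTs to /wp-login.php within any `window`
    seconds} for every client whose peak reaches `threshold`."""
    posts = defaultdict(list)
    for ip, ts, method, path, _status in entries:
        # Ignore the query string so /wp-login.php?action=... still counts.
        if method == 'POST' and path.split('?', 1)[0] == '/wp-login.php':
            posts[ip].append(ts)
    span = timedelta(seconds=window)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > span:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == '__main__':
    for ip, count in login_bursts(parse_log(SAMPLE_LOG)).items():
        print('%s: %d login POSTs within 60s' % (ip, count))
```

A successful login redirects (302) while a failed one re-renders the form (200), so the status column can be added as a second signal; the count alone is kept here because it is what a CAPTCHA or lockout plugin from slide 10 is meant to stop.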

  12. Future Considerations
  • Install the Akismet WordPress.org plugin for additional spam protection
  • Install the Clef mobile app and WordPress.org plugin for two-factor authentication
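Both the Google Authenticator plugin in slide 10 and the two-factor item in slide 12 add a second login factor on top of the admin password. The code below is an added example, not from the presentation or either plugin, showing the time-based one-time password scheme (RFC 6238) that authenticator apps implement: what the server computes when it receives a six-digit code, and the one-step clock skew it tolerates. SECRET_B32 is the RFC 6238 test secret in base32, used here only so the values can be checked against the RFC.

```python
"""Time-based one-time passwords (RFC 6238), the mechanism behind the
Google Authenticator plugin on slide 10 and the two-factor item on slide 12.

Added example, not from the presentation or either plugin: it shows what
the server side verifies when a user submits a six-digit code, including
the one-step clock skew that authenticator apps rely on. SECRET_B32 is
the RFC 6238 test secret, used here only so the values can be checked.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890") in the base32 form that a
# QR code or enrollment screen would show the user.
SECRET_B32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], 'big') & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, int(for_time) // step, digits)


def verify(code, secret_b32, now=None, step=30, skew=1):
    """Accept `code` if it matches the current step or one within `skew`
    steps either side; constant-time compare so timing does not leak digits."""
    now = time.time() if now is None else now
    counter = int(now) // step
    key = base64.b32decode(secret_b32.upper())
    for offset in range(-skew, skew + 1):
        if counter + offset < 0:
            continue
        if hmac.compare_digest(hotp(key, counter + offset), code):
            return True
    return False


if __name__ == '__main__':
    print('code right now:', totp(SECRET_B32, time.time()))
    print('RFC 6238 vector at t=59 (expect 287082):', totp(SECRET_B32, 59))
```

In production the secret is stored per user and never logged, and a code that was already accepted should be rejected within the same step; a six-digit code is only a second factor, so the lockout and CAPTCHA plugins from slide 10 still matter against guessing.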

  13. References
  • http://moz.com/blog/the-definitive-guide-to-wordpress-security
  • http://www.youtube.com/watch?v=8T2jxAqkrcU
  • http://codex.wordpress.org/Hardening_WordPress
  • http://codex.wordpress.org/FAQ_My_site_was_hacked
  • http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
  • http://www.slideshare.net/askwpgirl-boulder/wordcamp-denver-security-presentation
  • http://www.zdnet.com/wordpress-hit-by-massive-botnet-worse-to-come-experts-warn-7000014019/
  • http://wproller.com/
  • blog.sucuri.net (various articles about WordPress)
  • WordPress.org (support page, plugins page)

  14. DEMO
