280 likes | 386 Views
Securing your WordPress Site Presented by Russ Sanderlin. Russ Sanderlin , RHCE. Senior Network Systems Analyst, AAA National Office Owner, Tearstone Graphics @ Tearstone. Agenda. Importance Attack Surface Basic Hardening Ongoing Security Plugins Read More. Importance.
E N D
Securing your WordPress Site Presented by Russ Sanderlin
Russ Sanderlin, RHCE Senior Network Systems Analyst, AAA National Office Owner, Tearstone Graphics @Tearstone
Agenda • Importance • Attack Surface • Basic Hardening • Ongoing Security • Plugins • Read More
Importance • WordPress continues to grow in popularity • Bigger the platform, the greater the reported incidents for security. • 2012 – 117,000 WordPress hacked sites were reported • 2013 – 73.2 % of the top 40,000+ WordPress sites were vulnerable to exploits Source: WP White Security
Attack Surface • Definition: Sum of the amount of points an attacker could use to get into a system. • Points of entry for extracting data, or inserting malware are called "attack vectors“ • Minimize attack vectors by minimizing the amount of code running on the site. • Minimize the amount of Themes, Plug-Ins Source: OWASP.ORG
NEW! Wordpress 3.8.2 • Potential authentication cookie forgery. • Privilege escalation: prevent contributors from publishing posts. • (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests. • (Hardening) Fix a low-impact SQL injection by trusted users. • (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
Basic Hardening Start With A Secure Foundation
Users • Delete “admin” account, create new login with unusual name for administration. • All users, especially with elevated privileges should have complex passwords. • Changed every 60-90 days • At least 8 characters • Combination of mixed case, numbers and special character i.e. #5hN!uM • Avoid dictionary passwords
Database - MySQL • Use an abstract naming convention (security through obsecurity) • Database names • table prefixes, not wp_ • MySQL User names • Assign limited privileges to SQL user. • WordPress database user only needs SELECT, INSERT, DELETE and UPDATE • GRANT, DROP and ALTER are not needed
Webhost • Find a webhost that understands WordPress • Takes security seriously • Find out if host performs backups. • If not, implement a backup solution • Server side scans and malware cleanup • Host should have VPS options for growth and better security.
Site • Avoid running multiple WordPress installations on one domain • Do not run a development version of the site on your production site. • Disable FTP, use SFTP
Permissions • Unix/Linux permissions • R = 4, W = 2, X =1 (Combine values to set permission) • Owner – Group – Public • I.e. 775 = rwxrwxr_x (Owner + group have full perms, world cannot write) • File and Folder Permissions • Default is 664 for files, 775 for folders • Wp-config.phpand .htaccess • 664 to allow for modification • 444 to allow read, not modify
Ongoing Security Ounce of prevention is worth a pound of cure – Benjamin Franklin
Update Your Site • Update WordPress Core, Plug-Ins and Themes • WP White Security found 42,106 Top Alexa-based ranked sites running WordPress: • 73.2% were running old versions which had documented vulnerabilities • 74 different versions of WordPress, 10 of which were reported as fake • Older versions of WordPress are not maintained with security updates.
Perform Routine Inspections • Perform site cleanups on a regular basis • Review all installed plug-ins • Remove themes and plug-ins no longer needed (reduce attack surface) • Identify anything you do not remember installing and handle with care
Scan with SiteCheck • Scan site with Scuri.NetSiteCheck • Free general site malware checker • Premium clean up service • Premium monitoring service
WPScan • Black Box WordPress security scanner • Pre-Installed on these operating systems • BlackBox Linux • Kali Linux • Pentoo • SamuraiWTF • Download, Install Instructions, Arguments found on http://wpscan.org
Security Plugins Providing a pre-coded helping hand
Understand Your Plugin • Understand what the security plugins do, and what effects they have on your site • Your requirements should drive the choice in plugin, the plugin should not drive your site requirements • Plugins have performance implications to WordPress sites, more code can slow down site loads. • Multiple plugins or excessive functionality extends attack surface • Misconfiguration can break your site • i.e. intrusion detection could stop search engines from crawling your site • Security plugins could lock you out of your own site • Plugin support can be a challenge
Limit Login Attempts • Customize the rate of invalid login attempts • Limit login attempts by IP • Limit login via cookies • Makes brute-force attacks impossible
Manage WP • Plugin that integrates with https://managewp.com/ • Centralize update administrations of multiple WordPress sites • Automated backups • Provides email notification alerts
iThemes Security(Better WP Security) • Automatically Secure Site from Basic Attacks • Prevent non-admins from accessing admin content • Default usernames with “admin” replaced • Brute force login protection • Prevent website scanning • Change admin, register and login URL • Limit Logins and time restrictions • Restrict max login attempts by user or host • Disable site access on a schedule • Blacklist: Users, Groups or IPs • Data Backup • Change Database Prefix
WordFence • Delivers Enterprise-Class Security • Includes • Fast Cache Engine • Firewall • (Premium) Anti-Virus Scanning • (Premium) Two-Factor authentication (use cell phone to login) • Repair core, theme and plugin files • Consumes a lot resources, not ideal for shared hosting.
Bulletproof Security • Automatically optimizes website for security • Protects WordPress site against a number of documented hack attempts. • Security Logging (Account use, HTTP errors) • File and Folder Permission Scans • Maintenance Mode with countdown timer • Focuses on .htaccess protection
All In One Security and Firewall • Security Points – Assesses a score based on how secure your site is • Classifies security configuration features on risk • Secures • User Accounts • User Logins • Database Security (Change table prefix) • Visual file system review • Blacklist IP addresses • Incorporates DB Backup to schedule automated backups
Sources, Read More • http://codex.wordpress.org/Hardening_WordPress • http://www.designwall.com/blog/how-to-handle-a-wordpress-security-attack/ • http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html • https://managewp.com/security-plugins-problem • https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet • http://codex.wordpress.org/Changing_File_Permissions • http://codex.wordpress.org/Version_3.8.2