Learn about the importance of securing your WordPress site, minimizing attack vectors, basic hardening techniques, ongoing security measures, and using security plugins. Presented by Russ Sanderlin, Senior Network Systems Analyst at AAA National Office and Owner of Tearstone Graphics.
Securing your WordPress Site
Presented by Russ Sanderlin

Russ Sanderlin, RHCE
Senior Network Systems Analyst, AAA National Office
Owner, Tearstone Graphics
@Tearstone
Agenda
• Importance
• Attack Surface
• Basic Hardening
• Ongoing Security
• Plugins
• Read More
Importance
• WordPress continues to grow in popularity
• The bigger the platform, the greater the number of reported security incidents.
• 2012 – 117,000 hacked WordPress sites were reported
• 2013 – 73.2% of the top 40,000+ WordPress sites were vulnerable to exploits
Source: WP White Security
Attack Surface
• Definition: the sum of all points an attacker could use to get into a system.
• Points of entry for extracting data or inserting malware are called "attack vectors"
• Minimize attack vectors by minimizing the amount of code running on the site.
• Minimize the number of themes and plug-ins
Source: OWASP.ORG
NEW! WordPress 3.8.2
• Potential authentication cookie forgery.
• Privilege escalation: prevent contributors from publishing posts.
• (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
• (Hardening) Fix a low-impact SQL injection by trusted users.
• (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
Basic Hardening
Start With A Secure Foundation
Users
• Delete the “admin” account, create a new login with an unusual name for administration.
• All users, especially those with elevated privileges, should have complex passwords.
  • Changed every 60-90 days
  • At least 8 characters
  • Combination of mixed case, numbers and a special character, e.g. #5hN!uM
  • Avoid dictionary passwords
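The password rules on this slide can be enforced mechanically. The following shell script is an added example, not part of the presentation; it checks a candidate password for length, character classes and a (constructed, stand-in) dictionary list, folding a few common letter-for-symbol substitutions and trailing digits so that variants of a dictionary word are still caught.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): check a password against the policy
# above: >= 8 chars, upper and lower case, a digit, a special character, and
# not a dictionary word. The word list is a small constructed stand-in for a
# real dictionary file such as /usr/share/dict/words.
export LC_ALL=C

DICTIONARY_WORDS="password
welcome
letmein
wordpress
admin"

# check_password PASSWORD
# Prints "OK" or "REJECT: <rules violated>"; returns 0 when compliant, 1 otherwise.
check_password() {
    pw=$1
    fails=""
    [ ${#pw} -ge 8 ]                               || fails="$fails length"
    printf '%s' "$pw" | grep -q '[a-z]'            || fails="$fails lowercase"
    printf '%s' "$pw" | grep -q '[A-Z]'            || fails="$fails uppercase"
    printf '%s' "$pw" | grep -q '[0-9]'            || fails="$fails digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]'     || fails="$fails special"

    # Dictionary check: lower-case, drop trailing digits, undo common
    # substitutions (@->a, $->s, 0->o, !->i, 1->l, 3->e), keep letters only.
    stem=$(printf '%s' "$pw" \
        | tr 'A-Z' 'a-z' \
        | sed 's/[0-9]*$//' \
        | tr '@$0!13' 'asoile' \
        | sed 's/[^a-z]//g')
    if [ -n "$stem" ] && printf '%s\n' "$DICTIONARY_WORDS" | grep -qx "$stem"; then
        fails="$fails dictionary"
    fi

    if [ -n "$fails" ]; then
        printf 'REJECT:%s\n' "$fails"
        return 1
    fi
    printf 'OK\n'
    return 0
}

# Usage: check_password 'P@ssword1'   -> REJECT: dictionary
#        check_password 'Tr0ub@dour9' -> OK
```

Note that a password such as `P@ssword1` satisfies every character-class rule and still fails, because after normalisation it is just the dictionary word `password`; length and character classes alone are not enough.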
Database - MySQL
• Use an abstract naming convention (security through obscurity)
  • Database names
  • Table prefixes, not wp_
  • MySQL user names
• Assign limited privileges to the SQL user.
  • The WordPress database user only needs SELECT, INSERT, DELETE and UPDATE
  • GRANT, DROP and ALTER are not needed
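As an added example (not from the slides), the shell functions below generate a non-default table prefix, emit the least-privilege GRANT statement for the WordPress database user, and audit the output of MySQL's `SHOW GRANTS` for the privileges the slide says are not needed. The database, user and host names, and the sample `SHOW GRANTS` lines, are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): least-privilege MySQL setup for WordPress
# and an audit of existing grants. Names used below are placeholders.

# gen_prefix: random six-letter table prefix ending in "_" (instead of wp_)
gen_prefix() {
    printf '%s_\n' "$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 6)"
}

# make_grant_sql DB USER HOST
# Emits the statements that give only what WordPress needs day to day.
make_grant_sql() {
    db=$1; user=$2; host=$3
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf 'FLUSH PRIVILEGES;\n'
}

# audit_grants
# Reads SHOW GRANTS output on stdin, prints each line that carries a privilege
# the site should not have (ALL PRIVILEGES, GRANT OPTION, DROP, ALTER).
# Returns 1 if any such line was found, 0 otherwise.
audit_grants() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"ALL PRIVILEGES"*|*"GRANT OPTION"*|*DROP*|*ALTER*)
                printf 'EXCESS: %s\n' "$line"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed SHOW GRANTS output for an over-privileged user (what to look for):
SAMPLE_GRANTS="GRANT USAGE ON *.* TO 'wp_app'@'localhost'
GRANT ALL PRIVILEGES ON \`blog_db\`.* TO 'wp_app'@'localhost' WITH GRANT OPTION"

# Usage:
#   make_grant_sql blog_db wp_app localhost | mysql -u root -p
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'wp_app'@'localhost'" | audit_grants
```

One caveat from the WordPress Codex hardening page listed under Sources: major core updates and some plugins make schema changes, so ALTER (and CREATE) may have to be granted temporarily for an upgrade and revoked afterwards; the audit above will flag that state so it is not forgotten.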
Webhost
• Find a webhost that understands WordPress
  • Takes security seriously
• Find out if the host performs backups.
  • If not, implement a backup solution
• Server-side scans and malware cleanup
• Host should have VPS options for growth and better security.
Site
• Avoid running multiple WordPress installations on one domain
• Do not run a development version of the site on your production site.
• Disable FTP, use SFTP
Permissions
• Unix/Linux permissions
  • R = 4, W = 2, X = 1 (combine the values to set a permission)
  • Owner – Group – Public
  • e.g. 775 = rwxrwxr-x (owner and group have full perms, world cannot write)
• File and folder permissions
  • Default is 664 for files, 775 for folders
• wp-config.php and .htaccess
  • 664 to allow for modification
  • 444 to allow read, not modify
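The scheme on this slide (775 for folders, 664 for files, 444 on wp-config.php and .htaccess once editing is done) can be applied and verified with a few commands. The script below is an added example, not from the presentation; it assumes a site root path passed as an argument and uses GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): apply the slide's permission scheme to
# a WordPress tree and report anything left world-writable.

# octal_of PATH: print the permission bits in octal (GNU stat, BSD/macOS fallback)
octal_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# apply_wp_perms ROOT
# 775 on every directory, 664 on every file, then lock the two config files to 444.
apply_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f -exec chmod 664 {} +
    for f in "$root/wp-config.php" "$root/.htaccess"; do
        if [ -f "$f" ]; then
            chmod 444 "$f"
        fi
    done
    return 0
}

# find_world_writable ROOT
# Lists files and directories that "public" can write to; after hardening
# this should print nothing.
find_world_writable() {
    find "$1" -perm -o+w
}

# Demo on a throwaway tree (constructed): run with --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads"
    : > "$demo/wp-config.php"
    : > "$demo/.htaccess"
    : > "$demo/wp-content/uploads/img.jpg"
    chmod 777 "$demo/wp-content/uploads"        # constructed misconfiguration
    echo "before: $(find_world_writable "$demo")"
    apply_wp_perms "$demo"
    echo "wp-config.php is now $(octal_of "$demo/wp-config.php")"
    echo "after: $(find_world_writable "$demo")"
    rm -rf "$demo"
fi
```

Run it against a copy first; on hosts where PHP runs as a different user than the file owner, 775 directories only work if that user is in the owning group, which is why the slide's numbers should be checked rather than assumed.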
Ongoing Security
“An ounce of prevention is worth a pound of cure” – Benjamin Franklin
Update Your Site
• Update WordPress core, plug-ins and themes
• WP White Security found 42,106 top Alexa-ranked sites running WordPress:
  • 73.2% were running old versions which had documented vulnerabilities
  • 74 different versions of WordPress, 10 of which were reported as fake
• Older versions of WordPress are not maintained with security updates.
Perform Routine Inspections
• Perform site cleanups on a regular basis
• Review all installed plug-ins
• Remove themes and plug-ins no longer needed (reduce attack surface)
• Identify anything you do not remember installing and handle with care
Scan with SiteCheck
• Scan site with Sucuri.net SiteCheck
  • Free general site malware checker
  • Premium clean-up service
  • Premium monitoring service
WPScan
• Black-box WordPress security scanner
• Pre-installed on these operating systems
  • BackBox Linux
  • Kali Linux
  • Pentoo
  • SamuraiWTF
• Download, install instructions and arguments found on http://wpscan.org
Security Plugins
Providing a pre-coded helping hand
Understand Your Plugin
• Understand what the security plugins do, and what effects they have on your site
• Your requirements should drive the choice of plugin; the plugin should not drive your site requirements
• Plugins have performance implications for WordPress sites; more code can slow down page loads.
• Multiple plugins or excessive functionality extends the attack surface
• Misconfiguration can break your site
  • e.g. intrusion detection could stop search engines from crawling your site
  • Security plugins could lock you out of your own site
• Plugin support can be a challenge
Limit Login Attempts
• Customize the rate of invalid login attempts
• Limit login attempts by IP
• Limit login via cookies
• Makes brute-force attacks impossible
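The signal a plugin like this acts on can also be pulled from the web server's access log after the fact, which is useful for checking whether the limit is set sensibly. The script below is an added example, not from the presentation; it counts POSTs to wp-login.php per client IP per minute and lists the pairs at or above a threshold. The log lines are constructed, and the status-code rule (a failed login re-renders the form with 200, a successful one redirects with 302) is the heuristic it relies on.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): rate of failed WordPress logins per IP
# and minute from an Apache/nginx combined-format access log.

# Constructed sample log: one client hammering wp-login.php, one normal login
# (POST then 302 to wp-admin), one visitor who only viewed the form.
SAMPLE_LOG='203.0.113.7 - - [10/Apr/2014:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:09:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:09:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:09:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2014:09:15:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2014:09:15:45 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Apr/2014:09:16:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'

# failed_logins_by_ip THRESHOLD < access.log
# Prints "IP DAY:HH:MM COUNT" for every IP/minute with COUNT >= THRESHOLD.
# A failed login is taken to be a POST to wp-login.php answered with 200
# (the form is shown again); a success is answered with a 302 redirect.
failed_logins_by_ip() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            minute = substr($4, 2, 17)   # "[10/Apr/2014:09:12:01" -> "10/Apr/2014:09:12"
            n[$1 " " minute]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }
    ' | sort
}

# Usage:
#   printf "%s\n" "$SAMPLE_LOG" | failed_logins_by_ip 5
#   failed_logins_by_ip 5 < /var/log/apache2/access.log
```

With the sample above and a threshold of 5 the output is a single line for 203.0.113.7 in the 09:12 minute; the normal user and the form-only visitor are not reported. Against a real log, the threshold chosen here is the one the plugin's "rate of invalid login attempts" setting should roughly match.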
Manage WP
• Plugin that integrates with https://managewp.com/
• Centralize update administration of multiple WordPress sites
• Automated backups
• Provides email notification alerts
iThemes Security (Better WP Security)
• Automatically secure site from basic attacks
• Prevent non-admins from accessing admin content
• Default usernames with “admin” replaced
• Brute-force login protection
• Prevent website scanning
• Change admin, register and login URL
• Limit logins and time restrictions
  • Restrict max login attempts by user or host
  • Disable site access on a schedule
• Blacklist: users, groups or IPs
• Data backup
• Change database prefix
WordFence
• Delivers enterprise-class security
• Includes
  • Fast cache engine
  • Firewall
  • (Premium) Anti-virus scanning
  • (Premium) Two-factor authentication (use cell phone to log in)
  • Repair core, theme and plugin files
• Consumes a lot of resources, not ideal for shared hosting.
Bulletproof Security
• Automatically optimizes website for security
• Protects WordPress site against a number of documented hack attempts.
• Security logging (account use, HTTP errors)
• File and folder permission scans
• Maintenance mode with countdown timer
• Focuses on .htaccess protection
All In One Security and Firewall
• Security Points – assesses a score based on how secure your site is
• Classifies security configuration features by risk
• Secures
  • User accounts
  • User logins
  • Database security (change table prefix)
• Visual file system review
• Blacklist IP addresses
• Incorporates DB Backup to schedule automated backups
Sources, Read More
• http://codex.wordpress.org/Hardening_WordPress
• http://www.designwall.com/blog/how-to-handle-a-wordpress-security-attack/
• http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html
• https://managewp.com/security-plugins-problem
• https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
• http://codex.wordpress.org/Changing_File_Permissions
• http://codex.wordpress.org/Version_3.8.2