Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012

Published by Vlad Las
Published in: Technology, Business

3 Comments
  • Hi Simon,

    I have never used Better WP Security, but I generally try to avoid all-in-one plugins.

    The approach I put forward is designed to maximise compatibility with other WordPress plugins and avoid accidentally breaking one's site, whilst ensuring that there would be a comprehensive level of protection against real-world security threats.
  • Great talk Vlad - really enjoyed it. I've written a brief overview of your talk on my blog: http://explainafide.com.au/internet-security-for-your-wordpress-website/

    Catch you at the next WP meet-up
  • Hey Vlad.

    I'd been using all the plugins you've listed in your slides, but have migrated away to one plugin called 'Better WP Security'. This performs all the functions you've listed in your slides - forcing SSL, renaming admin user, checking against vulnerabilities, checking modified files, protecting against multiple failed login attempts, and does a lot more - blacklisting users/agents/ip, renaming admin user ID away from '1', checking against 404 scanners etc. Let me know if you see any problems with moving from multiple plugins to one that does everything.

    Regards

    Simon Foxe

Transcript of "Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012"

  1. Securing Your WordPress Website
     Vladimir Lasky, http://wpexpert.com.au/, WordCamp Sydney 2012
  2. What’s New In Today’s Talk?
     1. The biggest security threats of 2012 and how to deal with them
     2. An updated list of essential WordPress hardening steps for EVERY site
     3. New WordPress management services that make your life easier
  3. Big Events in Internet Security This Year
     1. Yahoo, LinkedIn, eHarmony all experienced security incidents that resulted in users’ passwords/hashes being published
     2. Lots of exploits targeting code using vulnerable PHP libraries including TimThumb and Uploadify
     3. Wi-Fi Protected Setup (WPS) vulnerability in Wireless Routers revealed in December 2011
  4. [image-only slide]
  5. [image-only slide]
  6. Lessons From Password Disclosure Incidents
     1. You cannot assume any website will properly secure their databases.
     2. Plenty of computational power exists for brute-force password cracking of password hashes – spare no effort to prevent these from being leaked.
     3. People who reuse the same password across different sites are asking to get “p0wned” and become targets for identity theft.
     4. Having a unique, secure password for every Internet account is mandatory.
  7. Wi-Fi Protected Setup
  8. Lessons from WPS Vulnerability
     1. The WPS exploit provides a backdoor to wireless routers secured with WPA2
     2. Technologies that overcome security burdens often introduce security holes
     3. Disable WPS in every Wi-Fi Router that you control. In some cases, this will require a firmware upgrade or possibly even replacing the router
  9. Example PHP Exploit Attempt
  10. Lessons from PHP Exploits
      1. Many programmers are lazy or ignorant of proper data validation practices
      2. Obtaining plugins and themes from official sources reduces risk, but does not guarantee security
      3. Application firewalls are a NECESSITY
  11. Essential Steps to Harden Your WP Installation
  12. Install WP Firewall 2
      This plugin analyses HTTP requests and checks for suspicious parameters that indicate PHP or SQL injection attempts. It will protect you against the majority of zero-day exploits. Set the configuration option ‘Suppress similar attack warning emails’ to ‘On’, to prevent being deluged with identical warnings.
  13. Rename Your Admin Account
      1. Use the plugin ‘Admin Renamer Extended’ to rename the ‘admin’ account to something unique.
      2. From the WP Dashboard, go to Users->Your Profile. For the option ‘Display Name Publicly as’, choose something that is not the same as your admin account name.
  14. Change the Default MySQL Table Prefix
      1. The WordPress default MySQL table prefix is ‘wp_’.
      2. By renaming this to something else, e.g. ‘tb132_’, we can foil the majority of blind SQL injection attempts.
      3. For an existing site, use the plugin “WordPress Table Rename” to make this easier.
  15. Prevent Plaintext Password Transmission – Best Option
      1. Have your site hosted with a provider that supports HTTPS and provides either:
         – Their own Shared SSL Certificate
         – The ability to install your own
         – The ability to obtain one for you and install it (usually for a fee)
      2. Install the plugin “WP HTTPS (SSL)” and enable the option “Force SSL Administration”.
      3. This will prevent your password and session cookies from being sniffed (captured) over the network.
  16. Prevent Plaintext Password Transmission – Next Best
      1. If you can’t use HTTPS, then install the plugin “Semisecure Login Reimagined”.
      2. This uses JavaScript to encrypt your password before sending it to the server.
      3. Make sure you log out from WordPress to prevent network eavesdroppers from sniffing (capturing) and re-using your session key.
  17. Prevent Brute-Force Login Attempts
      Install one of the following plugins:
      1. Login Security Solution
         – Slows down response time of your website after multiple failed attempts
         – Prevents users from choosing weak passwords
      2. Limit Login Attempts
         – Locks out accounts for a set time period after multiple failed attempts
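The lockout rule described on slide 17, as an added example that is not code from the talk or from either plugin: it runs over constructed Apache access-log lines and reports which source address would be locked out. The threshold, window and lockout period are assumed values; both plugins let you configure their own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILS = 5                     # assumed threshold (the plugins make this configurable)
WINDOW = timedelta(minutes=10)    # failures must fall within this span to count together
LOCKOUT = timedelta(minutes=20)   # how long a locked-out address stays locked out

# Constructed sample log lines (Apache-style, not a real capture).
# For wp-login.php, a POST answered with 200 is the login form re-rendered
# after a failed attempt; a POST answered with 302 is a successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2012:10:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3712
203.0.113.7 - - [10/Jul/2012:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3712
198.51.100.2 - - [10/Jul/2012:10:00:05 +1000] "GET /wp-login.php HTTP/1.1" 200 2901
203.0.113.7 - - [10/Jul/2012:10:00:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3712
203.0.113.7 - - [10/Jul/2012:10:00:09 +1000] "POST /wp-login.php HTTP/1.1" 200 3712
198.51.100.2 - - [10/Jul/2012:10:00:10 +1000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jul/2012:10:00:11 +1000] "POST /wp-login.php HTTP/1.1" 200 3712
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Split one access-log line into (ip, timestamp, method, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_lockouts(log_text):
    """Return {ip: locked_until} for addresses with MAX_FAILS failures inside WINDOW."""
    recent = defaultdict(list)   # ip -> timestamps of recent failed logins
    lockouts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue                 # only login submissions count
        if status == 302:            # successful login clears the counter
            recent[ip].clear()
            continue
        fails = [t for t in recent[ip] if when - t <= WINDOW] + [when]
        recent[ip] = fails
        if len(fails) >= MAX_FAILS and ip not in lockouts:
            lockouts[ip] = when + LOCKOUT
    return lockouts
```

In the sample, 203.0.113.7 fails five times inside ten minutes and is reported; 198.51.100.2 fails, then logs in, and is not.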
  18. Install WP File Monitor Plus
      This plugin monitors files under your WP installation for changes. When a change is detected, it displays a dashboard alert and can also send an email. As an administrator, you can view the list of changes and spot anything unexpected or unusual.
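The check slide 18 describes, as an added stand-alone example rather than the plugin's own code: a baseline of SHA-256 hashes is taken over the install directory and compared later to list added, removed and modified files. The directory tree, file contents and the skipped `cache` directory are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, skip_dirs=("cache",)):
    """Map every file under root (relative, '/'-separated path) to its hash."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # ignore noisy dirs
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return result

def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Run the check over a constructed stand-in for a WordPress tree."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
        _write(root, "wp-content/uploads/photo.jpg", "constructed image bytes")
        _write(root, "wp-content/cache/page.html", "cached page, skipped")
        baseline = snapshot(root)   # in real use, store this outside the web root
        # Simulate what an administrator should notice: an edited config file
        # and a PHP file that has appeared in the uploads directory.
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); // edited ?>")
        _write(root, "wp-content/uploads/unexpected.php", "<?php // not part of the install ?>")
        return compare(baseline, snapshot(root))
```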
  19. Essential Security Habits
  20. Regularly Update Your Site, Plugins and Themes
      The last talk stressed the importance of performing regular updates to WordPress, themes and plugins and performing regular remotely-initiated backups. Several WordPress management services now exist to simplify and speed up these steps:
      – ManageWP (hosted)
      – InfiniteWP (self-hosted)
      – WP Remote (hosted)
      – Worpit (hosted)
  21. Accessing Your Site From Untrusted PCs
      Two-Factor authentication is mandatory. This is a combination of a password and a random number from a key fob, SMS message or a mobile phone app that you obtain each time you log in. WordPress Two-Factor plugins include:
      1. Second Factor
      2. Google Authenticator
      3. Duo Two-Factor Authentication
  22. Accessing Your Site From Untrusted Networks
      1. If you can, use your smart phone or laptop PC equipped with 3G, 4G or GPRS Mobile Internet.
      2. If you are forced to use a public WiFi access point or LAN, ensure that any sites requiring authentication are accessed via their HTTPS (secure) link.
  23. Choosing a Password
      Twelve characters long as a minimum, but not a dictionary word. Common number/letter substitutions provide little extra security – cracking tools almost always check for these.
  24. Password Memorisation Techniques
      1. Come up with a memorable sentence, and use the first letters of each word to form the password, e.g.:
         – “Jack and Jill went up the hill to fetch a pail of water” could form the 13-character password “JaJwuthtfapow”
      2. Three unrelated, unconnected dictionary words one after the other, misspelt a certain way known to you
      On your own trusted PC, consider using an encrypted password manager like KeePass.
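The rules from slides 23 and 24 as a checker, added here as an example and not code from the talk: it enforces the twelve-character minimum and shows why number/letter substitutions add little, by undoing them the way a cracking rule would before testing the result against a word list. The word list and the substitution table are constructed stand-ins; a real dictionary has millions of entries.

```python
MIN_LENGTH = 12
# Constructed stand-in for a real cracking dictionary.
WORDLIST = {"password", "wordpress", "sydney", "administrator", "letmein"}
# Common number/letter substitutions, mapped back to the letters they stand for.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def dictionary_hit(candidate):
    """Return the dictionary word the candidate reduces to, or None.

    Undoes substitutions and case, then also tries dropping up to six
    trailing characters, since cracking rules append years and punctuation.
    """
    base = candidate.translate(LEET).lower()
    for k in range(0, min(7, len(base))):
        word = base[:len(base) - k]
        if word in WORDLIST:
            return word
    return None

def check_password(candidate):
    """Apply the two rules from the slide; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = dictionary_hit(candidate)
    if hit:
        problems.append(f"reduces to the dictionary word '{hit}'")
    return problems

def from_sentence(sentence):
    """First-letter memorisation technique: one character per word of the sentence."""
    return "".join(word[0] for word in sentence.split())
```

"P@ssw0rd2012!" is thirteen characters and still fails, because it reduces to "password"; the first-letter password from the slide's sentence passes.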
  25. Conclusion
      Slides from Previous Talk at WordCamp GC 2011:
      – http://slidesha.re/tr2XA5
      – Covers the “Three Pillars of Security”, the aims of attackers and other WordPress security plugins
      ManageWP - 30% discount on all plans for WordCamp Sydney Attendees:
      – http://managewp.com/wcsyd
      Questions and Comments:
      – http://wpexpert.com.au/contact-us/