SlideShare a Scribd company logo
1 of 32
Download to read offline
WordPress 
Security Implementation Guideline 
Good practices and 
epic fails of WordPress implementations
About Me 
• Information Security Consultant 
– Application Security 
– Secure SDLC 
Dan VASILE 
http://www.pentest.ro 
dan@pentest.ro 
@DanCVasile
Why do I talk about WordPress? 
• I use WordPress 
• Previous talk @OWASP Ro InfoSec Conf 2013 
• Working with 3rd parties on secure WordPress 
implementation 
• The project: 
WordPress Security Implementation Guideline
Why do I talk about WordPress? 
WordPress Security Implementation Guideline
Scope 
• Not just WordPress but Open Source adoption 
• Framework for secure implementation 
• Large scale integration
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
General & Infrastructure Security 
General security
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
General & Infrastructure Security 
Infrastructure security
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
WordPress security 
WordPress Security Implementation Guideline 
20 subjects 
3 main components: 
• Core 
• Plugins 
• Themes 
Manual activities & plugin alternatives
WordPress security 
Updates 
3 main types of updates: 
• Core 
• Minor 
• Major 
WordPress > v3.7 – automatic updates for Minor
WordPress security 
Updates 
Turn on auto-updates for Major/Core 
define( 'WP_AUTO_UPDATE_CORE', true ); 
For plugins and themes add a filter 
add_filter( 'auto_update_plugin', '__return_true' ); 
add_filter( 'auto_update_theme', '__return_true' );
WordPress security 
Choose plugins carefully
WordPress security 
Backup 
What? 
• Files 
• Core installation, plugins, themes, images & files 
• Database 
How? 
Manual vs Automatic
WordPress security 
Backup horror story 1 
The good 
• Daily backup, files & database, 365 days retention 
policy 
The bad 
• No geographical redundancy, no disaster recovery plan 
The ugly 
• HDD fail on main machine, faulty HDD on the backup 
machine 
• Missing data and database structure
WordPress security 
Backup horror story 2 
The good 
• Proper backup to the cloud 
The bad 
• Backup credentials stored in clear text 
The ugly 
• Attacker compromising site and deleting backups
WordPress security 
User roles 
• Super Admin 
• Administrator 
• Editor 
• Author 
• Contributor 
• Subscriber
WordPress security 
Restricting access 
Sensitive areas of the application must be protected 
from unauthorized access. 
.htaccess 
Order Deny,Allow 
Deny from all 
Allow from 127.0.0.1
WordPress security 
Prevent brute-forcing 
• Add CAPTCHA 
• Blacklist attackers 
• Lock accounts 
Write a plugin that will lock an account 
for a predefined period of time after a 
number of failed attempts.
WordPress security 
Add blank index.php 
This should be covered by Apache configuration, 
but it’s not always the case.
WordPress security 
Missing blank index.php
WordPress security 
Force encryption on data in transit 
There are cases where both port 80 and 443 are 
used. 
Sensitive operations must use SSL: 
define('FORCE_SSL_LOGIN', true); 
define('FORCE_SSL_ADMIN', true);
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large scale integration
Large scale integration 
Large scale integration 
• Creating a standard image 
• LDAP integration & Single Sign On 
• Multisites 
• Unified management of multiple installations
Large scale integration 
Creating a standard image 
• Blank image (no data) 
• All the updates 
• All the basic shared plugins and themes (&data?) 
Purpose: 
• Testing ground for new stuff 
• Create new instances, secure by default
Large scale integration 
LDAP integration & Single Sign On 
• Integration with Active Directory 
• Single Sign On (SSO) 
Why? 
• Centralized user management 
• Use existing hierarchy
Large scale integration 
Multisites 
• Built-in WordPress functionality 
• End users can create their own sites on 
demand 
Downside 
• Shared components (plugins)
Large scale integration 
Unified management of multiple installations 
• Self-hosted and cloud solutions 
Why? 
• Centralized login and management 
• Push updates to all instances
What’s next? 
Next steps 
• Contribute to the project 
Wordpress Security Implementation Guideline 
• Share the knowledge 
• Write secure code for WordPress 
• Help others
Q&A

More Related Content

What's hot

WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guideMickey Mellen
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesKevin Koehler
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hackedMarko Heijnen
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
Web Security Programming I I
Web  Security  Programming  I IWeb  Security  Programming  I I
Web Security Programming I IPavu Jas
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security TipsLalit Nama
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Nigel Harding
 
Ignite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksIgnite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksevilzenscientist
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One -  A ClickOnce Love Story - Secure360 2015All You Need is One -  A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 

What's hot (18)

WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy pieces
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hacked
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
 
Web Security Programming I I
Web  Security  Programming  I IWeb  Security  Programming  I I
Web Security Programming I I
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?
 
Ignite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksIgnite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricks
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One -  A ClickOnce Love Story - Secure360 2015All You Need is One -  A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 

Similar to WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkWilliam Earnhardt
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteReliqusConsulting
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014The Toolbox, Inc.
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerBrett Palmer
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程Duran Hsieh
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...Amazon Web Services
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12gameaxt
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress MultisiteWPMU DEV
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at NetflixJason Chan
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsChris Burgess
 

Similar to WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014 (20)

WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with Docker
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
 
Datacenter 2014: Trend Micro - Bill MCGee
Datacenter 2014: Trend Micro - Bill MCGeeDatacenter 2014: Trend Micro - Bill MCGee
Datacenter 2014: Trend Micro - Bill MCGee
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at Netflix
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security Plugins
 
Azure Web Apps Advanced Security
Azure Web Apps Advanced SecurityAzure Web Apps Advanced Security
Azure Web Apps Advanced Security
 

Recently uploaded

Basic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielBasic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielpratamakiki860
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfrajats19920
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirtsrahman018755
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 

Recently uploaded (11)

Basic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielBasic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobiel
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 

WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

  • 1. WordPress Security Implementation Guideline Good practices and epic fails of WordPress implementations
  • 2. About Me • Information Security Consultant – Application Security – Secure SDLC Dan VASILE http://www.pentest.ro dan@pentest.ro @DanCVasile
  • 3. Why do I talk about WordPress? • I use WordPress • Previous talk @OWASP Ro InfoSec Conf 2013 • Working with 3rd parties on secure WordPress implementation • The project: WordPress Security Implementation Guideline
  • 4. Why do I talk about WordPress? WordPress Security Implementation Guideline
  • 5. Scope • Not just WordPress but Open Source adoption • Framework for secure implementation • Large scale integration
  • 6. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 7. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 8. General & Infrastructure Security General security
  • 9. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 10. General & Infrastructure Security Infrastructure security
  • 11. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 12. WordPress security WordPress Security Implementation Guideline 20 subjects 3 main components: • Core • Plugins • Themes Manual activities & plugin alternatives
  • 13. WordPress security Updates 3 main types of updates: • Core • Minor • Major WordPress > v3.7 – automatic updates for Minor
  • 14. WordPress security Updates Turn on auto-updates for Major/Core define( 'WP_AUTO_UPDATE_CORE', true ); For plugins and themes add a filter add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
  • 15. WordPress security Choose plugins carefully
  • 16. WordPress security Backup What? • Files • Core installation, plugins, themes, images & files • Database How? Manual vs Automatic
  • 17. WordPress security Backup horror story 1 The good • Daily backup, files & database, 365 days retention policy The bad • No geographical redundancy, no disaster recovery plan The ugly • HDD fail on main machine, faulty HDD on the backup machine • Missing data and database structure
  • 18. WordPress security Backup horror story 2 The good • Proper backup to the cloud The bad • Backup credentials stored in clear text The ugly • Attacker compromising site and deleting backups
  • 19. WordPress security User roles • Super Admin • Administrator • Editor • Author • Contributor • Subscriber
  • 20. WordPress security Restricting access Sensitive areas of the application must be protected from unauthorized access. .htaccess Order Deny,Allow Deny from all Allow from 127.0.0.1
  • 21. WordPress security Prevent brute-forcing • Add CAPTCHA • Blacklist attackers • Lock accounts Write a plugin that will lock an account for a predefined period of time after a number of failed attempts.
  • 22. WordPress security Add blank index.php This should be covered by Apache configuration, but it’s not always the case.
  • 23. WordPress security Missing blank index.php
  • 24. WordPress security Force encryption on data in transit There are cases where both port 80 and 443 are used. Sensitive operations must use SSL: define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true);
  • 25. Scope • General security • Infrastructure security • WordPress security • Large scale integration
  • 26. Large scale integration Large scale integration • Creating a standard image • LDAP integration & Single Sign On • Multisites • Unified management of multiple installations
  • 27. Large scale integration Creating a standard image • Blank image (no data) • All the updates • All the basic shared plugins and themes (&data?) Purpose: • Testing ground for new stuff • Create new instances, secure by default
  • 28. Large scale integration LDAP integration & Single Sign On • Integration with Active Directory • Single Sign On (SSO) Why? • Centralized user management • Use existing hierarchy
  • 29. Large scale integration Multisites • Built-in WordPress functionality • End users can create their own sites on demand Downside • Shared components (plugins)
  • 30. Large scale integration Unified management of multiple installations • Self-hosted and cloud solutions Why? • Centralized login and management • Push updates to all instances
  • 31. What’s next? Next steps • Contribute to the project Wordpress Security Implementation Guideline • Share the knowledge • Write secure code for WordPress • Help others
  • 32. Q&A