Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
WordPress 
Security Implementation Guideline 
Good practices and 
epic fails of WordPress implementations
About Me 
• Information Security Consultant 
– Application Security 
– Secure SDLC 
Dan VASILE 
http://www.pentest.ro 
dan...
Why do I talk about WordPress? 
• I use WordPress 
• Previous talk @OWASP Ro InfoSec Conf 2013 
• Working with 3rd parties...
Why do I talk about WordPress? 
WordPress Security Implementation Guideline
Scope 
• Not just WordPress but Open Source adoption 
• Framework for secure implementation 
• Large scale integration
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
General & Infrastructure Security 
General security
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
General & Infrastructure Security 
Infrastructure security
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large-scale integration
WordPress security 
WordPress Security Implementation Guideline 
20 subjects 
3 main components: 
• Core 
• Plugins 
• The...
WordPress security 
Updates 
3 main types of updates: 
• Core 
• Minor 
• Major 
WordPress > v3.7 – automatic updates for ...
WordPress security 
Updates 
Turn on auto-updates for Major/Core 
define( 'WP_AUTO_UPDATE_CORE', true ); 
For plugins and ...
WordPress security 
Choose plugins carefully
WordPress security 
Backup 
What? 
• Files 
• Core installation, plugins, themes, images & files 
• Database 
How? 
Manual...
WordPress security 
Backup horror story 1 
The good 
• Daily backup, files & database, 365 days retention 
policy 
The bad...
WordPress security 
Backup horror story 2 
The good 
• Proper backup to the cloud 
The bad 
• Backup credentials stored in...
WordPress security 
User roles 
• Super Admin 
• Administrator 
• Editor 
• Author 
• Contributor 
• Subscriber
WordPress security 
Restricting access 
Sensitive areas of the application must be protected 
from unauthorized access. 
....
WordPress security 
Prevent brute-forcing 
• Add CAPTCHA 
• Blacklist attackers 
• Lock accounts 
Write a plugin that will...
WordPress security 
Add blank index.php 
This should be covered by Apache configuration, 
but it’s not always the case.
WordPress security 
Missing blank index.php
WordPress security 
Force encryption on data in transit 
There are cases where both port 80 and 443 are 
used. 
Sensitive ...
Scope 
• General security 
• Infrastructure security 
• WordPress security 
• Large scale integration
Large scale integration 
Large scale integration 
• Creating a standard image 
• LDAP integration & Single Sign On 
• Mult...
Large scale integration 
Creating a standard image 
• Blank image (no data) 
• All the updates 
• All the basic shared plu...
Large scale integration 
LDAP integration & Single Sign On 
• Integration with Active Directory 
• Single Sign On (SSO) 
W...
Large scale integration 
Multisites 
• Built-in WordPress functionality 
• End users can create their own sites on 
demand...
Large scale integration 
Unified management of multiple installations 
• Self-hosted and cloud solutions 
Why? 
• Centrali...
What’s next? 
Next steps 
• Contribute to the project 
Wordpress Security Implementation Guideline 
• Share the knowledge ...
Q&A
Upcoming SlideShare
Loading in …5
×

1

Share

Download to read offline

WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

Download to read offline

This project aims for a unified approach on WordPress security design and implementation. It is definitely more than a checklist, it's a guide for secure implementation and an invitation to consider and to analyze each individual case.

There is a long list of recommended resources for securing aspects of the WordPress implementation. The project is aimed to offer open source or free resources instead of commercial ones. Some plugins have a free version and a paid one that offers extra functionality. In such cases, the focus of the project was on the free version.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

  1. 1. WordPress Security Implementation Guideline Good practices and epic fails of WordPress implementations
  2. 2. About Me • Information Security Consultant – Application Security – Secure SDLC Dan VASILE http://www.pentest.ro dan@pentest.ro @DanCVasile
  3. 3. Why do I talk about WordPress? • I use WordPress • Previous talk @OWASP Ro InfoSec Conf 2013 • Working with 3rd parties on secure WordPress implementation • The project: WordPress Security Implementation Guideline
  4. 4. Why do I talk about WordPress? WordPress Security Implementation Guideline
  5. 5. Scope • Not just WordPress but Open Source adoption • Framework for secure implementation • Large scale integration
  6. 6. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  7. 7. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  8. 8. General & Infrastructure Security General security
  9. 9. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  10. 10. General & Infrastructure Security Infrastructure security
  11. 11. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  12. 12. WordPress security WordPress Security Implementation Guideline 20 subjects 3 main components: • Core • Plugins • Themes Manual activities & plugin alternatives
  13. 13. WordPress security Updates 3 main types of updates: • Core • Minor • Major WordPress > v3.7 – automatic updates for Minor
  14. 14. WordPress security Updates Turn on auto-updates for Major/Core define( 'WP_AUTO_UPDATE_CORE', true ); For plugins and themes add a filter add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
  15. 15. WordPress security Choose plugins carefully
  16. 16. WordPress security Backup What? • Files • Core installation, plugins, themes, images & files • Database How? Manual vs Automatic
  17. 17. WordPress security Backup horror story 1 The good • Daily backup, files & database, 365 days retention policy The bad • No geographical redundancy, no disaster recovery plan The ugly • HDD fail on main machine, faulty HDD on the backup machine • Missing data and database structure
  18. 18. WordPress security Backup horror story 2 The good • Proper backup to the cloud The bad • Backup credentials stored in clear text The ugly • Attacker compromising site and deleting backups
  19. 19. WordPress security User roles • Super Admin • Administrator • Editor • Author • Contributor • Subscriber
  20. 20. WordPress security Restricting access Sensitive areas of the application must be protected from unauthorized access. .htaccess Order Deny,Allow Deny from all Allow from 127.0.0.1
  21. 21. WordPress security Prevent brute-forcing • Add CAPTCHA • Blacklist attackers • Lock accounts Write a plugin that will lock an account for a predefined period of time after a number of failed attempts.
  22. 22. WordPress security Add blank index.php This should be covered by Apache configuration, but it’s not always the case.
  23. 23. WordPress security Missing blank index.php
  24. 24. WordPress security Force encryption on data in transit There are cases where both port 80 and 443 are used. Sensitive operations must use SSL: define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true);
  25. 25. Scope • General security • Infrastructure security • WordPress security • Large scale integration
  26. 26. Large scale integration Large scale integration • Creating a standard image • LDAP integration & Single Sign On • Multisites • Unified management of multiple installations
  27. 27. Large scale integration Creating a standard image • Blank image (no data) • All the updates • All the basic shared plugins and themes (&data?) Purpose: • Testing ground for new stuff • Create new instances, secure by default
  28. 28. Large scale integration LDAP integration & Single Sign On • Integration with Active Directory • Single Sign On (SSO) Why? • Centralized user management • Use existing hierarchy
  29. 29. Large scale integration Multisites • Built-in WordPress functionality • End users can create their own sites on demand Downside • Shared components (plugins)
  30. 30. Large scale integration Unified management of multiple installations • Self-hosted and cloud solutions Why? • Centralized login and management • Push updates to all instances
  31. 31. What’s next? Next steps • Contribute to the project Wordpress Security Implementation Guideline • Share the knowledge • Write secure code for WordPress • Help others
  32. 32. Q&A
  • MinhTrietPhamTran

    Aug. 28, 2015

This project aims for a unified approach on WordPress security design and implementation. It is definitely more than a checklist, it's a guide for secure implementation and an invitation to consider and to analyze each individual case. There is a long list of recommended resources for securing aspects of the WordPress implementation. The project is aimed to offer open source or free resources instead of commercial ones. Some plugins have a free version and a paid one that offers extra functionality. In such cases, the focus of the project was on the free version.

Views

Total views

4,270

On Slideshare

0

From embeds

0

Number of embeds

2,843

Actions

Downloads

13

Shares

0

Comments

0

Likes

1

×