iThemes presentation

This presentation covers WordPress security using the popular iThemes Security plugin. We go over details and settings for both the free and premium versions of the plugin.

  • Four key components to WP security
  • We use WP Engine. They keep daily backups for 30 days and have a partnership with Sucuri for scanning hacked sites and fixing issues
  • This gives attackers fewer avenues for gaining access.
  • Formerly BetterWPSecurity (believe the free version still shows up as that in the file directory)
    - Upon activating iThemes Security you’ll get the important first steps screen
  • Good idea to take care of high priority items
  • Need to allow iThemes to write to the wp-config.php file
  • Error messages to display to users / hosts for different lockout reasons
  • Allows users / hosts to be banned for hitting a certain limit of lockouts within a certain time period
  • If you’re forgetful you may want to whitelist your IP.
    - Use this sparingly
  • Detects hosts that are hitting an unusually high number of 404 pages
    - This can occur when an attacker is scanning for known vulnerabilities in plugins and themes on your site and those files don’t exist
  • Lets you completely block access to the backend during certain periods
    - Can set up daily or one-time limits
  • Allows you to use hackrepair.com’s list of known bad hosts / bots
    - Enabling Ban Users lets you permanently ban bad hosts
  • Brute Force Protection lets you limit the number of bad login attempts before temporarily locking out the offending host
  • Good idea to avoid the iThemes defaults: as the plugin becomes more widely used, attackers will learn the defaults (not a big thing)
  • Lets you get a copy of the database emailed or stored on the server
    - I’d suggest using other backup software that lets you store backups at an external source such as Dropbox or Google Drive
  • Can detect if files were changed and show which files
    - Can be annoying with plugin / theme updates
  • Makes it harder for an attacker to find your login area
  • Allows you to force SSL if you have it set up on your server
  • Allows you to force users at or above a certain role to use a strong password
  • Probably good to have these on for most simple WordPress sites
  • Removing the generator meta tag and displaying a random version makes it more difficult for an attacker to zero in on known vulnerabilities in past versions
    - Who doesn’t want to reduce comment spam?
  • Disabling the file editor hides the edit function from the Plugins and Appearance menus. If you edit your theme directly from the WP-Admin you’ll want to leave the file editor on. I always edit my code from a separate program as it is more secure to have the file editor hidden.
  • I don’t mess with replacing the jQuery version as it could cause issues with theme functionality if the theme was built for a specific version
    - I generally leave the login error message enabled
    - Forcing a unique nickname helps prevent users from displaying their username within a post.
  • Allows you to change the admin username if ‘admin’ exists and change the user id if there is a user with id of 1.
    - Both are good to do as an attacker usually knows that account has the most access
  • Salts are secret keys used by WordPress in the wp-config.php file to increase security. These can be updated from iThemes.
    - I generally don’t mess with this as I generate salts during the initial WordPress install
  • This one can be tricky. It’s probably unnecessary on WP-specific hosts as they’ll have measures in place to protect wp-content and may not even allow you to change the name of this directory
  • Changing the database prefix to something other than wp_ is good to make it harder for an attacker to find your database tables
  • These are some of the pro features for the paid version
    - Privilege escalation lets you temporarily increase a user’s privileges, say if you have a developer that needs admin access for a week
  • Pro also gives you more password options such as:
    - adding a password generator to user profiles
    - setting password expirations
    - and forcing users to change their password on their next login
  • You can also add a Google reCAPTCHA field to your login screen that will help to prevent people from brute forcing your site
  • Pro also allows you to give users the option of Two Factor Authentication through the Google Authenticator app.
    - This requires users to enter a specially generated 6-digit code from their phone when logging into the site
    - A huge increase in security
  • User logging lets you track actions of users at or above a certain role
    - Actions like logging in and saving content

    1. WordPress Security using iThemes Security
       Jason Yingling | Lead Developer, Red8 Interactive | red8interactive.com
       @jason_yingling | jasonyingling.me
    2. HHAM
       • Hosting
       • Hardening
       • Access
       • Maintenance
    3. WordPress Hosting
       • Support for latest software
       • Optimized for running WordPress
       • Malware scanning
       • Work with WordPress 24/7
       • Backups
    4. Hardening
       • Protecting your site from common security risks
         – Don’t use the ‘admin’ username
         – Strong passwords
         – Hide the login area
         – Brute Force Protection
         – 404 Protection
         – Malware scanning
    5. Access
       • Minimize number of administrators
       • Remove file editing from dashboard
       • Two Factor Authentication
    6. Maintenance
       • Keep WordPress up to date
       • Keep plugins up to date
       • Remove unused themes and plugins
    7. iThemes Security
    8. iThemes Landing Page
       • Broken down into high priority, medium priority, and low priority
    9. Global Settings
       • Write to wp-config.php
       • Emails for lockout notifications, file change warnings, etc.
    10. Global Settings
       • Error messages to display to locked out users
    11. Global Settings
       • Enables blacklisting repeat offenders
       • Good idea to switch these up from the defaults
    12. Global Settings
       • Enables blacklisting repeat offenders
       • Good idea to switch these up from the defaults
    13. 404 Detection
       • Blocks attackers scanning for known vulnerabilities
    14. Away Mode
       • Allows for disabling access to the dashboard between certain hours
       • Do you really need to be able to edit 24/7?
       • Taking a vacation
    15. Banned Users
       • Enable HackRepair.com’s blacklist feature
       • Enable Ban Users
       • Permanently bans attackers’ IPs
    16. Brute Force Protection
       • Limit the number of bad login attempts before temporarily locking out the offending host
    17. Brute Force Protection
       • Switch it up from the default
       • 4 Max Login Attempts Per Host
       • 9 Max Login Attempts Per User
       • 6 Minutes to Remember Bad Login
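The lockout settings on slides 11 to 13 and 16 to 17 (and the matching speaker notes) are all counters over a sliding time window: too many failed logins or 404s from one host inside the window locks that host out for a while, and repeated lockouts turn into a permanent ban. The Python below is an added example written for this page, not code from the iThemes Security plugin. It uses the thresholds recommended on slide 17 (4 attempts per host, 9 per user, 6-minute window); the 404 limit, the lockout length and the number of lockouts before a ban are assumed values, not plugin defaults, and the whitelist mirrors the "whitelist your IP" note. Every host, username and timestamp in it is constructed.

```python
"""Sliding-window lockout logic of the kind iThemes Security applies.
Added example, not plugin code. Thresholds follow slide 17 (4 per host,
9 per user, 6-minute window); the 404 limit, lockout length and ban
threshold are assumed values, not plugin defaults."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LockoutTracker:
    def __init__(self, host_limit=4, user_limit=9, window_minutes=6,
                 not_found_limit=20, lockout_minutes=15, ban_after_lockouts=3):
        self.window = timedelta(minutes=window_minutes)
        self.lockout_for = timedelta(minutes=lockout_minutes)
        self.host_limit = host_limit
        self.user_limit = user_limit
        self.not_found_limit = not_found_limit
        self.ban_after = ban_after_lockouts
        self._fails_by_host = defaultdict(deque)
        self._fails_by_user = defaultdict(deque)
        self._404_by_host = defaultdict(deque)
        self._host_lock_until = {}
        self._user_lock_until = {}
        self._host_lockouts = defaultdict(int)  # lifetime lockout count per host
        self.banned = set()      # hosts that are blocked permanently
        self.whitelist = set()   # trusted IPs that are never locked out

    def _recent(self, queue, now):
        # Drop events older than the window and return how many remain.
        while queue and now - queue[0] > self.window:
            queue.popleft()
        return len(queue)

    def _lock_host(self, host, now):
        self._host_lock_until[host] = now + self.lockout_for
        self._host_lockouts[host] += 1
        if self._host_lockouts[host] >= self.ban_after:
            self.banned.add(host)          # repeat offender: blacklist it
            return "host-ban"
        return "host-lockout"

    def is_blocked(self, host, now, username=None):
        if host in self.whitelist:
            return False
        if host in self.banned:
            return True
        if now < self._host_lock_until.get(host, datetime.min):
            return True
        return username is not None and now < self._user_lock_until.get(username, datetime.min)

    def failed_login(self, host, username, now):
        """Record a bad login; return the lockout decision, or None."""
        if host in self.whitelist:
            return None
        self._fails_by_host[host].append(now)
        self._fails_by_user[username].append(now)
        if self._recent(self._fails_by_host[host], now) >= self.host_limit:
            self._fails_by_host[host].clear()
            return self._lock_host(host, now)
        if self._recent(self._fails_by_user[username], now) >= self.user_limit:
            # Many hosts hammering one account: lock the username, not the host.
            self._fails_by_user[username].clear()
            self._user_lock_until[username] = now + self.lockout_for
            return "user-lockout"
        return None

    def not_found(self, host, now):
        """Record a 404 from a host; a burst of them looks like a vulnerability scan."""
        if host in self.whitelist:
            return None
        self._404_by_host[host].append(now)
        if self._recent(self._404_by_host[host], now) >= self.not_found_limit:
            self._404_by_host[host].clear()
            return self._lock_host(host, now)
        return None


if __name__ == "__main__":
    # Constructed replay: one host (TEST-NET-3 address) fails four times in two minutes.
    t0 = datetime(2015, 6, 1, 12, 0, 0)
    tracker = LockoutTracker()
    for i in range(4):
        print(i, tracker.failed_login("203.0.113.7", "admin", t0 + timedelta(seconds=30 * i)))
    print("blocked at +2 min:", tracker.is_blocked("203.0.113.7", t0 + timedelta(minutes=2)))
    print("blocked at +20 min:", tracker.is_blocked("203.0.113.7", t0 + timedelta(minutes=20)))
```

Per-host and per-user limits exist for different attacks: one host guessing many passwords trips the host limit, while a distributed guess against a single account trips the user limit without any one host exceeding four failures. Clearing the queue on lockout means a host that keeps trying after expiry has to exceed the limit again before the lockout count grows toward the ban.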
    18. Database Backups
       • Sends a database backup via email or stores it on the server
       • Plugins
         – BackupBuddy
         – BackWPUp
         – WPmudev Snapshot
         – VaultPress
    19. File Change Detection
       • Allows you to include and exclude specific files that may change often
       • Helpful to see what files were changed if an attack happens
    20. Hide Login Area
       • Change login URL from /wp-admin
       • Makes it more difficult for an attacker to find the login area
       • Avoid using iThemes default /wplogin
    21. SSL
       • Requires SSL setup on server
       • Allows you to force SSL for Dashboard
    22. Strong Passwords
       • Enables you to force strong passwords for users in certain user roles
    23. System Tweaks
       • Some of this may be performed by your host
       • Good idea to have on unless you know something conflicts on your site
    24. WordPress Tweaks
    25. WordPress Tweaks
    26. WordPress Tweaks
    27. Advanced Settings
       • Change name of ‘admin’ user
       • Change user with id of 1
    28. Advanced Settings
       • Change WordPress salts
    29. Advanced Settings
       • Change name of wp-content directory
       • Not necessary on most WP specific hosts
    30. Advanced Settings
       • Change database prefix to make your tables harder to find
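Several of the settings above (forcing SSL on the dashboard on slide 21, hiding the file editor from the WordPress Tweaks notes, the salts on slide 28 and the table prefix on slide 30) end up as lines in wp-config.php, which is why the plugin asks for write access to that file on slide 9. The Python below is an added example for this page, not plugin code: it audits a wp-config.php for those settings and inserts the two WordPress constants (DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN) that are missing. The sample configuration is constructed and only mimics the stock file's layout; "put your unique phrase here" is WordPress's own placeholder text for unset salts.

```python
"""Audit and harden wp-config.php settings discussed on slides 21, 24-26, 28
and 30. Added example for this page; not part of iThemes Security."""
import re

# Constructed sample resembling a stock wp-config.php; not a real site's file.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
/* That's all, stop editing! Happy publishing. */
require_once(ABSPATH . 'wp-settings.php');
"""

# Real WordPress constants: hide the Plugins/Appearance editor, force SSL on wp-admin.
REQUIRED_DEFINES = {
    "DISALLOW_FILE_EDIT": "true",
    "FORCE_SSL_ADMIN": "true",
}
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SALT_PLACEHOLDER = "put your unique phrase here"
STOP_MARKER = "/* That's all, stop editing!"

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_defines(src):
    """Map constant name -> raw PHP value text for every single-line define()."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(src)}


def audit(src):
    """Return a list of findings; an empty list means nothing was flagged."""
    defines = parse_defines(src)
    findings = []
    for name, value in REQUIRED_DEFINES.items():
        if defines.get(name) != value:
            findings.append(f"{name} is not set to {value}")
    for key in SALT_KEYS:
        if key not in defines or SALT_PLACEHOLDER in defines[key]:
            findings.append(f"{key} is missing or still the placeholder")
    m = PREFIX_RE.search(src)
    if not m or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings


def harden(src):
    """Insert missing hardening defines before the stop-editing marker and fix
    wrong values in place. Salts and the prefix are only reported: changing the
    prefix also means renaming the tables, and salts need regenerating once."""
    defines = parse_defines(src)
    additions = []
    for name, value in REQUIRED_DEFINES.items():
        if name not in defines:
            additions.append(f"define('{name}', {value});")
        elif defines[name] != value:
            src = re.sub(rf"""define\(\s*['"]{name}['"]\s*,\s*.+?\s*\)\s*;""",
                         f"define('{name}', {value});", src)
    if not additions:
        return src
    block = "\n".join(additions) + "\n"
    idx = src.find(STOP_MARKER)
    if idx == -1:
        return src.rstrip("\n") + "\n" + block
    return src[:idx] + block + src[idx:]


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG):
        print("before:", finding)
    for finding in audit(harden(SAMPLE_WP_CONFIG)):
        print("after: ", finding)
```

The defines go above the "stop editing" comment because WordPress reads wp-config.php before wp-settings.php is included, so constants placed after the require line are too late to take effect.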
    31. iThemes Security Pro
       • Allows you to temporarily bump a user’s access
    32. iThemes Security Pro
       • More password options
       • Password generator on user profile
       • Password expiration
       • Force password change
    33. iThemes Security Pro
       • Use Google’s reCAPTCHA for login, registration, and commenting
    34. iThemes Security Pro
       • Allow users to set up Two Factor Authentication using the Google Authenticator app
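The six-digit codes the Google Authenticator app produces on slide 34 are time-based one-time passwords (TOTP, RFC 6238): the phone and the site share a secret, and both derive the code from that secret and the current 30-second time slot. The Python below is an added example for this page and not iThemes Security Pro's own implementation. It shows the code the app computes and the server-side check a login would perform, including tolerance for a slightly wrong phone clock and rejection of a code that has already been used. The key in it is the published RFC 4226/6238 test key, chosen only so the outputs are known values; nothing from the presentation is used.

```python
"""TOTP (RFC 6238) generation and server-side verification of the kind a
Google Authenticator two-factor login performs. Added example; not plugin code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890") and its
# base32 form, the format authenticator apps are enrolled with. Test data only.
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_shared_secret():
    """Base32 secret to store for the user and encode into the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30):
    """The 6-digit code the phone app shows at time 'at' (default: now)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step)


class TotpVerifier:
    """Checks submitted codes, tolerating +/- 'window' time steps of clock
    drift and refusing to accept the same time step twice (one code, one login)."""

    def __init__(self, base32_secret, window=1, step=30):
        self.key = base64.b32decode(base32_secret.upper())
        self.window = window
        self.step = step
        self.last_counter = -1   # persist this per user in a real deployment

    def verify(self, submitted, at=None):
        if at is None:
            at = time.time()
        centre = int(at) // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue                  # already used, or older than a used code
            if hmac.compare_digest(hotp(self.key, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code at T=59 :", totp(RFC_TEST_KEY, at=59))          # 287082 per RFC 6238
    v = TotpVerifier(RFC_TEST_SECRET_B32)
    print("first use    :", v.verify("287082", at=59))           # True
    print("replayed     :", v.verify("287082", at=59))           # False
    print("fresh secret :", new_shared_secret())
```

The constant-time comparison and the replay check are the parts a login handler tends to get wrong: a plain string comparison leaks timing, and without remembering the last accepted time step a code captured in transit remains valid for the rest of its 30-second slot plus the drift window.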
    35. iThemes Security Pro
       • Log user activities at a certain role such as login, saving content, and more
    36. Locked yourself out?
       • Log in to your database via phpMyAdmin or a program like Sequel Pro
       • Navigate to the itsec_lockouts table
       • Delete the row with your IP
    37. Locked yourself out?
       • Disable plugin via FTP
       • Navigate to /wp-content/plugins
       • Rename the ithemes-security plugin directory
    38. Questions?
       • Jason Yingling | Red8 Interactive
       • @jason_yingling
       • http://jasonyingling.me