
Basic WordPress Security 2018 - WordCamp ABQ

Presentation on basic WordPress Security Issues at WordCamp Albuquerque (ABQ)


  1. WordPress Security. Kim Kuhlman, PhD, Blue Sky Digital Strategy, LLC
  2. What? (1/19/18)
     - Why do YOU need Website Security?
     - HTTPS & SSL
     - 4 Laws of Website Security
     - Firewalls
     - iQ Block Country
     - Security Plugins
     - Testing your Website Security
     - Other "Reputation Management" Considerations
  3. The Fount of All Knowledge. You have access to the greatest trove of information in the history of the planet, and the amount of information is growing faster every single day.
  4. All you have to do is ASK.
  5. GOOGLE (or Bing if you must). If you encounter an error message, the chances are very good that someone has been kind enough to post the solution somewhere. Caveat: be careful with code snippets. Don't copy code into your site without reading it and understanding what it does; you may inadvertently install a backdoor (pasted "fixes" that fetch and eval() remote code or quietly create an extra administrator are a classic way sites get owned).
  6. WordPress Security
     - Why do you need it?
       - Protecting your digital assets
       - Examples of WordPress hacks
     - What can you do?
       - WordPress core
       - Backups
       - Firewalls
       - Security plugins
  7. HTTPS & SSL
     - HTTPS (Hypertext Transfer Protocol Secure)
       - Encrypts data in transit between the client (browser) and the server (your WordPress site), so login passwords and session cookies cannot be read or altered on the wire.
       - Required for any payment gateway such as Stripe.
     - SSL certificate (strictly a TLS certificate; SSL itself is obsolete, but the name stuck)
       - Use a reputable certificate authority or reseller.
       - Proper .htaccess redirects: don't let your site answer on both http and https. Redirect every plain-http request to https, otherwise a visitor who types the bare domain (or follows an old link) logs in over an unencrypted connection.
       - This alone does NOT make your WordPress site secure: TLS protects the transport, not the application behind it.
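The redirect the slide asks for, written out as an added example (it is not from the talk or from any of the HTTPS plugins pictured on the next slide). It assumes Apache with mod_rewrite and mod_headers enabled, and the X-Forwarded-Proto condition is an assumption about hosts that terminate TLS at a load balancer or proxy in front of Apache:

```apache
# Added example, not part of the original slides.
# Place above the "# BEGIN WordPress" block in the site's .htaccess so it runs
# before WordPress's own rewrite rules.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Redirect only when the request did NOT arrive over TLS. %{HTTPS} is set by
    # mod_ssl; the X-Forwarded-Proto check covers hosts whose proxy terminates
    # TLS and hands Apache plain http. If your proxy does not send that header,
    # drop the second condition or you will create a redirect loop.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    # Permanent (301) redirect, keeping host, path and query string intact.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # HSTS: once a browser has seen this over https it refuses plain http for
    # max-age seconds, which closes the window the redirect above leaves open.
    # env=HTTPS limits the header to TLS responses (it is meaningless on http).
    # Start with a short max-age (e.g. 300) and without includeSubDomains until
    # every subdomain serves valid TLS, because the browser will enforce it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
```

On the WordPress side, set FORCE_SSL_ADMIN to true in wp-config.php so the dashboard and login never fall back to http, and if the site sits behind a TLS-terminating proxy, populate $_SERVER['HTTPS'] from the forwarded-proto header in wp-config.php as well; otherwise WordPress's is_ssl() returns false and it keeps generating http links.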
  8. HTTPS Plugins (screenshot)
  9. First Law of Website Security: NOTHING is unhackable.
  10. Protect Your Digital Asset
     - Investment of time/money
     - Traffic (e.g. ad revenue)
     - Online store (real revenue)
     - Your reputation (intangible)
  11. Why?
     - Every week Google blacklists websites: about 20,000 for malware and 50,000 for phishing.
     - Sucuri estimates that only about 15% of infected websites get blacklisted. The other 85% keep serving malware to visitors with no warning at all.
     - Being flagged can be devastating:
       - Visitors get a browser warning page instead of your site
       - Your search ranking drops
       - Email from your domain stops being delivered
  12. Most Infamous WordPress Hack
     - What is Mossack Fonseca?
     - Ever hear of the Panama Papers?
       - Data released in April 2016.
       - Partly a WordPress hack through an out-of-date Revolution Slider plugin on the firm's site; a compromise of their email system was also involved.
       - 2.6 TB of data containing nearly 40 years of records.
       - Widespread illicit financial activity and tax evasion through shell companies.
       - > $135B lost by almost 400 companies.
       - 140 politicians from more than 50 countries.
       - Still running WordPress, but now behind a web application firewall (WAF).
  13. Who Got Burned? (chart)
  14. Recent Examples
     - Captcha plugin backdoor
       - Popular plugin with >300K active installs.
       - Sold to a new owner in September 2017.
       - The new owner shipped an update containing a backdoor that let them inject cloaked backlinks into affected websites. Lesson: an update from a plugin you trust is only as trustworthy as whoever owns it today.
     - Cryptomining campaign driven by brute-force attacks
       - Brute-forced WordPress logins, then installed malware that put the sites under botnet command & control.
       - Used the stolen server resources both to launch further attacks and to mine Monero.
       - Malware detected by a Wordfence scan.
       - Check your server resources (unexplained CPU load is the tell), and monitor blacklists.
       - Harden your site against brute-force attacks (BFAs).
  15. WordPress Core
     - Open source.
     - Very secure: audited continuously by a large community of developers and security researchers, with fast patch releases.
     - You MUST keep it UPDATED, and especially all plugins and themes.
  16. Misconception
     - Misconception that WordPress is not secure.
     - WordPress is the most hacked CMS, but only because it is by far the most used.
  17. Sucuri Analyses 2016
     - The distribution of infected websites by platform mirrors the distribution of all websites.
     - Only 55-61% of hacked WordPress sites were running outdated core at the time of infection. The rest were fully patched, which means the attacker got in some other way: plugins, themes, stolen or guessed credentials, or the host itself.
     (Source: Sucuri 2016 Q3 Hacked Website Report)
  18. Most Vulnerable Plugins (chart from the Sucuri 2016 Q3 Hacked Website Report)
  19. Third-Party Themes and Plugins
     - Thousands of them available with every imaginable functionality.
     - They are your greatest vulnerability: every plugin and theme runs with the same PHP and database privileges as WordPress itself, so a bug in any of them is a bug in your site.
     - Prefer those that are widely used, well reviewed and recently updated.
     - Only purchase plugins/themes from reputable authors; never install "nulled" copies, which are a common carrier for backdoors.
     - Keep them UPDATED, and delete the ones you don't use: deactivated plugins still leave their PHP files on disk where they can be hit directly.
  20. Second Law of Website Security: The Principle of Least Privilege.
  21. Role Control
     - Give your users only the access privileges they need.
       - If a user can destroy something, they will. And if an attacker phishes that user, the attacker inherits exactly the same privileges.
       - Plugins such as Adminimize hide menu items and screens you don't want users to see. Hiding is not enforcing: the underlying capability still exists, so this is convenience, not security.
       - Plugins like Capability Manager Enhanced actually modify the capabilities of the standard WordPress roles, which is what least privilege requires.
  22. Strong Passwords & Unique Nicknames
     - Enforce strong passwords.
       - Users will complain, but they'll get over it.
       - Use passphrases like "Mary had a little lamb"; length matters far more than symbol rules.
       - NEVER keep a user account named "admin". If you have it, create a new administrator, log in as that, and delete "admin" (reassigning its posts). A brute-force attack needs a valid username, and "admin" is the first one every seed list tries with common passwords.
     - Force users to use unique nicknames.
       - Attackers harvest usernames from author pages. Changing the nickname (display name) only hides the login from the page text: the author archive URL /author/<slug>/ uses the user slug, which defaults to the login name, and /?author=N redirects straight to it. Block that enumeration as well.
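The Role Control and Strong Passwords slides above describe three controls that a must-use plugin can enforce in code rather than through a plugin UI: a genuinely restricted role, a passphrase policy, and closing the username-enumeration routes. The following is an added example for this page, not code from the talk or from Adminimize, Capability Manager Enhanced or iThemes Security; the role name, capability list, 16-character minimum and the small deny-list are assumptions to adapt, and the WordPress hooks and functions used are core APIs.

```php
<?php
/**
 * Plugin Name: Least-privilege hardening (added example)
 * Description: Added example for the WordCamp ABQ slides, not code from the
 * talk or any plugin it names. Save as wp-content/mu-plugins/least-privilege.php;
 * must-use plugins load before normal plugins and cannot be deactivated from
 * the dashboard. Role name, capabilities, length and deny-list are assumptions.
 */

// 1. Least privilege for roles. A "content_editor" role that can write and
//    publish its own posts but cannot install plugins, edit theme files or
//    manage users. add_role() persists to the database and returns null when
//    the role already exists, so running this on every request is safe.
add_action('init', function () {
    if (get_role('content_editor') === null) {
        add_role('content_editor', 'Content Editor', [
            'read'                 => true,
            'edit_posts'           => true,
            'edit_published_posts' => true,
            'publish_posts'        => true,
            'delete_posts'         => true,
            'upload_files'         => true,
        ]);
    }
    // unfiltered_html lets an account paste raw <script> into a post, so a
    // phished editor becomes a stored-XSS / backdoor vector. Editors rarely
    // need it. remove_cap() persists, hence the has_cap() guard.
    $editor = get_role('editor');
    if ($editor !== null && $editor->has_cap('unfiltered_html')) {
        $editor->remove_cap('unfiltered_html');
    }
});

// 2. Passphrases. Length beats character-class rules: "Mary had a little lamb"
//    passes, "P@ssw0rd!" does not. Returns null when acceptable, otherwise the
//    message to show the user.
function lp_check_passphrase(string $pass, string $login): ?string
{
    if (mb_strlen($pass) < 16) {
        return 'Passphrases must be at least 16 characters; try a sentence you will remember.';
    }
    if ($login !== '' && stripos($pass, $login) !== false) {
        return 'Your passphrase must not contain your username.';
    }
    // Seed-list favourites (assumed list). A real deployment would also check
    // the passphrase against a breached-password corpus.
    foreach (['password', 'wordpress', 'admin', 'qwerty', '123456', 'letmein'] as $bad) {
        if (stripos($pass, $bad) !== false) {
            return sprintf('Your passphrase must not contain "%s".', $bad);
        }
    }
    return null;
}

// Profile edits and new-user creation in wp-admin. $user->user_pass is only
// set when this request changes the password.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    $problem = lp_check_passphrase($user->user_pass, $user->user_login ?? '');
    if ($problem !== null) {
        $errors->add('weak_passphrase', $problem); // a non-empty WP_Error blocks the save
    }
}, 10, 3);

// The "lost password" reset form on wp-login.php.
add_action('validate_password_reset', function ($errors, $user) {
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return;
    }
    $problem = lp_check_passphrase(wp_unslash($_POST['pass1']), $user->user_login);
    if ($problem !== null) {
        $errors->add('weak_passphrase', $problem);
    }
}, 10, 2);

// 3. Stop username harvesting for anonymous visitors. /?author=1 normally 301s
//    to /author/<login-slug>/, leaking the login in the Location header, and
//    the REST API lists users (with their slugs) at /wp-json/wp/v2/users.
//    Logged-in users keep full access, so the dashboard still works.
add_action('init', function () {
    if (!is_admin() && isset($_REQUEST['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

Deleting the existing "admin" account is a one-time, deliberate action from the Users screen (delete, reassigning its content), not something to automate in a plugin. The capability edits here are the same kind of change Capability Manager Enhanced makes through its UI; the point of doing it in code is that it lives in version control and survives a plugin being deactivated.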
  23. Third Law of Website Security: Use Reliable Hosting.
  24. Shared Hosting
     - Many websites on a single server.
       - Budget solution.
       - Can be well over a hundred domains.
       - Shared resources.
       - Shared risks: if the server is compromised through just one of the websites, all of them are at risk.
     - Recommended
       - SiteGround
       - Stay away from shared hosts owned by Endurance International Group.
       - If you must, try Bluehost or DreamHost (recommended by …). Note that Bluehost is itself an Endurance brand; DreamHost is independent.
  25. Managed WordPress Hosting
     - These hosts specialize in WordPress.
       - VPS (Virtual Private Server)
       - Managed cloud hosting
       - Dedicated servers
     - Recommended
       - WP Engine
       - Liquid Web
  26. DIY Cloud Hosting
     - Cloud hosts
       - DigitalOcean
       - AWS (Amazon Web Services)
       - Google Cloud
       - UpCloud, etc.
     - Server Management -
       - Specializes in managing cloud servers running PHP.
       - Handles server updates, so the OS patching you get "for free" with managed hosting is not forgotten on a DIY VPS.
       - Ubuntu Linux
  27. Fourth Law of Website Security: Backup Your Website.
  28. Backup…?
     - ALWAYS back up your ENTIRE site.
       - Back up both your MySQL database and your site files (uploads, themes, plugins).
       - You don't necessarily need to back up the WordPress core files, which can be re-downloaded, but wp-config.php and .htaccess sit next to them and must be included.
     - Back up OFF-SITE.
       - Some plugins save backups inside your website's own files. Don't do this: a compromise or disk failure takes the backups with it, and a backup archive left in a web-accessible folder can be downloaded by anyone (it contains your database and its credentials).
       - Back up to Google Drive, AWS S3, Google Cloud, Dropbox, etc.
       - I like duplicate backup sets.
     - AUTOMATE your backups.
       - Choose a plugin that will schedule these for you.
       - Frequency depends on how often changes are made.
       - Test a restore occasionally; a backup you have never restored is a hope, not a plan.
  29. Backup Plugins
     - UpdraftPlus
       - 1+ million active installations.
       - Saves separate zip files of plugins, themes, uploads, other, and core.
       - Supports all major cloud services.
       - Automated.
       - Premium version allows backups to multiple services plus easy migration and cloning.
     - BackupBuddy (iThemes, premium)
       - Many of the features of UpdraftPlus.
       - I found migration and cloning difficult.
     - Many others in the WP repository: BackWPup, Jetpack, Duplicator, VaultPress, etc.
  30. Firewall Plugins (screenshot)
  31. Firewalls for WordPress
  32. NinjaFirewall
     - WP Edition
       - 20,000+ active installations.
       - Hooks into PHP with auto_prepend_file, so its request filtering runs before WordPress (or any plugin) loads. The directive is written into .htaccess on Apache/mod_php hosts or into .user.ini on PHP-FPM/CGI hosts, which is why the plugin needs write access to your site's root directory. PHP re-reads .user.ini only every few minutes by default (user_ini.cache_ttl), so changes are not instant. The .user.ini from the slide (account name elided):

```ini
; BEGIN NinjaFirewall
auto_prepend_file = /srv/users/~~~/public/wp-content/nfwlog/ninjafirewall.php
; END NinjaFirewall
```
  33. NF Policies #1 (screenshot)
  34. NF Policies #2 (screenshot)
  35. iQ Block Country
  36. iQ Block Country
     - Free plugin.
     - 30,000+ active installations.
     - Blocks access to the backend or the frontend based on the country of the visitor's IP address, looked up in MaxMind's GeoLite (GeoIP) database.
     - The database is free, but you must update it occasionally; a subscription gives automatic updates.
     - Block all except a whitelist. For the backend this is the useful mode: allow only the countries your editors actually log in from.
     - Caveat: geoblocking cuts the noise from opportunistic scanners, but it is not a security boundary. Anyone who cares can route through a VPN, a cloud server or a compromised host in a whitelisted country, and whitelist-only mode will lock you out when you travel unless you also allow your own address.
  37. iQ Block Country Backend Options (screenshot)
  38. Most Blocked Countries (screenshot)
  39. Most Blocked URLs (screenshot)
  40. Last Blocked URLs (screenshot)
  41. WordPress Security Plugins
  42. WordPress Security Plugins (screenshot)
  43. iThemes Security
     - Not the only solution.
     - Part of the iThemes Toolkit.
       - Worth it just for the WordPress training they provide.
       - iThemes Sync helps you keep core, plugins and themes up to date across your sites.
     - Many settings available.
     - Limits brute-force attacks: locks out hosts and usernames after repeated failed logins. No plugin can prevent the attempts, only make them unproductive.
     - Can interfere with PHP scripts you want to run (for example, its option to block direct PHP execution in the uploads directory), so test the site after enabling each module.
  44. iThemes Security Dashboard #1 (screenshot)
  45. iThemes Security Dashboard #2 (screenshot)
  46. Testing Your Security
  47. WPScan
     - Ruby command-line tool
       - Sponsored by Sucuri.
       - Run from the command line on Linux or macOS.
       - Enumerates the WordPress version, plugins, themes and users, and matches what it finds against a database of known vulnerabilities.
       - Can also be used to brute-force a WordPress site's logins, so only point it at sites you own or have written permission to test.
     - Online version of WPScan
       - You must agree that you have permission to scan the website.
     - WPScan tells you what an attacker can learn about your site and which known vulnerabilities apply. A clean scan is not proof that you are secure (remember the First Law); an unpatched finding is proof that you are not.
  48. Sucuri SiteCheck: almost certainly incorporates WPScan-style checks, since Sucuri sponsors WPScan. Its remote scan is built into iThemes Security.
  49. Wordfence "Gravityscan"
  50. Other Security Related Issues
  51. Email Security
     - DNS records that let receiving mail servers verify mail claiming to come from your domain. Without them, anyone can send phishing mail "from" you, and your own newsletters land in spam.
     - SPF (Sender Policy Framework)
       - Authorizes servers to send mail for your domain.
       - A TXT record on the domain of the form v=spf1 ~all. The mechanisms placed before ~all (your host's mail server, your newsletter service) name the permitted senders; ~all soft-fails everything else. The bare skeleton shown authorizes nobody, so every sender you use must be listed.
     - DKIM (DomainKeys Identified Mail)
       - The sending server signs selected headers and the message body with a private key; the matching public key is published in a TXT record at <selector>._domainkey.<domain>. Receivers fetch the key, verify the signature and so prove the message came from a holder of that key and was not altered in transit.
  52. DMARC Record
     - DMARC (Domain-based Message Authentication, Reporting and Conformance)
       - A DNS TXT record at _dmarc.<domain>.
       - Specifies a policy (p=none, quarantine or reject) telling receivers what to do with mail that fails both SPF and DKIM alignment with the From: address, and where to send aggregate reports (rua=).
       - Detects email spoofing, and with p=quarantine or p=reject lets receivers block it.
       - Combats phishing and email spam that abuse your domain.
       - Protects your email reputation and keeps you off email blacklists.
       - Start at p=none and read the reports before moving to reject, or you will block your own legitimate third-party senders that are not yet aligned.
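The two slides above describe the inputs (SPF result, DKIM result, the DMARC record) but not how a receiver combines them, which is exactly where deployments go wrong (an unaligned third-party sender fails DMARC even though SPF "passes"). The following is an added example for this page, not code from the talk; it is a minimal DMARC evaluator. The record text, domains and authentication results are constructed inputs, and org_domain() is deliberately simplified (real receivers use the Public Suffix List).

```php
<?php
// Added example for the Email Security and DMARC slides; not from the talk.
// Shows how a receiving server turns SPF + DKIM results and the sender's DMARC
// TXT record into a disposition. All inputs below are constructed.

/** Parse "v=DMARC1; p=reject; ..." into a tag => value map with RFC defaults. */
function parse_dmarc(string $txt): array
{
    $tags = [];
    foreach (explode(';', $txt) as $part) {
        if (strpos($part, '=') === false) {
            continue;
        }
        [$k, $v] = explode('=', $part, 2);
        $tags[strtolower(trim($k))] = trim($v);
    }
    if (($tags['v'] ?? '') !== 'DMARC1' || !isset($tags['p'])) {
        throw new InvalidArgumentException('v=DMARC1 and p= are required');
    }
    // adkim / aspf default to relaxed ("r"), pct to 100.
    return $tags + ['adkim' => 'r', 'aspf' => 'r', 'pct' => '100'];
}

/** Organizational domain, simplified to the last two labels.
 *  Real receivers consult the Public Suffix List (example.co.uk etc.). */
function org_domain(string $d): string
{
    $labels = explode('.', strtolower(rtrim($d, '.')));
    return implode('.', array_slice($labels, -2));
}

/** Identifier alignment: strict = exact match, relaxed = same org domain. */
function dmarc_aligned(string $from, string $auth, string $mode): bool
{
    $from = strtolower(rtrim($from, '.'));
    $auth = strtolower(rtrim($auth, '.'));
    return $mode === 's' ? $from === $auth : org_domain($from) === org_domain($auth);
}

/**
 * @param string $record_txt    TXT found at _dmarc.<record_domain> (receivers try
 *                              the From: domain first, then its org domain)
 * @param string $from_domain   domain of the visible From: header
 * @param string $spf_result    "pass" / "fail" / "none" for the envelope sender
 * @param string $spf_domain    envelope (MAIL FROM) domain SPF was checked on
 * @param string $dkim_result   "pass" / "fail" / "none"
 * @param string $dkim_domain   d= tag of the verified DKIM signature ("" if none)
 * @return array{dmarc: string, action: string}
 */
function dmarc_evaluate(string $record_txt, string $record_domain, string $from_domain,
                        string $spf_result, string $spf_domain,
                        string $dkim_result, string $dkim_domain): array
{
    $t = parse_dmarc($record_txt);
    // DMARC passes if EITHER mechanism passes AND its domain aligns with From:.
    // An SPF pass for the attacker's own envelope domain counts for nothing.
    $spf_ok  = $spf_result  === 'pass' && dmarc_aligned($from_domain, $spf_domain,  $t['aspf']);
    $dkim_ok = $dkim_result === 'pass' && dmarc_aligned($from_domain, $dkim_domain, $t['adkim']);
    if ($spf_ok || $dkim_ok) {
        return ['dmarc' => 'pass', 'action' => 'deliver'];
    }
    // On failure p= applies to the record's own domain, sp= (if present) to subdomains.
    // pct= (not applied here) lets a receiver enforce the policy on only that share
    // of failing mail, which is how you roll quarantine/reject out gradually.
    $is_sub = strcasecmp(rtrim($from_domain, '.'), rtrim($record_domain, '.')) !== 0;
    $policy = ($is_sub && isset($t['sp'])) ? $t['sp'] : $t['p'];
    return ['dmarc' => 'fail', 'action' => $policy];
}

// Constructed scenarios against one constructed record.
$record = 'v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com';

// 1. Newsletter sent by a third party: SPF passes for the bounce domain
//    bounce.example.com (relaxed alignment accepts it); DKIM is signed with the
//    ESP's own domain and does not align under adkim=s. Overall: pass.
$legit = dmarc_evaluate($record, 'example.com', 'example.com',
                        'pass', 'bounce.example.com', 'pass', 'esp-mailer.net');

// 2. Spoof: From: example.com, SPF passes only for the attacker's envelope
//    domain, no DKIM. Nothing aligns, so p=reject applies.
$spoof = dmarc_evaluate($record, 'example.com', 'example.com',
                        'pass', 'attacker.example', 'none', '');

// 3. Spoof of the subdomain news.example.com, record found at the org domain:
//    sp=quarantine applies instead of p=reject.
$sub = dmarc_evaluate($record, 'example.com', 'news.example.com',
                      'fail', 'attacker.example', 'none', '');

printf("newsletter: %s (%s)\nspoof: %s (%s)\nsubdomain spoof: %s (%s)\n",
    $legit['dmarc'], $legit['action'], $spoof['dmarc'], $spoof['action'],
    $sub['dmarc'], $sub['action']);
```

Scenario 1 is the case that bites most sites moving to p=reject: it only passes because the third party is configured to send with a bounce address under your domain. If the ESP used its own envelope domain and its own DKIM domain, the same legitimate newsletter would fail DMARC and be rejected, which is why the DMARC slide's advice to start at p=none and read the rua= reports first matters.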
  53. DMARC Example (screenshot of an aggregate-report summary, 11/1/17 – 1/18/18)
  54. Further Discussion: @blueskydigstrat