Basic WordPress Security 2018 - WordCamp ABQ

BlueSkyDigitalStrategy.com

WordPress Security
Kim Kuhlman, PhD
kim@blueskydigitalstrategy.com
Blue Sky Digital Strategy, LLC

What?
Ø  Why do YOU need Website Security?
Ø  HTTPS & SSL
Ø  4 Laws of Website Security
Ø  Firewalls
Ø  iQ Block Country
Ø  Security Plugins
Ø  Testing your Website Security
Ø  Other “Reputation Management” Considerations
1/19/18
2

The Fount of
All Knowledge
You have access to the greatest trove of
information in the history of the planet.
And, the amount of information is
accelerating every single day.
1/18/18
3

All you have
to do is ASK.
1/18/18
4

GOOGLE
(or Bing if you must)
If you encounter an error message, the chances are
very good that someone has been kind enough to
post somewhere about the solution.
Caveat: Be aware of code snippets. Don’t just copy
code without looking at it and understanding what it
does. You may inadvertently install a backdoor.
1/18/18
5

WordPress Security
Ø Why do you need it?
u  Protecting your Digital Assets
u  Examples of WordPress Hacks
Ø What can you do?
u  WordPress Core
u  Backups
u  Firewalls
u  Security Plugins
1/18/18
6

HTTPS & SSL
Ø  Secure Hypertext Transfer Protocol
u  Encrypted transfer of data between the client (browser) and
the server (your WordPress site).
u  Required for using any payment gateway such as Stripe.
Ø  Secured Socket Layer (SSL) Certiﬁcate
u  Use a reputable certiﬁcate reseller.
u  Proper .htaccess redirects (don’t allow both http and https
from your site.
u  This alone does NOT make your WordPress site secure.
1/18/18
7

https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress

HTTPS Plugins
1/19/18
8

First Law of
Website Security
NOTHING
is unhackable
1/18/18
9

Protect Your
Digital Asset
Ø Investment of Time/Money
Ø Traﬃc (e.g. ad revenue)
Ø Online Store (real revenue)
Ø Your Reputation (intangible)
1/18/18
10

Why?
Ø  Every week Google blacklists websites‡:
u  20,000 for malware
u  50,000 for phishing
Ø  Sucuri estimates that only about 15% of infected
websites get blacklisted. That means 85% of
infected sites are freely distributing malware*.
Ø  Being ﬂagged can be devastating
u  Aﬀect visitors accessing website
u  How it ranks
u  Deliverability of Email
‡http://www.wpbeginner.com/wordpress-security/
*https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
1/18/18
11

Most Infamous
WordPress Hack
Ø  What is Mossack Fonseca?
Ø  Ever hear of the Panama Papers?
u  Data released in April 2016.
u  Partly a WP hack through the Revolution Slider plugin that was not kept up to
date. Also involved an email hack.
u  2.6 TB of data containing nearly 40 years of records.
u  Widespread illicit ﬁnancial activities and tax evasion through shell companies.
u  > $135B lost by almost 400 companies.
u  140 politicians from more than 50 countries.
u  Still running WP, but have put up a web application ﬁrewall (WAF).
https://panamapapers.icij.org/20161201-global-impact.html
https://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
1/19/18
12

Who Got Burned?
1/18/18
13

h?ps://panamapapers.icij.org/the_power_players/

Recent Examples
Ø  Captcha Plugin Backdoor
u  Commercial plugin with >300K active installs.
u  Sold in September 2017.
u  New owner installed a backdoor that allowed them to install cloaked
backlinks on aﬀected websites.
https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
Ø  Cryptomining Campaign Brute Force Attacks
u  Targeted WordPress websites with Command & Control malware.
u  Used stolen resources to both launch attacks and mine Monero.
u  Malware detected by a Wordfence scan.
u  Check your server resources, and monitor blacklists.
u  Harden your site against Brute Force Attacks (BFAs).
https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
1/18/18
14

WordPress Core
Ø Open Source
Ø Very Secure
u  Audited regularly by hundreds of developers.
Ø You MUST Keep it UPDATED!
u  Especially all plugins.
1/18/18
15

Misconception
Ø  Misconception that
WordPress is not
Secure.
Ø  WordPress is the
most hacked, but
only because it is by
far the most used.
1/18/18
16

h?p://news.soGpedia.com/news/wordpress-‐conJnues-‐to-‐be-‐by-‐far-‐the-‐
most-‐hacked-‐cms-‐508558.shtml

h?ps://w3techs.com/technologies/overview/content_management/all

Sucuri Analyses
2016
Ø  Distribution of infected
websites similar to
distribution of all
websites.
Ø  Only 55-61% of
infections due to
outdated WordPress
core software.
1/18/18
17

h?ps://sucuri.net/website-‐security/hacked-‐reports/
2016-‐q3-‐hacked-‐website-‐report

Most Vulnerable
Plugins
1/18/18
18

h?ps://sucuri.net/website-‐security/hacked-‐reports/2016-‐q3-‐hacked-‐website-‐report

Third-Party
Themes and Plugins
Ø  Thousands of them available with every
imaginable functionality.
Ø  They are your greatest vulnerability.
Ø  Try to use those that are well used and well
reviewed.
Ø  Only purchase plugins/themes from reputable
authors.
Keep them UPDATED!
1/18/18
19

Second Law of
Website Security
The Principle of
Least Privileges
1/18/18
20

Role Control
Ø  Give your users only the access privileges they need.
u  If a user can destroy something, they will.
u  Plugins such as Adminimize hide what you don’t want users
to access.
u  Plugins like Capability Manager Enhanced can help you
modify the standard roles within WordPress.
1/18/18
21

Strong Passwords
& Unique Nicknames
Ø  Enforce Strong Passwords
u  Users will complain, but they’ll get over it.
u  Use “Pass Phrases” like “Mary had a little lamb.”
u  NEVER allow the “admin” user account. If you have it,
remove it. It’s the ﬁrst thing hackers attack using seed lists
of common passwords.
Ø  Force users to use Unique Nicknames
u  Hackers can harvest usernames from author pages.
1/18/18
22

Third Law of
Website Security
Use Reliable
Hosting
1/18/18
23

Shared Hosting
Ø  Many websites on a single server
u  Budget solution.
u  Can be well over a hundred domains.
u  Shared resources.
u  Shared risks.
•  If the server is compromised by just one of the websites, all will
be at risk.
Ø  Recommended
u  Siteground
u  Stay away from shared hosts owned by Endurance Intl. Group.
u  If you must, try BlueHost or DreamHost (recommended by WordPress.org).
u  https://researchasahobby.com/full-list-eig-hosting-companies-brands/
1/18/18
24

Managed WordPress
Hosting
Ø  These hosts specialize in WordPress.
u  VPS (Virtual Private Server)
u  Managed Cloud Hosting
u  Dedicated Servers
Ø  Recommended
u  WPEngine
u  Liquid Web
1/18/18
25

DIY Cloud Hosting
Ø  Cloud Hosts
u  Digital Ocean
u  AWS (Amazon Web Services)
u  Google Cloud
u  UpCloud, etc…
Ø  Server Management - Serverpilot.io
u  Specializes in managing cloud servers running PHP.
u  Manages server updates.
u  Ubuntu Linux
1/18/18
26

Fourth Law of
Website Security
Backup Your
Website
1/18/18
27

Backup…?
Ø  ALWAYS backup your ENTIRE site
u  Backup both your MySQL Database and your site files.
u  Don’t necessarily need to backup the WordPress core files.
Ø  Backup OFF-SITE
u  Some plugins save your backups to your website files. Don’t
do this.
u  Backup to Google Drive, AWS S3, Google Cloud, DropBox, etc.
u  I like duplicate backup sets.
Ø  AUTOMATE your backups
u  Choose a plugin that will schedule these for you.
u  Frequency depends on how often changes are made.
1/18/18
28

Backup Plugins
Ø  UpDraftPlus
u  1+ million active installations.
u  Saves zip ﬁles of plugins, themes, uploads, other, core
separately.
u  All major cloud services.
u  Automated.
u  Premium version allows backups to multiple services
and easy migration and cloning.
Ø  BackupBuddy (iThemes - Premium)
u  Many of the features of UpDraftPlus
u  I found migration and cloning diﬃcult.
Ø  Many others in the WP Repository
u  BackWPup, JetPack, Duplicator, VaultPress, etc.
1/18/18
29

Firewall Plugins
1/19/18
30

Firewalls for
WordPress
Ø  UpDraftPlus
u  1+ million active installations.
u  Saves zip ﬁles of plugins, themes, uploads, other, core
separately.
u  All major cloud services.
u  Automated.
u  Premium version allows backups to multiple services
and easy migration and cloning.
Ø  BackupBuddy (iThemes - Premium)
u  Many of the features of UpDraftPlus
u  I found migration and cloning diﬃcult.
Ø  Many others in the WP Repository
u  BackWPup, JetPack, Duplicator, VaultPress, etc.
1/18/18
31

NinjaFirewall
Ø  WP Edition
u  20,000+ active installations.
u  Adds rules to .htaccess
u  Requires write access to your
root directory -> .user.ini
; BEGIN NinjaFirewall
auto_prepend_ﬁle = /srv/users/~~~/public/wp-content/
nfwlog/ninjaﬁrewall.php
; END NinjaFirewall
1/19/18
32

NF Policies #1
1/19/18
33

NF Policies #2
1/19/18
34

iQ Block Country
1/19/18
35

iQ Block Country
Ø  Free Plugin
Ø  30,000+ million active installations.
Ø  Blocks access to backend or frontend based on GeoIPLite database from
MaxMind.
Ø  Free database, but you must update occasionally.
Ø  Subscription to database = automatic updates.
Ø  Block all except whitelist.
1/19/18
36

iQ Block Country
Backend Options
1/19/18
37

Most Blocked
Countries
1/19/18
38

Most Blocked URLs
1/19/18
39

Last Blocked URLs
1/19/18
40

WordPress Security
Plugins
1/19/18
41

WordPress Security
Plugins
1/19/18
42

iThemes Security
Ø  Not the only solution.
Ø  Part of iTheme’s Toolkit.
u  Worth it just for the WordPress
training they provide.
u  iThemes Sync – Helps you keep
things up to date.
Ø  Many settings available.
Ø  Prevents Brute Force Attacks.
Ø  Can interfere with PHP scripts
you want to run.
1/19/18
43

iThemes Security
Dashboard #1
1/19/18
44

iThemes Security
Dashboard #2
1/19/18
45

Testing Your
Security
1/19/18
46

WPScan
Ø  Ruby Code
u  Sponsored by Sucuri.
u  Run from the command line on
Linux or MacOS.
u  Enumerate plugins & users
among other things.
u  Can be used to brute force
attack a WordPress website.
Ø  https://wpscans.com
u  Online version of WPScan
u  Must agree that you have
permission to scan a website.
Ø  WPScan will tell you if your
website is secure.
1/19/18
47

Sucuri
https://sitecheck.sucuri.net/
Undoubtedly incorporates WPScan.
Built in to iThemes Security
1/19/18
48

WordFence
“Gravityscan”
https://www.gravityscan.com/
https://www.wordfence.com/free-website-security-scan/
1/19/18
49

Other Security Related
Issues
1/19/18
50

Email Security
Ø  DNS Records
Ø  SPF – Sender Policy Framework
u  Authorizes servers to send mail for your domain
u  TXT Record – v=spf1 include:_spf.google.com ~all
Ø  DKIM – DomainKeys Identiﬁed Mail
u  Key-based DNS record for validating a domain name that is associated
with a message through cryptographic authentication.
u  DKIM.org
1/18/18
51

DMARC Record
Ø  DMARC – Domain-based Message Authentication,
Reporting and Conformance
u  DNS TXT Record
u  Email-validation by specifying a policy about how to handle SPF and
DKIM failures.
u  Detects and prevents Email Spooﬁng
u  Combats phishing and email spam
u  Protects your email reputation and keeps you oﬀ email blacklists.
u  DMARCian.com
1/18/18
52

DMARC Example
1/18/18
53

11/1/17
–
1/18/18

Further
Discussion
kim@blueskydigitalstrategy.com
https://www.facebook.com/blueskydigitalstrategy/
https://www.facebook.com/groups/blueskydigitalstrategy/
@blueskydigstrat
https://www.linkedin.com/in/blueskydigital
1/19/18
54

Basic WordPress Security 2018 - WordCamp ABQ

Basic WordPress Security 2018 - WordCamp ABQ

Recommended

More Related Content

What's hot

What's hot(11)

Similar to Basic WordPress Security 2018 - WordCamp ABQ

Similar to Basic WordPress Security 2018 - WordCamp ABQ(20)

Recently uploaded

Recently uploaded(13)

Basic WordPress Security 2018 - WordCamp ABQ