Basic WordPress Security 2018 - WordCamp ABQ

Presentation on basic WordPress Security Issues at WordCamp Albuquerque (ABQ)

Published in: Internet

  1. WordPress Security. Kim Kuhlman, PhD, Blue Sky Digital Strategy, LLC. kim@blueskydigitalstrategy.com, BlueSkyDigitalStrategy.com
  2. What?
     • Why do YOU need Website Security?
     • HTTPS & SSL
     • 4 Laws of Website Security
     • Firewalls
     • iQ Block Country
     • Security Plugins
     • Testing your Website Security
     • Other “Reputation Management” Considerations
     1/19/18   BlueSkyDigitalStrategy.com   2
  3. The Fount of All Knowledge. You have access to the greatest trove of information in the history of the planet. And the amount of information is accelerating every single day.
  4. All you have to do is ASK.
  5. GOOGLE (or Bing if you must). If you encounter an error message, the chances are very good that someone has been kind enough to post somewhere about the solution.
     Caveat: Be aware of code snippets. Don’t just copy code without looking at it and understanding what it does. You may inadvertently install a backdoor.
  6. WordPress Security
     • Why do you need it?
       - Protecting your Digital Assets
       - Examples of WordPress Hacks
     • What can you do?
       - WordPress Core
       - Backups
       - Firewalls
       - Security Plugins
  7. HTTPS & SSL
     • Secure Hypertext Transfer Protocol
       - Encrypted transfer of data between the client (browser) and the server (your WordPress site).
       - Required for using any payment gateway such as Stripe.
     • Secured Socket Layer (SSL) Certificate
       - Use a reputable certificate reseller.
       - Proper .htaccess redirects (don’t allow both http and https from your site).
       - This alone does NOT make your WordPress site secure.
     https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress
  8. HTTPS Plugins
  9. First Law of Website Security: NOTHING is unhackable
  10. Protect Your Digital Asset
     • Investment of Time/Money
     • Traffic (e.g. ad revenue)
     • Online Store (real revenue)
     • Your Reputation (intangible)
  11. Why?
     • Every week Google blacklists websites‡:
       - 20,000 for malware
       - 50,000 for phishing
     • Sucuri estimates that only about 15% of infected websites get blacklisted. That means 85% of infected sites are freely distributing malware*.
     • Being flagged can be devastating
       - Affects visitors accessing the website
       - How it ranks
       - Deliverability of Email
     ‡ http://www.wpbeginner.com/wordpress-security/
     * https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  12. Most Infamous WordPress Hack
     • What is Mossack Fonseca?
     • Ever hear of the Panama Papers?
       - Data released in April 2016.
       - Partly a WP hack through the Revolution Slider plugin that was not kept up to date. Also involved an email hack.
       - 2.6 TB of data containing nearly 40 years of records.
       - Widespread illicit financial activities and tax evasion through shell companies.
       - > $135B lost by almost 400 companies.
       - 140 politicians from more than 50 countries.
       - Still running WP, but have put up a web application firewall (WAF).
     https://panamapapers.icij.org/20161201-global-impact.html
     https://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/
     https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
  13. Who Got Burned?
     https://panamapapers.icij.org/the_power_players/
  14. Recent Examples
     • Captcha Plugin Backdoor
       - Commercial plugin with >300K active installs.
       - Sold in September 2017.
       - New owner installed a backdoor that allowed them to install cloaked backlinks on affected websites.
       https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
     • Cryptomining Campaign Brute Force Attacks
       - Targeted WordPress websites with Command & Control malware.
       - Used stolen resources to both launch attacks and mine Monero.
       - Malware detected by a Wordfence scan.
       - Check your server resources, and monitor blacklists.
       - Harden your site against Brute Force Attacks (BFAs).
       https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
  15. WordPress Core
     • Open Source
     • Very Secure
       - Audited regularly by hundreds of developers.
     • You MUST Keep it UPDATED!
       - Especially all plugins.
  16. Misconception
     • Misconception that WordPress is not Secure.
     • WordPress is the most hacked, but only because it is by far the most used.
     http://news.softpedia.com/news/wordpress-continues-to-be-by-far-the-most-hacked-cms-508558.shtml
     https://w3techs.com/technologies/overview/content_management/all
  17. Sucuri Analyses 2016
     • Distribution of infected websites similar to distribution of all websites.
     • Only 55-61% of infections due to outdated WordPress core software.
     https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  18. Most Vulnerable Plugins
     https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  19. Third-Party Themes and Plugins
     • Thousands of them available with every imaginable functionality.
     • They are your greatest vulnerability.
     • Try to use those that are well used and well reviewed.
     • Only purchase plugins/themes from reputable authors. Keep them UPDATED!
  20. Second Law of Website Security: The Principle of Least Privileges
  21. Role Control
     • Give your users only the access privileges they need.
       - If a user can destroy something, they will.
       - Plugins such as Adminimize hide what you don’t want users to access.
       - Plugins like Capability Manager Enhanced can help you modify the standard roles within WordPress.
  22. Strong Passwords & Unique Nicknames
     • Enforce Strong Passwords
       - Users will complain, but they’ll get over it.
       - Use “Pass Phrases” like “Mary had a little lamb.”
       - NEVER allow the “admin” user account. If you have it, remove it. It’s the first thing hackers attack using seed lists of common passwords.
     • Force users to use Unique Nicknames
       - Hackers can harvest usernames from author pages.
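Both behaviours the slides above warn about, repeated login attempts against wp-login.php (slide 14) and username harvesting through author pages (slide 22), leave a recognisable trail in the web server access log. The following detector is an added example, not part of the deck; the log lines are constructed and the thresholds are assumptions to tune per site.

```python
"""Spot wp-login brute force and author-page username harvesting in a
combined-format web server access log. Added example, not from the deck;
the log lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 5 failed logins in 4 s, 3 author probes, 1 normal login.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jan/2018:10:00:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [18/Jan/2018:10:00:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [18/Jan/2018:10:00:03 -0700] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [18/Jan/2018:10:00:04 -0700] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [18/Jan/2018:10:00:05 -0700] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.4 - - [18/Jan/2018:10:01:00 -0700] "GET /?author=1 HTTP/1.1" 301 0',
    '198.51.100.4 - - [18/Jan/2018:10:01:01 -0700] "GET /?author=2 HTTP/1.1" 301 0',
    '198.51.100.4 - - [18/Jan/2018:10:01:02 -0700] "GET /?author=3 HTTP/1.1" 301 0',
    '192.0.2.9 - - [18/Jan/2018:10:05:00 -0700] "POST /wp-login.php HTTP/1.1" 302 0',
]

def detect(lines, login_threshold=5, window=timedelta(minutes=1), enum_threshold=3):
    """Return {ip: [reasons]} for sources that look like a BFA or user enumeration."""
    # WordPress answers a failed wp-login.php POST with 200 (form re-rendered)
    # and a successful one with a 302 redirect, so only 200s count as failures.
    failed, probes = defaultdict(list), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed[ip].append(when)
        elif method == "GET" and re.search(r"[?&]author=\d+", path):
            probes[ip] += 1
    alerts = defaultdict(list)
    for ip, times in failed.items():
        times.sort()  # sliding window: enough failures within `window` of any start
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= login_threshold:
                alerts[ip].append("login brute force")
                break
    for ip, n in probes.items():
        if n >= enum_threshold:
            alerts[ip].append("author-page username enumeration")
    return dict(alerts)
```

Feed it the lines of an Apache or Nginx access log to get the offending source addresses, which is the evidence to act on (rate limiting, a firewall rule) before resorting to the plugins the deck lists.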
  23. Third Law of Website Security: Use Reliable Hosting
  24. Shared Hosting
     • Many websites on a single server
       - Budget solution.
       - Can be well over a hundred domains.
       - Shared resources.
       - Shared risks.
         · If the server is compromised by just one of the websites, all will be at risk.
     • Recommended
       - Siteground
       - Stay away from shared hosts owned by Endurance Intl. Group.
       - If you must, try BlueHost or DreamHost (recommended by WordPress.org).
       - https://researchasahobby.com/full-list-eig-hosting-companies-brands/
  25. Managed WordPress Hosting
     • These hosts specialize in WordPress.
       - VPS (Virtual Private Server)
       - Managed Cloud Hosting
       - Dedicated Servers
     • Recommended
       - WPEngine
       - Liquid Web
  26. DIY Cloud Hosting
     • Cloud Hosts
       - Digital Ocean
       - AWS (Amazon Web Services)
       - Google Cloud
       - UpCloud, etc.
     • Server Management: Serverpilot.io
       - Specializes in managing cloud servers running PHP.
       - Manages server updates.
       - Ubuntu Linux
  27. Fourth Law of Website Security: Backup Your Website
  28. Backup…?
     • ALWAYS backup your ENTIRE site
       - Backup both your MySQL Database and your site files.
       - Don’t necessarily need to backup the WordPress core files.
     • Backup OFF-SITE
       - Some plugins save your backups to your website files. Don’t do this.
       - Backup to Google Drive, AWS S3, Google Cloud, DropBox, etc.
       - I like duplicate backup sets.
     • AUTOMATE your backups
       - Choose a plugin that will schedule these for you.
       - Frequency depends on how often changes are made.
  29. Backup Plugins
     • UpDraftPlus
       - 1+ million active installations.
       - Saves zip files of plugins, themes, uploads, other, core separately.
       - All major cloud services.
       - Automated.
       - Premium version allows backups to multiple services and easy migration and cloning.
     • BackupBuddy (iThemes - Premium)
       - Many of the features of UpDraftPlus
       - I found migration and cloning difficult.
     • Many others in the WP Repository
       - BackWPup, JetPack, Duplicator, VaultPress, etc.
  30. Firewall Plugins
  31. Firewalls for WordPress
  32. NinjaFirewall
     • WP Edition
       - 20,000+ active installations.
       - Adds rules to .htaccess
       - Requires write access to your root directory -> .user.ini:

           ; BEGIN NinjaFirewall
           auto_prepend_file = /srv/users/~~~/public/wp-content/nfwlog/ninjafirewall.php
           ; END NinjaFirewall

  33. NF Policies #1
  34. NF Policies #2
  35. iQ Block Country
  36. iQ Block Country
     • Free Plugin
     • 30,000+ active installations.
     • Blocks access to backend or frontend based on the GeoIPLite database from MaxMind.
     • Free database, but you must update it occasionally.
     • Subscription to the database = automatic updates.
     • Block all except whitelist.
  37. iQ Block Country Backend Options
  38. Most Blocked Countries
  39. Most Blocked URLs
  40. Last Blocked URLs
  41. WordPress Security Plugins
  42. WordPress Security Plugins
  43. iThemes Security
     • Not the only solution.
     • Part of iThemes’ Toolkit.
       - Worth it just for the WordPress training they provide.
       - iThemes Sync: helps you keep things up to date.
     • Many settings available.
     • Prevents Brute Force Attacks.
     • Can interfere with PHP scripts you want to run.
  44. iThemes Security Dashboard #1
  45. iThemes Security Dashboard #2
  46. Testing Your Security
  47. WPScan
     • Ruby Code
       - Sponsored by Sucuri.
       - Run from the command line on Linux or MacOS.
       - Enumerates plugins & users among other things.
       - Can be used to brute force attack a WordPress website.
     • https://wpscans.com
       - Online version of WPScan
       - Must agree that you have permission to scan a website.
     • WPScan will tell you if your website is secure.
  48. Sucuri
     • https://sitecheck.sucuri.net/
     • Undoubtedly incorporates WPScan.
     • Built in to iThemes Security
  49. WordFence “Gravityscan”
     • https://www.gravityscan.com/
     • https://www.wordfence.com/free-website-security-scan/
  50. Other Security Related Issues
  51. Email Security
     • DNS Records
     • SPF – Sender Policy Framework
       - Authorizes servers to send mail for your domain
       - TXT Record – v=spf1 include:_spf.google.com ~all
     • DKIM – DomainKeys Identified Mail
       - Key-based DNS record for validating a domain name that is associated with a message through cryptographic authentication.
       - DKIM.org
  52. DMARC Record
     • DMARC – Domain-based Message Authentication, Reporting and Conformance
       - DNS TXT Record
       - Email validation by specifying a policy about how to handle SPF and DKIM failures.
       - Detects and prevents Email Spoofing
       - Combats phishing and email spam
       - Protects your email reputation and keeps you off email blacklists.
       - DMARCian.com
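A check of the SPF and DMARC record syntax described on slides 51 and 52, as an added example that is not part of the deck: it parses both records and flags the settings that leave spoofing unaddressed (a permissive SPF terminator, a monitoring-only DMARC policy, no reporting address). The sample records are constructed values, not live DNS lookups.

```python
"""Parse SPF and DMARC TXT records and flag settings that leave spoofing
unaddressed. Added example (not from the deck); the records below are
constructed sample values, not live DNS lookups."""
import re

# Constructed samples, in the syntax the slides show for each record type.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_spf(record):
    """Return (mechanisms, all_qualifier); the qualifier decides unlisted senders."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, qualifier = [], None
    for tok in tokens[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", tok, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # a bare 'all' is +all (pass)
        else:
            mechanisms.append(tok)
    return mechanisms, qualifier

def parse_dmarc(record):
    """Split 'tag=value; tag=value' DMARC syntax into a dict of lower-case tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def findings(spf, dmarc):
    """List the weaknesses in the two records; an empty list means none found."""
    out = []
    _, qualifier = parse_spf(spf)
    if qualifier is None or qualifier == "+":
        out.append("SPF: missing or +all terminator lets any sender pass SPF")
    elif qualifier == "?":
        out.append("SPF: ?all is neutral and gives receivers nothing to act on")
    tags = parse_dmarc(dmarc)
    if tags.get("p", "none").lower() == "none":
        out.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        out.append("DMARC: no rua= address, so no aggregate reports come back")
    return out
```

With the constructed records, the SPF ~all softfail passes but the DMARC p=none policy is reported, which is the usual state of a domain that has started monitoring but not yet moved to quarantine or reject.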
  53. DMARC Example (report covering 11/1/17 – 1/18/18)
  54. Further Discussion
     kim@blueskydigitalstrategy.com
     https://www.facebook.com/blueskydigitalstrategy/
     https://www.facebook.com/groups/blueskydigitalstrategy/
     @blueskydigstrat
     https://www.linkedin.com/in/blueskydigital
