Basic WordPress Security 2018 - WordCamp ABQ

  1. WordPress Security
     Kim Kuhlman, PhD, kim@blueskydigitalstrategy.com
     Blue Sky Digital Strategy, LLC (BlueSkyDigitalStrategy.com)
  2. What?
     - Why do YOU need Website Security?
     - HTTPS & SSL
     - 4 Laws of Website Security
     - Firewalls
     - iQ Block Country
     - Security Plugins
     - Testing your Website Security
     - Other “Reputation Management” Considerations
     1/19/18   BlueSkyDigitalStrategy.com
  3. The Fount of All Knowledge
     You have access to the greatest trove of information in the history of the planet. And, the amount of information is accelerating every single day.
  4. All you have to do is ASK.
  5. GOOGLE (or Bing if you must)
     If you encounter an error message, the chances are very good that someone has been kind enough to post somewhere about the solution.
     Caveat: Be aware of code snippets. Don’t just copy code without looking at it and understanding what it does. You may inadvertently install a backdoor.
  6. WordPress Security
     - Why do you need it?
       - Protecting your Digital Assets
       - Examples of WordPress Hacks
     - What can you do?
       - WordPress Core
       - Backups
       - Firewalls
       - Security Plugins
  7. HTTPS & SSL
     - Secure Hypertext Transfer Protocol (HTTPS)
       - Encrypted transfer of data between the client (browser) and the server (your WordPress site).
       - Required for using any payment gateway such as Stripe.
     - Secure Sockets Layer (SSL) Certificate
       - Use a reputable certificate reseller.
       - Proper .htaccess redirects (don’t allow both http and https from your site).
       - This alone does NOT make your WordPress site secure.
     https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress
  8. HTTPS Plugins
  9. First Law of Website Security: NOTHING is unhackable
  10. Protect Your Digital Asset
     - Investment of Time/Money
     - Traffic (e.g. ad revenue)
     - Online Store (real revenue)
     - Your Reputation (intangible)
  11. Why?
     - Every week Google blacklists websites‡:
       - 20,000 for malware
       - 50,000 for phishing
     - Sucuri estimates that only about 15% of infected websites get blacklisted. That means 85% of infected sites are freely distributing malware*.
     - Being flagged can be devastating
       - Affect visitors accessing website
       - How it ranks
       - Deliverability of Email
     ‡ http://www.wpbeginner.com/wordpress-security/
     * https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  12. Most Infamous WordPress Hack
     - What is Mossack Fonseca?
     - Ever hear of the Panama Papers?
       - Data released in April 2016.
       - Partly a WP hack through the Revolution Slider plugin that was not kept up to date. Also involved an email hack.
       - 2.6 TB of data containing nearly 40 years of records.
       - Widespread illicit financial activities and tax evasion through shell companies.
       - > $135B lost by almost 400 companies.
       - 140 politicians from more than 50 countries.
       - Still running WP, but have put up a web application firewall (WAF).
     https://panamapapers.icij.org/20161201-global-impact.html
     https://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/
     https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
  13. Who Got Burned?
     https://panamapapers.icij.org/the_power_players/
  14. Recent Examples
     - Captcha Plugin Backdoor
       - Commercial plugin with >300K active installs.
       - Sold in September 2017.
       - New owner installed a backdoor that allowed them to install cloaked backlinks on affected websites.
       https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
     - Cryptomining Campaign Brute Force Attacks
       - Targeted WordPress websites with Command & Control malware.
       - Used stolen resources to both launch attacks and mine Monero.
       - Malware detected by a Wordfence scan.
       - Check your server resources, and monitor blacklists.
       - Harden your site against Brute Force Attacks (BFAs).
       https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
  15. WordPress Core
     - Open Source
     - Very Secure
       - Audited regularly by hundreds of developers.
     - You MUST Keep it UPDATED!
       - Especially all plugins.
  16. Misconception
     - Misconception that WordPress is not Secure.
     - WordPress is the most hacked, but only because it is by far the most used.
     http://news.softpedia.com/news/wordpress-continues-to-be-by-far-the-most-hacked-cms-508558.shtml
     https://w3techs.com/technologies/overview/content_management/all
  17. Sucuri Analyses 2016
     - Distribution of infected websites similar to distribution of all websites.
     - Only 55-61% of infections due to outdated WordPress core software.
     https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  18. Most Vulnerable Plugins
     https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  19. Third-Party Themes and Plugins
     - Thousands of them available with every imaginable functionality.
     - They are your greatest vulnerability.
     - Try to use those that are well used and well reviewed.
     - Only purchase plugins/themes from reputable authors. Keep them UPDATED!
  20. Second Law of Website Security: The Principle of Least Privileges
  21. Role Control
     - Give your users only the access privileges they need.
       - If a user can destroy something, they will.
       - Plugins such as Adminimize hide what you don’t want users to access.
       - Plugins like Capability Manager Enhanced can help you modify the standard roles within WordPress.
  22. Strong Passwords & Unique Nicknames
     - Enforce Strong Passwords
       - Users will complain, but they’ll get over it.
       - Use “Pass Phrases” like “Mary had a little lamb.”
       - NEVER allow the “admin” user account. If you have it, remove it. It’s the first thing hackers attack using seed lists of common passwords.
     - Force users to use Unique Nicknames
       - Hackers can harvest usernames from author pages.
  23. Third Law of Website Security: Use Reliable Hosting
  24. Shared Hosting
     - Many websites on a single server
       - Budget solution.
       - Can be well over a hundred domains.
       - Shared resources.
       - Shared risks.
         - If the server is compromised by just one of the websites, all will be at risk.
     - Recommended
       - Siteground
       - Stay away from shared hosts owned by Endurance Intl. Group.
       - If you must, try BlueHost or DreamHost (recommended by WordPress.org).
       - https://researchasahobby.com/full-list-eig-hosting-companies-brands/
  25. Managed WordPress Hosting
     - These hosts specialize in WordPress.
       - VPS (Virtual Private Server)
       - Managed Cloud Hosting
       - Dedicated Servers
     - Recommended
       - WPEngine
       - Liquid Web
  26. DIY Cloud Hosting
     - Cloud Hosts
       - Digital Ocean
       - AWS (Amazon Web Services)
       - Google Cloud
       - UpCloud, etc…
     - Server Management - Serverpilot.io
       - Specializes in managing cloud servers running PHP.
       - Manages server updates.
       - Ubuntu Linux
  27. Fourth Law of Website Security: Backup Your Website
  28. Backup…?
     - ALWAYS back up your ENTIRE site
       - Back up both your MySQL Database and your site files.
       - You don’t necessarily need to back up the WordPress core files.
     - Back up OFF-SITE
       - Some plugins save your backups to your website files. Don’t do this.
       - Back up to Google Drive, AWS S3, Google Cloud, DropBox, etc.
       - I like duplicate backup sets.
     - AUTOMATE your backups
       - Choose a plugin that will schedule these for you.
       - Frequency depends on how often changes are made.
  29. Backup Plugins
     - UpDraftPlus
       - 1+ million active installations.
       - Saves zip files of plugins, themes, uploads, other, core separately.
       - All major cloud services.
       - Automated.
       - Premium version allows backups to multiple services and easy migration and cloning.
     - BackupBuddy (iThemes - Premium)
       - Many of the features of UpDraftPlus
       - I found migration and cloning difficult.
     - Many others in the WP Repository
       - BackWPup, JetPack, Duplicator, VaultPress, etc.
  30. Firewall Plugins
  31. Firewalls for WordPress
  32. NinjaFirewall
     - WP Edition
       - 20,000+ active installations.
       - Adds rules to .htaccess
       - Requires write access to your root directory -> .user.ini:
         ; BEGIN NinjaFirewall
         auto_prepend_file = /srv/users/~~~/public/wp-content/nfwlog/ninjafirewall.php
         ; END NinjaFirewall
  33. NF Policies #1
  34. NF Policies #2
  35. iQ Block Country
  36. iQ Block Country
     - Free Plugin
     - 30,000+ active installations.
     - Blocks access to backend or frontend based on GeoIPLite database from MaxMind.
     - Free database, but you must update occasionally.
     - Subscription to database = automatic updates.
     - Block all except whitelist.
  37. iQ Block Country Backend Options
  38. Most Blocked Countries
  39. Most Blocked URLs
  40. Last Blocked URLs
  41. WordPress Security Plugins
  42. WordPress Security Plugins
  43. iThemes Security
     - Not the only solution.
     - Part of the iThemes Toolkit.
       - Worth it just for the WordPress training they provide.
       - iThemes Sync – Helps you keep things up to date.
     - Many settings available.
     - Prevents Brute Force Attacks.
     - Can interfere with PHP scripts you want to run.
  44. iThemes Security Dashboard #1
  45. iThemes Security Dashboard #2
  46. Testing Your Security
  47. WPScan
     - Ruby Code
       - Sponsored by Sucuri.
       - Run from the command line on Linux or MacOS.
       - Enumerate plugins & users among other things.
       - Can be used to brute-force attack a WordPress website.
     - https://wpscans.com
       - Online version of WPScan
       - Must agree that you have permission to scan a website.
     - WPScan will tell you if your website is secure.
  48. Sucuri
     https://sitecheck.sucuri.net/
     Undoubtedly incorporates WPScan. Built into iThemes Security.
  49. WordFence “Gravityscan”
     https://www.gravityscan.com/
     https://www.wordfence.com/free-website-security-scan/
  50. Other Security Related Issues
  51. Email Security
     - DNS Records
     - SPF – Sender Policy Framework
       - Authorizes servers to send mail for your domain
       - TXT Record – v=spf1 include:_spf.google.com ~all
     - DKIM – DomainKeys Identified Mail
       - Key-based DNS record for validating a domain name that is associated with a message through cryptographic authentication.
       - DKIM.org
  52. DMARC Record
     - DMARC – Domain-based Message Authentication, Reporting and Conformance
       - DNS TXT Record
       - Email validation by specifying a policy about how to handle SPF and DKIM failures.
       - Detects and prevents Email Spoofing
       - Combats phishing and email spam
       - Protects your email reputation and keeps you off email blacklists.
       - DMARCian.com
  53. DMARC Example (report period 11/1/17 – 1/18/18)
  54. Further Discussion
     kim@blueskydigitalstrategy.com
     https://www.facebook.com/blueskydigitalstrategy/
     https://www.facebook.com/groups/blueskydigitalstrategy/
     @blueskydigstrat
     https://www.linkedin.com/in/blueskydigital
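As an added example (not from the deck), a quick audit of a WordPress user export against the advice on slides 21 and 22: it flags the default admin account, display names that simply repeat the login (so author pages give the username away), and more administrators than the site needs. The sample export is constructed in the shape WP-CLI's `wp user list --format=json` prints, and MAX_ADMINS is an assumed policy value.

```python
import json
from typing import Dict, List

# Constructed sample export; field names follow WP-CLI's 'wp user list --format=json'.
USERS_JSON = """[
 {"ID": 1, "user_login": "admin",   "display_name": "admin",        "roles": "administrator"},
 {"ID": 2, "user_login": "kim",     "display_name": "Kim K.",       "roles": "administrator"},
 {"ID": 3, "user_login": "jdoe",    "display_name": "jdoe",         "roles": "editor"},
 {"ID": 4, "user_login": "writer1", "display_name": "Guest Writer", "roles": "subscriber"}
]"""

MAX_ADMINS = 2  # assumed policy: how many administrator accounts the site really needs


def audit_users(users_json: str, max_admins: int = MAX_ADMINS) -> List[str]:
    """Return one finding per violation; an empty list means the export is clean."""
    users: List[Dict] = json.loads(users_json)
    findings: List[str] = []
    for user in users:
        login = user["user_login"]
        # Slide 22: the default 'admin' account is the first login attackers try; remove it.
        if login.lower() == "admin":
            findings.append(f"{login}: remove the default 'admin' account")
        # Slide 22: a display name equal to the login reveals the username on author pages.
        if user["display_name"].strip().lower() == login.lower():
            findings.append(f"{login}: display name equals login; set a unique nickname")
    # Slide 21 (least privilege): 'roles' is a comma-separated list in the WP-CLI export.
    admins = [u["user_login"] for u in users if "administrator" in u["roles"].split(",")]
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} administrators ({', '.join(admins)}) exceed the {max_admins} needed")
    return findings


if __name__ == "__main__":
    for finding in audit_users(USERS_JSON):
        print(finding)
```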
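As an added example (not from the deck), the checks a domain owner would run over the SPF and DMARC TXT records from slides 51 and 52: each record is parsed and the weak settings are flagged, namely an SPF record that does not end in `-all` and a DMARC record whose `p=none` policy only monitors. The SPF value is the slide's own; the DMARC record and the example.com address are constructed.

```python
from typing import Dict, List

# Constructed sample records as a DNS TXT lookup would return them: the SPF value is
# the one on slide 51; the DMARC value and the example.com address are made up.
SPF_TXT = "v=spf1 include:_spf.google.com ~all"
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"

def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    qualifier = "?"  # no 'all' term: unlisted senders get a neutral result
    mechanisms = []
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": qualifier}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def grade_email_auth(spf_txt: str, dmarc_txt: str) -> List[str]:
    """Return the weaknesses a domain owner should fix; an empty list means OK."""
    findings: List[str] = []
    spf = parse_spf(spf_txt)
    if spf["all"] != "-":  # '+all' passes, '~all' softfails, '?all' is neutral
        findings.append(f"SPF: '{spf['all']}all' does not reject unlisted senders; use '-all'")
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if policy != "none" and dmarc.get("pct", "100") != "100":
        findings.append("DMARC: pct<100 applies the policy to only part of your mail")
    return findings
```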
