Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Pubcon Vegas Session - WordPress Site Security Audits


Published on

Slides from my presentation on WordPress Security issues and how to help avert being hacked.

Published in: Technology

Pubcon Vegas Session - WordPress Site Security Audits

  1. 1. #pubcon @schachin Word Press Security Audits Kristine Schachinger @schachin
  2. 2. #pubcon @schachin Word Press is used by between 25-30% of sites.
  3. 3. #pubcon @schachin
  4. 4. #pubcon @schachin State of Security • As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing.
  5. 5. #pubcon @schachin Word Press is used by between 25-30% of sites (or 10 million if Gary Ilyes is correct – either or it is a lot! )
  6. 6. #pubcon @schachin “Over a third of the websites online are powered by four key platforms: WordPress, Joomla!, Drupal, and Magento. WordPress is leading the CMS market with over 60% market share. This explosion and dominance by WordPress is facilitated by global-user adoption, a highly extensible platform and focus on end users. Other platform technologies have experienced growth in more niche markets, like Magento in the online commerce domain with large and enterprise organizations, and Drupal in large, enterprise, and federal organizations.” WordPress is King!
  7. 7. #pubcon @schachin
  8. 8. #pubcon @schachin
  9. 9. #pubcon @schachin
  10. 10. #pubcon @schachin
  11. 11. #pubcon @schachin
  12. 12. #pubcon @schachin Approximately 31% of all infection cases are misused for SEO Spam campaigns (either through PHP, Database injections or.htaccess redirections) where the site was infected with spam content or redirected visitors to spam-specific pages. The content used is often in the form of Pharmaceutical ad placements (i.e., erectile dysfunction, Viagra, Cialis, etc...) and includes others injections for industries like Fashion and Entertainment (i.e., Casino, Porn). #1 REASON for Getting Hacked on WordPress – SEO SPAM!
  13. 13. #pubcon @schachin
  14. 14. #pubcon @schachin Low Hanging Fruit
  15. 15. #pubcon @schachin Most Hackers Are Not Human
  16. 16. #pubcon @schachin WordPress Has A Lot Of Low Hanging Fruit
  17. 17. #pubcon @schachin • SEO - multiple uses here including DDOS • SPAM – site used to send SPAM emails • MALWARE – hides the origin of the malware • THEFT – Passwords, credit card information, banking information, etc. • ATTACKING OTHER SITES – Sometimes a hacker’s objective is to make a website unavailable to users. Why Would Anyone Want to Hack Your Word Press Website?
  18. 18. #pubcon @schachin Press-Blog-Infographic.jpg
  19. 19. #pubcon @schachin Press-Blog-Infographic.jpg • 41% by hosting platform vulnerabilities • 29% by means of an insecure theme • 22% via a vulnerable plugin • 8% because of weak passwords How Do WordPress Sites Get Hacked?
  20. 20. #pubcon @schachin Low Hanging Fruit – Gets Picked
  21. 21. #pubcon @schachin Don’t Be Low Hanging Fruit
  22. 22. #pubcon @schachin Fortifying Your Site
  23. 23. #pubcon @schachin Analysis = Audit Need to review •Access •Security (Walls) •Hosting •Logins •Plugins
  24. 24. #pubcon @schachin • Secure WPConfig. Makes accessing specific parts or your Word Press installation more difficult. Secure your wp- config.php file by moving it one directory above your Word Press installation. • File Editor. Disable the File Editor in the Word Press Admin panel which means a hacker will require FTP access to access core and theme files. • Limit Roles. Limiting access also includes the use of appropriate user roles. Don’t assign an administrator role unless a person actually requires admin functionality. Access – Has it been limited?
  25. 25. #pubcon @schachin State of Security “… out of the 11,000 + infected websites analyzed, 75% of them were on the WordPress platform and over 50% of those websites were out of date. Compare that to other similar platforms that placed less emphasis on backwards compatability, like Joomla! and Drupal, the percentage of out-of-date software was above 80%.” ~ Sucuri
  26. 26. #pubcon @schachin Update. Update. Update. Typical biggest hole in a WordPress site. Update not only only WordPress, but … - Inactive themes and plugins (better to delete) - Plugins - Check that all plugins have updates - If a plugin has not been updated in some time take it off the site. Good example is W3Cache Security
  27. 27. #pubcon @schachin Two Most Popular Security Tools • WordFence. – one of the most popular security plug-ins. • Sucuri – step above just a security plug-in with their paid service you get 24/7 server side monitoring including databases and file changes • Here are list of other Malware tools for Word Press. Security Plug-Ins
  28. 28. #pubcon @schachin BE VERY CAREFUL TO NEVER use the ONLY WHITE LIST IPs setting in any security plug-in. You can block unknown IPs for search engine crawlers Security Plug-Ins
  29. 29. #pubcon @schachin Hosting
  30. 30. #pubcon @schachin Hosting is one of the most important ways to prevent hacking attempts. What should I look for in a good host? • Database Support. Besides supporting the latest versions of PHP and MySQL. • Security & Malware Scanning. They should perform regular scans for malware • Backups. Company should give perform daily backups. • Site Support. Helpful to have support to chat with if your site does get hacked • WordPress Hosting Specific. WordPress has a unique set of issues not only with security, but with how it loads. WordPress providers have specialized in addressing these issues. Review of hosting providers. Hosting
  31. 31. #pubcon @schachin Hosting + SSL
  32. 32. #pubcon @schachin • SSL (HTTPS) is an added layer of security on your site and provides a slight ranking boost in Google. • Don’t get FREE Certificates. Go to a reputable hosting company and purchase one. • SEO Caveat. There are many SEO issues related to moving from http to https, so make sure you have checked off those. – Aleyda Solis has created an excellent checklist. Hosting + SSL
  33. 33. #pubcon @schachin Logins
  34. 34. #pubcon @schachin Securing your Logins. • Frequently change your passwords • Avoid using the admin username • Create a strong password • Force users to use strong passwords with Force Strong Passwords • Store passwords in a secure place like LastPass You can take it one step further and … • Limit login attempts. Plugins like Wordfence, Sucuri, Login LockDown and Login Security Solution enable you to constrain the number of login attempts from a single IP address within a certain amount of time. Perfect for keeping brute force attacks at bay. • Employ two-step authentication. Adds a second layer of security that can only be passed by means of your cell phone, social network account or else. Options include Duo Two-Factor Authentication, OpenID, and Clef. • Hide your login page. Moving wp-admin and wp-login to non-standard addresses makes it harder for hackers to attack them. You can do so via Rename wp-login.php, HideLogin+ or Lockdown WP Admin. Logins
  35. 35. #pubcon @schachin Plugins
  36. 36. #pubcon @schachin Plugins These were the top three out of date, vulnerable, plugins at the point in which a website engaged Sucuri for incident response services
  37. 37. #pubcon @schachin Hosting is one of the most important ways to prevent hacking attempts. There is … • Get it from a known source like Yoast, Scuri, Wordfence – Hackers, SEO, Affiliate Marketers, others create legitimate plugins to get backdoor access to your site • Check last update by developer – If it has not been updated recently, it is likely vulnerable. • Check reviews sometimes good plugins go bad • Check number of installations Plugins
  38. 38. #pubcon @schachin Advanced
  39. 39. #pubcon @schachin Add SALTs To wp-config.php • Word Press security keys were introduced in Word Press 2.6. • SALTs encrypt user cookies and make it more difficult to access this data The keys go into your wp-config.php file here Advanced
  40. 40. #pubcon @schachin Add SALTs To wp-config.php cont. Replace them with code from the Word Press SALT generator and you get something like this .. Advanced
  41. 41. #pubcon @schachin Hide Your WP Version Number • Word Press adds a meta tag to your site’s head section that shows off which version of the CMS you are running. Knowing what version you are using helps hackers know what vulnerabilities are in your site. Below is a useful piece of code that stops Word Press from doing so: – remove_action('wp_head', 'wp_generator'); Just add it to your functions.php file and you are done with it. Advanced
  42. 42. #pubcon @schachin Word Press Security Audits Kristine Schachinger @schachin