
WordPress Security Fundamentals - WordCamp Biratnagar 2018


This talk is about the common security threats WordPress websites face. The audience will learn the types of attacks WordPress websites receive, how to measure a site's security, and how to protect WordPress websites from these common threats. The session is suitable for any WordPress user, developer or enthusiast. It's a 25-minute session in English.

Published in: Technology

  1. WordPress Security Fundamentals
  2. About Me: ABUL KHAYER – CTO, Search English Limited; Proprietor, Biggestech; Deputy, WordPress Community Team; Organizer, Dhaka WordPress Meetup
  3. Types of Attacks that are a Threat to WordPress Sites
  4. Attack Types [1]: SQL Injection Attack (Image Source: acunetix.com)
  5. Attack Types [2]: Cross Site Scripting (XSS) (Image Source: acunetix.com)
  6. Attack Types [3]: Brute Force Attack (Image Source: security.stackexchange.com)
  7. Attack Types [4]: Session Hijacking Attack (Image Source: geeksforgeeks.org)
  8. Attack Types [5]: Cross Site Request Forgery (CSRF) Attack, and more… (Image Source: securityevaluators.com)
  9. Topics of Discussion
  10. Topics of Discussion!
      • General Measures of Security
      • Security Measures using Plugin while Developing a Website
      • Advanced Security Measures while Developing a Website with less dependency on Plugins
      • Advanced Security Measures while Developing Plugin/Theme
  11. General Measures of Security
  12. General Measures of Security [1]
      • Quality Web Hosting
        – Always up to date
        – Backup provision
        – Web Application Firewall (WAF) provision
        – Get a virus scanner, like ClamAV
      • SSL Certificate
        – Security through data encryption
      • Use a CDN
        – A layer in the Internet ecosystem
  13. General Measures of Security [2]
      • Keep your Website up to Date
        – Get the latest security updates
        – Stay safe from the latest threats
      • Use Safe Themes/Plugins
        – Avoid nulled or cracked derivatives
        – Avoid low-rated or untested things
        – Remove unused themes/plugins
  14. General Measures of Security [3]
      • Use a Captcha in Login Forms
        – Stay away from brute-force attacks
        – Stay safe from bot attempts
      • Use a Spam Protection Mechanism
        – Use Akismet, the best one
        – Use Antispam Bee
  15. General Measures of Security [4]
      • Use a Safer Password
        – Make it using letters, numbers and symbols
        – Make it long
        – Never save it in an open file or in the browser
      • Hide the Admin Name
        – Don't use the default username "admin"
        – Rename the nickname and profile name of the system admin
  16. General Measures of Security [5]
      • Change your Secret Keys in "wp-config.php"
        Generate: https://api.wordpress.org/secret-key/1.1/salt/
            define( 'AUTH_KEY',         't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );
            define( 'SECURE_AUTH_KEY',  'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
            define( 'LOGGED_IN_KEY',    'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' );
            define( 'NONCE_KEY',        'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
            define( 'AUTH_SALT',        '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
            define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
            define( 'LOGGED_IN_SALT',   'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );
            define( 'NONCE_SALT',       'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );
  17. Security Measures using Plugin while Developing a Website
  18. Security Measures using Plugin [1]
      • Creates a firewall
      • Real-time monitoring
      • Stronger login practice
      • Repairs files by overwriting
      • Scans suspicious contents
      • Blocks various types of threat attempts
      • Sends alerts on vulnerabilities over email
      • Scans core, plugins, themes, and other files
      • Finds injections, redirection code etc.
  19. Security Measures using Plugin [2] (All In One WP Security & Firewall)
      • Limits login attempts
      • Customize login page URL
      • Prevents brute force attacks
      • Restricts access by IP
      • Logs user attempts
      • Blocks a user on a prohibited username attempt
      • Adds reCaptcha
      • Disables right click
      • Removes version info from CSS/JS
      • Removes WP-generated meta from HTML
      • Backup of security settings
      • Scheduled database backup
  20. Security Measures using Plugin [3]
      • Track post/page/tag/comment activities
      • Track widget/menu changes
      • Track core and system settings changes
      • Track user/profile changes
      • Track forum and e-commerce shop changes
  21. Security Measures using Plugin [4]
      • Change theme style file name
      • Change plugins URL
      • Change individual plugin URLs
      • Custom upload URL
      • Remove WordPress version
  22. Security Measures using Plugin [5]
      • SQL injection attack prevention
      • XSS and CSRF attack prevention
      • Brute force attack prevention
      • Blocks direct access to PHP files
      • Disables directory listing
      • Minify CSS
  23. Security Measures using Plugin [6]
      • Backup database, settings, theme, plugins, images etc.
      • Download backup as Zip or Tar
      • Run scheduled backup daily / weekly / monthly
      • Store backup on a remote FTP server
      • Store backup on Dropbox/Google Drive
      • Send backup to an email address
  24. Security Measures using Plugin [7]
      • On-change file comparison to check for vulnerabilities
      • Can expire passwords to force a reset
      • Generates strong passwords with salt
      • Two-factor authentication
      • Malware scanner
      • Login captcha
  25. Advanced Security Measures while Developing a Website with less dependency on Plugins
  26. Advanced Security Measures without Plugin [1]
      Add an Extra Layer of Protection on the Login Page:
      .htaccess:
          <Files wp-login.php>
              # AuthUserFile needs an absolute path; Apache does not expand "~"
              AuthUserFile /absolute/path/to/.htpasswd
              AuthName "Private Access"
              AuthType Basic
              Require user MySecretUsername
          </Files>
      .htpasswd:
          MySecretUsername:$apr1$KW5IPd9r$/C4HkGhAX7WqaOrJ1k9my1
      Hash Pass Generator: http://www.htaccesstools.com/htpasswd-generator/
  27. Advanced Security Measures without Plugin [2]
      Restrict visiting the Admin Panel by IP (.htaccess, placed in the wp-admin directory):
          # Block Access to WP-Admin
          # Apache 2.2 syntax (no space after the comma); on Apache 2.4 use "Require ip <address>"
          # Replace 172.0.0.1 with your own static IP address.
          # Note: admin-ajax.php also lives in wp-admin, so front-end features that call it need an exception.
          Order Deny,Allow
          Allow from 172.0.0.1
          Deny from all
  28. Advanced Security Measures without Plugin [3]
      Disable Directory Listing (.htaccess):
          # "Options All -Indexes" mixes absolute and relative forms, which Apache rejects
          Options -Indexes
  29. Advanced Security Measures without Plugin [4]
      Show an Error Page while a User is trying Unknown URLs/Pages (.htaccess):
          # Way One
          ErrorDocument 404 "<H1>Page not found</H1>"
          # Way Two
          ErrorDocument 404 /not-found/
  30. Advanced Security Measures without Plugin [5]
      Restrict visiting the WordPress Configuration File (.htaccess):
          # PROTECT CONFIG FILE
          <Files wp-config.php>
              Order Deny,Allow
              Deny from all
          </Files>
  31. Advanced Security Measures without Plugin [5]
      Restrict Execution of PHP Code in the "Uploads" Directory (.htaccess, placed in wp-content/uploads):
          # Kill PHP EXECUTION
          <Files ~ ".ph(?:p[345]?|t|tml)$">
              Deny from all
          </Files>
  32. Advanced Security Measures without Plugin [6]
      Implement Security using the "mod_rewrite" Module:
      • Enable HTTP Strict Transport Security
      • Enable the (XSS) Filter
      • Hide Server Application Information
      • Restrict Visiting Open Directories
      • Block Access to Hidden Files
      • And many more…
      Source: http://htaccess.DB-Dzine.com/en-us
  33. Advanced Security Measures without Plugin [7]
      Disable File Editing in the WordPress Dashboard/Panel (wp-config.php):
          # Disable Editing in Dashboard
          define('DISALLOW_FILE_EDIT', true);
      Force Admin to use https:// (SSL Certificate enabled Path) (wp-config.php):
          # Force Admin to use SSL
          define('FORCE_SSL_ADMIN', true);
  34. Advanced Security Measures without Plugin [7]
      If the Host has the Provision, then allow FTPS (wp-config.php):
          # Enable FTPS
          define('FTP_SSL', true);
      If the Host has the Provision, then allow SFTP (wp-config.php; requires the PHP ssh2 extension on the host):
          # Enable SFTP
          define('FS_METHOD', 'ssh2');
  35. Advanced Security Measures without Plugin [8]
      Disable Creating an Error Log (wp-config.php):
          # Disable Debug Mode
          define('WP_DEBUG', false);
      Disable Showing the Error Log (wp-config.php):
          # Disable Front-end Error Logging
          define('WP_DEBUG_DISPLAY', false);
  36. Advanced Security Measures without Plugin [8]
      Enable Auto WordPress Version Update – get security updates and more… stay safe… (wp-config.php):
          # Enable Auto WordPress Update
          define('WP_AUTO_UPDATE_CORE', true);
  37. Advanced Security Measures while Developing Plugin/Theme
  38. Security while Developing Plugins/Themes [1] – Follow the Important Rules
      • Don't Trust any Data
      • Rely on the WordPress API
      • Keep your code Up to Date
  39. Security while Developing Plugins/Themes [2] – Validate your Data using PHP Functions
      Functions – Description
      isset(), empty() – Whether a value is present or not
      mb_strlen(), strlen() – Identify whether the string length is valid or not
      preg_match(), strpos() – Find certain characters inside a string
      in_array() – Find whether your element exists in the array or not
      strip_tags() – Removes HTML tags from your string
      filter_var() – Identify email, URL, variable type etc.
      md5(), sha1() – Hash your password
  40. Security while Developing Plugins/Themes [2] – Validate your Data using WordPress Functions
      Functions – Description
      is_user_logged_in() – Whether the current user is logged in or not
      username_exists(), email_exists() – Whether the username or email exists or not
      term_exists() – Whether a tag, category or term exists or not
      validate_file() – Whether a file path is valid or not
      is_admin_bar_showing() – Whether the admin bar is visible or not
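The two validation tables above list functions without showing them in use. The following is an added example (not from the slides) that validates a hypothetical "create account" form with those PHP and WordPress functions. It assumes it runs inside WordPress (a plugin file), so username_exists(), email_exists(), term_exists(), validate_file() and the password functions are available; the form fields, the limits and the "bt_" function names are hypothetical. One caveat on the first table: md5() and sha1() are fast, unsalted digests, not password hashes, so the last two functions use wp_set_password() / wp_check_password(), which apply WordPress's salted, iterated hash.

```php
<?php
/**
 * Added example, not from the slides: validating submitted data with the PHP
 * and WordPress functions listed above. Assumes it runs inside WordPress
 * (a plugin file). The form fields, the limits and the "bt_" names are
 * hypothetical.
 */

// Validate a hypothetical "create account" form. Returns a list of error
// messages; an empty list means every field passed.
function bt_validate_account_form( array $input ) {
    $errors = array();

    // is_user_logged_in(): only an authenticated user may reach this form.
    if ( ! is_user_logged_in() ) {
        return array( 'You must be logged in.' );
    }

    // isset()/empty(): the field must exist and be non-empty.
    if ( empty( $input['username'] ) ) {
        $errors[] = 'Username is required.';
    } else {
        $username = $input['username'];

        // mb_strlen(): length limits counted in characters, not bytes.
        if ( mb_strlen( $username ) < 4 || mb_strlen( $username ) > 60 ) {
            $errors[] = 'Username must be 4 to 60 characters long.';
        }
        // preg_match(): allow-list the permitted characters instead of
        // trying to block the dangerous ones.
        if ( ! preg_match( '/^[a-z0-9_.-]+$/i', $username ) ) {
            $errors[] = 'Username may only contain letters, digits, "_", "." and "-".';
        }
        // username_exists(): WordPress-level uniqueness check.
        if ( username_exists( $username ) ) {
            $errors[] = 'That username is already taken.';
        }
    }

    // filter_var(): structural e-mail check; email_exists(): uniqueness.
    if ( empty( $input['email'] ) || false === filter_var( $input['email'], FILTER_VALIDATE_EMAIL ) ) {
        $errors[] = 'A valid e-mail address is required.';
    } elseif ( email_exists( $input['email'] ) ) {
        $errors[] = 'That e-mail address is already registered.';
    }

    // in_array() with strict comparison: the role must come from a fixed set.
    $allowed_roles = array( 'subscriber', 'contributor' );
    if ( ! isset( $input['role'] ) || ! in_array( $input['role'], $allowed_roles, true ) ) {
        $errors[] = 'Invalid role.';
    }

    // term_exists(): an optional category must name a real term.
    if ( ! empty( $input['category'] ) && ! term_exists( $input['category'], 'category' ) ) {
        $errors[] = 'Unknown category.';
    }

    // validate_file(): returns 0 for a plain relative path and a non-zero
    // code for traversal ("../") or drive-letter paths. Reject everything but 0.
    if ( ! empty( $input['avatar'] ) && 0 !== validate_file( $input['avatar'] ) ) {
        $errors[] = 'Invalid avatar path.';
    }

    // strlen(): a minimum password length, counted in bytes.
    if ( empty( $input['password'] ) || strlen( $input['password'] ) < 12 ) {
        $errors[] = 'Password must be at least 12 characters.';
    }

    return $errors;
}

// Storing and checking a password. md5()/sha1() are fast, unsalted digests and
// not password hashes; WordPress's own functions apply a salted, iterated hash.
function bt_store_password( $user_id, $plaintext ) {
    // wp_set_password() runs wp_hash_password() and writes user_pass for the user.
    wp_set_password( $plaintext, (int) $user_id );
}

function bt_password_matches( $user_id, $plaintext ) {
    $user = get_userdata( (int) $user_id );
    return $user && wp_check_password( $plaintext, $user->user_pass, $user->ID );
}
```

The validator returns errors rather than dying so the caller can re-render the form; every check is an allow-list (fixed character class, fixed role set, existing term) rather than a list of bad values to strip out.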
  41. Security while Developing Plugins/Themes [3] – Secure your Input Data (Sanitize) using WordPress Functions
      Functions – Description
      sanitize_email() – Filters an email address
      sanitize_file_name() – Filters a file name
      sanitize_key() – Filters internal keys
      sanitize_user() – Filters a username
      sanitize_text_field() – Filters input fields
      sanitize_title() – Filters a title
      sanitize_sql_orderby() – Filters ORDER BY clauses of SQL queries
      Sample Code: sanitize_####( $email );
  42. Security while Developing Plugins/Themes [4] – Secure your Output Data (Escape) using WordPress Functions
      Functions – Description
      esc_html() – Prints safe HTML, removes tags
      esc_url() – Prints a safe URL, removes unsafe characters
      esc_js() – Helps executing PHP output inside JavaScript: escapes single quotes and HTML special characters and fixes line endings
      esc_sql() – Helps to filter strings within SQL queries
      esc_attr() – Helps to filter attributes inside HTML tags to stay XSS-safe
      Sample Code: <h2><?php echo esc_####( $url ); ?></h2>
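The "sanitize on input, escape on output" pairing on the two slides above, as an added example that is not from the slides. It assumes it runs inside WordPress; the profile fields, the constructed sample input and the "bt_" function names are hypothetical. Each stored field is sanitized with the function matching its type, and each rendered value is escaped for the exact context it lands in (text node, attribute, href, inline JavaScript string), because one escaper does not fit all contexts.

```php
<?php
/**
 * Added example, not from the slides: sanitize on input, escape on output.
 * Assumes it runs inside WordPress; the "bt_" names, the profile fields and
 * the sample input are hypothetical/constructed.
 */

// Sanitize a raw array of submitted profile fields, one function per field type.
function bt_sanitize_profile( array $raw ) {
    $clean = array();

    // Username: strict mode keeps only a-z, A-Z, 0-9, _, space, ., -, @.
    $clean['user']   = isset( $raw['user'] ) ? sanitize_user( $raw['user'], true ) : '';
    // E-mail: removes characters that cannot appear in an address.
    $clean['email']  = isset( $raw['email'] ) ? sanitize_email( $raw['email'] ) : '';
    // Free text: strips tags, octets and line breaks, collapses whitespace.
    $clean['bio']    = isset( $raw['bio'] ) ? sanitize_text_field( $raw['bio'] ) : '';
    // Title to slug ("My Page!" becomes "my-page").
    $clean['slug']   = isset( $raw['slug'] ) ? sanitize_title( $raw['slug'] ) : '';
    // Internal key such as an option or meta name: lowercase [a-z0-9_-] only.
    $clean['theme']  = isset( $raw['theme'] ) ? sanitize_key( $raw['theme'] ) : '';
    // File name for an upload: strips path separators and special characters.
    $clean['avatar'] = isset( $raw['avatar'] ) ? sanitize_file_name( $raw['avatar'] ) : '';
    // URL for storage: esc_url_raw() is the database-side counterpart of esc_url()
    // and returns '' for a disallowed scheme such as javascript:.
    $clean['site']   = isset( $raw['site'] ) ? esc_url_raw( $raw['site'] ) : '';

    return $clean;
}

// Render the stored profile. Every value is escaped for the context it lands in.
function bt_render_profile( array $p ) {
    ob_start();
    ?>
    <div class="profile" data-theme="<?php echo esc_attr( $p['theme'] ); ?>">
        <h2><?php echo esc_html( $p['user'] ); ?></h2>
        <p><?php echo esc_html( $p['bio'] ); ?></p>
        <a href="<?php echo esc_url( $p['site'] ); ?>">Website</a>
        <a href="mailto:<?php echo esc_attr( $p['email'] ); ?>">Mail</a>
        <img src="<?php echo esc_url( content_url( 'uploads/' . $p['avatar'] ) ); ?>"
             alt="<?php echo esc_attr( $p['user'] ); ?>">
        <!-- esc_js() is meant for strings inside inline JS such as an event attribute -->
        <button onclick="alert('<?php echo esc_js( $p['user'] ); ?>')">Say hi</button>
    </div>
    <?php
    return ob_get_clean();
}

// Constructed sample input of the kind a visitor might submit.
$raw = array(
    'user'   => 'eve<script>',
    'email'  => 'eve@example.com',
    'bio'    => "Hello <b>world</b>\n<script>alert(1)</script>",
    'slug'   => 'My Page!',
    'theme'  => 'Dark Mode',
    'avatar' => '../../wp-config.php',
    'site'   => 'javascript:alert(1)',
);
$clean = bt_sanitize_profile( $raw );
// After sanitizing: user 'evescript', slug 'my-page', theme 'darkmode',
// avatar 'wp-config.php' (the "../" segments are gone), site '' (javascript:
// is not an allowed protocol). The bio keeps its text but loses the tags.
echo bt_render_profile( $clean );
```

Sanitizing does not replace escaping: a value can be clean enough to store and still break out of an attribute or a script string, so the render function escapes every value again at output time regardless of where it came from.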
  43. Security while Developing Plugins/Themes [4] – Use "Nonces" to Prevent CSRF Attacks
      Helps to add a token while moving from one URL to another
  44. Security while Developing Plugins/Themes [5] – Avoid writing Traditional Queries: Unsafe
  45. Security while Developing Plugins/Themes [5] – Avoid writing Traditional Queries: Safe
      You can hide database errors for safety
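The nonce slide and the Unsafe/Safe query slides above carried their code as images, which did not survive in this transcript. The following is an added example (not the slides' own code) covering both: a nonce-protected form and link with the matching verification in the handler, and the unsafe concatenated query beside its $wpdb->prepare() form, with $wpdb->hide_errors() for the "hide database errors" point. It assumes it runs inside a plugin; the table name "{$wpdb->prefix}notes", the admin-post action name and the "bt_" function names are hypothetical.

```php
<?php
/**
 * Added example, not from the slides: CSRF protection with WordPress nonces and
 * a safe database query with $wpdb->prepare(). Assumes it runs inside a plugin;
 * the "notes" table, the action names and the "bt_" names are hypothetical.
 */

/* ---------- 1. Nonces against CSRF ---------- */

// A form whose submission carries a nonce tied to one action and one record.
function bt_render_delete_form( $note_id ) {
    $note_id = (int) $note_id;
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bt_delete_note">
        <input type="hidden" name="note_id" value="<?php echo esc_attr( $note_id ); ?>">
        <?php wp_nonce_field( 'bt_delete_note_' . $note_id, 'bt_nonce' ); ?>
        <button type="submit">Delete note</button>
    </form>
    <?php
    return ob_get_clean();
}

// A nonce-protected link: the "token while moving from one URL to another".
function bt_delete_link( $note_id ) {
    $note_id = (int) $note_id;
    $url     = add_query_arg(
        array( 'action' => 'bt_delete_note', 'note_id' => $note_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'bt_delete_note_' . $note_id, 'bt_nonce' );
}

// Handler: verify the nonce, then check the capability. A nonce proves the
// request came from a page we rendered for this user; it is not authorization.
function bt_handle_delete_note() {
    $note_id = isset( $_REQUEST['note_id'] ) ? (int) $_REQUEST['note_id'] : 0;

    // Dies with the "link has expired" page if the nonce is missing or invalid.
    check_admin_referer( 'bt_delete_note_' . $note_id, 'bt_nonce' );

    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }

    bt_delete_note( $note_id );
    wp_safe_redirect( admin_url( 'admin.php?page=bt-notes&deleted=1' ) );
    exit;
}
add_action( 'admin_post_bt_delete_note', 'bt_handle_delete_note' );

/* ---------- 2. Queries: the "Unsafe" and "Safe" slides ---------- */

// UNSAFE: request data concatenated straight into SQL, so whoever controls
// $_GET['author'] also controls the query structure.
function bt_notes_by_author_unsafe() {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}notes WHERE author = '" . $_GET['author'] . "'"
    );
}

// SAFE: $wpdb->prepare() binds values through %s/%d placeholders, so input can
// only ever be a value, never part of the statement.
function bt_notes_by_author( $author, $orderby = 'created' ) {
    global $wpdb;

    // Identifiers cannot be bound as placeholders, so the ORDER BY clause is
    // checked with sanitize_sql_orderby() and falls back to a fixed column.
    $orderby = sanitize_sql_orderby( $orderby );
    if ( ! $orderby ) {
        $orderby = 'created';
    }

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}notes WHERE author = %s AND created > %d ORDER BY $orderby",
        $author,
        time() - 30 * DAY_IN_SECONDS
    );
    return $wpdb->get_results( $sql );
}

function bt_delete_note( $note_id ) {
    global $wpdb;
    // "Hide database errors": stop $wpdb from printing SQL errors to visitors.
    $wpdb->hide_errors();
    // $wpdb->delete() builds a prepared DELETE from the WHERE array and formats.
    return $wpdb->delete( $wpdb->prefix . 'notes', array( 'id' => (int) $note_id ), array( '%d' ) );
}
```

Two points the slides only imply: the nonce action string includes the record id, so a token minted for one note cannot be replayed against another; and hiding errors only stops them reaching the browser, so the debugging information should still go to the server log (WP_DEBUG_LOG) rather than being lost.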
  46. Security while Developing Plugins/Themes [6]
      • Avoid using Deprecated Code: https://developer.wordpress.org/reference/
      • Test your WordPress Website Online: https://wpscans.com/
  47. Recap
      • General Measures of Security
      • Security Measures using Plugin while Developing a Website
      • Advanced Security Measures while Developing a Website with less dependency on Plugins
      • Advanced Security Measures while Developing Plugin/Theme
  48. Any Questions?
  49. Thank You – www.abulkhayer.com, www.facebook.com/MyselfKhayer, +8801683551692, info@abulkhayer.com
