Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Seravo.com: WordPress Security 101

2,949 views

Published on

There are many alternative facts concerning WordPress website security. What is really important and what is not?

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Seravo.com: WordPress Security 101

  1. 1. WORDPRESS SECURITY 101 what is important – and what is not © Seravo 2017
  2. 2. DEFINITION OF INFORMATION SECURITY 1. Confidentiality 2. Integrity 3. Availability
  3. 3. You must keep your WordPress site secure.
  4. 4. POTENTIAL CONSEQUENCES ● Corrupted orders database: webshop unable to ship anything or resolve payments ● Leaked customer database: angry customers, lawsuit for neglect of privacy laws ● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain ● Site spreads malware: Google might detect and ban from showing up in search results ● Site sends spam: could become blacklisted and legit email stops working
  5. 5. “BUT MY SITE IS NOT IMPORTANT!” Your site can be used to mount further attacks! If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.
  6. 6. What is REALLY important in keeping your WordPress site secure?
  7. 7. AVENUES OF UNAUTHORISED ACCESS: 1. Leaked passwords 2. Software vulnerabilities
  8. 8. LEAKED PASSWORDS
  9. 9. Remember password hygiene seravo.fi/2014/password-hygiene-every-mans-responsibility
  10. 10. HTTPS, SFTP, SSH Never submit passwords over an unencrypted connection!
  11. 11. Enforce HTTPS in WordPress 1. Your server needs to support HTTPS 2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);
  12. 12. Use captcha to avoid robot users Google reCaptcha recommended
  13. 13. SOFTWARE VULNERABILITIES
  14. 14. MINIMIZE VULNERABILITIES 1. Minimize the attack surface by minimizing the amount of software you have 2. For the software you really need, make sure you have updated to latest releases
  15. 15. HOW SECURE IS WORDPRESS CORE? Security bugs per 1000 lines of code written All time: 0,1 (204 CVE entries per 2,1 million lines of code) In 2015: 0,05 (11 CVE entries per 236 000 lines of code)
  16. 16. WORDPRESS CORE IS SECURE.
  17. 17. THE PROBLEM IS THE PLUGINS.
  18. 18. Combined core, plugin and theme vulnerability database: wpvulndb.com
  19. 19. Example case: Mossack Fonseca aka Panama papers ● The site www.mossfon.com was running WordPress ● Unauthorized access of WP lead to unauthorized access of MS Exchange email server on internal network and other sites at *.mossfon.com ● The intruders most likely came through an old and insecure version of the Revolution Slider plugin. ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.
  20. 20. Example case: Mossack Fonseca aka Panama papers ● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner able-slider-revolution/
  21. 21. WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS* If the logo is red and name contains revolution, don’t install it on your system! * a small dose of parody can’t hurt?
  22. 22. PLUGIN SECURITY 1. Minimize the attack surface by minimizing the amount of plugins (and themes) you have 2. For the plugins you really need, make sure you have updated to latest releases You will not minimize vulnerabilities by installing more plugins!
  23. 23. WordPress is insecure! Quickly, install a security plugin!
  24. 24. NO
  25. 25. DON’T WASTE TIME ON ● removing generator meta or hiding version numbers ● hiding login errors ● changing wp-admin location ● disabling xmlrpc ● removing readme.html or other files Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.
  26. 26. FALSE SENSE OF SECURITY Feels like a lot has been done when really very little has.
  27. 27. Example: useless readme.html blocking = don’t!
  28. 28. Example: useless readme.html blocking Versions leak anyway
  29. 29. Example: useless readme.html blocking Disclaimer: WordFence was used just as an example. It still the best guy in town. Many other security plugins are much worse. ..and other WordPress integrity checks trigger
  30. 30. SECURITY PLUGINS ARE NOT THE SOLUTION Scan results require interpretation. Recommended only for professionals.
  31. 31. The only recommended ones: WPScan and Google Webmaster Tools Almost no false positives and no business model based on spreading fear.
  32. 32. IF YOU RUN YOUR OWN SERVER Also remember to harden and keep updated ● operating system ● web server ● database server ● PHP environment
  33. 33. INSTALL ONLY FROM TRUSTED SOURCES Avoid random 3rd party repositories that don’t have any maintenance policy.
  34. 34. PROTECTION AGAINST DDOS What if the problem is not unauthorized access but the lack of authorized access?
  35. 35. DENIAL OF SERVICE ATTACKS Detect, withstand and block ● high performance servers and good caching ● detect repeated offenders and block at network level ○ e.g. failtoban + iptables ● detect and block at http level ○ e.g. Nginx rate limiting ● If you are trying to block at PHP/WordPress level, you’ve already lost DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.
  36. 36. BACKUP AND RECOVERY Because some day, sooner or later, everything else fails.
  37. 37. BACKUP GUIDELINES 1/2 Make sure your backup system meets these requirements ● automatic: not dependant on human action ● complete: both files and database ● incremental with a history: at least 30 days ● frequent: daily is good
  38. 38. BACKUP GUIDELINES 2/2 ● offsite: in case access to the original site is lost ● pull, not push: original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups Personal favourite: mysqldump + rdiff-backup over SSH
  39. 39. ONCE MORE WITH A FEELING
  40. 40. WORDPRESS SECURITY 101 1. Always follow password hygiene. 2. Use captchas to stall robot users. 3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain text on any network connection. 4. Remove unnecessary software to reduce attack surface. 5. Keep WordPress plugins and all other software too updated to have all known vulnerability fixes installed. 6. Install software and update only from trusted sources. 7. Have a good backups system in place. 8. Choose a good service provider and trust them to take care of the rest.
  41. 41. THANK YOU! SERAVO.COM wordpress@seravo.com Twitter: @Seravocom

×