SlideShare a Scribd company logo
1 of 42
Download to read offline
WORDPRESS
SECURITY 101
what is important
– and what is not
© Seravo 2017
DEFINITION OF
INFORMATION SECURITY
1. Confidentiality
2. Integrity
3. Availability
You must keep your
WordPress site secure.
POTENTIAL CONSEQUENCES
● Corrupted orders database: webshop unable to ship anything or
resolve payments
● Leaked customer database: angry customers, lawsuit for neglect of
privacy laws
● Visitors get redirected to shady sites: lost reputation, marketing
budget goes in vain
● Site spreads malware: Google might detect and ban from showing up
in search results
● Site sends spam: could become blacklisted and legit email stops
working
“BUT MY SITE IS NOT IMPORTANT!”
Your site can be used to mount further attacks!
If you have clearly neglected the maintenance
of your own site, you could be held partly liable
for attacks on other sites.
What is REALLY important
in keeping your WordPress
site secure?
AVENUES OF
UNAUTHORISED ACCESS:
1. Leaked passwords
2. Software vulnerabilities
LEAKED PASSWORDS
Remember password hygiene
seravo.fi/2014/password-hygiene-every-mans-responsibility
HTTPS, SFTP, SSH
Never submit passwords over an unencrypted
connection!
Enforce HTTPS in WordPress
1. Your server needs to support HTTPS
2. Enforce in wp-config.php with:
define('FORCE_SSL_ADMIN', true);
Use captcha
to avoid robot users
Google reCaptcha recommended
SOFTWARE VULNERABILITIES
MINIMIZE VULNERABILITIES
1. Minimize the attack surface by minimizing the amount of
software you have
2. For the software you really need, make sure you have
updated to latest releases
HOW SECURE IS WORDPRESS CORE?
Security bugs per
1000 lines of code
written
All time: 0,1
(204 CVE entries per
2,1 million lines of
code)
In 2015: 0,05
(11 CVE entries per
236 000 lines of code)
WORDPRESS CORE
IS SECURE.
THE PROBLEM IS THE PLUGINS.
Combined
core, plugin
and theme
vulnerability
database:
wpvulndb.com
Example case: Mossack Fonseca aka Panama papers
● The site www.mossfon.com was running WordPress
● Unauthorized access of WP lead to unauthorized access of MS Exchange
email server on internal network and other sites at *.mossfon.com
● The intruders most likely came through an old and insecure version of the
Revolution Slider plugin.
○ Well known vulnerability, WordPress.org even has a patch as a separate plugin
(https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not
available at WordPress.org.
Example case: Mossack Fonseca aka Panama papers
● Case analysis at
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner
able-slider-revolution/
WP PLUGIN REVIEW GUIDELINES FOR
CAPITALISTS*
If the logo is red and
name contains revolution,
don’t install it on your system!
* a small dose of parody can’t hurt?
PLUGIN SECURITY
1. Minimize the attack surface by minimizing the amount of
plugins (and themes) you have
2. For the plugins you really need, make sure you have
updated to latest releases
You will not minimize vulnerabilities
by installing more plugins!
WordPress is
insecure!
Quickly, install a
security plugin!
NO
DON’T WASTE TIME ON
● removing generator meta or hiding version numbers
● hiding login errors
● changing wp-admin location
● disabling xmlrpc
● removing readme.html or other files
Only for WP geeks who love to research the pros and cons.
For normal users WordPress default settings are secure.
FALSE SENSE
OF SECURITY
Feels like a lot has been done
when really very little has.
Example: useless readme.html blocking = don’t!
Example: useless readme.html blocking
Versions leak anyway
Example: useless readme.html blocking
Disclaimer:
WordFence was used just as an example. It still the best guy in town.
Many other security plugins are much worse.
..and other WordPress integrity checks trigger
SECURITY PLUGINS ARE NOT THE SOLUTION
Scan results require interpretation. Recommended only for professionals.
The only recommended ones:
WPScan and Google Webmaster Tools
Almost no false positives and no business model based on spreading fear.
IF YOU RUN YOUR OWN SERVER
Also remember to harden and keep updated
● operating system
● web server
● database server
● PHP environment
INSTALL ONLY FROM TRUSTED SOURCES
Avoid random 3rd party repositories that don’t have any maintenance policy.
PROTECTION AGAINST DDOS
What if the problem is not unauthorized access but the
lack of authorized access?
DENIAL OF SERVICE ATTACKS
Detect, withstand and block
● high performance servers and good caching
● detect repeated offenders and block at network level
○ e.g. failtoban + iptables
● detect and block at http level
○ e.g. Nginx rate limiting
● If you are trying to block at PHP/WordPress level, you’ve already lost
DDOS is a constant race of new techniques of attack and defence. Try to find a
good hosting provider that takes care of DDOS at least on the network level.
BACKUP AND RECOVERY
Because some day,
sooner or later,
everything else fails.
BACKUP GUIDELINES 1/2
Make sure your backup system meets these requirements
● automatic: not dependant on human action
● complete: both files and database
● incremental with a history: at least 30 days
● frequent: daily is good
BACKUP GUIDELINES 2/2
● offsite: in case access to the original site is lost
● pull, not push: original site should not have access to the backups,
otherwise an attacker can delete both the original site and all backups
Personal favourite: mysqldump + rdiff-backup over SSH
ONCE MORE WITH A FEELING
WORDPRESS SECURITY 101
1. Always follow password hygiene.
2. Use captchas to stall robot users.
3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain
text on any network connection.
4. Remove unnecessary software to reduce attack surface.
5. Keep WordPress plugins and all other software too updated to have
all known vulnerability fixes installed.
6. Install software and update only from trusted sources.
7. Have a good backups system in place.
8. Choose a good service provider and trust them to take care of the
rest.
THANK YOU!
SERAVO.COM
wordpress@seravo.com
Twitter: @Seravocom

More Related Content

What's hot

Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesOtto Kekäläinen
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”Valent Mustamin
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressSarah Dutkiewicz
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1Wataru OKAMOTO
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityDavid Wilemski
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speedpdeschen
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPressvnsavage
 
Introduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildIntroduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildMartin de Keijzer
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)WordCamp Cape Town
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017ElifTech
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesGovLoop
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...OVHcloud
 
Why it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itWhy it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itOnni Hakala
 

What's hot (20)

Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themes
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusion
 
Drupal Development Tips
Drupal Development TipsDrupal Development Tips
Drupal Development Tips
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPress
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurity
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speed
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
 
Introduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildIntroduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap Build
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sites
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
 
Why it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itWhy it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do it
 
04 web optimization
04 web optimization04 web optimization
04 web optimization
 

Viewers also liked

WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsOtto Kekäläinen
 
My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing Nihit Gandhi
 
Richmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate ProfileRichmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate ProfileMohit Shankhdhar
 
Richmen credentials interactive displays nv
Richmen credentials interactive displays nvRichmen credentials interactive displays nv
Richmen credentials interactive displays nvMohit Shankhdhar
 
Edge marketing profile - BTL and digital
Edge marketing profile - BTL and digitalEdge marketing profile - BTL and digital
Edge marketing profile - BTL and digitalVarun Wahi
 
Experiential Marketing
Experiential MarketingExperiential Marketing
Experiential MarketingChristy Belden
 
Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)Pointvoucher
 
Panadol Patch Activation Proposal
Panadol Patch Activation Proposal Panadol Patch Activation Proposal
Panadol Patch Activation Proposal Anto Soeyono
 
Brand Innovation and Activation
Brand Innovation and ActivationBrand Innovation and Activation
Brand Innovation and ActivationYanuar Rahman
 
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...Synergy Integrated MarCom India Pvt. Ltd.
 
TimTam Activation Proposal
TimTam Activation ProposalTimTam Activation Proposal
TimTam Activation ProposalAnto Soeyono
 
Brand activation
Brand activationBrand activation
Brand activationAli Hadi
 
Brand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road ShowsBrand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road ShowsGreen Flag Technologies
 
HartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the massesHartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the massesAntony Clay
 
Gardners Mi Overview
Gardners Mi OverviewGardners Mi Overview
Gardners Mi Overviewlancesfa
 
I Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo ProdiI Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo Prodicapitan_jo
 

Viewers also liked (20)

WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressions
 
My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing
 
Richmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate ProfileRichmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate Profile
 
Richmen credentials interactive displays nv
Richmen credentials interactive displays nvRichmen credentials interactive displays nv
Richmen credentials interactive displays nv
 
Edge marketing profile - BTL and digital
Edge marketing profile - BTL and digitalEdge marketing profile - BTL and digital
Edge marketing profile - BTL and digital
 
Marconix BTL
Marconix BTLMarconix BTL
Marconix BTL
 
"Below The Line" Presentation
"Below The Line" Presentation"Below The Line" Presentation
"Below The Line" Presentation
 
Experiential Marketing
Experiential MarketingExperiential Marketing
Experiential Marketing
 
Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)
 
Panadol Patch Activation Proposal
Panadol Patch Activation Proposal Panadol Patch Activation Proposal
Panadol Patch Activation Proposal
 
Brand Innovation and Activation
Brand Innovation and ActivationBrand Innovation and Activation
Brand Innovation and Activation
 
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
 
TimTam Activation Proposal
TimTam Activation ProposalTimTam Activation Proposal
TimTam Activation Proposal
 
Brand activation
Brand activationBrand activation
Brand activation
 
Brand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road ShowsBrand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road Shows
 
HartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the massesHartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the masses
 
Gardners Mi Overview
Gardners Mi OverviewGardners Mi Overview
Gardners Mi Overview
 
Sensei kukikan
Sensei kukikanSensei kukikan
Sensei kukikan
 
I Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo ProdiI Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo Prodi
 

Similar to Seravo.com: WordPress Security 101

WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...Otto Kekäläinen
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012Angela Bowman
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Nicholas Batik
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014Primary Image Ltd
 
Care and feeding of your website
Care and feeding of your websiteCare and feeding of your website
Care and feeding of your websiteShawn DeWolfe
 
Security, more important than ever!
Security, more important than ever!Security, more important than ever!
Security, more important than ever!Marko Heijnen
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfHost It Smart
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionPratik Jagdishwala
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupOyster Bay Marauders LLC
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteReliqusConsulting
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 

Similar to Seravo.com: WordPress Security 101 (20)

WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
 
Care and feeding of your website
Care and feeding of your websiteCare and feeding of your website
Care and feeding of your website
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Security, more important than ever!
Security, more important than ever!Security, more important than ever!
Security, more important than ever!
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdf
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security session
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP Meetup
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security ppt
 

Recently uploaded

Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 

Recently uploaded (20)

Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 

Seravo.com: WordPress Security 101

  • 1. WORDPRESS SECURITY 101 what is important – and what is not © Seravo 2017
  • 2. DEFINITION OF INFORMATION SECURITY 1. Confidentiality 2. Integrity 3. Availability
  • 3. You must keep your WordPress site secure.
  • 4. POTENTIAL CONSEQUENCES ● Corrupted orders database: webshop unable to ship anything or resolve payments ● Leaked customer database: angry customers, lawsuit for neglect of privacy laws ● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain ● Site spreads malware: Google might detect and ban from showing up in search results ● Site sends spam: could become blacklisted and legit email stops working
  • 5. “BUT MY SITE IS NOT IMPORTANT!” Your site can be used to mount further attacks! If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.
  • 6. What is REALLY important in keeping your WordPress site secure?
  • 7. AVENUES OF UNAUTHORISED ACCESS: 1. Leaked passwords 2. Software vulnerabilities
  • 10. HTTPS, SFTP, SSH Never submit passwords over an unencrypted connection!
  • 11. Enforce HTTPS in WordPress 1. Your server needs to support HTTPS 2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);
  • 12. Use captcha to avoid robot users Google reCaptcha recommended
  • 14. MINIMIZE VULNERABILITIES 1. Minimize the attack surface by minimizing the amount of software you have 2. For the software you really need, make sure you have updated to latest releases
  • 15. HOW SECURE IS WORDPRESS CORE? Security bugs per 1000 lines of code written All time: 0,1 (204 CVE entries per 2,1 million lines of code) In 2015: 0,05 (11 CVE entries per 236 000 lines of code)
  • 17. THE PROBLEM IS THE PLUGINS.
  • 19. Example case: Mossack Fonseca aka Panama papers ● The site www.mossfon.com was running WordPress ● Unauthorized access of WP lead to unauthorized access of MS Exchange email server on internal network and other sites at *.mossfon.com ● The intruders most likely came through an old and insecure version of the Revolution Slider plugin. ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.
  • 20. Example case: Mossack Fonseca aka Panama papers ● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner able-slider-revolution/
  • 21. WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS* If the logo is red and name contains revolution, don’t install it on your system! * a small dose of parody can’t hurt?
  • 22. PLUGIN SECURITY 1. Minimize the attack surface by minimizing the amount of plugins (and themes) you have 2. For the plugins you really need, make sure you have updated to latest releases You will not minimize vulnerabilities by installing more plugins!
  • 24. NO
  • 25.
  • 26. DON’T WASTE TIME ON ● removing generator meta or hiding version numbers ● hiding login errors ● changing wp-admin location ● disabling xmlrpc ● removing readme.html or other files Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.
  • 27. FALSE SENSE OF SECURITY Feels like a lot has been done when really very little has.
  • 28. Example: useless readme.html blocking = don’t!
  • 29. Example: useless readme.html blocking Versions leak anyway
  • 30. Example: useless readme.html blocking Disclaimer: WordFence was used just as an example. It still the best guy in town. Many other security plugins are much worse. ..and other WordPress integrity checks trigger
  • 31. SECURITY PLUGINS ARE NOT THE SOLUTION Scan results require interpretation. Recommended only for professionals.
  • 32. The only recommended ones: WPScan and Google Webmaster Tools Almost no false positives and no business model based on spreading fear.
  • 33. IF YOU RUN YOUR OWN SERVER Also remember to harden and keep updated ● operating system ● web server ● database server ● PHP environment
  • 34. INSTALL ONLY FROM TRUSTED SOURCES Avoid random 3rd party repositories that don’t have any maintenance policy.
  • 35. PROTECTION AGAINST DDOS What if the problem is not unauthorized access but the lack of authorized access?
  • 36. DENIAL OF SERVICE ATTACKS Detect, withstand and block ● high performance servers and good caching ● detect repeated offenders and block at network level ○ e.g. failtoban + iptables ● detect and block at http level ○ e.g. Nginx rate limiting ● If you are trying to block at PHP/WordPress level, you’ve already lost DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.
  • 37. BACKUP AND RECOVERY Because some day, sooner or later, everything else fails.
  • 38. BACKUP GUIDELINES 1/2 Make sure your backup system meets these requirements ● automatic: not dependant on human action ● complete: both files and database ● incremental with a history: at least 30 days ● frequent: daily is good
  • 39. BACKUP GUIDELINES 2/2 ● offsite: in case access to the original site is lost ● pull, not push: original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups Personal favourite: mysqldump + rdiff-backup over SSH
  • 40. ONCE MORE WITH A FEELING
  • 41. WORDPRESS SECURITY 101 1. Always follow password hygiene. 2. Use captchas to stall robot users. 3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain text on any network connection. 4. Remove unnecessary software to reduce attack surface. 5. Keep WordPress plugins and all other software too updated to have all known vulnerability fixes installed. 6. Install software and update only from trusted sources. 7. Have a good backups system in place. 8. Choose a good service provider and trust them to take care of the rest.