Professional WordPress Security: Beyond Security Plugins

A talk delivered at the Melbourne WordPress Meetup discussing practical advice on how you can add additional layers of security to your WordPress website.

  1. Professional WordPress Security: Beyond Security Plugins. Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/
  2. About This Presentation
     • WordPress security is an often neglected topic, and with WordPress being used for more complex and business-critical sites, it needs to be treated far more seriously.
     • It’s not uncommon to hear comments like “just install a security plugin and it’ll be right!”. Security plugins and services are a step in the right direction, but there are many other steps you can take to keep your site secure.
     • In this presentation, Chris will provide some practical advice on how you can add additional layers of security to your WordPress website.
  3. Overview
     • Who Is This Guy?
     • Why Should I Care?
     • How Sites Are Compromised
     • Prevention
     • Practical Detection
     • What Can You Do?
     • Further Resources
  4. Who Is This Guy?
     • Chris Burgess
     • Passionate about web development, security and digital marketing
     • Passionate about keeping up to date with the latest web technologies
  5. Why Should I Care?
  6. Is This How You Feel About The Topic?
  7. Not Everyone Loves Security, But Everyone Should Care About It.
     • Are you a WordPress developer?
     • Do you have your own WordPress site?
     • Do you manage WordPress sites for your clients?
     If you answered “Yes” to any of the above questions, then you should factor WordPress security practices into your workflow.
  8. Security Is Not Absolute. It’s About Risks And Managing The Risks. It’s all about context…
  9. “Security is not a product, security is a process.” - Bruce Schneier
  10. Probability vs Severity
  11. Don’t Wait Until You See Something Like This Before You Care. https://www.google.com/webmasters/hacked/
  12. Be Proactive, Not Just Reactive. http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html
  13. There Is No Such Thing As Absolute Security, But You Can Reduce Risks
  14. How Sites Are Compromised
  15. Common Myths And Misconceptions
     • “WordPress sites always get hacked.”
     • “No one is interested in attacking my site.”
     • “I’ve got nothing valuable for anyone to steal.”
     • “Security is not my problem, my host/developer/plugin takes care of security for me.”
  16. Attackers
     • A person or group who is trying to attack your site
     • It may be personal, but the majority of the time you’re just a victim of opportunity
     • Typically, your website is just one faceless entity on a massive list of sites/addresses being scanned and probed
     • Mostly motivated by economic gain
  17. They Can Do It Via…
     • Out of date or vulnerable themes
     • Out of date or vulnerable plugins
     • Out of date version of WordPress
     • Integrations
     • Poor processes
     • Bad passwords and password management
     • Misconfiguration
     • Human error
  18. Sucuri Website Hacked Trend Report 2018. https://sucuri.net/reports/2018-hacked-website-report/
  19. What Sites Are Mostly Affected? https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
  20. https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
  21. https://www.google.com/webmasters/hacked/
  22. Real example of a compromised site in Google search results
  23. Real example of a compromised site in Google search results
  24. Real example of a DoS attack
  25. Google Search Console
  26. Netregistry email about compromised site
  27. Real example of a malicious plugin
  28. Real example of a malicious file
  29. Google Search Console
  30. Ahrefs and Google Search Console
  31. Real example of black hat SEO
  32. Real example of anchor text from Ahrefs
  33. Real example of links in Google Search Console
  34. Real example of a malicious plugin
  35. Real example of a malicious plugin
  36. Real example of black hat SEO
  37. Why Is WordPress A Popular Target? https://trends.builtwith.com/cms/country/Australia and https://trends.builtwith.com/cms
  38. Example Of WordPress Vulnerabilities. Source: http://wptavern.com
  39. “Most successful WordPress hack attacks are typically the result of human error, be it a configuration error or failing to maintain WordPress, such as keeping core and all plugins up to date, or installing insecure plugins etc.” - Robert Abela (@robertabela)
  40. What Are The Impacts On Businesses?
     Impacts bottom line:
     • Loss in revenue and customers
     • Cost of professional help, your time & resources
     • Potential legal and compliance issues
     Damage to reputation:
     • Affects brand reputation
     • Compromise to your visitors
     • Loss of trust and confidence amongst clients
     Stress on team:
     • Causes you unnecessary stress dealing with it
     • Causes stress to your team
     • Causes stress to colleagues and clients
     Technical issues:
     • Domain & IP reputation, website blacklisting & email deliverability
     • SEO and SEM impacts
     • Downtime and outages
  41. Prevention
  42. Security Plugins: https://www.wordfence.com/ https://sucuri.net/ https://ithemes.com/security/
  43. Defense in depth. https://technet.microsoft.com/en-us/library/cc512681.aspx
  44. “Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You’re vulnerable. Now, go do something useful about it.” - Bruce Schneier, http://www.schneier.com/blog/archives/2007/05/is_penetration.html
  45. https://www.edureka.co/blog/what-is-cybersecurity/
  46. Defense In Depth. “While we boast the idea of employing a defense in depth strategy in the design of our offering, we can’t say it’s the only defense in depth strategy an organization will need. The strategy involves much more than our tools. Instead, we say that we are a complementary solution to your existing security posture and we encourage you to use any other tools you require to round out your defensive position.” - Sucuri
  47. https://bigideatech.com/how-a-defense-in-depth-strategy-protects-businesses-from-ransomware-and-other-cyberattacks/
  48. https://www.slideshare.net/helhum/typo3-develop
  49. https://newsroom.fb.com/news/2019/01/designing-security-for-billions/
  50. Defense In Depth
     • We can't talk about WordPress security without talking about the other layers.
     • While more layers help secure our assets, they also introduce other issues such as complacency and a false sense of security.
     • UX: additional security measures can be cumbersome to manage (that said, I'd rather manage these issues than deal with a security incident).
  51. Practical Detection
  52. Tools
     • You can’t rely only on tools; they won’t always detect a compromise.
     • Most WordPress security tools work by using signatures.
     • Scanning your site with online tools works only if your site has active malware, is defaced or is blacklisted.
     • If a site has been compromised, it cannot be trusted.
  53. WPScan
  54. Example of WPScan
  55. 1500+ Files In A Default WordPress Installation, Excluding Themes & Plugins
     • WordPress relies on many popular open source libraries (as does most software).
     • Here are a few of the most common ones: jQuery, jQuery Masonry, jQuery Hotkeys, jQuery Suggest, jQuery Form, jQuery Color, jQuery Migrate, jQuery Schedule, jQuery UI, Backbone, colorpicker, hoverIntent, SWFObject, TinyMCE, Atom Lib, Text Diff, SimplePie, Pomo, ID3, Snoopy, PHPMailer, POP3 Class, PHPass, PemFTP
  56. Isolation
     • Look out for a shared web root, “addon” domains in cPanel, and other web apps in subfolders.
  57. example.com/index.php
  58. example.com/otherapp/
  59. example.com/*
  60. example.com/*
  61. A Word On Staging/Test Environments
     • While it’s never been easier to clone, copy or spin up a new instance of an environment, it’s also never been easier to lose track of these environments.
     • In many respects, these are softer targets than your production sites, so make sure they’re protected.
  62. Checking Content
     • You can check your site from both a back end and a front end perspective. This is particularly useful since malware will use measures to hide its existence, such as serving spam content only to search engine crawlers.
     • grep for server-side checks
     • Screaming Frog for crawling Internet-facing (rendered) content
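A starting point for the grep-based server-side check above, as an added example that is not code from the talk: a POSIX shell script that walks a web root for PHP constructs common in injected code, and separately flags any PHP under wp-content/uploads, which should only ever hold media. The indicator patterns, the directory layout and the sample files are constructed for illustration; a hit means "read this file", not "this is malware", because legitimate plugins also use some of these functions.

```shell
#!/bin/sh
# Added example: grep-based triage of a WordPress web root (not code from the talk).
# Indicator patterns below are assumptions chosen for illustration; tune them per site.

# ERE alternatives: eval() over common decoders, a request parameter called as a
# function, shell/assert primitives fed straight from request data, create_function().
SUSPICIOUS_PATTERNS='eval\((base64_decode|gzinflate|gzuncompress|str_rot13)|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\(|(assert|system|passthru|shell_exec|popen)\(\$_|create_function\('

scan_webroot() {
  # $1 = web root. Prints file:line:code for every suspicious line.
  # Exits 0 even with no hits so it is safe under `set -e`.
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
    -exec grep -EHn "$SUSPICIOUS_PATTERNS" {} + 2>/dev/null || :
}

php_in_uploads() {
  # $1 = web root. Lists PHP (or PHP-ish) files under wp-content/uploads,
  # a directory that should contain media only; anything here is a red flag.
  find "$1/wp-content/uploads" -type f \( -iname '*.php*' -o -iname '*.phtml' \) \
    -print 2>/dev/null || :
}

build_sample_tree() {
  # Constructed sample site for the demo: one clean plugin, one backdoored plugin,
  # one webshell dropped in uploads, one harmless core-style file as a control.
  mkdir -p "$1/wp-content/plugins/clean" "$1/wp-content/plugins/hello" \
           "$1/wp-content/uploads/2019/06" "$1/wp-includes"
  printf '<?php echo esc_html( get_option( "blogname" ) );\n' > "$1/wp-content/plugins/clean/clean.php"
  printf '<?php // Hello Dolly\n@eval(base64_decode($_POST["c"]));\n' > "$1/wp-content/plugins/hello/hello.php"
  printf '<?php if (isset($_REQUEST["x"])) { system($_REQUEST["x"]); }\n' > "$1/wp-content/uploads/2019/06/.c.php"
  printf '<?php $s = preg_replace("/a/", "b", $s);\n' > "$1/wp-includes/class-legit.php"
  printf 'not php\n' > "$1/wp-content/uploads/2019/06/image.jpg"
}

DEMO_ROOT=$(mktemp -d)
build_sample_tree "$DEMO_ROOT"
echo "== suspicious code =="
scan_webroot "$DEMO_ROOT"
echo "== PHP under uploads =="
php_in_uploads "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

Run it against a copy of the site rather than the live tree when you can, and diff the hit list between runs: a new hit in a file that has not been updated is far more interesting than a stable hit in a plugin you already reviewed.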
  63. If The Server Has Been Compromised, It Cannot Be Trusted.
  64. System Monitoring
     • Resources (bandwidth/CPU/RAM/IO)
     • Logins
     • Processes
  65. Integrity Monitoring
     • Tripwire
     • git
     • wp-cli (wp core verify-checksums)
     • Any diff tools
     • Plugins
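The "any diff tools" point above, as an added example that is not code from the talk: a baseline-and-compare integrity check built from find, sha256sum (or shasum) and awk, classifying drift as ADDED, MODIFIED or REMOVED. For core files, `wp core verify-checksums` compares against the hashes WordPress.org publishes; this approach also covers themes, plugins and uploads, but only relative to a baseline you took yourself, so take it right after a clean install or update and keep it off the server, since an attacker who can edit files can edit the baseline too. The paths and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: baseline-and-diff file integrity monitoring (not code from the talk).
# Use sha256sum where present, otherwise shasum (macOS/BSD).
HASHER=$(command -v sha256sum || echo "shasum -a 256")

take_baseline() {
  # $1 = web root, $2 = output file. One "hash  ./relative/path" line per file,
  # sorted by path so two baselines of the same tree are directly comparable.
  # (Assumes paths without whitespace, as a normal WordPress tree has.)
  ( cd "$1" && find . -type f -exec $HASHER {} + | sort -k 2 ) > "$2"
}

check_integrity() {
  # $1 = web root, $2 = baseline file. Prints one line per drifted file:
  #   ADDED path | MODIFIED path | REMOVED path
  # Returns 0 when the tree matches the baseline, 1 when anything drifted.
  current=$(mktemp)
  take_baseline "$1" "$current"
  drift=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
    {                                            # second file: current state
      if (!($2 in base))          print "ADDED " $2
      else if (base[$2] != $1)    print "MODIFIED " $2
      seen[$2] = 1
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED " p }
  ' "$2" "$current" | sort)
  rm -f "$current"
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Demo on a constructed mini-site: baseline, then simulate post-compromise changes.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/site/wp-includes" "$DEMO/site/wp-content/plugins/hello"
printf '<?php $wp_version = "5.2.2";\n' > "$DEMO/site/wp-includes/version.php"
printf '<?php // Hello Dolly\n' > "$DEMO/site/wp-content/plugins/hello/hello.php"
take_baseline "$DEMO/site" "$DEMO/baseline.sha256"

printf '<?php $wp_version = "5.2.2"; @include "/tmp/.x";\n' > "$DEMO/site/wp-includes/version.php"  # core file edited
mkdir -p "$DEMO/site/wp-content/uploads"
printf '<?php @eval($_POST[1]);\n' > "$DEMO/site/wp-content/uploads/.c.php"                       # webshell added
rm "$DEMO/site/wp-content/plugins/hello/hello.php"                                                  # file removed

check_integrity "$DEMO/site" "$DEMO/baseline.sha256" || echo "drift detected (exit status $?)"
rm -rf "$DEMO"
```

After a legitimate update, expect MODIFIED and ADDED lines under wp-includes, wp-admin and the updated plugin, then re-baseline; anything under wp-content/uploads, or in core outside an update window, is the finding.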
  66. Firewalls
     • Network firewalls
     • Web application firewalls
     • Security services
     • Proxies
  67. IDS/IPS
     • Typically at the host level
     • OSSEC
  68. Logging
     • /var/log (access, error, PHP)
     • Centralised logging or log shipping
     • Audit trails
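Reading /var/log is only useful with a question in mind. As an added example that is not code from the talk, here are two awk passes over Apache/nginx combined-format access log lines: one counts POSTs to wp-login.php and xmlrpc.php per client IP (password guessing and XML-RPC amplification both show up as volume), the other flags an IP that was finally redirected with a 302 after a run of 200 responses, which is what a successful guess looks like, since a failed WordPress login re-renders the form with HTTP 200 and a successful one redirects. The log lines are constructed using RFC 5737 documentation addresses; the thresholds are arbitrary.

```shell
#!/bin/sh
# Added example: wp-login.php / xmlrpc.php abuse triage from access logs (not code from the talk).
# Expects combined log format: IP - - [time zone] "METHOD path proto" status bytes "ref" "ua"

login_abuse() {
  # $1 = access log, $2 = threshold. Prints "count ip target" for every IP whose
  # POSTs to wp-login.php or xmlrpc.php reach the threshold, busiest first.
  awk -v limit="$2" '
    $6 == "\"POST" && ($7 ~ /\/wp-login\.php/ || $7 ~ /\/xmlrpc\.php/) {
      target = ($7 ~ /xmlrpc/) ? "xmlrpc.php" : "wp-login.php"
      n[$1 " " target]++
    }
    END { for (k in n) if (n[k] >= limit) print n[k], k }
  ' "$1" | sort -rn
}

login_after_failures() {
  # $1 = access log, $2 = threshold. Prints "ip failures" when an IP gets a 302 from
  # wp-login.php (successful login) after at least <threshold> 200s (failed attempts).
  awk -v limit="$2" '
    $6 == "\"POST" && $7 ~ /\/wp-login\.php/ {
      if ($9 == "200") fail[$1]++
      else if ($9 == "302" && fail[$1] >= limit) hit[$1] = fail[$1]
    }
    END { for (ip in hit) print ip, hit[ip] }
  ' "$1" | sort
}

write_sample_log() {
  # Constructed sample: a password-guessing run that succeeds, an XML-RPC burst,
  # and one legitimate admin login from a different address.
  cat > "$1" <<'EOF'
203.0.113.5 - - [02/Jun/2019:10:00:01 +1000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2019:10:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3890 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2019:10:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3890 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2019:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3890 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2019:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3890 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2019:10:00:04 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Jun/2019:10:01:00 +1000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.44 - - [02/Jun/2019:10:01:00 +1000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.44 - - [02/Jun/2019:10:01:01 +1000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [02/Jun/2019:10:02:00 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2019:10:02:01 +1000] "GET /wp-admin/ HTTP/1.1" 200 15022 "-" "Mozilla/5.0"
EOF
}

LOG=$(mktemp)
write_sample_log "$LOG"
echo "== IPs with >= 3 POSTs to login endpoints =="
login_abuse "$LOG" 3
echo "== successful login after >= 3 failures =="
login_after_failures "$LOG" 3
rm -f "$LOG"
```

Behind a CDN or reverse proxy the first field is the proxy's address, so switch to the client-IP header your web server logs before trusting the per-IP counts; and when a successful-after-failures hit appears, treat that account as compromised and check wp_users for additions, not just the login.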
  69. Places To Check…
     • Content/files
     • Running processes
     • Running scripts, open files (look at full paths in processes)
     • Memory
     • Cron jobs
     • Database
     • Dates and timestamps
     • Suspicious plugins
     • Suspicious directories/files
     • Sitemaps/SERPs
     • WordPress admin users
     • Other users in Google Search Console
     • Code audit
  70. What Can You Do?
  71. Image source: https://twitter.com/sittingduckdev
  72. Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that, so compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.
  73. What Can You Do?
     • Establish basic processes
     • Practice the principle of least privilege (POLP)
     • Take backups seriously
     • Be ruthless with your plugin choices
     • Maintain
     • Monitor
     • Choose a good host
  74. Be Practically Paranoid. http://favoritememes.com/_nw/37/42148895.jpg
  75. Practice The Principle Of Least Privilege
  76. Regular Backups & Offsite Storage
     • Server-level backups: cPanel/Plesk, replication, snapshots
     • Backup services
     • Backup plugins: UpdraftPlus, WordPress Backup to Dropbox, VaultPress, BackupBuddy, Duplicator etc.
     • Manual backups
     • Exports
     IMPORTANT: Don’t leave backups (e.g. /backup.zip) or config files (e.g. wp-config.php.old) where they are publicly accessible.
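The IMPORTANT note above, as an added example that is not code from the talk: a POSIX shell check that lists the kind of leftovers a web server will serve to anyone who guesses the name, i.e. copies of wp-config.php (which holds the database credentials and the salts), editor backup and swap files, database dumps, archives, PHP error logs and WP_DEBUG_LOG output, and exposed .git directories. The name patterns are assumptions to extend for your own workflow; archives under uploads may be legitimate downloads, so review rather than delete blindly. Pair it with a web server rule that denies those extensions outright, and keep such files out of the web root in the first place.

```shell
#!/bin/sh
# Added example: find backups, config copies and other leftovers exposed in a web root
# (not code from the talk). Name patterns are assumptions; extend for your own tooling.

find_exposed_leftovers() {
  # $1 = web root. Prints one path per line, sorted; always exits 0.
  {
    find "$1" -type f \( \
        -name 'wp-config.php.*' -o -name 'wp-config.php~' -o -name '.wp-config.php.swp' \
        -o -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*.save' \
        -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar' \
        -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.7z' \
        -o -name 'error_log' -o -name 'debug.log' \
      \) -print 2>/dev/null || :
    # Version-control metadata is as bad as a backup: .git hands over the full history.
    find "$1" -type d -name '.git' -print 2>/dev/null || :
  } | sort
}

# Demo on a constructed web root: a live wp-config.php (fine), a forgotten copy,
# an ad-hoc backup archive, a debug log, an uploaded image (fine) and a stray .git.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/uploads" "$DEMO/.git"
: > "$DEMO/wp-config.php"
: > "$DEMO/wp-config.php.old"
: > "$DEMO/backup.zip"
: > "$DEMO/wp-content/debug.log"
: > "$DEMO/wp-content/uploads/photo.jpg"
find_exposed_leftovers "$DEMO"
rm -rf "$DEMO"
```

The filesystem view is the authoritative one, but confirm from outside as well: request a couple of the listed paths over HTTPS from a machine that is not the server and make sure the response is 403 or 404, not the file.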
  77. Choose Only Quality Plugins
  78. Regular Website Maintenance: “Patch early and patch often”
  79. Use Isolation
     • Separate users/servers/instances
     • Keeps attacks isolated
     • Far more advantages than disadvantages
  80. Use SSL/TLS
     • Certificates are now free on most good hosts
     • Make sure it’s configured correctly (or use the Really Simple SSL plugin)
  81. Use Strong Encryption Everywhere
     • SFTP/SCP
     • SSH
     • HTTPS
     • Avoid “less secure” options such as plain FTP
  82. Use Google Search Console
  83. Use Password/Key Management
     • LastPass
     • Dashlane
     • 1Password
     • Browser password manager
     • Native OS
     • KeePass
     • Password Safe
  84. Use Two-Factor Authentication
  85. Maintain Server Security
     • Monitoring
     • Integrity monitoring
     • Firewalls
     • IDS/IPS
     • Logging
  86. Just Because…
     • We don’t rely ONLY on security plugins doesn’t mean we shouldn’t use them.
     • Sucuri, Wordfence, iThemes Security etc. are all excellent choices. Learn to use them effectively.
     • For high value assets, I’d highly recommend paying for a premium licence.
  87. Further Resources
  88. Reading
     • WordPress Docs/Codex
     • OWASP
     • OS/platform-specific resources (AWS, Ubuntu, Docker etc.)
     • Host management-specific resources (Plesk, cPanel etc.)
     • Stay updated
  89. Other Resources
     • WordPress.org: https://wordpress.org/about/security/ and https://wordpress.org/news/category/security/
     • Google Safe Browsing: https://www.google.com/transparencyreport/safebrowsing/diagnostic/
     • OWASP WordPress Security: https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
  90. Other Resources (continued)
     • https://wpvulndb.com/
     • https://www.wpsecuritybloggers.com
     • https://www.wpwhitesecurity.com
     • https://sucuri.net/
     • https://wpscan.org/
  91. Places To Learn About General Web App Security
     • OWASP (global): https://www.owasp.org/index.php/Main_Page
     • OWASP Melbourne: https://www.meetup.com/Application-Security-OWASP-Melbourne/
  92. https://www.owasp.org/index.php/Main_Page
  93. https://wpaustralia.org/
  94. Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/ Thanks/Questions?

Editor's Notes

  • Malware Family

    Backdoor - Files used to reinfect and retain access.

    Malware - Generic term used for browser-side code used to create drive-by downloads.

    SPAM-SEO - Compromise that targets a website’s SEO.

    HackTool - Exploit or DDoS tools used to attack other sites.

    Defaced - Hacks that leave a website’s homepage unusable and promoting an unrelated subject (i.e., hacktivism).

    Phishing - Used in phishing lures in which attackers attempt to trick users into sharing sensitive information (i.e., login information, credit card data, etc.).