
Security, more important than ever!

In the last couple of years, security has become a bigger focus point, and WordPress has been no exception. In this talk I look at our role in making sure that projects are delivered as securely as they can be, by going over several security issues that were discovered this year and ways you can protect yourself.


  1. SECURITY: More important than ever
  2. “Much web security rests on illusion and hope.” – Kevin Fu
  3. Marko Heijnen
     • Web developer @ Plesk
     • Founder of CodeKitchen
     • Core contributor to 14 WordPress releases
     • One of the organizers of WordCamp Belgrade
     • Plugin developer of Tabify Edit Screen, Site Manager, etc.
  4. Today’s topics
  5. Today’s topics: Current Status, Hardening
  6. Current Status
  7. WordPress compared to all websites worldwide (chart): 2011 13.1%, 2012 15.8%, 2013 17.4%, 2014 21.0%, 2015 23.3%, 2016 26.6%
  8. 26.6% 2.8% 2.2%
  9. Target
  10. https://sucuri.net/website-security/website-hacked-report
  11. 44% was updated
  12. The S0P is a Dutch community program for everyone with an interest in software security. From enthusiastic beginners to the 1337est hackers out there. So Students, Learners, Coders, Hackers, Breakers and... BBQ Kings, join us!
  13. One team, One month, One target.
  14. Only popular plugins with at least 10k+ installs
  15. 118 pwns! 5 in core, 2 got fixed; 58 fixed; 2 in security plugins
  16. Stats (chart): categories Cross-Site Scripting, Cross-Site Request Forgery, PHP Object Injection, Remote Code Execution, Local File Inclusion, Denial of Service, Misc; shares 66%, 12%, 8%, 4%, 4%, 3%, 3%. https://www.securify.nl/blog/SFY20160801/summer_of_pwnage__one_month_of_wordpress_pwning.html
  17. Hardening
  18. It’s time to update
  19. Lock things down
  20. Disable the Plugin and Theme Editor
     Don’t make it too easy for people to change files: define( 'DISALLOW_FILE_EDIT', true );
     Disable Plugin and Theme Update and Installation
     Prevents people from installing new plugins. The downside is that you can’t do any updates either; this can be avoided by removing the install capabilities instead. define( 'DISALLOW_FILE_MODS', true ); or
  21. Limit PHP execution in folders
     Preventing PHP execution in certain folders increases security in case of a breach. For example:
     /wp-content/uploads or wp-content completely
     /wp-includes/
  22. Login
  23. Limit login attempts
     Use something like fail2ban when possible; otherwise use a WordPress plugin.
     Use secure passwords
     Don’t make it too easy for people.
     Two-Step Authentication
     Use your phone to authenticate with something you have.
     Force SSL for Admin
     This can be done at most hosts for free with Let’s Encrypt: define( 'FORCE_SSL_ADMIN', true );
  24. wp-config magic
  25. Move the wp-config.php file
     Moving it one folder up prevents people from accessing the file.
     Don’t use the table prefix wp_
     Could potentially be used to identify that it’s a WordPress site.
  26. Move wp-content directory
     Makes it a bit harder for bots to find out what plugins/themes you are using:
     define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/blog/wp-content' );
     define( 'WP_CONTENT_URL', 'http://example/blog/wp-content' );
     Block External URL Requests
     define( 'WP_HTTP_BLOCK_EXTERNAL', true );
     define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );
  27. Server software
  28. NGINX
     You can use limit_req_zone inside your configuration to limit the number of requests, or limit_conn_zone to limit the number of connections.
     IPTables / UFW
     A firewall lets you allow only the traffic you want to reach your server. UFW is an easy-to-use wrapper for IPTables.
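     Added example (not from the slides) that puts slides 21, 23 and 28 into one nginx server block: PHP is never executed under wp-content/uploads or wp-includes, wp-login.php is rate-limited per client IP with limit_req_zone, and concurrent connections are capped with limit_conn_zone. The hostname, document root, certificate paths and PHP-FPM socket are assumptions for your own setup.

```nginx
# Zones are declared in the http {} context; the server {} block goes in sites-enabled.
limit_req_zone  $binary_remote_addr zone=wp_login:10m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=wp_conn:10m;

server {
    listen 443 ssl;
    server_name example.com;                         # assumption
    root /var/www/example.com/htdocs;                # assumption: WordPress docroot
    index index.php;
    # Assumption: Let's Encrypt certificate paths as created by certbot.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Slide 21: a .php file that lands in uploads (or wp-includes) after a breach
    # must be served as "forbidden", never handed to PHP-FPM. Regex locations are
    # matched in order, so these must come before the generic \.php$ handler.
    location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
    location ~* ^/wp-includes/.*\.php$       { deny all; }

    # Slides 23/28: throttle login attempts per IP. burst=5 lets a human mistype
    # a few times; anything faster gets 429 instead of reaching WordPress.
    location = /wp-login.php {
        limit_req zone=wp_login burst=5 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;     # assumption: PHP-FPM socket
    }

    # Slide 28: cap simultaneous connections per IP for everything else.
    location / {
        limit_conn wp_conn 20;
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;     # assumption: PHP-FPM socket
    }
}
```

     Run `nginx -t` before reloading, and test the admin editor afterwards, since some WordPress releases load a PHP file from wp-includes for the editor.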
  29. fail2ban
     Fail2ban scans log files and bans IPs that show malicious signs, mostly focusing on authentication.
     ModSecurity
     An open source web application firewall (WAF). It ships with few rules by default, but good open source rule sets are available.
  30. Keep everything up-to-date!
  31. External services
  32. Cloudflare
     CloudFlare is best known for its free CDN service. They specialize in mitigating DDoS attacks using their Website Application Firewall product. The WAF starts at $20 a month.
     Sucuri
     Sucuri is one of the most reputable website security and monitoring services. They offer comprehensive website monitoring, scanning for malware, DDoS protection, and malware removal services. Starts at $16.99 per month.

  33. Akismet
     Akismet is an advanced hosted anti-spam service. Not directly security protection, but it can jump in when needed. Free for basic spam protection; they do malware scanning at the price of $9/month per site.
     VaultPress or something similar
     Daily or realtime backups in combination with daily malware scanning. With their premium plan you also get Automated Threat Resolution. $9/month or $29/month.
  34. Obscurity?
  35. Don’t use the admin account
     Prevents bots from trying to log in to the admin account.
     Remove WordPress version from header etc.
     Could potentially be used to identify that it’s a WordPress site.
     Password protected WP-Admin (to avoid)
     Can break front-end ajax requests, and with proper login protection in combination with a WAF it is not needed.
  36. Security plugins
  37. Last, and should be last
     Plugins can create a false sense of security and should be used as an additional security layer, for scanning or other WordPress-specific tasks.
     Enough things can be done by server software
     Things like brute force protection or a WAF should be done by the server to keep your site as fast as possible.
     All of these plugins had security issues before
     Everything will have security issues, but the problem with plugins is that they are more public facing.
  38. Server software is a one click update
     Instead of updating all sites, one software update enhances the security of all your sites.
     Control Panels do help out
     For example, Plesk has ModSecurity, Fail2ban and firewall support. In combination with their WordPress toolkit and security scan, you’ve got yourself an awesome combo.
  39. Marko Heijnen, Web developer @ Plesk, Founder of CodeKitchen. @MarkoHeijnen, info@markoheijnen.com, markoheijnen.com