Hardening Your WordPress Website

Hardening Your WordPress Website To Attacks

1. HARDENING YOUR WEBSITE TO ATTACKS
   Making It Easier to Hack Into Someone Else's Website
   Mike Venables, mikeve@trilink.aero, TriLink Technologies Group Inc.

2. AGENDA
   • Introduction
   • WordPress Security Myths
   • Blacklisting
   • Security Flaws With Default Installation
   • Threats and Counter-Threats
   • Backup
   • Additional Security
   • Conclusions

3. INTRODUCTION
   • 40 Years Experience in Aerospace
     – Most of it in marketing
   • Independent Since 2009
   • Added Website Creation Using WordPress in 2011
     – Main selling feature is self-maintenance
   • Became Concerned With Security in 2012
     – Client's site was hacked

4. WORDPRESS SECURITY MYTHS
   • My Site Is Too Small or Insignificant
     – Any site is a target
     – Link building
     – Spam distribution
   • WordPress Is Already Secure
     – Yes, but you can't leave the front door open
   • The "White Screen of Death" Is The Worst That You Can See

5. THE WORST THAT YOU CAN SEE

6. BLACKLISTING
   • Problem
     – Google blocks access to your site
     – Removed from search engine listing
   • Resolution
     – Fix the hack
     – Report the fix to Google
     – Wait for Google to lift the ban

7. SECURING A WORDPRESS SITE
   • Risk Cannot Be Eliminated, Only Reduced
   • Starts With The Installation
   • Easiest To Do Before Content Is Added

8. SECURITY FLAWS WITH DEFAULT INSTALL
   • Most Attacks Are Based On The Assumption That Defaults Were Accepted
   • Threat and Counter Examples Are Based On:
     – Manual install with all defaults
     – One user: "admin", password: "admin123"
     – "Pretty" permalinks turned on
     – Counters manually applied
   • Automated "1-Click" Installers Are Starting To Allow Customization

9. DEFAULT TABLE PREFIX
   • Default WordPress Table Prefix Is "wp_"
     – Exploited by advanced "SQL injection" attacks
     – WP internal hardening is improving
     – .htaccess techniques help (beyond today's scope)
   • Change It By Editing The "wp-config.php" File
     – Must be done before any content is added
     – Use "phpMyAdmin" to delete the old tables
     – Use iThemes Security to change the prefix after content has been added

10. DEFAULT CONTENT FOLDER
   • Default Of "wp-content" Can Be Exploited
   • iThemes Security Can Change It
   • Breaks Lots and Lots of Plugins
     – "wp-content" hard coded
     – Should use "content_url()"
   • Not Worth the Trouble

11. DEFAULT ADMIN NAME
   • "admin" Is The Default Username For The Administrator
     – Hacker only needs to guess the password
     – Automated tools make guessing easy
   • Changing The Administrator Username Closes The Front Door, But Doesn't Lock It
     – WordPress can easily expose the admin's username
       • Click on a post author name and check the URL
       • www.site.com/?author=1 (or 2 or 3, etc.)
       • Confirm by trying to log in

12. DEFAULT ADMIN NAME (CONT'D)
   • Accept The Default Name But Use A Secondary Email
   • User Table Is Auto Indexed (1, 2, 3, etc.)
   • Set The Next Index To, Say, 145
     – phpMyAdmin:
       ALTER TABLE `wp_users` AUTO_INCREMENT = 145
     – SQL Executioner:
       ALTER TABLE $users AUTO_INCREMENT = 145
   • Create A New, Real, User
   • Log In As The Real User
     – Delete the first user

13. DISABLE FILE EDITING FROM DASHBOARD
   • Bad Practice For Anyone To Edit Files From The Dashboard
     – No undo
     – No configuration control
   • Edit wp-config.php
   • Add
     – define('DISALLOW_FILE_EDIT', true);
     – Semi-colon important
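A small audit of the two wp-config.php settings from slides 9 and 13 (a non-default table prefix and DISALLOW_FILE_EDIT), as an added example that is not part of the deck or of WordPress itself; the audit_wp_config and wp_config_findings functions and both sample config files are my own construction.

```shell
#!/bin/sh
# Added example (not from the slides): check a wp-config.php for the two
# hardening settings the deck asks for. Function and file names are mine.

audit_wp_config() {
  cfg="$1"
  # Pull the quoted value from the "$table_prefix = '...';" line (slide 9).
  prefix=$(awk -F"['\"]" '/^ *[$]table_prefix *=/ { print $2; exit }' "$cfg")
  if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
    echo "WEAK: table prefix is the default 'wp_' (or not set) - change it before adding content"
  fi
  # Match define('DISALLOW_FILE_EDIT', true); with either quote style (slide 13).
  if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)[[:space:]]*;" "$cfg"; then
    echo "WEAK: DISALLOW_FILE_EDIT is not set to true - dashboard file editor is still enabled"
  fi
  return 0
}

# Number of weak settings found; always exits 0 so it is safe under "set -e".
wp_config_findings() {
  audit_wp_config "$1" | grep -c '^WEAK:' || true
}

# Constructed sample configs (not from any real site): one left at the
# defaults the deck describes, one with both settings applied.
WP_CFG_DIR=$(mktemp -d)
WP_CFG_DEFAULT="$WP_CFG_DIR/wp-config-default.php"
WP_CFG_HARDENED="$WP_CFG_DIR/wp-config-hardened.php"

cat > "$WP_CFG_DEFAULT" <<'EOF'
<?php
define('DB_NAME', 'example');
$table_prefix = 'wp_';
EOF

cat > "$WP_CFG_HARDENED" <<'EOF'
<?php
define('DB_NAME', 'example');
$table_prefix = 'k7q3x_';
define( 'DISALLOW_FILE_EDIT', true );
EOF

echo "== default install =="
audit_wp_config "$WP_CFG_DEFAULT"     # reports both weak settings
echo "== hardened =="
audit_wp_config "$WP_CFG_HARDENED"    # reports nothing
```

Run it against a real site's wp-config.php by passing the path to audit_wp_config; a non-zero count from wp_config_findings means at least one of the two slides' steps is still outstanding.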
14. WORDFENCE
   • Over 1,700,000 Downloads
   • Masks Username On Login
   • Enforces Strong Passwords
   • Alerts For Core, Theme and Plugin Updates
   • Scans Files For Unauthorized Changes
   • Locks Out Repeated Failed Login Attempts
   • Monitors DNS Settings
   • Etc.
   • Has A Performance-Enhancing Cache Built In

15. BACKWPUP
   • Over 1,260,000 Downloads
   • Fully Configurable
     – Schedule multiple jobs
   • Different Backup Locations
     – Email, folder (not within the WP folder), FTP, Dropbox, etc.
   • Requires FTP and phpMyAdmin Access For Restore
   • Vaultpress.com (Paid) Provides 1-Click Restores

16. ADDITIONAL SECURITY
   • Restrict Logins To One IP
     – Effective, but limits flexibility
   • Two-Factor Authentication
     – Duo Security (free plugin)
     – Links to an account at duosecurity.com
     – Free for <= 10 users, otherwise $1/user/month

17. WHITE LABEL CMS
   • Rebrand WordPress
     – Dashboard
     – Logos
     – Login logo
   • Control Access To "Advanced" Functions
     – Dependent on the user's level

18. TIDY UP
   • Delete All Themes Except:
     – The one in use (and its parent, if it's a child theme)
     – The default theme (currently twenty-fourteen)
   • Delete Unneeded Plugins
     – Especially SQL Executioner

19. ONGOING SECURITY
   • Keep Your Installation Up To Date
     – WP core
     – Themes
     – Plugins
   • WordFence Can Send Alerts
     – Updates
     – Modified files
     – Repeated failed login attempts

20. TOOLS USED
   • Editor
     – Komodo (free)
   • FTP
     – FileZilla (free)
   • Plugins (all free)
     – WordFence
     – BackWPUp
     – SQL Executioner
     – iThemes Security
     – Duo Security
     – White Label CMS

21. IF YOU DO ONLY 1 THING…
   • According To Sucuri
     – 85% of WP sites use `admin` as the username
     – Top 3 passwords:
       • `password` - 14%
       • `admin` - 10%
       • `123456` - 6%
   • Change The `admin` Username
   • Use Strong Passwords

22. CONCLUSIONS
   • Risk Is Low But Real
   • Risk Reduction Is Easy
     – 80% protection with 20% of the work
   • Strong Passwords
   • Backup
   • Backup
   • Backup

23. CONTACT INFO
   • Mike Venables
   • TriLink Technologies Group Inc.
   • +1 (613) 204-2413
   • mikeve@TriLink.aero
   • www.TriLink.aero
   • Slides:
     – http://www.slideshare.net/mikevens/hardening-you-wordpress-website
