Hardening Your WordPress Website

Hardening Your WordPress Website To Attacks

  1. Mike Venables mikeve@trilink.aero, TriLink Technologies Group Inc.
     HARDENING YOUR WEBSITE TO ATTACKS
     Making It Easier to Hack Into Someone Else’s Website
  2. AGENDA
     • Introduction
     • WordPress Security Myths
     • Blacklisting
     • Security Flaws With Default Installation
     • Threats and Counter-Threats
     • Backup
     • Additional Security
     • Conclusions
  3. INTRODUCTION
     • 40 Years Experience in Aerospace
       – Most of it in marketing
     • Independent Since 2009
     • Added Website Creation Using WordPress in 2011
       – Main selling feature is self-maintenance
     • Became Concerned With Security in 2012
       – Client’s site was hacked
  4. WORDPRESS SECURITY MYTHS
     • My Site Is Too Small or Insignificant
       – Any site is a target
       – Link building
       – Spam distribution
     • WordPress Is Already Secure
       – Yes, but you can’t leave the front door open
     • The “White Screen of Death” Is the Worst That You Can See
  5. THE WORST THAT YOU CAN SEE
  6. BLACKLISTING
     • Problem
       – Google blocks access to your site
       – Removed from search engine listing
     • Resolution
       – Fix the hack
       – Report the fix to Google
       – Wait for Google to lift the ban
  7. SECURING A WORDPRESS SITE
     • Risk Cannot Be Eliminated, Only Reduced
     • Starts With the Installation
     • Easiest to Do Before Content Is Added
  8. SECURITY FLAWS WITH DEFAULT INSTALL
     • Most Attacks Are Based on the Assumption That Defaults Were Accepted
     • Threat and Counter Examples Based On:
       – Manual install with all defaults
       – One user: “admin”, password: “admin123”
       – “Pretty” permalinks turned on
       – Counters manually applied
     • Automated “1-Click” Installers Are Starting to Allow Customization
  9. DEFAULT TABLE PREFIX
     • Default WordPress Table Prefix Is “wp_”
       – Exploited by advanced “SQL Injection” attacks
       – WP internal hardening improving
       – .htaccess techniques help (beyond today’s scope)
     • Change It by Editing the “wp-config.php” File
       – Must be done before any content is added
       – Use “phpMyAdmin” to delete the old tables
       – Use iThemes Security to change the prefix after content is added
  10. DEFAULT CONTENT FOLDER
     • Default of “wp-content” Can Be Exploited
     • iThemes Security Can Change It
     • Breaks Lots and Lots of Plugins
       – “wp-content” hard coded
       – Should use “content_url()”
     • Not Worth the Trouble
  11. DEFAULT ADMIN NAME
     • “admin” Is the Default Username for the Administrator
       – Hacker only needs to guess the password
       – Automated tools make guessing easy
     • Changing the Administrator Username Closes the Front Door, But Doesn’t Lock It
       – WordPress can easily expose the admin’s username
         • Click on a post author name and check the URL
         • www.site.com/?author=1 (or 2 or 3, etc.)
         • Confirm by trying to log in
  12. DEFAULT ADMIN NAME (CONT’D)
     • Accept the Default Name But Use a Secondary Email
     • User Table Is Auto-Indexed
       – 1, 2, 3, etc.
     • Set the Next Index To, Say, 145
       – phpMyAdmin
         • ALTER TABLE `wp_users` AUTO_INCREMENT = 145
       – SQL Executioner
         • ALTER TABLE $users AUTO_INCREMENT = 145
     • Create a New, Real User
     • Log In as the Real User
       – Delete the first user
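A must-use plugin that closes the username exposure slides 11 and 12 describe, added here as an example and not part of Mike Venables’ deck or of any plugin it lists. It assumes a stock WordPress install with a writable wp-content/mu-plugins/ directory; the file name is my own, and the REST route part goes beyond the slides (that endpoint only exists since WordPress 4.7).

```php
<?php
/*
 * Plugin Name: Block Author Enumeration (added example, not from the slides)
 * Save as wp-content/mu-plugins/block-author-enumeration.php; mu-plugins load
 * automatically and cannot be switched off from the dashboard.
 */

// Slide 11: /?author=1 is normally answered by redirect_canonical() with a
// 301 to /author/<user_nicename>/, and the nicename is the login name by
// default. Refuse the numeric form on the public site before that redirect.
add_action( 'init', function () {
    if ( is_admin() ) {
        return; // the dashboard's own user and post lists filter by author ID
    }
    if ( isset( $_GET['author'] )
        && is_string( $_GET['author'] )
        && ctype_digit( $_GET['author'] ) ) {
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
} );

// Beyond the slides: since WordPress 4.7 the REST API lists users (with their
// slugs) at /wp-json/wp/v2/users for anonymous visitors. Drop those routes
// unless the requester is logged in, so the post editor keeps working.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

Slide 12’s high AUTO_INCREMENT only makes the ID harder to guess; this removes the numeric lookup altogether. The author link on posts still uses user_nicename, which defaults to the login name, so give the real user a nicename that differs from the login.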
  13. DISABLE FILE EDITING FROM DASHBOARD
     • Bad Practice for Anyone to Edit Files From the Dashboard
       – No undo
       – No configuration control
     • Edit wp-config.php
     • Add
       – define('DISALLOW_FILE_EDIT', true);
       – Semi-colon important
  14. WORDFENCE
     • Over 1,700,000 Downloads
     • Masks Username on Login
     • Enforces Strong Passwords
     • Alerts for Core, Theme and Plugin Updates
     • Scans Files for Unauthorized Changes
     • Locks Out Repeated Failed Login Attempts
     • Monitors DNS Settings
     • Etc.
     • Has a Performance-Enhancing Cache Built In
  15. BACKWPUP
     • Over 1,260,000 Downloads
     • Fully Configurable
       – Schedule multiple jobs
     • Different Backup Locations
       – Email, folder (not within the WP folder), FTP, Dropbox, etc.
     • Requires FTP and phpMyAdmin Access for Restores
     • Vaultpress.com (Paid) Provides 1-Click Restores
  16. ADDITIONAL SECURITY
     • Restrict Logins to One IP
       – Effective, but limits flexibility
     • Two-Factor Authentication
       – Duo Security (free plugin)
       – Links to an account at duosecurity.com
       – Free for <= 10 users, otherwise $1/user/month
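One way to implement the slide’s one-IP login restriction as a must-use plugin, added here as an example and not from the deck or the plugins it lists. It assumes the web server fills REMOTE_ADDR with the real client address (no CDN or reverse proxy in front); the allowlisted address is a constructed placeholder and the function names are my own. The XML-RPC line goes beyond the slide.

```php
<?php
/*
 * Plugin Name: Restrict Login to Allowed IPs (added example, not from the slides)
 * Save as wp-content/mu-plugins/restrict-login-ip.php.
 */

// Constructed placeholder; replace with the address(es) you log in from.
function trilink_login_allowlist() {
    return array( '203.0.113.10' );
}

// REMOTE_ADDR comes from the TCP connection itself. Headers such as
// X-Forwarded-For are supplied by the client and trivially faked, so they are
// deliberately not consulted unless a trusted proxy overwrites them.
function trilink_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// login_init fires for every wp-login.php request (login, lost password,
// logout) before any credentials are checked, so a denied client never
// reaches the password prompt at all.
add_action( 'login_init', function () {
    if ( ! in_array( trilink_client_ip(), trilink_login_allowlist(), true ) ) {
        wp_die(
            'Logging in is not permitted from this address.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
} );

// Beyond the slide: xmlrpc.php also accepts a username and password and never
// passes through wp-login.php, so block the authenticated XML-RPC methods too.
// This may also affect Jetpack and the mobile apps, which use XML-RPC.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address and every visitor matches or fails together; solve that at the proxy or web-server layer rather than by trusting a forwarded header here. The match is an exact string, which is what makes it effective but inflexible, as the slide says.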
  17. WHITE LABEL CMS
     • Rebrand WordPress
       – Dashboard
       – Logos
       – Login logo
     • Control Access to “Advanced” Functions
       – Dependent on user level
  18. TIDY UP
     • Delete All Themes Except:
       – The one in use (and its parent, if it’s a child theme)
       – The default theme (currently Twenty Fourteen)
     • Delete Unneeded Plugins
       – Especially SQL Executioner
  19. ONGOING SECURITY
     • Keep Your Installation Up to Date
       – WP core
       – Themes
       – Plugins
     • Wordfence Can Send Alerts
       – Updates
       – Modified files
       – Repeated failed login attempts
  20. TOOLS USED
     • Editor
       – Komodo (free)
     • FTP
       – FileZilla (free)
     • Plugins (all free)
       – Wordfence
       – BackWPup
       – SQL Executioner
       – iThemes Security
       – Duo Security
       – White Label CMS
  21. IF YOU DO ONLY 1 THING…
     • According to Sucuri
       – 85% of WP sites use `admin` as the username
       – Top 3 passwords
         • `password` – 14%
         • `admin` – 10%
         • `123456` – 6%
     • Change the `admin` Username
     • Use Strong Passwords
  22. CONCLUSIONS
     • Risk Is Low But Real
     • Risk Reduction Is Easy
       – 80% protection with 20% of the work
     • Strong Passwords
     • Backup
     • Backup
     • Backup
  23. CONTACT INFO
     • Mike Venables
     • TriLink Technologies Group Inc.
     • +1 (613) 204-2413
     • mikeve@TriLink.aero
     • www.TriLink.aero
     • Slides:
       – http://www.slideshare.net/mikevens/hardening-you-wordpress-website
