Some insights into WordPress Security at AfricaHackon Conference 2019

1. Security?
Hey, it's only WordPress!
AfricaHackon Conference
August 16th, 2019

2. About Me
❖ Stefan Kremer
❖ 14 yrs WordPress experience
❖ Contributor
❖ freelance IT Consultant,
mainly WordPress, Mac, CTI
❖ Owner of AdminPress (de)
and KeDe Digital LLP (ke)
! @stkjj
! stefan@adminpress.de

3. About WordPress
❖ started as a fork of "B2/cafelog" in 2003 by Matt
Mullenweg as blogging software
❖ Content Management System
❖ 2-tier architecture based on PHP/MySQL
❖ differentiate: WP.org and WP.com !

4. Why this talk?
WordPress can be more than just being a CMS
❖ hacked server can be used to spread malware
❖ critical infrastructure like eCommerce
❖ Portal for other services
❖ other isolated services on same infrastructure

5. ❖ often referred as "insecure"
❖ core vs. 3rd party vs. operation
❖ large community that takes care
❖ WordPress security team
WordPress Security
11 %
52 %
37 %
Core PlugIns Themes

6. Bug Bounty Program
❖ via hackerone.com
❖ ~ $8.000 paid out
❖ range from $25 to $750
❖ double for bugs reported in beta/RC
🐞

7. Policy
❖ responsible disclosure
❖ minor versions are bug- and security fixes
❖ autoupdate for minors
❖ backporting of sec-fixes to 3.7
📜

8. Recommendations

9. 🧠
Some Basics
❖ harden your infrastructure
➡ ServerOS, Apache/Ngnix, PHP, (My)SQL, Fail2Ban
❖ ensure device security
➡ OS, Malware scan, Firewall, encrypt-on-rest
❖ enumerate the common good practices
➡ strong passwords, encrypt-on-transit, use your brain!

10. Recommendations
1. update, update, update
2. use themes and plugins from wp.org repo only
3. remove unused plugins and themes
4. harden your installation
5. monitor your site(s)
6. have a backup

11. 1. Update, Update, Update!
❖ autoupdate for minor core updates ✅
❖ update plugins and themes ASAP ⏰
❖ critical infrastructure: have a staging system 🎭
❖ check functionalities after update 🚀
❖ premium: renew your subscriptions 💸

12. 2. wp.org Stuff Only!
❖ use themes and plugins from wp.org repo only
❖ avoid "premium" plugins and themes
❖ never ever use doubtful sources

13. 3. Remove Unused Stuff
❖ uninstall themes and plugins not actively used
❖ keep the recent default theme for fallback
❖ disabled plugins are still accessible
🚫

14. 4. Harden Your WP
❖ defeat bruteforce attacs
❖ disable XML-RPC
❖ restrict REST-API
❖ disable/tweak login messages
❖ consider geoblocking where feasible
❖ blacklist conspicuous IPs/user-agents/ 🔒🔓

15. 5. Monitoring
❖ server up and running
❖ malicious login attempts
❖ 404's
❖ changed/added/deleted files
❖ user actions
❖ malware detection
❖ changes in UI after updates

16. 6. Backup
❖ you don't want to have a backup,
➡ you want to have a restore!
❖ timed & regular, automatic, off-site
❖ both database and files
❖ practice restore

17. Recommendations
✅ update, update, update
ⓦ use themes and plugins from wp.org repo only
🚫 remove unused plugins and themes
🔒 harden your installation
🔭 monitor your site(s)
🚨 have a backup

18. DEMO

19. https://wpisnotwp.com
https://www.gatsbyjs.org
https://wordpress.org/about/security/
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
https://wpvulndb.com
https://blog.resellerclub.com/most-common-wordpress-security-issues-in-2019/
https://ithemes.com/wordpress-security-issues/
https://hackerone.com/hacktivity?querystring=wordpress
https://sitecheck.sucuri.net
https://onwebchange.com
https://wpscan.org
Links

20. Q & A

21. Thank you!