Download to read offline
More Related Content
Similar to WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020
- 1. WordPress Security 101 WordPress MeetupNairobi March 2020
- 2. ! @stkjj ! stefan@adminpress.de https://profiles.w.org/stk_jj AboutMe • Stefan Kremer • 14 yrs WordPress experience • Contributor • freelance IT Consultant, mainly WordPress, Mac, CTI • Owner of AdminPress (de) and KeDe Digital LLP (ke)
- 3. .com or .org? •wpisnotwp.com • wordpress.com • hosted service from Automattic • Security covered by them • no influence on the installation
- 4. • just asmall private blog • content which doesn't harm anyoine • even not much outreach • negligible audience • no financial interest Is it about me?
- 5. • just asmall private blog • content which doesn't harm anyoine • even not much outreach • negligible audience • no financial interest Is it about me?
- 6. Content is King •computational power (CPU) • disk space • bandwidth • sendmail for spam nothing
- 7. Y U d0n'twant 2 B h4cked • you lose reputation • your sales are affected • you spend money on others behalf • you just feel bad!
- 8.
- 9. CMS? No prob! •CVE-Hitlist
- 10. CMS? No prob! •CVE-Hitlist • (32) Joomla: 382 • (37) WordPress: 342 • (39) Drupal: 300 • no entry ≠ secure, just not yet exposed
- 11. WordPress Security • oftenreferred as "insecure" • core vs. 3rd party vs. operation • large community that takes care • WordPress security team 11% 52% 37% Core PlugIns Themes
- 12. • Brute-Force Attacs •„default“ usernames • weak passwords • XSS - Cross Site Scripting / SQL Injections • bad coding • old and outdated installations Attac Vectors
- 13. • »admin« defaulttil v3.0 • part of the domain-name • common: eMail-address like »info@…« • best practice: 1 admin-, 1 user-account • make sure user names are not accessible User Name
- 15. • Anything thatcan be found in dictionaries • socialhacking • keyboard runs and sequences • recycled passwords • PW-lists in Word/Excel/Evernote Password NoGos!
- 17. Kopfschmerzen? Finger wund? ➡Passwortmanager!
- 18. Defense Strategy ➡ strongpasswords ➡ disable/tweak login messages ➡ lockout after x malicious attempts for time y ➡ IP-blacklisting ➡ disable XML-RPC if not needed ➡ restrict REST-API access ➡ consider geoblocking where feasible
- 19. Update, Update, Update! •autoupdate for minor core updates ✅ • update plugins and themes ASAP ⏰ • critical infrastructure: have a staging system 🎭 • check functionalities after update 🚀 • premium: renew your subscriptions 💸
- 20. wp.org Stuff Only! •use themes and plugins from wp.org repo only • avoid "premium" plugins and themes • never ever use doubtful sources
- 21. Remove Unused Stuff •uninstall themes and plugins not actively used • keep the recent default theme for fallback • disabled plugins are still accessible 🚫
- 22. Monitoring • server upand running • malicious login attempts • 404's • changed/added/deleted files • user actions • malware detection • changes in UI after updates
- 23. Raise the Barrier •get a free SSL certificate with Let's Encrypt • Multi-Factor Authentification (MFA) • very simple via eMail • more sophsticted: Google Authenticator, Duo, Rublon • extra hardware: UbiKey, Fido U2F
- 24.
- 25. • randomize versionnumber • change db-prefix • renaming of /wp-content folder • hide login window • hide WordPress at all Security Foo
- 26. Let's Get the CompletePicture • how secure is your local client? • keylogger • Do you still use FTP? • change to SFTP or FTPS (SSL/TLS)! • PW submitted via eMail? • eMail is without encryption = postcard
- 27. Backup • you don'twant to have a backup, ➡ you want to have a restore! • timed & regular, automatic, off-site • both database and files • practice restore 🚒 🚨
- 28. Recommendations 🔒 harden yourinstallation ✅ update, update, update ⓦ use themes and plugins from wp.org repo only 🚫 remove unused plugins and themes 🔭 monitor your site(s) 🚨 have a backup
- 29. en detail • Chosethe right hoster • Limit access rights • Have a SSL Certificate • Disable FileEditor
- 30. various single solutions orAll-in-one Suite ? • Limit Login Attempts • Login Lockdown • 2-Factor Authentification • Simple Firewall • Edit Author Slug • manuell .htaccess entries • iThemes Security • Sucuri • WordFence • Security Ninja • Cerber Security • Bulletproof Security
- 31.
- 32. Summary • Security isnot installing a plugin • Security is a continuous process • Security should become a habit! • effort vs. benefits? • make or buy
- 33.
- 34. Links Login LockDown https://wordpress.org/plugins/login-lockdown/ Limit LoginAttempts https://de.wordpress.org/plugins/limit-login-attempts- reloaded/ Two Factor https://de.wordpress.org/plugins/two-factor/ 2-Step-Verification https://github.com/pluginkollektiv/2-Step-Verification .htaccess Entries https://gist.github.com/zottto/608a18d109bd22e76aa4 Edit Author Slug https://de.wordpress.org/plugins/edit-author-slug/ All In One WP Security & Firewall https://de.wordpress.org/plugins/all-in-one-wp- security-and-firewall/ Security Ninja: https://de.wordpress.org/plugins/security-ninja/ iThemes Security: https://de.wordpress.org/plugins/ better-wp-security/ Sucuri: https://de.wordpress.org/plugins/sucuri- scanner/ Wordfence: https://de.wordpress.org/plugins/wordfence/ Bulletproof Security https://wordpress.org/plugins/bulletproof-security/ Cerber Security, Antispam & Malware Scan https://de.wordpress.org/plugins/wp-cerber/ Shield Security https://de.wordpress.org/plugins/wp-simple-firewall/ Ninja Firewall https://de.wordpress.org/plugins/ninjafirewall/ Simple Firewall http://de.wordpress.org/plugins/wp-simple-firewall/
- 35.
- 36.