The document discusses WordPress security best practices. It recommends continuously updating WordPress, plugins, and themes to address vulnerabilities. Additional tips include using strong and unique passwords, monitoring the site for attacks, backups, and raising barriers like multi-factor authentication and SSL certificates. Proper security is an ongoing process of hardening the installation and reducing risks from common attack vectors like brute force attempts.
3. .com or .org?
• wpisnotwp.com
• wordpress.com
  • hosted service from Automattic
  • security covered by them
  • no influence on the installation
4. Is it about me?
• just a small private blog
• content which doesn't harm anyone
• not much outreach either
• negligible audience
• no financial interest
5. Content is King
• computational power (CPU)
• disk space
• bandwidth
• sendmail for spam
nothing
6. Y U d0n't want 2 B h4cked
• you lose reputation
• your sales are affected
• you spend money on others' behalf
• you just feel bad!
7. CMS? No prob!
• CVE-Hitlist
  • (32) Joomla: 382
  • (37) WordPress: 342
  • (39) Drupal: 300
• no entry ≠ secure, just not yet exposed
8. WordPress Security
• often referred to as "insecure"
• core vs. 3rd party vs. operation
• large community that takes care
• WordPress security team
[Chart: origin of WordPress vulnerabilities: Core 11 %, Plugins 52 %, Themes 37 %]
9. Attack Vectors
• brute-force attacks
• „default“ usernames
• weak passwords
• XSS (Cross-Site Scripting) / SQL injection
• bad coding
• old and outdated installations
10. User Name
• »admin« was the default until v3.0
• part of the domain name
• common: the eMail address, like »info@…«
• best practice: 1 admin account, 1 user account
• make sure user names are not accessible
12. Password NoGos!
• anything that can be found in dictionaries
• social hacking
• keyboard runs and sequences
• recycled passwords
• password lists in Word/Excel/Evernote
15. Defense Strategy
➡ strong passwords
➡ disable/tweak login messages
➡ lockout after x malicious attempts for time y
➡ IP-blacklisting
➡ disable XML-RPC if not needed
➡ restrict REST-API access
➡ consider geoblocking where feasible
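The following mu-plugin is an added example, not code from the slides, showing how four of the points above (disable XML-RPC, tweak login messages, lock out after x attempts for time y, restrict REST API access) can be implemented with WordPress' own hooks. The file name, the lh_ prefix and the limits of 5 attempts / 15 minutes are my own choices; everything else uses standard WordPress API (add_filter, transients, WP_Error).

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 *
 * Example mu-plugin for the "Defense Strategy" slide. Not part of the original
 * slides; the lh_ prefix and the limits are assumptions for this example.
 * Drop the file into wp-content/mu-plugins/ to activate it.
 */

// 1. Disable XML-RPC if nothing (Jetpack, mobile app) needs it: it offers a
//    second, password-based login path next to the normal login form.
add_filter('xmlrpc_enabled', '__return_false');

// 2. Tweak the login error so it no longer reveals whether the username
//    exists or only the password was wrong.
add_filter('login_errors', function ($error) {
    return 'Login failed. Please check your credentials.';
});

// 3. Lockout: after LH_MAX_ATTEMPTS failed logins from one address, refuse
//    further attempts for LH_LOCKOUT_SECONDS (the transient expiry is the timer).
define('LH_MAX_ATTEMPTS', 5);
define('LH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

function lh_client_key(): string {
    // Assumes PHP sees the real client address. Behind a reverse proxy,
    // configure the proxy to pass it and trust only that header.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lh_fail_' . md5($ip);
}

add_action('wp_login_failed', function ($username) {
    $key      = lh_client_key();
    $attempts = (int) get_transient($key);   // false => 0 on first failure
    set_transient($key, $attempts + 1, LH_LOCKOUT_SECONDS);
});

// Priority 30 runs after WordPress' own username/password check (priority 20),
// so a locked-out address is refused regardless of the credentials submitted.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_ATTEMPTS) {
        return new WP_Error('lh_locked_out', 'Too many failed attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login resets the counter for that address.
add_action('wp_login', function () {
    delete_transient(lh_client_key());
});

// 4. Restrict the REST API to logged-in users. Caveat: this also blocks
//    legitimate anonymous consumers (headless front ends, embeds); test it on
//    the staging system first.
add_filter('rest_authentication_errors', function ($result) {
    if (!empty($result)) {
        return $result;   // an earlier check already produced an error; keep it
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'REST API restricted.', ['status' => 401]);
    }
    return $result;
});
```

The lockout is keyed on the client address only, which is the simplest form of the "x attempts for time y" rule; an IP-blacklist entry at the web server or firewall is the stronger follow-up once an address keeps hitting the limit.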
16. Update, Update, Update!
• autoupdate for minor core updates ✅
• update plugins and themes ASAP ⏰
• critical infrastructure: have a staging system
• check functionalities after update
• premium: renew your subscriptions
17. wp.org Stuff Only!
• use themes and plugins from wp.org repo only
• avoid "premium" plugins and themes
• never ever use doubtful sources
18. Remove Unused Stuff
• uninstall themes and plugins not actively used
• keep the recent default theme for fallback
• deactivated plugins are still accessible (their files stay on the server)
19. Monitoring
• server up and running
• malicious login attempts
• 404's
• changed/added/deleted files
• user actions
• malware detection
• changes in UI after updates
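The "changed/added/deleted files" bullet is the one item above that can be covered with a few lines of code. The script below is an added example, not from the slides: a minimal file-integrity monitor for a WordPress web root. It hashes every file, stores the result as a baseline, and on later runs reports additions, deletions and modifications. The file name, the fim_ prefix and the skip list for uploads/cache are my own choices.

```php
<?php
/**
 * fim.php: minimal file-integrity monitor. Added example, not from the slides.
 *
 *   php fim.php baseline /var/www/html /var/lib/fim/baseline.json
 *   php fim.php check    /var/www/html /var/lib/fim/baseline.json
 *
 * Keep the baseline outside the web root: a baseline the attacker can edit
 * is no baseline. Run "check" from cron and alert on a non-zero exit code.
 * Requires PHP 8.0+ (str_starts_with).
 */

// Directories whose content legitimately churns. Relative to the web root;
// constructed for this example, adjust to the site.
const FIM_SKIP = ['wp-content/uploads/', 'wp-content/cache/'];

// Walk $root and return a sorted map of relative path => sha256 hex digest.
function fim_scan(string $root): array {
    $root   = rtrim($root, '/');
    $hashes = [];
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach (FIM_SKIP as $prefix) {
            if (str_starts_with($rel, $prefix)) {
                continue 2;
            }
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare two path => hash maps and return the three lists a monitor reports.
function fim_diff(array $baseline, array $current): array {
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($baseline[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'deleted' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

// CLI entry point; skipped when the file is merely included.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === realpath(__FILE__)) {
    [$mode, $root, $store] = array_pad(array_slice($argv, 1), 3, null);
    if (!in_array($mode, ['baseline', 'check'], true) || !$root || !$store) {
        fwrite(STDERR, "usage: php fim.php baseline|check <webroot> <baseline.json>\n");
        exit(2);
    }
    if ($mode === 'baseline') {
        file_put_contents($store, json_encode(fim_scan($root), JSON_PRETTY_PRINT));
        exit(0);
    }
    $baseline = json_decode((string) file_get_contents($store), true) ?: [];
    $report   = fim_diff($baseline, fim_scan($root));
    $findings = 0;
    foreach ($report as $kind => $paths) {
        foreach ($paths as $path) {
            echo strtoupper($kind), "\t", $path, "\n";
            $findings++;
        }
    }
    exit($findings ? 1 : 0);   // non-zero lets cron/monitoring raise an alert
}
```

After every legitimate update (slide 16) the baseline has to be regenerated, otherwise the next check reports the update itself; a findings list that only contains files the update touched is the expected picture, anything in wp-content/plugins or the web root that the update did not touch is not.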
20. Raise the Barrier
• get a free SSL certificate with Let's Encrypt
• Multi-Factor Authentication (MFA)
  • very simple via eMail
  • more sophisticated: Google Authenticator, Duo, Rublon
  • extra hardware: YubiKey, FIDO U2F
21. Security Foo
• randomize the version number
• change the db prefix
• rename the /wp-content folder
• hide the login window
• hide that it is WordPress at all
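Two of the items from the slides above lend themselves to a short example: "randomize the version number" (slide 21) and "make sure user names are not accessible" (slide 10). The mu-plugin below is an added example, not code from the slides; the fr_ prefix is my own, the hooks (wp_generator, script_loader_src, rest_endpoints) are standard WordPress API. As the slide title says, hiding the version is obscurity, not a substitute for updating.

```php
<?php
/**
 * Plugin Name: Footprint Reduction (added example)
 *
 * Example mu-plugin for the "User Name" and "Security Foo" slides. Not part of
 * the original slides; the fr_ prefix is an assumption for this example.
 * Place in wp-content/mu-plugins/. Requires PHP 8.0+ (str_starts_with).
 */

// --- Version number ---------------------------------------------------------
// Drop the generator meta tag / feed generator and strip ?ver=X.Y from the
// URLs of enqueued scripts and styles.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

function fr_strip_version(string $src): string {
    return remove_query_arg('ver', $src);
}
add_filter('style_loader_src', 'fr_strip_version');
add_filter('script_loader_src', 'fr_strip_version');

// --- User names -------------------------------------------------------------
// Author archives resolve a numeric ?author= query to the author's login name
// in the URL. Send anonymous visitors to the home page instead; the admin
// post-list filter (is_admin) keeps working.
add_action('init', function () {
    if (!is_admin() && isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// The REST users endpoint lists authors by login name. Remove it for
// anonymous requests; logged-in users (the block editor needs it) keep it.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (str_starts_with($route, '/wp/v2/users')) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});
```

Two settings belong next to this code rather than in it: give every account a "Display name publicly as" that differs from its login name, so author bylines do not print the login, and keep the 1-admin/1-user split from slide 10 so the name that is exposed is never the one that can install plugins.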
22. Let's Get the Complete Picture
• how secure is your local client?
  • keylogger
• do you still use FTP?
  • change to SFTP or FTPS (SSL/TLS)!
• PW submitted via eMail?
  • eMail is without encryption = postcard
23. Backup
• you don't want to have a backup,
➡ you want to have a restore!
• timed & regular, automatic, off-site
• both database and files
• practice restore
24. Recommendations
• harden your installation
• update, update, update ✅
• use themes and plugins from wp.org repo only
• remove unused plugins and themes
• monitor your site(s)
• have a backup
25. Summary
• Security is not installing a plugin
• Security is a continuous process
• Security should become a habit!
• effort vs. benefits?
• make or buy