The document discusses WordPress security best practices. It recommends continuously updating WordPress, plugins, and themes to address vulnerabilities. Additional tips include using strong and unique passwords, monitoring the site for attacks, backups, and raising barriers like multi-factor authentication and SSL certificates. Proper security is an ongoing process of hardening the installation and reducing risks from common attack vectors like brute force attempts.

1. WordPress
Security 101
WordCamp Nairobi 2019

2. ! @stkjj
! stefan@adminpress.de
https://profiles.w.org/stk_jj
About Me
• Stefan Kremer
• 14 yrs WordPress experience
• Contributor
• freelance IT Consultant,
mainly WordPress, Mac, CTI
• Owner of AdminPress (de)
and KeDe Digital LLP (ke)

3. .com or .org?
• wpisnotwp.com
• wordpress.com
• hosted service from Automattic
• Security covered by them
• no influence on the installation

4. • just a small private blog
• content which doesn't harm anyoine
• even not much outreach
• negligible audience
• no financial interest
Is it about me?

5. Content is King
• computational power (CPU)
• disk space
• bandwidth
• sendmail for spam
nothing

6. Y U d0n't want 2 B h4cked
• you lose reputation
• your sales are affected
• you spend money on others behalf
• you just feel bad!

7. CMS? No prob!
• CVE-Hitlist
• (32) Joomla: 382
• (37) WordPress: 342
• (39) Drupal: 300
• no entry ≠ secure, just not yet exposed

8. WordPress Security
• often referred as "insecure"
• core vs. 3rd party vs. operation
• large community that takes care
• WordPress security team
11 %
52 %
37 %
Core PlugIns Themes

9. • Brute-Force Attacs
• „default“ usernames
• weak passwords
• XSS - Cross Site Scripting / SQL Injections
• bad coding
• old and outdated installations
Attac Vectors

10. • »admin« default til v3.0
• part of the domain-name
• common: eMail-address like »info@…«
• best practice: 1 admin-, 1 user-account
• make sure user names are not accessible
User Name

12. • Anything that can be found in dictionaries
• socialhacking
• keyboard runs and sequences
• recycled passwords
• PW-lists in Word/Excel/Evernote
Password NoGos!

13. Kopfschmerzen? Finger wund?
➡ Passwortmanager!

15. Defense Strategy
➡ strong passwords
➡ disable/tweak login messages
➡ lockout after x malicious attempts for time y
➡ IP-blacklisting
➡ disable XML-RPC if not needed
➡ restrict REST-API access
➡ consider geoblocking where feasible

16. Update, Update, Update!
• autoupdate for minor core updates ✅
• update plugins and themes ASAP ⏰
• critical infrastructure: have a staging system #
• check functionalities after update $
• premium: renew your subscriptions %

17. wp.org Stuff Only!
• use themes and plugins from wp.org repo only
• avoid "premium" plugins and themes
• never ever use doubtful sources

18. Remove Unused Stuff
• uninstall themes and plugins not actively used
• keep the recent default theme for fallback
• disabled plugins are still accessible
&

19. Monitoring
• server up and running
• malicious login attempts
• 404's
• changed/added/deleted files
• user actions
• malware detection
• changes in UI after updates

20. Raise the Barrier
• get a free SSL certificate with Let's Encrypt
• Multi-Factor Authentification (MFA)
• very simple via eMail
• more sophsticted: Google Authenticator, Duo,
Rublon
• extra hardware: UbiKey, Fido U2F

21. • randomize version number
• change db-prefix
• renaming of /wp-content folder
• hide login window
• hide WordPress at all
Security Foo

22. Let's Get the
Complete Picture
• how secure is your local client?
• keylogger
• Do you still use FTP?
• change to SFTP or FTPS (SSL/TLS)!
• PW submitted via eMail?
• eMail is without encryption = postcard

23. Backup
• you don't want to have a backup,
➡ you want to have a restore!
• timed & regular, automatic, off-site
• both database and files
• practice restore
(

24. Recommendations
) harden your installation
✅ update, update, update
use themes and plugins from wp.org repo only
& remove unused plugins and themes
* monitor your site(s)
( have a backup

25. Summary
• Security is not installing a plugin
• Security is a continuous process
• Security should become a habit!
• effort vs. benefits?
• make or buy

26. Links
https://wpisnotwp.com
https://en.wikipedia.org/wiki/Hacker_ethic
https://wordpress.org/about/security/
http://codex.wordpress.org/WordPress_Versions
https://wordpress.org/about/stats/
http://trends.builtwith.com/cms/WordPress
https://www.cvedetails.com/top-50-vendor-
cvssscore-distribution.php
https://cve.mitre.org/cgi-bin/cvekey.cgi?
keyword=wordpress
http://wpengine.com/unmasked/
https://blog.resellerclub.com/most-common-
wordpress-security-issues-in-2019/
https://ithemes.com/wordpress-security-issues/
https://hackerone.com/hacktivity?
querystring=wordpress
https://sitecheck.sucuri.net
https://onwebchange.com
https://wpscan.org
https://wpvulndb.com
https://letsencrypt.org
https://aws.amazon.com
https://github.com/pluginkollektiv/2-Step-
Verification
https://github.com/afragen/github-updater

27. Q & A

28. Thank you!