WordPress Security Best Practices

Wil Brown
@DeveloperWil
zeropointdevelopment.com for WordPress Sydney
Best Practices
2016 Update

• Use complex usernames & passwords
• Check file permissions have minimum access
• Update software often & regularly
• Use security firewalls & scan regularly
• Consider using 2-factor authentication
• Stick to reputable theme providers
• Uninstall unused code/themes/plugins
• Lock all doors, windows & switch off Internet!
@DeveloperWil #wpsyd

There is always a current threat
The worst type of threats are those you don’t
know about
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
The Art of War - Sun Tzu ~512BC
http://www.classicly.com/read-the-art-of-war-online-free/page/1
SO BE PREPARED

Got the T-Shirt

Locked away in a deep dark basement
No internet connection
No user interaction
= Pretty useless website
= There is a balance to be had

Everything is Hackable
Best we can do is make our site less attractive
than others to hack into.
Would you attempt to break into this car?

The most vulnerable part of your
website is…
YOU
Read this book!

Not just WordPress
cPanel, email, FTP, SSH, MySQL, WordPress
Avoid typical “Administrator” usernames
admin, administrator, root, manager, debug, user,
system, default, netman, superuser, guest, backup,
sys, sysadmin, siteadmin, test, …

No personal information such as DoB
e.g. bob1976 
No footie clubs, car regos, pet or family names
Use a random 16 (at least) character password
UPPER, lower, digits, punctuation
e.g. b9G#Z4YVemTN^X6S

Random character passwords
= difficult for you to remember 
= difficult for hackers to guess 
Use a password service such as LastPass
Local 256-bit encryption, SSL data transfer,
2-factor authentication
https://lastpass.com

Consider forcing users to have a strong
password
Force Strong Passwords plugin.
http://wordpress.org/plugins/force-strong-
passwords/
Gives more flexibility than built-in WordPress

Only allow one login per device.
Restrict logins under same username on
multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin
http://wordpress.org/plugins/wp-bouncer/

Change the default WordPress salt keys in wp-
config.php
WordPress uses cookies to store session
information. These are hashed with MD5 + salt
keys in the wp-config.php file
https://api.wordpress.org/secret-key/1.1/salt/

Restrict the number of users with the
Administrator role.
You do need at lease 1 Admin user – do you
need any more than that?
Editor role is sufficient for somebody to manage
90% of all the site’s day-to-day content.

Understanding Linux file permissions is key

In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may recommend you
set /wp-content/uploads to 777
Move to another hosting company!

Probably your three most important sys files are:
.htaccess (Apache) or nginx.conf (nginx)
= permalinks, redirects, etc
This should be locked down to CHMOD 444
php.ini
= PHP settings
wp-config.php
= WordPress DB username & pass
These should be locked down to CHMOD 440

Malware can be hidden in Themes, Plugins &
other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $89.99 /site /year

Update WordPress Core, Themes and Plugins
regularly = at least weekly
ManageWP service good for multiple sites
https://managewp.com

Automatic Updates are in WordPress core for
point releases only by default
More control = “Automatic Updater” plugin
http://wordpress.org/plugins/automatic-updater/
Choose to update Core, Themes and/or Plugins

Especially “free” themes and torrents
– Very common to “insert” links into footer areas
– Code can read your wp-config.php file and
email/send it elsewhere = you’re screwed
– Don’t use themes or plugins from Torrent sites!
– Always try to download from original source
Read: http://premium.wpmudev.org/blog/free-wordpress-
themes-ultimate-guide/

Search through files for:
Base64_decode edoced_46esaB and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker
http://wordpress.org/plugins/tac/
Exploit Scanner
http://wordpress.org/plugins/exploit-scanner/

Not all Base64_decode function calls are evil
WordPress uses the function extensively
throughout the core.
Should be easy to decode and work out if good
or bad in plugins or themes.

Popular image/thumbnail resizing script
Bundled in many themes and plugins
Responsible for many WordPress security
breaches
“The ability for a site visitor to load content from a
remote website and to make the web server write that
remote content to a web accessible directory is the
cause of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

Script was “fixed” of exploits however old
versions still lurk out there.
Search for TimThumb and check you are using
the “fixed” version 2.8.14
https://code.google.com/p/timthumb/

The nature of TimThumb still makes it
potentially very dangerous to have on your site.
TimThumb is no longer supported or maintained
as of Sept 2014
http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
Read this: http://www.limecanvas.com/timthumb-is-evil/

Won’t make your site “secure” from hacks
Will encrypt the data transmitted between
computer and server
More on SSL certificates at
http://www.symantec.com/en/au/ssl-certificates

If you have an SSL certificate..
Force all Dashboard and Logins to use HTTPS
In wp-config.php
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

Gives additional level of security.
WordFence plugin is recommended:
http://www.wordfence.com/
Scans for…
malware, TimThumb, differences in core/plugin/theme files from
repository, new available updates, login limiter, force strong passwords,
trojans, SQL injection, DNS changes, files outside WordPress folder, hide
login errors, prevent creating ‘admin’ user, country blocking*, cell phone
sign-in*, advanced scheduled scans*
*premium functions

Brute force attacks try to repeatedly guess
username & password.
Block IP address after X number of login
attempts within a period.
Limit Login Attempts plugin
http://wordpress.org/plugins/limit-login-attempts/

Don’t give the hackers a
helping hand
Remove that info!
Add this to functions.php
add_filter(‘login_errors', '__return_null');

There is NO EXCUSE not to back up your entire
site frequently (real-time, hourly, daily, weekly).
Back up to email http://wordpress.org/plugins/wponlinebackup/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy http://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency.
Can you restore from an issue that’s been happening for 2
months?
Check your backup files – do a test restore!

Using another device to generate an
authentication code e.g. Mobile phone app
Verification code + login = 2 factor auth
Google Authenticator
http://wordpress.org/plugins/google-authenticator/

WordPress stores user passwords in the database
as salted MD5 hashes using Portable PHP
password hashing framework
e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP.
Passwords themselves are not stored in the DB
Password can be replaced in DB with MD5 hash.
After login it’s replaced by a salted MD5 hash.
PASSWORD TYPE
PASSWORD HASH

MD5 hash designed for high volume, not security.
“collision resistance” ~264 MD5 has been broken
but not resistance to preimages or second-
preimages.
MD5 + salts still poor choice as it’s designed to be
fast. Modern GPUs generate billions of candidate
passwords per second i.e. brute force
Ref: https://en.wikipedia.org/wiki/MD5
Ref: https://en.wikipedia.org/wiki/Collision_attack
Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996

Bcrypt is an adaptive hashing algorithm.
Bcrypt intentionally takes a relatively long time to
be calculated; over time, the iteration count can
be increased to make it even slower.
This is done intentionally to resist brute force
attacks as computational power increases.
Ref: https://en.wikipedia.org/wiki/Bcrypt

Plugin: https://roots.io/plugins/bcrypt-password/
Note: requires PHP >= 5.5.0
Ref: https://en.wikipedia.org/wiki/Bcrypt

Is two factor authentication
not enough for you?
Biometric authentication uses part of our own
body as the second verification part.
This is going to be the normal way of
authenticating with systems in the not so distant
future.

VoxedIn is a Smartphone app that lets you log in
to your WordPress site using voice biometrics.
http://wordpress.org/plugins/voxedin/

Move the wp-content folder to a new location.
Add the following into wp-config.php before the
line: /* That's all, stop editing! Happy blogging. */
define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');
define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes
may have hard-coded wp-content location.

Use .htaccess to protect your wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can access the wp-config.php file now
except for the web server owner.

Use .htaccess to stop SQL Injection attacks
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any requests or changes to global variables
containing <script> gets blocked.

Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing
Options –Indexes

Password protect wp-admin folder using cPanel
and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-
admin-wp-admin-directory/

Remove the WordPress dashboard Editor for
themes and plugins
Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);

Default MySQL DB table prefix is wp_
Change before installing new WordPress sites.
Add to wp-config.php
$table_prefix = ‘mynewprefix_';
Existing websites – use WP Security Scan
http://wordpress.org/plugins/wp-security-scan/

Monitor who does what on your WordPress site.
Stream: http://wp-stream.com/

Using .htaccess
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login

Add to wp-config.php:
define('WP_ADMIN_DIR', 'secret-folder');
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
Add to functions.php:
add_filter(‘site_url', ‘lc_wpadmin_filter', 10, 3);
function lc_wpadmin_filter( $url, $path, $orig_scheme ) {
$old = array( "/(wp-admin)/");
$admin_dir = WP_ADMIN_DIR;
$new = array($admin_dir);
return preg_replace( $old, $new, $url, 1);
}

Add to .htaccess:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/

Known as DoS or DDoS (distributed).
Consider using CloudFlare.
Attack Without CloudFlare Attack With CloudFlare

[Cover] zeropointdevelopment.com
[4] zeropointdevelopment.com
[5] activerain.com
[6] mybroadband.co.za
[7] wired.com
[15] zzee.com
[15] acm.uiuc.edu
[15] danielmiessler.com
[19] managewp.com
[22] wordpress.org
[27] promptwebhosting.com.au
[31] bestwpthemez.com
[33] blog.eternalvigilance.me
[34] mobyware.ru
[38] roots.io
[39] ibmsystemsmag.com
[40] disruptive.io
[44] gobalakrishnan.com
[45] trickytechs.com
[45] wpbeginner.com
[46] zeropointdevelopment.com
[48] wp-stream.com
[52] cloudflare.com
[Back Cover] zeropointdevelopment.com

 20+ years in IT: Dev & SysOps
 WordPress Developer since 2008
 Plugins, APIs, Security & Systems Integrations
 Organiser WPSyd & WordCamp Sydney
zeropointdevelopment.com
@DeveloperWil
♥ Pizza & Craft Beer

@DeveloperWil

WordPress Security Best Practices

More Related Content

What's hot

Viewers also liked

Similar to WordPress Security Best Practices

Recently uploaded

WordPress Security Best Practices