
WordPress Security 101 - Meetup Nairobi March 2020

Nairobi WordPress Meetup March 2020: some general thoughts about WordPress Security and demoing of iThemes Security

Published in: Internet

  1. WordPress Security 101, WordPress Meetup Nairobi, March 2020
  2. About Me • Stefan Kremer • @stkjj • stefan@adminpress.de • https://profiles.w.org/stk_jj • 14 years of WordPress experience • contributor • freelance IT consultant, mainly WordPress, Mac, CTI • owner of AdminPress (de) and KeDe Digital LLP (ke)
  3. .com or .org? • wpisnotwp.com • wordpress.com is a hosted service from Automattic: security is covered by them, and you have no influence on the installation
  4. Is it about me? • just a small private blog • content which doesn't harm anyone • not much outreach either • negligible audience • no financial interest
  6. Content is King? Not to an attacker: your content is worth nothing to them, what they want is • computational power (CPU) • disk space • bandwidth • sendmail for spam
  7. Y U d0n't want 2 B h4cked • you lose reputation • your sales are affected • you spend money on others' behalf • you just feel bad!
  8. CMS? No prob!
  9. CMS? No prob! • CVE hit list
  10. CMS? No prob! • CVE hit list • (32) Joomla: 382 • (37) WordPress: 342 • (39) Drupal: 300 • no entry ≠ secure, just not yet exposed
  11. WordPress Security • often referred to as "insecure" • core vs. 3rd party vs. operation • large community that takes care • WordPress security team • [chart: Core 11%, Plugins 52%, Themes 37%]
  12. Attack Vectors • brute-force attacks • "default" usernames • weak passwords • XSS (cross-site scripting) / SQL injection • bad coding • old and outdated installations
  13. User Name • »admin« was the default until v3.0 • part of the domain name • common: e-mail address like »info@…« • best practice: 1 admin account, 1 user account • make sure user names are not accessible
  14. Password No-Gos! • anything that can be found in dictionaries • social hacking • keyboard runs and sequences • recycled passwords • password lists in Word/Excel/Evernote
  15. Headache? Sore fingers? ➡ Password manager!
  16. Defense Strategy ➡ strong passwords ➡ disable/tweak login messages ➡ lockout after x malicious attempts for time y ➡ IP blacklisting ➡ disable XML-RPC if not needed ➡ restrict REST API access ➡ consider geoblocking where feasible
  17. Update, Update, Update! • auto-update for minor core updates ✅ • update plugins and themes ASAP ⏰ • critical infrastructure: have a staging system 🎭 • check functionality after an update 🚀 • premium: renew your subscriptions 💸
  18. wp.org Stuff Only! • use themes and plugins from the wp.org repo only • avoid "premium" plugins and themes • never ever use doubtful sources
  19. Remove Unused Stuff • uninstall themes and plugins not actively used • keep the most recent default theme as a fallback • disabled plugins are still accessible 🚫
  20. Monitoring • server up and running • malicious login attempts • 404s • changed/added/deleted files • user actions • malware detection • changes in the UI after updates
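Two of the Monitoring slide's items, "malicious login attempts" and "404s", can be read straight out of the web server's access log. The script below is an added example, not code from the slides or from any of the plugins mentioned: it assumes the Apache/nginx "combined" log format and counts per log file rather than per time window (a real job would run it on a rotated log or a tail). The log lines are constructed with documentation IP ranges; the thresholds are illustrative.

```shell
#!/bin/sh
# Added example (not from the slide deck): flag brute-force login traffic and
# 404 scanning in a "combined" format access log. Thresholds are illustrative
# and count per file, not per time window.

LOGIN_THRESHOLD=${LOGIN_THRESHOLD:-5}
NOTFOUND_THRESHOLD=${NOTFOUND_THRESHOLD:-3}

# Constructed sample log (documentation IP ranges, fictitious timestamps).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2020:20:01:01 +0300] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:20:01:02 +0300] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:20:01:03 +0300] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:20:01:04 +0300] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:20:01:05 +0300] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:20:01:06 +0300] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:20:01:07 +0300] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:20:02:10 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:20:02:11 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:20:03:00 +0300] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:20:03:05 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:20:04:00 +0300] "GET /old-site/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:20:04:01 +0300] "GET /test.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:20:04:02 +0300] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:20:05:00 +0300] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

# flag_login_abuse <threshold>   (log on stdin)
# Prints "<count> <ip> <endpoint>" for every IP that POSTs to wp-login.php or
# xmlrpc.php at least <threshold> times, busiest first. In combined format
# $1 is the client IP, $6 the quoted method and $7 the request path.
flag_login_abuse() {
    awk -v t="$1" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
            split($7, p, "?")          # drop the query string
            n[$1 " " p[1]]++
        }
        END { for (k in n) if (n[k] >= t) print n[k], k }
    ' | sort -rn
}

# flag_404_scanners <threshold>   (log on stdin)
# Prints "<count> <ip>" for every IP that collected at least <threshold> 404s;
# $9 is the response status in combined format.
flag_404_scanners() {
    awk -v t="$1" '
        $9 == 404 { n[$1]++ }
        END { for (k in n) if (n[k] >= t) print n[k], k }
    ' | sort -rn
}

echo "== login abuse (>= $LOGIN_THRESHOLD POSTs to login endpoints) =="
sample_log | flag_login_abuse "$LOGIN_THRESHOLD"
echo "== 404 scanners (>= $NOTFOUND_THRESHOLD not-found responses) =="
sample_log | flag_404_scanners "$NOTFOUND_THRESHOLD"
```

On a live server replace `sample_log` with `cat /var/log/nginx/access.log` (or the Apache equivalent); the output is what a lockout rule (slide 16) or an IP blacklist entry would be based on, and the 404 list is usually the first sign of someone probing for leftover files.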
  21. Raise the Barrier • get a free SSL certificate from Let's Encrypt • Multi-Factor Authentication (MFA) • very simple: via e-mail • more sophisticated: Google Authenticator, Duo, Rublon • extra hardware: YubiKey, FIDO U2F
  22. Security Foo
  23. Security Foo • randomize the version number • change the db prefix • rename the /wp-content folder • hide the login window • hide WordPress altogether
  24. Let's Get the Complete Picture • how secure is your local client? • keylogger • do you still use FTP? • change to SFTP or FTPS (SSL/TLS)! • passwords submitted via e-mail? • e-mail is without encryption = postcard
  25. Backup • you don't want to have a backup, ➡ you want to have a restore! • timed & regular, automatic, off-site • both database and files • practice the restore 🚒 🚨
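The Backup slide's point is that an archive is only worth something once a restore has been practised, and the Monitoring slide asks for "changed/added/deleted files". Both rest on the same primitive, a checksum manifest of the site tree, so one added example covers both. This is example code written for this page, not the slides' or any plugin's code: it assumes a POSIX shell with tar and either sha256sum or shasum, builds a constructed stand-in for a site directory, and leaves the database dump (which belongs next to the file archive, e.g. from mysqldump) out of scope.

```shell
#!/bin/sh
# Added example (not from the slide deck): file backup with a checksum manifest,
# a practice restore into a scratch directory, and the same manifest reused as a
# file-integrity check. The site tree below is constructed; the database dump
# that belongs alongside it is not shown.

# hash_file <path>: "hash  path" with whichever SHA-256 tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# make_manifest <dir>: sorted "hash  ./relative/path" lines for every regular file.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

# backup_files <site-dir> <archive.tar.gz> <manifest>: record the manifest and
# archive the tree at the same moment, so the manifest describes the archive.
backup_files() {
    make_manifest "$1" > "$3"
    tar -czf "$2" -C "$1" .
}

# check_integrity <dir> <manifest>: returns 0 if the tree still matches the
# manifest; otherwise prints the changed, added or removed entries and returns 1.
check_integrity() {
    make_manifest "$1" | diff "$2" -
}

# practice_restore <archive.tar.gz> <manifest>: restore into a scratch directory
# and verify it against the manifest; 0 only when the restore is complete.
practice_restore() {
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch" && check_integrity "$scratch" "$2"
    status=$?
    rm -rf "$scratch"
    return $status
}

# Constructed stand-in for a WordPress tree (real sites are much larger).
WORK=$(mktemp -d)
SITE=$WORK/site
BACKUP_DIR=$WORK/backups
mkdir -p "$SITE/wp-content/plugins/hello" "$SITE/wp-content/uploads/2020/03" "$BACKUP_DIR"
printf '<?php // constructed wp-config stand-in\n' > "$SITE/wp-config.php"
printf '<?php // constructed plugin stand-in\n' > "$SITE/wp-content/plugins/hello/hello.php"
printf 'not really a jpeg\n' > "$SITE/wp-content/uploads/2020/03/photo.jpg"

ARCHIVE=$BACKUP_DIR/files-2020-03-10.tar.gz
MANIFEST=$BACKUP_DIR/files-2020-03-10.sha256
backup_files "$SITE" "$ARCHIVE" "$MANIFEST"

if practice_restore "$ARCHIVE" "$MANIFEST"; then
    echo "practice restore OK: $ARCHIVE restores to exactly what was backed up"
else
    echo "practice restore FAILED, the backup is not a restore"
fi
```

Run `check_integrity "$SITE" "$MANIFEST"` from cron against the manifest of the last good backup and mail the diff: a line beginning with `>` is a file that appeared after the backup, `<` one that vanished, and a pair of both is an edit in place. Off-site copies of the archive and the manifest should travel together.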
  26. Recommendations 🔒 harden your installation ✅ update, update, update ⓦ use themes and plugins from the wp.org repo only 🚫 remove unused plugins and themes 🔭 monitor your site(s) 🚨 have a backup
  27. In detail • choose the right hoster • limit access rights • have an SSL certificate • disable the file editor
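Several of the hardening items on the Security Foo and In detail slides (change the db prefix, disable the file editor, use SSL) end up as lines in wp-config.php, so they can be audited without touching the site. The script below is an added example for this page, not code from the slides or from iThemes Security or any other plugin: it greps a wp-config.php for the default `wp_` table prefix, for `DISALLOW_FILE_EDIT` and `FORCE_SSL_ADMIN` (both real WordPress constants), and for the placeholder secret keys that ship in wp-config-sample.php. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slide deck): read-only hardening audit of a
# wp-config.php. The sample configs below are constructed.

# audit_wp_config <path-to-wp-config.php>: prints one line per finding.
audit_wp_config() {
    cfg=$1
    # Security Foo slide: change the db prefix
    if grep -Eq '^\$table_prefix *= *.wp_. *;' "$cfg"; then
        echo "default table prefix 'wp_' still in use (change the db prefix)"
    fi
    # In detail slide: disable the file editor
    if ! grep -Eq 'define\( *.DISALLOW_FILE_EDIT. *, *true *\)' "$cfg"; then
        echo "DISALLOW_FILE_EDIT not set: the theme/plugin file editor is reachable from wp-admin"
    fi
    # In detail slide: have an SSL certificate (and make the admin area use it)
    if ! grep -Eq 'define\( *.FORCE_SSL_ADMIN. *, *true *\)' "$cfg"; then
        echo "FORCE_SSL_ADMIN not set: logins and wp-admin are not forced over HTTPS"
    fi
    # wp-config-sample.php ships with this placeholder in every AUTH_KEY/SALT line
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "placeholder secret keys/salts found (regenerate AUTH_KEY and the other keys)"
    fi
}

# count_findings <path>: number of findings, handy as a gate in a deploy script.
count_findings() {
    audit_wp_config "$1" | awk 'END { print NR }'
}

# Constructed samples: a fresh install with defaults, and the same after hardening.
WORKDIR=$(mktemp -d)
WEAK_CFG=$WORKDIR/wp-config-weak.php
HARDENED_CFG=$WORKDIR/wp-config-hardened.php

cat > "$WEAK_CFG" <<'EOF'
<?php
// constructed sample: fresh install with the defaults left in place
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
EOF

cat > "$HARDENED_CFG" <<'EOF'
<?php
// constructed sample: the same install after hardening
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'Xk2(constructed-random-value)9qZ' );
define( 'SECURE_AUTH_KEY',  'p7L(constructed-random-value)3mW' );
$table_prefix = 'nbo2020_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
EOF

for f in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_wp_config "$f"
done
```

Point `audit_wp_config` at the real wp-config.php of each site you look after; the checks are pattern matches, so a constant defined in an unusual way (concatenated strings, an include) will not be recognised and should be verified by hand.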
  28. Various single solutions or an all-in-one suite? • Limit Login Attempts • Login Lockdown • 2-Factor Authentication • Simple Firewall • Edit Author Slug • manual .htaccess entries • iThemes Security • Sucuri • WordFence • Security Ninja • Cerber Security • Bulletproof Security
  29. DEMO
  30. Summary • security is not installing a plugin • security is a continuous process • security should become a habit! • effort vs. benefits? • make or buy
  31. Links • https://wpisnotwp.com • https://en.wikipedia.org/wiki/Hacker_ethic • https://wordpress.org/about/security/ • http://codex.wordpress.org/WordPress_Versions • https://wordpress.org/about/stats/ • http://trends.builtwith.com/cms/WordPress • https://www.cvedetails.com/top-50-vendor-cvssscore-distribution.php • https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress • http://wpengine.com/unmasked/ • https://blog.resellerclub.com/most-common-wordpress-security-issues-in-2019/ • https://ithemes.com/wordpress-security-issues/ • https://hackerone.com/hacktivity?querystring=wordpress • https://sitecheck.sucuri.net • https://onwebchange.com • https://wpscan.org • https://wpvulndb.com • https://letsencrypt.org • https://aws.amazon.com
  32. Links • Login LockDown: https://wordpress.org/plugins/login-lockdown/ • Limit Login Attempts: https://de.wordpress.org/plugins/limit-login-attempts-reloaded/ • Two Factor: https://de.wordpress.org/plugins/two-factor/ • 2-Step-Verification: https://github.com/pluginkollektiv/2-Step-Verification • .htaccess entries: https://gist.github.com/zottto/608a18d109bd22e76aa4 • Edit Author Slug: https://de.wordpress.org/plugins/edit-author-slug/ • All In One WP Security & Firewall: https://de.wordpress.org/plugins/all-in-one-wp-security-and-firewall/ • Security Ninja: https://de.wordpress.org/plugins/security-ninja/ • iThemes Security: https://de.wordpress.org/plugins/better-wp-security/ • Sucuri: https://de.wordpress.org/plugins/sucuri-scanner/ • Wordfence: https://de.wordpress.org/plugins/wordfence/ • Bulletproof Security: https://wordpress.org/plugins/bulletproof-security/ • Cerber Security, Antispam & Malware Scan: https://de.wordpress.org/plugins/wp-cerber/ • Shield Security: https://de.wordpress.org/plugins/wp-simple-firewall/ • Ninja Firewall: https://de.wordpress.org/plugins/ninjafirewall/ • Simple Firewall: http://de.wordpress.org/plugins/wp-simple-firewall/
  33. Q & A
  34. Thank you!
