
WordPress security for everyone


My speech at WordCamp Prague 2015 about WordPress security.


  1. WordPress security for everyone
     Vláďa Smitka, vladimir.smitka@lynt.cz, @smitka, Lynt services s.r.o., http://lynt.cz
  2. Content (27. 5. 2015)
     • Some facts
     • Common attack types
     • Recovery after infection
     • Security chain
     • Security plugins
     „WordPress = Plugins“
  3. The most serious vulnerability
     Question: „What is the most serious WP vulnerability?“
     Answer: „Outdated Slider Revolution.“
     http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
     Version 4.1.4 and lower are vulnerable
     • Probably the most stolen plugin
     • Included in many premium themes (sometimes no chance to update)
     • No auto-update in older versions
     • Easy to detect
  4. 5 + 2 security tips
     • Update
     • Backup
     • Use a security plugin
     • Be careful
     • Delete unnecessary stuff, don't provide sensitive information
     • Update!
     • UPDATE!!!
  5. WordCamp HACK campaign
     • I found more than 400 vulnerable Czech WP sites in an hour
     • I was finding common (and just patched) vulnerabilities in 3 popular plugins
     • I informed creators/owners by mail and invited them to the WordCamp
  6. Who?
     Bots, „Anonymous“ hackers, motivated hackers, script kiddies
     (Photo by Lisa, CC BY-SA 2.0)
  7. How?
     • Vulnerable plugins and themes
     • Brute force on administration
     • Comment spam (+ pingbacks)
     • Password and cookie tapping
     • „Neighbour“ sites on shared hosting
     • Indirect ways – phishing, malware (keylogger, saved FTP password)
     • Vulnerabilities in WP core
  8. Why and What?
     • „Alien“ code
       – Spammy links, adverts, redirection
       – Malware downloading
       – DDoS to other targets
     • Info stealing
       – e.g. personal information of your customers
     • Out of service
       – web/server shutdown (DoS)
  9. Facts
     http://www.akamai.com/stateoftheinternet/
     43% of attacks originate in China. Do I need Chinese traffic? How about blocking the whole of China?
     Block the USA? Rather not (search engines, CDN, …).
     Block everything except the Czech Republic? Definitely not – IP geolocation isn't 100% accurate. Corporate users sometimes connect from a different country (proxy). How about a vacation in a foreign country?
  11. How to block China? – homework
     List of IP addresses: http://www.ip2location.com/blockvisitorsbycountry.aspx
     • iptables
       – Don't use the generated configuration from the previous link – thousands of rules for every packet
       – iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL
       – Advanced: optimization – more chains for different octets
     • .htaccess/nginx
     • mod_geoip
     • Plugins (e.g. Premium Wordfence)
     • HW box (WAF appliance, smarter firewall)
     • Another possibility – redirect to a CAPTCHA instead of blocking
     mod_geoip in Apache (httpd.conf / vhost; Deny is the Apache 2.2-style directive, Apache 2.4 uses Require):
        GeoIPEnable On
        GeoIPDBFile /path/to/GeoIP.dat
        SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
        SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
        Deny from env=BlockCountry
     mod_geoip in .htaccess:
        RewriteEngine On
        RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|RU)$
        RewriteRule ^(.*)$ - [F,L]
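One way to implement the „more chains for different octets“ optimization mentioned under iptables, as an added example that is not from the talk: the generator below turns a country CIDR list into iptables commands with one sub-chain per first octet, so a packet is compared only against the ranges of its own /8. The CIDR list is constructed sample data and the chain name CHINA_WALL is taken from the slide; nothing is applied, the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the talk: generate an iptables country wall with
# one sub-chain per first octet. Nothing is applied; the commands are printed
# so they can be reviewed first (or piped to sh on the firewall host).

# Constructed sample CIDR list; a real one comes from a geolocation provider.
SAMPLE_CIDRS='1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
14.0.12.0/22
14.1.0.0/22
27.8.0.0/13
27.9.0.0/16'

# gen_country_wall CHAIN "CIDR list" -> prints the iptables commands.
# The parent chain holds one dispatch rule per /8; only packets from that /8
# walk the matching sub-chain, so the rules evaluated per packet drop from
# "all ranges" to "ranges inside my /8".
gen_country_wall() {
    printf '%s\n' "$2" | awk -v wall="$1" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            split($0, o, ".")
            if (!(o[1] in seen)) {           # first range of this /8: new sub-chain
                seen[o[1]] = 1
                order[++n] = o[1]
            }
            drops[o[1]] = drops[o[1]] "iptables -A " wall "_" o[1] " -s " $0 " -j DROP\n"
        }
        END {
            print "iptables -N " wall
            for (i = 1; i <= n; i++) {
                oc = order[i]
                print "iptables -N " wall "_" oc
                print "iptables -A " wall " -s " oc ".0.0.0/8 -j " wall "_" oc
                printf "%s", drops[oc]
            }
        }'
}

# Small helpers so the generated rule set can be sanity-checked.
count_drop_rules() { gen_country_wall "$1" "$2" | grep -c -- '-j DROP'; }
count_sub_chains() { gen_country_wall "$1" "$2" | grep -c "^iptables -N ${1}_"; }

gen_country_wall CHINA_WALL "$SAMPLE_CIDRS"
# Hook the wall into INPUT for new TCP connections, as on the slide.
echo 'iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL'
```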
  12. NEW WEB
     NEWS: 1.4.2003 our new web is running!
  13. User development priorities
     Beauty – Must have, right?
     Speed – After launch
     Security – After incident
  14. What happens if…
     • Web is hacked? – Loss of sensitive data, loss of trust, out of service, penalization
     • Web is incredibly slow? – Visitors are annoyed, search engines don't want to index your site
     • There is no cool slider? – Nothing?
  15. Real priorities according to business impacts
     Security, Speed, Beauty
  16. Demo time!
  17. Slider Revolution – LFI
     • Version 4.1.4 and lower
     • Allows downloading any source file
     • Cause: Ajax call registered for all users (privileged/non-privileged)
     • /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
     • Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-slider-revolution-4-1-4
  18. FancyBox for WordPress – XSS
     • Version 3.0.2 and lower
     • Allows including alien JavaScript into all pages
     • Cause: using the admin_init hook without an appropriate privilege check (it is triggered by all requests to the administration – admin-ajax.php, admin-post.php)
     • /wp-admin/admin-ajax.php?page=fancybox-for-wordpress + variable mfbfw[padding]=</script><script>evil code</script>
     • Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-fancybox-for-wordpress-3-0-2
  19. MailPoet – Upload PHP
     • Version 2.6.8 and lower
     • Allows uploading and executing a PHP file
     • Cause: Misuse of admin_init again + use of $_REQUEST in the first patch
     • /wp-admin/admin-post.php?page=wysija_campaigns&action=themeupload + variable my-theme = evil zip file
     • Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-mail-poet-2-6-8
  20. WordPress Video Gallery – SQLi
     • Version 2.7
     • SQL injection – allows getting any data from the database
     • Cause: Insufficient sanitization of user input
     • /wp-admin/admin-ajax.php?action=rss&type=video&vid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 FROM wp_users ;--
     • Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-wordpress-video-gallery-2-7
  21. WordPress 3.9.2 – XSS
     „WordPress version 3.9.2 is safe.“ – Vladimír Smitka, 4th WP community conference, December 2014
     „Secure today != secure tomorrow.“ – Vladimír Smitka, 4th WP community conference, December 2014
     • Allowed HTML tags bypass in comments
     • [<blockquote cite="]">[" onmouseover="alert('evil!'); " style="background-color:red;position:absolute;top:0; left:0;height:100%;width:100%;"][<a href="]>hi there
  22. What might reduce impacts?
     • Turn off PHP processing in /wp-content/uploads – .htaccess in this folder (php_flag works with mod_php only):
          php_flag engine off
       A different option:
          <FilesMatch "\.php$">
            Order allow,deny
            Deny from all
          </FilesMatch>
     • Updates
     • Block requests including „wp-config.php“ – global .htaccess:
          RewriteCond %{QUERY_STRING} wp-config.php
          RewriteRule ^(.*)$ - [F,L]
  23. How do I know that I also use a vulnerable plugin?
     • Read all the news
     • Plugin Vulnerabilities – https://wordpress.org/plugins/plugin-vulnerabilities/
  24. How does the attacker know that you use a vulnerable plugin?
     • He performs reconnaissance
     • WPScan – a very popular tool for it
  25. I was hacked!
  26. Recovery after infection
     • Restoring from a clean backup
       – Delete everything and upload clean data from the backup
     • Reinstall + disinfection by hand – FAR
       – If all PHP files were infected by the same evil code
       – SQL dump examination
       – Try to find <iframe, <script, x-shockwave-flash, eval, base64_decode, gzip_, preg_replace
       – Try to identify the evil ones
     • Malware removal isn't the final solution!
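A scanner for the markers listed under disinfection by hand, added here and not part of the talk: it reports which files contain which marker and separately flags PHP files where eval() and a decoder share one line, the shape most injected loaders take. The sample site it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the talk: scan a site tree for the infection markers
# from slide 26 and single out files where eval() is combined with a decoder
# on the same line. The sample site built by make_demo_tree is constructed.

MARKERS='<iframe
<script
x-shockwave-flash
eval(
base64_decode
gzinflate
gzuncompress
preg_replace'

# scan_markers DIR -> one "file<TAB>marker<TAB>hits" line per marker found
scan_markers() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) | sort |
    while read -r f; do
        printf '%s\n' "$MARKERS" | while read -r m; do
            hits=$(grep -c -F -- "$m" "$f" || true)
            if [ "$hits" -gt 0 ]; then printf '%s\t%s\t%s\n' "$f" "$m" "$hits"; fi
        done
    done
}

# suspicious_files DIR -> distinct files with at least one marker. Several
# markers (preg_replace, eval) are legitimate in WP core and plugins, so this
# is the list to read by hand, not a verdict.
suspicious_files() { scan_markers "$1" | cut -f1 | sort -u; }

# likely_droppers DIR -> PHP files where eval( and a decoder share a line;
# that combination is almost never legitimate and is where to look first.
likely_droppers() {
    find "$1" -type f -name '*.php' -exec grep -l -E \
        'eval[[:space:]]*\(.*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + 2>/dev/null | sort
}

# make_demo_tree -> prints the path of a constructed sample site
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    # legitimate code that still trips a marker (preg_replace)
    printf '%s\n' '<?php' 'function wp_demo($s) { return preg_replace("/a/", "b", $s); }' \
        > "$d/wp-includes/formatting.php"
    # constructed infection: obfuscated loader (decodes to echo "demo";) plus a hidden iframe
    printf '%s\n' '<?php' 'eval(base64_decode("ZWNobyAiZGVtbyI7"));' \
        'echo "<iframe src=\"http://malware.invalid/x\" width=0 height=0></iframe>";' \
        > "$d/wp-content/uploads/image.php"
    printf '%s\n' 'console.log("clean");' > "$d/wp-content/theme.js"
    echo "$d"
}

DEMO=$(make_demo_tree)
echo "Files with markers:"; suspicious_files "$DEMO"
echo "Likely droppers:";    likely_droppers "$DEMO"
rm -rf "$DEMO"
```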
  27. FAR
  28. Checklist
     • Disinfection, eliminate the cause (update)
     • Change FTP password
     • Change DB password
     • Change user passwords
     • New salts: https://api.wordpress.org/secret-key/1.1/salt/
       – WP before 3.1: define('AUTH_SALT', 'put your unique phrase here');
     • Check files by a security plugin (Wordfence, Sucuri Scanner)
  29. Backup
     „Backup is the alpha and omega of computing“
     • By hand – Sometimes I copy everything somewhere. Not ideal but better than nothing.
     • By server – Unattended – ideal situation (ask your webhoster).
     • By plugin – Also a good solution, it can provide some benefits.
  30. Backup plugins
     • BackWPup
       – Only backup – no automatic recovery
       – Backup to more places
       – You can trigger a backup by an external request
     • UpdraftPlus
       – Backup & recovery
       – Only one place (but there is a Pro version available)
     • BackupBuddy
       – Not free
       – Complete solution (migration, per-file recovery, …)
  31. How to backup via plugin
     • External storage is better
     • If local storage:
       – Check that backups aren't accessible from a web browser
       – Check that the folder with backups is excluded from the backup (backup loop)
     • Backup scheduling
       – WP-Cron – in almost all plugins; it is triggered only if there is some traffic (you can check settings via the Crontrol plugin)
       – External trigger – preferred way (server's cron, minicron, cron service e.g. http://www.webcron.org/, https://www.setcronjob.com, https://www.easycron.com)
     • Email notification after backup
  32. Defend ourselves!
  33. Power! (Jeremy Clarkson)
  34. How to improve security by performance?
     • WP Super Cache – prevents (D)DoS attacks which consume all resources – dynamic pages to static
     • Autoptimize – hides „revealing“ JS and CSS – reduces HTTP requests
     • Side effects: faster site, happier visitors, tastier SEO
  35. Security chain
     (chain diagram: Internet → HTTP Server (Apache/Nginx) → PHP, each writing to a log)
     What can affect security?
  36. Cloud
     Cloud security services (WAF) – the attack is blocked before it reaches the server. Block badly behaving IPs, common exploits, DDoS, … Incapsula, Sucuri, CloudFlare
  37. Webhoster
     Security appliance/firewall – some provide another security level, some don't. Reduce DDoS impact, block some kinds of network attacks, etc.
  38. Server
     Firewall, WAF, configuration – block some network attacks, IP addresses (whole ranges, countries). WAF – block exploits (XSS, SQLi, …) – mod_security, naxsi. Restrict file permissions, detect file changes. Backups.
  39. Server – homework
     • Detecting changes in PHP files during the last 24 hours:
          find /srv/htdocs/my_web/ -name '*.php' -type f -mtime -1 > output ; mail -s "Today changes" "vladimir.smitka@lynt.cz" < output
     • Permissions by All In One WP Security:
          root directory        755
          wp-includes/          755
          .htaccess             644
          wp-admin/index.php    644
          wp-admin/js/          755
          wp-content/themes/    755
          wp-content/plugins/   755
          wp-admin/             755
          wp-content/           755
          wp-config.php         644
     • Another country IP list: http://www.iwik.org/ipcountry/
     • Basic mod_security settings for WP: http://blog.erben.sk/2015/02/11/protecting-wordpress-with-mod-security/
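A complement to the find -mtime check above, added here and not part of the talk: a sha256 baseline that also catches files whose modification time was reset and files that were deleted, both of which a modification-time search misses. The sample site and all paths are constructed for the demo; sha256sum (or shasum on macOS) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the talk: complement the slide's find -mtime check
# with a checksum baseline taken after a known-clean update. Comparing digests
# catches injected code even when the attacker copied the old mtime back
# (touch -r) and also reports added and removed PHP files.
# The site under make_demo_site is constructed for this demo.

if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }   # macOS fallback
fi

# recent_php DIR -> PHP files changed in the last 24 hours (the slide's check)
recent_php() { find "$1" -name '*.php' -type f -mtime -1 | sort; }

# make_baseline DIR FILE -> writes "digest  ./relative/path" per PHP file
make_baseline() {
    (cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | sort -k2) > "$2"
}

# report_changes DIR BASELINE -> ADDED / MODIFIED / REMOVED lines, sorted
report_changes() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'NR == FNR { old[$2] = $1; next }               # first file: baseline
         !($2 in old) { print "ADDED\t" $2; next }      # second file: current state
         old[$2] != $1 { print "MODIFIED\t" $2 }
         { delete old[$2] }
         END { for (p in old) print "REMOVED\t" p }' "$2" "$cur" | sort
    rm -f "$cur"
}

# make_demo_site -> prints the path of a constructed sample site whose files
# are dated 2015-01-01, i.e. well outside the 24-hour window
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    printf '%s\n' '<?php' 'define("DB_NAME", "demo");' > "$d/wp-config.php"
    printf '%s\n' '<?php' 'function demo() { return 1; }' > "$d/wp-includes/functions.php"
    printf '%s\n' '<?php' 'echo "old";' > "$d/wp-includes/legacy.php"
    touch -t 201501010000 "$d/wp-config.php" "$d/wp-includes/functions.php" "$d/wp-includes/legacy.php"
    echo "$d"
}

# tamper_demo_site DIR -> simulates an infection that keeps mtimes intact
tamper_demo_site() {
    cp -p "$1/wp-includes/functions.php" "$1/.stamp"            # remember the old mtime
    printf '%s\n' 'eval("demo");' >> "$1/wp-includes/functions.php"
    touch -r "$1/.stamp" "$1/wp-includes/functions.php"           # copy it back: -mtime -1 is blind now
    rm -f "$1/.stamp"
    printf '%s\n' '<?php' 'echo "dropped";' > "$1/wp-content/uploads/x.php"   # new file
    rm -f "$1/wp-includes/legacy.php"                                          # deleted file
}

DEMO=$(make_demo_site)
make_baseline "$DEMO" "$DEMO.baseline"
tamper_demo_site "$DEMO"
echo "find -mtime -1 sees:"; recent_php "$DEMO"
echo "baseline comparison sees:"; report_changes "$DEMO" "$DEMO.baseline"
rm -rf "$DEMO" "$DEMO.baseline"
```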
  40. HTTP Server & PHP
     HTTP server & PHP configuration – site isolation on shared hosting, filtering suspicious URLs, restricting access, HTTPS enforcement, blocking countries (mod_geoip), logging
  41. Log analytics
     Realtime log analytics – if something strange happens you can perform actions. One log record isn't a clue. Logstash, ElasticSearch, Kibana
  42. Realtime log analytics – example
     Something wrong?
  43. Countermeasure
     Actions – block after many logged 404s (scanning), many failed logins, … Ban in firewall, notify. Fail2Ban
  44. Fail2Ban – homework
     • Fail2Ban can replace some functions of security plugins – brute force/404 detection
     • filter.d/wp-auth.conf
          # WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf
          #
          # Block IPs trying to auth wp wordpress
          #
          # Matches e.g.
          # 178.63.72.184 - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
          [Definition]
          failregex = ^<HOST> .* "POST /wp-login.php
          ignoreregex =
     • jail.conf
          [wp-auth]
          enabled  = true
          filter   = wp-auth
          action   = iptables-multiport[name=wp-auth, port="http,https", protocol=tcp]
                     sendmail-whois[name=WPauth, dest=vladimir.smitka@lynt.cz, sendername="Fail2Ban"]
          logpath  = /var/log/wordpress/access.*.log
     • Be careful with logrotate – /usr/bin/fail2ban-client reload wp-auth
     • To log failed WP logins: https://wordpress.org/plugins/wp-fail2ban/
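The filter from the slide replayed over constructed log lines, as an added example that is not from the talk: it lists the IPs the jail would ban at maxretry 3 and shows that the failregex as written also counts successful logins (WordPress answers those with a 302 redirect, while a failed attempt re-renders the form with 200), so a stricter pattern that counts only 200 responses is shown next to it. The 178.63.72.184 line is the slide's own example; the other addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example, not from the talk: replay the slide's fail2ban failregex over
# constructed access-log lines and list the IPs that would reach maxretry.
# The regex as written counts every POST to wp-login.php, including successful
# logins (302), so a real user who logged in three times gets banned too.

DEMO_LOG=$(mktemp)
trap 'rm -f "$DEMO_LOG"' EXIT
# Constructed sample log: first IP is from the slide's example line, the other
# two are documentation addresses (RFC 5737).
cat > "$DEMO_LOG" <<'EOF'
178.63.72.184 - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
178.63.72.184 - - [16/Oct/2014:11:40:51 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
178.63.72.184 - - [16/Oct/2014:11:40:52 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-"
198.51.100.7 - - [16/Oct/2014:08:02:10 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2014:09:15:44 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2014:10:31:02 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Oct/2014:11:42:00 +0200] "GET /wp-login.php HTTP/1.1" 200 1531 "-" "Mozilla/5.0"
EOF

# fail2ban's <HOST> placeholder, expanded here to an IPv4 literal
# (fail2ban itself also accepts hostnames and IPv6).
HOST_RE='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

# The slide's failregex, and a stricter one that only counts 200 responses.
TALK_RE="^$HOST_RE .* \"POST /wp-login.php"
FAILED_RE="^$HOST_RE .* \"POST /wp-login.php[^\"]*\" 200 "

# offenders LOGFILE MAXRETRY REGEX -> IPs with at least MAXRETRY matching lines
# (fail2ban additionally restricts this to a findtime window; omitted here)
offenders() {
    grep -E "$3" "$1" | awk -v max="$2" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] >= max) print ip }' | sort
}

echo "banned with the slide's regex (maxretry 3):"
offenders "$DEMO_LOG" 3 "$TALK_RE"
echo "banned when only failed logins (200) count:"
offenders "$DEMO_LOG" 3 "$FAILED_RE"
```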
  45. WordPress settings
     Good WP settings – everything is updated, well-written plugins, usage of a security plugin (blocks access to administration, scanning attempts, dangerous URLs; monitors files for changes, searches for malware, hides some sensitive data). iThemes Security, All in One WP Security & Firewall, Wordfence
  46. Security plugin
  47. Wordfence
     • Active protection
     • Bot detection, traffic limiting (HTTP 503)
     • Live traffic
     • Scan – files, common infections, blacklists
     • Notifies about updates
     • Cache
     • + Naturally:
       – File change detection
       – Brute force protection
       – 404 limitation
       – Blocking spam in comments
  48. Wordfence – after installation
     Level 2: failed login limits, more notifications
     Level 3: traffic limiting
     Level 4: more traffic limiting, block invalid user names
  49. Wordfence – Live Traffic
  50. Wordfence – change detection
  51. Wordfence – traffic limitation
  52. Wordfence – login security
     Tip: block username discovery via .htaccess:
        RewriteEngine On
        RewriteCond %{QUERY_STRING} author=
        RewriteRule ^(.*)$ http://screw.you? [L,R=301]
  53. Wordfence – other options
  54. Wordfence – other options
  55. Wordfence Premium – country blocking
  56. Wordfence Premium – other
     • Better spam protection
     • Early warning during scan
     • 2-factor authentication via SMS: „Your Wordfence code is ABCDEF.“ – password + space + code
       Better solution: WP Google Authenticator
     • Scan scheduling – more frequent scans, triggered externally
  57. Security plugin
  58. iThemes Security
     • Prevention
     • Hides administration, changes DB prefix
     • Evil URL filter
     • + Naturally:
       – Brute force protection, 404 limitation
       – File change detection
       – Comment spam reduction
  59. iThemes Security – after installation
     One-Click – failed login limit, strong password enforcement, hides some sensitive information
  60. iThemes Security – API Key
  61. iThemes Security – dashboard
  62. iThemes Security – configuration (RED = important settings)
     • Global Settings
       – Write to Files – Allow iThemes Security to write to wp-config.php and .htaccess – if disabled, I can copy the config from the dashboard to the relevant files by hand
       – Lockout White List – set my IP to prevent lockout
       – Log Type – Database Only (small sites, available from administration), File Only (large sites, it can be used in fail2ban)
       – Path to Log Files – set a path outside the web root if possible
     • 404 Detection
       – Enable 404 detection – blocks scanning for vulnerabilities
  63. iThemes Security – configuration
     • Away Mode – e.g. to disable administration outside working hours
     • Banned Users
       – Default Blacklist – Enable HackRepair.com's blacklist feature – adds known badly behaving user-agents to .htaccess
       – Enable Ban Users – ban IPs and user-agents by hand (it is also connected to Enable Blacklist Repeat Offender in Global Settings)
  64. iThemes Security – configuration
     • Brute Force Protection
       – Get your iThemes Brute Force Protection API Key – access to the global IP blacklist by iThemes.com
       – Enable iThemes Brute Force Network Protection – to use the global blacklist
       – Enable local brute force protection – blocks attempts to guess passwords (table _itsec_lockouts in the DB)
       – Automatically ban "admin" user – immediately ban a host that attempts to log in using the "admin" username – a good honeypot trick
  65. iThemes Security – configuration
     • Database Backups
       – Backup Method – Email Only, Save Locally Only – if it is possible to save backup files to a publicly inaccessible folder (Backup Location)
       – Schedule Database Backups – Enable Scheduled Database Backups – automatic backup / by hand on the Backups tab
       – Notice: it really is only a DB backup
     • File Change Detection
       – File Change Detection – Enable File Change Detection
       – Split File Scanning – Split file checking into chunks – consumes less RAM, generates more mails
       – Files and Folders List – exclude the folder containing the cache when you use a caching plugin
     • Hide Login Area
       – Hide Backend – Enable the hide backend feature – redirects /wp-admin to a different URL
       – Login Slug – new address, e.g. admin5547
       – Enable Theme Compatibility – turn on if the redirection caused problems with some plugins
  66. iThemes Security – configuration
     • Malware Scanning
       – Enable Malware Scanning – API key from VirusTotal.com – you can check your homepage against about 60 blacklists (Sucuri SiteCheck, Google Safe Browsing, …)
     • Secure Socket Layers (SSL)
       – Enforce HTTPS for access to the administration – check whether HTTPS is really available before enabling this option
     • Strong Passwords
       – Strong Passwords – Enable strong password enforcement – new passwords must be strong
       – Select Role for Strong Passwords – set to „Editor“ at least (an editor can put JS in comments)
  67. iThemes Security – configuration
     • System Tweaks
       – System Files – Protect System Files – disallows access to sensitive files (readme.html, .htaccess, readme.txt)
       – Suspicious Query Strings – Filter Suspicious Query Strings in the URL – prevents simple SQL injections (be careful with nginx, see the next slides)
       – Long URL Strings – Filter Long URL Strings – blocks very long URLs (over 255 chars) and URLs containing „eval“, „base64“ and „union select“ (like the Block Bad Queries (BBQ) plugin) + you should also add a rule to block URLs containing „wp-config.php“
       – Non-English Characters – Filter Non-English Characters – not good for the Czech environment
       – File Writing Permissions – sets the right permissions for .htaccess and wp-config.php – it is better to do so by hand
       – Uploads – Disable PHP in Uploads
  68. iThemes Security – configuration
     • System Tweaks
       – Generator Meta Tag + Display Random Version – hides the WP version
       – Windows Live Writer Header & EditURI Header – they are rarely used
       – Comment Spam – checks comment origin (your web or wordpress.com), blocks comments from clients without a user-agent
       – File Editor – similar to define('DISALLOW_FILE_EDIT', true); in wp-config.php
       – XML-RPC – "Completely Disable XMLRPC" disables all XML-RPC requests, e.g. trackbacks (if you want to use trackbacks securely, try https://wordpress.org/plugins/simple-trackback-validation-with-topsy-blocker/)
       – Login Error Messages – hides the „wrong password“ notice
       – Force Unique Nickname – prevents users from using the same login and „real“ name
       – Disable Extra User Archives – hides archives of users without posts (e.g. admins)
  69. iThemes Security – advanced
     • Advanced
       – Admin User – tool to change the admin login name
         • The better way is to create a new admin user
         • Log in as that user and delete the old admin user (there will be a form to move content under the new user)
       – Change Content Directory – renames wp-content; may cause some trouble and brings only little benefit (you can see the renamed folder in the HTML source)
       – Change Database Prefix – tool to change the default table prefix wp_ to something else (to prevent some kinds of automated attacks)
  70. iThemes Security – homework
     Suspicious Query Strings in Nginx (as generated by the plugin; quotes and backslashes inside the patterns must be escaped, and the lines marked „bad logic“ reset the flag for every request that does not match, so the filter never fires):
        set $susquery 0;
        if ($args ~* "wp-config.php") { set $susquery 1; }   # + block queries to download wp-config.php
        if ($args ~* "../") { set $susquery 1; }
        if ($args ~* ".(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
        if ($args ~* "etc/passwd") { set $susquery 1; }
        if ($args ~* "boot.ini") { set $susquery 1; }
        if ($args ~* "ftp:") { set $susquery 1; }
        if ($args ~* "http:") { set $susquery 1; }
        if ($args ~* "https:") { set $susquery 1; }
        if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
        if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
        if ($args ~* "base64_encode") { set $susquery 1; }
        if ($args ~* "(%24&x)") { set $susquery 1; }
        if ($args ~* "(\"|'|<|>|\\|{|\||%24&x)") { set $susquery 1; }
        if ($args ~* "(127.0)") { set $susquery 1; }
        if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
        if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
        if ($args !~ "^loggedout=true") { set $susquery 0; }   # <= bad logic, correct: ~*
        if ($args !~ "^action=jetpack-sso") { set $susquery 0; }   # <= bad logic, correct: ~*
        if ($args !~ "^action=rp") { set $susquery 0; }   # <= bad logic, correct: ~*
        if ($http_cookie !~ "^.*wordpress_logged_in_.*$") { set $susquery 0; }   # <= bad logic, correct: ~*
        if ($http_referer !~ "^http://maps.googleapis.com(.*)$") { set $susquery 0; }   # <= bad logic, correct: ~*
        if ($susquery = 1) { return 403; }
     Block queries to download wp-config.php in .htaccess:
        RewriteCond %{QUERY_STRING} wp-config.php [NC,OR]
        RewriteRule ^(.*)$ - [F,L]
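The effect of the !~ lines, shown on concrete requests as an added example that is not from the talk or from iThemes: the shell function below models the $susquery evaluation for a representative subset of the patterns, once as generated (buggy) and once with the ~* correction the slide suggests. The sample query strings and the logged-in cookie are constructed; dots in the patterns are escaped here although the nginx lines leave them unescaped.

```shell
#!/bin/sh
# Added example, not from the talk: model the $susquery decision of the nginx
# snippet on slide 70 so the "!~" whitelist bug can be seen on real requests.
# "buggy" reproduces the snippet as shown, "fixed" uses ~* as the slide says.
# Only a representative subset of the blacklist patterns is modelled.

# q PATTERN -> true when $ARGS matches PATTERN case-insensitively (nginx ~*)
q() { printf '%s' "$ARGS" | grep -Eiq -- "$1"; }

# susquery MODE QUERY_STRING COOKIE -> prints 1 (would return 403) or 0
susquery() {
    mode=$1; ARGS=$2; cookie=$3; sus=0
    # blacklist: any hit marks the request as suspicious
    q 'wp-config\.php'                          && sus=1
    q '\.\./'                                   && sus=1
    q 'etc/passwd'                              && sus=1
    q '(<|%3C).*script.*(>|%3E)'                && sus=1
    q 'base64_encode'                           && sus=1
    q '(request|insert|concat|union|declare)'   && sus=1
    # whitelist: requests that legitimately carry such strings
    if [ "$mode" = buggy ]; then
        # "!~" resets the flag whenever the pattern does NOT match, i.e. for
        # nearly every request; a request would have to match all of the
        # whitelist patterns at once to stay flagged, so nothing is blocked.
        q '^loggedout=true'                                     || sus=0
        q '^action=rp'                                          || sus=0
        printf '%s' "$cookie" | grep -Eq 'wordpress_logged_in_' || sus=0
    else
        # "~*": reset only when a whitelist pattern DOES match
        q '^loggedout=true'                                     && sus=0
        q '^action=rp'                                          && sus=0
        printf '%s' "$cookie" | grep -Eq 'wordpress_logged_in_' && sus=0
    fi
    echo "$sus"
}

LFI='img=../wp-config.php'            # traversal attempt shaped like slide 17
SEARCH='s=union+station'              # innocent search that contains "union"
LOGGED='wordpress_logged_in_demo=1'   # constructed logged-in cookie

echo "buggy, anonymous traversal: $(susquery buggy "$LFI" '')"           # 0 = let through
echo "fixed, anonymous traversal: $(susquery fixed "$LFI" '')"           # 1 = blocked
echo "fixed, anonymous search:    $(susquery fixed "$SEARCH" '')"        # 1 = false positive
echo "fixed, logged-in search:    $(susquery fixed "$SEARCH" "$LOGGED")" # 0 = whitelisted
```

The last two lines also show the trade-off of this filter: a word like "union" in a visitor's search is blocked unless the client is logged in.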
  71. iThemes Security – homework
     Better version hiding: functions.php / plugin in mu-plugins:
        <?php
        function remove_wp_version() { return ''; }
        add_filter('the_generator', 'remove_wp_version');
     Off topic: MU-plugins (Must Use Plugins)
     There is a special folder: /wp-content/mu-plugins. Scripts/plugins in this folder are loaded every time; you cannot disable them in the administration. It is useful for some security settings, e.g. automatic updates of plugins and themes:
        <?php
        add_filter( 'auto_update_plugin', '__return_true' );
        add_filter( 'auto_update_theme', '__return_true' );
  72. Users
     User and admin behaviour – strong passwords, connect from trusted networks only, backup, antivirus software, certificate checking, phishing-proof
  73. Tips for WP admins
     • Use HTTPS in the administration
       – https://wordpress.org/plugins/wordpress-https/
       – VPN is also a good choice
     • Backup regularly – both files and database
     • Don't test plugins in the production environment
     • Remove unnecessary stuff (users, themes, plugins, content)
     • Set up appropriate permissions for your users
     • Use tools for bulk management if you administer more WP sites (InfiniteWP, ManageWP); for a smaller number of sites use the WP Updates Notifier plugin
     • Maintain a list of all used plugins and themes
     • If somebody tells you „don't update this“, ask „Why?“ – there is usually no serious reason! (if somebody made changes in the original files, ask them for a patch file)
  74. Tips for everyone
     • Use strong passwords (use a password manager, e.g. KeePass)
     • Be careful of bad certificates
     • Use good and updated antivirus software
     • Don't use unknown Wi-Fi
     • Delete all saved unprotected Wi-Fi networks from your cellphone/tablet/laptop
     • Don't believe everything that comes by mail
  75. Useful sites
     • https://www.owasp.org/
     • https://wpvulndb.com/
     • http://blog.sucuri.net/
     • http://packetstormsecurity.com/
     • http://www.rankwp.com/
  76. Homework due tomorrow
     □ Check for vulnerable plugins
     □ Check hashes in wp-config.php
     □ Make a backup
     □ Remove unnecessary plugins
     □ Remove unnecessary themes (keep one default template and the parent theme if used)
     □ Lower user rights if they don't need them
     □ Update everything possible
  77. And that's all, folks
     Update, backup, use a security plugin, be careful.
     Also check my research about WP in the Czech Republic!
