Securing Your WordPress Site 040814

Report
Securing your WordPress Site
Presented by Russ Sanderlin
Russ Sanderlin, RHCE
Senior Network Systems Analyst, AAA National Office
Owner, Tearstone Graphics
@Tearstone
Agenda
•
•
•
•
•
•
Importance
Attack Surface
Basic Hardening
Ongoing Security
Plugins
Read More
Importance
• WordPress continues to grow in popularity
• Bigger the platform, the greater the reported
incidents for security.
• 2012 – 117,000 WordPress hacked sites were
reported
• 2013 – 73.2 % of the top 40,000+ WordPress sites
were vulnerable to exploits
Source: WP White Security
Attack Surface
• Definition: Sum of the amount of points an attacker
could use to get into a system.
• Points of entry for extracting data, or inserting
malware are called "attack vectors“
• Minimize attack vectors by minimizing the amount
of code running on the site.
o Minimize the amount of Themes, Plug-Ins
Source: OWASP.ORG
NEW! Wordpress 3.8.2
• Potential authentication cookie forgery.
• Privilege escalation: prevent contributors from
publishing posts.
• (Hardening) Pass along additional information when
processing pingbacks to help hosts identify
potentially abusive requests.
• (Hardening) Fix a low-impact SQL injection by
trusted users.
• (Hardening) Prevent possible cross-domain scripting
through Plupload, the third-party library WordPress
uses for uploading files.
Basic Hardening
Start With A Secure Foundation
Users
• Delete “admin” account, create new login with
unusual name for administration.
• All users, especially with elevated privileges should
have complex passwords.
o
o
o
o
Changed every 60-90 days
At least 8 characters
Combination of mixed case, numbers and special character i.e. #5hN!uM
Avoid dictionary passwords
Database - MySQL
• Use an abstract naming convention (security
through obsecurity)
o Database names
o table prefixes, not wp_
o MySQL User names
• Assign limited privileges to SQL user.
o WordPress database user only needs SELECT, INSERT, DELETE and UPDATE
o GRANT, DROP and ALTER are not needed
Webhost
• Find a webhost that understands WordPress
• Takes security seriously
• Find out if host performs backups.
o If not, implement a backup solution
• Server side scans and malware cleanup
• Host should have VPS options for growth and better
security.
Site
• Avoid running multiple WordPress installations on
one domain
• Do not run a development version of the site on
your production site.
• Disable FTP, use SFTP
Permissions
• Unix/Linux permissions
o R = 4, W = 2, X =1 (Combine values to set permission)
o Owner – Group – Public
o I.e. 775 = rwxrwxr_x (Owner + group have full perms, world cannot write)
• File and Folder Permissions
o Default is 664 for files, 775 for folders
o Wp-config.php and .htaccess
• 664 to allow for modification
• 444 to allow read, not modify
Ongoing Security
Ounce of prevention is worth a pound of cure – Benjamin
Franklin
Update Your Site
• Update WordPress Core, Plug-Ins and Themes
• WP White Security found 42,106 Top Alexa-based
ranked sites running WordPress:
o 73.2% were running old versions which had documented vulnerabilities
o 74 different versions of WordPress, 10 of which were reported as fake
• Older versions of WordPress are not maintained with
security updates.
Perform Routine
Inspections
• Perform site cleanups on a regular basis
• Review all installed plug-ins
• Remove themes and plug-ins no longer needed
(reduce attack surface)
• Identify anything you do not remember installing
and handle with care
Scan with SiteCheck
•
•
•
•
Scan site with Scuri.Net SiteCheck
Free general site malware checker
Premium clean up service
Premium monitoring service
WPScan
• Black Box WordPress security scanner
• Pre-Installed on these operating systems
o
o
o
o
BlackBox Linux
Kali Linux
Pentoo
SamuraiWTF
• Download, Install Instructions, Arguments found on
http://wpscan.org
Security Plugins
Providing a pre-coded helping hand
Understand Your Plugin
• Understand what the security plugins do, and what
effects they have on your site
o Your requirements should drive the choice in plugin, the plugin should not
drive your site requirements
o Plugins have performance implications to WordPress sites, more code can
slow down site loads.
o Multiple plugins or excessive functionality extends attack surface
• Misconfiguration can break your site
o i.e. intrusion detection could stop search engines from crawling your site
• Security plugins could lock you out of your own site
• Plugin support can be a challenge
Limit Login Attempts
• Customize the rate of invalid login attempts
o Limit login attempts by IP
o Limit login via cookies
• Makes brute-force attacks impossible
Manage WP
• Plugin that integrates with https://managewp.com/
• Centralize update administrations of multiple
WordPress sites
• Automated backups
• Provides email notification alerts
iThemes Security
(Better WP Security)
• Automatically Secure Site from Basic Attacks
o
o
o
o
Prevent non-admins from accessing admin content
Default usernames with “admin” replaced
Brute force login protection
Prevent website scanning
• Change admin, register and login URL
• Limit Logins and time restrictions
o Restrict max login attempts by user or host
o Disable site access on a schedule
• Blacklist: Users, Groups or IPs
• Data Backup
• Change Database Prefix
WordFence
• Delivers Enterprise-Class Security
• Includes
o
o
o
o
Fast Cache Engine
Firewall
(Premium) Anti-Virus Scanning
(Premium) Two-Factor authentication (use cell phone to login)
• Repair core, theme and plugin files
• Consumes a lot resources, not ideal for shared
hosting.
Bulletproof Security
• Automatically optimizes website for security
• Protects WordPress site against a number of
documented hack attempts.
• Security Logging (Account use, HTTP errors)
• File and Folder Permission Scans
• Maintenance Mode with countdown timer
• Focuses on .htaccess protection
All In One Security and
Firewall
• Security Points – Assesses a score based on how
secure your site is
• Classifies security configuration features on risk
• Secures
o
o
o
o
o
User Accounts
User Logins
Database Security (Change table prefix)
Visual file system review
Blacklist IP addresses
• Incorporates DB Backup to schedule automated
backups
Sources, Read More
• http://codex.wordpress.org/Hardening_WordPress
• http://www.designwall.com/blog/how-to-handle-awordpress-security-attack/
• http://www.cvedetails.com/vulnerability-list/vendor_id2337/product_id-4096/Wordpress-Wordpress.html
• https://managewp.com/security-plugins-problem
• https://www.owasp.org/index.php/Attack_Surface_Analysis_C
heat_Sheet
• http://codex.wordpress.org/Changing_File_Permissions
• http://codex.wordpress.org/Version_3.8.2
Any Questions??
Grab a WordPress Decal

similar documents