Hardening Your WordPress Website
Transcript of Hardening Your WordPress Website
TriLink Technologies Group Inc.
HARDENING YOUR WEBSITE TO ATTACKS
Making It Easier to Hack Into Someone-Else’s Website
AGENDA
• Introduction
• WordPress Security Myths
• Blacklisting
• Security Flaws With Default Installation
• Threats and Counter-Threats
• Backup
• Additional Security
• Conclusions
INTRODUCTION
• 40 Years Experience in Aerospace
– Most of it in marketing
• Independent Since 2009
• Added Website Creation Using WordPress in 2011
– Main selling feature is self-maintenance
• Became Concerned With Security in 2012
– Client's site was hacked
WORDPRESS SECURITY MYTHS
• My Site Is Too Small or Insignificant
– Any site is a target: attackers scan for WordPress installs, not for interesting ones
– Hacked sites are used for link building
– Hacked sites are used for spam distribution
• WordPress Is Already Secure
– Yes, but you can't leave the front door unlocked
• The "White Screen of Death" Is The Worst That You Can See
THE WORST THAT YOU CAN SEE
BLACKLISTING
• Problem
– Google blocks access to your site (visitors get a browser warning)
– Removed from search engine listing
• Resolution
– Fix the hack (clean every injected file, not just the visible symptom)
– Report the fix to Google
– Wait for Google to lift the ban
SECURING A WORDPRESS SITE
• Starts With The Installation
• Easiest To Do Before Content Is Added
SECURITY FLAWS WITH DEFAULT INSTALL
• Most Attacks Are Based On The Assumption That Defaults Were Accepted
• Threats and Counters Examples Based On:
– Manual install with all defaults
– One user: "admin", password: "admin123"
– "Pretty" permalinks turned on
– Counters manually applied
• Automated "1-Click" Installers Are Starting To Allow Customization
DEFAULT TABLE PREFIX
• Default WordPress Table Prefix Is "wp_"
– Automated SQL injection tools assume it: a non-default prefix defeats scripts that hard-code "wp_users", but not an attacker who reads the table names from information_schema, so it is obscurity on top of patching, not a substitute for it
– WP internal hardening improving
– .htaccess techniques help (beyond today's scope)
• Change It By Editing The $table_prefix Line In "wp-config.php"
– Easiest before any content is added: set the new prefix, use "phpMyAdmin" to delete the old tables, and let WordPress re-install
– After content is added, every table must be renamed and the prefix stored inside the options and usermeta keys updated as well
– iThemes Security can change the prefix for you after content has been added
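The after-the-fact prefix change in full, as an added example (not from the original slides, and not the steps iThemes Security runs): this is what has to happen in phpMyAdmin or the mysql client when the site already has content. It assumes the default prefix wp_, a new prefix of x7q_, a stock set of core tables, and that a database backup has been taken first; any plugin table that also starts with wp_ needs the same RENAME.

```sql
-- Added example: change the WordPress table prefix on a populated site.
-- Assumptions: old prefix wp_, new prefix x7q_, backup already taken,
-- site taken offline for the duration.

-- 1. Rename every core table (WordPress 4.4 and later also has wp_termmeta;
--    add it to the list on those versions, plus any plugin tables).
RENAME TABLE
  wp_commentmeta        TO x7q_commentmeta,
  wp_comments           TO x7q_comments,
  wp_links              TO x7q_links,
  wp_options            TO x7q_options,
  wp_postmeta           TO x7q_postmeta,
  wp_posts              TO x7q_posts,
  wp_term_relationships TO x7q_term_relationships,
  wp_term_taxonomy      TO x7q_term_taxonomy,
  wp_terms              TO x7q_terms,
  wp_usermeta           TO x7q_usermeta,
  wp_users              TO x7q_users;

-- 2. The prefix is also stored inside row data. Roles live in the options
--    table under '<prefix>user_roles'. Rename only that row: newer WordPress
--    versions have unrelated core options whose literal names start with wp_
--    (e.g. wp_page_for_privacy_policy), and those must not be touched.
UPDATE x7q_options
   SET option_name = 'x7q_user_roles'
 WHERE option_name = 'wp_user_roles';

-- 3. Per-user capabilities and levels live in usermeta under
--    '<prefix>capabilities', '<prefix>user_level', '<prefix>user-settings', ...
--    Skipping this step locks every user out of the dashboard with
--    "Sorry, you are not allowed to access this page".
--    SUBSTRING(meta_key, 4) drops the three characters of 'wp_';
--    the backslash makes LIKE treat '_' literally instead of as a wildcard.
UPDATE x7q_usermeta
   SET meta_key = CONCAT('x7q_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 4. Verify nothing with the old prefix remains. All three should return
--    no rows; only then edit wp-config.php to read:  $table_prefix = 'x7q_';
SHOW TABLES LIKE 'wp\_%';
SELECT option_name FROM x7q_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM x7q_usermeta WHERE meta_key    LIKE 'wp\_%';
```

The order matters: if wp-config.php is changed before the usermeta keys are rewritten, WordPress finds the tables but no user has any capability, which looks like a lockout rather than a prefix mistake.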
DEFAULT CONTENT FOLDER
• Default of "wp-content" Can Be Exploited
– Scanners request known paths such as wp-content/plugins/<name>/ to fingerprint installed plugins and themes
• iThemes Security Can Change It
– WordPress supports this through the WP_CONTENT_DIR and WP_CONTENT_URL constants in wp-config.php
• Breaks Lots and Lots of Plugins
– "wp-content" hard coded
– Should use "content_url()" or "plugins_url()"
• Not Worth the Trouble
DEFAULT ADMIN NAME
• "admin" Is The Default Username For The Administrator
– Hacker only needs to guess the password
– Automated tools make guessing easy
• Changing The Administrator Username Alone Doesn't Help
– WordPress easily exposes any user's login name
• Click on a post author name and check the URL
• www.site.com/?author=1 (or 2 or 3, etc.) redirects to /author/<user_nicename>/, and user_nicename defaults to the login name
• Confirm by trying to log in: the error for an unknown username differs from the error for a wrong password
DEFAULT ADMIN NAME (CONT’D)
• Accept The Default Name During Install But Use A Secondary Email
• User Table Is Auto Indexed
– 1, 2, 3, etc.
• Set The Next Index To, Say, 145
– phpMyAdmin:
• ALTER TABLE `wp_users` AUTO_INCREMENT = 145;
– SQL Executioner ($users is the plugin's placeholder for the prefixed users table):
• ALTER TABLE $users AUTO_INCREMENT = 145;
• Create The New, Real, User Straight Away
– On MySQL before 8.0 the InnoDB counter is recalculated from the highest existing ID after a server restart, so the 145 is lost if no row has used it yet
• Login As The Real User
– Delete the first user, attributing its content to the new user
DEFAULT ADMIN NAME (CONT’D)
• WordPress Still Exposes Usernames Through user_nicename (the author URL slug), So Make It Differ From user_login
• phpMyAdmin:
– UPDATE `wp_users` SET `user_nicename` = 'Mike' WHERE `user_login` = 'mikevens';
• SQL Executioner:
– UPDATE $users SET `user_nicename` = 'Mike' WHERE `user_login` = 'mikevens';
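The whole user replacement from the last three slides in one script, as an added example rather than the original slides' own SQL. It assumes the default prefix wp_, that the replacement administrator was created from the dashboard immediately after the ALTER and therefore received ID 145, and that its login name is 'mikevens'; run it in phpMyAdmin with a backup taken first. The nicename is written in lower case because WordPress stores nicenames as URL slugs.

```sql
-- Added example: retire the ID-1 "admin" account without leaving the
-- replacement's login name discoverable. Assumes prefix wp_, new user
-- 'mikevens' created from the dashboard and given ID 145, backup taken.

-- 1. Make the next account land on a non-obvious ID, so /?author=1 and
--    /?author=2 enumeration hits nothing. Create the new user right after
--    this statement (the counter can reset on restart on older MySQL).
ALTER TABLE `wp_users` AUTO_INCREMENT = 145;

-- 2. After creating the user in Users > Add New, confirm the ID it received.
SELECT ID, user_login, user_nicename, display_name FROM `wp_users`;

-- 3. The author archive URL (/author/<user_nicename>/) is built from
--    user_nicename and post bylines show display_name. Make both differ
--    from the login so /?author=145 reveals 'mike', never 'mikevens'.
UPDATE `wp_users`
   SET `user_nicename` = 'mike',
       `display_name`  = 'Mike'
 WHERE `user_login` = 'mikevens';

-- 4. Move the old account's content to the new one, then remove the old
--    account and its metadata. (Users > Delete with "Attribute all content
--    to" does the same from the dashboard and is the safer route.)
UPDATE `wp_posts`    SET `post_author` = 145 WHERE `post_author` = 1;
UPDATE `wp_comments` SET `user_id`     = 145 WHERE `user_id`     = 1;
UPDATE `wp_links`    SET `link_owner`  = 145 WHERE `link_owner`  = 1;
DELETE FROM `wp_usermeta` WHERE `user_id` = 1;
DELETE FROM `wp_users`    WHERE `ID`      = 1;

-- 5. Check: no remaining user leaks its login through the slug or byline.
--    Both queries should return no rows.
SELECT ID, user_login FROM `wp_users` WHERE `user_login` = `user_nicename`;
SELECT ID, user_login FROM `wp_users` WHERE `user_login` = `display_name`;
```

After this the ID can still be found by walking /?author=N, but what comes back is the slug 'mike', not the account name, and the login form is the only place that could confirm 'mikevens'; the WordFence setting on the next slides that masks usernames on login closes that remaining check.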
DISABLE FILE EDITING FROM DASHBOARD
• Bad Practice For Anyone To Edit Files From The Dashboard
– No undo
– No configuration control
– An attacker holding an admin session can use it to drop PHP into a theme or plugin file
• Edit wp-config.php and add:
– define('DISALLOW_FILE_EDIT', true);
– Semi-colon important; use straight quotes, and place the line above the "That's all, stop editing!" comment so it runs before wp-settings.php is loaded
WORDFENCE
• Over 1,700,000 Downloads
• Masks Username On Login (same error for an unknown user and a wrong password)
• Enforces Strong Passwords
• Alerts For Core, Theme and Plugin Updates
• Scans Files For Unauthorized Changes
• Locks Out Repeated Failed Login Attempts
• Monitors DNS Settings
• Etc.
• Has Performance-Enhancing Cache Built-In
BACKWPUP
• Over 1,260,000 Downloads
• Fully Configurable
– Schedule multiple jobs
• Different Backup Locations
– Email, folder (not within the WP folder), FTP, Dropbox, etc.
– Keep at least one copy off the server: a backup stored on a hacked host is hacked too
• Requires FTP and phpMyAdmin Access For Restore
• Vaultpress.com (Paid) Provides 1-Click Restore
ADDITIONAL SECURITY
• Restrict Logins To One IP
– Effective, but limits flexibility (breaks as soon as your IP changes)
• Two-Factor Authentication
– Duo Security (free plugin)
– Links to account at duosecurity.com
– Free for <= 10 users, otherwise $1/user/month
WHITE LABEL CMS
• Rebrand WordPress
– Dashboard
– Logos
– Login logo
• Control Access To "Advanced" Functions
– Dependent on the user's level
TIDY UP
• Delete All Themes Except:
– One in use (and parent, if it's a child)
– Default theme (currently Twenty Fourteen)
• Delete Unneeded Plugins
– Especially SQL Executioner
– Inactive themes and plugins still leave their files on the server, so a vulnerable one can be exploited even when deactivated
ONGOING SECURITY
• Keep Your Installation Up To Date
– WP core
– Themes
– Plugins
• WordFence Can Send Alerts
– Updates
– Modified files
– Repeated failed login attempts
TOOLS USED
• Editor
– Komodo
• Plugins
– WordFence
– BackWPUp
– SQL Executioner
– iThemes Security
– Duo Security
– White Label CMS
CONCLUSIONS
• Risk Is Low But Real
• Risk Reduction Is Easy
– 80% protection with 20% of the work
• Strong Passwords
• Backup
• Backup
• Backup