Securing Your WordPress Installation


My presentation slides for Securing Your WordPress Installation during WordPress Meetup September 2014 organised by Singapore WordPress User Group.

Transcript of Securing Your WordPress Installation

Page 1: Securing Your WordPress Installation

Security: How to Secure Your WordPress

Page 2

About Me

• WordPress plugins developer
– Since 2003
– Created > 22 plugins
– wp-pagenavi, wp-polls, wp-postratings, wp-postviews, wp-dbmanager, etc.
– http://profiles.wordpress.org/gamerz
• Tech guy at Tech in Asia
– Just started on 1st September 2014
– Tech in Asia is still hiring & you can join my team: techinasia.com/join
• PHP & iOS developer

Lester Chan (@gamerz) [ 2 ]

Page 3

WordPress Is Popular

• Powers 22% of the web
• Most blogs use WordPress
– Mashable.com
– Techcrunch.com
• Because it is popular, a large share of automated attacks are aimed at WordPress sites: a single exploit for a common plugin or an unpatched core version works against millions of installs


Page 4

Hack Attempts

• wp-includes/users.php: credential-stealing code injected into a core file. It appends the username and password of every login attempt to a file named .htaccess in the plugins directory, where the attacker collects them later:

    $fh = fopen(ABSPATH . "core/wp-content/plugins/.htaccess", "a+");
    fwrite($fh, $credentials['user_login'] . ':' . $credentials['user_password'] . "\n");
    fclose($fh);

• Backdoor files


Page 5

Security 101

• Always keep WordPress & its plugins up to date.
– 4th September 2014: WordPress 4.0 released
– 6th August 2014: WordPress 3.9.2 was released to fix:
• Fixes a possible but unlikely code execution when processing widgets
• Prevents information disclosure via XML entity attacks in the external GetID3 library
• Adds protections against brute-force attacks against CSRF tokens
• Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.


Page 6

Passwords

• Use a complex password
– In general: not just for WordPress but for your cPanel/FTP as well
• Use a 2FA plugin
– Google Authenticator: https://wordpress.org/plugins/google-authenticator/
– Authy Two Factor Authentication: https://wordpress.org/plugins/authy-two-factor-authentication/


Page 7

Passwords

• Protect your wp-admin with a password
– Using htpasswd: http://www.htaccesstools.com/htpasswd-generator/
– Place this .htaccess in wp-admin (the AuthUserFile lives outside public_html, so the password hashes can never be downloaded):

    ErrorDocument 401 default
    AuthName "Lester Chan's Website WordPress Admin"
    AuthUserFile "/home/gamerz/wp-admin/passwd"
    AuthType Basic
    require valid-user
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

– The <Files admin-ajax.php> block keeps AJAX working for logged-out visitors, because front-end plugins POST to wp-admin/admin-ajax.php
– This only covers /wp-admin/. wp-login.php sits in the site root, so brute-force login attempts still reach WordPress unless you add a matching auth block for <Files wp-login.php> to the root .htaccess


Page 8

HTTPS

• HTTPS encrypts the communication between the browser and wp-admin, including the login password and the authentication cookie.
• Prevents man-in-the-middle attacks: on plain HTTP anyone on the network path can read or replace the session cookie.
– In wp-config.php:

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

– FORCE_SSL_ADMIN is the one that matters: it covers both the login page and the admin area, and FORCE_SSL_LOGIN is deprecated as of WordPress 4.0.
– Behind a TLS-terminating proxy or load balancer PHP does not see $_SERVER['HTTPS'], so is_ssl() returns false and FORCE_SSL_ADMIN sends the browser into a redirect loop; set $_SERVER['HTTPS'] = 'on' in wp-config.php when HTTP_X_FORWARDED_PROTO is https.


Page 9

Files/Folder Permissions

• Files should be readable & writable by the owner and read-only for everyone else; folders the same, plus the execute (traverse) bit
• Ensure all files are CHMOD 644 (run from the WordPress root):

    find . -type f -exec chmod 644 {} \;

• Ensure all folders are CHMOD 755:

    find . -type d -exec chmod 755 {} \;

• Exception: wp-config.php contains the database password, so after the blanket chmod tighten it to 640 (or 600 if PHP runs as the file owner) rather than leaving it world-readable

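An audit script for the permission rules on this slide, added here as an example (it is not code from the slides). It reports what the two chmod one-liners would change instead of blindly rewriting every mode, and it treats wp-config.php separately because the blanket `chmod 644` would make the database password world-readable again. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: audit and fix WordPress file modes.
# Expected modes: directories 755, files 644, wp-config.php 640 (or 600 when
# PHP runs as the file owner). Run from cron after the initial chmod pass to
# catch anything a plugin installer or an attacker loosened later.

# Octal mode of one path, portable across GNU stat (-c) and BSD stat (-f).
_pa_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# wp_perm_audit ROOT [CONFIG_MODE]
# Print one "<expected> <actual> <path>" line for every directory that is not
# 755 and every file that is not 644, plus wp-config.php if it is not
# CONFIG_MODE (default 640). Return 1 if anything was reported, 0 if clean.
wp_perm_audit() {
    _pa_root=$1; _pa_cfg=${2:-640}
    _pa_out=$(mktemp)
    (
        cd "$_pa_root" || exit 1
        find . -type d ! -perm 755 | while IFS= read -r d; do
            echo "755 $(_pa_mode "$d") $d"
        done
        # wp-config.php is excluded here and checked against its own mode below
        find . -type f ! -perm 644 ! -name wp-config.php | while IFS= read -r f; do
            echo "644 $(_pa_mode "$f") $f"
        done
        if [ -f wp-config.php ] && [ "$(_pa_mode wp-config.php)" != "$_pa_cfg" ]; then
            echo "$_pa_cfg $(_pa_mode wp-config.php) ./wp-config.php"
        fi
    ) > "$_pa_out"
    cat "$_pa_out"
    if [ -s "$_pa_out" ]; then _pa_rc=1; else _pa_rc=0; fi
    rm -f "$_pa_out"
    return $_pa_rc
}

# wp_perm_fix ROOT [CONFIG_MODE]
# The slide's two find/chmod commands, with wp-config.php kept tighter.
wp_perm_fix() {
    (
        cd "$1" || exit 1
        find . -type d -exec chmod 755 {} \;
        find . -type f ! -name wp-config.php -exec chmod 644 {} \;
        if [ -f wp-config.php ]; then chmod "${2:-640}" wp-config.php; fi
    )
}

# Demo on a constructed tree: a 777 uploads folder, a 666 file inside it and a
# world-readable wp-config.php, which is the state most shared hosts end up in.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"
echo '<?php' > "$demo/wp-content/uploads/shell.php"; chmod 666 "$demo/wp-content/uploads/shell.php"
echo '<?php' > "$demo/wp-config.php"; chmod 644 "$demo/wp-config.php"
echo "--- before fix ---"; wp_perm_audit "$demo" || true
wp_perm_fix "$demo"
echo "--- after fix ---"; wp_perm_audit "$demo" && echo "clean"
rm -rf "$demo"
```

The audit lists the root directory itself (`.`) when it is not 755, which is usually wanted on a shared host; if your document root is deliberately tighter, pass a different expected mode or exclude `.` in the `find` line.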

Page 10

WordPress Uploads

• /wp-content/uploads/
– Is a common vector for attacks because it stores user-uploaded files
– Harder to notice: a PHP file dropped among thousands of images looks like just another upload
– Most people just CHMOD this to 777, which means everyone on the server can read & write to it
– This folder should only serve static assets & never execute any scripts, so even an uploaded web shell is returned as plain bytes instead of being run
• http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess

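The .htaccess that turns the uploads folder into a static-only directory, as an added example (not from the slides or the linked StackOverflow answer, though it uses the same approach), together with a check you can run from cron to make sure the file is still there and has not been made writable. Two caveats a practitioner needs: the directives only take effect on Apache with `AllowOverride` permitting Options, FileInfo, Limit and AuthConfig for the directory (`AllowOverride All` covers it), and nginx ignores .htaccess completely, so on nginx the equivalent is a `location ~* /wp-content/uploads/.*\.php$ { deny all; }` block in the server config. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the slides: lock down wp-content/uploads so that
# nothing in it is ever handed to PHP, CGI or another script handler.

# wp_uploads_lockdown UPLOADS_DIR
# (Re)write UPLOADS_DIR/.htaccess, replacing anything an attacker may have
# put there, then make it read-only so the web server user cannot edit it.
wp_uploads_lockdown() {
    if [ -f "$1/.htaccess" ]; then chmod u+w "$1/.htaccess"; fi
    cat > "$1/.htaccess" <<'EOF'
# Serve static assets only: no PHP, CGI or other handlers in uploads/.
# Apache 2.4 syntax with a 2.2 fallback. Added example, not from the slides.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
# Drop every script handler/type mapping inherited from the server config.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar .pl .py .cgi .sh
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar .pl .py .cgi .sh
Options -ExecCGI
# Backstop that also works with php-fpm: refuse to serve script-like names,
# including double extensions such as shell.php.jpg.
<FilesMatch "\.(php|phtml|php[0-9]|phar|pl|py|cgi|sh)(\..*)?$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    chmod 444 "$1/.htaccess"
}

# wp_uploads_check UPLOADS_DIR
# Return 0 only if the lockdown file exists, still contains a deny rule for
# script files, and is not writable by group or other. Anything else is
# reported on stdout and returns 1, which is what a cron job should alert on.
wp_uploads_check() {
    _uc=$1/.htaccess
    [ -f "$_uc" ] || { echo "missing $_uc"; return 1; }
    grep -q '^<FilesMatch' "$_uc" || { echo "no FilesMatch block in $_uc"; return 1; }
    grep -qE '^[[:space:]]*(Require all denied|Deny from all)' "$_uc" \
        || { echo "no deny rule in $_uc"; return 1; }
    if [ -n "$(find "$_uc" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$_uc is writable by group/other"; return 1
    fi
    return 0
}

# Demo on a constructed temporary uploads directory.
demo=$(mktemp -d)
wp_uploads_lockdown "$demo"
wp_uploads_check "$demo" && echo "uploads locked down: $demo/.htaccess"
rm -rf "$demo"
```

Test the result from outside: upload (or copy in) a file named `test.php` containing `<?php phpinfo();` and request it; a 403, or the raw source served as text, means the lockdown works, while a PHP info page means the directory is still executable.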

Page 11

Monitor Changed Files

• I monitor my site's changed files via email on a daily basis
• Using cron:

    find /home/gamerz/public_html -mtime -1

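A hash-based version of the cron job above, added as an example (not the speaker's own script). The `find -mtime -1` approach only sees files whose modification time changed in the last day, and an attacker who injects the credential stealer from slide 4 into wp-includes/users.php can reset that timestamp with `touch -r`. Comparing every file against a SHA-256 manifest recorded right after a clean install or upgrade catches modified core files, deleted files and newly dropped backdoor files regardless of their timestamps. Function names and the fake WordPress tree in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the slides: manifest-based integrity monitoring
# for a WordPress tree. Keep the manifest outside the web root (and ideally
# on another host); an attacker who can write to public_html can also
# rewrite a manifest stored next to it.

# SHA-256 of one file: sha256sum on Linux, shasum on BSD/macOS.
_wp_sha() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# wp_baseline ROOT MANIFEST
# Record "<sha256>  <relative path>" for every file under ROOT.
wp_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(_wp_sha "$f")" "$f"
    done ) > "$2"
}

# wp_verify ROOT MANIFEST
# Print one line per difference (MODIFIED / REMOVED / ADDED) and return 1 if
# anything differs, 0 if the tree still matches the manifest exactly.
wp_verify() {
    _v_root=$1; _v_manifest=$2
    _v_report=$(mktemp); _v_known=$(mktemp)
    # Files the manifest knows about: gone, or hash no longer matching?
    while read -r _v_hash _v_f; do
        if [ ! -f "$_v_root/$_v_f" ]; then
            echo "REMOVED  $_v_f"
        elif [ "$(_wp_sha "$_v_root/$_v_f")" != "$_v_hash" ]; then
            echo "MODIFIED $_v_f"
        fi
    done < "$_v_manifest" > "$_v_report"
    # Files on disk the manifest never saw, e.g. a dropped backdoor.
    cut -d' ' -f3- "$_v_manifest" > "$_v_known"
    ( cd "$_v_root" && find . -type f ) | LC_ALL=C sort | while IFS= read -r _v_f; do
        grep -qxF -- "$_v_f" "$_v_known" || echo "ADDED    $_v_f"
    done >> "$_v_report"
    cat "$_v_report"
    if [ -s "$_v_report" ]; then _v_rc=1; else _v_rc=0; fi
    rm -f "$_v_report" "$_v_known"
    return $_v_rc
}

# Demo on a constructed tree: take a baseline, replay the slide 4 attack
# (append to wp-includes/users.php, drop a backdoor in plugins/), verify.
demo_root=$(mktemp -d); demo_manifest=$(mktemp)
mkdir -p "$demo_root/wp-includes" "$demo_root/wp-content/plugins"
echo '<?php // pristine core file (constructed sample)' > "$demo_root/wp-includes/users.php"
echo '<?php // index' > "$demo_root/index.php"
wp_baseline "$demo_root" "$demo_manifest"
echo 'fwrite($fh, $credentials["user_login"]);' >> "$demo_root/wp-includes/users.php"
echo '<?php eval($_POST["c"]);' > "$demo_root/wp-content/plugins/.cache.php"
wp_verify "$demo_root" "$demo_manifest" || echo "integrity check FAILED (expected in this demo)"
rm -rf "$demo_root" "$demo_manifest"
```

For the daily email, run `wp_baseline` once after each upgrade and schedule `wp_verify /home/gamerz/public_html /home/gamerz/wp.manifest` from cron; cron mails the output to the account owner whenever the command prints anything, so a clean run stays silent. The uploads folder will show up as ADDED on every new post, so either baseline it separately or exclude it and rely on the no-execute rule for that directory.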

Page 12

Using Git

• /core/
– Contains a Git checkout of https://github.com/WordPress/WordPress
– git fetch --tags; git checkout 4.0
• /content/
– A Git checkout of my private repository
– Contains all my active plugins and themes
• Running git status in either folder also tells me what has changed


Page 13

Backup

• Back up your database regularly
– Every hour if you blog more than once a day
– Every day if you blog regularly
– Using a plugin like WP-DBManager: https://wordpress.org/plugins/wp-dbmanager/
• Back up your /uploads/ folder
– Using Git? (not ideal)
– FTP to S3/Dropbox?
– NAS
– GlusterFS

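A cron-driven database backup with rotation, added as an example of the hourly/daily schedule described above (it is not WP-DBManager's code or the speaker's own). It assumes `mysqldump` and `gzip` are installed and that the database credentials are in a MySQL option file readable only by the backup user; the function names, paths and the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: dump the WordPress database from cron
# and keep only the newest N dumps. The password is never put on the command
# line (it would be visible to every user on the host via ps); it comes from
# an option file such as ~/.my.cnf with [client] user= and password= lines.

# wp_db_backup OPTFILE DBNAME DESTDIR
# Write DESTDIR/DBNAME-YYYYmmdd-HHMMSS.sql.gz. The dump goes to a .part file
# first so a failed mysqldump never leaves a truncated backup behind under a
# valid-looking name. Returns non-zero if the dump or compression failed.
wp_db_backup() {
    _bk_base=$3/$2-$(date +%Y%m%d-%H%M%S)
    _bk_tmp=$_bk_base.sql.part
    _bk_out=$_bk_base.sql.gz
    # --single-transaction: consistent InnoDB snapshot without locking tables
    if ! mysqldump --defaults-extra-file="$1" --single-transaction \
            --routines --triggers "$2" > "$_bk_tmp"; then
        rm -f "$_bk_tmp"; return 1
    fi
    gzip -c "$_bk_tmp" > "$_bk_out" && rm -f "$_bk_tmp" && chmod 600 "$_bk_out"
}

# wp_prune_backups DESTDIR DBNAME KEEP
# Delete all but the newest KEEP dumps for DBNAME in DESTDIR. The timestamp
# in the file name sorts lexically, so a reverse sort lists newest first.
wp_prune_backups() {
    ls -1 "$1"/"$2"-*.sql.gz 2>/dev/null | LC_ALL=C sort -r | tail -n +"$(( $3 + 1 ))" \
        | while IFS= read -r old; do rm -f -- "$old"; done
}

# Only run a real backup when invoked as "sh wp-db-backup.sh run", e.g. from
# an hourly crontab line (paths are hypothetical):
#   0 * * * * sh /home/gamerz/bin/wp-db-backup.sh run
case ${1:-} in
    run)
        wp_db_backup /home/gamerz/.my.cnf wordpress /home/gamerz/backups \
            && wp_prune_backups /home/gamerz/backups wordpress 48
        ;;
esac
```

Keeping 48 hourly dumps covers two days of hourly backups; copy the directory off the host (rsync to another machine, or one of the S3/NAS options listed above) since a backup stored next to the site disappears with the site. Restore with `gunzip -c wordpress-<stamp>.sql.gz | mysql --defaults-extra-file=~/.my.cnf wordpress`, and test that restore at least once before you need it.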

Page 14

VaultPress

• https://vaultpress.com/
– By Automattic, the company behind WordPress.com
– Paid: Lite (USD$55/year), Basic (USD$165/year), Premium (USD$440/year)
– Features
• Realtime full (database + files) backup
• Scanning your site for dangerous files
• Automatic restore of database + files


Page 15

Summary

• Password-protected wp-admin
• Use Google Authenticator as 2FA login for WordPress
• HTTPS for wp-admin
• Ensure all files are CHMOD 644 and folders 755
• Do not allow any script execution in the /uploads/ folder
• Monitor your site's changed files
• Back up your database regularly


Page 17

Questions?

• Any questions?
• You can also find me at
– Blog: http://lesterchan.net
– Twitter: @gamerz
– Facebook: https://fb.com/lesterchan
– Instagram: @gamerz
